Week ending 18/10/19
This week we have seen many articles on the deal or no-deal situation and the possible issues with data transfers to and from the UK once it leaves the EU, and even more about cookies. Cookies are the hot topic of the week: the Planet49 judgment clearly shows that consent is required for all non-essential cookies before they are placed on a device, and that a clear, understandable explanation of the cookies is needed so that informed consent can be given.
The six articles we have chosen to share with you cover these topics and explain in more detail the requirements for data transfers, cookie consent and employee training, what happens when email goes wrong, and finish with a brief summary of the new draft ePrivacy law.
We are always available at Propelfwd to give you advice, guidance or come and help you with your data protection compliance. Please contact us if you have any questions.
How to keep the lawful transfer of personal data from EU to UK in case of no-deal
A hot topic this month is how the UK is preparing for a no-deal Brexit on 31st October 2019 and what the consequences would be for EU and UK citizens and organisations on both sides of the Channel.
In the light of these developments, Brexit will change a lot in the personal data field. The main issue is whether the free flow of personal data between the UK and the other EU/EEA countries will continue.
Issues arising in business relations
Business partners from the UK and the EU/EEA will face the need to take steps allowing lawful ongoing transfers of personal data.
For example, an English language centre in the EU currently transfers its students’ personal data freely to the UK for the assessment of exam results and the issuance of certificates. Once a no-deal Brexit becomes a fact, there will be additional requirements for EU and UK partners concerning the lawful transfer of the students’ personal data. Similarly, UK organisations contracting with entities in the EU/EEA usually need to obtain personal data of the employees of the EU/EEA entity. Transferring these employees’ personal data to the UK will have to meet the requirements in force following a no-deal Brexit.
The no-deal complications
In the case of a no-deal Brexit, the UK will no longer be bound by EU legislation, including the level of security established by the GDPR. The UK will become a “third country” under the GDPR, which will cause complications for EU organisations transferring personal data to the UK. The general principle is that a transfer of personal data outside the EU/EEA requires at least one of the mechanisms envisaged in the GDPR: an adequacy decision of the European Commission, appropriate safeguards, or one of the so-called derogations.
Where the European Commission has not adopted an adequacy decision in respect of a third country (and there is obviously no such decision concerning the UK yet), organisations transferring personal data to that third country must ensure that an alternative safeguard mechanism exists. As a result, the cross-border flow of personal data within the EU/EEA remains entirely free, whereas transfers of personal data from the EU/EEA to the UK will have to comply with the additional requirements mentioned above if no adequacy decision is adopted.
How can organisations prepare themselves?
The UK government has published a No-Deal Readiness Report (the “Report”) aiming to demonstrate readiness for leaving the EU without any arrangements. The Report provides some general guidelines to the affected UK organisations and in essence states that UK organisations have to take the steps required to enable the continued free flow of personal data. As the European Commission does not intend to adopt an adequacy decision in respect of the UK at the time of Brexit, organisations on both sides of the Channel must take measures to put in place one of the safeguard mechanisms mentioned above.
Identify the flow of personal data
The Report recommends that all UK businesses, civil society organisations and other organisations identify the personal data they receive from organisations in the EU/EEA and where this data is held. Likewise, EU/EEA organisations should identify the personal data they transfer to their partners in the UK.
Choose the appropriate mechanism
Organisations should check whether they need to put in place an alternative safeguard mechanism to continue receiving personal data from the EU/EEA or transferring personal data to the UK, and choose the mechanism that serves their needs best.
These mechanisms include:
- Standard contractual clauses (SCCs)
- Binding corporate rules (BCR)
- Presence of a derogation, such as the data subject’s explicit consent, a contract between the data subject and the controller, or the establishment, exercise or defence of legal claims, etc.
The appropriateness of the mechanism must be assessed on a case-by-case basis.
“No consent, no cookie” – European Court of Justice
The Belgian “cookie law” is now in its 7th year and since its inception it has sowed little more than frustration and confusion.
In other words, a pop-up banner asking for permission to place cookies when a visitor first arrives at a website really is necessary. This also means that the visitor must be free to refuse permission and still visit your website.
However, in recent years we have seen all kinds of creative solutions that try to avoid asking for explicit permission, ranging from simply not requesting permission, via pre-checked opt-ins, to opt-out systems. In the light of the above, it should be clear that these are usually very problematic.
Cookie legislation and GDPR
To complicate matters, cookie legislation does not stand in isolation from other laws. Anyone who wants to process personal data through cookies must also take the GDPR into account alongside the cookie law and, in most cases, must obtain a second opt-in, separate from and in addition to the cookie opt-in, for the actual use of the personal data concerned.
What exactly does the European Court have to do with this?
The European Court recently had to answer two very pertinent questions:
- Can a cookie opt-in be checked in advance?
- Is it relevant here whether or not personal data is processed under GDPR via the relevant cookie?
Why did the European Court have to answer these questions?
The German company Planet49 organises online promotional competitions and draws. Anyone who wants to participate must enter their name and address on a Planet49 promotional site. The form used for this purpose contains two check boxes and an “I participate” button.
By ticking the first check box, the participant gives permission to pass on his or her data to commercial partners of Planet49. A link next to the checkbox shows that this concerns no fewer than 57 companies, which the participant can untick one by one if they wish. Participation in the lottery is only possible if the participant actually ticks this first checkbox.
The second checkbox serves to obtain permission to place cookies on the first visit to the Planet49 website. The purpose of these cookies is to monitor the participants’ surfing behaviour and to send individualised advertisements from the 57 partners on that basis. This checkbox is ticked in advance.
And what is the verdict?
Well, in Case C‑673/17 the Court of Justice ruled that a pre-ticked check box – insofar as any doubt could exist – does not constitute valid consent under cookie law.
What is interesting is that the Court makes extensive comparisons between the GDPR on the one hand and the cookie rules on the other. Based on that comparison, the Court decides that consent means exactly the same under both regimes: the visitor to a website must be free to say yes or no, must perform an active act to do so (ticking a box), must be sufficiently informed about what will happen to his or her data (including which cookies will be used for this and how long they will be stored), and must not be disadvantaged for not opting in.
Moreover, the Court confirms that the processing of data by means of cookies always requires the active consent of the data subject, regardless of whether or not personal data is involved.
What does this mean in practice?
This means that everyone who so far assumed the visitor’s agreement was implicit “due to the further visit to our website” is not compliant, that all opt-out based cookie banners are not compliant, that all cookie banners offering one general opt-in without distinction per processing purpose are also not compliant, …
The reality today is that the cookie model is under great pressure. Consumers are no longer willing to accept unlimited monitoring of their online behavior and it is becoming increasingly difficult to obtain opt-ins. In the meantime, the EU is working on a full revision of cookie legislation in the form of the future “ePrivacy Regulation”.
What the impact of that ePrivacy Regulation, and of, for example, Apple’s recent ITP 2.1, is on retargeting and affiliate marketing, or on current practices with new versus returning visitors, time to convert, marketing automation, lifecycle-based prospect or lead generation, personalised content, attribution models, … you can read in our contribution to the upcoming book “Obsessed” by Marc Bresseel and Renout Van Hove, published by Duval Union and Growth Agent.
However, obtaining those opt-ins is a necessity, both under the GDPR and under the cookie law.
The answers to the following questions are essential for every company and must be communicated to your website visitors:
- Which cookies do we use?
- Who is the publisher?
- How long are those cookies stored?
- With whom is the collected data shared?
- Is it about personal data?
- Is the processing in the case of personal data “GDPR compliant”?
- How and when do we ask for consent?
- Is that consent free and informed?
The central role of employee training for GDPR compliance
Integrating the GDPR into the daily life of a business is a far from obvious matter. Developing employees’ awareness of the GDPR and training them to apply it to their daily work is a key element of the process.
Employees are on the front line of the collection, processing and management of data. Without adequate training, employees are often not aware that they work with information that counts as personal data under the GDPR and is thus subject to special treatment. For employees to handle such information correctly, they must not only adopt GDPR-compliant practices but, more fundamentally, be able to identify the basic material that the GDPR governs.
Moreover, the GDPR introduces a new dimension of reputational risk for businesses. If a company is found to be non-compliant, it not only faces the risk of heavy fines but can also lose the trust of its customers and partners. Employees are the guarantors of a business’s trustworthiness; as this is no trivial matter, it is imperative that employees’ practices be as robust as possible.
As an example, a data subject calling to exercise their right of access will more likely than not simply call the company’s main switchboard. Hence, it is crucial that the employees receiving the call recognise it as a subject access request (SAR) and escalate it immediately to the right people in the company. Otherwise, the result may be a complaint to the supervisory authorities as well as bad publicity. Recognising a data breach should also be within the capacity of most employees. Without appropriate training, however, requests may be misinterpreted and breaches may take time to be identified, leading to a failure to meet the requirements laid out in the GDPR.
Training develops competence, and competence is measurable, which gives us metrics. Providing training with measurable assessment generates metrics, which in turn allow businesses to track progress, identify areas for improvement and demonstrate compliance when needed. Demonstrating compliance is a major part of the GDPR. Hence, being able to provide evidence documenting the progress of training and the level of competence of the staff will weigh heavily in the balance should a company be challenged on its personal data management practices.
At the very least, all employees ought to have basic training in the GDPR. That being said, more in-depth and focused training should be designed for specific functions or roles that carry out specialised processing. For the training to be effective, a combination of different pedagogical approaches should be considered, including delivery through multiple channels. Workshops, one-on-one training, interactive web courses, function-specific manuals, webinars and informational videos are a few of the possible options.
Finally, to keep data protection prominent, all training should be backed by ongoing awareness-raising programmes, such as posters, meetings or recreational activities on Data Protection Day.
In sum, integrating the GDPR into the daily life of a business amounts to carrying out radical organisational change. Personal data need to be addressed in a manner that meets the imperatives of the GDPR and this all the way down to the level of the individual employee. The GDPR is meant to change the way that companies think about data, and this entails changing the way individual employees think about data. Sound training about the GDPR is the cornerstone of the new mindset that is required under the GDPR.
The Data Protection Commission is Undertaking a Cookies Sweep
The Special Investigations Unit of the Data Protection Commission (DPC) has been contacting website operators in Ireland requesting their participation in a cookies sweep survey.
We understand that these sweep surveys are grounded on Article 31 of the GDPR, which requires controllers and processors to cooperate with the DPC, if requested, in respect of the performance of its statutory tasks. Participation is not optional. A refusal to participate could result in enforcement measures.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (ePrivacy Regulations) gives effect in Ireland to EU Directive 2002/58/EC (as amended).
Generally, user consent is required before setting non-essential cookies and similar technologies used to store or gain access to information on a user’s device. Users must be provided with easily accessible, ‘clear and comprehensive’ information on the technology being used and its purpose.
The CJEU’s recent ruling in Planet49 (Case C‑673/17) provides that the standard of consent that must be obtained from users in order to comply with the ePrivacy Regulations is based on the definition of, and the conditions for, valid consent under Articles 4(11) and 7 of the GDPR (i.e. a clear, affirmative act that is freely given, specific, informed and unambiguous), even if the activity does not involve the processing of personal data.
Recital 32 of the GDPR prohibits pre-ticked boxes, and provides that silence or inactivity does not constitute valid consent. The CJEU’s ruling in Planet49 confirms this in respect of obtaining valid consent for cookies – an active action by the user is required to signify their consent.
Consent is not required if the cookie or other technology is:
- used for the sole purpose of carrying out the transmission of a communication; or
- ‘strictly necessary’ in order to provide an online service explicitly required by the user (e.g. essential cookies used to remember the contents of a user’s online shopping basket; or to comply with security obligations mandated by law).
Proposal for an EU-wide ePrivacy Regulation to replace Directive 2002/58/EC
A proposed EU-wide ePrivacy Regulation, intended to replace Directive 2002/58/EC, is anticipated to introduce simplified rules on cookies including by extending the current consent exemptions. Whilst the European Parliament adopted the proposed Regulation in October 2017, it remains in draft. The most recent version was issued on 18 September 2019, but the timing for the formal adoption of the Regulation remains uncertain. The DPC’s current cookies sweep is not based on this draft EU Regulation.
The sweep survey asks participating website operators to provide:
- Details of all cookies and similar technologies currently used, including their names, functions, security, origin and duration, whether first-party or third-party, whether essential or optional, and the methodology used to determine whether a cookie is essential or optional.
- Information demonstrating how users’ consent is obtained before the deployment of cookies and similar technologies, and how this consent meets the GDPR’s requirements for valid consent.
- The reason(s) for any non-compliance with the ePrivacy Regulations on the part of the participant, the steps taken and the expected time line for rectification of any non-compliance.
Why is the DPC carrying out this cookies sweep?
Cookies sweeps are not a new initiative. The European Data Protection Board (EDPB), under its previous guise of the Article 29 Working Party, coordinated a cookies sweep of 478 websites across eight EU member states in 2014. This sweep was carried out before the higher standards for consent were introduced by the GDPR. Ireland did not take part in that sweep.
The DPC’s cookies sweep is not unexpected. Whilst there is no mention of the sweep on its website, DPC representatives have previously indicated that cookie-based transparency and consent is on the DPC’s agenda for the second half of 2019.
Cookie consent is topical across Europe. For example, on 1 October 2019 the CJEU delivered its judgment in the Planet49 case concerning cookie-based transparency and consent. Whilst the CJEU’s judgment deals with consent under the ePrivacy Directive, it indicates that consent inferred from passive activities (e.g. continued browsing of a website) may not be valid. This view is supported by recent guidance issued by data protection authorities in France, Germany and the UK.
What should organisations be doing now?
- Audit: Conduct a review, and prepare an inventory, of all cookies and similar technologies currently used by your websites and apps. Establish whether appropriate arrangements are in place for the use of any third-party cookies, including what information is shared with any third party, how it is shared, and how users are informed of this. If you identify any cookies that are no longer needed, you should consider removing them.
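A way to start the inventory described above from raw Set-Cookie headers, as an added example that is not the DPC's or the original article's code. It records the attributes the sweep asks for (name, origin, first- vs third-party, duration, security flags) and flags non-essential cookies set before consent; the list of "strictly necessary" names, the site host and all sample headers are constructed assumptions for the example.

```python
"""Cookie inventory helper (added example; not from the DPC or the original article).

Builds inventory rows from Set-Cookie headers: name, first- vs third-party,
duration, security attributes, and whether the name is on the operator's own
list of strictly necessary cookies. Non-essential cookies that were set while
no consent had been given yet are flagged. All sample data is constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: the operator has classified these names as strictly necessary
# (ePrivacy exemption), e.g. the session cookie and the consent-state cookie.
ESSENTIAL_COOKIES = {"sessionid", "cookie_consent"}


def parse_set_cookie(header: str, site_host: str, now: datetime) -> dict:
    """Turn one Set-Cookie header value into an inventory row."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # No Max-Age and no Expires means the cookie lives for the session only.
    # Max-Age takes precedence over Expires (RFC 6265).
    duration = "session"
    if "max-age" in attrs:
        duration = f"{int(attrs['max-age']) // 86400} days"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        duration = f"{(expires - now).days} days"

    # Third-party if the Domain attribute is neither the site nor a parent of it.
    domain = attrs.get("domain", site_host).lstrip(".").lower()
    first_party = site_host == domain or site_host.endswith("." + domain)

    return {
        "name": name.strip(),
        "domain": domain,
        "first_party": first_party,
        "duration": duration,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "(not set)"),
        "essential": name.strip() in ESSENTIAL_COOKIES,
    }


def build_inventory(headers, site_host, now, consent_given=False):
    """Inventory every cookie; flag optional ones set without prior consent."""
    rows = [parse_set_cookie(h, site_host, now) for h in headers]
    for row in rows:
        row["set_without_consent"] = (not row["essential"]) and not consent_given
    return rows


SITE = "www.example.test"                          # constructed site host
NOW = datetime(2019, 10, 18, tzinfo=timezone.utc)  # constructed audit date
# Constructed headers, as a first (pre-consent) page load might return them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=pending; Path=/; Max-Age=15552000; SameSite=Lax",
    "_tracker=xyz; Domain=.ads.example-partner.test; Path=/; "
    "Expires=Fri, 16 Oct 2020 00:00:00 GMT; SameSite=None; Secure",
    "ab_test=B; Domain=.example.test; Path=/; Max-Age=2592000",
]


def audit(headers=SAMPLE_HEADERS, site_host=SITE, now=NOW, consent_given=False):
    return build_inventory(headers, site_host, now, consent_given)


if __name__ == "__main__":
    for row in audit():
        print(row)
```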
When email goes badly wrong | Managing data breaches
A recent data breach, in which emails revealed sensitive patient data, is reported to impact almost two thousand individuals and underscores the importance of a comprehensive data and cybersecurity programme.
What learnings can you take from the case to mitigate breaches at your organisation?
The Charing Cross data breach
The data breach by the Charing Cross gender identity clinic, which supports adults with issues related to gender, is being treated as a serious incident by Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the clinic. Those affected may suffer understandable distress, as they may be outed to their friends and family, and some patients may even face serious danger to their wellbeing or safety.
The breach is an unfortunate case of human error – the clinic’s patient and public involvement team used the carbon copy (cc) rather than the blind carbon copy (bcc) functionality when sending out the emails. This scenario is not uncommon. However, notification to the Information Commissioner’s Office (ICO) of such an incident is not always required.
It is important for businesses to be able to ascertain quickly whether a data incident has occurred, and equally important to be able to determine whether the incident is likely to result in “a risk to the rights and freedoms of natural persons.” If there is no risk, then the leak may be classed as a data incident and may not be reportable to the ICO. There has been a tendency, particularly following GDPR, for businesses to ‘over-report’ incidents to the ICO when it is not necessary. An emerging best practice where close judgment calls must be made is to engage data security lawyers to assist in evaluating the “rights and freedoms” test as it applies to a data incident to determine reporting requirements and whether incidents do or do not meet the notification threshold.
More than a pound of cure – regulatory enforcement
The Trust may face a significant fine from the ICO for its failure to keep its patients’ personal information safe. Separately, given the type of sensitive information disclosed, those individuals affected may be entitled to compensation. A leak of this nature could attract more substantial amounts than the loss of basic data. However, the ICO will often take into account mitigating circumstances in each case when considering data breaches, which could help to minimise any fine.
Mitigating steps may involve being able to show the ICO that the relevant IT systems were in place to prevent unauthorised processing of data; that staff were provided with adequate and regular training and updates; and/or that satisfactory policies and processes are in place to ensure safe processing of data. Organisations should consider a comprehensive programme of data protection and cybersecurity to prevent these data incidents and mitigate any regulatory enforcement action. In this area careful documentation helps demonstrate these mitigating steps, and for small and medium-sized organisations it is helpful to have a data protection and cybersecurity “systems integrator”, such as a law firm or audit firm, to organise and execute the programme.
An ounce of prevention – not “if” but “when”
Many businesses have “GDPR indigestion” after spending large amounts looking at their systems, policies and procedures. However, these organisations must now develop endurance, because they are required to continuously monitor their compliance mechanisms and ensure that they are executed and updated.
With respect to email:
- Implement appropriate technical and organisational measures to prevent unauthorised processing of personal data. What is appropriate depends on the nature, scope, context and purposes of the processing and the risks posed to individuals. In the Charing Cross case, for example, given that the potential harm to individuals is greater because of the nature of the data, there is an argument that the Trust should have considered using professional email campaign technology or an account that could send a separate e-mail to each service user.
- Ensure that your staff receive regular data protection training so that they fully understand the potential consequences of breaching data protection laws.
- Ensure that strict policies and procedures are in place so that information is processed safely, e.g. a system for double-checking these types of marketing email.
When (not if!) a data breach happens, it is important to have a rehearsed plan already in place. Organisations should have a procedure so that data incident response is structured and well rehearsed and the resources are pre-positioned to deal with the fallout. Consider hosting a Serious Data Breach training day for key staff.
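One technical form of the "double-checking" control for bulk email described in the list above, as an added example that is not the Trust's or the ICO's code: a pre-send guard that rejects a message whose To or Cc fields would expose more than one external address to every recipient, plus a helper that sends one copy per recipient instead. The internal domain, the policy threshold and the sample addresses are constructed assumptions.

```python
"""Pre-send guard for bulk e-mail (added example; not the Trust's or the ICO's code).

Policy enforced here (an assumption for the example): a message to several
external recipients may carry them only in Bcc; any To/Cc field that would
reveal other external recipients' addresses is rejected before sending.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: addresses at these domains are colleagues, so showing them is not a leak.
INTERNAL_DOMAINS = {"example-trust.test"}
MAX_VISIBLE_EXTERNAL = 1  # more than one external address in To/Cc is blocked


def visible_external_recipients(msg: EmailMessage) -> list:
    """External addresses every recipient would see (To and Cc, not Bcc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    exposed = []
    for _name, addr in pairs:
        domain = addr.rpartition("@")[2].lower()
        if addr and domain not in INTERNAL_DOMAINS:
            exposed.append(addr.lower())
    return exposed


def check_before_send(msg: EmailMessage) -> tuple:
    """Return (ok, reason); catches the cc-instead-of-bcc mistake before it leaves."""
    exposed = visible_external_recipients(msg)
    if len(exposed) > MAX_VISIBLE_EXTERNAL:
        return False, (f"{len(exposed)} external addresses would be visible to each other; "
                       "move them to Bcc or send one message per recipient")
    return True, "ok"


def split_per_recipient(msg: EmailMessage) -> list:
    """Safer alternative to Bcc: one copy per recipient, no other address exposed."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    copies = []
    for _name, addr in getaddresses(headers):
        single = EmailMessage()
        single["From"] = str(msg["From"])
        single["Subject"] = str(msg["Subject"])
        single["To"] = addr
        single.set_content(msg.get_content())
        copies.append(single)
    return copies


def constructed_bulk_message(cc_instead_of_bcc: bool) -> EmailMessage:
    """Constructed sample mailing to three service users (fictitious addresses)."""
    msg = EmailMessage()
    msg["From"] = "ppi-team@example-trust.test"
    msg["To"] = "ppi-team@example-trust.test"  # own address in To, a common practice
    msg["Subject"] = "Invitation to the service user forum"
    users = "a.patient@mail.test, b.patient@mail.test, c.patient@mail.test"
    msg["Cc" if cc_instead_of_bcc else "Bcc"] = users
    msg.set_content("You are invited to the next forum meeting.")
    return msg


if __name__ == "__main__":
    print(check_before_send(constructed_bulk_message(cc_instead_of_bcc=True)))
    print(check_before_send(constructed_bulk_message(cc_instead_of_bcc=False)))
```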
In addition to a rehearsal, data breach planning should include:
- How an investigation would be covered so it could be legally privileged and involve forensic experts if appropriate
- A communication plan for regulators, customers and the public
- Controlling or mitigating damage to reputation by direct engagement with the media and any follow-up actions that require the removal or correction of defamatory material
- Providing access to support services/advice for those affected
- Implementing remedial measures to ensure that subsequent breaches cannot occur
- How any data breach litigation would be defended.
New Draft ePrivacy Regulation Released
The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”). Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency.
Below we highlight some selected topics that may be of interest to readers:
- Users will have to be reminded (probably every 12 months) of their right to withdraw their consent to the processing of electronic communications content or metadata, unless users request not to receive these reminders. This does not apply to consent for cookies or direct marketing by e-mail or SMS.
- Member States continue to reserve the right to implement data retention obligations, for example, for law enforcement purposes. This remains a controversial topic in light of past and pending CJEU case law.
- The consent requirements for cookies do not materially change, although the derogations are more clearly defined; they now include audience measuring and software updates, among others, under certain conditions. In the draft, it is clear that the consent must be a GDPR-consent, which is in line with the recent CJEU Planet49 decision, but the draft also explicitly indicates that consent can be obtained by “appropriate” technical settings of software.
- Recital 21 addresses the issue of cookie walls (i.e., making a service conditional on consent for cookies used for advertising purposes). The current draft suggests that this is indeed possible and that the required consent (users must “accept such use”) should not be considered an invalid (tied) consent under Art. 7(4) GDPR when the processing for advertising is “necessary” for the performance of the service. In other words, the acceptance is freely given. However, the tortured language of the recital demonstrates its political sensitivity – e.g., the recital refers to “accept”, not “consent”.
- Direct marketing by e-mail or SMS for own products and services to existing customers would still be based on legitimate interest with a right to opt-out. However, Member States could set an expiration time on this, following which the relevant party would presumably have to seek an opt-in consent if it wants to continue sending advertising. This risks creating a patchwork of un-harmonized marketing rules across the EU, despite having an EU-wide regulation.
- Electronic communications metadata can be used for scientific research, without consent, under certain conditions. Interestingly, under the most recent version of the EPR these conditions no longer require that the research be based on Union or Member State law (a contrario Art. 9(2)(j) GDPR). This is a welcome change, given that such laws do not exist in most cases.