In this week's research note we have articles covering a broad range of topics, including data sharing with the UK after Brexit, claiming compensation after a breach, a new matrix for assessing fines in Germany, the introduction of a new DP Law in the Cayman Islands, new guidance on cookies, the lawful basis for processing, and the rights of data subjects under GDPR.
Of particular interest to our clients might be the first article on what Brexit means for your ability to transfer data to the UK, especially in the event of a ‘no deal’ Brexit.
There is a growing conversation about the fines that are being levied against companies that breach data protection legislation, but it is often overlooked that data subjects are increasingly aware that they are also likely due compensation. This is explored in a little more detail in the article about the data breach by a London gender identity clinic.
The Cayman Islands Data Protection Law comes into force at the end of this month. It is based largely on GDPR, and it is interesting to note that data controllers not established in the Cayman Islands are required to appoint a representative.
Consent is often held up as the ‘gold standard’ for data protection. However, the article GDPR – A reminder that consent isn’t always the answer is a timely reminder that this really isn’t the case. Consent is no more and no less a valid lawful basis than any of the other 5 bases.
After Brexit – solving the border problem in a data driven world
One would be forgiven for thinking, in today’s increasingly interconnected digital world, that data transcends borders. In practical terms, for example, an email can be sent from an office in Glasgow and, seconds later, be delivered to an inbox in Manila. What is often overlooked is the legal framework which enables the free flow of data cross border. Over recent years we have seen a proliferation of legal challenges to that framework including court action concerning the validity of data transfers to the US from Europe (under the now defunct ‘Safe Harbor’ mechanism and its slightly more muscular relative, ‘Privacy Shield’).
And now there is Brexit, together with the uncertainty regarding whether the UK will leave with or without a deal.
If the previously unthinkable happens and a no deal Brexit is the outcome, what happens from a data protection perspective? In particular, where does such an outcome leave an organisation based in the Channel Islands, whose main business operations require the sizeable, uninterrupted and unencumbered flow of data to the UK?
Both the GDPR and Channel Islands’ data protection laws prevent controllers and processors (“Data Exporter”) from transferring personal data to any third territory, jurisdiction or ‘international organisation’ which is outside of the European Economic Area or EEA (“Recipient”) unless:
(a) the Recipient ensures an adequate level of protection for the personal data as determined by the European Commission (often referred to as an ‘adequacy decision’); or
(b) in the absence of an adequacy decision under (a), the Data Exporter puts in place appropriate safeguards, on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or
(c) in the absence of either (a) or (b), the Data Exporter is able to rely on one of the recognised derogations to legitimise the transfer.
These restrictions have the effect of creating a barrier in respect of certain jurisdictions, depending on the adequacy of their data protection regimes.
The effect of these restrictions is that:
• Transfers of personal data to a country within the EEA (comprising each of the European Member States as well as Iceland, Liechtenstein and Norway) are unrestricted;
• Similarly, any data transfers to a jurisdiction which holds an adequacy decision are permissible (such as the Bailiwick of Guernsey and the Island of Jersey and those US companies who have signed up to EU-US Privacy Shield); and
• Transfers of personal data to a Recipient who has not received an adequacy decision will not be permitted unless the Recipient can demonstrate that a suitable safeguard or derogation applies.
If the UK leaves the EU on the terms set out in the withdrawal agreement, negotiated by Theresa May’s government, Brexit would not have any immediate impact on data flows to the UK. This is because the terms of the withdrawal agreement provide that the GDPR would continue to apply until 31 December 2020 (a period which may be extended, by joint agreement of the UK and EU, for a further 2 years) and during that time the UK could apply for an adequacy decision. In essence, therefore, the status quo would be preserved until the UK government obtains an adequacy decision.
A ‘No Deal’ Brexit, on the other hand, poses a different set of challenges. If the UK leaves the EU on 1 November 2019 without a deal, it will (for EU purposes) become a ‘third country’ – the UK would essentially fall into the third category of Recipients above – those without an adequacy finding, meaning that transfers of personal data from the EU and the Channel Islands into the UK would not be permitted unless the Recipient can demonstrate that a suitable safeguard or derogation applies.
Moving personal data across the English Channel
Against this turbulent backdrop, it may come as a surprise that the Channel Islands are presently unaffected by this issue.
Both Jersey and the Bailiwick of Guernsey have adequacy status and have also implemented legislation to permit Channel Islands’ companies to transfer personal data until the end of 2020 (to coincide with the exit date proposed under Theresa May’s withdrawal agreement).
However, there is a ‘but’. To the extent that the European Commission rules on the UK’s adequacy before the expiry date set in Jersey and Guernsey’s legislation (i.e. before 31 December 2020), Guernsey’s Data Protection Authority has confirmed that it would ask the States of Deliberation in Guernsey to revoke the legislation so that the ability to transfer data to the UK with this approach would cease. It remains to be seen what Jersey would do in a similar situation.
Furthermore, whilst this legislation legitimises the transfer of personal data under the local data protection regimes, it does not extend to the GDPR.
There may, for example, be circumstances where a Guernsey or Jersey company is subject to both the local data protection law and the GDPR itself (by virtue of the GDPR’s extraterritoriality provisions). In these circumstances, local companies will still have to consider which transfer mechanisms they can rely on under the GDPR in order to enable the lawful transfer of data to the UK.
In both scenarios, an alternative data transfer solution would need to be considered. The European Data Protection Board has published a guidance note in this regard which can be found at: https://edpb.europa.eu/our-work-tools/our-documents/drugo/information-no…
For all these reasons, standard contractual clauses (SCCs) are likely to remain the most practical solution for allowing data transfers, but some caution should be exercised due to potential changes on the horizon.
Overall, Channel Islands businesses need to be aware of the present situation and the potential changes which might significantly impact how and where they process their data. They will need to look afresh at their data protection compliance and transfer mechanisms in the coming months, potentially more than once. There may, however, be good news ahead, with a new set of SCCs in the offing and resolutions (hopefully) to end the speculation regarding the status of Privacy Shield and Brexit.
Serious data breach by London gender identity clinic
Leading lawyer says data breach by the Charing Cross Gender Identity Clinic is likely to lead to substantial claims for compensation
A leading human rights and information law lawyer has said that the recent actions of the Charing Cross Gender Identity Clinic, in mistakenly revealing the identities of almost two thousand of its patients, are likely to lead to substantial claims for compensation by those affected.
Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the Charing Cross Gender Identity Clinic, has issued a short statement stating that “due to an error”, a group email concerning an art competition was sent to patients at the Clinic with the email addresses of all recipients of the email visible.
The Trust refers to the incident as “a serious data breach” and provides contact details for those wishing to access support services. The BBC have reported that two separate emails were sent out by the Clinic with the details of about 900 patients visible in each.
Shon Faye, one of the affected patients, has referred to the incident being a horrendous breach of privacy that could have an impact on people’s lives and stated that “it could lead to people being outed to family members or to their communities as being trans, where it may be a risk to them being known to be trans. That could be hugely dangerous to their wellbeing and safety.”
The incident is likely to represent a breach of the duty of confidence that the Clinic owes to its patients, a misuse of the medical information it holds for them, a breach of the General Data Protection Regulation in relation to the Clinic’s obligations to hold patient information securely, and a breach of the patients’ human rights in relation to respect for their private life.
The Trust is now likely to face a very substantial fine, almost certainly running into the millions of pounds, from the Information Commissioner’s Office, the UK’s data protection watchdog, for failing to keep patients’ personal information safe.
Sean Humber, from the human rights team at Leigh Day, who has successfully acted in dozens of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, stated:
“This extremely unfortunate disclosure of sensitive personal information is clearly unlawful – being a breach of the duty of confidence owed by the Clinic to each of its patients and a misuse of their private information as well as being a breach of the General Data Protection Regulation. It is also likely to represent a breach of the patients’ right to a private life under the Human Rights Act.
“The number one priority must now be for the Clinic to take whatever steps they can to limit the wider disclosure of this information and provide any support required by those affected. However, given that the information has already been disclosed, affected patients are likely to be entitled to substantial awards of compensation for distress and any other losses suffered as a result of the unauthorised disclosure of their confidential information.
“Even if the breach turns out to have been entirely accidental or occurred as a result of individual human error, this will be no defence to a claim for compensation. Organisations are required to have robust measures in place to prevent these sorts of incidents occurring, something that seems to have been sadly lacking in this case. It is also important to emphasise that claims for compensation by affected patients are entirely separate from any action that the ICO are likely to take.”
German Data Protection Authorities agree on new GDPR Fining Model
According to recent press reports, the German data protection authorities have agreed on a new way to calculate administrative fines under the General Data Protection Regulation (“GDPR”). The new scoring model, which has not yet been officially published, could make fines of tens of millions of euros a reality in Germany. In contrast to their French and UK counterparts, Germany’s data protection authorities have so far been more restrictive in imposing GDPR fines.
The new model
The new model is reported to derive a daily fine rate from the worldwide company turnover of the previous year. The daily rate is then multiplied by a factor of 1 for a very minor infringement to 14.4 for a very serious infringement. The severity is determined by, among other things, the duration of the infringement, the number of persons affected and the extent of the damage suffered.
The model also takes into account the degree of fault. If the negligence was minor or unintentional, the factored rate is reduced by 25 percent. If the negligence was more than minor but deliberate, the fine may increase by 25 percent or even 50 percent. If the company had been non-compliant in the past, a surcharge will be added: 50 percent if this is a second infringement, 150 percent if this is a third infringement and 300 percent if this is a fourth or more infringement.
Other factors that can have an impact include the company’s cooperativeness with the authorities and measures it has taken to mitigate the damages.
A look ahead
While the model is not official yet, once formally adopted in its reported form, fines are likely to increase. However, it will also give businesses more clarity about how the fines are determined.
Cayman Islands Data Protection law goes into force this month
The Cayman Islands Data Protection Law, 2017 (“DPL”), which was published in June 2017, will go into force on September 30, 2019. The DPL includes requirements for the protection of personal data and is centered upon eight data protection principles. According to the newly minted Cayman Islands data protection authority, the DPL aligns the Cayman Islands with other major jurisdictions around the world. It includes many concepts that exist in other comprehensive data protection laws, such as the EU General Data Protection Regulation. For example, the DPL includes personal data processing limitations, individual data subject rights, data breach notification obligations and cross-border transfer restrictions.
The DPL applies to a “data controller” who (1) is established in the Cayman Islands if the personal data is processed in the context of that establishment, or (2) is not established in the Cayman Islands, but who processes personal data in the Cayman Islands (unless the processing is limited to the data’s transit through the Cayman Islands). “Data controller” is defined as the person who, alone or jointly with others, determines the purposes, conditions and manner in which personal data is processed. Data controllers who are not established in the Cayman Islands must nominate a representative who is established in the Cayman Islands. The representative will bear the obligations under the DPL as if they were the data controller.
The DPL will be enforced by the Office of the Ombudsman. The Office of the Ombudsman has issued non-binding guidance that aims to explain how the Ombudsman will likely interpret certain provisions of the DPL. Failure to comply with an order issued by the Ombudsman is punishable by a fine of CI$100,000 or imprisonment for five years, or both. Monetary penalties of up to CI$250,000 may also be issued.
Cookie Monster – ICO publishes guidance to remind advertisers how cookies should be used
Advertisers and brands will now have to seek GDPR-standard consent in order to place non-essential cookies onto a user’s device. Since the Privacy and Electronic Communications Regulations 2003 (PECR) came into force, consent has been required to place non-essential cookies. “Implied consent” was commonly relied on, often through relevant information being included in a cookie banner, with continued browsing being deemed to constitute consent. Such practices are no longer compliant, following the entry into force of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, which provide that “consent” under the PECR has the same meaning as consent under the GDPR.
The ICO has now published guidance on how advertisers and brands need to achieve consent to place cookies. The guidance also provides that if the data collected by the cookie is anonymous, the consent requirement still applies because PECR applies to all cookies.
Why this matters
Advertisers and brands often rely on implied consent for cookies in order to optimise a consumer’s journey through a website. The change in the law means that advertisers and brands will need to consider carefully how to obtain consent and the potential effect this may have on their own targeted advertising activities. In order to obtain valid consent, advertisers and brands should now give users the option to opt out of non-essential cookies, which means that cookies used for online advertising may not be able to be placed, which could prevent the user being tracked for targeted advertising. Advertisers and brands should consider revisiting their cookie policies to ensure they do not fall foul of the law and the most recent guidance.
GDPR – A reminder that consent isn’t always the answer
In order to comply with the data processing principles, every data controller must identify a lawful basis under article 6 of the GDPR for their processing activities.
There are six prescribed lawful grounds for processing:
- The data subject has given their consent;
- The processing is necessary for the purposes of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation;
- The processing is necessary in order to protect the vital interests of the data subject or another natural person;
- The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or freedoms of the data subject).
As an employer, it is likely that you will rely on more than one of the above when processing your employees’ data. It’s important to consider each processing activity separately and identify the most suitable lawful basis for that activity, rather than try to identify a ‘catch all’ ground to cover everything.
Whilst consent may seem like a convenient option, in practice it’s unlikely to be suitable in an employer-employee relationship. In order to be valid, consent must be freely given, specific, informed and unambiguous. It must be a genuine choice which the data subject has the option to revoke without consequence at any time. It is difficult to satisfy the requirement for valid consent in employer-employee relationships because of the imbalance of power between the parties and the presumption that the employee will feel under pressure to give consent. There will also be some data which the controller must have in order to employ an individual and so consent for the processing of that data will not be a genuine choice.
The Greek supervisory authority ruled that PwC were incorrectly relying on consent as their lawful ground for processing their employees’ data when there were more suitable alternatives.
In particular, the Greek supervisory authority cited the following as more appropriate grounds for employers:
- The performance of the employment contract to which both the controller and the employees are subject;
- Compliance with any legal obligations imposed on the controller under the relevant employment laws of that jurisdiction; and
- For the purposes of the controller’s legitimate interests in ensuring good management of the company and their employees.
What does this mean for you or your business?
Whilst the decision was made by a supervisory authority in the EU, it should still be considered a warning to employers in the UK to evaluate their own data processing activities.
What do you need to be doing now?
All data controllers should take stock of the grounds they are currently relying on for processing employee data and ensure these grounds are appropriate. If not, consider whether you need to amend your employment contracts, privacy notice and/or data protection policy.