In this week’s research note we have articles covering a broad range of topics, including insurance against fines, Brexit, cookies and the Right to Be Forgotten:
Of particular interest to our clients might be the article on the insurability of GDPR fines. Cyber security insurance is relatively new, and if you are considering taking out this insurance it is important that you properly understand the scope of your cover and, more importantly, its limits.
Brexit, of course, is an issue which has potentially very serious implications for all data controllers and processors. If and when the UK leaves the EU there will be a knock-on effect locally. Whilst the transfer of data between Jersey and the UK should not be affected (the Data Protection (Jersey) Law 2018 will be amended to enable transfers to take place), local companies who sell goods and services to the UK and EU may require a UK representative as well as an EU representative.
We are developing a compliant cookie preference centre together with a local tech company; watch this space.
If you have any questions about EU/UK representatives or cookie compliance or you have any questions about any aspect of data protection please do not hesitate to give us a call.
European Commission Issues Report on the Implementation of the GDPR
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework. In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives. The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is composed of civil society and business representatives, academics and practitioners, and which supports the application of the GDPR. The report will contribute to the Commission’s formal two-year review of the GDPR, to take place in May 2020.
The report emphasizes the success of the GDPR in harmonizing data protection rules across Europe to provide greater legal certainty for individuals and businesses.
The report praises the work of the Member State supervisory authorities, who in its view have exercised their new enforcement powers in a balanced manner that values dialogue over sanctions.
The Commission further notes that individuals are showing a greater awareness of their privacy rights under the GDPR and a willingness to exercise those rights. Nevertheless, efforts in this area should continue to enhance individual participation and prevent any misunderstandings or misinformation about privacy rights.
In the report, the Commission applauds the efforts of businesses to comply with the GDPR. Compliance has undeniably resulted in challenges for some, but it has also created a timely opportunity for organizations to enhance internal privacy and data security practices and to develop privacy-friendly services.
The Commission concludes its report by stating that the first year of the application of the GDPR has been positive overall, but that there is still work to be done in a number of areas.
Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’
On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”. The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.
More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users. The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.
The internet searches in question brought users to an article concerning a criminal proceeding in which the professional was involved and that had occurred approximately a decade before. The story had not been updated to reflect the fact that the criminal proceeding had terminated with an acquittal of the professional.
For this reason, the individual requested that Google remove the search link, on the grounds that this harmed his personal reputation as well as his career. Google refused to remove the URL, arguing that the right to be forgotten did not permit individuals to remove links to stories accessible via searches apart from those based on a person’s name, and cited the judgment of the European Court of Justice in Case C-131/12 (the so-called “Google Spain” decision) in support of its argument.
The Garante held that, in accordance with Article 21 of the GDPR, the data subject has the right to object to the processing of personal data on the grounds of his or her particular situation. On that basis, Google is required to stop the processing of the personal data unless it can demonstrate compelling legitimate grounds.
Furthermore, the Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person. Citing the GDPR’s definition of “personal data”, which refers to “factors specific to cultural or social identity of that natural person”, the Garante concluded that the data subject’s position as president of a cooperative constituted identifiable – and therefore personal – data relating to him.
Finally, the Garante rejected Google’s argument that the damage that the data subject suffered was outweighed by the public interests served by making the story available to the public, especially insofar as the report was incomplete and inaccurate.
For these reasons, the Garante ruled that Google must remove the URL within 20 days from the date of receipt of the decision.
The Insurability of GDPR Fines
As the first fines are imposed across Europe, a question will now be asked of insurance companies: are GDPR fines actually insurable?
In January 2019, a fine of €50 million (the most significant fine to be imposed under the GDPR regime to date) was imposed by the French data protection authority (the CNIL) on Google LLC. More recently, on 8 July 2019, the UK Information Commissioner’s Office announced its intention to fine British Airways £183.39 million (which will be the largest fine to date under the GDPR regime if imposed) for infringements of the GDPR relating to a cyber-security incident which occurred in September 2018. The following day (in response to a statement made by Marriott in a regulatory filing), it announced its intention to fine the Marriott hotel chain £99 million for infringements of the GDPR relating to a cyber incident in November 2018.
While some cyber insurance policies expressly exclude cover for fines and penalties, others provide cover “to the extent insurable by law”. However, the extent to which GDPR fines are insurable is still uncertain in Ireland and in a number of other jurisdictions, including the UK. Such uncertainty has prompted the Global Federation of Insurance Associations to call for guidance from the Organisation for Economic Cooperation and Development (the “OECD”). While such guidance would not be binding, it would be a helpful starting point for both insurers and insureds to consider their potential exposure.
The position on the insurability of GDPR fines remains a grey area. As the law currently stands, there is a large question mark over whether GDPR fines will be insurable in Ireland where there is any element of “moral turpitude” in the infringement. The GDPR calls for fines to be “dissuasive”, and if all GDPR fines are indemnifiable under insurance, the public policy behind the fines could arguably be undermined. It may be that some element of moral turpitude or wrongdoing would be required in order for the fine to be uninsurable, which could potentially result in a “sliding scale” of insurability, with criminal or quasi-criminal fines likely being uninsurable.
Given that cyber insurance is still a relatively new product on the market, there is no standard wording or extent of cover and it is important for policyholders to properly understand the scope of their cover and more importantly its limits. It is recommended that policyholders review their cyber liability cover and consider if fines and penalties are covered “to the extent insurable by law” or, indeed, if they are expressly excluded. Cyber liability insurers will need to consider how they will respond in the event of a claim for a GDPR fine, where this wording is included in their policies, in circumstances where insurability for the ‘tier 1’, ‘tier 2’ or ‘tier 3’ fines has not yet been determined.
The effects of a no-deal Brexit on privacy and data protection
With the Johnson ministry into its second week, it is important to take stock of what impact Brexit will have on your privacy and data protection provisions. The Prime Minister has made clear that there will be ‘no ifs or buts’ on the withdrawal of the UK from the EU on 31 October 2019 (exit day).
What does this mean for privacy and data protection? Some areas still need government clarification, or will be determined by any withdrawal agreement.
Below, we set out some of the key issues that companies with UK and EU operations need to think about:
Personal data flows from the EU to the UK after Brexit. What happens? The UK will be a ‘third country’ without adequacy status.
In the event of a no-deal Brexit, the UK will become a third country. This means that, post-Brexit, data transfers to the UK can only occur under the following mechanisms:
Adequacy agreement. There is currently no adequacy agreement in place for the UK.
Standard contractual clauses. These can be used alongside your data processing agreement. They must not be modified, and must be signed as provided by the European Commission.
Binding corporate rules (BCR). These are personal data protection policies agreed by a group of companies, and approved by the BCR lead supervisory authority (LSA) and the European Data Protection Board (EDPB).
Codes of conduct and certification mechanisms. These should contain binding and enforceable commitments, such as to provide appropriate safeguards. The EDPB is planning to publish guidance in this area.
Relying on derogations. There are a number of derogations which allow for the transfer of personal data without the safeguards listed above. However, these are interpreted very restrictively.
Will you need to appoint a UK representative if you’re selling into the UK?
Controllers of personal data located outside of the UK will be required to appoint a UK representative. This requirement will only apply to companies that sell into the UK or monitor the behaviour of UK residents. This obligation will mirror GDPR Article 27.
Lead supervisory authorities. What happens if the Information Commissioner’s Office (ICO) is your LSA? What happens to the GDPR cooperation and consistency mechanism?
In the event of a no-deal exit, the UK will no longer participate in the one stop shop mechanism or the consistency and cooperation procedure. The ICO may be able to continue to be your LSA if the UK enters into the Withdrawal Agreement or another agreement negotiated in between now and exit day. Depending on the terms of any other agreement, the issue of whether the ICO can remain as LSA may have to be resolved at the end of a transition period.
The EDPB advises that groups of companies headquartered in the UK should identify a new BCR lead within the EU.
What about eMarketing? Will ePrivacy Regulation come into force in the UK?
The draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amend UK data protection laws to ensure that they continue to operate after exit day. PECR (the Privacy and Electronic Communications Regulations) is amended to align the definition of consent for cookies with the UK GDPR.
Whether the ePrivacy Regulation comes into force in the UK depends on whether the UK enters into the Withdrawal Agreement. If the ePrivacy Regulation applies during the transition period, then it will be implemented automatically into UK domestic law. This may not be the case under another agreement negotiated by the UK before exit day.
Much of your contingency planning will depend on whether an agreement can be reached between the EU and UK, and what form that agreement takes.
Cookie consent: update one year post-GDPR
The cookie compliance requirements in the UK have recently been overhauled to make it crystal clear that GDPR level consent is now needed to set most cookies. These stricter requirements will impact most organisations.
In the UK, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 expressly state that, from 29 March 2019, consent to drop cookies in the UK must comply with the GDPR requirements for consent.
The UK supervisory authority (the ICO) went further and this month published updated guidance reinforcing the requirement for GDPR level consent and giving practical direction on how to achieve it. The ICO clarifies that, where you need consent under PECR to set non-essential cookies, then your legal basis under GDPR will also be consent. The move to GDPR level consent represents a huge change to the way in which many companies in the UK currently approach cookie compliance.
It is important to realise that this GDPR level consent is also needed for “similar technologies” to cookies, i.e. anything which stores or accesses information on a user’s device, such as HTML5 local storage, Local Shared Objects, tracking pixels, plug-ins, and device fingerprinting techniques.
Consent is not needed for ‘essential’ cookies. However, the ICO has clarified that the concept of “essential” is very narrow and will not include any analytics cookies, first or third party advertising cookies, social media plugins, or tracking or cross-device tracking. It is interesting that the ICO has taken a stricter approach in this area than the CNIL in France, which has suggested that audience measurement cookies can, in certain circumstances, be seen as necessary.
Essential cookies might include cookies that track user input where this is essential for the operation of the service (for example which items had been put in a shopping basket over the course of a web session) or where required to comply with security obligations such as authentication, but this will need to be assessed on a case by case basis. Having said that, care should be taken with the classification of essential cookies as there are a number of exceptions. For example:
authentication cookies are generally seen as essential but persistent authentication cookies such as login cookies are not, because the user may not remember that they are logged in during a subsequent visit.
security cookies are exempt if they are first party cookies but if the information is used for another purpose (such as the security of third parties’ online services) then consent is required.
cookies that relate to video or audio may be seen as essential for streaming content but will not be exempt from the consent requirement if they relate to additional functionality, such as personalisation, or usage monitoring.
What does this mean for you?
Even if you made changes to the way in which you set cookies in the run up to GDPR, you should consider revisiting this to ensure that your methods do not fall foul of more recent guidance on cookie consent. In particular this means consent should be:
Active. All permissions should be defaulted to settings which reject cookies. For example any tick box asking individuals to consent to cookies must be presented unticked, and you cannot rely on inaction (such as continuing to browse a website) as an indication of consent. ICO guidance goes as far as to state that the consent mechanism should not emphasise “agree” or “allow” buttons over those stating “reject” as this influences individuals towards accepting cookies.
Informed. Individuals must be informed about what the cookies do before they can validly consent. The explanation must be comprehensive and clear (taking account of the type and age of individuals using the site). The French regulator in particular has criticised Google and others in the adtech industry for a lack of transparency. The ICO states that consent should include information about the controller’s name, the purposes of the processing and the types of processing activity.
Identifying any third parties. If you use any third party cookies then your consent mechanism will need to cover them by identifying the relevant third party and explaining how these third parties will use the information collected from their cookie. You will need to ask for new consent each time you add a new third party which places cookies, or when a third party changes the purpose for which cookie information is collected and used.
Granular. You need specific consent for each different processing activity, so you should ask individuals to consent separately to each different type or group of cookies (such as advertising, analytics, etc.). As a result of regulator scrutiny, many cookie management platforms have revised their consent mechanisms to make them more specific and granular, although the ICO also criticises an over-granular and over-complicated approach in its guidance. The level of detail required will need to be assessed on a case by case basis and balanced against the need to be clear and transparent.
Unbundled. Cookie consent must be separate from any other consents (for example, consent to cookies should not be included in the general terms and conditions).
Freely given. You should not make cookie consent a condition for accessing your services or site where cookies are not necessary for the particular services (such as using a cookie wall).
Capable of being withdrawn. Individuals must be informed that they can withdraw their consent at any time and you should offer them a simple mechanism for withdrawing consent (as it should be as easy to withdraw consent as it was to give it). They must also be provided with controls over any non-essential cookies and should be allowed to continue to use your site even if they withdraw their consent.
Importantly you should not set any non-essential cookies on your site or landing page before the relevant individual has given their consent.
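The consent rules above, as an added example in JavaScript (not code from this newsletter or from any consent product): a small gate that holds back non-essential cookies until the user has actively opted in to that category, releases them on consent, and clears them on withdrawal. The storage backend is injected; in a browser it would wrap document.cookie or localStorage, and the in-memory store here is constructed for illustration.

```javascript
// Non-essential categories the user can consent to separately (granular).
const CATEGORIES = ['analytics', 'advertising', 'social'];

function createConsentGate(store) {
  // Active consent: every non-essential category starts rejected (unticked).
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const pending = []; // writes held back until consent exists for their category

  function allowed(category) {
    if (category === 'essential') return true; // no consent needed
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return state[category] === true;
  }

  // Gate every write: essential cookies go through; non-essential ones are
  // deferred, so nothing is set on the landing page before consent.
  function setCookie(name, value, category) {
    if (!allowed(category)) {
      pending.push({ name, value, category });
      return false;
    }
    store.set(name, value, category);
    return true;
  }

  // Granular and unbundled: the caller passes only the categories the user
  // ticked; anything omitted stays rejected (inaction is not consent).
  function grant(choices) {
    for (const c of CATEGORIES) state[c] = choices[c] === true;
    const held = pending.splice(0);
    for (const p of held) {
      if (allowed(p.category)) store.set(p.name, p.value, p.category);
      else pending.push(p);
    }
    return { ...state };
  }

  // Withdrawal is as easy as consent: one call rejects the category and
  // removes cookies already set under it; the site keeps working.
  function withdraw(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    state[category] = false;
    store.removeCategory(category);
    return { ...state };
  }

  return { allowed, setCookie, grant, withdraw, snapshot: () => ({ ...state }) };
}

// Constructed in-memory backend standing in for document.cookie / localStorage.
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, value, category) => jar.set(name, { value, category }),
    removeCategory: (cat) => {
      for (const [k, v] of jar) if (v.category === cat) jar.delete(k);
    },
    names: () => [...jar.keys()],
  };
}
```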
France’s CNIL Publishes New Guidance on Cookies
On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.
The Guidance clarifies that consent to cookies must comply with the definition and conditions of GDPR Articles 4(11) and 7 as interpreted by the European Data Protection Board guidelines on consent. As a result, the Guidance repeals the CNIL’s 2013 guidance, pursuant to which users who continued browsing a website after being informed of cookie placement were deemed to have given consent.
How to obtain valid consent?
According to the Guidance, organizations shall not place cookies or other tracking devices or process personal data obtained through them unless users have previously positively accepted the placement in a free, specific, informed, and unambiguous manner.
The Guidance mainly restates these principles without providing real concrete applications, contrary to the ICO’s own guidance. However, a few interesting takeaways include:
The use of “cookie walls” (blocking access to a website unless users consent to cookies) is not an acceptable practice because consent cannot be considered to be freely given under such circumstances.
Informed consent requires that prior to obtaining user consent, organizations must, at a minimum, provide to users (i) the identity of the data controller(s), (ii) the purpose(s) of the processing activities, and (iii) the existence of the right to withdraw consent.
The use of pre-checked boxes does not amount to a clear, positive act of consent.
GDPR Privacy FAQs
Do European privacy laws require that a company obtain opt-in consent from a website user before placing analytics cookies on their browser?
European data privacy law distinguishes between session cookies that, for example, allow a website to function properly, and analytics cookies that are unnecessary for the functioning of the website. With respect to analytics cookies, recent guidance from the United Kingdom’s Information Commissioner’s Office indicates that consent is required prior to the deployment of analytics cookies by a website. Specifically, the guidance states “consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not.”