1. SCHREMS 2.0 – the demise of Standard Contractual Clauses and Privacy Shield?
On July 9th, 2019, the Court of Justice of the European Union (CJEU) heard a case concerning the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and Privacy Shield, mechanisms widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA.
The case was referred to the CJEU by the Irish High Court following a complaint from Mr Schrems about the degree of cooperation between US companies and US intelligence services. The complaint follows on from his previous complaint (Schrems 1.0) about whether Facebook's transfer of EU citizens' personal data to Facebook Inc in the US violated their rights. In a landmark finding in October 2015, the CJEU agreed with Mr Schrems, finding that the Safe Harbor framework did not provide a level of protection for personal data equivalent to that afforded within the EU by the Directive and the Charter, and that it therefore did not meet the Directive's adequacy standard for international transfers.
Following this finding the EU Commission agreed to replace Safe Harbor with a new EU-US transfer regime, Privacy Shield, and many companies switched to Standard Contractual Clauses (SCCs) to legitimise their international data transfers.
The latest complaint (Schrems 2.0) challenged Facebook's use of SCCs as an alternative transfer mechanism. The Irish regulator referred the issue to the Irish High Court, which in turn referred the matter to the CJEU. The questions posed to the CJEU were extended to cover the wider issue of EU-US data transfers more generally. Importantly, the CJEU was asked to consider the validity of Privacy Shield alongside the validity of SCCs.
If the CJEU invalidates the SCCs and/or Privacy Shield, this would have a wide-ranging and significant impact on any company transferring personal data out of the EEA.
The CJEU is expected to deliver its decision in late 2019 or early 2020.
2. In First GDPR Fine, the Romanian DPA mixes the old and the new.
On 4 July 2019, the Romanian Authority for the Supervision of Personal Data Processing (the "Romanian DPA") announced that it had applied the first fine under GDPR:
• the sanctioned entity: a banking institution
• the deed: disclosing payers' addresses and, in some cases, personal numeric codes (the Romanian national identification number) to recipients of payments made via the banking institution's online system; the same information was also reflected in bank statements
• number of affected persons: 337,042
• duration of breach: 25 May – 10 December 2018
• amount of fine: EUR 130,000
3. Second GDPR Fine in Romania: it’s all about personal data security
On July 8th, 2019, the Romanian Authority for the Supervision of Personal Data Processing (the "Romanian DPA") announced that it had applied the second fine under GDPR:
• the sanctioned entity: an entity active, amongst others, in the hospitality sector
• the deed: mishandling of clients' personal data: the data was held in paper format (a list of clients who had paid for breakfast), was photographed by unauthorised persons and published online, thereby affecting the data subjects' right to privacy
• relevant details: the investigation was initiated after the controller had notified the personal data breach to the DPA under Article 33 of GDPR
• number of affected persons: 46
• amount of fine: EUR 15,000
4. UK cookie guidance published: Are you compliant?
The UK Information Commissioner’s Office (ICO) has published its eagerly awaited updated guidance on cookies.
The guidance confirms what most data practitioners already knew about cookie requirements, and there are few big surprises. However, since many companies have not been complying, a huge number of sites and services will need to take steps to avoid censure now that the regulator has confirmed what it expects. There is no transition or lead time for compliance: the guidance is in force now.
Key points to note from the guidance:
It confirms that cookie consent has to be 'GDPR' level consent for the installation of cookies on the device. This means a freely given, specific, informed and unambiguous indication of the user's wishes by way of a clear affirmative action.
Silence or inaction, or wording (regularly seen in current cookie notices) along the lines that consent is given "by continuing to use this site", is not valid consent.
You can't use default consent settings such as pre-ticked boxes or sliders set to "on".
Consent has to be obtained before the cookies are installed.
The user has to be given clear information about the cookies before consenting to them.
Users have to have a means to control the cookies, i.e. to turn them off. Merely offering the ability to turn them off after they have already been set (again, a practice regularly seen) is not sufficient, because consent must be obtained first.
Cookie walls (which block users from accessing the site or content until they agree to the cookies) are problematic, since consent has to be freely given. The ICO does leave the door open to acceptable use in very limited circumstances, but it is clear this won't work for advertising cookies or for general restrictions on access to sites and services.
Consent mechanisms that 'nudge' individuals towards a particular option (for example by emphasising 'I accept' over the option to say no) are invalid. The ICO says that users should not be influenced to make a particular choice. Placing the option to say 'no' only within a 'more information' or 'settings' section would also be non-compliant.
5. UK – Is the new guidance a cookie killer?
Consent will be needed for cookies unless they are strictly necessary. The table below summarises the position in the revised guidance, which makes a number of significant amendments, in particular the new distinction between session cookies and persistent cookies.
The new guidance also imposes much stricter obligations to obtain consent, reflecting the fact that consent must meet the standards under the GDPR.
Accordingly, the following practice will not provide a valid consent:
• Default to consent – A mechanism with a pre-set or default option to allow cookies will not provide consent.
Importantly, the consent must be informed. That means that you must provide clear information about what cookies are used and why. If you use any third-party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.
The guidance also clearly requires that websites obtain consent before placing any cookies on the user's device (unless the cookie is strictly necessary).
SEPTEMBER 5, 2019
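The two UK sections above amount to a specification for how a site's consent logic has to behave: nothing non-essential is written before an explicit accept, inaction never counts as consent, defaults are off, withdrawal is as easy as acceptance, and third parties are named with their purpose. The following JavaScript is an added example written for this page, not code from the ICO or from any consent-management product. It models the consent gate in memory (a `CookieJar` class standing in for `document.cookie`, so it runs under Node without a browser), and adds a `lintBanner` check that flags the non-compliant banner practices the guidance lists. The cookie category names, the banner configuration fields (`defaults`, `rejectControl`, `acceptEmphasised`, `blocksAccessUntilConsent`, `continuedUseIsConsent`, `thirdParties`) and the issue labels are all assumptions chosen for the example, as is the constructed walk-through in `demo()`.

```javascript
'use strict';

// Cookie categories for the example. "strictly_necessary" is the only
// category exempt from consent; every other category needs prior, explicit
// consent before a cookie in it is set.
const STRICTLY_NECESSARY = 'strictly_necessary';

// Records the user's decision per category. The initial state is "no
// decision", which the gate treats as "not consented": nothing is on by default.
class ConsentState {
  constructor() {
    this.decisions = new Map(); // category -> true (accepted) | false (rejected)
  }

  // Only a clear affirmative action is accepted as a consent signal. Scrolling,
  // inaction or "continuing to use the site" are rejected as actions, so they
  // can never flip a category to true.
  record(category, action) {
    if (action === 'accept') this.decisions.set(category, true);
    else if (action === 'reject') this.decisions.set(category, false);
    else throw new Error(`'${action}' is not a valid affirmative action`);
  }

  allows(category) {
    if (category === STRICTLY_NECESSARY) return true;
    return this.decisions.get(category) === true;
  }
}

// In-memory stand-in for document.cookie so the gate can be exercised under Node.
class CookieJar {
  constructor(consent) {
    this.consent = consent;
    this.cookies = new Map();
    this.blocked = []; // refused writes, kept for auditing the site's behaviour
  }

  // Refuses to set any cookie whose category lacks consent. The cookie is never
  // written at all, rather than written and then deleted.
  set(name, value, category, thirdParty = null) {
    if (!this.consent.allows(category)) {
      this.blocked.push({ name, category, thirdParty });
      return false;
    }
    this.cookies.set(name, { value, category, thirdParty });
    return true;
  }

  // Withdrawal has to be as easy as consent: reject the category and remove
  // every cookie already set under it.
  withdraw(category) {
    this.consent.record(category, 'reject');
    for (const [name, c] of [...this.cookies]) {
      if (c.category === category) this.cookies.delete(name);
    }
  }
}

// Checks a banner configuration (assumed field names) against the practices the
// ICO guidance rules out. Returns the labels of the issues found, in order.
function lintBanner(cfg) {
  const issues = [];
  for (const [category, on] of Object.entries(cfg.defaults || {})) {
    if (category !== STRICTLY_NECESSARY && on) issues.push(`default_on:${category}`);
  }
  if (cfg.rejectControl === 'settings_only') issues.push('reject_hidden_in_settings');
  if (cfg.acceptEmphasised) issues.push('nudge_towards_accept');
  if (cfg.blocksAccessUntilConsent) issues.push('cookie_wall');
  if (cfg.continuedUseIsConsent) issues.push('implied_consent');
  for (const tp of cfg.thirdParties || []) {
    if (!tp.name || !tp.purpose) issues.push(`third_party_not_named:${tp.cookie}`);
  }
  return issues;
}

// Constructed walk-through: session cookie allowed, analytics blocked until an
// explicit accept, then withdrawn again.
function demo() {
  const consent = new ConsentState();
  const jar = new CookieJar(consent);
  jar.set('session_id', 'abc', STRICTLY_NECESSARY); // allowed without consent
  jar.set('_ga', 'GA1.2', 'analytics', 'Google');   // blocked: no decision yet
  consent.record('analytics', 'accept');            // explicit click on "accept"
  jar.set('_ga', 'GA1.2', 'analytics', 'Google');   // now allowed
  jar.withdraw('analytics');                        // user turns analytics off
  return jar;
}
```

The point of the gate is that the default state and any non-affirmative signal both resolve to "not allowed", so a bug in the banner cannot silently turn into implied consent; the linter is the kind of check to run over a consent configuration before deployment rather than after a complaint.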