No. of Articles – 7
1. Data security and breach notification in Canada
Provides an overview of obligations to report security breaches in Canada.
- Appears similar to GDPR
- Organisations are required to notify affected individuals of any breach of security safeguards that creates a real risk of significant harm to those individuals.
- Organisations are required to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada where the breach creates a real risk of significant harm to an individual.
There are also provincial laws. For instance, Ontario's health sector privacy law requires certain types of data breach to be reported to the relevant privacy commissioner.
2. Data Subject Access Requests: update on paper files and proportionate searches
Provides an update on recent High Court findings on what constitutes a ‘relevant filing system’ and what is a ‘proportionate search’.
- Relevant Filing System: The judge considered that as the (paper) files were arranged chronologically, the personal data could be “easily retrieved” and that a page turning exercise through those files looking for personal data was not unduly onerous. (The question of whether data could be “easily retrieved” should not be looked at in isolation but alongside whether it was structured by reference to specific criteria “related to individuals”.)
- This departs from the Court of Appeal’s more restrictive interpretation in Durant v FSA which was that a manual filing system would be a relevant filing system only if it was broadly equivalent to a computerised system in that it could be easily searched for personal data.
- Proportionate Search: The burden is on the controller to prove that the search would be disproportionate by setting out the time and cost involved. The court did find that it would be disproportionate to require the controller to search a back-up database (presumably electronic), as it would reveal confidential information about their employees or other clients (??). However, the court did say that searches of the personal storage space of current employees (in which they could save documents and emails) would not be disproportionate.
3. UK to be treated like any other third country by French data protection regulator in case of a no-deal Brexit
In February 2019, the French data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), clarified that, in the event of a no-deal Brexit and absent an adequacy decision (it is widely accepted that an adequacy decision will not be made before the end of 2020), the UK should be treated like any other country outside the European Economic Area (a third country). The CNIL declared that data controllers and processors would have to:
- identify any data transfers to the UK;
- determine and put in place the most appropriate lawful transfer tools;
- update their internal documentation so as to add transfers to the UK as of Brexit date; and
- update their notices to data subjects to indicate that data transfers out of the European Economic Area also include transfers to the UK.
CNIL also stated that there will be no grace period, so this will take effect immediately following a no-deal Brexit. This would only affect our customers who have processors in the EU that transfer data to the UK.
4. Legal Aspects of Cloud Computing: Cloud Contracting
A 25-page ‘white paper’ setting out the legal aspects of cloud computing and contracts. I think of particular relevance to us is Section D, Regulatory Aspects. D.22 on page 11 talks about data protection. It states that market practice appears to be evolving around a Data Protection Addendum which is incorporated into the main cloud agreement. The white paper poses a number of ‘key questions’:
i) Will the customer need to prepare a data protection impact assessment (‘DPIA’)? Basically, it says yes.
ii) Is the cloud service provider (CSP) a data controller or data processor? The position may be complex in practice as (i) the boundaries between controller and processor can be fuzzy; (ii) the same CSP can be a processor for some activities (e.g. as a SaaS provider) and a controller for others (e.g. professional services);
(iii) if both are controllers, the customer and CSP may be separate controllers for some activities but joint controllers (where different duties arise) for others; and
(iv) the CSP may also be providing personal data to the customer so GDPR may need to be addressed from both sides.
If data controller, what contract terms will need to be included? Basically those included in a standard CP agreement.
In each case, what is the relationship between data protection and information security (IS) terms? GDPR duties in relation to IS are a subset of the IS duties that apply to cloud customers and CSPs more generally. Under the GDPR, they mainly arise (for controllers) directly under Articles 32 to 36 and (for processors) indirectly under Articles 28(3)(c) (calling down Article 32) and 28(3)(f) (calling down Articles 32 to 36).
In each case, what audit rights will the customer or its regulator have? In the context of cloud computing, this can lead to practical difficulties, especially over audits and inspections where access to the host data centre is restricted (in compliance with the CSP’s own processes and security duties). Nonetheless, the customer should insist on this requirement, not only as regards the customer’s data protection regulator but also in regulated sectors where the cloud service is equated to outsourcing and/or is subject to audit or inspection by the customer’s sector regulator.
What is the liability position for breach of data protection obligations? Market practice in enterprise cloud agreements is starting to develop around a contractual liability limitation construct where breaches of the CSP’s data protection, IS and confidentiality duties are removed from the general liability cap and dealt with separately, with either unlimited liability, a higher cap or an indemnity, which may also cover fines and the costs of regulatory action.
5. Cloud computing in the United Kingdom
Gives the results of a recent survey of cloud services in the UK. Provides some useful definitions. The National Institute of Standards and Technology (NIST) definition of cloud computing identifies three service models: software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS); and four deployment models: private cloud, community cloud, public cloud and hybrid cloud. Private, public and hybrid clouds are widely adopted. Cloud in all of its service and deployment models has been adopted in most, if not all, UK industry sectors.
The Cloud Industry Forum (CIF), a not-for-profit industry body that promotes the adoption of cloud in the UK, reported in 2017 from a poll of 250 companies and public sector organisations that overall adoption had reached 88 per cent, with 67 per cent of organisations polled expecting to increase their usage of cloud during 2017. CIF concluded that, since 2010, the overall cloud adoption rate had increased by 83 per cent.
The report provides a list of global international cloud providers active in the UK market:
- Dell EMC;
- Facebook (Workplace);
- Red Hat;
- VMware; and
(See www.cloudpro.co.uk/providers.) The report also provides a list of other laws (apart from the GDPR) which are likely to apply to cloud computing:
- Digital Economy Act 2017 (www.legislation.gov.uk/ukpga/2017/30/contents/enacted – see question 6);
- Investigatory Powers Act 2016 (www.legislation.gov.uk/ukpga/2016/25/contents/enacted – interception of communications and data retention, etc.) – as amended by the Data Retention and Acquisition Regulations 2018 and the Communications Data Code of Practice. At the time of writing, both have yet to come into force. Together they will amend the existing regime concerning the retention of communications data.
- EU Dual-Use Regulation 2009, Council Regulation (EC) No 428/2009 (and associated legal amendments) (www.gov.uk/guidance/controls-on-dual-use-goods – regulates the export of dual-use technologies and software);
- Export Control Order 2008: www.legislation.gov.uk/uksi/2008/3231/contents/made – controls on the export of military and certain other technologies and software;
- Communications Act 2003 (www.legislation.gov.uk/ukpga/2003/21/contents – overall regulatory structure and powers for communications and media in the UK, including the regulator, Ofcom);
- Export Control Act 2002 (www.legislation.gov.uk/ukpga/2002/28/contents – controls on the export of, among others, strategic technologies);
- Regulation of Investigatory Powers Act 2000 (www.legislation.gov.uk/ukpga/2000/23/introduction – interception of communications and data retention, etc.) as amended, in particular by the Investigatory Powers Act 2016 (at the time of writing, these amendments have yet to come into force); and
- Unfair Contract Terms Act 1977 (www.legislation.gov.uk/ukpga/1977 – makes unenforceable certain terms in B2B contracts that do not satisfy the requirements of ‘reasonableness’).
6. Free flow of non-personal data and GDPR
Provides an overview of the new EU Regulation 2018/1807 on the free flow of non-personal data. The Regulation applies to the processing of electronic data other than personal data within the EU which is:
- provided as a service to users residing or established in the EU, regardless of whether the service provider is established or not in the EU; or
- carried out by a natural or legal person residing or established in the EU for his/her own needs.
In the case of a mixed dataset, i.e. a dataset composed of both personal and non-personal data, the Regulation applies to the non-personal data part of the dataset. If the personal and non-personal data are inextricably linked, then the Regulation applies without prejudice to the application of the GDPR. It is most likely to affect our customers in relation to mixed datasets which contain both non-personal and personal data. Where the two parts are inextricably linked, the whole dataset should be treated as personal data under the GDPR. The EU guidance gives the following examples of mixed datasets:
- A company’s tax record, mentioning the name and telephone number of the managing director of the company;
- Datasets in a bank, particularly those with client information and transaction details, such as payment services (credit and debit cards), partner relationship management (PRM) applications and loan agreements, documents mixing data concerning natural and legal persons;
- A research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions;
- A company’s knowledge database of IT problems and their solutions based on individual IT incident reports;
- Data related to the Internet of Things, where some of the data allow assumptions to be made about identifiable individuals (e.g. presence at a particular address and usage patterns); and
- Analysis of operational log data of manufacturing equipment in the manufacturing industry.
Interestingly, the guidance also gives a practical example which I think would fit with a CSP. Practical example: A company operating within the EU offers its services via a platform. Businesses (customers) upload their documents, which contain mixed datasets, to the platform. As a ‘controller’, the business uploading the documents needs to make sure that the processing complies with the General Data Protection Regulation. By processing the dataset on behalf of the controller, the company that offers the services (the ‘processor’) needs to store and process the data in compliance with the General Data Protection Regulation, for instance to make sure that an appropriate level of security for the data is guaranteed, including by means of encryption. I have also downloaded the relevant regulation.
7. Teacher’s report is in! Out of 10, how’s the first year of GDPR really gone?
The European Commission created an Expert Group to support the application of the EU General Data Protection Regulation (GDPR), and it delivered its ‘1st Year Report’ on 13 June 2019.
Key findings are:
- Organisations are finding GDPR hard. It needs investment in people, processes and technology, not all of which is easy or available for SMEs in particular. ‘Many SMEs mention they had to seek advice from external consultants to understand the rules and set up systems to comply with the GDPR (including the implementation of technical and organisational measures), and that they usually lack the necessary human and economic resources to implement the obligations in GDPR.’
- GDPR isn’t always easy to understand and some terms and requirements aren’t clearly defined. While the EDPB is putting out good guidance (as the Article 29 Working Party did before it), there could be more, and more tailored to SMEs.
- Ongoing uncertainty on ePrivacy only adds to the difficulties businesses face in creating their compliance programs.
- The report shows a clear desire for official standard contractual clauses for processing – an official Data Processing Agreement, as it were – perhaps in a multitude of flavours.
- The Report also notes that SCCs for transfers need updating and should cover current gaps such as processor-to-subprocessor transfers as well as allow more clearly for joint controllers etc.
- Access requests have risen more in some industries than others (as to be expected) and have fallen back a bit since GDPR came in. There are various practical difficulties, for example if someone asks for all CCTV where they appear. Other data subject rights (such as portability, and requests for meaningful explanations on the use of automated decision-making) have yet to make their presence felt.