GDPR: Guernsey’s Data Protection regime & EU fines


    Welcome to our first blog of 2020. The past twelve months saw an array of guidance, clarifications and new approaches in the changing world of data protection. The clarification of the consent needed before a non-essential cookie can be placed on a user’s system is going to be a major change for organisations with a website presence. The ‘banner’ approach, which lets visitors know you use cookies and offers an ‘OK’ or ‘Accept’ button, is no longer valid. Organisations will need to provide a preference pop-up allowing visitors to select which cookies they will allow on their system. The only cookies allowed without consent are the essential ones needed for the basic running of the site.

    Propelfwd have been working with a company called Critical Media to develop a cookie preference centre. This will allow organisations to have their website scanned monthly, and give visitors the opportunity to select their cookie preferences or to change them later (withdrawing consent). It will be available from February 2020, with an initial 30-day free trial. The pricing structure still needs to be finalised but will be very competitive compared to other available options. Watch this space…

    Propelfwd have also developed a training programme comprising Data Protection (GDPR) Foundation and Practitioner courses. The first two are being run in Jersey on 17th February (Foundation) and 19th/20th February (Practitioner). Both courses have been assessed and certified by the CPD Standards Office for content and quality. Check out the links below.

    Data Protection (GDPR) Foundation course

    Data Protection (GDPR) Practitioners course

    The Jersey Office of the Information Commissioner has been sending reminders to all data controllers in Jersey to renew their registration. The deadline for this is 31st January 2020. A new fee structure was approved by the States in December 2019, so gone are the days of paying £50 per year regardless of the size of your organisation. If you registered in 2019 and your registration is not yet due to expire, you will be credited for the overlap months. Please remember to register; follow the link below.

    https://jerseyoic.org/membership/

    Now onto news from around Europe…

    Guernsey’s data protection regime – shifting attitudes

    A shift in Guernsey’s corporate and individual attitude towards the misuse of data is now central to the Office of the Data Protection Authority’s (ODPA’s) future approach to governance and enforcement in Guernsey.

    Following the end of the transitional relief period under the Data Protection (Bailiwick of Guernsey) Law 2017 in May 2019, this article rounds up the key issues which the ODPA has communicated and which will dictate its approach.

    Changes in culture in the workplace

    The ODPA has repeatedly highlighted its encouragement for a shift in attitudes, for both consumers and businesses, so that the misuse of data is seen as both legally and socially unacceptable.

    While legislation and regulatory action both have a role to play in protecting data, the ODPA sees consumers and businesses as the key factor in achieving secure, ethical use of data. As consumers begin to recognise the ever-growing value of their personal information and have open access to information about the frequency and severity of data breaches, they can begin to impose an ethical baseline when it comes to the use of their data and punish those businesses which fall beneath it. Over time, this will have the effect of building a self-correcting market.

    A simple rule of thumb for officers and employees undertaking any aspect of personal data management to ensure they do not fall foul of the standards of protection required by the ODPA is to treat personal data in the manner in which they would wish their own personal data to be treated.

    Predict, prevent, detect, enforce

    The ODPA is seeking to achieve a balanced approach across the four key areas of regulation (prediction, prevention, detection and enforcement) in fulfilling its functions under the law.

    In particular, businesses have been reminded that the principal purpose of the breach reporting requirements under the law is to assist the regulator in:

    • predicting and preventing breaches before they have occurred;
    • identifying areas in the industry which may require additional resources; and
    • training to achieve compliance and best practice, rather than as an enforcement tool.

    Delayed introduction of self-funded charging system

    The ODPA released a statement on 28 October 2019 to confirm that while it had been working with the States of Guernsey for the past year to agree a funding model for the ODPA’s activities based on the charging of annual registration fees, it has taken longer than expected to agree and implement such a model.

    Guernsey Data Protection Commissioner Emma Martins stated that:

    the ODPA’s goal is to achieve a fair, low-cost, low-admin business that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms.

    The delay in agreeing the funding model has resulted in the extension of the current registration exemptions for small businesses and sole traders. Those persons to which the exemptions apply will no longer be required to register with the ODPA until January 2021.

    Schrems II and Standard Contractual Clauses

    The Opinion of Advocate General (AG) Henrik Saugmandsgaard Øe in the “Schrems II” case (C-311/18) was delivered on 19 December. It will likely leave organisations that currently rely on European Commission-approved standard contractual clauses to ensure adequate protection for the personal data they transfer internationally heaving a collective sigh of relief, at least for the moment.

    Although not binding on the CJEU, the AG’s Opinion suggests that Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries (SCCs) is valid, and may well be indicative of the future validity of SCCs, arguably the most commonly adopted safeguard for ensuring adequate protection of personal data transferred outside the EU. Interestingly, however, the Opinion also suggests that data controllers (and supervisory authorities) will be obliged to suspend or prohibit international personal data transfers where conflicts arise between the SCCs and the law of the third country to which the personal data are transferred, if that law means the SCCs cannot be complied with. Organisations relying on SCCs will therefore also need to consider this.

    The GDPR provides that transfers of personal data to third countries or international organisations (i.e. countries or organisations outside the EU) are permitted only where either the EC Commission has made an “adequacy decision” in respect of the destination countries or organisations, or such transfers are made subject to appropriate safeguards (as set out in the GDPR) to ensure adequate protection for such data, or if one of a number of listed derogations for specific situations applies. In the absence of an adequacy decision, organisations can ensure that internationally transferred personal data are adequately protected in various ways, including through the use of binding corporate rules (if personal data are being transferred between entities within the same corporate group), obtaining the explicit consent of the individuals to whom the personal data relate and through the use of SCCs, where an EU-based data exporter enters into an appropriate agreement with a non-EU-based data importer. Many organisations rely on SCCs as being a relatively straightforward and cost-effective method of ensuring compliance with their data protection obligations regarding internationally transferred personal data.

    Schrems II follows on from the first Schrems case (C-362/14), which resulted from a complaint made by Maximilian Schrems, an Austrian privacy activist, to the Irish Data Protection Commission. Mr Schrems complained about the transfer by Facebook Ireland of his personal data to the USA, where it could be accessed by certain US authorities in ways that, he argued, breached applicable EU data protection laws. Eventually, Schrems I led to the CJEU invalidating the US-EU safe harbor framework (which also resulted from a Commission Decision), which had been relied upon by many organisations to ensure that personal data transferred from the EU to the US were adequately protected. In the light of this, many organisations began to utilise SCCs to protect personal data transferred to the US (as well as to other third countries), although, ultimately, the safe harbor scheme was replaced by the more robust US-EU Privacy Shield scheme. Schrems II challenged the validity of the SCCs for similar reasons to those advanced in Schrems I.

    Interestingly, the Opinion questions the validity of the Privacy Shield Commission Decision in the light of the GDPR, especially in respect of inadequate transparency regarding access by US intelligence authorities to personal data transferred from the EU, and the effectiveness of the remedies available to the relevant data subjects. However, the AG’s view is that the CJEU is not required to rule on this in the context of Schrems II, as it was not specifically asked to consider the question. If the CJEU does not do so, the European Commission has indicated that it will consider the impact of the CJEU’s judgment in Schrems II on Privacy Shield; for now, Privacy Shield remains a valid mechanism for EU/US personal data transfers. On a related issue, the activities of British intelligence authorities may lead to similar debates post-Brexit if the US intelligence activities revealed by Snowden also involve the British intelligence authorities.

    While the Opinion will provide some comfort to those organisations currently relying on SCCs to ensure that personal data that they transfer internationally are properly protected, as required by the GDPR, this is not the end of the story – organisations will need to wait for the CJEU’s judgment (expected in early 2020) to discover whether or not they can continue to use SCCs to protect personal data transferred outside the EU, going forward. If the CJEU disagrees with the AG, such organisations would have to find alternative valid transfer mechanisms to rely on, although which alternatives will be most appropriate is currently not completely clear.

    EU guidelines on territorial scope finalised

    In November 2019 the European Data Protection Board (EDPB) published its finalised Guidelines on the territorial scope of the EU General Data Protection Regulation (GDPR).

    The GDPR can apply to organisations across the world. Given that penalties for breach of the GDPR can amount to fines of up to 4% of turnover or 20 million euros, whichever is the greater, together with criminal penalties at local level for individuals, including directors in some jurisdictions, it is important for all organisations and personnel who process personal data to understand their obligations.

    Organisations with any connection to or business in the European Economic Area (EEA) should review the guidance and/or take advice, carry out an analysis of their processing of personal data and take action accordingly. The Guidelines can be accessed here.

    Highlights:

    • The application of the GDPR should be assessed on a case-by-case basis for each data processing activity (the UK ICO has interpreted “processing activity” broadly, for example human resources functions, marketing activity, etc.).
    • The fact that certain data processing activities of an organisation fall within the scope of the GDPR does not necessarily mean that all of that organisation’s data processing activities are subject to the GDPR.
    • Whilst ‘establishment’ is a broad concept, there are limitations to it. A single employee or agent in the EEA may constitute an ‘establishment’ which triggers the application of the GDPR. But the mere presence of an employee or agent in the EEA will not trigger application of the GDPR unless the processing of personal data relates to activities of the EEA-based employee or agent.
    • For organisations not established in the EEA, the guidance clarifies the process for designating a representative in the EEA, explains the representative’s responsibilities and obligations, and adds that local supervisory authorities may enforce against non-EEA organisations “through” their representatives.
    • After Brexit and any transition period, organisations not established in the UK but which “target” individuals in the UK (by offering them goods or services or monitoring them in the UK) will need to appoint a representative in the UK.

    Territorial scope: establishment vs targeting

    The Guidance clarifies that there are two essential criteria set out in Article 3 of the GDPR: the ‘establishment’ criterion and the ‘targeting’ criterion. Where either of these applies, the GDPR will apply to the processing in question:

    • Establishment criterion: The GDPR applies to the processing of personal data in the context of the activities of an establishment of an organisation (whether controller or processor) in the EEA, or in a place where EEA Member State law applies by virtue of public international law, regardless of where the processing itself takes place; and/or
    • Targeting criterion: The GDPR applies to the processing of personal data by an organisation not established in the EEA, but which:
      • Offers goods or services to individuals located in the EEA; and/or
      • Monitors the behaviour of individuals located in the EEA.

    The GDPR is not triggered by the nationality of the individuals concerned, although the location of the individuals is relevant if the targeting criterion applies.

    Establishment

    The GDPR does not define ‘establishment’. However, there is extensive case law on the subject, which pre-dates the GDPR. The Guidance draws on previous case law and emphasises that ‘establishment’ requires a “stable arrangement” in the EEA. This is a low hurdle. However, a non-EEA entity will not have an establishment in the EEA merely because its website is accessible in the EEA.

    In the context of the activities of the EEA establishment

    On processing “in the context of the activities of” the EEA establishment, organisations should consider: (i) the relationship between an organisation outside of the EEA and its local establishment in the EEA; and (ii) revenue generated in the EEA.

    Non-EEA organisations should assess their processing activities, first by checking whether personal data are being processed, and secondly by identifying potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the EEA. The nature of any link between the activity and the EEA presence is key in determining whether the GDPR applies to the processing in question. The processing need not be carried out by the organisation itself, and can take place outside of the EEA.

    Controllers and processors

    The GDPR applies to both controllers and processors. The Guidance clarifies that the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to either entity, if it is not established in the EEA.

    The targeting criterion and organisations not ‘established’ in the EEA

    An organisation not established in the EEA cannot benefit from the ‘one-stop shop’ mechanism provided for in Article 56 of the GDPR (whereby one ‘lead supervisory authority’ will enforce against it, rather than separate supervisory authorities in each EEA Member State).

    For the ‘targeting’ criterion, the Guidance stresses that:

    • the GDPR can apply to some processing activities but not others: it is essential to consider the processing activities in question; and
    • the GDPR will not apply merely because an organisation is processing personal data of an individual in the EEA: the element of “targeting” individuals in the EEA, either by offering goods or services to them or by monitoring their behaviour must always be present as well.

    Offering goods or services

    The concept of “offering of goods or services” includes the offering of ‘information society services’ and other services which are not for payment.

    The Guidance lists a number of factors which could indicate targeting of individuals in the EEA: for example, if the description of the good or service mentions an EEA country, if the nature of the activity is international (e.g. certain tourist activities), or where marketing and advertising campaigns are directed at an EEA country audience. The fact that a website is accessible from the EEA does not by itself constitute ‘targeting’ individuals located in the EEA.

    Monitoring behaviour

    For the monitoring element of the targeting criterion to apply there is no need to show intention to target the individuals. However, ‘monitoring’ implies a specific purpose for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EEA. The controller’s purpose is key, as is any subsequent behavioural analysis or profiling techniques involving that data.

    The Guidance specifically mentions the following activities as relevant ‘monitoring activities’:

    • Behavioural advertisement (tracking);
    • Geo-localisation activities, in particular for marketing purposes;
    • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
    • Personalised diet and health analytics services online;
    • CCTV;
    • Market surveys and other behavioural studies based on individual profiles; and
    • Monitoring or regular reporting on an individual’s health status.

    Processors not established in the EEA carrying out targeting activities

    Decisions on how and why personal data will be processed can only be made by controllers. However, a processor may actively take part in processing activities related to carrying out targeting. In such circumstances, the processor will have its own obligations under the GDPR (for example to keep the personal data secure).

    Processing in a place where Member State law applies by virtue of public international law

    The Guidance gives some specific examples of situations in which the GDPR applies outside of the EEA:

    Appointment of representatives in the EEA

    The Guidance points out that, where the targeting criterion applies, the organisation must appoint a ‘representative’ within the EEA unless an exemption applies, i.e. if the processing: (i) is occasional; (ii) does not involve large-scale processing of special category personal data or criminal records data; and (iii) is unlikely to result in a risk to the individuals concerned in the circumstances. Appointments must be by a “written mandate”, e.g. a service contract. A representative can be a natural or a legal person, and must itself be established within the EEA (in the same location as the relevant data subjects). One representative can act on behalf of multiple controllers and processors.

    Following the UK’s proposed exit from the EU (and EEA) and any transition agreement, non-UK organisations established in the UK or targeting the UK will need to appoint a representative in the UK in addition to any representative in the EEA.

    Responsibilities of the representative

    The Guidance says that the representative is not itself responsible for complying with data subjects’ rights, but must facilitate compliance with such rights. It must also maintain the controller or processor’s records of processing, and liaise with supervisory authorities and provide information on behalf of its principal.

    The Guidance makes clear that the representative will not be liable for breaches of the controller or processor it represents. But local supervisory authorities may “initiate enforcement proceedings through” it, including by “address[ing] corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative”.

    Action points

    If they have not already done so, organisations should:

    • Carry out a data audit, checking what personal data they process, why and in what context;
    • Consider whether the organisation is ‘established’ in the EEA (or the UK), and if not, whether the targeting criterion applies (i.e. whether the organisation offers goods or services to, or monitors, individuals located in the EEA (or the UK));
    • If an organisation is not established in the EEA (or the UK) but the targeting criterion applies, appoint a representative in the EEA (or the UK).

    Latest Fines in the EU

    United Kingdom

    Information Commissioner (ICO)

    2019-12-20    €320,000    Doorstep Dispensaree Ltd. (Pharmacy)

    Art. 32 GDPR – Insufficient technical and organisational measures to ensure information security

    The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers, medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.

    Romania

    Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

    2019-12-18    €2,000    Telekom Romania Mobile Communications SA

    Art. 32 GDPR – Insufficient technical and organisational measures to ensure information security

    The company failed to ensure the accuracy of its processing of personal data, which resulted in the disclosure of one client’s personal data to another client.

    2019-12-16    €2,000    Globus Score SRL

    Art. 58 GDPR – Insufficient cooperation with supervisory authority

    The company did not comply with measures ordered by the National Supervisory Authority.

    Belgium

    Belgian Data Protection Authority (APD)

    2019-12-17    €2,000    Nursing Care Organisation

    Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR – Insufficient fulfilment of data subjects’ rights

    The company failed to act on requests from the data subject to get access to his data and to have his data erased.

    2019-12-17    €15,000    Website providing legal information

    Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR – Insufficient fulfilment of information obligations

    An operator of a website for legal news had its privacy statement available only in English, although the site was also addressed to a Dutch- and French-speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.

    Sweden

    Data Protection Authority of Sweden

    2019-12-16    €35,000    Nusvar AB

    Art. 6 GDPR – Insufficient legal basis for data processing

    Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people whose payments were overdue.

    Hungary

    Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

    2019-12-11    €1,500    Unknown Company

    Art. 6 GDPR – Insufficient legal basis for data processing

    The company failed to delete a former employee’s private emails and therefore processed personal data without a legal basis and in excess of the data retention requirements.

    Spain

    Spanish Data Protection Authority (AEPD)

    2019-12-10    €1,600    Megastar SL

    Art. 5(1)(c) GDPR, Art. 13 GDPR – Non-compliance with general data processing principles

    The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed.

    2019-12-10    €5,000    Shop Macoyn, S.L.

    Art. 32 GDPR – Insufficient technical and organisational measures to ensure information security

    The company sent advertising e-mails to several recipients in which the e-mail addresses of all the other recipients were visible to everyone, because the recipient addresses were entered in the CC field rather than the BCC field.
