Privinews

The latest news and articles regarding data privacy and related topics from around the web.

Is massive and indiscriminate surveillance proportionate and strictly necessary in a democratic society?
Posted on 13/04/2021


Happy Birthday, WP237 - it is now 5 years since you were adopted.  We still enjoy your rather pithy description: "working document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees) - WP237."

Following the landmark ruling in the Maximillian Schrems v Data Protection Commissioner CJEU case C-362/14 on 6 October 2016, when the so-called Safe Harbour decision was annulled because it did not make sufficiently clear that US legislation offered adequate safeguards to protect personal data originating in the EU, it was clear the internet wars had kicked off.  Indeed, the CJEU raised questions on the extent of possible national security and law enforcement related interferences with the fundamental rights of the persons whose data is transferred from the EU to the US, and cast doubt on whether other transfer tools (like standard contractual clauses [SCCs]) offer an adequate safeguard when personal data is sent to the US.

Perhaps a more fundamental question is whether data protection legislation itself offers an adequate safeguard for such transfers.

What is now the European Data Protection Board (EDPB) spelled out 5 years ago four European Essential Guarantees.  They apply to all data processing operations, including transfers (and restricted transfers - a restricted transfer is one where the processing is not already caught by legislation and requires further safeguards, like an adequacy decision, SCCs, or other transfer tools), and the task for organisations is to assess against them whether an interference with a fundamental right can be justified:

- processing should be based on clear, precise and accessible rules

- necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated

- an independent oversight mechanism should exist

- effective remedies need to be available to the individual

A transfer impact assessment (TIA) initially needs to ascertain if transfers are taking place, given the nature, scope and context of the processing.  This is important because it may not be you that is making the transfer – it may be a joint controller whose obligations you are not liable for, like a US subsidiary you are contracting with in your own territory – in which case, there’s no need for you to proceed any further with your own TIA.

However, if you are transferring personal data, the rules (as per the principle of lawfulness, fairness and transparency) that you rely upon need to be documented, i.e. whether the processing is already caught by the legislation, or if there is a particular transfer tool that is required.  Also, you have to justify that the processing which requires the transfer is necessary and proportionate, e.g. it could not be done in a less privacy-intrusive way – such justification can be further tested using the principles of purpose and storage limitation as well as data minimisation.

Regarding the oversight mechanism, if you are caught by legislation, document the fact that you are de facto subject to judicial control and / or supervisory authorities in the originating jurisdiction, e.g. Belgian authorities working with their local ISPs to limit US websites from operating in Belgium.  For restricted transfers, document the tool being relied upon (such as adequacy, SCCs, etc), so that effective mechanisms are clear, e.g. German authorities intervening when a local organisation used a US Cloud provider to send direct marketing emails.

To get the relevant assistance from your local supervisory authority, you should also include in your TIA that you may be unable to control the transferred personal data – such a residual high risk requires prior consultation with your regulator – because of obligations imposed on data importers by US authorities to disclose the data to US agencies, given the US was found not to have effective oversight mechanisms.  This is why the Belgian and German authorities intervened as they did.

Finally, document what remedies are available to affected data subjects, e.g. your policy and processes to deal with rights requests, complaints, enquiries and personal data breaches, as well as that such processes are underpinned by training and regular verification that they are working as intended.

In reality, most organisations have continued to use US companies.  To have a defensible position, document the facts, and if it appears there is a residual high risk relating to the processing, simply seek direction from the relevant authorities.

Read More
Privacy Shield is invalid
Posted on 16/07/2020

It lasted all of 4 years and 4 days before the Court of Justice of the European Union (CJEU) decided on 16 July 2020 that the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.  Er, pardon?

OK, in summary, this means the CJEU has judged that Privacy Shield was invalid from 12 July 2016.  It has never been valid.  Just like its predecessor, Safe Harbor.  In other words, no-one can rely on Privacy Shield to transfer personal data to the USA.

So what?

If you don’t transfer personal data to the US, there’s no problem – it doesn’t affect you.  If you keep life simple by keeping personal data in the UK, you have nothing to worry about.  And let’s face it, the majority of businesses appear to do just that anyway.  BTW, if it’s true now, it’ll be true after Brexit too.

However, if you do transfer personal data to the US, take note.  There are more than 5,000 organisations registered for Privacy Shield that do.  For example, do you rely on SaaS or Cloud providers that manage the hiring of new recruits?  If so, it is likely these guys are based in the US, and have relied on Privacy Shield.  Similarly, does your marketing team rely on cookies (and other trackers / technologies) provided by US-based companies for your email campaigns or your App?  What about your financial software?  The list goes on, and on (and on…).

Here's what to do ASAP:

  • step 1: look at all your processing operations to check if parties you rely on are based in the US
  • step 2: check your understanding of personal data… in summary, it includes any information about an individual, such as an online identifier, MAC ID, the type of browser they use, not just a name (indeed, a name is not even required)
  • step 3: in the processing operations identified in step 1, is any personal data leaving the EU (include the UK for just now)?  NB this applies to any party involved in the processing, not just you
  • step 4: has that party (including you) relied on Privacy Shield?  If not, there’s nothing further to be done.  If so,
  • step 5: get your data protection expert to help identify options to fix the problem
  • step 6: update your documentation (e.g. privacy statements, records of processing activities, etc)

Your data protection expert needs to be very careful which options you look at in step 5 above.  For example, don’t make the mistake of claiming that the transfer is necessary for the conclusion or performance of a contract.  This is because ‘necessary’ is the operative word here.  In other words, it is not necessary to use a US company, as you could use a UK one instead.

Also, when considering standard data protection clauses – also known as standard contractual clauses (SCC) or model clauses – do bear in mind the Hamburg DPA’s view published on Friday: the ECJ's decision to maintain the standard contractual clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect those affected from government access. At least with regard to the conclusion of the SCC with the US company at issue, the ECJ should have reached the same result.

Why is this significant?

 

Essentially, Hamburg are saying, “don’t use SCCs.”  That’s a problem because, in addition to Privacy Shield, the most common mechanism used for transfer of personal data to the US is SCCs – indeed, even Facebook use them.  There are other available options, but that’s why your data protection expert will need to take steps 1-4 above into account to get it right for you… there’s no cookie-cutter approach to this, as compliance is at a process level.

Is there a pragmatic answer?

Great question.  Let’s look at the facts.  It took Max Schrems some 5 years to go through the legal process which eventually saw the CJEU strike down Safe Harbour.  Privacy Shield was cobbled together in 6 months to replace it.  To my knowledge, no organisations suffered any severe liability damages for previously relying on Safe Harbor, never mind continuing to transfer personal data during that 6-month period (when no mechanism existed).  Then Schrems successfully struck again, this time on Privacy Shield.  So, by the end of 2020, there is likely to be a replacement for Privacy Shield.  You can make your own mind up regarding the probability that anyone will take action against you… either for not having any mechanism (if you relied upon Privacy Shield), or for using SCCs.  In the same time frame, i.e. by the end of 2020, the UK will need to come up with an equivalent mechanism for its own data transfers because of Brexit – both to the US, as well as from the EU to the UK.  At the same time, we know from their Press Release on 24 June that, in addition and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool.

Thursday’s timing for the CJEU’s judgment has actually been perfect.  By the end of the year, it appears that we will have sorted out the next generation of both SCCs as well as Privacy Shield, for not only the EU but also the UK.

Happy days.

Read More
FTC goes large on Facebook with $5bn fine
Posted on 12/07/2019

Ludicrous as it sounds, even though Facebook had a $5bn fine confirmed by the FTC, their share value went up!  Of course, they can still expect other actions against them by regulators in Europe and elsewhere, as well as Court cases and further Brand damage. With so many other new platforms appearing, it appears that Facebook cannot continue to rely on the powerful global grip it has established.

The company has recently made some efforts to market their caring position vis-a-vis privacy - the issue is that “data protection by design” requires ‘whole privacy’ thinking, so that the likes of Cambridge Analytica relationships should not be allowed to disrespect our privacy, by either Facebook or Cambridge Analytica... but Facebook’s statements appear to be more vacuous in terms of substance.

The wake-up call from the world’s regulators this week has not gone unnoticed - does this mean we can rest a little easier?

Sadly not. More organisations are turning to machine learning and artificial intelligence, for sound, legitimate and necessary reasons in a globally competitive economy that is driving down costs. To stay ahead, these technologies are required.

What therefore are organisations to do?

Look, data protection legislation is not designed to stop such advances. Au contraire, the object is to facilitate free flows of data, in particular personal data. With that in mind, establishments simply need to get data protection by design right, unlike Facebook and Cambridge Analytica.

Do you get it right? How would you know? How would individuals whose personal data you process know?

Easy. Check with priviness for free.

Read More
Risky business
Posted on 11/07/2019

There has been a lot of fanfare in the Press this week regarding data protection - "and about time!" some might say.

One might feel particularly sorry for Sir Kim Darroch. Through no fault of his own, due to the lack of adequate measures to safeguard the emails that conveyed his opinions, the consequence for him is both social and financial disbenefit: we heard yesterday that he's lost his job. The fault would appear to lie at the feet of the Foreign and Commonwealth Office ("FCO"), who are obliged to self-report this personal data breach to the UK data protection watchdog, the Information Commissioner's Office ("ICO"). In order to establish if appropriate safeguarding measures had been considered in the light of potentially identified risks to Sir Kim and other FCO employees, it is likely that the ICO will request a data protection impact assessment ("DPIA") relating to the processing of emails under the control of the FCO - one hopes that such documentation is all in order.

Then there was the update from the ICO on Tuesday that the Marriott hotel chain is facing a £99 million fine relating to inadequate security measures that led to a confidentiality breach of 339 million guests' personal details, which we first heard about in November last year.

And the week started with the staggering statement from the ICO that British Airways is in the dock for a £183 million fine for their confidentiality breach that came to light in early September last year. Interestingly, this may have been more than one episode, one of which occurred before GDPR came into force. It is not clear what the ICO have taken into account in their deliberations with BA and other EU regulators. One thing for sure, though, is that this fine is in addition to any Court actions and Brand damage that BA is likely to suffer from.

In summary, it appears that if organisations thought that the regulators were only focussing their attention on the likes of Google and Facebook, we all need to think again. The fine against BA is some 4 times the amount that CNIL fined Google - the largest yet.

Let's put some perspective around this. Organisations must self-report in the event of a personal data breach. Whereas the run-rate has on average been about 1,500 per month of such reports to the ICO, across the EU it's closer to 7,500 per month. The problem is that the regulator is starting to crack down on organisations where it appears they have not put sufficient technical and organisational measures in place to safeguard our rights and freedoms.

The waiting game is over. It's time to be able to prove your organisation is compliant!

Read More
Be careful what your employees are browsing
Posted on 11/06/2019

When there is a personal data breach, the Morrisons Supermarket case has set the precedent (subject to appeal) that the employer, Morrisons, is vicariously liable for the actions of the employee.

This makes sense.

The obligations of the controller are to ensure that risks to data subjects whose personal data they process have been assessed and appropriate safeguarding measures have been put in place.  So, if an employee, for example, accesses personal data they are unauthorised to access, then the employer is liable for not putting in place adequate measures.

In the Manchester case (see "Read More" link at end of article), the employee has themselves become a controller, and taken it upon themselves to access personal data they were not entitled to access.  This breach of confidentiality under GDPR could attract a fine of up to 4% of the employee's turnover, which, assuming a salary of, say, £15,000, would equate to £600 OR up to €20,000,000, whichever is greater.  With a £300 fine, £364 costs and £30 victim surcharge, the employee appears to have got off lightly (but that was pre-GDPR, of course).

Despite this case being brought by the ICO in a Magistrates Court, the victim might also seek damages in the County Court, both against the employee and the employer (potentially for vicarious liabilities).

So what do employers have to do to avoid the charge of vicarious liability or other such claims for damages in such a case?

In this case, Stockport Homes quotes an employee code of conduct that presumably all employees are obliged to follow as part of their employment contract.  But is that enough?  To start with, it appears that the personal data was available to the employee, and therefore the employer is liable for their failure to ensure adequate identity and access management protocols were in place.  So, no, an employee code of conduct is not enough.

Organisations like CybSafe provide excellent training as well, to ensure that employers are not subject to the 'human factor'.  This might be another measure Stockport Homes could have put in place.  The list is endless.

#StockportHomes #PersonalDataBreach #ConfidentialityBreach #ICO #fine #StockportMagistratesCourt #DataProtection #Privacy #priviness #privinews #GDPR #training #CodeOfConduct

Read More
Privacy - US journalists don't get it either
Posted on 10/06/2019

The New York Times article in the "read me" is written by journalists who, like so many organisations, do not get what data protection is all about.

"Companies are free today to monitor Americans' behaviour and collect information about them from across the web and the real world to do everything from sell them cars to influence their votes to set their life insurance rates," writes the Editorial Board. "Although Americans cannot legally avail themselves of specific rights under GDPR, the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans' digital privacy rights that their own Congress."

The bit about Brussels doing more than Congress is true. The rest is wayward.

Americans absolutely can avail themselves legally of specific rights under GDPR. Professor David Carroll, a US citizen, took up the opportunity to do exactly that when he discovered SCL Elections were processing his personal data in the EU, and he complained to the UK watchdog.

It is laughable also to suggest it is a fact that the biggest global tech companies are complying everywhere with GDPR. It is more accurate to say that these organisations are relying on a defensible position that (a) few individuals understand the legislation well enough to know what to complain about; (b) those individuals are unlikely to know what evidence to present to make their case; and (c) the individuals will need deep pockets and resilience to fight a battle being defended by an army of lawyers using delaying tactics to keep their corporate client out of the dock.

The problem with articles like this is they spread the wrong myths.

The article goes on, "GDPR requires companies to take adequate security measures to protect data." The focus on GDPR is actually to ensure and demonstrate a high level of protection of human rights and fundamental freedoms of natural persons with regard to the processing of their personal data. A not-so-subtle and important difference: it's not about security of data, but protection of rights and freedoms.

When journalists understand the reality, perhaps the articles will improve. It is an otherwise good article that, despite being riddled with flaws, draws awareness to issues such as consent, and it redeems itself a little in the final paragraph: "any regulation must evolve alongside technology to safeguard fundamental freedoms."

#NewYorkTimes #DataProtection #Congress #CaliforniaConsumerPrivacyAct #GDPR #privacy #privinews #priviness

Read More