This article is an extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition.
In the EU, data protection is principally governed by the EU General Data Protection Regulation (GDPR),2 which has applied in all EU Member States since 25 May 2018. The GDPR repealed the Data Protection Directive 95/46/EC (Directive),3 regulates the collection and processing of personal data across all sectors of the EU economy and introduced new data protection obligations for controllers and processors alongside new rights for EU individuals.
The GDPR created a single EU-wide law on data protection and has empowered Member State data protection authorities (DPAs) with significant enforcement powers, including the power to impose fines of up to 4 per cent of annual worldwide turnover or €20 million, whichever is greater, on organisations for failure to comply with the data protection obligations contained in the GDPR.
In 2020, the European Data Protection Board (EDPB) published various guidelines, including on the concepts of controller and processor under the GDPR, the processing of personal data in the context of connected vehicles and mobility-related applications, and the processing of location and health data in the context of COVID-19.
Importantly, in a decision with significant implications for international trade and cross-border data flows, the EU's highest court, the Court of Justice of the European Union (CJEU), ruled on 16 July 2020 in the Schrems II case that a key legal mechanism (the EU–US Privacy Shield programme) used to enable transfers of personal data from the European Union was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism, the standard contractual clauses (SCCs or model contract), is used. On 4 June 2021, the European Commission adopted new EU SCCs for international transfers of personal data from the European Economic Area (EEA) to third countries, to address certain requirements resulting from the Schrems II decision and to align the obligations under the new SCCs more closely with the requirements of the GDPR. The multiple transfer scenarios addressed in the new SCCs, including transfers from processors in the EU to their instructing controller in a country the European Commission has not recognised as having adequate data protection laws (a 'third country'), should greatly facilitate the 'widespread use of new and more complex processing operations'.4 Moreover, on 18 June 2021, the EDPB adopted its final recommendations describing how controllers and processors transferring personal data outside the EEA may comply with the Schrems II decision.
Set out in this chapter is a summary of the main provisions of the GDPR. We then cover guidance provided by the EU's former Article 29 Working Party (which has, since 25 May 2018, been replaced by the EDPB) on the topical issues of cloud computing and whistle-blowing hotlines. We conclude by considering the EU's Network and Information Security Directive (NIS Directive).
II The GDPR
The GDPR imposes a number of obligations on organisations processing the personal data of individuals (data subjects). The GDPR also provides several rights to data subjects in relation to the processing of their personal data.
Failure to comply with the GDPR and Member State data protection laws enacted to supplement the data protection requirements of the GDPR can amount to a criminal offence and can result in significant fines and civil claims from data subjects who have suffered as a result.
Although the GDPR sets out harmonised data protection standards and principles, the GDPR grants EU Member States the power to maintain or introduce national provisions to further specify the application of the GDPR in Member State law.
i The scope of the GDPR
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing of personal data that forms part of a filing system or is intended to form part of a filing system other than by automated means. The GDPR does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.
The GDPR only applies when the processing is carried out in the context of an establishment of the controller or processor in the EU, or where the controller or processor does not have an establishment in the EU, but processes personal data in relation to the offering of goods or services to individuals in the EU; or the monitoring of the behaviour of individuals in the EU as far as their behaviour takes place within the EU.
This means that many non-EU companies that have EU customers will need to comply with the data protection requirements in the GDPR.5
The EDPB published its final guidance on the territorial application of the GDPR on 12 November 2019. The guidance largely reaffirms prior interpretations but it does leave some legal uncertainty for non-EU organisations including on how to deal with the GDPR's international data transfer restrictions.
There are a number of important terms used in the GDPR,6 including:
- controller: any natural or legal person who alone or jointly with others determines the purpose and means of processing personal data. Interestingly, a recent decision from the CJEU (decided under the former Directive) considered the question of joint controllership. In particular, the CJEU held that for there to be a relationship of joint control, the parties do not need to share responsibility equally, nor do they have to have access to the personal data processed. Unfortunately the ruling does not address the question of liability between the parties;
- processor: a natural or legal person who processes personal data on behalf of the controller;
- data subject: an identified or identifiable individual who is the subject of the personal data;
- establishment: the effective and real exercise of activity through stable arrangements in a Member State;7
- filing system: any structured set of personal data that is accessible according to specific criteria, whether centralised or decentralised or dispersed on a functional or geographical basis, such as a filing cabinet containing employee files organised according to their date of joining or their names or location;
- personal data: any information that relates to an identified or identifiable individual who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. In practice, this is a broad definition including anything from someone's name, address or national insurance number to information about taste in clothes. Additionally, personal data that has undergone pseudonymisation remains personal data under the GDPR. Pseudonymisation means processing the data so that a coded reference or pseudonym replaces the direct identifiers and the data can no longer be attributed to a particular data subject without the use of additional information (such as the key or lookup table that links pseudonym to individual), which must be kept separately and under its own technical and organisational safeguards; and
- processing: any operation or set of operations performed upon personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This definition is so broad that it covers practically any activity in relation to personal data.
ii Obligations of controllers and processors under the GDPR
Notification
The notification obligation under the Directive requiring controllers to notify their national DPA prior to carrying out any processing of personal data no longer exists under the GDPR. Instead, DPAs may introduce their own notification requirements. For example, the UK's DPA, the Information Commissioner's Office (ICO), which applied the GDPR before the UK's withdrawal from the EU and now applies the UK GDPR, requires controllers to register on a public register maintained by the ICO, in addition to paying a fee to the ICO ranging from £40 to £2,900 depending on the controller's size and turnover.
Importantly, instead of the notification obligation, Article 30 of the GDPR requires controllers (and processors) to maintain a record of their processing activities. For controllers, this record should include the purpose of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries (countries outside the EEA); identification of the third country if there are transfers of personal data to a third country; envisaged time limits for the retention of the different categories of personal data; and a general description of the technical and organisational security measures in place to protect the personal data.
Data protection principles and accountability
Generally, the GDPR requires controllers to comply with the following data protection principles when processing personal data:
- the lawfulness, fairness and transparency principle: 8 personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- the purpose limitation principle: 9 personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- data minimisation principle: 10 personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accuracy principle: 11 personal data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay;
- storage limitation principle: 12 personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of personal data as described below; and
- accountability: the GDPR's principle of accountability under Article 5(2) of the GDPR is a central focus of the data protection requirements in the GDPR and requires controllers to process personal data in accordance with data protection principles found in the GDPR. Article 24 of the GDPR further provides that controllers implement appropriate technical and organisational measures to ensure and to be able to demonstrate that data processing is performed in accordance with the GDPR.
Data protection impact assessments
Article 35(1) of the GDPR imposes an obligation on controllers to conduct a data protection impact assessment (DPIA) prior to processing personal data where the processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects. This may be relevant to certain activities of the controller, such as where it decides to carry out extensive monitoring of its employees. The controller is required to carry out a DPIA that assesses the impact of the envisaged processing on the protection of personal data, taking into account the nature, scope, context and purposes of the processing.
Article 35(3) of the GDPR provides that a DPIA must be conducted where the controller engages in:
- a systematic and extensive evaluation of personal aspects relating to data subjects that is based on automated processing, including profiling, and produces legal effects concerning the data subject or similarly significantly affecting the data subject;
- processing on a large scale special categories of personal data under Article 9(1) of the GDPR, or of personal data revealing criminal convictions and offences under Article 10 of the GDPR; or
- a systematic monitoring of a publicly accessible area on a large scale.
Article 35(4) of the GDPR requires the DPA to publish a list of activities in relation to which a DPIA should be carried out. If the controller has appointed a data protection officer (DPO), the controller should seek the advice of the DPO when carrying out the DPIA.
Importantly, Article 36(1) of the GDPR states that where the outcome of the DPIA indicates that the processing involves a high risk, which cannot be mitigated by the controller, the DPA should be consulted prior to the commencement of the processing.
A DPIA involves balancing the interests of the controller against those of the data subject. Article 35(7) of the GDPR states that a DPIA should contain at a minimum:
- a description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose of the processing;
- an assessment of the risks to data subjects; and
- the measures in place to address risk, including security, and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of the data subject.
The EDPB noted in its guidelines on DPIAs that the reference to the rights and freedoms of data subjects under Article 35 of the GDPR while primarily concerned with rights to data protection and privacy also includes other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition on discrimination, right to liberty and conscience and religion.13
The EDPB endorsed the following nine criteria that should be considered by controllers when assessing whether their processing operations require a DPIA, owing to their inherent high risk14 to data subjects' rights and freedoms:
- evaluation or scoring, including profiling and predicting, especially from 'aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements';
- automated-decision making with legal or similar significant effects – processing that aims at taking decisions on data subjects producing 'legal effects concerning the natural person' or which 'similarly significantly affects the natural person'. For example, the processing may lead to the exclusion or discrimination against data subjects. Processing with little or no effect on data subjects does not match this specific criterion;
- systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or 'a systematic monitoring of a publicly accessible area'. This type of monitoring is a criterion because the personal data may be collected in circumstances where data subjects may not be aware of who is collecting their data and how their data will be used;
- sensitive data or data of a highly personal nature, which includes special categories of personal data as defined in Article 9 of the GDPR (for example information about individuals' political opinions), as well as personal data relating to criminal convictions or offences as defined in Article 10 of the GDPR. An example would be a hospital keeping patients' medical records or a private investigator keeping offenders' details. Additionally, beyond the GDPR, there are some categories of data that can be considered as increasing the possible risk to the rights and freedoms of data subjects. These personal data are considered as sensitive (as the term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject's daily life (such as financial data that might be used for payment fraud);
- data processed on a large scale: the GDPR does not define what constitutes large-scale. In any event, the EDPB recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity; and
- the geographical extent of the processing activity;
- matching or combining datasets, for example originating from two or more data processing operations performed for different purposes or by different controllers in a way that would exceed the reasonable expectations of the data subject;
- data concerning vulnerable data subjects: the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the data subjects may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children, as they can be considered not able to knowingly and thoughtfully oppose or consent to the processing of their data, and employees;
- innovative use or applying new technological or organisational solutions, for example, combining use of finger print and face recognition for improved physical access control. The GDPR makes it clear that the use of a new technology, defined in 'accordance with the achieved state of technological knowledge' can trigger the need to carry out a DPIA. This is because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to data subjects' rights and freedoms. Furthermore, the personal and social consequences of the deployment of a new technology may be unknown; and
- when the processing in itself 'prevents data subjects from exercising a right or using a service or a contract'. This includes processing operations that aim to allow, modify or refuse data subjects' access to a service or entry into a contract. An example of this is where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.
Additionally, the EDPB noted that the mere fact the controller's obligation to conduct a DPIA has not been met does not negate its general obligation to implement measures to appropriately manage risks to the rights and freedoms of the data subject when processing their personal data.15 In practice, this means controllers are required to continuously assess the risks created by their processing activities in order to identify when a type of processing is likely to result in a high risk to the rights and freedoms of the data subject.
The EDPB recommends that as a matter of good practice, controllers should continuously review and regularly reassess their DPIAs.16
Data protection by design and by default
Article 25 of the GDPR requires controllers, both at the time of determining the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles in the GDPR in an effective manner, and to integrate the necessary and appropriate safeguards into the processing of personal data in order to meet the data protection requirements of the GDPR and protect the rights of the data subject. (Anonymisation, by contrast, takes data outside the scope of the GDPR altogether, but only if the individual can no longer be identified by any means reasonably likely to be used.)
Controllers are also under an obligation to implement appropriate technical and organisational measures that ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation under Article 25(2) of the GDPR covers the amount of personal data collected, the extent of the processing of the personal data, the period of storage of the personal data and its accessibility.
In October 2020, the EDPB published its final guidelines on data protection by design and by default.17
Data protection officers
Article 37 of the GDPR requires both controllers and processors to appoint a DPO where:
- the processing is carried out by a public authority or body, except where courts are acting in their judicial capacity;
- the core activities of the controller or processor consist of processing operations that, by virtue of their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of processing on a large scale special categories of personal data pursuant to Article 9 of the GDPR or personal data about criminal convictions and offences pursuant to Article 10 of the GDPR.
The EDPB, in its guidance on DPOs, noted that 'core activities' can be considered key operations18 required to achieve the controller or processor's objectives. However, it should not be interpreted as excluding the activities where the processing of personal data forms an 'inextricable' part of the controller or processor's activities. The EDPB provides the example of the core activity of a hospital being to provide healthcare. However, it cannot provide healthcare effectively or safely without processing health data, such as patients' records.19
Any DPO appointed must be appointed on the basis of their professional qualities and expert knowledge of data protection law and practices.20 The EDPB note personal qualities of the DPO should include integrity and high professional ethics, with the DPO's primary concern being enabling compliance with the GDPR.21
Staff members of the controller or processor may be appointed as a DPO, as can a third-party consultant. Once the DPO has been appointed, the controller or processor must provide their contact details to their DPA.22
A DPO must be independent, whether or not he or she is an employee of the respective controller or processor and must be able to perform his or her duties in an independent manner.23 The DPO can hold another position but must be free from a conflict of interests. For example, the DPO could not hold a position within the controller organisation that determined the purposes and means of data processing, such as the head of marketing, IT or human resources.
Once appointed, the DPO is expected to perform the following, non-exhaustive list of tasks:
- inform and advise the controller or processor and the employees who carry out the processing of the GDPR obligations and relevant Member State data protection obligations;
- monitor compliance with the GDPR, and other relevant Member State data protection obligations, and oversee the data protection policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations and the related audits;
- provide advice where requested in relation to the DPIA;
- cooperate with the DPA; and
- act as the contact point for the DPA on issues relating to processing.24
The GDPR also provides the option, where controllers or processors do not meet the processing requirements necessary to appoint a DPO, to voluntarily appoint one.25
The EDPB recommends in its guidance on DPOs that even where controllers or processors come to the conclusion that a DPO is not required to be appointed, the internal analysis carried out to determine whether or not a DPO should be appointed should be documented to demonstrate that the relevant factors have been taken into account properly.26
Lawful grounds for processing
Controllers may only process personal data if they have satisfied one of six conditions:
- the data subject in question has consented to the processing;
- the processing is necessary to enter into or perform a contract with the data subject. The EDPB published draft guidelines on this lawful ground in April 2019 in which a very narrow interpretation of contractual necessity was adopted;27
- the processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of the personal data;
- the processing is necessary to comply with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject; or
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Of these conditions, the first three will be most relevant to business.28
Personal data that relates to a data subject's racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (special categories of personal data) can only be processed where both a lawful ground under Article 6 and a condition under Article 9 are satisfied. The Article 9 conditions that are most often relevant to a business are where the data subject has explicitly consented to the processing or the processing is necessary for the purposes of carrying out its obligations in the field of employment and social security and social protection law.
The EDPB states in its guidance on consent, that where controllers intend to rely on consent as a lawful ground for processing, they have a duty to assess whether they will meet all of the GDPR requirements to obtain valid consent.29 Valid consent under the GDPR is a clear affirmative act that should be freely given, specific, informed and an unambiguous indication of the data subject's agreement to the processing of their personal data. Consent is not regarded as freely given where the data subject has no genuine or free choice or is not able to refuse or withdraw consent without facing negative consequences. For example, where the controller is in a position of power over the data subject, such as an employer, the employee's consent is unlikely to be considered freely given or a genuine or free choice, as to choose to withdraw consent or refuse to give initial consent in the first place could result in the employee facing consequences detrimental to their employment.
As the EDPB notes, consent can only be an appropriate lawful ground for processing personal data if the data subject is offered control and a genuine choice with regard to accepting or declining the terms offered or declining them without negative effects.30 Without such genuine and free choice, the EDPB notes the data subject's consent becomes illusory and consent will be invalid, rendering the processing unlawful.31
Provision of information
Certain information needs to be provided by controllers to data subjects when controllers collect personal data about them, unless the data subjects already have that information. Article 13 of the GDPR provides a detailed list of the information required to be provided to data subjects either at the time the personal data is obtained or immediately thereafter, including:
- the identity and contact details of the controller (and where applicable, the controller's representative);
- the contact details of the DPO, where applicable;
- the purposes of the processing;
- the lawful ground for the processing;
- the recipients or categories of recipients of the personal data;
- where the personal data is intended to be transferred to a third country, reference to the appropriate legal safeguard to lawfully transfer the personal data;
- the period for which the personal data will be stored or where that is not possible, the criteria used to determine that period;
- the existence of rights of data subjects to access, correct, restrict and object to the processing of their personal data;
- the right to lodge a complaint with a DPA; and
- whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract.
In instances where the personal data are not collected by the controller directly from the data subject concerned, the controller is expected to provide the above information to the data subject, in addition to specifying the source and types of personal data, within a reasonable time period after obtaining the personal data, but no later than a month after having received the personal data or if the personal data is to be used for communication with the data subject, at the latest, at the time of the first communication to that data subject.32 In cases of indirect collection, it may also be possible to avoid providing the required information if to do so would be impossible or involve a disproportionate effort, or if the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law or obtaining or disclosing of personal data is expressly laid down by EU or Member State law to which the controller is subject.33 These exceptions, according to the EDPB should be interpreted narrowly.34
The EDPB notes that in order to ensure the information notices are concise, transparent, intelligible and easily accessible under Article 12 of the GDPR, controllers should present the information efficiently and succinctly to prevent the data subjects from experiencing information fatigue.35
iii Security and breach reporting
The GDPR requires controllers and, where applicable, processors to ensure that appropriate technical and organisational measures are in place to protect personal data and ensure a level of security appropriate to the risk.36 Article 32 of the GDPR gives as examples the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. Measures that go further, such as anonymisation or de-identification (the removal or alteration of personal identifiers, together with any additional techniques or controls required to remove, obscure, aggregate or alter the information so that it no longer identifies the data subject), reduce the risk still further, but note that data only leaves the scope of the GDPR if the individual can no longer be identified by any means reasonably likely to be used; a pseudonym that can be reversed with a key or lookup table does not achieve that. Additionally, controllers must ensure that when choosing a processor they choose one that provides sufficient guarantees as to the security measures applied when processing personal data on behalf of the controller, pursuant to Article 28 of the GDPR. A controller must also ensure that it has in place a written contract with the processor under which the processor undertakes to comply with the data protection requirements of Article 28 of the GDPR, including only processing the personal data on the documented instructions of the controller and flowing down the same data protection obligations to any sub-processor it engages. Under such an agreement, the processor remains fully liable to the controller for the failure of the sub-processor to perform its data protection obligations.37
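The distinction drawn above (and in the definition of personal data earlier in this chapter) between pseudonymised data, which is still personal data because it can be reversed with separately held information, and data that is merely hashed, is easy to get wrong in practice. The following added example, which is not code from the law review or from any regulator, shows why: an unkeyed hash of a low-entropy identifier can be reversed by enumerating the identifier space, whereas a keyed pseudonym (HMAC-SHA256) can only be reversed by whoever holds the key or the lookup table, which is exactly the 'additional information' that Article 4(5) requires to be kept separately. The employee IDs and records are constructed sample data, and the four-digit ID scheme is an assumption chosen so the enumeration runs in well under a second.

```python
"""Pseudonymisation as a technical measure: keyed pseudonyms vs. unkeyed hashes.

Added illustration, not code from the law review. The employee-ID scheme and the
records are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data: a tiny HR extract keyed on a four-digit employee ID.
RECORDS = [
    {"emp_id": "E0042", "dept": "finance", "grade": 3},
    {"emp_id": "E0137", "dept": "legal", "grade": 5},
    {"emp_id": "E2210", "dept": "it", "grade": 2},
]


def candidate_ids() -> Iterable[str]:
    """The whole identifier space: only 10,000 values, so it is cheap to enumerate."""
    return (f"E{n:04d}" for n in range(10_000))


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it for every candidate ID."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, enumerating the ID space is useless."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier in each record with a keyed pseudonym.

    Returns the pseudonymised records and a lookup table. The key and the lookup
    table are the 'additional information' of Article 4(5) GDPR: they must be
    stored separately from the pseudonymised data, under their own access controls.
    """
    lookup = {}
    out = []
    for rec in records:
        token = keyed_pseudonym(rec["emp_id"], key)
        lookup[token] = rec["emp_id"]
        out.append({"pseudonym": token, **{k: v for k, v in rec.items() if k != "emp_id"}})
    return out, lookup


def reidentify(pseudonym: str, lookup: dict) -> Optional[str]:
    """Only the holder of the lookup table (or the key) can re-associate a record."""
    return lookup.get(pseudonym)


def reverse_by_enumeration(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed pseudonym: hash every candidate and compare.

    Returns the recovered identifier, or None if no candidate matches (which is
    what happens when the target was produced under a key the attacker lacks).
    """
    for cand in candidates:
        if hmac.compare_digest(weak_pseudonym(cand), target):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in practice: held in a KMS/HSM, not beside the data
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised record:", pseudo[0])
    print("re-identified by key holder:", reidentify(pseudo[0]["pseudonym"], lookup))
    print("unkeyed hash reversed:", reverse_by_enumeration(weak_pseudonym("E0042"), candidate_ids()))
    print("keyed pseudonym reversed:", reverse_by_enumeration(keyed_pseudonym("E0042", key), candidate_ids()))
```

The unkeyed hash of `E0042` is recovered in one pass over the 10,000 possible IDs; the keyed pseudonym is not. A salt that is stored next to the data does not change this picture, since the attacker who has the data has the salt too; what matters for the Article 4(5) test is that the reversing information is held separately from the dataset.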
Personal data breaches
Article 4(12) of the GDPR defines a personal data breach broadly as a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. According to the guidelines published by the EDPB on personal data breach notification under the GDPR,38 personal data breaches typically fall into one or more of the following categories:
- confidentiality breaches: where there is an unauthorised or accidental disclosure of, or access to, personal data;
- availability breaches: where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
- integrity breaches: where there is an unauthorised or accidental alteration of personal data.
Additionally, controllers are required, with the assistance of the processors, where applicable, to report personal data breaches that are likely to result in a risk to the rights and freedoms of the data subject to the relevant DPA without undue delay and, where feasible, not later than 72 hours after having first become aware of the personal data breach. Where a processor becomes aware of a personal data breach, it is under an obligation to report the breach to the controller without undue delay. Upon receiving notice of the breach from the processor, the controller is then considered aware of the personal data breach and has 72 hours to report the breach to the relevant DPA.
The EDPB notes in its guidance on personal data breaches that the controller should have internal processes in place that are able to detect and address a personal data breach.39 The EDPB provides the example of using certain technical measures such as data flow and log analysers to detect any irregularities in processing of personal data by the controller.40 Importantly, the EDPB notes that once a breach is detected it should be reported upwards to the appropriate level of management so it can be addressed and contained effectively. These measures and reporting mechanisms could, in the view of the EDPB, be set out in the controller's incident response plans.41
Controllers are exempt from notifying a personal data breach to the relevant DPA if they are able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. In assessing the level of risk, the following factors should be taken into consideration:
- Type of personal data breach: whether the breach involves a compromise in the confidentiality, availability, or integrity of the personal data.
- Nature, sensitivity and volume of personal data: usually, the more sensitive the data, the higher the risk of harm from a data subject's point of view. Also, combinations of personal data are typically more sensitive than single data elements.
- Ease of identification of data subjects: the risk of identification may be low if the data were protected by an appropriate level of encryption. In addition, pseudonymisation can reduce the likelihood of data subjects being identified in the event of a breach.
- Severity of consequences for data subjects: especially if sensitive personal data are involved in a breach, the potential damage to data subjects can be severe and thus the risk may be higher.
- Special characteristics of the data subjects: data subjects who are in a particularly vulnerable position (e.g., children) are potentially at greater risk if their personal data are breached.
- Number of affected data subjects: generally speaking, the more data subjects that are affected by a breach, the greater the potential impact.
- Special characteristics of the controller: for example, if a breach involves controllers who are entrusted with the processing of sensitive personal data (e.g., health data), the threat is presumed to be greater.
- Other general considerations: assessing the risk associated with a breach can be far from straightforward. Therefore the EDPB, in its guidance on personal data breach notifications, refers to the recommendations published by the European Union Agency for Network and Information Security (ENISA), which provide a methodology for assessing the severity of the breach and may help with designing breach management response plans.42
Notifying affected data subjects
In addition to notifying the relevant DPA, in certain cases controllers may also be required to communicate the personal data breach to affected data subjects (i.e. when the personal data breach is likely to result in a 'high risk' to the rights and freedoms of data subjects). The specific reference in the law to high risk indicates that the threshold for communicating a breach to data subjects is higher than for notifying the DPAs, taking account of the risk factors listed above.
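The breach rules above combine three things an incident response plan has to encode: the risk factors, the two notification thresholds ('risk' for the DPA, 'high risk' for data subjects) and the 72-hour clock that starts when the controller becomes aware. The Python example below, added here and not part of the original text, turns them into a triage function over constructed scenarios. The numeric weights, the 1,000-subject cut-off and the three scenarios are assumptions made for the illustration; they are not the EDPB or ENISA severity methodology the text refers to.

```python
"""Breach triage: risk level, notification duties and the 72-hour clock (constructed example).

The scoring weights are illustrative assumptions, not the EDPB or ENISA methodology.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised disclosure of, or access to, data
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data
    INTEGRITY = "integrity"              # unauthorised alteration of data


@dataclass(frozen=True)
class BreachFacts:
    breach_types: frozenset             # one incident can fall into several categories
    sensitive_data: bool                # e.g. health data
    encrypted_key_uncompromised: bool   # data were encrypted and the key is not exposed
    pseudonymised: bool                 # identifiers replaced, key held separately
    vulnerable_subjects: bool           # e.g. children
    affected_subjects: int


LARGE_SCALE_THRESHOLD = 1000            # assumed cut-off for the 'number affected' factor
DPA_NOTIFICATION_WINDOW = timedelta(hours=72)


def risk_level(f: BreachFacts) -> str:
    """Map the factors listed in the text to 'unlikely', 'risk' or 'high'."""
    score = 2                           # every breach starts as a potential risk
    if f.sensitive_data:
        score += 2
    if f.vulnerable_subjects:
        score += 1
    if f.affected_subjects >= LARGE_SCALE_THRESHOLD:
        score += 1
    # Encryption or pseudonymisation lowers the ease of identification only for a
    # pure confidentiality breach; if the data are also lost or altered, the harm
    # to data subjects does not depend on whether the copy was encrypted.
    if f.breach_types == frozenset({BreachType.CONFIDENTIALITY}):
        if f.encrypted_key_uncompromised:
            score -= 4
        elif f.pseudonymised:
            score -= 1
    if score <= 0:
        return "unlikely"
    return "high" if score >= 4 else "risk"


def controller_aware_at(detected_at: datetime,
                        processor_notice_received_at: Optional[datetime] = None) -> datetime:
    """The clock starts when the controller becomes aware; for a breach found by a
    processor that is the moment the processor's notice reached the controller."""
    return processor_notice_received_at or detected_at


def notification_plan(f: BreachFacts, aware_at: datetime) -> dict:
    """Who must be told, and by when, for the assessed risk level."""
    level = risk_level(f)
    notify_dpa = level != "unlikely"    # the exemption applies only when risk is unlikely
    return {
        "risk_level": level,
        "notify_dpa": notify_dpa,
        "dpa_deadline": aware_at + DPA_NOTIFICATION_WINDOW if notify_dpa else None,
        "communicate_to_data_subjects": level == "high",   # the higher threshold
    }


# Constructed scenarios.
AWARE_AT = datetime(2021, 9, 27, 10, 0, tzinfo=timezone.utc)
EXFILTRATED_HEALTH_RECORDS = BreachFacts(frozenset({BreachType.CONFIDENTIALITY}), True, False, False, False, 5000)
LOST_ENCRYPTED_LAPTOP = BreachFacts(frozenset({BreachType.CONFIDENTIALITY}), False, True, False, False, 200)
RANSOMWARE_NO_BACKUP = BreachFacts(frozenset({BreachType.AVAILABILITY}), False, True, False, False, 200)

if __name__ == "__main__":
    for name, facts in [("exfiltrated health records", EXFILTRATED_HEALTH_RECORDS),
                        ("lost encrypted laptop", LOST_ENCRYPTED_LAPTOP),
                        ("ransomware, no backup", RANSOMWARE_NO_BACKUP)]:
        print(f"{name}: {notification_plan(facts, AWARE_AT)}")
```

Two points the scenarios are chosen to show: the lost encrypted laptop comes out as 'unlikely' only because the breach is confined to confidentiality and the key is safe, whereas the ransomware case loses availability of the same kind of data and the at-rest encryption does nothing to lower the risk. Whatever the outcome, the assessment itself should be retained, since the exemption depends on the controller being able to demonstrate that the risk was unlikely.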
It should be noted that the accountability requirements in the GDPR summarised above, such as purpose limitation, data minimisation and storage limitation, mean, for example, that implementing technical controls in isolation, or the piecemeal adoption of data security standards, is unlikely to be sufficient to ensure compliance. As a default position, controllers should seek to minimise the collection and retention of personal data and, especially where sensitive personal data are collected and retained, ensure that those data are encrypted or otherwise made unintelligible to unauthorised parties, to the greatest extent possible.
iv Prohibition on transfers of personal data outside the EEA
Controllers and processors may not transfer personal data to countries outside of the EEA43 unless the recipient country provides an adequate level of protection for the personal data.44 The European Commission can make a finding on the adequacy of any particular non-EEA state and Member States are expected to give effect to these findings as necessary in their national laws. So far, the European Commission has made findings of adequacy with respect to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. Further, the European Commission, on 16 June 2021, launched the process toward adoption of the adequacy decision for the Republic of Korea.45 Moreover, on 28 June 2021, the European Commission announced that it had adopted adequacy decisions for the UK, as it had deemed the UK's data protection laws to be 'essentially equivalent' to the data protection laws within the EU.
Importantly, on 16 July 2020, in the Schrems II case, the CJEU invalidated the Privacy Shield. According to the CJEU, the alleged lack of effective judicial or other independent redress for EU residents regarding the data collection and surveillance activities by US national security agencies materially diminishes the privacy protections afforded to individuals whose personal data had been transferred to the US by organisations that had certified to the Privacy Shield programme. In turn, the CJEU concluded that the privacy protections afforded to individuals under the Privacy Shield programme were not 'essentially equivalent' to privacy rights afforded to such individuals under EU law. Accordingly, organisations that were relying on their Privacy Shield certification (including data transfers to affiliates, customers and vendors) need to identify and implement an appropriate alternate legal transfer mechanism (for example, SCCs, binding corporate rules, or perhaps even reliance on informed consent from relevant data subjects or other exemptions under the GDPR, such as for performance of a contract).46 The European Commission and the US government have already announced their intention to develop a successor programme to the Privacy Shield that addresses the CJEU's findings in Schrems II.
Although the Schrems II decision did uphold the use of SCCs for purposes of international transfers from the EEA to non-EEA countries, organisations relying on SCCs are now required to carry out a transfer privacy impact assessment that, among other things, assesses whether any laws governing access to personal data in the recipient country impact the protections provided in the SCCs. Where this assessment reveals that such laws impact the protections provided in the SCCs, organisations will need to consider whether supplementary measures in addition to the protections in the SCCs will need to be implemented. Such supplementary measures are intended to ensure an essentially equivalent level of data protection to that guaranteed in the EEA.
On 18 June 2021, the EDPB issued its long-awaited practice guidance on measures that supplement transfer tools to ensure compliance with the EEA level of protection of personal data. Organisations using SCCs to transfer personal data to a country that has not been deemed to provide an adequate level of data protection will need to carry out a six-step assessment to determine, taking account of the circumstances of the transfer, whether they need to implement supplementary measures to ensure that the law of the recipient country does not impinge on the level of protection guaranteed by the SCCs. Where such an assessment reveals that appropriate safeguards would not be ensured, organisations are required to suspend transfers of personal data or notify the relevant supervisory authority that they wish to continue transferring data.
Personal data transferred on the basis of a model contract will be presumed to be adequately protected. Previously, there were two forms of SCCs: one where both the data exporter and data importer are controllers; and another where the data exporter is a controller and the data importer is a data processor. The European Commission, on 4 June 2021, adopted a new set of SCCs for international data transfers to take into account the Schrems II decision and to align more closely with the requirements under the GDPR.47 The new SCCs are required to be implemented into new agreements from the repeal date, being 27 September 2021, and organisations can continue to rely on the previous SCCs in existing agreements concluded prior to 27 September 2021 for 15 months following this date (i.e., essentially a transition period of 18 months). The new SCCs take a modular approach to accommodate the diversity of transfer scenarios and now address the following four data transfers: controller to controller; controller to processor; processor to processor; and processor to controller.
To address certain requirements arising from the Schrems II decision, the parties to the new model clauses are to provide a warranty that they have no reason to believe that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, prevent the data importer from complying with the new model clauses. In giving this warranty, the parties must carry out a transfer privacy impact assessment, taking into account the circumstances of the transfer, the laws and practices in the recipient third country and any supplementary measures implemented.
The clauses of the SCCs cannot be modified except to select the appropriate module or modules or to add or update information in the appendices to the new SCCs. The new SCCs are expected to be included in a broader commercial contract and additional clauses can be added provided these do not contradict the new SCCs or prejudice the rights of data subjects.
An alternative means of authorising transfers of personal data outside the EEA is the use of binding corporate rules. This approach may be suitable for multinational companies transferring personal data within the same company, or within a group of companies. Under the binding corporate rules approach, the company would adopt a group-wide data protection policy that satisfies certain criteria and, if the rules bind the whole group, then those rules could be approved by the relevant DPA as providing adequate data protection for transfers of personal data throughout the group. The EDPB has published various documents48 on binding corporate rules, including a model checklist for the approval of binding corporate rules,49 a table setting out the elements and principles to be found in binding corporate rules,50 an explanatory document on processor binding corporate rules, recommendations on the standard application for approval of controller and processor binding corporate rules,51 a co-operation procedure for issuing common opinions on adequate safeguards resulting from binding corporate rules, a framework for the structure of binding corporate rules, and frequently asked questions on binding corporate rules. Entities relying on binding corporate rules are still required to carry out a Schrems II transfer privacy impact assessment in accordance with EDPB guidance.
In addition to binding corporate rules and other data transfer solutions, the transfer of personal data outside of the EEA can occur via the use of approved codes of conduct or certification mechanisms.
v Rights of the data subject
The GDPR provides for a series of rights data subjects can use in relation to the processing of their personal data, with such rights subject to certain restrictions or limitations.
Timing and costs
The GDPR requires that a data subject's request to exercise their rights be complied with without undue delay and in any event within one month of receipt of the request. If the request is particularly complex, then this period can be extended to three months if the data subject is informed of the reasons for the delay within one month. Where it is determined that compliance with the request is not required, then data subjects should be informed of this within one month together with the reasons as to why the request is not being complied with and the fact that they can lodge a complaint with a DPA and seek a judicial remedy.
A fee must not be charged for compliance with a data subject's rights request unless it can be demonstrated that the request is manifestly unfounded or excessive.
Right to access personal data
Article 15 of the GDPR provides data subjects with the right to access their personal data processed by the controller. The right requires controllers to confirm whether or not they are processing the data subject's personal data and confirm:
- the purpose of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries;
- where possible, the retention period for storing the personal data, or, where that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification, erasure, restriction or objection to the processing of their personal data;
- the right to lodge a complaint with the DPA;
- where personal data is not collected from the data subject, the source of the personal data; and
- the existence of automated decision making, including profiling, where applicable.
Under the right of access to personal data, the controller is required to provide a copy of the personal data undergoing processing.
This right is not absolute, but subject to a number of limitations, including that the right to obtain a copy of the personal data shall not adversely affect the rights and freedoms of others.52 According to Recital 63 of the GDPR, these rights may include trade secrets or other intellectual property rights. As such, before disclosing information in response to a subject access request, controllers should first consider whether the disclosure would adversely affect the rights of any third party whose personal data are included, and the rights of the controller, in particular its intellectual property rights. However, even where such an adverse effect is anticipated, the controller cannot simply refuse to comply with the access request. Instead, the controller would need to take steps to remove or redact information that could impact the rights or freedoms of others.
Where the controller processes a large quantity of the data subject's personal data, as would likely be the case in respect of an organisation and its employees, the controller has a right to request that, before the personal data is delivered, the data subject should specify the information or processing activities to which the request relates.53 However, caution should be exercised when requesting further information from the data subject as it is likely that under the GDPR a controller will not be permitted to narrow the scope of a request itself.
Where the controller is able to demonstrate that the data subject's request for access to the personal data the controller holds is manifestly unfounded or excessive because of its repetitive nature, the controller can refuse to comply with the data subject's request.54 However, in the absence of guidance or case law to provide parameters around the scope of these exemptions, a strict interpretation should be considered for the concept of 'manifestly unfounded' with repetitive requests being documented in order to fulfil the burden of proof as to their excessive character.
If the controller has reasonable doubts concerning the identity of the data subject making the access request, the controller can request the provision of additional information necessary to confirm the identity of the data subject.55
If the controller is able to demonstrate that it is not in a position to identify the data subject, it can refuse to comply with a data subject's request to access his or her personal data.56
Right of rectification of personal data
Article 16 of the GDPR provides data subjects with the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The right is not absolute but subject to certain limitations or restrictions, including:
- where the controller is able to demonstrate that the data subject's request for rectification of their personal data the controller holds is manifestly unfounded or excessive because of its repetitive nature, the controller can refuse to comply with the data subject's request;57
- where the controller has reasonable doubts concerning the identity of the data subject making the request, the controller can request the provision of additional information necessary to confirm the identity of the data subject;58 and
- where the controller is able to demonstrate that it is not in a position to identify the data subject, it can refuse to comply with a data subject's request to access their personal data.59
Right of erasure of personal data (right to be forgotten)
Article 17 of the GDPR provides data subjects with the right of erasure of their personal data the controller holds without undue delay, where:
- the personal data are no longer necessary for the purposes for which they were collected;60
- the data subject withdraws consent to the processing and there is no other legal ground for the processing;61
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;62
- the personal data has been unlawfully processed;63
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;64 and
- the personal data has been collected in connection with an online service offered to a child.65
However, the right of erasure is not absolute and is subject to certain restrictions or limitations:
- the data subject's right of erasure will not apply where the processing is necessary for exercising the right of freedom of expression and information;
- where complying with a legal obligation which requires processing by Union or Member State law;
- reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i);
- for archiving purposes in the public interest, scientific, historical research or statistical research purposes;
- for the establishment, exercise or defence of legal claims;
- where the controller is able to demonstrate that the data subject's request for rectification of their personal data the controller holds is manifestly unfounded or excessive because of its repetitive nature, the controller can refuse to comply with the data subject's request;66
- where the controller has reasonable doubts concerning the identity of the data subject making the request, the controller can request the provision of additional information necessary to confirm the identity of the data subject;67 and
- where the controller is able to demonstrate that it is not in a position to identify the data subject, it can refuse to comply with a data subject's request to access his or her personal data.68
Right to restriction of processing
Article 18 of the GDPR also provides data subjects with the right to restrict the processing of their personal data in certain circumstances. The restriction of processing means that, with the exception of storage, the personal data can only be processed where:
- the accuracy of the personal data is contested by the data subject, enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of the processing;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing pursuant to Article 21(1) of the GDPR, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
The right of the data subject to request the restriction of the processing of their personal data is not absolute and is qualified:
- where the controller is able to demonstrate that the data subject's request for rectification of their personal data the controller holds is manifestly unfounded or excessive because of its repetitive nature, the controller can refuse to comply with the data subject's request;69
- where the controller has reasonable doubts concerning the identity of the data subject making the request, the controller can request the provision of additional information necessary to confirm the identity of the data subject;70 and
- where the controller is able to demonstrate that it is not in a position to identify the data subject, it can refuse to comply with a data subject's request to access his or her personal data.71
Right to data portability
Article 20 of the GDPR provides data subjects with the right to receive the personal data that they have provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit that personal data to another controller without hindrance, where the processing is based on consent pursuant to Article 6(1)(a) or 9(2)(a) of the GDPR and where the processing is carried out by automated means.
This right would, for example, permit a user to have a social media provider transfer his or her personal data to another social media provider.
Article 20(2) of the GDPR limits the requirement for a controller to transmit personal data to a third-party data controller where this is 'technically feasible'. The EDPB has published guidance on the right to data portability, stating that a transmission to a third-party data controller is 'technically feasible' when 'communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data'.72
In addition, the EDPB guidance recommends that controllers begin developing technical tools to deal with data portability requests and that industry stakeholders and trade associations should collaborate to deliver a set of interoperable standards and formats to deliver the requirements of the right to data portability.73
The guidance also clarifies which types of personal data the right to data portability should apply to, specifically:
- that the right applies to data provided by the data subject, whether provided knowingly and actively or generated by his or her activity;74
- the right does not apply to data inferred or derived by the controller from the analysis of data provided by the data subject (e.g., a credit score);75 and
- the right is not restricted to data communicated by the data subject directly.76
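The three bullets above amount to a design rule for a portability export: the controller has to know, for every stored field, whether the data subject supplied it, whether it was observed from the subject's activity, or whether the controller derived it, and on what lawful basis it is processed. The Python example below, added here and not part of the original text or of any EDPB guidance, tags a constructed profile with that provenance and builds the machine-readable export from the tags alone. It includes processing based on a contract (Article 6(1)(b)) alongside consent, which Article 20(1)(a) also covers; the field names, the record and the export schema name are assumptions for the example.

```python
"""Provenance-tagged personal data and a portability export built from the tags (constructed example)."""
import json
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    PROVIDED = "provided"   # knowingly and actively supplied by the data subject (form fields)
    OBSERVED = "observed"   # generated by the data subject's use of the service (activity, raw device data)
    DERIVED = "derived"     # inferred by the controller from analysis (scores, segments)


class Basis(Enum):
    CONSENT = "consent"                              # Article 6(1)(a) / 9(2)(a)
    CONTRACT = "contract"                            # Article 6(1)(b)
    LEGITIMATE_INTERESTS = "legitimate_interests"    # Article 6(1)(f): outside Article 20


@dataclass(frozen=True)
class Field:
    value: object
    origin: Origin
    basis: Basis


PORTABLE_ORIGINS = {Origin.PROVIDED, Origin.OBSERVED}
PORTABLE_BASES = {Basis.CONSENT, Basis.CONTRACT}

# Constructed profile for one data subject; not a real person.
SUBJECT_DATA = {
    "display_name": Field("Alice Example", Origin.PROVIDED, Basis.CONTRACT),
    "email": Field("alice@example.com", Origin.PROVIDED, Basis.CONTRACT),
    "posts": Field([{"ts": "2021-06-01T09:00:00Z", "text": "hello"}], Origin.OBSERVED, Basis.CONSENT),
    "device_fingerprint": Field("fp-3c9f", Origin.OBSERVED, Basis.LEGITIMATE_INTERESTS),  # fraud prevention
    "credit_score": Field(712, Origin.DERIVED, Basis.CONTRACT),
    "interest_segments": Field(["running", "travel"], Origin.DERIVED, Basis.CONSENT),
}


def is_portable(field: Field) -> bool:
    """In scope only if the subject provided or generated the data AND the basis is consent or contract."""
    return field.origin in PORTABLE_ORIGINS and field.basis in PORTABLE_BASES


def portability_export(data: dict, subject_id: str) -> dict:
    """The structured, machine-readable payload handed to the subject or the receiving controller."""
    return {
        "schema": "example-portability/1",   # assumed schema identifier
        "subject_id": subject_id,
        "data": {name: f.value for name, f in data.items() if is_portable(f)},
    }


def portability_export_json(data: dict, subject_id: str) -> str:
    return json.dumps(portability_export(data, subject_id), indent=2, sort_keys=True)


def out_of_scope(data: dict) -> dict:
    """For the controller's own file: which fields were withheld and why (origin/basis)."""
    return {name: f"{f.origin.value}/{f.basis.value}" for name, f in data.items() if not is_portable(f)}


if __name__ == "__main__":
    print(portability_export_json(SUBJECT_DATA, "subj-001"))
    print("withheld:", out_of_scope(SUBJECT_DATA))
```

Keeping origin and lawful basis as attributes of the stored field, rather than deciding per request, is what makes the export reproducible and lets the controller document why a derived value such as a credit score was withheld. The same tags serve the access right discussed earlier, where derived data are in scope, so the two requests can share one data model with different filters.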
Right to object to the processing of personal data
Article 21 of the GDPR provides data subjects with the right to object to the processing of their personal data. This right includes the right to object to:
- processing where the controller's legal basis for the processing of the personal data is either necessary for public interest purposes or where the processing is in the legitimate interests of the controller (the 'general right to object');
- processing for direct marketing purposes (the 'right to object to marketing'); and
- processing necessary for scientific or historical research purposes or statistical purposes and the data subject has grounds to object that relate to 'his or her particular situation'.
The right of the data subject to object to the processing of their personal data is not absolute:
- where the controller can demonstrate compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject or where the processing is necessary for the establishment, exercise or defence of legal claims;77 or
- where the processing is necessary for research purposes, there is an exemption to the right of data subjects to object where the processing is necessary for the performance of a task carried out for reasons of public interest.78
vi Company policies and practices
While the GDPR is not prescriptive as to the policies and procedures that a company should have in place, it emphasises the concept of accountability (i.e., the ability to demonstrate compliance with the GDPR). In turn, to comply with the accountability obligations under the GDPR, a company will need to have in place a number of policies and procedures. These may include, for example:
- a data protection policy: addressing how the company complies with the principles of the GDPR;
- a data processing record: to comply with Article 30 of the GDPR;
- legitimate interest assessments: where processing personal data relies on the legitimate interest ground for processing;
- data protection or fair processing notices: to comply with Articles 13/14 of the GDPR (e.g., for customers and employees);
- data processing provisions for inclusion in contracts entered into between controllers and processors: to comply with Article 28 of the GDPR;
- a vendor data protection questionnaire: to assess the data protection compliance of processors processing personal data on the company's behalf;
- a GDPR-compliant form of consent or checklist to assess requirements for valid consent;
- data treatment guidelines: to address how in practice the company complies with the data treatment principles under Article 5 of the GDPR;
- a data protection impact assessment template and guidelines for when it should be completed;
- a records retention policy and schedule: which will in fact be broader than data protection;
- information security policies and procedures, and a personal data breach incident response plan;
- data subject rights' guidelines: addressing how in practice the company will respond to a request made by a data subject to exercise their rights under the GDPR;
- EU standard contractual clauses or other data transfer solutions;
- a data protection officer (DPO) assessment: to document whether or not the company is under a statutory obligation to appoint a DPO;
- a GDPR audit checklist;
- a data protection representative agreement: as required under Article 27 of the GDPR;
- a lead DPA assessment: documenting whether or not the company can take the benefit of the one-stop-shop principle under the GDPR and in turn, identify a lead DPA and if so, which DPA will likely be the lead DPA; and
- GDPR training materials for staff.
vii Enforcement under the GDPR
DPAs, lead DPAs and 'one-stop shop'
Enforcement of the GDPR is done at a national level through national or state DPAs. In addition, one of the aims of the GDPR was to enable a controller that processes personal data in different EU Member States to deal with one lead DPA, known as the one-stop shop mechanism.
The one-stop shop mechanism
Under Article 56 of the GDPR, a controller or processor that carries out cross-border processing will be primarily regulated by a single lead DPA where the controller or processor has its main establishment.
Article 4(23) of the GDPR defines cross-border processing as either:
- processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the EU where the controller or processor is established in more than one Member State (i.e., processing of personal data by the same controller or processor through local operations across more than one Member State (e.g., local branch offices)); or
- the processing of personal data that takes place in the context of the activities of a single establishment of a controller or processor in the EU but that substantially affects or is likely to substantially affect data subjects in more than one Member State.
In determining whether the processing falls within this scope, the EDPB has published guidance stating that DPAs will interpret 'substantially affects' on a case-by-case basis taking into account:
- the context of the processing;
- the type of data;
- the purpose of the processing and a range of other factors, including, for example, whether the processing causes, or is likely to cause, damage, loss or distress to data subjects; or
- whether it involves the processing of a wide range of personal data.
Assuming a controller is engaged in cross-border processing, it will need to carry out the main establishment test. If a controller has establishments in more than one Member State, its main establishment will be the place of its 'central administration' (which is not defined in the GDPR) unless this differs from the establishment in which the decisions on the purposes and means of the processing are made and implemented, in which case the main establishment will be the latter.79
For processors, the main establishment will also be the place of its central administration. However, to the extent a processor does not have a place of central administration in the EU, the main establishment will be where its main processing activities are undertaken. The EDPB, in its guidance on lead supervisory authorities, makes it clear that the GDPR does not permit 'forum shopping'80 and that where a company does not have an establishment in the EU, the one-stop-shop mechanism does not apply and it must deal with DPAs in every EU Member State in which it is active.81
Importantly under Article 60 of the GDPR, other concerned DPAs can also be involved in the decision-making for a cross-border case. According to the GDPR, a concerned DPA will participate where:
- the establishment of the controller or processor subject to the investigation is in the concerned DPA's Member State;
- data subjects in the concerned DPA's Member State are substantially or are likely to be substantially affected by the processing of the subject of the investigation; or
- a complaint has been lodged with that DPA.82
In the case of a dispute between DPAs, the EDPB shall adopt a final binding decision.83 The GDPR also promotes cooperation among Member State DPAs by requiring the lead DPA to submit a draft decision on a case to the concerned DPA, where they will have to reach a consensus prior to finalising any decision.84
The EDPB is an independent EU-wide body, which contributes towards ensuring the consistent application of the GDPR across all EU Member States, and promotes cooperation between EU DPAs. The EDPB is comprised of representatives from all EU DPAs, the European Data Protection Supervisor (EDPS), the EU's independent data protection authority, and a European Commission representative, who has a right to attend EDPB meetings without voting rights.
Since the coming into force of the GDPR, the EDPB has been fairly active in publishing GDPR guidance and for the most part this has been well received by companies. In addition to the GDPR guidance published by the former Article 29 Working Party and adopted by the EDPB, the EDPB has finalised guidelines on codes of conduct and certification mechanisms. The EDPB has also published a variety of guidelines including addressing the territorial scope of the GDPR and video surveillance.
The GDPR provides data subjects with a multitude of enforcement rights in relation to the processing of their personal data:
Right to lodge a complaint with the DPA: Article 77 of the GDPR provides data subjects with the right to lodge a complaint with a DPA, in the Member State of the data subject's habitual residence, place of work or place of the alleged infringement of the GDPR, where the data subject considers that the processing of his or her personal data infringes the data protection requirements of the GDPR.
Right to an effective judicial remedy against a controller or processor: Article 79 of the GDPR provides data subjects with the right to bring a claim against a controller or a processor before the courts of the Member State where the controller or processor is established, or where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Right to compensation and liability: Article 82 of the GDPR provides data subjects with the right to receive compensation from the controller or processor where the data subject has suffered material or non-material damage as a result of an infringement of the GDPR.
Notably, Article 83 of the GDPR grants DPAs the power to impose substantial fines on controllers or processors for the infringement of the GDPR. The GDPR provides a two-tier structure for fines, where the following will result in fines of up to €10 million or 2 per cent of annual turnover, whichever is greater:
- failing to ensure that appropriate technical and organisational measures are adopted when determining the means of processing the personal data, in addition to during the actual processing itself;
- failing to comply with Article 28(3) of the GDPR, under which any processing of personal data by a processor must be governed by a written data processing agreement;
- failing, as a controller, to maintain records of all processing activities under its responsibility;
- failing to conduct data protection impact assessments; and
- failing to notify personal data breaches to the data subject and the data supervisory authorities, respectively.85
The GDPR states that certain infringements of the GDPR merit a higher penalty and will be subject to higher fines of up to €20 million or 4 per cent of annual turnover, whichever is the greater.86 These include:
- infringements of the basic principles of processing personal data, including conditions for obtaining consent;
- failing to comply with data subjects' rights requests; and
- failing to ensure there are appropriate safeguards for the transfer of personal data outside the EEA.
These extensive penalties represent a significant change in the field of data protection that should ensure that businesses and governments take data protection compliance seriously.
DPAs' investigative powers
DPAs also have investigative powers under Article 58(1), including the power to:
- carry out investigations in the form of data protection audits;
- notify the controller or processor of an alleged infringement of the GDPR; and
- obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
DPAs are not limited to enforcement and investigative powers, but also have corrective87 and authorisation and advisory88 powers.
DPAs' corrective powers
Article 58(2) of the GDPR grants DPAs the power to require the controller or processor to make certain corrections in relation to the processing of personal data, including to:
- issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
- issue reprimands to a controller or processor where processing operations have infringed provisions of the GDPR;
- order the controller or processor to comply with the data subject's requests to exercise their data subject's rights in accordance with the GDPR;
- order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
- order the controller to communicate a personal data breach to the data subject;
- impose a temporary or definitive limitation on processing, including a ban;
- order the rectification or erasure of personal data or restriction of processing of personal data and the notification of such actions to recipients to whom the personal data has been disclosed; and
- order the suspension of data flows to a recipient in a third country.
DPAs' authorisation and advisory powers
DPAs also have a range of advisory and authorisation powers under Article 58(3) of the GDPR, including the power to:
- issue opinions to the relevant Member State national parliament, Member State government or other institutions and bodies, as well as to the general public on the protection of personal data;
- authorise processing pursuant to Article 36(5) of the GDPR, if the law of the Member State requires prior authorisation;
- issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the GDPR;
- issue certifications and approve criteria of certification in accordance with Article 42(5) of the GDPR; and
- approve binding corporate rules pursuant to Article 47 of the GDPR.
viii Health data under the GDPR
Data concerning health falls within the scope of the special categories of personal data under Article 9 of the GDPR. The GDPR defines data concerning health as 'personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status'.89
The GDPR also states health data should include the following:
- all data pertaining to the health status of a data subject that reveals information relating to the past, current, or future physical or mental health status of the data subject;
- information collected in the course of registration for or the provision of healthcare services;
- a number, symbol, or particular assigned to an individual that uniquely identifies that individual for health purposes;
- information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and
- any information on disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the individual, independent of its source, for example, from a physician or a medical device.90
Also relevant in the context of health data is Article 9(2)(j) of the GDPR, which provides a legal ground where the processing is necessary for scientific research purposes. To rely on this legal ground, the processing must comply with Article 89(1) of the GDPR, which requires that the processing be subject to appropriate safeguards ensuring that technical and organisational measures are in place and, in particular, that the principle of data minimisation is respected.
ix Artificial intelligence
On 18 June 2021, the EDPB and the EDPS published a joint opinion on the European Commission's draft proposal laying down harmonised rules on artificial intelligence (AI Act).91 The EDPB and the EDPS welcome the aim of addressing the use of AI systems within the EU and the risk-based approach of the proposal. However, they have a variety of concerns and recommendations, including:
- the exclusion of international law enforcement cooperation from the scope of the proposal as this creates a risk of circumvention, such as where third countries operate high-risk AI applications relied on by public authorities in the EU;
- ensuring that existing EU data protection law applies to any processing of personal data falling within the scope of the AI Act;
- ensuring the concept of risk to fundamental rights is aligned with the concept under the EU data protection framework; and
- assessing and mitigating any potential risks for groups of individuals.
In the view of the EDPB and the EDPS, a general ban on any use of AI for automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context is necessary.
Moreover, the joint opinion further notes that the EDPB and the EDPS recommend a ban on AI systems using biometrics to categorise individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights.
III Direct marketing and privacy
The EU Privacy and Electronic Communications Directive 2002/58/EC (ePrivacy Directive) imposes requirements in relation to the use of personal data for unsolicited direct marketing sent to EU individuals. Direct marketing for these purposes includes unsolicited faxes, unsolicited telephone calls made through the use of automated calling machines, or direct marketing by email. In such instances, the direct marketer in principle needs to have the prior opt-in consent of the recipient. However, in the case of emails, there are limited exceptions for email marketing to existing customers where, if certain conditions92 are satisfied, unsolicited emails can still be sent without prior consent. In other instances of unsolicited communications, it is left up to each Member State to decide whether such communications will require the recipient's prior consent or can be sent without prior consent unless recipients have indicated that they do not wish to receive such communications (i.e., consent on an opt-out basis).93 Being an EU directive, the ePrivacy Directive is not directly applicable in EU Member States but has to be implemented into EU Member State domestic law. As a result, the requirements described in this section vary from one EU Member State to another.
The ePrivacy Directive imposes requirements on providers of publicly available electronic communication services to put in place appropriate security measures and to notify subscribers of certain security breaches in relation to personal data.94 The ePrivacy Directive was also amended in 200995 to require that website operators obtain the informed consent of users to collect personal data of users through website 'cookies' or similar technologies used for storing or gaining access to information stored in the users' equipment. There are two exemptions to the requirement to obtain consent before using cookies: when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and when the cookie is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.96
The former Article 29 Working Party published an opinion on the cookie consent exemption97 that provides an explanation on which cookies require the consent of website users (e.g., social plug-in tracking cookies, third-party advertising cookies used for behavioural advertising, analytics) and those that fall within the scope of the exemption (e.g., authentication cookies, multimedia player session cookies and cookies used to detect repeated failed login attempts). The WP29 Opinion dates back to 2012, and DPAs in various EU Member States have since issued (diverging) guidance on when and how cookie consent must be obtained.98
In July 2016, the former Article 29 Working Party issued an opinion on a revision of the rules contained in the ePrivacy Directive.99
On 10 January 2017, the European Commission issued a draft of the proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation) to replace the existing ePrivacy Directive.100 The ePrivacy Regulation will complement the GDPR and provide additional sector-specific rules, including in relation to marketing and the use of website cookies. Whereas the ePrivacy Directive's legal framework is still fairly fragmented due to the national implementation requirements, the ePrivacy Regulation aims to provide a harmonised legal framework that is directly applicable throughout the EU.101
The current draft of the ePrivacy Regulation has a number of elements, including, among other things, the following: it requires a clear affirmative action to consent to cookies except in a number of limited exceptions (which are broader than the ones foreseen in the ePrivacy Directive102); it aligns the consent standard with the consent standard of the GDPR; and it explicitly covers interpersonal communications services such as over-the-top communication services.
The European Commission's original timetable for the ePrivacy Regulation was for it to apply in EU law and have direct effect in Member State law from 25 May 2018, coinciding with the GDPR's entry into force. On 3 June 2020, the Presidency of the Council of the European Union published a progress report indicating that substantial progress on the draft ePrivacy Regulation had been limited due to the covid-19 pandemic.103 A further iteration of the ePrivacy Regulation was published by the Portuguese presidency on 5 January 2021.104 In view of the fact that there are some points of contention regarding the current draft, the ePrivacy Regulation is now not expected to come into force before 2023. A potential transition period of 24 months means that the ePrivacy Regulation would then not come into effect before 2025.
IV Cloud computing
It has been nearly a decade since the EU's WP29 adopted its guidance on an EU code of conduct for cloud computing.105 Following the submission by the Belgian DPA, on 19 May 2021, the EDPB approved the EU Cloud Code of Conduct (Cloud Code).106 The Cloud Code is now the first endorsed pan-European code of conduct for cloud service providers addressing all cloud offerings under Article 40 of the GDPR.
The Cloud Code aims to establish good data protection practices for all cloud service models (including software (i.e., SaaS), platforms (i.e., PaaS) and infrastructure (i.e., IaaS)), and applies to all B2B cloud services where the cloud service provider acts as a processor under Article 28 of the GDPR. The Cloud Code does not apply to B2C services or to any processing activities for which the cloud service provider may act as a controller. However, the Cloud Code can still be relevant for customers of cloud services, since they will receive an additional guarantee of compliance when entrusting personal data to adherent cloud service providers.
The main objective of the Cloud Code is to provide practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.
i Lawfulness of processing
Cloud service providers are required to act in accordance with their controller's instructions and establish documented procedures to comply with duties and internal communication mechanisms.
The Cloud Code contains rules on engaging a new sub-processor including documenting procedures for implementing the flow of the same data protection obligations and appropriate technical and organisational measures down the processing chain.
iii International transfers
According to the EDPB, the Cloud Code is not to be used in the context of international transfers of personal data.107
iv Right to audit
According to the Cloud Code, cloud service providers are required to implement appropriate and accessible mechanisms for providing evidence of compliance to customers with established confidentiality obligations.
v Personal data breaches
According to the Cloud Code, cloud service providers are required to assist customers in the case of a personal data breach under the GDPR, establish reporting procedures specifying data breach notification obligations and ensure that the customer is able to easily retrieve personal data following any such breach.
V Whistle-blowing hotlines
The WP29 published an Opinion in 2006 on the application of the EU data protection rules to whistle-blowing hotlines108 providing various recommendations under the now repealed Directive, which are summarised below. It would be reasonable to expect that the EDPB will issue new guidance on whistle-blowing hotlines to reflect new requirements under the GDPR. For the purposes of this section, references to the Directive should be read as references to the GDPR.
In addition, a new EU Whistleblowing Directive introduced on 23 October 2019 will need to be transposed into the national laws of EU Member States by 17 December 2021.109 This new Whistleblowing Directive requires companies to establish whistleblowing hotlines and accept reports concerning violations of EU law, while also ensuring broad protection for whistleblowers against retaliation.
The Whistleblowing Directive expressly provides that any processing of personal data in compliance with the Whistleblowing Directive, including disclosing personal data to DPAs, must be carried out in compliance with the GDPR. In addition, personal data that is not manifestly relevant for handling a specific report should not be collected or, if accidentally collected, must be deleted without undue delay. As such, it is important for companies subject to the Whistleblowing Directive to consider GDPR requirements when using vendors, such as hotline providers, and requirements on retaining hotline reports in line with the GDPR and international data transfer requirements, particularly in light of the Schrems II decision.
i Legitimacy of whistle-blowing schemes
Under the GDPR, personal data must be processed fairly and lawfully. For a whistle-blowing scheme, this means that the processing of personal data must be on the basis of at least one of certain grounds, the most relevant of which include where:
- the processing is necessary for compliance with a legal obligation to which the data controller is subject, which could arguably include a company's obligation to comply with the provisions of the US Sarbanes-Oxley Act (SOX). However, the WP29 concluded that an obligation imposed by a foreign statute, such as SOX, does not qualify as a legal obligation that would legitimise the data processing in the EU; or
- the processing is necessary for the purposes of the legitimate interests pursued by the data controller, or by the third party or parties to whom the data are disclosed, except where those interests are overridden by the interests or the fundamental rights and freedoms of the data subject. The WP29 acknowledged that whistle-blowing schemes adopted to ensure the stability of financial markets, and in particular the prevention of fraud and misconduct in respect of accounting, internal accounting controls, auditing matters and reporting as well as the fight against bribery, banking and financial crime, or insider trading, might be seen as serving a legitimate interest of a company that would justify the processing of personal data by means of such schemes.
ii Limiting the number of persons eligible to use the hotline
Applying the proportionality principle, the WP29 recommends that the company responsible for the whistle-blowing reporting programme should carefully assess whether it might be appropriate to limit the number of persons eligible for reporting alleged misconduct and the number of persons who might be incriminated. However, the recommendations acknowledged that in both cases the categories of personnel involved may still sometimes include all employees in the fields of accounting, auditing and financial services.
iii Promotion of identified reports
The WP29 pointed out that, although in many cases anonymous reporting is a desirable option, where possible, whistle-blowing schemes should be designed in such a way that they do not encourage anonymous reporting. Rather, the helpline should obtain the contact details of those making reports and maintain the confidentiality of that information within the company, restricting it to those who have a specific need to know the relevant information. The WP29 opinion also suggested that only reports that included information identifying the whistle-blower would be considered as satisfying the essential requirement that personal data should only be processed 'fairly'.
iv Proportionality and accuracy of data collected
Companies should clearly define the type of information to be disclosed through the system by limiting the information to accounting, internal accounting control or auditing, or banking and financial crime and anti-bribery. The personal data should be limited to data strictly and objectively necessary to verify the allegations made. In addition, complaint reports should be kept separate from other personal data.
v Compliance with data-retention periods
According to the WP29, personal data processed by a whistle-blowing scheme should be deleted promptly and usually within two months of completion of the investigation of the facts alleged in the report. These periods would be different when legal proceedings or disciplinary measures are initiated. In such cases, personal data should be kept until the conclusion of these proceedings and the period allowed for any appeal. Personal data found to be unsubstantiated should be deleted without delay.
vi Provision of clear and complete information about the whistle-blowing programme
Companies as data controllers must provide information to employees about the existence, purpose and operation of the whistle-blowing programme, the recipients of the reports and the right of access, rectification and erasure for reported persons. Users should also be informed that the identity of the whistle-blower shall be kept confidential, that abuse of the system may result in action against the perpetrator of that abuse and that they will not face any sanctions if they use the system in good faith.
vii Rights of the incriminated person
The WP29 noted that it was essential to balance the rights of the incriminated person and of the whistle-blower and the company's legitimate investigative needs. In accordance with the Directive, an accused person should be informed by the person in charge of the ethics reporting programme as soon as practicably possible after the ethics report implicating them is received. The implicated employee should be informed about:
- the entity responsible for the ethics reporting programme;
- the acts of which he or she is accused;
- the departments or services that might receive the report within the company or in other entities or companies of the corporate group; and
- how to exercise his or her rights of access and rectification.
Where there is a substantial risk that such notification would jeopardise the ability of the company to effectively investigate the allegation or gather evidence, then notification to the incriminated person may be delayed as long as the risk exists.
The whistle-blowing scheme also needs to ensure compliance with the individual's right, under the Directive, of access to personal data on them and their right to rectify incorrect, incomplete or outdated data. However, the exercise of these rights may be restricted to protect the rights of others involved in the scheme and under no circumstances can the accused person obtain information about the identity of the whistle-blower, except where the whistle-blower maliciously makes a false statement.
The company responsible for the whistle-blowing scheme must take all reasonable technical and organisational precautions to preserve the security of the data and to protect against accidental or unlawful destruction or accidental loss and unauthorised disclosure or access. Where the whistle-blowing scheme is run by an external service provider, the EU controller needs to have in place a data processing agreement and must take all appropriate measures to guarantee the security of the information processed throughout the whole process and commit themselves to complying with the data protection principles.
ix Management of whistle-blowing hotlines
A whistle-blowing scheme needs to carefully consider how reports are to be collected and handled with a specific organisation set up to handle the whistle-blower's reports and lead the investigation. This organisation must be composed of specifically trained and dedicated people, limited in number and contractually bound by specific confidentiality obligations. The whistle-blowing system should be strictly separated from other departments of the company, such as human resources.
x Data transfers from the EEA
The WP29 believes that groups should deal with reports locally in one EEA state rather than automatically share all the information with other group companies. However, data may be communicated within the group if the communication is necessary for the investigation, depending on the nature or seriousness of the reported misconduct or results from how the group is set up. The communication will be considered necessary, for example, if the report incriminates another legal entity within the group involving a high-level member of management of the company concerned. In this case, data must only be communicated under confidential and secure conditions to the competent organisation of the recipient entity, which provides equivalent guarantees as regards management of the whistle-blowing reports as the EU organisation.
The former Article 29 Working Party published a working document providing guidance to controllers in dealing with requests to transfer personal data to other jurisdictions outside the EEA for use in civil litigation110 and to help them to reconcile the demands of a litigation process in a foreign jurisdiction with EU data protection obligations.
The main suggestions and guidelines include the following:
- Possible legal bases for processing personal data as part of a pretrial e-discovery procedure include consent of the data subject and compliance with a legal obligation. However, the former Article 29 Working Party states that an obligation imposed by a foreign statute or regulation may not qualify as a legal obligation by virtue of which data processing in the EU would be made legitimate. A third possible basis is a legitimate interest pursued by the data controller or by the third party to whom the data are disclosed where the legitimate interests are not overridden by the fundamental rights and freedoms of the data subjects. This involves a balance-of-interest test taking into account issues of proportionality, the relevance of the personal data to litigation and the consequences for the data subject.
- Restricting the disclosure of data if possible to anonymised or redacted data as an initial step and after culling the irrelevant data, disclosing a limited set of personal data as a second step.
- Notifying individuals in advance of the possible use of their data for litigation purposes and, where the personal data is actually processed for litigation, notifying the data subject of the identity of the recipients, the purposes of the processing, the categories of data concerned and the existence of their rights.
- Where the non-EEA country to which the data will be sent does not provide an adequate level of data protection, and where the transfer is likely to be a single transfer of all relevant information, then there would be a possible ground that the transfer is necessary for the establishment, exercise or defence of a legal claim. Where a significant amount of data is to be transferred, the WP29 previously suggested the use of binding corporate rules or the Safe Harbor regime. However, Safe Harbor was found to be invalid by the CJEU in 2015 and was effectively replaced on 12 July 2016 by the Privacy Shield. In the absence of any updates from the EDPB to the former Article 29 Working Party's e-discovery working document, it can be assumed that the use of Privacy Shield is also an appropriate means of transferring significant amounts of data. The working document also recognises that compliance with a request made under the Hague Convention would provide a formal basis for the transfer of the data.
It would be reasonable to expect that the EDPB will issue new guidance on e-discovery, in light of the entry into force of Article 48 of the GDPR.
Article 48 of the GDPR facilitates the transfer of personal data from the EU to a third country on the basis of a judgment of a court or tribunal or any decision of an administrative authority of a third country where the transfer is based on a mutual legal assistance treaty (MLAT) between the requesting third country and the EU Member State concerned.111 As MLATs between EU Member States and third countries are not widespread, there is a further exception on which data controllers can rely. The GDPR states that the restrictive requirement that a judicial or administrative request from a third country to transfer personal data from the EU to that third country is permissible only on the basis of an MLAT is 'without prejudice to other grounds for transfer' in the GDPR.
Accordingly, this enables controllers in the EU facing e-discovery requests to transfer personal data to a jurisdiction outside of the EU to rely on transfer mechanisms such as EU standard contractual clauses and binding corporate rules. In the absence of a transfer mechanism, the GDPR provides certain derogations for several specific situations in which personal data can in fact be transferred outside the EEA:
- where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
- the transfer is necessary for important reasons of public interest under EU law or the law of the Member State to which the controller is subject;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary to protect the vital interests of the data subject, where the data subject is physically or legally incapable of giving consent; and
- the transfer is made on the basis of compelling legitimate interests of the controller, provided the transfer is not repetitive and only concerns a limited number of data subjects.112
VII EU cybersecurity strategy
The Network and Information Security Directive (NIS Directive) is part of the European Union's Cybersecurity Strategy aimed at tackling network and information security incidents and risks across the EU and was adopted on 6 June 2016 by the European Parliament at second reading.113
The main elements of the NIS Directive include:
- new requirements for 'operators of essential services' and 'digital service providers';
- a new national strategy;
- designation of a national competent authority; and
- designation of computer security incident response teams (CSIRTs) and a cross-border cooperation network.
As with the ePrivacy Directive, the NIS Directive requires EU Member State implementation, and, as such, the NIS framework varies from one EU Member State to another.
i New national strategy
The NIS Directive requires Member States to adopt a national strategy setting out concrete policy and regulatory measures to maintain a high level of network and information security.114 This includes having research and development plans in place or a risk assessment plan to identify risks, designating a national competent authority that will be responsible for monitoring compliance with the NIS Directive and receiving any information security incident notifications,115 and setting up at least one CSIRT that is responsible for handling risks and incidents.116
ii Cross-border cooperation network
The competent authorities in EU Member States, the European Commission and ENISA will form a cooperation network to coordinate against risks and incidents affecting network and information systems.117 The cooperation network will exchange information between authorities and also provide early warnings on information security risks and incidents, and agree on a coordinated response in accordance with an EU–NIS cyber-cooperation plan.
iii Security requirements
A key element of the NIS Directive is that Member States (i.e., through NIS implementing legislation) must ensure that public bodies and certain market operators118 take appropriate technical and organisational measures to manage the security risks to networks and information systems, and to guarantee a level of security appropriate to the risks.119 The measures should prevent and minimise the impact of security incidents affecting the core services they provide. Public bodies and market operators must also notify the competent authority of incidents having a significant impact on the continuity of the core services they provide, and the competent authority may decide to inform the public of the incident. The significance of the disruptive incident should take into account:
- the number of users affected;
- the dependency of other key market operators on the service provided by the entity;
- the duration of the incident;
- the geographic spread of the area affected by the incident;
- the market share of the entity; and
- the importance of the entity for maintaining a sufficient level of service, taking into account the availability of alternative means for the provision of that service.
Member States had until May 2018 to implement the NIS Directive into their national laws.
Organisations should review the provisions of the NIS Directive and of any relevant Member State implementing legislation and take steps as applicable to amend their cybersecurity practices and procedures to ensure compliance.
iv New Cybersecurity Act
In June 2019, the EU Cybersecurity Act120 (Act) came into force. The Act creates an EU-wide cybersecurity certification scheme for the purposes of ensuring an adequate level of cybersecurity of information and communication technology (ICT) products and services across the EU. The Act introduces a set of technical requirements and rules relating to the production of certifications for ICT devices, or products, ranging from smart medical devices and connected cars to video game consoles and fire alarms. The Act is part of the European Union's push towards a digital single market.
The Act includes a permanent mandate for ENISA as the renamed European Union Agency for Cybersecurity and grants ENISA new powers to provide effective and efficient support to EU Member States and EU institutions on cybersecurity issues and to ensure a secure cyberspace across the EU. In addition, ENISA will be responsible for carrying out product certifications, with certifications voluntary for companies unless otherwise stated in EU or Member State law. The EU-wide cybersecurity certification framework for ICT products and services will allow certificates to be issued by ENISA ensuring an adequate level of cybersecurity for the ICT products and services, which will be valid and recognised across all EU Member States, and serve to address the current market and Member State fragmentation in relation to cybersecurity certifications for ICT products and services.
On 26 June 2019, the European Commission released questions and answers on EU cybersecurity that address the certification framework among other things.
The GDPR came into force over three years ago and, while the immediate panic surrounding it appears to have subsided, the legislation remains a hot topic and one many companies continue to grapple with. The GDPR continues to evolve with new guidance being published at an EU and national level. At the same time there have been a number of enforcement actions and cases dealing with the requirements of the GDPR that companies will need to carefully consider. Indeed, the value of GDPR fines increased dramatically during the 2020/2021 period, reaching its peak on 16 July 2021 when the Luxembourg DPA imposed a record-breaking fine of €746 million on Amazon Europe Core Sàrl for alleged violations of the GDPR. Among the largest penalties handed down by the UK's ICO were those imposed on British Airways and Marriott International, Inc, for £20 million and £18.4 million respectively.
Dealing with the GDPR has been made more difficult by the lack of consistency in approach taken at a national level by EU Member States and this remains the case in spite of guidance being published by the EDPB at an EU level. The developments on international data transfers with the Schrems II decision will also require many international companies to closely examine their data transfers from the EEA and consider how best to deal with these transfers going forward. The European Commission's new SCCs incorporate elements of the Schrems II decision and require companies to conduct a transfer privacy impact assessment for each international transfer. In addition, the EDPB's final Schrems II guidance provides clarity to organisations carrying out transfers outside the EEA in reliance on a data transfer tool, such as SCCs, and recommends certain supplementary measures that can be adopted by organisations where there is not a finding of essential equivalence. It is likely that further guidance on Schrems II will be published by the EDPB and national DPAs.