A&L Goodbody | Ireland IP & Technology Law Blog | Cyber Risk & Data Privacy
Ireland IP & Technology Law Blog provides all the information you need to know about intellectual property and technology law in Ireland. A&L Goodbody is an Irish law firm providing expert legal advice across every aspect of business law. The Firm advises a broad domestic and international client base in both the private and public sectors, across the island of Ireland.
The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO). Some highlights of the guidance issued by the Irish and UK regulators, and the UK government, are set out below.
Personal data flows from the UK to the EEA (including EU Member States) and Gibraltar
The UK Government has made it clear that the current practice which permits personal data to flow freely from the UK to the EEA (including EU Member States), and Gibraltar, will continue in the event of a ‘no deal’ Brexit.
Personal data flows from the EEA to the UK
Companies will need to start considering what mechanisms to put in place to ensure that personal data can continue to lawfully flow from the EEA to the UK from 30 March 2019. Without the Withdrawal Agreement, the UK will become a ‘third country’ for the purposes of EU personal data transfers from 30 March 2019. The GDPR requires companies who transfer personal data to a recipient in a ‘third country’ (i.e. a country outside the EEA) to put in place a transfer mechanism under Chapter V of the GDPR, such as the standard contractual clauses (SCCs), in order to lawfully transfer personal data to that non-EEA recipient. Whilst the UK intends to seek an adequacy decision from the European Commission recognising the UK’s data protection regime as essentially equivalent to those in the EU, allowing data flows from the EEA to the UK without the need for an EEA-based organisation to adopt any specific transfer mechanism, an adequacy decision will not be in place before the UK leaves the EU. The European Commission has made it clear that a decision on adequacy cannot be taken until the UK is a third country.
Personal data flows from the UK to non-EEA countries
In respect of personal data flows from the UK to non-EEA countries, the UK government intends to preserve the effect of EU adequacy decisions made prior to exit day on a transitional basis. This means that transfers from UK organisations to Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay, can continue uninterrupted.
The UK will also continue to recognise the use of EU SCCs as a legal basis for data transfers from the UK in a ‘no deal’ scenario. After exit day, it is proposed that the UK ICO will have the power to issue new SCCs to facilitate transfers from the UK to non-EEA countries. In addition, the UK government will recognise binding corporate rules (BCRs) authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK.
In conclusion, if the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, made under the EU (Withdrawal) Act 2018 and Data Protection Act 2018, will incorporate the GDPR into UK law with the aim of ensuring that the UK legal framework for data protection functions correctly after exit day. The draft Regulations were laid before Parliament on 19 December 2018. UK organisations would continue to be able to send personal data from the UK to the EEA, as the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EEA.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EEA to organisations established in the UK would change on exit, and organisations would need to take action to ensure they are able to continue to send UK organisations personal data.
It is vital that companies operating across the EU start taking steps now to review their structure, processing operations and data flows. Many companies have already been taking precautionary measures in case of a ‘no deal’ Brexit. The DPC’s guidance emphasises the importance of planning ahead, recommending that organisations start taking the following steps:
Map the personal data currently being transferred to the UK.
Determine if the transfers will need to continue beyond 30 March 2019.
Consider which transfer mechanism best suits the situation and work towards having it in place by 30 March 2019.
The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission last year have improved the functioning of the framework.
However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.
Improvements reported to have been made over the past year include the strengthening by the US Department of Commerce of the certification process and of its proactive oversight over the framework. The Department has set up new mechanisms to detect compliance issues, such as random spot checks, and carried out an analysis of Privacy Shield participants’ websites to ensure that links to privacy policies are correct. The US Federal Trade Commission has also been taking a more proactive approach to enforcement, including by issuing subpoenas to request information from Privacy Shield participants.
New members of the Privacy and Civil Liberties Oversight Board have been appointed which restores the Board’s full quorum. In addition, the Presidential Policy-Directive No. 28, which provides privacy protections for non-Americans, has been implemented across the US intelligence community. The Department of Commerce has also launched a consultation on a federal approach to data privacy.
The Commission notes concerns among NGOs about the adoption of the US CLOUD Act in March 2018, which requires US service providers to comply with US orders to disclose content and other data, regardless of where such data is stored. The Act also establishes a framework for the conclusion of executive agreements with foreign governments, on the basis of which US service providers would be allowed to disclose content data directly to law enforcement authorities of those third countries in investigation of serious crime, subject to civil liberties and privacy safeguards. The Commission states that it will closely monitor whether any executive agreements under the CLOUD Act are being concluded, and carefully assess their impact on the Privacy Shield.
The Commission also highlights two important developments in regard to access to personal data for law enforcement purposes, which have strengthened the protections of individuals. Firstly, in the case of Carpenter v United States (2018), the US Supreme Court held that a search warrant is in principle required for law enforcement authorities to access cell site location records. Secondly, the Deputy Attorney General issued a memorandum on a more restrictive policy on applications for non-disclosure orders under the US Stored Communications Act (SCA). The SCA permits US law enforcement authorities to obtain records (on the basis of a warrant, subpoena or court order) relating to customers or subscribers of providers of electronic communications services or remote computing services for both content and non-content data. Providers are able to voluntarily notify a customer or subscriber whose information is sought by law enforcement authorities, except when such authorities obtain a non-disclosure order prohibiting voluntary notification. The memorandum requires prosecutors to make a detailed determination regarding the need for a non-disclosure order and puts a ceiling on how long a notification can be withheld. The Commission states that the new policy contributes to stronger protections where law enforcement authorities seek to obtain access to personal data transferred under the Shield.
The Report will now be sent to the European Parliament, the Council, the European Data Protection Board and to the US authorities.
The European Data Protection Board (EDPB) has published the eagerly awaited draft Guidelines on the territorial scope of the GDPR. The 23-page Guidelines, which are open to public consultation until 18 January 2019, aim to help EU and non-EU established controllers and processors determine whether their processing operations fall within the scope of the GDPR, and ensure a consistent approach to the application of the GDPR. This note considers some of the EDPB’s key recommendations and examples of when the GDPR does or does not apply.
The DPC has determined that a DPIA will be mandatory for the following types of processing operations:
Use of personal data on a large-scale for a purpose(s) other than that for which it was initially collected (a compatibility test must also be carried out pursuant to Article 6(4) GDPR).
Profiling vulnerable persons including children to target marketing or online services at such persons.
Use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects.
Systematically monitoring, tracking or observing individuals’ location or behaviour.
Profiling individuals on a large-scale.
Processing biometric data to uniquely identify an individual or enable the identification or authentication of an individual in combination with any of the other criteria set out in the WP29 DPIA Guidelines.
Processing genetic data in combination with any of the other criteria set out in WP29 DPIA Guidelines.
Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.
Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
Large scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of individuals.
The GDPR and WP29 DPIA Guidelines (as endorsed by the European Data Protection Board) also set out a number of situations when it is mandatory for a data controller to carry out a DPIA, including:
Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the type of processing, such as where the processing involves new technologies (Article 35(1) GDPR).
Where a data controller uses systematic and extensive profiling with significant effects; processes special category or criminal offence data on a large scale, or systematically monitors publicly accessible places on a large scale (Article 35(3) GDPR).
Where processing meets two of the criteria listed in the WP29 DPIA Guidelines (as set out on pages 9-11 of those Guidelines). However, in some cases, processing meeting only one of these criteria may require a DPIA.
Factors influencing DPIA preparation
The DPC notes that where certain factors are involved in a processing operation, the operation is likely to result in a high risk and to require a DPIA to be carried out. However, these factors are not prescriptive, and a data controller ultimately is responsible for determining if there is a high risk. Where there is doubt, conducting a DPIA is advised. These factors include:
Uses of new or novel technologies.
Data processing at a large scale.
Profiling/Evaluation – Evaluating, scoring, predicting of individuals’ behaviours, activities, attributes including location, health, movement, interests, preferences.
Any systematic monitoring, observation or control of individuals including that taking place in a public area or where the individual may not be aware of the processing or the identity of the data controller.
Processing of sensitive data including that as defined in GDPR Article 9, but also other personally intimate data such as location and financial data or processing of electronic communications data.
Processing of combined data sets that goes beyond the expectations of an individual, such as when combined from two or more sources where processing was carried out for different purposes or by different data controllers.
Processing of personal data related to vulnerable individuals or audiences that may have particular or special considerations related to their inherent nature, context or environment. This will likely include minors, employees, the mentally ill, asylum seekers, the aged and those suffering incapacitation.
Automated decision-making with legal or significant effects. This includes automatic decision-making where there is no effective human involvement in the process.
Insufficient protection against unauthorised reversal of pseudonymisation.
Are there any exemptions to the requirement for a DPIA?
The DPC has determined that a DPIA is NOT required where:
Processing operations do not result in a high risk to the rights and freedoms of individuals.
Processing was previously found not to be at risk by DPIA.
Processing has already been authorised by a supervisory authority.
Processing already has an existing clear legal basis.
Performed as part of an impact assessment arising from a public interest basis and where a DPIA was an element of that impact assessment (Article 35(10)).
Where a supervisory authority chooses to enumerate the processing operation in accordance with Article 35(5).
Keep a record of why a DPIA is or is not necessary
A data controller will need to assess, decide and document whether a DPIA is necessary for each proposed data processing operation. Records of processing operations should include relevant risk information, including the reasons why a DPIA does or does not need to be carried out. The DPC has emphasised, however, that it is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk.
The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to its breach reporting line. After a discussion with the ICO’s officers, roughly one third of these organisations decide that their breach does not meet the reporting threshold. The Irish Data Protection Commission has also been reported as having received a massive increase in breach notifications since the introduction of the GDPR.
Key trends in the UK
The Deputy Commissioner outlined key trends regarding breach reporting under the GDPR, including:
Organisations are struggling with the 72-hour time limit to report data breaches to the data protection authority. Organisations must remember that it is not 72 working hours; the clock starts ticking from the moment you become aware of a breach.
Some reports are incomplete. Whilst the ICO accepts that organisations may not have all information to hand within 72 hours, people with suitable seniority and clearance should be available to talk to the ICO and indicate when the rest of the information will be provided. If adequate resources are not assigned to managing the breach, the ICO will question why not.
Some controllers are over-reporting, in an effort to be transparent and manage their perceived risk, or because they think that everything needs to be reported. The ICO will discourage this once the new breach reporting threshold has become more familiar. Organisations are not required to notify the data protection authority if the breach is “unlikely to result in a risk to the rights and freedoms” of the affected data subjects. (The Irish Deputy Data Protection Commissioner, Anna Morgan, has also warned against over-reporting – see our previous blog.)
Like the Irish Data Protection Commission, the ICO has not yet issued any fines under the new regime. However, the ICO is currently investigating a data breach by British Airways, in which a hacker is alleged to have stolen credit card data associated with the purchase of 380,000 airline tickets. In addition to a potential administrative fine being imposed by the ICO, British Airways faces possible compensation claims from individuals adversely affected by the breach. The airline has already promised customers that it will reimburse them for any fraudulent losses experienced as a result of the breach; however, a UK law firm is reportedly threatening to launch a group action, the British version of a class-action lawsuit, unless British Airways also agrees to settle compensation claims for inconvenience and distress suffered by individuals as a result of the breach.
In regard to the level of fines that may be levied under the GDPR for data breaches, the Deputy Commissioner has indicated that if organisations take their responsibilities under the GDPR seriously, adopt a privacy by design approach to data protection, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for employee and customer data, then the ICO will not usually have an issue with the organisation should the worst happen.
In regard to high fines imposed on large corporates by the ICO under the old Data Protection Act 1998, the Deputy Commissioner noted that a common thread ran through these, including:
Poor board level awareness of the risk to the organisation
Incomplete or missing corporate records including third party or inter-group contracts and policies
Lapsed staff training
Policies repeatedly not followed
Poor understanding of the data protection risks of the supply chain or outsourced providers
Investment in security deferred
Poor data governance (particularly in test or product development environments)
Staff workarounds compromising security systems because the agreed way of working is not the easiest way of working, and
Obvious misconfiguration of systems leaving them open to long-known vulnerabilities.
Accordingly, organisations should be able to mitigate the risk of hefty fines for a data breach by ensuring they have a good data governance system in place, and can demonstrate to the data protection authority that they have taken all appropriate measures to meet their data protection obligations.
The Irish Data Protection Commission has published new guidance on data breach reporting under the GDPR, available here.