Action after the GDPR 2-yr report? (what's NOT in the report but tucked away)
Dr W Kuan Hon
Of Counsel, Dentons; Member, UK International Data Transfer Expert Council; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
Most of the below isn't in the Commission's Communication or EDPB work programme, but comes from the Commission's Staff Working Document (SWD). Which I've read so you don't have to!
The SWD put some very useful flesh on the Communication's bones, offering insights on what's next, some of which I've summarised below.
Commission action
Standard contractual clauses (SCCs)/model clauses for transfers - the Commission is "currently working on" updated clauses under GDPR, and this work is "well advanced". Also, "the Commission is in contact with international partners that are developing similar tools" e.g. ASEAN model contractual clauses.
The Commission is awaiting the Schrems II 16 July 2020 CJEU decision before submitting the draft to the EDPB for its opinion, in case that decision requires changes to the draft. But, the new SCCs will take into account:
- Art.28 controller-processor requirements, and data importer transparency (privacy notice) requirements
- Processor-subprocessor and processor-controller transfers (yay!)
- Modern complex supply chains and evolving relationships e.g. allowing for multiple parties, accession by new parties
- Architecturally, possibly a single SCCs document rather than multiple separate sets
- Possible safeguards re. foreign public authorities' access particularly for national security, e.g. action by importer and/or exporter - obviously that's awaiting Schrems II.
Note: these SCCs are adopted through a "comitology" procedure - see my explanatory flowchart of this comitology procedure.
Commission report on its review of the current adequacy decisions (13 countries) - will be issued after the Schrems II judgment, as "certain elements of the adequacy standard may also be further clarified by the Court".
Adequacy process - at "advanced stage" with South Korea. As for the UK, "In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Law Enforcement Directive. Considering the autonomous and unilateral nature of an adequacy assessment, these talks follow a separate track from the negotiations on an agreement on the future relationship between the EU and the UK."
Art.28 standard contractual clauses (SCCs)/model clauses for controller-processor contracts (DPAs) - "The Commission is working on standard contractual clauses between controllers and processors, also in light of the modernisation of the standard contractual clauses for international transfers".
Cross-border info exchange, enforcement - "In addition there is a need to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. The Commission will therefore make use of the powers granted in this area by Article 50 of the GDPR and, in particular, seek authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the Board’s views as to which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcer in the third country and the need for enforcement cooperation to address cases of common interest."
- Never mind "convergence" and "adequacy", these agreements could enable true cross-border enforcement of data protection/privacy laws and individuals' rights, if they're entered into. Let us hope they don't take too long to negotiate - although I admit I'm not holding my breath.
EDPB action
SA cooperation - no joint operations, dispute resolution or urgency procedures yet under Arts.62, 64 or 66. "Reflection is on-going within the Board on the practical implementation of [joint investigations of cross border cases] and how to promote its use."
What EDPB guidelines might we expect next?
Use of personal data in scientific research - the Commission's SWD (see end, below) noted requests for guidance on processing in the context of scientific research (including in relation to international collaboration). This isn't in the EDPB's 2019-20 work programme, but its prioritisation would not be unexpected in these times. The EDPB had already issued Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, so it seems broader guidance is sought.
Processing of health data - requested, not in the work programme but no doubt will be prioritised. (Again, Covid-19-specific guidance has already been issued, see above.)
Controller/joint controller/processor and the necessary arrangements between them - in preparation (and in the 2019-20 work programme).
Scope of data subject rights including in the employment context - requested and in the work programme.
Legitimate interests opinion update - requested and in the work programme.
Processing of children’s data - requested and in the work programme: "many organisations ignore that children may be concerned by their data processing. The Council stressed that particular attention could be paid to the protection of children when drafting codes of conduct. The protection of children is also a focus of data protection authorities".
Transfers and territorial scope - "it is very important that the Board finalises its work on further clarifying the relationship between Article 3 on the direct application of the GDPR and the rules on international transfers in Chapter V". A personal bugbear (see my data localization book) is the equating of data localisation with data protection.
- The ICO demonstrated true 21st century sensibilities when updating its post-GDPR transfers guidance to state that it's a restricted "transfer" for GDPR purposes (i.e. international transfer/data export) only if personal data is sent or made accessible "to a receiver to which the GDPR does not apply. Usually because they are located in a country outside the EEA".
- Interestingly, "Several submissions to the public consultation have raised this point, for instance as regards the transmission of personal data to recipients outside the EU but covered by the GDPR". As Thorsten Ihler has pointed out, this may only help a few organisations who transfer to a branch of the same legal entity, because it doesn't apply where the transfer is to a receiver that's a different entity even if it's in the same group as the sender. But still, I think in principle that approach has to be right - focus on GDPR's applicability to the receiver, not the physical location of the personal data. (Yes, GDPR's broad extraterritoriality may raise issues on this front. But this extraterritoriality was of course deliberate.)
- The Commission is also "determined to tackle digital protectionism, as recently highlighted in the Data Strategy. To that end, it has developed specific provisions on data flows and data protection in trade agreements which it systematically tables in its bilateral – most recently with Australia, New Zealand, and the UK – and multilateral negotiations such as the current WTO e-commerce talks. These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection". Again, the Commission's enlightened approach to data location/localisation and "transfers" is heartening. Let us hope that SAs will also take the same approach.
Codes of conduct/certifications for transfers - the EDPB is "currently working on guidelines for using [codes of conduct] as a tool for transfers" and "the Commission urges the Board to finalise as soon as possible its guidance in this regard. This concerns both substantive (criteria) and procedural aspects (approval, monitoring, etc.)... ISO 27701, which aims to help businesses meet privacy requirements and manage risks related to the processing of personal data through ‘privacy information management systems’. Although certification under the standard as such does not fulfil the requirements of Articles 42 and 43 of the GDPR, applying Privacy Information Management Systems can contribute to accountability, including in the context of international data transfers". So, cue increasing adoption of ISO 27701 in future?
International organisations - "the Commission will work closely with the EDPB to further clarify how EU public and private operators can comply with their GDPR obligations when exchanging data with international organisations such as the UN."
What about codes and certifications?
Codes of conduct "currently in preparation": mobile health apps, health research in genomics, cloud computing, direct marketing, insurance, processing by prevention and counselling services for children.
The Council stressed the importance of codes focusing on children's data and health data.
"The Commission is supporting code(s) of conducts that would harmonise the approach in health and research and facilitate the cross-border processing of personal data... Having transnational codes of conduct rapidly in place is especially important for areas involving the processing of significant amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research)"
Security and data protection by design are key elements in GDPR certification schemes "and would benefit from a common and ambitious approach throughout the EU."
Cybersecurity Act certification schemes - although such schemes "do not explicitly address data protection and privacy, they contribute to increasing consumers’ trust in digital services and products. Such schemes may provide evidence of adherence to the principles of security by design as well as the implementation of appropriate technical and organisational measures related to the security of processing of personal data". One example is the certification scheme on cloud computing security that ENISA is preparing.
EDPB work on developing criteria to approve certification mechanisms as international transfer tools is "still ongoing".
What might we see in future...
Generally?
Big tech is still a target - "civil society organisations note... the practices of major digital players have not yet fundamentally changed towards more privacy-friendly processing... Strong and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies, including in areas such as online advertising and micro-targeting, is an essential element for protecting individuals." "Individuals still face difficulties when requesting access to their data, for instance from platforms, data brokers and adtech companies". "The exercise of the rights of individuals is sometimes hampered by the practices of a few major digital players that make it difficult for individuals to choose the settings that most protect their privacy (in violation of the requirement of data protection by design and default)".
EU representative appointment - "Where these operators fail to meet their obligation to appoint a representative, supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU)."
- So, a warning shot across the bow of non-EEA established controllers and processors that are caught by the GDPR but haven't appointed any representatives yet.
From the EDPB?
Guidelines requested on application of GDPR to new technologies (such as blockchain and artificial intelligence) - the 2019-20 work programme included as "possible topics" blockchain, and "Use of new technologies, such as AI, connected assistants".
Guidelines requested on pseudonymisation and anonymisation - not in the work programme, but hopefully the old guidance will be updated as part of the 2020-2021 work programme?
Harmonised forms for data breaches, simplified processing records "may help SMEs" as the Art.30(5) exemption "is indeed very narrow".
BCRs - "It is important that data protection authorities continue working on further streamlining the approval process, as the length of such procedures is often mentioned by stakeholders as a practical obstacle to the broader use of BCRs."
From the Commission?
This is speculative, but given national inconsistencies and indeed national laws exceeding what the GDPR allows, it's not inconceivable that the Commission could take action to bring Member States into line:
- National inconsistencies: cookies, application of legitimate interests, data breach notifications, DPIAs, and (within Germany alone) controller and processor.
- National restrictions on GDPR's applicability: e.g. some Member States exclude national parliament activities.
- National applicability/territorial scope: Some Member States link the applicability of their national law to the place where the goods or services are offered, others to the place of establishment of the controller or processor. Cf. GDPR itself, of course.
- National legislation going beyond the GDPR's margin for specifications or restrictions: particularly national laws determining the conditions for processing based on legitimate interest by providing for the balancing of the interests of the controller and data subjects. Cf. under GDPR that balancing is for the individual controller to do.
- National "specifications and additional requirements beyond processing for compliance with a legal obligation or performance of a public task (e.g. for video surveillance in the private sector or for direct marketing); and for concepts used in the GDPR (e.g. ‘large scale’ or ‘erasure’)".
- Freedom of expression - in some Member States this takes precedence, or processing for journalistic purposes and for academic, artistic and literary expression is exempt from the entire chapters mentioned in Article 85(2) (although to some extent media laws provide some safeguards for data subject rights); in others, data protection takes precedence and only specific situations are exempt, e.g. a person with public status; still others provide for balancing by the legislator and/or a case-by-case assessment as regards derogations from certain provisions of the GDPR.
- National restrictions (some "extensive") on data subject rights, beyond what Art.23(1) permits - not specifying the objectives of general public interest safeguarded by the restrictions, and/or not sufficiently specifying the conditions and safeguards (e.g. because they simply repeat Article 23(1)'s wording). Several Member States leave no room for the proportionality test or extend restrictions beyond the scope of Article 23(1), e.g. denying the right of access for reasons of disproportionate effort on the controller's part, for personal data stored based on a retention obligation or related to performance of public tasks, without limiting the restriction to objectives of general public interest.
- The SWD noted Germany's "additional requirement" for a DPO where >=20 employees, whatever the processing risk, has led to "additional burdens" - but didn't comment beyond that.
Other points
Children's age and consent - see the table for different Member States, derived from the SWD, in my blog post.
Data subject rights - "Not all data controllers comply with their obligation to facilitate the exercise of data subjects’ rights". The SWD called out not ensuring an effective contact point for data subjects, not proactively providing the DPO's contact info, and limiting the data subject to email only.
- Really easy quick fixes here for controllers to avoid complaints or regulatory attention - make sure you have an effective contact point, can actually receive data subject requests (so emails don't go into spam or some unmonitored inbox), provide your DPO's contact details when responding, and don't force data subjects to communicate via emails or forms only (or please please please, paper post only!), but have an appropriate escalation procedure - sometimes a quick call is enough to mollify a disgruntled individual. Not always, but sometimes... Whereas forcing them to go round in circles via slow comms channels can only frustrate them more!
Right to information / privacy notices - "some companies have a very legalistic approach, taking data protection notices as a legal exercise, with information being quite complex, difficult to understand or incomplete, whereas the GDPR requires that any information should be concise and use clear and plain language. It seems that some companies do not follow the Board’s recommendations, for example as regards listing the names of the entities with whom they share data."
- That final sentence is not surprising given that strictly it's a recommendation, not legal requirement ("categories" of recipients are acceptable), and listing all possible recipients, especially when those can change (sometimes often), is often not considered practicable or commercially desirable.
Culture, breach notifications and complaints - the SWD noted that the highest numbers of breach notifications were in Germany and the Netherlands respectively (excluding the UK, as sadly we now must), and "This may point to a lack of consistent interpretation and implementation, despite the existence of EU-level guidelines on data breach notifications". However, the highest numbers of complaints to SAs were also in Germany and the Netherlands, respectively, and "The number of complaints is not necessarily correlated to the size of the population or GDP, with for instance close to twice as many complaints in Germany compared to the Netherlands, and four times as many compared to Spain and France."
- May I suggest that this indicates it's not so much an issue of interpretation or implementation, as an issue of national cultural and social norms & standards regarding privacy and data protection?
Social media research - "As regards research in the field of social media, the Commission recalls that the GDPR cannot be used as an excuse by social media platforms to limit researchers’ and fact-checkers’ access to non-personal data such as statistics on which targeted ads have been sent to which categories of people, the criteria for designing this targeting, information on fake accounts, etc."
International cooperation - "the Commission is setting up a “Data Protection Academy” to foster exchanges between European and third country regulators and, in this way, improve cooperation ‘on the ground’" - but what about the Global Privacy Assembly, what's the diff?
DPIAs and lowest common denominator? - "the Board’s responsibility in ensuring a consistent interpretation of the GDPR cannot be discharged by simply finding the lowest common denominator" - and see the Communication: "At times, finding a common approach meant moving to the lowest common denominator and as a result, opportunities to foster more harmonisation were missed... For instance the national lists of the kinds of processing operations which requires data protection impact assessment under Article 35 of the GDPR could have been better harmonised."
Countries influenced by the GDPR - as mentioned in the SWD. For a map, see my blog post.