DPC under pressure from critics.

The  DPC is  under pressure from critics with varied agendas. The backdrop for all of  this has to be criticism from late last year,  especially the criticism of the handling of some cases investigated by the DPC . Much of this criticism, perhaps unexpectedly, came from other EU  Data Protection authorities, and more from journalists, commentators, interested actors ( some perhaps with questionable motives) and data protection practitioners. In the foreground will be the DPC’s recently announced 2022-2027  regulatory strategy, which is timely in light of all the criticism  levelled at the DPC of late. An annual report  from the DPC is also  informative and its timing is helpful to the public and for the morale of staff at the DPC. It is available here for your convenience.

In some opening remarks to the new regulatory strategy the DPC acknowledges that  some “challenges, against a backdrop of hugely increased public consciousness of data protection, have given rise to ambiguities of interpretation and application of the law that the DPC – along with its peer data protection authorities – must work to clarify”. The regulatory strategy is also “being implemented in the very early years of radically reformed data protection legislation – in the form of the GDPR and ancillary Law Enforcement Directive – along with all the attendant interpretative challenges that such immense regulatory change usually produces”.

 

The DPC “recognises that it cannot achieve its ambitions alone – new partnerships and new ways of engaging will be necessary as we look towards a future of closer convergence. Nonetheless, the DPC builds from a position of confidence: we are a Regulatory office with ambition, a clear sense of purpose, a history of achievement, and a future of considerable promise”. This last sentence will be questioned by many and it will  irritate even more. It can hardly be stated with any conviction  that the DPC builds from a position of confidence and a history of achievement.  If anything, maybe it has underachieved, but that is for another time and forum.

Another sentence,  “The DPC is of the belief that compliance in general will be greatly improved when stakeholders are clear in their understanding of how the law is enforced”, holds the essence of much of the criticism levelled at the DPC. Stakeholders are not clear in their understanding of how the law is enforced and  many of these stakeholders are other EU Data Protection authorities who have their own  expertise in knowing and applying the GDPR, in particular. A stated goal in the new strategy is to bring clarity to stakeholders. This is  easily stated as a goal to aim for, but again, sure to irritate many . Data protection law experts GDPRXPERT .ie  take the view that  the direct and primary  strategy to achieve this goal will not be stated as easily. Two aspects will be key: having a clear goal, and knowing the most effective route to get to that goal. Compromises will  be needed along the way as there are so many stakeholders involved.  Ultimately, although the most effective route may well be signposted, there will be necessary diversions along the way in the interest of overall stakeholder consensus. Pragmatism has to guide any strategy where there are legitimate and valid  competing interpretations of any regulation. In this context, the co-operation and consistency mechanism under GDPR is a clear example of necessary deviation from a legitimate route to a destination.

GDPRXPERT previously looked at issues in relation to the workings of the  office of the DPC ( see https://www.gdprxpert.ie/the-dpc-is-not-infallible/). We can say that some  of the more recent  criticism levelled at the office of the DPC  is unjustified, some is justified, and more is premature. There is premature criticism because  the CJEU still is going to have to interpret some aspects of the GDPR  so that at least there is more clarity ,if not 100% certainty,  in relation to some contentious aspects of the GDPR. It is not surprising that some of the criticism of the DPC  consistently emanates from the same sources, and one has to consider the possibility that some of these sources have their own particular agendas. Some of these  agendas  have very little to do with bolstering the  data protection environment  for any data subject. These agendas are more  to do with  using supposed concerns about  data protection as a  shallow conduit to increase their own profiles.  Repetitive sources that spring to mind include Max Schrems and his NOYB organisation, The Irish Council for Civil Liberties , and  some Euro MEPs who are sceptical about everything, including  their own fellow sceptics.

Recent Criticism.

From the inception of the GDPR  it became clear that the role of the Irish DPC would be central in the overall enforcement of the Regulation. There was no way it could be other than central, having so many global tech companies head quartered here. Indeed, there is much anecdotal evidence of regulators in other jurisdictions not exactly wishing the office of the DPC the best in their GDPR enforcement endeavours. Unquestionably, some regulators in more populous  countries  felt slighted by the stronger role the DPC here was destined to play. This was shared by many MEPs with nationalistic fervour, as opposed to  European commitment . There was a similar sentiment expressed for years in relation to Ireland’s corporation tax regime.

It may be that criticisms that gained media attention at the end of 2021 had their origins in similar nationalistic contexts. For example, several members of the European Parliament (MEPs) recently wrote to the EU authorities and Minister for Justice Helen McEntee accusing the Irish DPC of lobbying for lower standards for big tech. This was vehemently denied by the DPC. It seems to expert data protection consultants, GDPRXPERT, that these criticisms were outlandish. At the core is an allegation that the DPC was acting in bad faith and devoid of objectivity. This was particularly the case in relation to the criticism directed at the DPC concerning some of its interactions with Facebook.

DPC response

The DPC responded by stating, “ There has been considerable media coverage in recent days, alleging that the Data Protection Commission (DPC), acting in bad faith on foot of meetings it held with Facebook as part of its regulatory role, “lobbied” the European Data Protection Board (EDPB) with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b) GDPR (‘necessity for the performance of a contract’), in the best interests of the company. These allegations are utterly untrue. Issuesrelating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. That procedure is currently being conducted under  Article 60 of the GDPR. (Art. 60 GDPR sets out the scenarios for co-operation between the lead supervisory authority and other supervisory authorities concerned over the same issue.) More significantly and separately, Article 6(1)(b) is the subject of proceedings before the Court of Justice of the European Union.”

 

As referenced earlier, the objective in going to the CJEU is to get clarity on an issue where it may not be possible to get certainty. There is not always going to be ‘a one size fits all’ decision. From  a pragmatic perspective, often the best that can be expected is clarity, as opposed to certainty. Circumstances change from case to case and so much within the GDPR  has valid differing interpretations. Differing interpretations are consistent with a  regulation that has to be interpreted and applied in light of other competing rights. It has also  been alleged that the DPC approved/ negotiated/ jointly developed Facebook’s position in relation to the legal basis for its processing operations. “This is absolutely incorrect and without basis in fact. To be clear, the DPC does not and never has, endorsed, jointly developed, approved or in any other way assented or consented to a controller’s or processor’s policies or position in relation to compliance with its data protection obligations”( DPC statement, 7th December, 2021).

Form of the criticism

A central tenet of the criticism in relation to the DPC’s dealings with Facebook on the issue of contract as a lawful basis for processing is that the DPC sought to subvert the procedures of the EDPB with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b), favourable to the interests of a particular controller. As a long established data protection advisory service, GDPRXpert.ie  would reject that  immediately. What can be accepted is that issues relating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. The outcome of the procedures to which reference is made above will of course bind controllers and regulators alike, and may determine whether, when, and in what circumstances Article 6(1)(b) may be relied on by controllers as providing a legal basis for certain of their personal data processing operations.

Some critics of the DPC seem unaware themselves of the process that precedes the issuance of any  guidelines from  the European Data Protection Board on the interpretation of any concepts inherent in the GDPR. Amongst other things, according to the DPC, the criticism  also “reveals a lack of any kind of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement”. ( DPC statement, 7 December, 2021)

It is a common sense expectation that stakeholders’ compliance level will improve when they are clearer in their understanding of how the law is enforced. This is especially so when regulations such as the GDPR are based on some very broad principles, ( See Art.5 GDPR) rather than specifics, thus making regulations more open to  interpretation than, for example , road traffic legislation. No wonder then that the DPC is involved in so much discussion with other Supervisory Authorities in other EU countries, and other stakeholders, with the goal of increasing certainty and stability in how data protection law is to be applied. If  the DPC is doing this  in good faith, then can any criticism be justified? Increased certainty and stability is to the benefit of all stakeholders.

This has been a consistent prong of attack for critics of the DPC but what is often ignored or denied is the complex nature of many of the issues involved. As with all EU regulations the CJEU is the final arbiter in the case of dispute, and the journey to that final point is long and arduous. Along the way, many  opinion writers  are guilty  of unprofessionalism in  simply repeating the same sources and quoting incorrect statistics. One of the most vocal critics of the DPC before and since the GDPR has been Max Schrems. Schrems  No:1 and No: 2 dragged on for years, but through no fault of the DPC. A closer look at these cases may  enable a clearer understanding of the legal obstacles to be overcome in order to avoid the procedural pitfalls embodied in much of the GDPR.  They also should  demonstrate the complicated nature of the legal and regulatory remit of the office of the DPC.

Warranted criticism?

The painstaking nature of the legal processes that must be gone through to make prudent adjudications on data protection law issues leads to unfair criticism being directed at the DPC. Such criticism usually takes the form of hastily made statements to the press citing inaction by the DPC. These statements are often perceived as facts by some journalists who lack  an  understanding of both  the depth of data protection  issues involved and the consequences of a misapplication of the facts. Criticism is often then repeated without any objective analysis. Some  analysis that is carried out is done by those least qualified to do it.  Again, data protection law advisers GDPRXPERT.IE  would reject such criticism as ill-informed at best and strategically devised at worst.  If one takes the High Court judicial review taken by FBI, [2020 No. 617 JR.] [2020 No. 126 COM.] , the judgment runs to 200 pages and  is deserving of more than a cursory perusal by some commentators who later claimed to be expertly knowledgeable. What was clear from their comments was that,  in all likelihood , they  had hurriedly  skimmed through a few pages.

Schrems  seems to have  taken matters somewhat personally  and accused the DPC of failing to make a decision.  In fact, much of his criticism seems to take the form of personality based attacks rather than legal or principles based formats. He seems to never have forgotten that his original complaint  was dismissed on grounds of frivolity  by the DPC. This seemed a reasonable view at the time, and it was only in the aftermath of the full revelations by Edward Snowden that the scenarios took on a different texture.  However, what was lost on Schrems,  who is himself a lawyer, was that, as pointed out by Bermingham  J in O’N v McD  [2013] IEHC 135, “the words frivolous and vexatious are terms of the Article, they are legal terms and they are not used in a pejorative sense. They merely mean the plaintiff has no reasonable chance of succeeding, and that , because there is no reasonable chance of success, it is frivolous to bring the case”.

Defensive position

A position  taken by the DPC was that once an adequacy decision (here, the Safe Harbours Agreement) had been issued, the office had no part in investigating a complaint. This has always been the accepted view in relation to Commission decisions . For example, in Schrems No. 1  the CJEU stressed that while national authorities retained the ability to examine EU decisions, the CJEU alone retained the authority to declare an EU act (such as a Commission decision) invalid. It was clearly not within any legal remit of the DPC to act as a quasi court of last resort.  Safe Harbours itself stood as testament to the adequacy of the protection of transfers of personal data to the US.  Mr Justice Hogan in the High Court thought Schrems was objecting more ‘to the terms of the Safe Harbour regime itself’, than to the DPC’s application of it. (Schrems v DPC [2014] IEHC 310 (18 June 2014) Para.69).  Another position taken by the DPC was that the complaint ( the original) was essentially speculative and hypothetical in nature.  However, Mr. Justice Hogan took the view that there was no need to establish that the applicant had even grounds to suspect such a breach had occurred. It was enough to believe the mere absence of controls might lead to a breach of the applicant’s rights. If the matter was solely governed by Irish law significant issues would have arisen under the constitutional right to privacy.

Mr Justice Hogan referred the case to the CJEU partly on the basis that, ‘in reality, on that key issue Irish law has been pre-empted by general EU law in the area…’  Facebook appealed this  referral to the CJEU but the Supreme Court did not find reason to block  it. The Court held it could not entertain an appeal over the fact of a referral itself. There had to be inconsistencies with the   ‘facts’ found by the High Court . The Court held  (through Clarke J.)  it  could only overturn those if it could  be established they were not sustainable in accordance with the relevant Irish jurisprudence. Having reached the CJEU ,the decision known as Schrems I, was finally made in Oct. 2015.  In that ruling, the CJEU quashed the Commission’s Decision, meaning that the US Safe Harbours could no longer be relied on as providing a legal basis for transfers of personal data to the US. It was in fact to enable a decision to be made that the DPC referred the case to the High Court in the first place. The idea was to get a decision  for once and for all from the  CJEU. This course of action has been assessed as rational, prudent and proper by EU Justice Commissioner  Didier Reynders. Indeed, the action was widely praised although some ( including some MEPs) did not agree but Commissioner Reynders was categorical in stating,  “the DPC faces “complex” matters, including in an issue over the targeting of ads by social media companies.

Support for DPC

The Irish regulator has supported the idea of allowing social media companies to target users with adverts without their consent, on the basis of rules governing the performance of a contract. Many other European national data regulators oppose this stance and some have criticised the DPC’s position. However, Mr Reynders reminded the MEPs that the issue of advert targeting as it pertains to Facebook has already been referred to the EU’s court of justice in the context of contract law, essentially backing the Irish regulator’s decision to weigh the issue carefully. Remember this;  at the very start Hogan J in the High Court had stated that the DPC had “demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision”. Commissioner Reynders  also backed the DPC by dismissing criticism that it is running late in its handling of 98 per cent of cross-border privacy cases: “The figure about the proportion of cases dealt by the Irish DPC mentioned in your letter appears to be a misinterpretation of the statistic.”

Any criticism of the bona fides of the DPC regarding the original  Schrems case was, and is ,unjustified and cannot be legitimately upheld. Meanwhile, Facebook Inc. switched to “standard contractual clauses” to transfer EU data to the U.S., to which Schrems responded by updating his complaint with the DPC to include this new transfer mechanism which launched Schrems No:2. Although apparently not known by Mr Schrems at the time, FBI had identified three legal bases for ongoing transfers to the US. These were standard contractual clauses (SCCs), transfers with the consent of the data subject and transfers under the contractual necessity derogation in the then Directive.  In fact, it was the DPC that had  invited Schrems to reformulate his complaint in light of the judgment in Schrems 1 and in light of the fact that Safe Harbours had been found to be invalid. On Dec.1  2015 Schrems submitted a reformulated complaint using the validity of the standard contractual clauses as the prong of attack.

End in sight

In May 2016, the DPC issued a draft decision stating that the DPC had formed the view on a “preliminary basis” that Max Schrems’s contention that the SCCs could not be relied on was well founded. However, in the DPC’s view, questions as to the validity of the SCCs could only be determined by the CJEU, not by the DPC, or by national courts. The DPC therefore immediately commenced further proceedings in the Irish High Court seeking a reference to the CJEU. Following an unsuccessful appeal by Facebook Ireland Ltd. (FBI) against the High Court’s decision to refer a range of questions to the CJEU, these proceedings   ultimately led  to the CJEU’s Schrems II ruling in July 2020. It is worth noting that in the meantime the European Commission had adopted a Decision that the Privacy Shield, as a replacement for the Safe Harbor, now ensured an adequate level of protection for personal data transferred from the EU to the US. Furthermore the GDPR had replaced the former Data Protection Directive, coming into force in May 2018.

The Schrems II ruling established that, although the SCCs remained valid, a data exporter in the EU making use of them is nevertheless required to verify, on a case by case basis, and taking into account their terms, whether the law and practice in the destination country ensures essentially equivalent protection for any transferred data . At particular issue was the ability of public authorities in the destination country to conduct surveillance on the transferred data.  The CJEU had specially concluded that EU citizens had no effective way to challenge American government surveillance of their personal data after it had been sent to the U.S.  Such surveillance was legal under U.S. law. If the data exporter is not, as far as is necessary, able to put in place sufficient supplementary measures to guarantee essentially equivalent protection, the data exporter, or, failing that, the relevant data protection authority, is required to suspend or end the transfers. In the ruling, the CJEU also went on to quash the Commission’s Decision on the Privacy Shield.

Getting closer

In August 2020 , the month following the CJEU’s ruling in Schrems 11,  the DPC wrote to FBI enclosing the PDD that was subsequently the subject of the FBI’s judicial review application. This gave FBI 21 days to respond and stated that the DPC was now undertaking an “own-volition” inquiry into FBI’s data transfers after which it would return to Max Schrems’ original, reformulated complaint. At that stage the situation was that if the Preliminary Draft Decision of the DPC  was translated into a final decision , then Facebook would be required to suspend its data transfers to the US.  However Max Schrems appears to have taken exception to his apparent exclusion from proceedings and submitted his own application to the Irish High Court for judicial review of the DPC’s approach. Settlement was subsequently reached between the DPC and Max Schrems on this judicial review application in which the DPC agreed, upon the Court’s lifting of the stay of its investigation, to progress the handling of Max Schrems complaint and its “own-volition” inquiry as expeditiously as possible. FBI took exception to the issuing of the PDD on several grounds relating to unfairness including procedural unfairness and instigated judicial review proceedings against the DPC with a consequential stay on the DPC’s “own-volition” inquiry. The case was heard by the Irish High Court in December.

What we now know

We now know that on 14  May 2021  the Irish High Court handed down its judgment in the judicial review case brought by Facebook Ireland Ltd (FBI)against the DPC, finding substantially in favour of the DPC. Although not entirely uncritical of the DPC, the judgment accepts the validity of the approach adopted by the DPC in its investigation of FBI’s data transfers. The Court did agree with FBI that the issuing of the PDD and the surrounding procedures were open to judicial review and therefore went on to consider, in some depth, each of the grounds of challenge advanced by FBI. In the course of proceedings, FBI dropped two of these grounds. The remaining grounds were all rejected by the Court, the overall conclusion being that FBI had not established any basis for calling into question the validity of the DPC’s processes. It is reported that on 20 May and with consent of the parties, the Irish High Court formally lifted the stay on the DPC’s “own-volition” inquiry. FBI  still had the opportunity at that time  to respond to this PDD but, unless it could  satisfy the DPC as to the safeguards in place for its international transfers to the US, it seems likely that, following the application of the GDPR’s cooperation and consistency mechanism, FBI would  be ordered to suspend these transfers.

Judgment time

The High Court judgment when it came was lengthy and detailed, running to nearly 200 pages. For the most part, it addressed procedural points which, given that that the findings went against FBI, are unlikely to be particularly instructive for other businesses. The picture is also made more complex by the involvement of Max Schrems himself as a participant in the hearing and by his own application for judicial review against the DPC. This application was settled between the date of the High Court hearing and the date of the delivery of its judgment and is referred to in the judgment. There is thus little to be gained from an in depth analysis of all aspects of the judgment. It might nevertheless be of value to recap just where we are now, and how we have arrived there, in the long running saga of Max Schrems and his challenges to FBI’s international data transfers. Some high level insights can also be drawn about the conduct of major investigations by data protection authorities which might be instructive. Finally, there remains an open question as to where this now leaves other businesses that are continuing to transfer personal data to the US on the basis of the European Commission’s Standard Contractual Clauses (SCCs).

It was  clear from the judgment that the DPC’s preliminary view, as set out in its PDD, was that;

  • US law did not provide a level of protection that is essentially equivalent to that provided by EU law;
  • SCCs cannot compensate for the inadequate protection provided by US law;
  • FBI did not appear to have in place any supplemental measures which would compensate for the inadequate protection provided by US law.

More support for DPC

The High Court judgment was  undoubtedly welcome news for the embattled Irish Data Protection Commissioner, Helen Dixon. She had, and continues to, come under fire from many sides, including the European Parliament’s LIBE Committee, for what is perceived to be a reluctance to take sufficiently strong enforcement action against major tech companies that have their European headquarters in Ireland and for her office’s long processing times. The LIBE Committee even expressed disappointment with her decision to initiate the Schrems II case rather than triggering enforcement action against FBI. Furthermore, the Committee  has called on the European Commission to launch infringement proceedings against Ireland for a failure to enforce the GDPR effectively. Against this background, the judicial review case makes clear that DPC was right to have proceeded cautiously.

When faced with enforcement action that seeks to significantly restrict their business models or when faced with multi-million euro fines businesses will understandably look for legitimate avenues to challenge the actions of data protection authorities, whether through more conventional appeals against sanctions or by means of judicial review. Any data protection authority needs to have a defensible position that it can put before the courts when challenged. The DPC has survived an examination by the Irish High Court and there can be no denying that it was a comprehensive and searching examination.

Had the DPC been found to have jumped to conclusions without a thorough investigation, not to have been offering FBI a proper opportunity to state its case, otherwise followed procedures that were unfair to any of the parties involved or had not been sufficiently transparent about those procedures, it would almost certainly have come a cropper. Ensuring the necessary procedural fairness requires time and effort by a data protection authority whatever the political pressures on it might be. At the time there was a concerted and shallow choreography of criticism directed at the DPC.

The High Court did  recognise that there has to be some flexibility. A data protection authority can legitimately be expected to continue a well-established practice of following a particular procedure but, provided that it stays within the law, it does not have to do so rigidly. It can adapt its approach to the circumstances of particular cases. It is just that any procedural variation by the data protection authority has to be based on objective reasons and must not create unfairness or be unjust to the party under investigation. Nothing was written in stone. An earlier  annual report, detailing inquiry  procedures that Facebook sought to rely on, did state  ( at p.28) things were “subject to changes”. ( See DPC Annual Report 2018)

Rebuke for DPC

The DPC did not entirely escape criticism though. The High Court judge, whist finding in favour of the DPC in relation to an allegation of premature judgment, suggested that it might have been wiser for the Commissioner, Helen Dixon, to have been more circumspect in remarks she made in a conference address to the effect that the Schrems II ruling by the CJEU had given her no room for manoeuvre in relation to EU-US data transfers. Again, whilst finding in favour of the DPC in relation to an allegation of a failure to respect the duty of candour, the judge expressed some misgivings about the DPC’s failure to respond more fully to requests for information from FBI and suggested that it had acted in an overly defensive manner. The Judge was actually at his most critical in relation to an allegation by the DPC that FBI’s issuing of its proceedings amounted to an abuse of process and had been done for an improper purpose, that of buying time. Here the Judge said that this was a serious allegation, that there was no basis for it and that it ought never to have been made.

 

Data protection commissioners have a difficult path to steer. On the one hand they operate in an increasingly political environment and are expected to be champions of privacy and of data subject rights. On the other hand, when considering sanctions, they carry out quasi-judicial functions and have to act, and be seen to act fairly and without bias. The High Court judgment confirms that Helen Dixon has managed to keep to the straight and narrow so far in the case in question but the same might not have been true had she conceded more ground to her critics. What is clear though is the extent to which commissioners, when acting in their quasi-judicial capacity, can now be held accountable to the courts, and the extent to which affected businesses may be willing to exercise their rights to give effect to this accountability. As the UK Commissioner, Elizabeth Denham was also reminded of when seeking to defend the ICO’s imposition of a fine on Facebook in the wake of the Cambridge Analytica scandal, commissioners need to be very careful not to risk giving any appearance of rushing to premature judgment, to stick to their published procedures unless there are objective and fair reasons for departing from these and not to otherwise risk bringing unfairness or injustice into their deliberations whatever the wider pressures on them might be.

Back to the SCCs

It was the question of supplemental measures that  attracted most interest from other businesses. Here it needs to be borne in mind that Facebook Inc in the US qualifies as an electronic communications service provider and can therefore be ordered to make transferred data about specified non-US persons in its stored communications directly available to US public authorities. It is not just liable to have its communications to and from the EU intercepted in transit by such authorities. Although, in an effort to be helpful, the EDPB had produced recommendations on supplemental measures that could be adopted to enhance the SCCs, there remained  a question in relation to EU-US transfers as to how to sufficiently compensate for the inadequate protection provided by US law in practice.

We now know that the DPC went on to prepare a full draft decision and submitted it via the co-operation and consistency mechanism. The DPC had simultaneously  been working on an inquiry into Facebook  Ireland( now Meta Platforms) concerning a series of data breaches between 7 June 2018 and 4 December 2018.  The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Final destination in sight?

Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.  Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU. On 15 March 2022 the DPC imposed a fine of €17 million on FBI( Meta Platforms). To any fair minded neutral observer, any criticism of the DPC on the basis of inactivity is certainly  unsustainable.

Remember, in the content of the FBI/Schrems saga the DPC had to prepare its draft decision and submit this to the cooperation and consistency mechanism, which ultimately  involved the need for an EDPB opinion. This process seldom results in a quick outcome, despite the time limits in the GDPR.Because of a sort of  stalemate on the issue going back to February this year, there were movements by some national supervisory authorities to take a  stand on the case. Some  adopted  a literal interpretation of the ruling.

The French privacy regulator CNIL ruled that an unnamed website could not use Google Analytics because doing so involves the transfer of personal information from Europe to the U.S. in violation of the 2020 Schrems II decision. The French decision came  hot on the heels of a decision by Austria’s data protection authority to also ban a website from using the popular Google web analytics tool for the same reason, and presages a raft of decisions by other European data protection authorities on the use of these tools. The Dutch privacy agency warned last December  that using Google Analytics may soon be illegal. Elsewhere, the Norwegian data watchdog has advised companies to start looking for alternatives to Google’s tools.

Almost there!

Data protection authorities, including the CNIL, are also expected to rule soon on the use of Facebook’s analytics tool, known as Facebook Connect. These decisions mark a significant clamp-down on data transfers, which form the lifeblood of the digital economy and represent billions of euros’ worth of transatlantic trade.   GDPR and data protection advisory services, such as GDPRXPERT.ie, have had  large volume of enquiries from businesses regarding the future of transfers to the US. Much from the preceding paragraphs has been reported through https://www.politico.eu/article/us-eu-data-transfers-on-life-support-after-french-google-decision/

Once the landmark decision began to bite, regulators across the bloc were left with few  alternatives or choices in adhering to the new rules. That began to prompt companies like Google, Microsoft and TikTok to consider the once unthinkable: storing ever more data in Europe. The potential negative effects of such moves may also have spurred the DPC to continue efforts to resolve the issue.  After the 2021 High Court ruling against Facebook the DPC was able to continue efforts to bring a conclusion to the protracted affair. This meant publishing a full draft decision and taking it all through the cooperation and consistency mechanism under Art. 60 GDPR in order to set out a final decision. This is exactly what the DPC did. Throughout all of this, proper procedures were followed.

Finally, the stage was reached where it was imperative the Commission  reached a decision on transfers. Some measure of substantive adjustment to existing Standard Contractual Clauses, or an entirely new mechanism, was needed to ensure uninterrupted data flows to the US.  On 22nd March 2022 the European Commission and the Biden administration reached an agreement in principle, the Trans-Atlantic Data Privacy Framework Agreement. While the agreement is still “in principle” and specific details have yet to be determined, if approved, this agreement will reimplement an important legal mechanism necessary to facilitate data transfers between the European Union and the United States. Some have urged caution, “From a purely technical perspective, there’s no path forward for data transfers. That’s why we need [a] durable EU-U.S. data pact that can stand the test in court,” said Rob van Eijk, Europe managing director for the Future of Privacy Forum think tank.

More still to come

Very soon we will return to the issue to report on the evolving  position on transfers to the US.

We also note the DPC has attempted to clear the air on the criticisms directed at it and has issued a report on cross border complaints where it sets out the actual statistics, instead of some alternative ones, that to an objective observer were  clearly  distorted, biased and misleading. See https://www.dataprotection.ie/en/news-media/press-releases/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss   The actual report is here.

 

Here at GDPRXPERT.ie we are GDPR and data protection law experts  offering businesses our  vast expertise in addressing compliance issues.

GDPRXPERT.ie are located in Carlow/Kilkenny and Mayo, offering a  nationwide service.

Call 0858754526 or 0599134259 to discuss your particular need.

Patrick Rowland, GDPRXPERT.ie

GDPRXpert.ie- Thoughts on GDPR a Year On.

The GDPR is now over 14 months in operation. This blog post offers some thoughts on GDPR a year on. It is still a little early to have any kind of truly substantive analysis of the effectiveness of the Regulation to date. A difficulty that immediately surfaces is how to quantify its effectiveness. What is an appropriate measure or barometer of its effectiveness? Fines speak to enforcement, but without the specific details, little can be extrapolated, even in a general context.  If the level of fines is taken as a metric, does it mean that as fines rise the regulation is simply being enforced more? Do the increasing fines mean that the overall level of compliance is dropping?  It could be that fines are increasing because more organisations are, and in some cases choosing to be, non- compliant.

In any sphere of regulation there will always be a non- compliant percentage. Therefore, it does not follow that there is a direct relationship between fines and non- compliance. In other words, it does not mean that as fines go up, the level of non- compliance is also going up.  Fines are always going to be imposed as a deterrent, even in situations of high percentages of compliance. Some organisations that are being fined may be repeatedly and stubbornly non- compliant.  Any increase in reported data breaches that leads to the opening of an investigation may conclude with the imposition of fines.

Are regulators to go on ‘fishing expeditions’ to fine some high profile organisations? There has always been talk of the DPC and other regulators planning to go for some ‘low hanging fruit’ in the early days of the GDPR. Most experts put financial services in this category. No evidence of this has been found so far. In the case of undertakings, fines can reach 2% or 4% of global turnover, depending on the infringement.  So far, companies have been spared the harshest penalties that can be meted out. This is likely to change, according to the regulators across the EU.

In the lead up to the Regulation’s introduction, the general strategy of Supervisory Authorities (SAs) was to educate the public and organisations. It was the consensus amongst SAs that education was the best mechanism for regulation preparedness. Ignorance of the law (regulation) is never an excuse and so an EU wide focus was on promoting education on the regulation.  ‘GDPR Awareness-building’ was the process chosen to direct the education mechanism. The ultimate goal was to foster and nurture compliance with the new regulation, and develop a culture of compliance over time.  The general public was to be made aware of rights, and organisations were to be made aware of obligations and responsibilities.  A thorough understanding of the core principles of transparency and accountability was highlighted as a mandatory requirement for competent data controllers and processors.

What has been happening since the introduction of GDPR?

In a previous blog, we examined some stats. from the DPC’s first annual report, post-GDPR. Most noteworthy was the number of data breaches adding to a total of 3,452. Perhaps this should not be surprising. What was surprising was that out of this total number of breaches, the largest category was ‘Unauthorised Disclosures’, but the fines did not seem to follow.

The French regulator, Mathias Moulin, emphasised that the first year of GDPR should be considered a ‘transition year’. Transition year or not, early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data. Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. In June 2018, companies self-reported 1,700 data breaches, and Eckersley estimated that the total will be around 36,000 breaches reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches”. See,https://slate.com/technology/2019/03/gdpr-one-year-anniversary-breach-notification-fines.html

Some Stats

Other reports give more information on GDPR to date . There were 89,000 data breaches recorded of which 37% are still pending investigation or penalties. 65,000 data breaches were reported to the European Data Protection Board. In the first 8 months of the GDPR nearly 60,000 breaches were reported across Europe. (Law firm DLA Piper).  Google was hit with a €50million fine for not making it clear to users how it was harvesting data from its own search engine, YouTube and Google Maps. This penalty was the largest and was issued by the French Data Protection Authority (CNIL) in January against Google. It was related to a lack of transparency, inadequate information and a lack of valid consent regarding the personalization of the ads.

French authorities had received complaints abourt  Google’s handling of personal data. CNIL, the relevant authority, found that the structure of Google’s privacy policy and terms and conditions were too complicated for users, and the use of pre-ticked boxes as a consent mechanism did not establish a legal basis for data processing to deliver targeting advertising. It is helpful for a better understanding of the fines regime to look at the broader context of the  Google fine more closely.

 

Some Fines

The French regulator cited Google’s failure to centralize essential information on one page, and its process requiring users to go through “up to five or six actions.”Google’s penalty accounts for nearly 90% of the total value of fines levied to date. But it had the potential to be much larger. In 2018 Google reported nearly $136.2 billion in revenues. Therefore, the 50 million euro fine represented approximately .04% of revenue, far from the 4% potential penalty. (Above 2 paras. from https://blogs.thomsonreuters.com/answerson/gdpr-one-year-us/) Compared to the Google fine, other fines levied by European national data protection authorities (DPAs) have been considerably smaller. For example, in March 2019 the Polish DPA announced that it had fined a company approximately 219,000 euros for failure to inform six million individuals that their personal data were being processed. Also, in March 2019, the Danish DPA fined a company approximately 161,000 euros for holding on to personal data longer than allowed under GDPR. (from the  same source directly above)

Outside of the Google fine, the penalties thus far have been so small that many are anxiously awaiting the next whopper of a fine. Irish and UK authorities have hinted that a large fine is coming. (Todd Ehret, Thomas Reuter’s, May 22, 2019). GDPRXpert has previously reported on Facebook’s difficulties with the office of the DPC here in Ireland, and ongoing investigations seem likely to conclude with large fines being meted out. See also GDPRXpert’s blog post, https://www.gdprxpert.ie/more-problems-for-facebook/

European Data Protection Board Survey

It is somewhat surprising that, despite the awareness building campaign by all SAs, a European Data Protection Board survey found in May 2019 that;

  • only 67% of people across Europe had heard of GDPR;
  • 36% claimed to be ‘well aware’ of what GDPR entails;
  • 57% of EU citizens polled indicated they are aware of the existence of a public authority in their country responsible for their data protection rights

(https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en

This result represents an increase of about 20% from a 2015 Eurobarometer. It is a disappointment that it is not higher, considering the cost, the scale and the scope of the campaigns in all Member States to educate citizens, prior to GDPR. Many people question whether the message of GDPR was communicated in a properly measured manner, before the introduction of the legislation.

 ‘Privacy Sweep’.

Some stats from the 6th annual  Privacy Sweep conducted by the Global Privacy Enforcement Network (GPEN)  reaffirm the veracity of the results above. Data protection consultants, GDPRXpert.ie have included elements of this in a published blog post.  Data protection authorities from around the world participated, and in the last sweep GPEN aimed to assess how well organisations have implemented accountability into their own internal privacy programmes and policies. One goal was to establish a sort of baseline of an organisation’s compliance with data protection. This was the brief for the DPC, as their input was targeted at randomly selected organisations in Ireland. 30 organisations across a range of sectors completed a suite of pre-set questions relating to privacy accountability. Because the sweep was done in the last quarter of 2018 only preliminary or provisional results are available to date of report (DPC Report, 2018).

 

 

Some Stats from ‘Privacy Sweep

Preliminary results include the following:

  • 75% appear to have adequate data breach policies in place;
  • All organisations seem to have some kind of data protection training for staff;
  • However, only 38% could provide evidence of training for all staff including new entrants and refresher training;
  • In most cases, organisations appear to undertake data protection monitoring/self -assessment but not to a sufficiently high level. In this category, 3 out of 29 scored ‘poor’, while 13 could only reach a ‘satisfactory’ level;
  • 1/3 of organisations were unable to show any documented processes in place to assess risks associated with new technology and products;
  • 30% of organisations failed to show they had an adequate inventory of personal data, while close to 50% failed to keep a record of data flows.

 

Is There Still a Wait and See Approach?

Businesses and organisations have reacted to the GDPR in their own way, depending on what they view as their individual exposure. There is no doubting the cost-benefit analyses done by some companies to quantify the potential fines v. the cost of compliance measures. This is especially so for companies that have no presence in the EU but fall under the GDPR by virtue of Art. 3. Most companies are taking a proactive approach to dealing with the new realities of personal data protection. Possibly, because many of the fines to date have been nominal compared to what they could have been, there are some companies that are waiting to see what the supervisory authorities in each EU member country are going to do. The prevailing wisdom is that fines will be going up as regulatory actions play out. https://www.scmagazine.com/home/security-news/evaluating-the-gdpr-experiment

At the moment businesses and organisations are looking at the possibility of larger fines being imposed. Many are waiting to see if there are any trends emerging or are particular types of businesses being targeted.  So far, it seems only the very big companies have been targeted by the office of the DPC here in Ireland. Anecdotal evidence suggests smaller businesses do not see themselves as being on the DPC radar. The perception is that the DPC has too much on their plate and ‘bigger fish to fry’. Smaller businesses may very well fly under the radar for a short while longer.  However, one can assume, partly because of the prolonged bedding in period for the regulation, by the time the DPC gets around to some smaller fish, a high level of compliance will be expected. At that stage, no excuses are going to be accepted in any defence of non- compliance.

What is Likely to Happen in the Next Phase?

In the DPC Annual Report 2018,  there were  2,864 complaints, of these the largest single category was in the category ‘Access Rights’ with 977 complaints, or a little over 34%of the total. Here is a warning flag for businesses. All of these complaints have the potential to trigger an associated investigation by the DPC into an organisation’s compliance with the GDPR.  At least initially, it is believed supervisory authorities will take a more cautious approach to levying the harshest penalties, says Peter Milla, the data protection officer at Cint, a provider of consumer data sets to market researchers around the world, with global corporate headquarters in London.

“What’s going to happen is the regulators are going to come in to see if you have a compliance program but they’re going to be very lenient,” he says. “They’re obviously not going to put small companies out of business because there’s a political component here but they will fine. They’re going to be commercially reasonable. The Germans are probably going to be the harshest, Milla says.

One thing that has been forecasted is that there will be greater enforcement. Regulators across the EU have significantly increased staffing levels and it is logical to expect greater enforcement as a result.   Another expected development is that increasingly educated and ‘GDPR conscious’ consumers will drive data protection and privacy by design. The same consumers will be attracted to businesses and organisations that are seen to respect their data protection and privacy rights. A lack of either a Privacy Notice or a Privacy Statement is a clear indicator of an organisation’s clear disregard for the core principle of transparency. What is such an organisation doing with your personal data? That is anyone’s guess.

Patrick Rowland, GDPRXpert.ie

GDPRXpert.ie,  with bases in Carlow/ Kilkenny and Mayo, offer a nationwide GDPR and data protection consultancy service.

Visit www.gdprxpert.ie to learn more

 

Transfers of Personal Data outside the EU/EEA

In the most recent blog post we attempted to capture the context of some of the channels of transfers of data outside the EU/EEA. The Schrems case provided some of this, by its scrutiny of the Standard Contractual Clause mechanism. Since the introduction of the GDPR the channels of transfer of personal data to a third country or international organisation have undergone changes.

Transfers of personal data to third countries or international organisations.   

Following the inception of the GDPR the law on transfers of personal data to third countries or international organisations (‘transfers’) is more settled. A caveat is that the exact interpretation of express terms in the GDPR that relate to transfers may come before the Court of Justice for ultimate clarification.

Art. 44 GDPR provides that transfers may only take place if subject to the other provisions in the regulation, and the conditions laid down in Chapter V are complied with by the controller and processor. A plethora of conditions is laid out in Chapter V. These conditions can be grouped as transfers subject to:

Adequacy Decisions;

Appropriate safeguards; or

Specific derogations.

 

Adequacy Decisions

Art.45 allows transfers where the European Commission has decided that the third country or international organisation ensures an adequate level of protection. Under this scenario, no specific authorisation is required. In practice, this confers a broad discretion on the European Commission in assessing adequacy. This has the potential to be viewed subjectively and politically influenced. It was the discretion in declaring an adequate level of protection existed that led to Schrems ( Case C-362/14, 6 Oct. 2015) ending up before the CJEU. As a means to counter balance the discretion of the Commission, Art.45(2) sets out three elements that the Commission must ‘in particular’ take into account when assessing the adequacy of the data protection in the third country. A list of countries with an adequacy decision is found here.

 

Elements to be taken into account to assess Adequacy

  • ‘the rule of law, respect for human rights and fundamental freedoms…’ Legislation, both general and sectoral, is examined. Are there adequate protections available when assessed   in the light of legislation concerning public security, defence, national security and criminal law? How about access of public authorities to personal data and the implementation of legislation above? What about data protection rules, professional rules, security measures and rules for onward transfer of personal data to another third country? Can data subjects gain effective administrative and judicial redress where they have complaints about how their data are being transferred?
  • ‘the existence and effective functioning of one or more independent supervisory authorities in the third country…’ The Commission should expect to see a supervisory authority with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers. It is not enough to have responsibility for enforcement, but it must have the powers to deliver on enforcement. Toothless tigers are not wanted.
  • ‘the international commitments the third country or international organisation has entered into..’ Something like this can act as an accurate gauge as to the value placed on international norms and rules. Part of this element of assessment can include scrutiny of international obligations the third country may have, as a result of some legally binding convention or instrument. Does the third country or international organisation participate in multilateral or regional systems, especially in the data protection sphere?

 The Goal

In essence, the goal is to have similar, if not identical, means of protection of personal data operating in the third country as is available to data subjects in the EU/EEA. As noted in the Schrems case, there must be an appropriate balance struck between the powers assigned to authorities in a third country and the protections provided for the persons whose personal data is being transferred. If the Commission is satisfied with the integrity and substance of data protection in the third country, it may then issue an Adequacy Decision. Any Adequacy Decision must be monitored and reviewed over time (Art.45 (4)) and can also be repealed, amended or suspended (Art. 45(5)).

 

Transfers Subject to Appropriate Safeguards

In the absence of an Adequacy Decision a controller or processor may transfer personal data to a third country or international organisation only where;

  • the controller or processor has provided appropriate safeguards; and
  • on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

These appropriate safeguards can be provided in a number of ways and some need no specific authorisation from the Supervisory Authority (SA). Art. 46 (2) sets down the list of those not needing SA authorisation:

  • a legally binding and enforceable agreement between public authorities or bodies;
  • binding corporate rules in accordance with Art.47 ( more below);
  • standard data clauses adopted by the Commission ( in accordance with an examination procedure laid out in Art. 92(3));
  • standard data protection clauses adopted by the SA and approved by the Commission;
  • an approved code of conduct pursuant to Art. 40 together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards;
  • an approved certification mechanism pursuant to Art.42  together with the same binding and enforceable commitments as above.

Of those listed above the most common mechanisms are Binding Corporate Rules (BCRs) and Standard Data Clauses. BCRs are “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (Art.4 (19)).

Recital 101 advises that a group of undertakings engaged in joint economic activity should be able to make use of BCRs for international transfers from the Union to organisations within the same group, provided the BCRs contain all essential principles and enforceable rights to ensure appropriate safeguards for the transfers of personal data. Competent SAs may adopt  BCRs, but the Commission itself may specify the exact  format and procedures for the exchange of information between the controllers, processors and SAs for those BCRs. Otherwise it is a matter for the SA to approve the BCRs.

Art.47 (2) sets some pre-conditions on any approval of the BCRs. First, they must be legally binding, and apply to and be enforced by every member of the group of undertakings engaged in the joint economic activity. Second, they must expressly confer enforceable rights on data subjects with regard to the processing of their personal data. Third, they must fulfil the requirements set out in GDPR Art. 47(2).

 

The Content of the Binding Corporate Rules

This same Art.47(2) lays down a comprehensive list of specific requirements for the content of the BCRs. It is not within the scope of this blog to enumerate all these requirements but they should be examined carefully in the text of Art.47(2).  There is no hierarchy of requirements but some on their face seem more important than others. A detailed analysis of the requirements for Binding Corporate Rules is laid out in this Ar. 29 Working Party document . It is a very comprehensive examination of the requirements and an excellent reference to satisfy any query.

Some of the Requirements

To be valid and acceptable the BCR must contain the structure and contact details of the group of undertakings/enterprises engaged in the joint economic activity and its members. All data transfers or sets of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects and the identification of any third countries, must be clearly enumerated as part of the contents of the BCR.  Data protection principles are applicable and the rights of data subjects are to be expressly recognised including a right to obtain redress and, where appropriate, compensation for a breach of the BCR. Controllers or processors must accept liability for any beaches of the BCR by any member not established in the Union. Other requirements are laid out in Art. 47(2).

Standard Data Protection Clauses

For many organisations these clauses are the most usual mechanism to transfer personal data to a third country or international organisation. These are more common than adequacy decisions but they represent a minimum standard for data protection and for this reason it is envisaged (See Recital 109) that controllers and processors will add additional safeguards. The clauses must contain the contractual obligations of the ‘Data Importer’ and the ‘Data Exporter’ and confirm the data protection rights of the individuals whose data are being transferred.  Individuals can directly enforce those rights against either of the parties.

Standard clauses have been issued under the old Directive and these remain valid. However, the European Commission has advised the European Data Protection Board (EDPB) that it is planning to update the Clauses for the new GDPR. The Commission has made available the sets of Standard Contractual Clauses issued up to now.

Safeguard Mechanisms Requiring Specific Authorisation.

 Other mechanisms allow for the transfer of personal data to a third country or international organisation but these need prior specific authorisation from the SA. Safeguards in these cases may be provided by a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country and b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. The consistency mechanism referred to in Art.63 is to apply to such authorisations. For example, where the SA aims to authorise contractual clauses it shall communicate that draft decision to the Board (i.e., the EDPB).

Specific Derogations

Where there is neither an adequacy decision available under Art.45, nor appropriate safeguards pursuant to Art. 46, a transfer of personal data can still take place if one of the conditions set out in Art. 49 is fulfilled. These conditions include:  explicit consent of the data subject to the data transfer, having been informed of the possible risks; the transfer is necessary for performance of a contract between the data subject and the controller or the implementation of pre contractual measures taken at the data subject’s request ; transfer is necessary for the performance of a contract concluded in the interest of the data subject  between the controller and another natural or legal person ( the foregoing do not apply to activities carried out by public authorities in the exercise of their public powers) ;

Specific Derogations contd.

… the transfer is necessary for important reasons of public interest ;the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; the transfer is necessary for the establishment, exercise or defence of legal claims; the transfer is made from a register which in accordance with Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest. Apart only from explicit consent, in all other cases the transfer is dependent on the transfer being deemed ‘necessary’. In practice the conditions are strictly applied and strictly interpreted with the result that it is preferable to use some other mechanisms to transfer data to third countries or international organisations. There is one final option if all other mechanisms or conditions are not present or available.

‘Last Resort’ Transfers of Personal Data

Where a transfer cannot be based on an adequacy decision or  appropriate safeguards, including binding corporate rules,  and none  of the derogations for specific situations apply, a transfer of personal data may still take place only if:

  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, provided they are not overridden by the interests or rights and freedoms of the data subject; and
  • the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment put in place suitable safeguards for the protection of personal data. In addition, the controller must inform the SA and the data subject of the transfer. Any compelling legitimate interest pursued must be communicated to the data subject, together with  all the information requirements of Arts. 13 and 14.

The Recitals regard the last basis as one to be relied on, ‘in residual cases where none of the other grounds for transfer are applicable…’( Recital 113).

In most cases personal data transfers to third countries or international organisations are routine and uncomplicated. A complicated part is   knowing whether those transfers are legally sound or not. The prudent route is to follow the text of Arts. 45-49 and be aware of changes, such as CJEU decisions. Should the UK leave the EU without an agreed deal then the UK will become a ‘third country’ for the purposes of the GDPR and data transfers. If there is a ‘no deal Brexit’, data transfers to the UK will have to follow one  of the routes described in this blog.

Patrick Rowland, GDPRXpert.ie

 

Latest News