GDPRXpert.ie: Thoughts on GDPR a Year On

The GDPR is now over 14 months in operation. This blog post offers some thoughts on GDPR a year on. It is still a little early to have any kind of truly substantive analysis of the effectiveness of the Regulation to date. A difficulty that immediately surfaces is how to quantify its effectiveness. What is an appropriate measure or barometer of its effectiveness? Fines speak to enforcement, but without the specific details, little can be extrapolated, even in a general context. If the level of fines is taken as a metric, does it mean that as fines rise the regulation is simply being enforced more? Do the increasing fines mean that the overall level of compliance is dropping? It could be that fines are increasing because more organisations are, and in some cases are choosing to be, non-compliant.

In any sphere of regulation there will always be a non-compliant percentage. Therefore, it does not follow that there is a direct relationship between fines and non-compliance. In other words, it does not mean that as fines go up, the level of non-compliance is also going up. Fines are always going to be imposed as a deterrent, even in situations of high percentages of compliance. Some organisations that are being fined may be repeatedly and stubbornly non-compliant. Any increase in reported data breaches that leads to the opening of an investigation may conclude with the imposition of fines.

Are regulators going to go on ‘fishing expeditions’ to fine some high profile organisations? There has always been talk of the DPC and other regulators planning to go for some ‘low hanging fruit’ in the early days of the GDPR. Most experts put financial services in this category. No evidence of this has been found so far. In the case of undertakings, fines can reach 2% or 4% of global turnover, depending on the infringement. So far, companies have been spared the harshest penalties that can be meted out. This is likely to change, according to regulators across the EU.

In the lead up to the Regulation’s introduction, the general strategy of Supervisory Authorities (SAs) was to educate the public and organisations. It was the consensus amongst SAs that education was the best mechanism for regulation preparedness. Ignorance of the law (regulation) is never an excuse, and so the EU-wide focus was on promoting education on the regulation. ‘GDPR Awareness-building’ was the process chosen to direct the education mechanism. The ultimate goal was to foster and nurture compliance with the new regulation, and to develop a culture of compliance over time. The general public was to be made aware of rights, and organisations were to be made aware of obligations and responsibilities. A thorough understanding of the core principles of transparency and accountability was highlighted as a mandatory requirement for competent data controllers and processors.

What has been happening since the introduction of GDPR?

In a previous blog, we examined some stats from the DPC’s first annual report post-GDPR. Most noteworthy was the number of data breaches, which totalled 3,452. Perhaps this should not be surprising. What was surprising was that, out of this total number of breaches, the largest category was ‘Unauthorised Disclosures’, but the fines did not seem to follow.

The French regulator, Mathias Moulin, emphasised that the first year of GDPR should be considered a ‘transition year’. Transition year or not, early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data. Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. In June 2018, companies self-reported 1,700 data breaches, and Eckersley estimated that the total will be around 36,000 breaches reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches. See https://slate.com/technology/2019/03/gdpr-one-year-anniversary-breach-notification-fines.html

Some Stats

Other reports give more information on GDPR to date. There were 89,000 data breaches recorded, of which 37% are still pending investigation or penalties. 65,000 data breaches were reported to the European Data Protection Board. In the first 8 months of the GDPR nearly 60,000 breaches were reported across Europe (law firm DLA Piper). Google was hit with a €50 million fine for not making it clear to users how it was harvesting data from its own search engine, YouTube and Google Maps. This penalty, the largest to date, was issued by the French Data Protection Authority (CNIL) in January against Google. It related to a lack of transparency, inadequate information and a lack of valid consent regarding the personalisation of ads.

French authorities had received complaints about Google’s handling of personal data. CNIL, the relevant authority, found that the structure of Google’s privacy policy and terms and conditions was too complicated for users, and that the use of pre-ticked boxes as a consent mechanism did not establish a legal basis for data processing to deliver targeted advertising. For a better understanding of the fines regime, it is helpful to look at the broader context of the Google fine more closely.


Some Fines

The French regulator cited Google’s failure to centralise essential information on one page, and its process requiring users to go through “up to five or six actions.” Google’s penalty accounts for nearly 90% of the total value of fines levied to date. But it had the potential to be much larger. In 2018 Google reported nearly $136.2 billion in revenues. Therefore, the 50 million euro fine represented approximately 0.04% of revenue, far from the 4% potential penalty. (Above 2 paras. from https://blogs.thomsonreuters.com/answerson/gdpr-one-year-us/) Compared to the Google fine, other fines levied by European national data protection authorities (DPAs) have been considerably smaller. For example, in March 2019 the Polish DPA announced that it had fined a company approximately 219,000 euros for failure to inform six million individuals that their personal data were being processed. Also in March 2019, the Danish DPA fined a company approximately 161,000 euros for holding on to personal data longer than allowed under GDPR. (From the same source directly above.)

Outside of the Google fine, the penalties thus far have been so small that many are anxiously awaiting the next whopper of a fine. Irish and UK authorities have hinted that a large fine is coming (Todd Ehret, Thomson Reuters, May 22, 2019). GDPRXpert has previously reported on Facebook’s difficulties with the office of the DPC here in Ireland, and ongoing investigations seem likely to conclude with large fines being meted out. See also GDPRXpert’s blog post, https://www.gdprxpert.ie/more-problems-for-facebook/

European Data Protection Board Survey

It is somewhat surprising that, despite the awareness building campaign by all SAs, a European Data Protection Board survey found in May 2019 that:

  • only 67% of people across Europe had heard of GDPR;
  • 36% claimed to be ‘well aware’ of what GDPR entails;
  • 57% of EU citizens polled indicated they are aware of the existence of a public authority in their country responsible for their data protection rights.

(https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en)

This result represents an increase of about 20% from a 2015 Eurobarometer. It is a disappointment that it is not higher, considering the cost, the scale and the scope of the campaigns in all Member States to educate citizens prior to GDPR. Many people question whether the message of GDPR was communicated in a properly measured manner before the introduction of the legislation.

‘Privacy Sweep’

Some stats from the 6th annual Privacy Sweep conducted by the Global Privacy Enforcement Network (GPEN) reaffirm the veracity of the results above. Data protection consultants GDPRXpert.ie have included elements of this in a published blog post. Data protection authorities from around the world participated, and in the last sweep GPEN aimed to assess how well organisations have implemented accountability into their own internal privacy programmes and policies. One goal was to establish a sort of baseline of an organisation’s compliance with data protection. This was the brief for the DPC, as their input was targeted at randomly selected organisations in Ireland. 30 organisations across a range of sectors completed a suite of pre-set questions relating to privacy accountability. Because the sweep was done in the last quarter of 2018, only preliminary or provisional results were available at the date of the report (DPC Report, 2018).

Some Stats from the ‘Privacy Sweep’

Preliminary results include the following:

  • 75% appear to have adequate data breach policies in place;
  • All organisations seem to have some kind of data protection training for staff;
  • However, only 38% could provide evidence of training for all staff including new entrants and refresher training;
  • In most cases, organisations appear to undertake data protection monitoring/self-assessment, but not to a sufficiently high level. In this category, 3 out of 29 scored ‘poor’, while 13 could only reach a ‘satisfactory’ level;
  • 1/3 of organisations were unable to show any documented processes in place to assess risks associated with new technology and products;
  • 30% of organisations failed to show they had an adequate inventory of personal data, while close to 50% failed to keep a record of data flows.


Is There Still a Wait and See Approach?

Businesses and organisations have reacted to the GDPR in their own way, depending on what they view as their individual exposure. There is no doubting the cost-benefit analyses done by some companies to quantify the potential fines versus the cost of compliance measures. This is especially so for companies that have no presence in the EU but fall under the GDPR by virtue of Art. 3. Most companies are taking a proactive approach to dealing with the new realities of personal data protection. Possibly because many of the fines to date have been nominal compared to what they could have been, some companies are waiting to see what the supervisory authorities in each EU member country are going to do. The prevailing wisdom is that fines will be going up as regulatory actions play out. (https://www.scmagazine.com/home/security-news/evaluating-the-gdpr-experiment)

At the moment businesses and organisations are looking at the possibility of larger fines being imposed. Many are waiting to see if any trends are emerging, or whether particular types of businesses are being targeted. So far, it seems only the very big companies have been targeted by the office of the DPC here in Ireland. Anecdotal evidence suggests smaller businesses do not see themselves as being on the DPC radar. The perception is that the DPC has too much on its plate and ‘bigger fish to fry’. Smaller businesses may very well fly under the radar for a short while longer. However, one can assume, partly because of the prolonged bedding-in period for the regulation, that by the time the DPC gets around to some smaller fish, a high level of compliance will be expected. At that stage, no excuses are going to be accepted in any defence of non-compliance.

What is Likely to Happen in the Next Phase?

In the DPC Annual Report 2018, there were 2,864 complaints. Of these, the largest single category was ‘Access Rights’, with 977 complaints, or a little over 34% of the total. Here is a warning flag for businesses. All of these complaints have the potential to trigger an associated investigation by the DPC into an organisation’s compliance with the GDPR. At least initially, it is believed supervisory authorities will take a more cautious approach to levying the harshest penalties, says Peter Milla, the data protection officer at Cint, a provider of consumer data sets to market researchers around the world, with global corporate headquarters in London.

“What’s going to happen is the regulators are going to come in to see if you have a compliance program but they’re going to be very lenient,” he says. “They’re obviously not going to put small companies out of business because there’s a political component here but they will fine. They’re going to be commercially reasonable. The Germans are probably going to be the harshest,” Milla says.

One thing that has been forecast is that there will be greater enforcement. Regulators across the EU have significantly increased staffing levels, and it is logical to expect greater enforcement as a result. Another expected development is that increasingly educated and ‘GDPR conscious’ consumers will drive data protection and privacy by design. The same consumers will be attracted to businesses and organisations that are seen to respect their data protection and privacy rights. A lack of either a Privacy Notice or a Privacy Statement is a clear indicator of an organisation’s disregard for the core principle of transparency. What is such an organisation doing with your personal data? That is anyone’s guess.

Patrick Rowland, GDPRXpert.ie

GDPRXpert.ie, with bases in Carlow/Kilkenny and Mayo, offers a nationwide GDPR and data protection consultancy service.

Visit www.gdprxpert.ie to learn more


Transfers of Personal Data outside the EU/EEA

In the most recent blog post we attempted to capture the context of some of the channels of transfers of data outside the EU/EEA. The Schrems case provided some of this, by its scrutiny of the Standard Contractual Clause mechanism. Since the introduction of the GDPR the channels of transfer of personal data to a third country or international organisation have undergone changes.

Transfers of personal data to third countries or international organisations

Following the inception of the GDPR, the law on transfers of personal data to third countries or international organisations (‘transfers’) is more settled. A caveat is that the exact interpretation of express terms in the GDPR that relate to transfers may yet come before the Court of Justice for ultimate clarification.

Art. 44 GDPR provides that transfers may only take place if, subject to the other provisions in the regulation, the conditions laid down in Chapter V are complied with by the controller and processor. A plethora of conditions is laid out in Chapter V. These conditions can be grouped as transfers subject to:

  • Adequacy Decisions;
  • Appropriate safeguards; or
  • Specific derogations.

Adequacy Decisions

Art. 45 allows transfers where the European Commission has decided that the third country or international organisation ensures an adequate level of protection. Under this scenario, no specific authorisation is required. In practice, this confers a broad discretion on the European Commission in assessing adequacy. This has the potential to be viewed subjectively and to be politically influenced. It was the discretion in declaring that an adequate level of protection existed that led to Schrems (Case C-362/14, 6 Oct. 2015) ending up before the CJEU. As a means to counterbalance the discretion of the Commission, Art. 45(2) sets out three elements that the Commission must ‘in particular’ take into account when assessing the adequacy of the data protection in the third country. A list of countries with an adequacy decision is found here.

Elements to be taken into account to assess Adequacy

  • ‘the rule of law, respect for human rights and fundamental freedoms…’ Legislation, both general and sectoral, is examined. Are there adequate protections available when assessed in the light of legislation concerning public security, defence, national security and criminal law? How about access of public authorities to personal data and the implementation of the legislation above? What about data protection rules, professional rules, security measures and rules for onward transfer of personal data to another third country? Can data subjects gain effective administrative and judicial redress where they have complaints about how their data are being transferred?
  • ‘the existence and effective functioning of one or more independent supervisory authorities in the third country…’ The Commission should expect to see a supervisory authority with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers. It is not enough to have responsibility for enforcement; it must have the powers to deliver on enforcement. Toothless tigers are not wanted.
  • ‘the international commitments the third country or international organisation has entered into…’ Something like this can act as an accurate gauge of the value placed on international norms and rules. Part of this element of assessment can include scrutiny of international obligations the third country may have as a result of some legally binding convention or instrument. Does the third country or international organisation participate in multilateral or regional systems, especially in the data protection sphere?

The Goal

In essence, the goal is to have similar, if not identical, means of protection of personal data operating in the third country as are available to data subjects in the EU/EEA. As noted in the Schrems case, there must be an appropriate balance struck between the powers assigned to authorities in a third country and the protections provided for the persons whose personal data are being transferred. If the Commission is satisfied with the integrity and substance of data protection in the third country, it may then issue an Adequacy Decision. Any Adequacy Decision must be monitored and reviewed over time (Art. 45(4)) and can also be repealed, amended or suspended (Art. 45(5)).

Transfers Subject to Appropriate Safeguards

In the absence of an Adequacy Decision, a controller or processor may transfer personal data to a third country or international organisation only where:

  • the controller or processor has provided appropriate safeguards; and
  • on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

These appropriate safeguards can be provided in a number of ways, and some need no specific authorisation from the Supervisory Authority (SA). Art. 46(2) sets down the list of those not needing SA authorisation:

  • a legally binding and enforceable agreement between public authorities or bodies;
  • binding corporate rules in accordance with Art. 47 (more below);
  • standard data protection clauses adopted by the Commission (in accordance with the examination procedure laid out in Art. 93(2));
  • standard data protection clauses adopted by the SA and approved by the Commission;
  • an approved code of conduct pursuant to Art. 40, together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards;
  • an approved certification mechanism pursuant to Art. 42, together with the same binding and enforceable commitments as above.

Of those listed above, the most common mechanisms are Binding Corporate Rules (BCRs) and Standard Data Protection Clauses. BCRs are “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (Art. 4(20)).

Recital 110 advises that a group of undertakings engaged in joint economic activity should be able to make use of BCRs for international transfers from the Union to organisations within the same group, provided the BCRs contain all essential principles and enforceable rights to ensure appropriate safeguards for the transfers of personal data. Competent SAs may approve BCRs, but the Commission itself may specify the exact format and procedures for the exchange of information between the controllers, processors and SAs for those BCRs. Otherwise it is a matter for the SA to approve the BCRs.

Art. 47(1) sets some pre-conditions on any approval of the BCRs. First, they must be legally binding, and apply to and be enforced by every member of the group of undertakings engaged in the joint economic activity. Second, they must expressly confer enforceable rights on data subjects with regard to the processing of their personal data. Third, they must fulfil the requirements set out in GDPR Art. 47(2).

The Content of the Binding Corporate Rules

Art. 47(2) lays down a comprehensive list of specific requirements for the content of the BCRs. It is not within the scope of this blog to enumerate all these requirements, but they should be examined carefully in the text of Art. 47(2). There is no hierarchy of requirements, but some on their face seem more important than others. A detailed analysis of the requirements for Binding Corporate Rules is laid out in this Article 29 Working Party document. It is a very comprehensive examination of the requirements and an excellent reference to satisfy any query.

Some of the Requirements

To be valid and acceptable, the BCRs must contain the structure and contact details of the group of undertakings/enterprises engaged in the joint economic activity and of its members. All data transfers or sets of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects and the identification of any third countries, must be clearly enumerated as part of the contents of the BCRs. Data protection principles are applicable, and the rights of data subjects are to be expressly recognised, including a right to obtain redress and, where appropriate, compensation for a breach of the BCRs. Controllers or processors must accept liability for any breaches of the BCRs by any member not established in the Union. Other requirements are laid out in Art. 47(2).

Standard Data Protection Clauses

For many organisations these clauses are the most usual mechanism to transfer personal data to a third country or international organisation. They are more common than adequacy decisions, but they represent a minimum standard for data protection and for this reason it is envisaged (see Recital 109) that controllers and processors will add additional safeguards. The clauses must contain the contractual obligations of the ‘Data Importer’ and the ‘Data Exporter’ and confirm the data protection rights of the individuals whose data are being transferred. Individuals can directly enforce those rights against either of the parties.

Standard clauses were issued under the old Directive and these remain valid. However, the European Commission has advised the European Data Protection Board (EDPB) that it is planning to update the Clauses for the GDPR. The Commission has made available the sets of Standard Contractual Clauses issued up to now.

Safeguard Mechanisms Requiring Specific Authorisation

Other mechanisms allow for the transfer of personal data to a third country or international organisation, but these need prior specific authorisation from the SA. Safeguards in these cases may be provided by a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country, and b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. The consistency mechanism referred to in Art. 63 applies to such authorisations. For example, where the SA intends to authorise contractual clauses, it shall communicate that draft decision to the Board (i.e., the EDPB).

Specific Derogations

Where there is neither an adequacy decision available under Art. 45, nor appropriate safeguards pursuant to Art. 46, a transfer of personal data can still take place if one of the conditions set out in Art. 49 is fulfilled. These conditions include:

  • explicit consent of the data subject to the data transfer, having been informed of the possible risks;
  • the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (the foregoing three conditions do not apply to activities carried out by public authorities in the exercise of their public powers);
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is made from a register which, in accordance with Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

Apart only from explicit consent, in all other cases the transfer is dependent on the transfer being deemed ‘necessary’. In practice the conditions are strictly applied and strictly interpreted, with the result that it is preferable to use some other mechanism to transfer data to third countries or international organisations. There is one final option if all other mechanisms or conditions are not present or available.

‘Last Resort’ Transfers of Personal Data

Where a transfer cannot be based on an adequacy decision or appropriate safeguards, including binding corporate rules, and none of the derogations for specific situations apply, a transfer of personal data may still take place only if:

  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, provided they are not overridden by the interests or rights and freedoms of the data subject; and
  • the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, put in place suitable safeguards for the protection of personal data. In addition, the controller must inform the SA and the data subject of the transfer. Any compelling legitimate interest pursued must be communicated to the data subject, together with all the information required under Arts. 13 and 14.

The Recitals regard this last basis as one to be relied on ‘in residual cases where none of the other grounds for transfer are applicable…’ (Recital 113).

In most cases personal data transfers to third countries or international organisations are routine and uncomplicated. The complicated part is knowing whether those transfers are legally sound or not. The prudent route is to follow the text of Arts. 45-49 and be aware of changes, such as CJEU decisions. Should the UK leave the EU without an agreed deal, then the UK will become a ‘third country’ for the purposes of the GDPR and data transfers. If there is a ‘no deal Brexit’, data transfers to the UK will have to follow one of the routes described in this blog.

Patrick Rowland, GDPRXpert.ie
