The Lawyer, with Cooley partners Ann Bevitt and Patrick Van Eecke, gathered eight in-house lawyers for a roundtable addressing developments in data protection and the GDPR.
The roundtable covered four main discussion points, exploring what in-house counsel need to know and address in H2 2020: (i) data transfers and how to navigate Schrems II; (ii) Brexit; (iii) GDPR enforcement trends; and (iv) breach notification.
The discussion kicked off with Van Eecke summarising the “Schrems II” decision and the practical impact it has for the UK – specifically the contractual and technical security measures businesses should consider to minimise privacy risks that arise when transferring personal data from the UK and European Union (EU) to the US and other jurisdictions outside the European Economic Area (EEA).
In a judgment in July the Court of Justice of the EU (CJEU) ruled that the EU-US Privacy Shield framework was an insufficient mechanism to ensure compliance with EU data protection requirements. The framework had been set up to help businesses transfer personal data across the Atlantic in a way which complies with the requirements of EU data protection law.
“The problem is that the ruling wasn’t limited to the invalidation of the Privacy Shield” stated Van Eecke. The CJEU’s concerns regarding the lack of protection afforded to personal data transferred to the US under the Privacy Shield apply equally to the other means which companies use to transfer personal data outside the EEA in compliance with EU data protection rules. In particular, the CJEU cast doubt on the ability of businesses to rely on the standard contractual clauses (SCCs) approved by the EU Commission when transferring personal data to other jurisdictions with known invasive surveillance regimes similar to those in the US without “additional safeguards”.
“This means companies must undergo a huge exercise, carrying out an assessment of each country outside the EU to which they want to transfer personal data and the adequacy of its legal framework” Van Eecke said. “Then they must beef up the SSCs with additional clauses, including technical measures – encryption, tokenisation – any measures that make it impossible for surveillance authorities to capture the data.”
The group voiced their concerns about the potential illegality of some data transfers and discussed how to enhance levels of protection and what additional provisions may be needed when using SSCs. For transfers of personal data from the EU to the UK, the key question is whether the UK will be successful in securing an adequacy finding from the EU Commission by 31 December 2020 or whether it will be considered a third country, for which data transfers will need to be legitimised by appropriate safeguards, as is the case for other third countries with no finding of adequacy.
“In the absence of an adequacy finding for the UK, the Schrems II decision throws a spanner into the works for companies wanting to rely on SCCs to transfer personal data from the EU to the UK because of the question mark hanging over the validity of the clauses” Bevitt pointed out. “The UK has already said it accepts that the EU is adequate so transfers from the UK to the EU aren’t a problem. Data transfers into the UK, however, are going to require these “additional safeguards”. And we don’t know what they are yet.”
Bevitt added that the EU Commission has already found a dozen countries adequate for receiving EU personal data (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay). Adequacy talks are ongoing with some other countries including South Korea. Unfortunately, the UK is not top of the list.
“If we don’t get a deal and become a non-adequate country, based on previous adequacy findings the process can take anywhere from 18 months to five years” Bevitt stated.
One of the lawyers noted the political implications. Because of Brexit, the EU Commission does not feel encouraged to grant the UK adequacy.
Van Eecke concurred: “This is definitely the sense I get in Brussels. It means companies based in the UK and doing business in the EU should start thinking about what they are going to do now.”
As well as considering SCCs, Van Eecke recommended that now is the time to set up other solid data transfer mechanisms such as binding corporate rules (BCRs).
The discussion flowed onto the subject of Brexit and what happens when the UK emerges from its current transitional state. Bevitt outlined the changes companies will need to make in anticipation of Brexit, including appointing an EU representative, as required by Article 27 of the GDPR. This means that companies that are not established in the EU, but that monitor or process the personal data of people within the EU, will need to appoint an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities (DPAs).
The post-Brexit UK GDPR will also require companies not established in the UK to have a UK representative, in the same way that the EU GDPR requires an EU representative.
“I think of the representative as a post box: a contact point within the EU (or UK)” said Bevitt.
Van Eecke highlighted one of the difficulties that appointing a representative may entail: “It’s no fun being a representative. There is a high liability risk as in some countries you can be sanctioned for infringements of the GDPR carried out by your clients.” Because of the quasi-criminal nature of these fines, they seem not to be insurable, as put forward by some legal commentary.
A pressing topic is the enforcement of breaches of GDPR and what companies should watch out for. There is a public list of all the companies which participated in the Privacy Shield. When the Privacy Shield was invalidated, overnight it became a list of companies in non-compliance with the GDPR’s transfer restrictions. This is an obvious opportunity for regulators, who could use it is a chance to wield the enforcement stick. Every DPA is looking for companies to sanction.
Van Eecke warned: “If you’ve got a case you’re not going to go to court in front of an objective judge. You will be sanctioned by a regulatory authority that lives by data protection compliance.”
Non-compliant companies risk heavy sanctions. In a high-profile example, Google was fined 50 million euros (£44m) by the French DPA, the CNIL, for a breach of the EU’s data protection rules. So far, it remains the largest penalty. However, even smaller businesses must remain vigilant.
Van Eecke laid out the trends he has been seeing with regard to fines:
- With the GDPR in its second year, DPAs have stepped up their game in issuing sanctions. The first year was about learning to work with the new regulatory framework. Now every DPA in every member state of the EU has already issued at least one sanction.
- The sanctions began as small sums while the DPAs tested the water. This was smart. The fines were low so many companies didn’t try to appeal. DPAs have used this to set precedents for future fines.
- Nobody escapes the dance. Every industry sector is affected. In the UK, for example, Bevitt pointed out that the Information Commissioner’s Office (ICO) has indicated an intention to fine Marriott Hotels nearly £100m after hackers stole the records of 339 million guests. The breach was due to a vulnerability within the Starwood hotels group in 2014. Marriott acquired Starwood in 2016, and the theft of customer information was discovered later. The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood.
- Many of the fines are not about companies acquiring personal data for illegal purposes. Sometimes it is simply a case of keeping data on systems for too long.
- The DPAs are increasingly scrutinising who has been appointed as Data Protection Officers. They must be independent and neutral. It is best if they have no role in the management function so the DPA cannot claim they are involved in data processing activities.
- Companies are not honouring data subjects’ requests to exercise their rights under the GDPR, such as data subject access requests (DSARs). The Cooley partners see more DSARs being made in the UK than in Continental Europe.
“A classic example is an employee who wants to cause pain, or an ex-employee trying to find ammunition to threaten a claim and get money from the company” Bevitt stated.
Bevitt and Van Eecke concluded the discussion by sharing their practical tips based on their experience of handling breaches for clients.
If there is a breach, it is important for lawyers to notify the authorities even when they do not know all the facts. “It’s better to raise the alarm as soon as possible, as long as what you’re saying is accurate. Within the 72-hour deadline, it is better to err on the side of caution” Bevitt said.
In-house teams must also be consistent in their assessment of the incidents that confront them. Van Eecke pointed out the danger in the DPA sanctioning not for the data breach itself, but for the company handling it improperly. Cooley uses an assessment tool based on ENISA technology, and comprised of 25 questions, to get an objective assessment of the severity of the data breach. With this type of objective assessment, the company will be able to explain to a DPA why it decided to (or not to) notify.
“It’s always about accountability – the magic word in the GDPR,” Van Eecke said.
- On 30 October 2020, the ICO announced that it is fining Marriott International £18.4 million for failing to keep 7 million UK customers’ personal data secure. The fine relates to Marriott’s failures between May 2018 (when the GDPR came into force) and September 2018 (when it discovered the attack).