Brexit – What Does it Mean for Data Privacy?

As of 11:00pm tonight the Withdrawal Agreement between the UK and the EU becomes effective.  Many companies have planned for a No-Deal-Brexit, securing data privacy representatives in the UK and the EU separately, and standing by with contract revisions at the ready.  The Withdrawal Agreement provides for a transition period until the end of 2020, during which the GDPR continues to apply to the transfer of personal information between the UK and the EU.

One issue with a No-Deal Brexit was that, since the UK had not yet obtained a decision from the European Commission that its data privacy and protection laws provide an adequate level of data protection, transfers of personal data from the EU to the UK could only be made subject to additional protections, for example the Standard Contractual Clauses. The hope is that during the transition period the UK will make whatever amendments to its current data privacy law, the Data Protection Act 2018, are needed to obtain this adequacy decision. The Data Protection Act 2018, with amendments, if any, will continue to apply in the UK and to collection and processing taking place wholly within the UK.

The current guidance recommends that, at the end of the transition period, companies collecting and processing personal information of individuals in both the UK and the EU will need to appoint representation in both the UK and the EU and will need to register with a supervisory authority in the EU or the UK, depending on their original registration. Following the end of the transition period the GDPR will continue to apply to personal information collected and processed from data subjects in the EU.

Other laws covering aspects of data privacy and protection, including the PECR (marketing, cookies, and electronic communications) and the NIS rules (network and information systems), and their EU counterparts, will continue to apply during the transition period.

What to do in a No-Deal-Brexit Scenario

What happens to your GDPR compliance program in the event that the UK leaves the EU without striking an agreement with the EU? Here is a summary of the actions you will likely need to take, followed by a more detailed explanation.

  1. Revise your standard contractual clauses for transfers from the EU to the UK
  2. Ensure you appoint an Article 27 representative in both the UK and the EU. 
  3. Register with a supervisory authority in both the UK and the EU
  4. Make revisions to your privacy policy to refer to both the UK and EU laws and to identify the supervisory authority and the company's representative in both the UK and the EU
  5. Review DPIAs to ensure compliance with both sets of laws.

According to the ICO (the Information Commissioner's Office, the UK's data protection supervisory authority), the UK government intends to incorporate the GDPR directly into UK law upon Brexit (the "UK GDPR"). The UK GDPR together with the Data Protection Act 2018 will comprise the UK's data protection scheme. Existing GDPR compliance programs must continue to apply those protections to the personal data of UK data subjects. Nevertheless, data controllers and processors will need to make changes to their data privacy and protection practices before a No-Deal Brexit. In particular, companies will need to make adjustments with regard to the following:

Data Transfers

Most likely the most burdensome issue. Because the European Commission alone determines whether a country outside the EU offers an adequate level of data protection, a country that leaves the EU is not automatically deemed "adequate." Thus, until there has been an adequacy decision, transfers of personal data from the EU to the UK can be made only subject to certain safeguards, such as Standard Contractual Clauses (SCCs).

The length of time it will take to obtain an adequacy determination from the European Commission is unknown, and there is no assurance that such a decision will be made quickly.  Be prepared to implement interim safeguards and understand how personal data flows from within and out of the UK. Identify which data transfers will be problematic.  Adopt appropriate transfer mechanisms.

Transfers from the EU to the UK. If your company transfers EU personal data to the UK, you will need to ensure adequate safeguards are in place or that one of the exceptions in GDPR Article 49 applies. For some companies, the only available data transfer mechanism will be SCCs. Identify all such data transfers now and begin the process of entering into SCCs with entities to which your company transfers data, such as vendors, customers, and even internal corporate affiliates, so these agreements are in place before Brexit.

Transfers from the UK to the EU. If your company transfers personal data from the UK to the EU, the ICO has indicated that post-Brexit transfers from the UK to the EU will not be restricted.  Although no specific action is required concerning these transfers, best practice suggests that you keep these transfers under review.  

Transfers from the UK to countries outside the EU. The rules governing these transfers are not expected to change, as they are already in place. It is expected that the UK government will confirm existing adequacy decisions and the SCCs.

Article 27 Representatives

Do not confuse the Article 27 representative with the data protection officer (DPO), which is discussed separately below. Under GDPR Article 27, a controller or processor that is not established in the EU but is nonetheless subject to the GDPR (because it offers goods or services to, or monitors the behaviour of, individuals in the EU) must designate a representative in the EU, subject to limited exceptions for occasional, low-risk processing and for public authorities. The representative is the point of contact for supervisory authorities and data subjects and need not be the DPO. After a No-Deal Brexit, a UK company with no EU establishment that continues to serve EU individuals will need an EU representative, and the UK GDPR is expected to mirror this requirement, so an EU company with no UK establishment that serves UK individuals will need a UK representative. As a result, to remain in compliance in both the UK and the EU, companies serving individuals on both sides without an establishment in each will need to appoint two representatives, one in the UK and one in the EU.

Lead Supervisory Authority

Under the GDPR's one-stop-shop mechanism, a company with an establishment in the EU that engages in "cross-border processing" deals primarily with a lead supervisory authority (LSA). The LSA coordinates "cross-border processing" issues across the EU and has primary responsibility for conducting investigations into the company's data processing activities and responding to its compliance inquiries. The LSA is the authority of the country in which the company's "main establishment" is located: its central administration in the EU or, if decisions about the purposes and means of processing are taken elsewhere, the establishment where those decisions are made. Following Brexit, companies whose main establishment is in the UK will no longer have the ICO as their LSA. Moreover, unless those companies physically move the operations where decisions about the processing of personal data are made to an EU country, they may lose the benefit of the one-stop-shop altogether, leaving them subject to regulation by multiple EU data protection authorities.

Data Protection Officers

The ICO’s guidance states that Data Protection Officers (DPOs) appointed by a company may continue in that role and combine their UK responsibilities with ongoing EU responsibilities, so long as “they have expert knowledge of both UK data protection law and the EU regime and are ‘easily accessible’ from both locations.” Because the UK GDPR will mirror the GDPR, your DPO who already possesses knowledge of the GDPR will also necessarily possess knowledge of the UK GDPR. Your DPO should also possess knowledge of the Data Protection Act 2018, which took effect at the same time as the GDPR.

Privacy Notices

Although the information required in your privacy notice is unlikely to change, references to EU law and the identification and contact information for the DPO and the LSA may need to be changed. If your U.S.-based company participates in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, you will need to update your privacy notice by March 29, 2019, to affirm that your commitment to the Privacy Shield extends to UK personal data.

Article 30 Records of Processing

Changes to the information you are required to document are not likely. You may need to review certain of your processing activities involving data transfers to the UK and update your records accordingly. For example, you may now have to classify certain personal data as being subject to international transfer rules and document under which adequate safeguards it was transferred.

Data Protection Impact Assessments

Existing assessments may need to be reviewed to determine whether they cover international data flows that become restricted after Brexit.

If you have questions or concerns please contact me for assistance.

California Consumer Privacy Act (CCPA)—Or should we say CDPR?

Just when you thought you could catch your breath, California, on June 28, 2018, enacted the strictest data privacy law in the United States: the California Consumer Privacy Act ("CCPA"). With striking resemblances to the GDPR, the new law will carry with it broad implications for businesses providing services to, or collecting data from, California consumers. By passing the bill, the California legislature secured time to review and amend the law before it becomes effective on January 1, 2020. The ink is far from dry on the new bill, and it will be the center of heated debate before it takes effect.

The tab for non-compliance? Any business that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 per violation. To put that in context, if each affected account counted as a violation, Yahoo's 2016 data breach of over 500 million accounts would have amounted to a fine north of 100 billion dollars. Like the GDPR, the CCPA will require organizations to reassess how they are handling personal information, data retention policies, third-party processing contracts, and master privacy policies. To ensure compliance, businesses must take steps similar to those that the GDPR requires, such as data mapping, data inventory, gap analysis, and drafting new privacy policies and contracts.

California, with its roughly 39.5 million people, boasts the fifth largest economy in the world. Given that businesses across the globe contribute to California's growing economy, the CCPA sets a new standard of privacy for anyone transacting business in the United States. In the modern digital world, the CCPA, like its influential counterpart the GDPR, is here to stay and shifts privacy rights back to the hands of consumers. Let us help you with this hurdle to CCPA compliance.

See chart below for a comparison of the CCPA and the GDPR.

General Data Protection Regulation (GDPR) vs. California Consumer Privacy Act 2018 (CCPA)

The basis for consent
  GDPR: Opt-in
  CCPA: Opt-out

To whom it applies
  GDPR: Anyone processing, or controlling the processing of, personal data of individuals located in the EU.
  CCPA: For-profit businesses that process personal data of California residents and satisfy one or more of the following thresholds:
    A) Have annual gross revenue of $25 million or more;
    B) Buy, sell, or share for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
    C) Derive 50% or more of their annual revenues from selling consumers' personal information.
  The law also applies to affiliated, co-branded entities of businesses that meet the above criteria, even if the affiliate does not itself do business in California.

Individual rights
  GDPR:
    1. Access
    2. Rectification
    3. Erasure
    4. Restriction of processing
    5. Object to processing
    6. Data portability
    7. Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  CCPA:
    1. The right to know what personal information a business has collected about you.
    2. The right to know whether your personal information is sold or disclosed, and to whom.
    3. The right to say no to the sale of your personal information.
    4. The right to access your personal information.
    5. The right to delete your personal information.

When does it come into effect?
  GDPR: May 25, 2018
  CCPA: January 1, 2020

Potential fines
  GDPR: Up to EUR 20 million or up to 4% of total worldwide annual turnover, whichever is higher.
  CCPA: A civil penalty of up to $7,500 per intentional violation, plus a private right of action for data breaches with statutory damages of between $100 and $750 per consumer, per incident.

Time allowed to respond to a request
  GDPR: One month
  CCPA: 45 days

 

Facebook Page Administrators Faced with the Floodgate of Liability

The powerful nature of the GDPR has instilled fear among businesses across the globe. As most companies rush toward compliance, some try to hide behind others. Just weeks after the GDPR came into effect, the European Court of Justice (ECJ) decided a case that made clear that businesses cannot avoid liability by hiding behind other companies. The issue before the ECJ concerned a decision from 2011 in which a German regional data protection authority ordered a company to shut down its Facebook page for failing to inform visitors of the collection and processing of their personal data.

To better understand this issue, it is best to break it down step by step. First, Facebook uses cookies to collect personal data about visitors to the company's page. Second, Facebook provides the company (the page administrator) with anonymous statistical data about those visitors. Finally, the company tells Facebook to place targeted ads on its Facebook page.

The central issue was whether the company using the Facebook page was a controller, despite that it never obtained or had any access to the personal information collected by Facebook’s cookies. A controller is someone who determines the purposes and the means for the processing of personal data. The data protection authority maintained that the company was the “controller” of the personal data collected through its fan page; therefore, it was responsible. The company denied responsibility for Facebook’s processing of personal data and argued that any action should be brought against the social network.

The Court held that the company was a “controller” and was jointly responsible with Facebook for the processing of data on its page. It reasoned that the administrator of the company’s page contributed to Facebook’s determination of the means and purposes of processing the visitors’ data. Specifically, the page administrator takes part in deciding what data to collect and how to process; the administrator defines a target audience and requests information about the lifestyles and interests of its visitors to the page. The Court stated, “[t]he fact an administrator of a fan page uses the platform provided by Facebook to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.”

This decision highlights the need for page administrators and businesses to take additional steps to ensure GDPR compliance on their pages. Under the GDPR, businesses processing page visitors' personal data with no lawful basis face fines of up to EUR 20,000,000.00 or 4% of total annual worldwide turnover, whichever is higher. Rather than accept the risk of noncompliance, let us help your business reach its compliance goals today.

Email Marketing Post-GDPR: Untangling Recital 47 in the Pre-ePR Era

On May 25th, 2018, EU lawmakers unleashed the GDPR—a new privacy law capable of delivering a financial blow to businesses across the globe, not just in Europe. The data which drives email marketing programs must be processed and stored in accord with the GDPR. Recital 47 of the GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Businesses may rely on their "legitimate interests" to send postal marketing about a new product to their customers. This means that businesses may send postal marketing without their customers' consent. However, direct marketing by electronic means, such as by email, complicates the issue.

Although the GDPR governs the data used for email marketing, the Privacy and Electronic Communications Regulations ("PECR") define the permission required to send marketing and advertising by electronic means, such as by email. Further, the PECR does not include "legitimate interests" as a lawful basis for marketing by email. To further muddy the water, the PECR will eventually be superseded by the new ePrivacy Regulation ("ePR"), which is expected to arrive by late 2019. Until the ePR takes effect, sending marketing emails remains subject to the PECR.

As for now, the general rule under the PECR is that businesses may send marketing emails only to individuals who have consented to receive them. But there is an exception for existing customers, known as the "soft opt-in." Consent is not required if the individual's contact details were obtained in the course of a sale (or negotiations for a sale) of a product or service, the marketing concerns the business's own similar products or services, and the individual was given a simple means of refusing the marketing both when the details were collected and in every subsequent message.

As the EU works to introduce the ePR, businesses face the challenge of complying with the GDPR and the PECR. Nevertheless, given the imminent arrival of the ePR, businesses must further prepare for complying with the new regulation too.

Let us help you with this hurdle to GDPR compliance.

GDPR versus Direct Marketing: Re-consenting for Marketing Data?

As the new sheriff in town, the GDPR casts a dark shadow over businesses processing direct marketing data. The regulation has businesses wondering if they must obtain new consents for their entire marketing database. The answer is “it depends.”

This problem arises from Recital 171 of the GDPR which states: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of this Regulation.”

The premise is that if you acquired consent for processing data pre-GDPR, then you can continue to rely on that consent post-GDPR. All is okay up to this point. But the dark cloud above all this is that the pre-GDPR consent remains valid only if it was obtained to a GDPR standard. The GDPR requires that an indication of consent be unambiguous and involve a clear affirmative action; pre-ticked boxes, silence, or inactivity do not qualify. It follows that consents obtained pre-GDPR by those means are no longer valid, and businesses relying on them must either obtain new GDPR-standard consent or identify another lawful basis for the processing.

Under the GDPR, businesses processing marketing data with no lawful basis face fines of up to EUR 20,000,000.00 or 4% of total annual worldwide turnover, whichever is higher. Rather than accept the risk of noncompliance, let us remove that dark cloud of noncompliance and help your team comply now.

GDPR versus Employers: Time to reconsider consent as a lawful basis to collect personal data?

In light of the GDPR’s stringent requirements for consent, HR departments will need to review the legal basis for processing employee data under employment contracts based on consent. The GDPR heightened the requirements for using consent as a legal basis, making this method risky and burdensome. The GDPR requires that consent must be: (1) freely given, (2) specific, (3) informed, and (4) unambiguous. In the employment context, it is unlikely that an employee can respond “freely” to a request for consent from his/her employer.

Blanket consent clauses in employment contracts are no longer adequate to process employee data. The employer must identify an alternative legal basis (e.g., performance of the employment contract, a legal obligation, or a "legitimate interest") for both new and existing employment relationships, and HR should revise its contracts and privacy notices to reflect that basis in order to avoid sanctions and fines.

The GDPR will impose severe fines on employers that process employee data with no lawful basis, of up to EUR 20,000,000.00 or 4% of total annual worldwide turnover, whichever is higher. To put this in perspective, only hours after the GDPR came into effect, the privacy group noyb filed complaints with supervisory authorities against Facebook, Google, Instagram, and WhatsApp, seeking fines that together run to billions of euros. Employers must become GDPR compliant before the supervisory authority makes landfall at your organization.

Let us help you with this hurdle to GDPR compliance.

Data Retention under the GDPR

The impact of the GDPR on US companies will be significant. One of the most difficult issues to overcome will be handling data retention. Creating a data retention policy is easy; implementing it will be significantly more difficult. Article 5 sets forth the principle that personal data may be kept in identifiable form for no longer than is necessary for the purposes for which it was collected. Data that has been truly anonymized, so that the data subject can no longer be identified, falls outside the GDPR and may be kept longer; merely pseudonymized data remains personal data. Failure to delete or anonymize data once the purpose has been served could trigger significant administrative fines for noncompliance.

Personal information is collected through external processes, for example lead generation, consumer profiling, media pitching, and database management, and through internal processes, for example recruitment, hiring, and vendor relationships. The GDPR requires companies to maintain higher standards of transparency, security, and accountability in the way they collect, use, and store data. For each class of data collected (customers, employees, etc.), prepare a documented justification for keeping the data for a set period, after which it will be deleted. Fines are steep.

Understanding what data may be maintained and what data must be deleted and when is one of the biggest hurdles to ensuring compliance. Many companies have maintained a central database and allowed data to be stored on employee laptops. This practice must now be replaced with strict policies creating a central repository with easily identifiable categories of data with varying deletion deadlines.
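The following is an added example (not from the original page) of what "a central repository with easily identifiable categories of data with varying deletion deadlines" looks like in code: a retention schedule keyed by category, a deadline computed from the collection date, and an enforcement pass that deletes or anonymizes expired records and refuses records whose category has no rule, so nothing is silently kept forever. The categories, retention periods, identifying fields, and sample records are illustrative assumptions.

```python
"""Added example: enforcing per-category retention deadlines over a central
record repository. The schedule, field names and sample records are assumed
for illustration and are not taken from the original page."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed retention schedule: category -> (retention period, action on expiry).
# "delete" removes the record outright; "anonymize" strips direct identifiers
# so the record can be kept for aggregate statistics only.
RETENTION_SCHEDULE: Dict[str, Tuple[timedelta, str]] = {
    "marketing_lead": (timedelta(days=365), "delete"),
    "customer": (timedelta(days=6 * 365), "anonymize"),
    "job_applicant": (timedelta(days=180), "delete"),
}

# Assumed set of direct identifiers; in practice this is decided per dataset,
# and any field (including an internal id) that can be linked back to the
# person elsewhere must be treated as identifying too.
IDENTIFYING_FIELDS = {"name", "email", "phone", "address"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    data: Dict[str, str]
    anonymized: bool = False


def deadline_for(rec: Record) -> date:
    """Date on which the record's retention period expires."""
    period, _ = RETENTION_SCHEDULE[rec.category]
    return rec.collected_on + period


def anonymize(rec: Record) -> Record:
    """Return a copy with direct identifiers removed. No key or mapping is
    kept, so the removal is irreversible (pseudonymization would not be)."""
    scrubbed = {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}
    return replace(rec, data=scrubbed, anonymized=True)


def enforce_retention(records: List[Record], today: date
                      ) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Apply the schedule as of `today`. Returns the records to keep and an
    audit log of (record_id, action) for every record that was acted on."""
    kept: List[Record] = []
    actions: List[Tuple[str, str]] = []
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            # An uncategorised record has no justification for being kept;
            # fail loudly rather than retain it indefinitely by accident.
            raise ValueError(f"no retention rule for category {rec.category!r} "
                             f"(record {rec.record_id})")
        if rec.anonymized or today < deadline_for(rec):
            kept.append(rec)  # already outside the GDPR, or still within period
            continue
        action = RETENTION_SCHEDULE[rec.category][1]
        if action == "delete":
            actions.append((rec.record_id, "deleted"))
        else:
            kept.append(anonymize(rec))
            actions.append((rec.record_id, "anonymized"))
    return kept, actions


# Constructed sample repository and an assumed "as of" date for the run.
AS_OF = date(2020, 2, 1)
SAMPLE_RECORDS = [
    Record("L-1", "marketing_lead", date(2018, 12, 1),
           {"name": "A. Lead", "email": "a@example.invalid", "country": "GB"}),
    Record("L-2", "marketing_lead", date(2019, 6, 1),
           {"name": "B. Lead", "email": "b@example.invalid", "country": "DE"}),
    Record("C-1", "customer", date(2012, 1, 15),
           {"name": "C. Customer", "email": "c@example.invalid",
            "country": "FR", "orders": "7"}),
    Record("A-1", "job_applicant", date(2019, 11, 1),
           {"name": "D. Applicant", "phone": "000", "role": "engineer"}),
]


def run_demo() -> Tuple[List[Record], List[Tuple[str, str]]]:
    """One enforcement pass over the sample repository as of AS_OF."""
    return enforce_retention(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    kept, actions = run_demo()
    for rec in kept:
        print("keep", rec.record_id, rec.category, rec.data)
    for record_id, action in actions:
        print(action, record_id)
```

The pass is idempotent (an anonymized record is left alone on later runs) and the audit log is what you would retain as evidence of the deletion schedule being applied; replacing the in-memory list with a database query and the `print` calls with a ticket or log entry is the only change needed for real use.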

Let us help you with this hurdle to GDPR compliance.

 

Notifiable Data Breach Scheme goes Live in Australia

The Notifiable Data Breaches (NDB) scheme went into effect February 22, 2018. This requires agencies and organizations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches. The link provided here sends the reader to the Office of the Australian Information Commissioner and the online form to be used to notify the Australian Information Commissioner.

When a breach occurs, the organization is tasked with conducting a quick assessment of the suspected data breach to determine whether it is likely to result in serious harm to any affected individual and thus whether notification is required. "Serious harm" is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms, however the Office of the Australian Information Commissioner provide some guidance through examples.

https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=OAIC-NDB

WHY CHOICE OF LAW IS IMPORTANT IN CROSS BORDER CONTRACTS

Global business means global contracts. The parties are often resident or domiciled in different countries. As laws and legal language differ from country to country, contracts need to use language that accommodates and clarifies provisions that might not be familiar in the foreign jurisdiction. In addition, the cost of litigating in a foreign jurisdiction can exceed all expectations and is therefore difficult to quantify.

The choice of law can be dictated by the contract itself, yet the choice of law can also be different than the place chosen for resolution of the dispute.  Thus, a foreign court could be in the position of, for example, an English court interpreting U.S. law.  In this example, parties before an English court are permitted to present experts to assist the court in interpreting U.S. law.  This can become a battle of the experts. 

Even where a standard form is used, which is meant to provide a uniform interpretation and therefore some certainty, foreign courts are not necessarily familiar with that interpretation and may alter the operation and effect of the underlying agreement.

Contracts provide certainty in business. Such potential alteration eliminates this certainty and creates risk that is difficult to quantify. With regard to specific provisions, U.S. courts generally take a broad view in interpreting contract provisions and are willing to imply terms, for example a duty of good faith. Courts in other jurisdictions are not willing to imply what is not spelled out in specific language. Interpretations also vary with regard to specific legal concepts. "Gross negligence" is a well-recognized legal concept in U.S. law; in England, for example, there is no settled concept of gross negligence, and the notion is instead expressed as serious error or conduct falling significantly short of expectations.

Whenever possible, check with a lawyer in the foreign jurisdiction to ensure the differences are fully understood and clarified wherever possible.  If possible carefully draft provisions keeping in mind a foreign court may be interpreting the terms should a dispute arise.