CJEU ruling Archives - TechGDPR
https://techgdpr.com/blog/tag/cjeu-ruling/
Tue, 29 Apr 2025 09:15:28 +0000

Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering
https://techgdpr.com/blog/weekly-digest-31012022-gdpr-jurisdictional-reach-us-surveillance-laws-dp-engineering/
Mon, 31 Jan 2022 17:33:53 +0000

The post Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: GDPR jurisdictional reach, CNIL’s regulatory win over Google, CJEU case laws summary

A recent UK Court of Appeal decision emphasizes the broad geographic scope of both the EU GDPR and the UK GDPR, but also ongoing uncertainty regarding the jurisdictional reach, according to the JD Supra publication. In the given case, the court had allowed a claim for contravention of the GDPR to be served on various US parties. In particular, the claimant commenced proceedings against a US-based news outlet for a series of articles and social media posts making a number of “unflattering” allegations about the claimant. In deciding whether to grant permission (to serve a claim outside of the UK jurisdiction) the court had to determine whether the claimant’s allegations that the GDPR applied had a real prospect of success. 

Of particular note was the defendant’s intention to offer goods or services to individuals in the EU/UK when considering whether a data controller has an “establishment” in the EU/UK. In the given case the platform expressly solicited European subscriptions (priced in sterling and euros) and had secured a number of UK/EU subscribers (albeit only 6). However, the court stated that the UK Information Commissioner should be invited to participate in the case to assist the court when it comes to make a final determination. You can read more details of the case in the original judgment.

In France, the Council of State confirmed the competence of the CNIL to impose sanctions on cookies outside the one-stop-shop mechanism. The decision follows an appeal by Google LLC and Google Ireland Ltd against the 100 million euro fine imposed by the CNIL in 2020. The case relates to the dropping of advertising cookies on users’ computers through the google.fr webpage and its search engine without prior consent or satisfactory information. In its decision, the CNIL found a couple of violations of the national legislation transposing the ePrivacy Directive (the Data Protection Act). The Council of State noted that the cookies in question were being implemented within the activities of Google France, and that the CNIL was competent under the above law. It therefore did not have to refer the case to the Irish Data Protection Authority, which is the lead authority for Google companies under the GDPR’s one-stop-shop mechanism. Read the full decision (in French) here.

The Court of Justice of the European Union (CJEU) has published a fact sheet on personal data protection, covering the EU legal framework and the court’s judgments and opinions in areas such as: a) compatibility of secondary EU law with the right to the protection of personal data; b) processing of personal data within the meaning of the ePrivacy Directive; c) main data protection concepts such as lawful processing and controllership; d) transfer of personal data to third countries; e) protection of personal data on the internet, intellectual property rights and user consent; f) the competent supervisory authorities, territorial application of EU legislation, etc.

Official guidance: US surveillance laws, right of access, Connected TV, NRP data, Information security vs IT security 

In Germany, the Data Protection Conference has published (only in German) its expert opinion on US surveillance laws. In particular, for the applicability of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), the term “electronic communication service provider” includes not only classic IT and telecommunications companies but also companies such as banks, airlines, hotels or shipping service providers. Additionally, it is not necessary in every case for the services to be made available to the public; it may be sufficient, for example, for a company to provide an email service to its employees. Moreover, request arrangements for some datasets may relate to all data in the company, even when the communication service has nothing to do with the main entrepreneurial activity. The report also deals with the questions of whether European companies operating in the US are subject to problematic US law and whether FISA 702 applies extraterritorially.

The EDPB has published its recently adopted Guidelines on data subject rights – Right of access. The data subject’s right of access is enshrined in Art. 8 of the EU Charter of Fundamental Rights and is further developed by more specific and precise rules in Art. 15 of the GDPR. However, the right of access under data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents, which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice. The right of access includes three different components:

  • confirmation as to whether data about the person is processed or not;
  • access to this personal data; and
  • access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third-country transfers.

The EDPB guide includes numerous examples and illustrations for data controllers on how to interpret and assess the request, how to answer it, checking limits and restrictions, how to provide access, timing and format, how to deal with requests made by a third party, etc.

The Interactive Advertising Bureau Europe has published its guide to Connected TV (CTV) targeting and measurement solutions. Some contextual flags and metadata segments allow app publishers or CTV channel providers to create identifiers by channel, by genre, or by context for targeting purposes. According to the report, this is still in its infancy but is one of the fastest growing areas across the CTV landscape (e.g. Comscore has already launched more advanced, cookie-free CTV audience targeting in Europe based on metadata, content IDs and app bundle IDs). According to the guide, these contextual segments use a “crosswalk between audience behaviours and privacy-friendly contextual signals empowering brands to target CTV content that is the strongest predictor of audience behaviours without user-level identifiers”. Read the full document here.

The transfer and the generalised and undifferentiated automated processing of Passenger Name Record (PNR) data are compatible with the fundamental rights to respect for private life and to the protection of personal data, according to CJEU Advocate General Pitruzzella. By contrast, a generalised and undifferentiated retention of PNR data in a non-anonymised form can be justified only where there is a serious, actual and present or foreseeable threat to the security of the Member States, and only on condition that the duration of such retention is limited to what is strictly necessary. The PNR Directive requires the systematic processing of a significant amount of data on air passengers entering and leaving the EU (in the fight against terrorism and serious crime). It also gives Member States the possibility to apply the directive to intra-EU flights. The opinion also stresses the importance of an independent supervisory authority in verifying the lawfulness of that processing, conducting investigations, inspections and audits, and dealing with complaints lodged by any person concerned.

The Swedish privacy authority, IMY, published a blog post (in Swedish) on the differences between information security and IT security. Although information today is to a very large extent produced and provided via IT systems, information security concerns all types of information, including, for example, information in paper format. Information security is usually divided into two branches: administrative security and technical security. Data protection is often associated with various technical measures such as firewalls, encryption and the like, but administrative security is at least as important:

  • Technical security is typically divided into two parts: physical security and IT security. Physical security covers things like alarms, code locks on office doors, and safes to protect sensitive information stored on IT equipment or in paper format. IT security covers everything from VPN connections and antivirus to intrusion detection and backups.
  • Administrative security is about ensuring that appropriate policies, routines and instructions are in place that describe how information should be handled in the organisation, for example how employees should handle information, but also how to manage permissions to different IT systems.

Data breaches, investigations and enforcement actions: failed proof of consent, multi factor authentication, encryption

The Spanish data protection agency AEPD has fined Garlex Solutions, an energy supply consultancy, 15,000 euros for lacking a sufficient legal basis for data processing. The claimant received a phone call from the company with an offer to “renew” an electricity supply contract. She subsequently received an SMS with a link to an electricity supply contract with Aldro Energia in which her personal data appeared. The claimant stated that the data was obtained and processed without her consent. The company replied that the claimant was contacted with the objective of offering very good conditions for the supply of electricity by Aldro Energia, for which the company is a contracted marketer; the usual procedure is to explain the offer and, only if the person is interested and provides their data, send the link to a pre-contractual deal. The AEPD ruled against the company: as the burden of proof always lies with the data controller, and the company could not provide documentation proving that it had the claimant’s consent to use her personal data and send her a pre-contract, the processing lacked a legal basis. Even if the company obtained the claimant’s data, it did not obtain her consent for its processing and therefore violated Art. 6 of the GDPR.

Datatilsynet has notified the Storting, Norway’s parliamentary administration, of an approximately 200,000 euro fine for not implementing two-factor authentication, DataGuidance reports. In 2020, the Storting was exposed to data breaches, but it has since not implemented appropriate technical and organisational measures to achieve a sufficient level of security. The attackers had downloaded data, including personal information from email accounts, about elected representatives and the Storting’s employees, including bank and account information, dates of birth and health information. Possible consequences for those affected by the attack include identity misuse, payment card misuse and the use of the information for extortion. The Norwegian regulator believes that if two-factor authentication had been implemented at an earlier stage, the chance of a successful attack would have been considerably smaller. The Storting has three weeks to provide feedback with its views on the case; Datatilsynet will then assess the feedback and make a final decision.

The Swedish IMY issued administrative fines totalling 180,000 euros against the Uppsala Region after finding that the regional and hospital boards had not taken appropriate security measures when handling sensitive personal data. The IMY had received two reports of personal data incidents involving sensitive personal data sent without encryption to recipients inside and outside Sweden. This concerns emails with patient data that were sent automatically to the relevant healthcare administrations within the region and manually to researchers and doctors within the region, as well as the storage of patient data on the hospital’s email server. The investigations also show that the processing of personal data in both cases took place in violation of the region’s own guidelines, and indicate shortcomings in the organisational measures to protect the data against unauthorised access.

New York’s Attorney General announced a 600,000 dollar agreement with EyeMed Vision Care that resolves a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including tens of thousands in New York state. EyeMed experienced a data breach in which attackers gained access to an EyeMed email account containing sensitive customer information. The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information. The intrusion gave the attacker access to emails and attachments with sensitive customer information dating back six years prior to the attack. The attacker also sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients, seeking login credentials for their accounts. The investigation found that EyeMed had failed to implement:

  • multi-factor authentication for the affected email account (the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information);
  • adequate logging of its email accounts, which made it difficult to investigate security incidents.

Data security: DP Engineering

The EU Agency for Cybersecurity, ENISA, published its report on Data Protection Engineering. The document can be seen as part of data protection by design and by default. It aims to support the selection, deployment and configuration of appropriate technical and organisational measures in order to satisfy the specific data protection principles set out in Art. 5 of the GDPR. The guide helps with the selection of anonymisation and pseudonymisation schemes, data masking and privacy-preserving computation, access, storage, transparency, intervenability and user control tools, the connection with the DPIA, and privacy enhancing technologies. The report provides conclusions and recommendations for relevant stakeholders.

Big Tech: WhatsApp privacy policy, Google’s legal fails and victories, Big data & media sector

Consumer complaints have prompted the EU Commission to give WhatsApp until the end of February to clarify changes to its privacy policies; it is unclear whether the new rules infringe EU consumer protection laws. The complaint, spearheaded by the European Consumer Organisation (BEUC), adds that WhatsApp has been unfairly pressuring users to sign up to the new policies, which include sharing some data with Facebook and other companies under the Meta umbrella. When the privacy update was announced it was condemned worldwide, with some users abandoning the service for other platforms such as Telegram and Signal.

Plaintiffs struggling with California’s voluminous Invasion of Privacy Act in an attempt to bring a class action against Google have had their hopes definitively dashed: a federal judge has denied them any further route forward under another of the Act’s many articles. Two claims were dismissed, the judge notably ruling that a user’s disabling of Google’s tracking of their browsing activity via a button did not contractually oblige Google to stop, as the act of clicking did not unilaterally create a contract between Google and the user, even though, the judge noted, the consumer might assume it did. More details in the article by Jurist.org.

Meanwhile, Arizona just got hotter for Google: a judge has ruled in favour of the state’s Attorney General and will send a lawsuit to jury trial, according to Reuters. Lawyers for parent company Alphabet had tried to get the case, which focuses on allegations that Google deceived clients with misleading smartphone location tracking settings, thrown out of court. Four other state Attorneys General have launched similar lawsuits, building on the Arizona case, which was filed in 2020.

The UK Department for Digital, Culture, Media & Sport has also published an analytical report on how user data shapes the media sector. It appears that upstream providers of digital devices, several large tech companies among them, are able to exert control over how data can be shared, accessed and used by other organisations, including media businesses. Here are some examples from the report:

  • Currently, many media businesses rely on third party cookies to gather data on user behaviour beyond their own website/app.
  • Google’s announcements, (and subsequent delays), of their intention to restrict use of third party cookies via their services is of great concern to many media organisations. Google’s ‘Privacy Sandbox’ will likely end up driving more business in Google’s own direction. 
  • Social media and tech platforms host and distribute a huge amount of the content that press publishers produce. When this happens, these host/distributor platforms have access to first party user data. The publishers, unless the consumer is asked for additional consent, do not.
  • Some TV organisations felt that data about their shows and viewers was being ‘ringfenced’ by the companies who control the operating systems on TVs—the TV manufacturers and large tech firms. The companies, such as Amazon, Google or Apple, were perceived to have a huge amount of control both over what people see and what data is available to the other media providers whose content is watched on them. 
  • Smart speakers and third-party listening platforms were creating a barrier to data access by traditional radio groups, etc.

Read the full report here.

International Transfers of Personal Data after the Schrems II ruling
https://techgdpr.com/blog/international-transfers-personal-data-schrems-ii-ruling/
Thu, 06 Aug 2020 12:55:26 +0000

The post International Transfers of Personal Data after the Schrems II ruling appeared first on TechGDPR.

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling on the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner, the United States, but turned out to have implications for all countries outside of the European Economic Area (EEA).

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is well known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border.

The European Commission has produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners; the requirement for companies in this group was to self-certify and join the so-called EU-US Privacy Shield. Until recently, more than 5,000 organisations used the scheme, including Amazon, Facebook and Google.

With its judgment, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling affected another mechanism, Standard Contractual Clauses (SCCs), which were used in 88% of international transfers, warning that SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all relationships with companies that imply transfers of personal data outside of the European Union. Acknowledge that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR or payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most of this information can be gathered from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The mechanisms currently used by companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46(3)(a) GDPR), Binding Corporate Rules (Art. 47 GDPR) or derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the United States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance / data collection from them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of the individuals concerned (data subjects), such as the right to be informed and the rights of access, rectification and erasure, upon request.

The restrictions above will be difficult to overcome with the available EU privacy safeguards, as the CJEU judgment confirmed. This is exactly the case with transfers to the United States: under Section 702 of FISA (50 U.S.C. § 1881a), all “electronic communication service providers”, meaning providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data that they store about foreigners with US national enforcement agencies. As a result, it is considered that SCCs cannot be used for transfers of data to these types of providers at all.

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies can be prohibited by statute from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check the national enforcement and judicial practice on data protection in their country. Best practice, however, is to regard companies that claim they cannot disclose that information as being under such a statutory obligation, and to interpret that answer as an indication that they are likely subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring a whole database, as it may prove impractical to collect consent from all concerned users.

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on US territory (or in another third country). The mere convenience of transferring the data to the US cannot be regarded as “necessity”, nor can the cost of the offered solution be a determining factor on its own.

Finally, as a temporary measure, a company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for companies that need time to re-architect their processing activities following the CJEU judgment. A transfer based on legitimate interests must not be repetitive, must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two further conditions apply when relying on this derogation: the need to inform your supervisory authority and the data subjects about the transfers. Thus, legitimate interests may be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the US or to EU subsidiaries of those companies. In such cases, a strong decision is needed: restructure your data processing and stop transfers of personal data outside of the EU. Only local EU service providers would then be used, particularly those not under a legal or contractual obligation to transfer data back to the US or to allow access to other entities.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular from the EDPB and the EU Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the first two years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow personal data to be transferred outside of the EEA more easily. This is much-awaited work, considering that the current SCCs date back to before the GDPR and are thus not fully in line with its provisions.

In the meantime, the companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to shore up the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, their choice ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.
