Data Protection, Privacy and Technology
Last year was another busy year in the data protection, privacy and technology sector. Over the course of the last 12 months, we have seen a number of important data protection developments at EU and national level, including:
- the European Commission’s adoption of the highly anticipated Standard Contractual Clauses (“SCCs”) for international data transfers;
- Guidelines by the Data Protection Commission (“DPC”) on data processing in the workplace in the context of preventing the spread of Covid-19; and
- a record GDPR fine imposed for a company’s failure to provide the necessary transparency information in a privacy notice.
The European Data Protection Board (“EDPB”) has also published a number of helpful Guidelines, which provide some welcome clarity on a number of issues including, what constitutes a “transfer” of data under the GDPR; recommendations on measures to supplement transfer tools; the concepts of controller and processor; the scope of the right of access under Article 15 of the GDPR, and data breach notification.
Key Themes in Data Protection and Technology
A number of important pieces of legislation are also coming down the track at EU and national level, which demonstrate that the GDPR does not resolve all data issues.
On the EU front, as part of its Digital Single Market strategy, the European Commission has proposed the Digital Services Act, Digital Markets Act, Artificial Intelligence Act, Data Act and Data Governance Act. The proposals aim to facilitate the further use and sharing of data between more public and private parties inside the data economy, to support the use of specific technologies such as Big Data and AI, and to regulate online platforms and gatekeepers.
The ePrivacy Regulation, and the NIS2 Directive are also amongst the legislative developments that we will be monitoring closely. This digital framework will be coupled with the GDPR and will grow alongside it, affecting privacy and data protection in unprecedented ways.
The Irish government has also recently published the long anticipated Online Safety and Media Regulation Bill 2022, after three years of engagement with stakeholders, including members of the public, companies, NGOs, and other government organisations. The bill has been described as marking “a watershed moment as we move from self-regulation to an era of accountability in online safety”.
In addition, the government has announced the imminent publication of the Consumer Rights Bill, which has been hailed as representing “the biggest overhaul of consumer rights law in 40 years”.
New SCCs for International Transfers were adopted by the European Commission in June 2021. The SCCs require companies to remove the old SCCs and insert the new SCCs into all legacy contracts by 27 December 2022.
In addition, prior to executing the new SCCs, companies will have to carry out and document a transfer impact assessment, and consider whether supplementary measures need to be adopted in order to ensure the transferred data is afforded an adequate level of data protection. This will be a burdensome exercise for many companies, particularly those transferring massive amounts of data globally.
A new data transfer tool, in the form of a further set of SCCs, is expected in 2022.
The European Commission intends to develop these SCCs to facilitate transfers of data to importers that are already subject to the GDPR by virtue of Article 3(2) of the GDPR. The EDPB has stated that this further set of SCCs are needed due to the fact that less protection is required when transferring data to an importer that is already subject to the GDPR, and in order not to duplicate its direct GDPR obligations.
The DPC imposed a record €225 million fine on a technology company last year for failure to discharge its transparency obligations under the GDPR, in regard to the content of its privacy notice. The decision, which is subject to appeal before the Irish Courts and an annulment action before the European Court of Justice, has implications for all organisations.
It sets out the DPC’s high expectations in respect of the information that must be provided in privacy notices, and how it should be presented. The standard set out in the decision arguably goes beyond that of most privacy notices. We will likely see further regulatory scrutiny and debate about the required content of organisations’ privacy notices in the year ahead.
The largest category of complaints from data subjects to the DPC continues to concern data subject access requests (“DSARs”). In its Annual Report for 2021, the DPC has warned that it intends to increase enforcement in this area and target non-responses and inadequate responses from controllers in respect to DSARs in the year ahead.
The EDPB recently published draft guidelines on DSARs, which discuss the scope of the right of access under Article 15 of the GDPR; how to provide access; general issues controllers should consider when assessing a DSAR; along with restrictions to the right of access. Interestingly, in the EDPB’s view, no proportionality test applies when considering the right of access against the efforts the controller has to take to comply with a DSAR. The draft guidelines also state that “the fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject will not on its own render a request ‘excessive’”, and will not permit the controller to refuse to act on the request pursuant to Article 12(5) of the
The Consumer Rights Bill 2022 will transpose EU Directives 770/2019 and 771/2019, on consumer contracts for the supply of digital content and digital services, and for the sale of goods, respectively.
It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The Bill is due to be published shortly by the Irish government.
The Online Safety and Media Regulation Bill 2022 will establish a new regulator, a multi-person Media Commission, to which an Online Safety Commissioner will be appointed. The Media Commission will replace the Broadcasting Authority of Ireland. It will be responsible for overseeing updated regulations for broadcasting and video on-demand services, and the new regulatory framework for online safety created by the bill.
The bill will also transpose the revised Audiovisual Media Services Directive into Irish law. The bill was published on 12 January 2022, and will now make its way through all stages in the Oireachtas.
The Digital Services Act (“DSA”) focuses on creating a safer digital space in which the fundamental rights of all users of digital services are protected. Among the core concerns tackled by the DSA are the trade and exchange of illegal goods, online services and content, and algorithmic systems amplifying the spread of disinformation. The European Parliament passed its position on the Digital Services Act on 20 January, allowing for negotiations with EU countries to start.
The Digital Markets Act (“DMA”) aims to establish a level playing field both in the European Single market and globally. It will create harmonised rules defining and prohibiting certain unfair practices by “gatekeeper” platforms (providers of core platform services). The European Commission will have new powers to carry out market investigations, and update the obligations for gatekeepers when necessary.
The European Parliament debated its position on the Digital Markets Act on 14 December 2021 and adopted it the following day. Negotiations with the EU governments started in January 2022.
The Artificial Intelligence ("AI") Act aims to address the development and adoption of safe AI across the EU while respecting the fundamental rights of EU citizens. Like the GDPR, the AI Act takes a risk-based approach.
It categorises all AI into:
- unacceptable risk – activities which are prohibited (e.g. social scoring);
- high-risk activities – which are only permitted subject to compliance with mandatory requirements and a conformity assessment (e.g. AI systems used for recruitment purposes or evaluating creditworthiness);
- limited risk (e.g. chatbots) – where users must be informed that they are interacting with a machine; and
- minimal risk (e.g. spam filters) – where free use of AI is allowed.
The proposed AI Act is still at the early stages of the European legislative process.
The Data Act covers both personal and non-personal data. It will govern who can use and access what data for which purposes across all economic sectors in the EU. The Act aims to unlock the value of data generated, for example, by connected objects in Europe, one of the key areas for innovation in the coming decade. It will clarify who can create value from such data and under what conditions.
The Data Governance Act ("DGA") also applies to both personal and non-personal data. It establishes a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). The DGA is designed to break down barriers to data sharing.
There are four pillars to the DGA:
- the re-use of sensitive public sector data;
- establishing a framework for new data intermediaries;
- corporate and individual data altruism; and
- fostering coordination and interoperability through the European Data Innovation Board.
The revised Network and Information Security Directive ("NIS2") will strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU to address the growing threats posed by digitalisation and the surge in cyber-attacks.
The proposed expansion of the NIS2 scope will effectively oblige more entities and sectors to comply with cybersecurity requirements.
"The standard set out in the decision goes significantly beyond that of most privacy notices"
Davinia Brennan, Technology and Innovation Partner, Matheson, commenting on the record fine imposed on a technology company by the DPC in 2021.
GDPR and Data Subject Reporting Obligations - Why, When and How?
Data controllers are familiar with their legal obligation to report a personal data breach to the Data Protection Commission ("DPC") when Article 33, GDPR is triggered and where necessary, to notify affected data subjects when Article 34 is triggered.
In this article, Deirdre Crowley, a partner in Matheson’s Data Protection, Privacy and Cyber Security Team considers the key issues to bear in mind when carrying out a risk assessment with a view to establishing what notifications, if any, are required in a personal data breach scenario.
What are the Circumstances in which a Controller must Notify a Breach to the DPC?
Article 33 (1) of the General Data Protection Regulation 2016/679 (“GDPR”), and Section 86 of the Data Protection Act 2018 (“DPA”) require data controllers to notify the Data Protection Commission (“DPC”) of personal data breaches in certain circumstances. To recap, a personal data breach occurs where personal data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation’s obligation to keep personal data in its possession safe and secure.
A controller must notify the DPC when a personal data breach occurs, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When Should the DPC be Notified?
Time is of the essence and controllers must notify the DPC, without undue delay and, where feasible, no later than 72 hours after becoming aware of a data breach. Where the notification to the DPC is not made within 72 hours, a controller must explain the reasons for the delay in writing when notifying the breach out of time.
The DPC is generally taking a strict approach to notification as soon as possible (without undue delay) and certainly within 72 hours of becoming aware of a breach.
In our view, only genuine and exceptional circumstances will justify reporting out of time. While there is no statutory definition or case law guidance as to what might constitute an acceptable circumstance justifying late notification of a data breach, it is clear from the recent Twitter decision, in which Twitter was fined €450,000, that late notification will be difficult to justify and that the bar is very high.
Even where a breach is not notifiable in a controller’s opinion, there is an obligation to document the facts of the breach, its effects and the remedial action taken (Article 33(5), GDPR). In December 2021, the European Data Protection Board published useful examples of how to approach risk assessments in various data breach scenarios, and we recommend that these guidelines ("the Guidelines") are consulted for all risk assessments in relation to personal data breach scenarios. Notably, the Guidelines note that if a controller self-assesses the risk to be unlikely, but the risk nonetheless materialises, the competent supervisory authority ("SA") can use its corrective powers and may impose sanctions.
How do I Determine if a Breach is Reportable to the DPC or Not?
The risk assessment to determine whether a breach is reportable or not can be distilled, at a very high level, into two key steps:
- Is the personal data breach likely to present a risk to the privacy of the data subject(s)? A data breach is not reportable if it is unlikely to result in a risk to the rights and freedoms of the data subject. Recital 75 of the GDPR and helpful guidance from the DPC are instructive when assessing the types of risk controllers should take account of. The default position for controllers is that all data breaches are reportable unless they are unlikely to result in a risk to the rights and freedoms of natural persons (meaning data subjects).
- Identify the extent of the breach, the effects of the breach, and any remedial steps taken.
Overview of the Key Risk Indicators in a Data Breach Risk Assessment:
- Confirmation of the type and nature of the personal data, including whether sensitive personal data has been breached;
- The circumstances of the personal data breach – is it limited to the Irish jurisdiction or is it a cross border issue?;
- Whether an uncorrupted, secure backup of the data exists and whether the data is rendered unintelligible to unauthorised third parties by reason of state of the art security measures implemented – check whether two-factor authentication, encryption, pseudonymisation or other security measures are in place;
- The ease of direct or indirect identification of data subjects;
- The likelihood of the reversal of pseudonymisation or loss of confidentiality;
- The likelihood of identity fraud or similar misuse of the personal data occurring;
- Whether the personal data could be, or are likely to be, used maliciously;
- The likelihood that the breach could result in, and the severity of, physical, material, or non-material damage to data subjects; and
- Whether the breach could result in discrimination, damage to reputation, or harm to data subjects’ other fundamental rights.
What Information Must I Provide to the DPC When Notifying a Data Breach?
The DPC recently published a new data breach notification form that sets out in some detail the information to be provided, in addition to the information required to be submitted in line with Article 33, GDPR. Where not all information is available but it is clear that a security incident is notifiable, it is possible to furnish further information to the DPC in phases without undue delay (Article 33(4), GDPR).
Key changes of note include the abolition of the separate cross-border notification form and the streamlining of both domestic and cross-border notifications into one form. The DPC’s request for specific information in the new form is more granular and is designed to avoid follow-up queries from the DPC where possible.
Examples of Likely Risk Factors that would Trigger a Notification to a Data Subject
- Identity theft or fraud;
- Financial loss;
- Unauthorised reversal of pseudonymisation;
- Damage to reputation;
- Loss of confidentiality of personal data protected by professional secrecy; or
- Any other significant economic or social disadvantage to the natural person concerned that limits their data subject rights.
For further guidance on “likely to result in a high risk” processing operations, see Article 29 Working Party Guidelines dealing with how to assess risk in the context of preparing a Data Protection Impact Assessment (DPIA).
What Minimum Information must be in a Notification to a Data Subject?
- The name and contact details of the data protection officer, or other relevant contact point;
- The likely consequences of the personal data breach; and
- The measures taken, or proposed to be taken, by the controller to address the personal data breach including, where appropriate, measures the data subject may need to take to mitigate any potential adverse effects (Article 34(2), GDPR).
What are the Circumstances in which a Controller is Not Required to Report a Breach to a Data Subject?
- The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- Notification to data subjects would involve disproportionate effort. In this scenario, a controller is obliged to issue a public communication or similar measure whereby the data subjects are informed in an equally effective manner (Article 34(3)(a)–(c) of the GDPR), and may be required to explain to the DPC why individual notification would have been a disproportionate burden.
We recommend that organisations conduct frequent data breach simulations to road-test the organisation’s ability to meet its very clear notification obligations on time.
Having up to date Article 30 records, accurate data mapping and state of the art security will mean that a controller is well placed to meet the challenges of a personal data security incident.
The recent December 2021 EDPB Guidelines note the importance of having a “Handbook on handling Personal Data Breach” such that a controller is aware of each facet of processing at each major stage of a data processing operation. The Guidelines note that having a handbook of this kind will provide a quick source of information to controllers to best position them to mitigate risk and deal with reporting obligations without undue delay.
Having advised on multiple serious personal data security breaches, we applaud the EDPB’s practical observations in this regard and confirm the very real benefit for controllers in data breach scenarios, including in cyber security related breaches, in having up to date and accurate data protection compliance documentation.
For further assistance in relation to any issues raised in this article, please do not hesitate to contact Deirdre Crowley or any member of Matheson’s Data Protection, Privacy and Cyber Security Team.