
Data Protection, Privacy and Technology

Last year was another busy year in the data protection, privacy and technology sector. Over the course of the last 12 months, we have seen a number of important data protection developments at EU and national level, including: 

  • the European Commission’s adoption of the highly anticipated Standard Contractual Clauses (“SCCs”) for international data transfers; 
  • Guidelines by the Data Protection Commission (“DPC”) on data processing in the workplace in the context of preventing the spread of Covid-19; and 
  • a record GDPR fine imposed for a company’s failure to provide the necessary transparency information in a privacy notice. 

The European Data Protection Board (“EDPB”) has also published a number of helpful Guidelines, which provide some welcome clarity on a number of issues, including what constitutes a “transfer” of data under the GDPR; recommendations on measures to supplement transfer tools; the concepts of controller and processor; the scope of the right of access under Article 15 of the GDPR; and data breach notification.

Key Themes in Data Protection and Technology

It is apparent that the GDPR does not resolve all data issues

A number of important pieces of legislation are also coming down the track at EU and national level, which demonstrate that the GDPR does not resolve all data issues. 

On the EU front, as part of its Digital Single Market strategy, the European Commission has proposed the Digital Services Act, Digital Markets Act, Artificial Intelligence Act, Data Act and Data Governance Act. The proposals aim to facilitate the further use and sharing of data between more public and private parties inside the data economy, to support the use of specific technologies such as Big Data and AI, and to regulate online platforms and gatekeepers.

The ePrivacy Regulation and the NIS2 Directive are also amongst the legislative developments that we will be monitoring closely. This digital framework will be coupled with the GDPR and will grow alongside it, affecting privacy and data protection in unprecedented ways.

The Irish government has also recently published the long anticipated Online Safety and Media Regulation Bill 2022, after three years of engagement with stakeholders, including members of the public, companies, NGOs, and other government organisations. The bill has been described as marking “a watershed moment as we move from self-regulation to an era of accountability in online safety”.   

In addition, the government has announced the imminent publication of the Consumer Rights Bill, which has been hailed as representing “the biggest overhaul of consumer rights law in 40 years”.

What key data protection compliance challenges lie ahead in 2022?

New SCCs for International Transfers were adopted by the European Commission in June 2021. The SCCs require companies to remove the old SCCs and insert the new SCCs into all legacy contracts by 27 December 2022.

In addition, prior to executing the new SCCs, companies will have to carry out and document a transfer impact assessment, and consider whether supplementary measures need to be adopted in order to ensure the transferred data is afforded an adequate level of data protection. This will be a burdensome exercise for many companies, particularly those transferring massive amounts of data globally.

A new data transfer tool, in the form of a further set of SCCs, is expected in 2022.

The European Commission intends to develop these SCCs to facilitate transfers of data to importers that are already subject to the GDPR by virtue of Article 3(2) of the GDPR. The EDPB has stated that this further set of SCCs are needed due to the fact that less protection is required when transferring data to an importer that is already subject to the GDPR, and in order not to duplicate its direct GDPR obligations.

The DPC imposed a record €225 million fine on a technology company last year for failure to discharge its transparency obligations under the GDPR, in regard to the content of its privacy notice. The decision, which is subject to appeal before the Irish Courts and an annulment action before the European Court of Justice, has implications for all organisations.

It sets out the DPC’s high expectations in respect of the information that must be provided in privacy notices, and how it should be presented. The standard set out in the decision arguably goes beyond that of most privacy notices. We will likely see further regulatory scrutiny and debate about the required content of organisations’ privacy notices in the year ahead.

The largest category of complaints from data subjects to the DPC continues to concern data subject access requests (“DSARs”). In its Annual Report for 2021, the DPC has warned that it intends to increase enforcement in this area and target non-responses and inadequate responses from controllers in respect of DSARs in the year ahead.

The EDPB recently published draft guidelines on DSARs, which discuss the scope of the right of access under Article 15 of the GDPR; how to provide access; general issues controllers should consider when assessing a DSAR; along with restrictions to the right of access. Interestingly, in the EDPB’s view, no proportionality test applies when considering the right of access against the efforts the controller has to take to comply with a DSAR. The draft guidelines also state that “the fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject will not on its own render a request ‘excessive’”, and will not permit the controller to refuse to act on the request pursuant to Article 12(5) of the GDPR.


From the Consumer Rights Bill to the A.I. Act, what’s on the Irish and EU’s digital agenda? 

The Consumer Rights Bill 2022 will transpose EU Directives 770/2019 and 771/2019, on consumer contracts for the supply of digital content and digital services, and for the sale of goods, respectively. 

It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The Bill is due to be published shortly by the Irish government.

The Online Safety and Media Regulation Bill 2022 will establish a new regulator, a multi-person Media Commission, to which an Online Safety Commissioner will be appointed. The Media Commission will replace the Broadcasting Authority of Ireland. It will be responsible for overseeing updated regulations for broadcasting and video on-demand services, and the new regulatory framework for online safety created by the bill.

The bill will also transpose the revised Audiovisual Media Services Directive into Irish law. The bill was published on 12 January 2022, and will now make its way through all stages in the Oireachtas. 

The Digital Services Act (“DSA”) focuses on creating a safer digital space in which the fundamental rights of all users of digital services are protected. Among the core concerns tackled by the DSA are the trade and exchange of illegal goods, online services and content, and algorithmic systems amplifying the spread of disinformation. The European Parliament passed its position on the Digital Services Act on 20 January, allowing for negotiations with EU countries to start.

The Digital Markets Act (“DMA”) aims to establish a level playing field both in the European Single market and globally. It will create harmonised rules defining and prohibiting certain unfair practices by “gatekeeper” platforms (providers of core platform services). The European Commission will have new powers to carry out market investigations, and update the obligations for gatekeepers when necessary.

The European Parliament debated its position on the Digital Markets Act on 14 December 2021 and adopted it the following day. Negotiations with the EU governments started in January 2022.

The Artificial Intelligence (“AI”) Act aims to address the development and adoption of safe AI across the EU while respecting the fundamental rights of EU citizens. Like the GDPR, the AI Act takes a risk-based approach.

It categorises all AI into:

  1. unacceptable risk – activities which are prohibited (e.g. social scoring);
  2. high-risk activities – which are only permitted subject to compliance with mandatory requirements and a conformity assessment (e.g. AI systems used for recruitment purposes or evaluating creditworthiness);
  3. limited risk (e.g. chatbots) – where users must be informed that they are interacting with a machine; and
  4. minimal risk (e.g. spam filters) – where free use of AI is allowed.

The proposed AI Act is still at the early stages of the European legislative process.

The Data Act covers both personal and non-personal data. It will govern who can use and access what data for which purposes across all economic sectors in the EU. The Act aims to unlock the value of data generated, for example, by connected objects in Europe, one of the key areas for innovation in the coming decade. It will clarify who can create value from such data and under what conditions.

The Data Governance Act (“DGA”) also applies to both personal and non-personal data. It establishes a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). The DGA is designed to break down barriers to data sharing.

There are four pillars to the DGA:

  1. the re-use of sensitive public sector data; 
  2. establishing a framework for new data intermediaries;
  3. corporate and individual data altruism; and
  4. fostering coordination and interoperability through the European Data Innovation Board.

The e-Privacy Regulation is still being negotiated at EU level. When it comes into force, it will, in particular, have an impact on organisations’ electronic marketing practices and use of cookies.

The revised Network and Information Security Directive (“NIS2”) will strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU, to address the growing threats posed by digitalisation and the surge in cyber-attacks.

The proposed expansion of the NIS2 scope will effectively oblige more entities and sectors to comply with cybersecurity requirements.

"The standard set out in the decision goes significantly beyond that of most privacy notices"

Davinia Brennan, Technology and Innovation Partner, Matheson, commenting on the record fine imposed on a technology company by the DPC in 2021.

New Data Transfer Tool – Further complexity ahead for international data transfers?

Jan 7, 2022

In the post-Schrems II era, legitimising international data transfers can be a burdensome and uncertain exercise. As we embark on 2022, it continues to be one step forward and two steps back in the area of international data transfers.

A Step Forward

In a positive move, in late 2021, the European Data Protection Board (“EDPB”) adopted draft guidelines 05/2021 (“the draft guidelines”) on the interplay between data transfers and the scope of the General Data Protection Regulation (“GDPR”), which provide welcome clarification on what constitutes a “transfer” of personal data to a third country or to an international organisation under Chapter V of the GDPR.

Two Steps Back

On the other hand, the European Commission and EDPB also created a new complexity for businesses, by stating that a new data transfer tool needs to be developed to legitimise transfers of data to non-EEA data importers that are already subject to the GDPR (pursuant to Article 3(2) because they offer goods or services to or monitor the behaviour of EU individuals).

In this article, Matheson’s Technology and Innovation partner Davinia Brennan outlines the effect of these developments on data transfers. 

One Step Forward – Clarification on what Constitutes a Data “Transfer”

The EDPB, in its draft guidelines, proposes the following three-part definition of what constitutes a “transfer” of personal data under the GDPR:
 
1. The controller or processor (“exporter”) is subject to the GDPR for the given processing (regardless of whether it is located in the EU or not).
 
2. The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
 
3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

When the three criteria listed above are met, the data flow is considered a “transfer” under the GDPR, and the controller or processor will need to comply with the conditions of Chapter V of the GDPR. This means ensuring an appropriate level of protection is guaranteed in the third country of destination (e.g. through an adequacy decision in respect of the third country, or a transfer tool such as the Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”), or Article 49 derogations in specific situations).

Situations that will not require SCCs

With regard to the second criterion, the EDPB notes that a transfer tool is not needed when an EU individual discloses personal data directly and on their own initiative to an entity based outside the EEA, as there is no controller or processor sending or making the data available (i.e. no exporter).

The EDPB also highlights that the concept of a transfer only applies to disclosures of personal data between two different (separate) parties (each of whom is a controller, joint controller or processor). The EDPB provides an example of a Polish employee travelling to India for a business meeting. The employee uses his computer to remotely access personal data on his company’s database to finish a memo. This remote access from a third country does not constitute a “transfer” of personal data, as the employee is not another controller, but rather an employee of the controller.

On the other hand, data disclosures between entities belonging to the same corporate group may constitute transfers of personal data, to the extent they are separate controllers or processors.

Why was Clarity Needed?

As the GDPR does not provide a legal definition of what constitutes a “transfer” of personal data to a third country or international organisation, EU and/or national regulatory guidance on this issue has been eagerly awaited. Confusion has reigned, in particular, in regard to the interplay between the extraterritorial scope of the GDPR in Article 3, and the transfer rules in Chapter V of the GDPR. The key question has been whether a transfer tool is required when personal data is transferred to an importer located outside the physical territory of the EEA or if a transfer tool is only required if the importer falls outside the jurisdictional scope of the GDPR.

This confusion was exacerbated by Recital 7 of the new SCCs, which were adopted by the European Commission on 27 June 2021. That recital states that the SCCs should not be used for transfers of personal data to non-EEA importers who are already subject to the GDPR pursuant to Article 3(2). The inclusion of this recital implied that a transfer tool might only be required if the importer falls outside the jurisdictional scope of the GDPR.

However, the draft guidelines helpfully clarify that a “transfer” of data occurs when personal data moves from an organisation subject to the GDPR to a separate organisation outside the physical territory of the EEA. Accordingly, the need for compliance with the transfer rules in Chapter V of the GDPR is a territory-based, rather than jurisdiction-based, issue.

This ultimately means that the disclosure of personal data to a non-EEA importer, to whom the GDPR is applicable on an extraterritorial basis pursuant to Article 3(2), should be regarded as a “transfer” of data, and comply with the data transfer rules in Chapter V of the GDPR.

Two Steps Back – the Development of a New Transfer Tool

As highlighted above, the new SCCs are not suitable for use when an exporter is transferring data to a non-EEA importer that is already subject to the GDPR pursuant to Article 3(2). In the EDPB’s view, a new transfer tool needs to be developed for such transfers, as less protection is needed if the non-EEA importer is already subject to the GDPR, and in order not to duplicate the GDPR obligations to which the importer is already subject. The EDPB suggests that the new transfer tool should, for example, address the measures to be taken in the event of a conflict of laws between third country legislation and the GDPR, and in the event of legally binding requests in the third country for disclosure of data.

The European Commission has confirmed that it intends to develop a new transfer tool – in the form of a new set of SCCs – specifically for transfers to non-EEA importers subject to Article 3(2) of the GDPR. However, there is no indication as to when the new SCCs will be finalised. In the interim, companies should exercise caution in regard to such transfers and ensure appropriate safeguards are in place.

The consultation period for the draft guidelines closes on 31 January 2022. The Matheson Technology and Innovation team will be actively keeping abreast of developments as the consultation process progresses. If you would like to discuss this, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact Davinia Brennan, or any other member of the Technology and Innovation Group.
