Data Protection, Privacy and Technology
Last year was another busy year in the data protection, privacy and technology sector. Over the course of the last 12 months, we have seen a number of important data protection developments at EU and national level, including:
- the European Commission’s adoption of the highly anticipated Standard Contractual Clauses (“SCCs”) for international data transfers;
- Guidelines by the Data Protection Commission (“DPC”) on data processing in the workplace in the context of preventing the spread of Covid-19; and
- a record GDPR fine imposed for a company’s failure to provide the necessary transparency information in a privacy notice.
The European Data Protection Board (“EDPB”) has also published a number of helpful Guidelines, which provide some welcome clarity on a number of issues, including what constitutes a “transfer” of data under the GDPR; recommendations on measures to supplement transfer tools; the concepts of controller and processor; the scope of the right of access under Article 15 of the GDPR; and data breach notification.
Key Themes in Data Protection and Technology
A number of important pieces of legislation are also coming down the track at EU and national level, which demonstrate that the GDPR does not resolve all data issues.
On the EU front, as part of its Digital Single Market strategy, the European Commission has proposed the Digital Services Act, Digital Markets Act, Artificial Intelligence Act, Data Act and Data Governance Act. The proposals aim to facilitate the further use and sharing of data between more public and private parties inside the data economy, to support the use of specific technologies such as Big Data and AI, and to regulate online platforms and gatekeepers.
The ePrivacy Regulation, and the NIS2 Directive are also amongst the legislative developments that we will be monitoring closely. This digital framework will be coupled with the GDPR and will grow alongside it, affecting privacy and data protection in unprecedented ways.
The Irish government has also recently published the long anticipated Online Safety and Media Regulation Bill 2022, after three years of engagement with stakeholders, including members of the public, companies, NGOs, and other government organisations. The bill has been described as marking “a watershed moment as we move from self-regulation to an era of accountability in online safety”.
In addition, the government has announced the imminent publication of the Consumer Rights Bill, which has been hailed as representing “the biggest overhaul of consumer rights law in 40 years”.
New SCCs for International Transfers were adopted by the European Commission in June 2021. The SCCs require companies to remove the old SCCs and insert the new SCCs into all legacy contracts by 27 December 2022.
In addition, prior to executing the new SCCs, companies will have to carry out and document a transfer impact assessment, and consider whether supplementary measures need to be adopted in order to ensure the transferred data is afforded an adequate level of data protection. This will be a burdensome exercise for many companies, particularly those transferring massive amounts of data globally.
A new data transfer tool, in the form of a further set of SCCs, is expected in 2022.
The European Commission intends to develop these SCCs to facilitate transfers of data to importers that are already subject to the GDPR by virtue of Article 3(2) of the GDPR. The EDPB has stated that this further set of SCCs is needed because less protection is required when transferring data to an importer that is already subject to the GDPR, and in order not to duplicate its direct GDPR obligations.
The DPC imposed a record €225 million fine on a technology company last year for failure to discharge its transparency obligations under the GDPR, in regard to the content of its privacy notice. The decision, which is subject to appeal before the Irish Courts and an annulment action before the European Court of Justice, has implications for all organisations.
It sets out the DPC’s high expectations in respect of the information that must be provided in privacy notices, and how it should be presented. The standard set out in the decision arguably goes beyond that of most privacy notices. We will likely see further regulatory scrutiny and debate about the required content of organisations’ privacy notices in the year ahead.
The largest category of complaints from data subjects to the DPC continues to concern data subject access requests (“DSARs”). In its Annual Report for 2021, the DPC has warned that it intends to increase enforcement in this area and target non-responses and inadequate responses from controllers in respect of DSARs in the year ahead.
The EDPB recently published draft guidelines on DSARs, which discuss the scope of the right of access under Article 15 of the GDPR; how to provide access; general issues controllers should consider when assessing a DSAR; along with restrictions to the right of access. Interestingly, in the EDPB’s view, no proportionality test applies when considering the right of access against the efforts the controller has to take to comply with a DSAR. The draft guidelines also state that “the fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject will not on its own render a request ‘excessive’”, and will not permit the controller to refuse to act on the request pursuant to Article 12(5) of the
The Consumer Rights Bill 2022 will transpose EU Directives 770/2019 and 771/2019, on consumer contracts for the supply of digital content and digital services, and for the sale of goods, respectively.
It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The Bill is due to be published shortly by the Irish government.
The Online Safety and Media Regulation Bill 2022 will establish a new regulator, a multi-person Media Commission, to which an Online Safety Commissioner will be appointed. The Media Commission will replace the Broadcasting Authority of Ireland. It will be responsible for overseeing updated regulations for broadcasting and video on-demand services, and the new regulatory framework for online safety created by the bill.
The bill will also transpose the revised Audiovisual Media Services Directive into Irish law. The bill was published on 12 January 2022, and will now make its way through all stages in the Oireachtas.
The Digital Services Act (“DSA”) focuses on creating a safer digital space in which the fundamental rights of all users of digital services are protected. Among the core concerns tackled by the DSA are the trade and exchange of illegal goods, online services and content, and algorithmic systems amplifying the spread of disinformation. The European Parliament passed its position on the Digital Services Act on 20 January, allowing for negotiations with EU countries to start.
The Digital Markets Act (“DMA”) aims to establish a level playing field both in the European Single market and globally. It will create harmonised rules defining and prohibiting certain unfair practices by “gatekeeper” platforms (providers of core platform services). The European Commission will have new powers to carry out market investigations, and update the obligations for gatekeepers when necessary.
The European Parliament debated its position on the Digital Markets Act on 14 December 2021 and adopted it the following day. Negotiations with the EU governments started in January 2022.
The Artificial Intelligence ("AI") Act aims to address the development and adoption of safe AI across the EU while respecting the fundamental rights of EU citizens. Like the GDPR, the AI Act takes a risk-based approach.
It categorises all AI into:
- unacceptable risk – activities which are prohibited (e.g. social scoring);
- high risk – activities which are only permitted subject to compliance with mandatory requirements and a conformity assessment (e.g. AI systems used for recruitment purposes or evaluating creditworthiness);
- limited risk (e.g. chatbots) – where users must be informed that they are interacting with a machine; and
- minimal risk (e.g. spam filters) – where free use of AI is allowed.
The proposed AI Act is still at the early stages of the European legislative process.
The Data Act covers both personal and non-personal data. It will govern who can use and access what data for which purposes across all economic sectors in the EU. The Act aims to unlock the value of data generated, for example, by connected objects in Europe, one of the key areas for innovation in the coming decade. It will clarify who can create value from such data and under what conditions.
The Data Governance Act ("DGA") also applies to both personal and non-personal data. It establishes a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). The DGA is designed to break down barriers to data sharing.
There are four pillars to the DGA:
- the re-use of sensitive public sector data;
- establishing a framework for new data intermediaries;
- corporate and individual data altruism; and
- fostering coordination and interoperability through the European Data Innovation Board.
The revised Network and Information Security Directive ("NIS2") will strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU to address the growing threats posed by digitalisation and the surge in cyber-attacks.
The proposed expansion of the NIS2 scope will effectively oblige more entities and sectors to comply with cybersecurity requirements.
"The standard set out in the decision goes significantly beyond that of most privacy notices"
Davinia Brennan, Technology and Innovation Partner, Matheson, commenting on the record fine imposed on a technology company by the DPC in 2021.
Top 5 Data Protection Compliance Challenges for 2022
Now that 2021 has come to a close, what data protection developments and compliance challenges lie ahead in 2022, and what are the Irish Data Protection Commission’s (“DPC”) key enforcement and regulatory priorities?
In 2022, organisations will undoubtedly continue to wrestle with a number of key data protection issues including:
- legitimising data transfers;
- processing Covid-19 vaccination data in the workplace;
- drafting data privacy notices;
- verifying the identity of data subjects when exercising their GDPR rights; and
- legitimising data sharing between public bodies.
In this article we look at these 5 data protection issues, and the DPC’s enforcement and regulatory priorities for the year ahead.
1. Repapering the SCCs
Repapering the old Standard Contractual Clauses (“SCCs”), and carrying out Transfer Impact Assessments, will continue to be priority GDPR compliance tasks for businesses in the coming year.
In June 2021, the European Commission adopted new EU Standard Contractual Clauses for transfers of personal data to third countries. The new SCCs were widely welcomed to the extent that they take into account the Schrems II decision, and incorporate the obligatory contractual rights and obligations of controllers and processors under Article 28(3) and (4) of the GDPR. The SCCs also cater for four different transfer scenarios including, for the first time, processor to processor transfers, and processor to controller transfers.
Whilst the old SCCs were repealed on 27 September 2021, organisations have a grace period until 27 December 2022, to amend contracts executed pre-27 September 2021, in order to remove the old SCCs and insert the new SCCs. Although this deadline is 11 months away, it would be prudent for organisations to start taking steps now to review their data flows and identify which data transfer contracts need to be updated. Repapering legacy contracts will inevitably be a time-consuming exercise for many organisations, as it will entail more than simply swapping out the old clauses for the new clauses.
The new SCCs impose some onerous obligations on data exporters and importers, and complying with them will present formidable challenges for many organisations. For example, the new SCCs (clause 14) require the parties to conduct an assessment of the laws and practices of the third country of destination which are applicable to personal data transferred. There is an obligation for the parties to document this assessment (colloquially known as a ‘transfer impact assessment’ (“TIA”)) and make it available to data protection authorities on request. Having conducted the assessment, the parties are required to warrant that they have no reason to believe the laws and practices in the third country prevent the importer from fulfilling its obligations under the SCCs.
Organisations must also consider whether any supplementary measures (such as contractual, technical or organisational measures) need to be implemented in addition to the SCCs, to ensure the transferred personal data is afforded a level of protection that is essentially equivalent to that provided by EU laws, and implement those measures which are most suitable in light of the specific circumstances of the transfer.
Furthermore, organisations will also need to take time to review related agreements, in particular any existing data processing agreements, to ensure they do not conflict with the SCCs. In the event of any conflict, the SCCs will prevail.
Another challenging task on organisations’ ‘To Do’ list will be legitimising transfers to non-EEA importers who are subject to the GDPR by virtue of Article 3(2) GDPR (because the processing relates to the offering of goods or services to, or monitoring the behaviour of, EU individuals). Recital 7 of the new SCCs indicates that they are not suitable for use for transfers to non-EEA importers that are already subject to the GDPR. In late 2021, the European Commission stated that it is developing a new data transfer tool, in the form of a further set of SCCs, which can be used specifically for this transfer scenario. However, there is no indication yet as to when these SCCs will be finalised, and uncertainty pervades as to how to legitimise such transfers in the interim (discussed further here).
2. Processing Vaccination Data in the Workplace
As we approach the second anniversary of the Covid-19 pandemic, employers are continuing to grapple with the issue of whether they can lawfully process information about employees’ covid vaccination status.
Most employers would like to ask employees about their vaccination status, in order to facilitate their safe return to the workplace. However, information about an individual’s vaccination status is special category data for the purposes of the GDPR, and is afforded additional protections under data protection law.
The DPC has published guidelines (last updated in November 2021) which make it clear that the DPC does not consider there is any legal basis under the GDPR or Data Protection Act 2018 for employers to request the vaccination status of their employees. In the DPC’s view, the collection of vaccination data should not in general be considered a necessary workplace health and safety measure.
The guidelines emphasise that the processing of health data in response to the Covid-19 pandemic should be guided by the Government’s public health policies. The current version of the Work Safely Protocol: Covid-19 National Protocol for Employers and Workers sets out a number of obligations that require employers to process personal data. For example, employers should keep a log of contacts to facilitate contact tracing. In addition, employees should complete a pre-Return to Work form, which contains their personal data. However, the Protocol does not currently require employers to collect any information about the vaccination status of employees and this is not required for pre-Return to Work forms. Instead, the Work Safely Protocol notes that vaccination is a voluntary health step in Ireland and an employer’s primary basis for protecting against Covid-19 should be measures such as social distancing, PPE, hand sanitiser, and CO2 monitoring.
The DPC acknowledges that there are some specific employment contexts where the processing of vaccination status data may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.
The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data, as such consent will not be deemed to have been freely given.
Unless the DPC guidance changes as a result of public health advice or laws, employers will need to continue to exercise caution about seeking vaccination status data, as they may be exposed to legal risks if they seek such information.
3. Data Privacy Notices
We will likely see further regulatory scrutiny and debate about the required content of organisations’ privacy notices in the year ahead, along with organisations grappling with whether they should update their notices in line with the WhatsApp decision, pending the appeal.
On 20 August 2021, the DPC imposed a €225 million fine on WhatsApp for failing to discharge its transparency obligations under the GDPR, in regard to the content of its privacy notice. The DPC also required WhatsApp to provide the required privacy information within three months of the date of the decision, and issued a reprimand.
The 266-page decision has implications for all organisations, as it sets out the DPC’s high expectations in respect of the information that controllers must provide to individuals in their privacy notices, and how it should be presented. The standard set out in the decision arguably goes beyond that of most privacy notices, and a substantial amount of work will be required by many organisations to provide the level of information required. It is noteworthy that the decision reflects the views of data protection authorities across the EU, to the extent that it was delivered by the DPC following consultation with other EU data protection authorities under the Article 60 procedure (i.e. the one-stop-shop provision), and incorporates the conclusions of the EDPB under Article 65.
The decision also includes the EDPB’s findings on the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose, which may have a bearing on the size of future fines.
WhatsApp has issued judicial review proceedings seeking an order quashing the DPC’s decision, along with declarations that certain provisions of the Data Protection Act 2018 are invalid, unconstitutional, and incompatible with Ireland’s obligations under the European Convention on Human Rights. It has also lodged a statutory appeal before the Irish courts against the DPC’s decision, and an annulment action against the EDPB’s decision to the Court of Justice of the European Union (CJEU). In particular, WhatsApp allege that the EDPB exceeded its competence under Article 65, and violated the principle of legal certainty by failing to acknowledge that its decision puts forward novel interpretations and applications of several provisions of the GDPR, with the consequence that the infringement was unpredictable.
Organisations will be closely monitoring the progress of these legal proceedings, which will hopefully provide some legal certainty in regard to the scope of their transparency obligations. Pending the outcome of these proceedings, it would be prudent for organisations to review their privacy notices and consider the extent to which they comply with the DPC’s expectations (as set out in the WhatsApp decision), and the steps that can be taken to ensure compliance.
4. Identity & minimisation of data
We may also see further regulatory scrutiny over the coming year of organisations’ identity verification practices when individuals exercise their data protection rights under the GDPR. It is clear that having a general policy of asking individuals for additional identity information, when individuals exercise their data protection rights, violates the GDPR. Article 12(6) provides that such information should only be requested where there is “reasonable doubt” about an individual’s identity. Even where there is reasonable doubt, requesting photographic information may be deemed to be excessive, and in breach of the data minimisation principle, when there are other less intrusive measures available, such as sending a verification email or a code.
The DPC’s decision in December 2020, in the Groupon case, reminded organisations of the importance of only requesting such information when there are reasonable doubts about the individual’s identity, and of complying with the data minimisation principle when requesting identity verification information from individuals. In that case, the DPC, acting as lead supervisory authority, launched an investigation following a complaint about Groupon’s general policy of requiring individuals to provide photographic identification, in the form of an electronic copy of their national identity card, when making an erasure request under Article 17 of the GDPR. This requirement applied when individuals made erasure requests, but did not apply when individuals created a Groupon account. Therefore Groupon did not have any pre-existing identity card information on its systems against which to verify the national identity card. This called into question the relevance and proportionality of seeking a national identity card even where reasonable doubts existed concerning the identity of the requester.
The DPC reprimanded Groupon for infringing the data minimisation principle in Article 5(1)(c) of the GDPR. The DPC concluded that a less data-driven solution to identity verification was available (namely by way of confirmation of email address). The DPC also found that Groupon had infringed Article 12(2) by requesting proof of the complainant’s identity, in circumstances where it had not demonstrated that it had reasonable doubts about same.
noyb recently filed a GDPR complaint against a dating app, Grindr, for requesting excessive information to verify the identity of individuals exercising their GDPR rights. In particular, Grindr requires individuals to take a selfie of themselves whilst holding up a piece of paper with their email address and passport. As in the Groupon case, no such identification requirements apply when an individual registers their account.
5. Data Sharing by Public Bodies
In the coming months, we will see the commencement of the final sections of the Irish Data Sharing and Governance Act 2019. The 2019 Act clarifies the legality of data sharing between public bodies and introduces data governance within the public service on a statutory footing. It only applies where no other legal basis exists in Irish or EU law permitting or requiring data sharing between public bodies.
The Irish government adopted a phased commencement of the 2019 Act, with all sections commenced except Sections 6(2) and 6(3), which will commence on 31 March 2022. Section 6 concerns the interaction of the 2019 Act with the Data Protection Act 2018 and the GDPR. When Sections 6(2) and 6(3) are commenced this March, public bodies will no longer be able to rely on section 38 of the Data Protection Act 2018 as a legal basis for the sharing of personal data. Instead, where no other enactment permits or requires the sharing of personal data between specified public bodies, those bodies will have to rely on the provisions of the 2019 Act to legitimise such sharing. Where public bodies share data in accordance with the 2019 Act, a data sharing agreement must be put in place. The 2019 Act sets out detailed provisions that must be included in such agreements, and requires draft agreements to be published on a public body’s website for public consultation, and to be submitted to a new Data Governance Board for review prior to being executed.
Whilst the 2019 Act is intended to reduce the burden on individuals who wish to receive public services, from having to provide the same information to different bodies, and to facilitate the effective administration of public services, it will likely present some challenges for public bodies, in light of the strict requirements it creates for the sharing of data.
DPC Regulatory Priorities for 2022
The DPC recently published its Regulatory Strategy for 2022-2027, which sets out the DPC’s regulatory vision for the next five years. The strategy document highlights that the protection of children and other vulnerable groups is an enforcement priority for the DPC. This was underlined by the publication of the DPC’s guidance on the processing of children’s data in December 2021 (discussed here).
Another noteworthy priority is the primary allocation of the DPC’s investigative resources to the “cases that are likely to have the greatest systemic impact for the widest number of people over the longer term”. In the two years between May 2018 and May 2020, the DPC received in excess of 80,000 contacts to its office, on foot of which it opened 15,025 cases on behalf of individuals. The DPC notes that the vast majority of these cases were narrow in scope, involving just one individual and centred on issues that have no major or lasting impact on the rights and freedoms of the individual.
The strategy document notes that there is a tendency to conflate fining with regulatory success and to use the imposition of fines as a means to measure effectiveness. In the responses received from stakeholders, this was one of the areas where opinion diverged. Individuals favoured large fines for breaches of data protection law, while respondents from industry called for a more risk-based approach, so that instances of wilful negligence or deliberate infractions would be punished more severely. The DPC states that “driving compliance – rather than retrospectively and unilaterally penalising noncompliance – can ultimately produce better results for all stakeholders”, and that “the GDPR is a risk-based regulation and, a risk-based approach to sanctions is also the preferred method of applying these powers”. The DPC will therefore prioritise prosecution, sanction and/or fining those infractions that result from wilful, negligent or criminal intent.
The DPC is also reportedly doing a deep dive across all sectors in relation to how the Article 30 GDPR obligation to maintain records of processing activities is being managed and will publish findings.
2022 promises to be another busy year in the world of data protection. New EU and national regulatory developments, enforcement actions and litigation will undoubtedly keep companies and legal practitioners busy until the end of 2022 and beyond.
If you would like to discuss this, or any other related data protection and data privacy matters, please do not hesitate to contact Davinia Brennan, or any other member of the Technology and Innovation Group.