Data Protection and Privacy
As we enter the final quarter of 2022, it's timely to consider the hottest developments in the data protection space, and the compliance challenges companies are facing.
In this briefing, we set out some key legislative and case-law developments in relation to international transfers, compensation for non-material loss under the GDPR, and cyber security reporting requirements.
Key Themes in Data Protection and Technology
On 7 October 2022, President Biden issued an Executive Order, which paves the way for the European Commission to draft a US Adequacy Decision, known as the "EU-US Data Privacy Framework". This Framework will replace the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union ("CJEU") in July 2020 in the Schrems II case.
Since the Schrems II decision, there has been much legal uncertainty over how to legitimise EU-US data transfers, and EU Data Protection Authorities have been ramping up enforcement in this area. Once the US Adequacy Decision is formally adopted (likely to be in Spring 2023), US companies will be able to self-certify with the US Department of Commerce, and commit to complying with a detailed set of privacy obligations.
It will undoubtedly be a huge relief to companies transferring data from the EU to the US, to be able to rely on the new Framework, and avoid the burden and uncertainties associated with relying on Article 46 transfer tools (such as the SCCs), including transfer impact assessments and supplementary measures.
Whilst we await the adoption of the US Adequacy Decision (which is by no means guaranteed), the European Commission has confirmed that all the safeguards contained within the Executive Order will be available for all transfers to the US under the GDPR, regardless of the transfer tool used. Accordingly, companies should start taking account of the new safeguards when carrying out their Transfer Impact Assessments in respect of EU-US transfers, as the safeguards (including the redress mechanism once implemented) should serve to lower the data protection risks associated with EU-US transfers.
Since the GDPR and Data Protection Act 2018 came into force, it has been possible for individuals, or groups of individuals, in Ireland to claim damages for "non-material loss" (i.e. non-economic loss) arising from breaches of their data protection rights. However, there has been much debate about what claimants need to prove in order to seek compensation for non-material damage, in particular whether it requires proof of something greater than "mere upset" about their GDPR rights being violated.
Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the CJEU by Member State courts, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland.
On 6 October 2022, Advocate General Manuel Campos Sánchez-Bordona delivered his opinion at the CJEU in UI v Österreichische Post AG (Case C-300/21, a reference from the Austrian Supreme Court (Oberster Gerichtshof)). The Opinion clarifies that mere infringement of the provisions of the GDPR, without accompanying damage (whether material or non-material), is not sufficient for the purposes of awarding compensation; and, in relation to non-material damage, that the compensation provided for in the GDPR does not cover "mere upset".
It can often take several months after the publication of an Advocate General Opinion for the CJEU to deliver its final judgment. While the Opinion is not binding on the CJEU, it will be of strong persuasive value.
Read more in Matheson's Cyber Bulletin here.
In response to the growing threats of cyber-attacks and taking into account the significant growth of digitalisation, the European Commission is in the process of updating the NIS Directive through the introduction of a replacement directive ("NIS 2"). In parallel, the European Commission has published a draft regulation for a Digital Operational Resilience Act ("DORA") as part of its Digital Finance Strategy, which is specifically directed to financial services.
One of the key features of both initiatives is the extension of the regulatory cyber and operational resilience regime to a broader range of business sectors (NIS 2) and a much broader range of financial services (DORA).
The focus of reporting obligations will shift from impact on total users to incidents causing (or having the potential to cause) severe operational disruption, financial losses for the entity, or considerable material or non-material losses for other natural or legal persons. The timeframe within which reports must initially be made will also be reduced, with the precise deadline depending on whether the report is required under NIS 2 or DORA.
What organisations should do now:
- Assess whether the organisation is within scope of NIS 2 or DORA
- Refresh or undertake risk assessment
- Update or create incident response plans, and communicate them
- Implement additional technical and organisational protections where gaps and vulnerabilities have been identified
- Update all relevant and impacted policies and procedures
- Train personnel on cyber risks and awareness, and on the incident response plan
- Do a dry run / simulation