Data Protection and Privacy

Data Protection, privacy and technology developments continued to dominate the headlines last year. In this briefing, we consider some of the most noteworthy developments of which organisations should be aware, and look at what is coming down the tracks in 2023.

The importance of fair, transparent and lawful processing has been in the spotlight as the Irish Data Protection Commission ("DPC") recently imposed three significant fines on a leading technology company for unlawful reliance on contractual necessity as a lawful basis for certain processing activities. International transfers continue to be a hot topic, as the EU Parliament, EDPB and a Committee of EU Member States review the draft EU-US Data Privacy Framework ("DPF").

In addition, the extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny as a number of national court decisions concerning this matter are filtering up to the Court of Justice of the European Union ("CJEU"). All of these matters are considered in more detail in this commentary.

We also consider the CJEU decision in the case of X-Fab (Case C-453/21) which provides guidance on how to determine whether a conflict of interest could arise for an organisation's Data Protection Officer. In addition, the European Data Protection Board ("EDPB") has finalised a number of Guidelines to assist organisations to comply with their GDPR obligations including, amongst others, Guidelines on what constitutes an international transfer of data under Chapter V GDPR, and Guidelines on deceptive design patterns in social media platform interfaces.

Legislation surrounding data protection, privacy and technology continues to develop at a rapid pace.  These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 will undoubtedly be an exciting and busy year for all.

Key Themes in Data Protection and Technology

DPC Enforcement Activity - Fair, Transparent, and Lawful Processing in the Spotlight

2022 was another record year for GDPR fines across Europe. It is estimated that European Data Protection Authorities ('DPAs') imposed approximately €1.64 billion in fines last year, a 50% increase over the prior year. Ad-tech and behavioural advertising were a top enforcement priority in 2022. Infringements concerning the processing of children's data, the failure to meet privacy by design requirements and the failure to implement appropriate security mechanisms also caught regulators' attention.

There is also a noticeable rise in willingness on the part of supervisory authorities to fine controllers who have been the subject of cybercrime where controllers did not have adequate security measures in place appropriate to the risk profile of the data processed. This trend arose particularly where special category data such as employment and health data were impacted.

2023 started with the DPC imposing a number of significant fines. In particular, the DPC fined Meta €210 million, Instagram €180 million, and WhatsApp €5.5 million in relation to breach of the transparency obligation, and for unlawfully relying on contractual necessity as a lawful basis for processing personal data for behavioural advertising purposes and for security and service improvements. The fines serve as a reminder of the importance of providing data subjects with clear and granular information in Privacy Notices about what personal data is being processed for each processing activity, the purpose(s) of such processing, and the lawful bases relied upon for the processing. In addition, more careful consideration must be given to the most appropriate lawful basis to rely on for the processing activity at hand. Typically the practice has been to avoid relying on consent as a lawful basis, due to the high threshold that must be reached to obtain valid consent and the right of data subjects to withdraw consent at any time. However, it seems that consent and legitimate interests are likely to be relied on more frequently in the future to legitimise data processing activities, as it is clear that the contractual necessity and legal obligation lawful bases can only be relied upon in narrow circumstances. 

Key Developments in Data Protection and Privacy 

Compensation Claims

Article 82 of the GDPR, along with the Data Protection Act 2018, allows data subjects or non-profit organisations mandated to act on their behalf, to take compensation claims for material or non-material loss suffered as a result of a breach of the GDPR. However, uncertainty prevails as to the scope of the right to compensation for non-material damage. 

On 6 October 2022, the Advocate General at the CJEU issued an Opinion in the Österreichische Post AG case (Case C-300/21) that a mere violation of the GDPR is not sufficient to recover compensation. Proof of material or non-material damage must also be provided by the claimant. In addition, compensation for non-material damage does not cover mere upset which the person concerned may feel as a result of a violation of the GDPR. If the CJEU follows this opinion, it would be welcome news for companies, as it would raise the bar for successful damages claims for non-material loss.

On 23 January 2023, the Irish Circuit Court, in the case of Cunniam v Parcel Connect Limited & Ors, granted a stay on proceedings brought by a data subject where only non-material damages have been alleged, pending six decisions awaited from the CJEU relating to non-material damage (including the CJEU's decision in the Österreichische Post AG case). The Court held that not granting the stay would substantially prejudice the defendants’ case, and would lead to the risk of an irreconcilable judgment being produced by the Court.

Data Protection Officers ("DPOs")

The CJEU decision in X-Fab (Case C-453/21) provides guidance on how to determine whether a conflict of interest arises in respect of the role of Data Protection Officer and when a DPO may be lawfully dismissed. In this case, an employee, who performed the role of DPO and also worked as council chair, was dismissed at the direction of the State DPA due to a potential conflict of interest between these roles. The employee claimed that the dismissal was void due to protective employment provisions under German law, and the German court referred the matter to the CJEU.

Article 38(6) GDPR acknowledges that a DPO may fulfil other tasks and duties, provided such other tasks and duties do not result in a conflict of interests. The CJEU held that an assessment of whether a conflict of interests exists must be carried out on a case by case basis, in light of all the relevant circumstances, in particular the structure of the organisation. However, DPOs cannot be entrusted with tasks or duties which would result in them “determining the objectives and methods of processing personal data on the part of the controller or processor”.

Article 38(3) of the GDPR further states “[a DPO] shall not be dismissed or penalised by the [organization] for performing his tasks”.  The CJEU held that member states, such as Germany, are free to lay down more protective provisions provided they do not undermine the GDPR’s objectives. However, a national law which prevents the dismissal of a DPO who is unable to carry out their role in an independent manner because of a conflict of interest would be incompatible with the GDPR.

The EDPB recently  announced that it has selected the designation and position of the DPO role as the focus for its next coordinated pan-EU enforcement action.  It would therefore be prudent for organisations to take steps to review their DPO function. It is natural for jobs and roles to evolve over time, so organisations which have appointed a DPO should take steps to ensure that their DPO is not also entrusted with tasks or duties which conflict with the performance of their DPO obligations.

International transfers

In January 2023, the DPC referred its draft decision in relation to the lawfulness of Meta's EU-US transfers to the European Data Protection Board ("EDPB") under the Article 65 dispute resolution process, after it was unable to resolve objections from other EU data protection authorities.  The dispute resolution procedure comes as the EU considers a draft adequacy decision for the Data Protection Framework ("DPF").

The DPF is expected to be finalised and adopted by Summer 2023, which will mark three years since the invalidation of its predecessor, the EU-US Privacy Shield. The DPF and accompanying US Executive Order aim to address the concerns raised by the European Court of Justice in Schrems II. In particular, they provide binding safeguards that limit access by US intelligence services to what is necessary and proportionate to protect national security, and establish an independent and impartial redress mechanism, including a new Data Protection Review Court. Although a finalised adequacy decision is expected later this year, many organisations may continue entering into the standard contractual clauses and conducting transfer impact assessments due to the likelihood of the DPF being further challenged by privacy advocates such as NOYB or others before the CJEU in the future.

Following public consultation, on 23 February 2023, the EDPB have also issued their finalised Guidelines 05/2021 on the interplay between Article 3 and Chapter V GDPR. The guidelines provide some welcome clarity in regard to what constitutes a 'transfer' requiring compliance with the international transfer rules set out in Chapter V of the GDPR.

Data Subject Access Requests ("DSARs")

Over the past year, the EDPB and DPC have each published guidelines on the right of access to help controllers understand the scope of their obligations under Article 15 GDPR. Whilst these non-binding guidelines are informative, in many ways they raise the bar in regard to what is expected from controllers when responding to access requests. Two issues, in particular, are worth noting.

First, the draft EDPB guidelines reject any proportionality limit with regard to the efforts a controller has to expend on responding to a DSAR. This is surprising as to date there have been strong grounds to believe that a controller is only required to take reasonable and proportionate steps to search for personal data in line with the EU principle of proportionality. It remains to be seen if this approach will be endorsed in the finalised guidelines. In contrast, the DPC guidelines state that controllers are not obliged to conduct searches which go beyond what is reasonable in terms of time and money, taking into account the circumstances of the case. 

Second, both sets of guidelines indicate that in order to meet the information requirements in Article 15(1) and (2) GDPR it is not sufficient for companies to provide a copy of, or link to, or extract of their privacy notice, when responding to access requests. Rather, organisations are required to update and tailor the information in the privacy notice to reflect the processing operations carried out with regard to the data subject making the request. A recent ruling from the CJEU (Case C-151/21) supports this view. This will unfortunately make responding to access requests a more burdensome task for many organisations.

Further cases regarding the scope of the right of access under Article 15 GDPR are currently pending before the CJEU which should provide greater clarity on the scope of the right of access.

Cookie Compliance

Cookie compliance continues to be an enforcement trend. In January 2023, the EDPB Cookie Banner Task Force published a report which provides some tips on how to comply with the cookie rules in the ePrivacy Directive. The Report was issued following complaints from NOYB, and investigations by EU DPAs in relation to certain companies' cookie banners and policies. In light of the report and continued enforcement of cookie rules by EU DPAs across Europe, it would be prudent for organisations to revisit their cookie practices to ensure they comply with the cookie rules and expectations of Regulators.

Deceptive Design Patterns in Social Media Platform Interfaces

The EDPB have published finalised Guidelines 03/2022 on deceptive design patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns that violate the GDPR. Deceptive design patterns are interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, regarding the processing of their personal data. The guidelines provide examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that aim to facilitate the effective implementation of the GDPR.

European Data Protection Board Agenda for 2023

The European Data Protection Board ("EDPB") recently published its 2023-2024 work programme. In particular, the EDPB intends to publish guidance on a list of topics, including: Legitimate Interest; Children’s Data; Processing of data for Medical and Scientific Research Purposes; Anonymisation and Pseudonymisation. The EDPB further indicated its intention to develop guidance on the interplay between the proposed EU Artificial Intelligence Act and the GDPR, along with updated guidance on the right of access, identifying lead supervisory authority and breach notification. Organisations should familiarise themselves with these guidelines once published, as they set out the expectations of EU DPAs, in regard to GDPR compliance requirements. 

The EDPB will also continue to prioritise effective enforcement and cooperation between European data protection authorities such as by supporting their work on cases of strategic importance. 

Separately, the European Commission has launched an initiative to improve and streamline cooperation between EU data protection authorities when enforcing the GDPR in cross-border cases. Little is known of the initiative so far, other than the fact that it aims to harmonise aspects of administrative procedure applied by national DPAs in cross-border cases. The initiative likely follows on from the EDPB's letter to the European Commission of 10 October 2022, which contained a list of procedural aspects that could benefit from further harmonisation at EU level. The list includes, amongst other issues, the status and rights of parties to administrative procedures; procedural deadlines; requirements for admissibility or dismissal of complaints; investigative powers of Supervisory Authorities; and the practical implementation of the cooperation procedure.

Recent Developments in the EU Digital Technology Space 

The European Commission has been making good progress with its Digital Single Market Strategy, which consists of a wide-ranging group of legislative initiatives aimed at adapting the European market to the digital age. EU regulation of digital services is intended to ensure better access for consumers and businesses to online goods and services across Europe, for example by removing barriers to cross-border e-commerce and improving access to online content while increasing consumer protection. It also aims to address concerns in relation to cybersecurity, data protection/e-privacy, and the fairness and transparency of online platforms.

The legislative proposals, once a promise for the future, are quickly becoming a reality. The Digital Markets Act, Digital Services Act, Data Governance Act and the NIS2 Directive have each been published in the Official Journal and entered into force in recent months.

2023 is likely to bring much more data regulation, as negotiations continue at EU level in respect of the proposed Data Act, Artificial Intelligence Act, Artificial Intelligence Liability Directive, Cyber Resilience Act, and ePrivacy Regulation. These legislative proposals will significantly affect companies operating in the technology sector and beyond. 

Network and Information Systems 2.0 Directive: New Obligations on Digital Service Providers

Dec 6, 2022, 17:06 PM

The EU has further expanded the scope of its cybersecurity rules. On 28 November 2022, the EU Council adopted the text of the NIS 2.0 Directive. The new Directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different Member States. It expands the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

In this article, we consider the scope of the current NIS Directive (EU 2016/1148) along with the changes introduced by the new NIS 2.0 Directive which companies providing essential and digital services should be taking steps to prepare for.

A Recap on the NIS Directive

Baseline Cybersecurity Measures and Reporting Obligations

The NIS Directive imposes minimum standards for network and information system security and reporting obligations on EU Member States and on designated operators of essential services ("OES") and relevant digital service providers ("RDSPs"). The NIS Directive was transposed into Irish law by the European Union (Measures for a High Level of Security and Network and Information Systems) Regulations 2018 (S.I. 360 of 2018) (the "NIS Regulations") on 18 September 2018.

The NIS Regulations identify OES as operators of critical infrastructure including: energy, transport, banking, health, supply and distribution of drinking water and digital infrastructure (internet exchange point operators, domain name service providers and top-level domain name registries)[1].  RDSPs include online marketplaces, online search engines and cloud computing services[2]. 

Key Obligations

Manage Risk

OES: Identify and take technical and organisational measures to manage the risks posed to the security of its network and information systems.

RDSPs: Identify and take technical and organisational measures to manage the risks posed to the security of its network and information systems, taking into account factors such as the security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.

Take Action

OES: Take appropriate measures to prevent and minimise the impact of any incidents which affect the security of its network and information systems to ensure continuity in the provision of those services.

RDSPs: Take measures to prevent and minimise the impact of incidents affecting the security of its network and information systems to ensure continuity in the provision of those services.

Notify Incidents

OES: Notify the computer security response team within the Department of the Environment, Climate and Communications ("CSIRT") if an incident significantly impacts the continuity of the provision of its essential services, not later than 72 hours after becoming aware of the incident.

RDSPs: Notify the CSIRT of any incident that has a substantial impact on its provision of its services within the EU as soon as practicable after the incident occurs and, in any event, not later than 72 hours after becoming aware of the incident, subject to the RDSP having access to the information required to assess the impact of the incident, including the number of users affected, the duration, the geographical spread of the area affected, the extent of the disruption and the extent of the impact on economic and social activities.

Enforcement

Along with information notices, authorised officers, appointed by the Minister, or the Central Bank in the case of banking and financial market infrastructures, may serve a compliance notice on an OES or RDSP prescribing directions as to remedial actions to be taken. The compliance notice may also direct the OES / RDSP to notify those affected, or the public generally, of the suspected breach.

Criminal sanctions may be imposed for failure to comply with these obligations, comprising a €5,000 fine on summary conviction or a fine not exceeding €50,000 on conviction on indictment or, in the case of a company, not exceeding €500,000.

The NIS Directive has proved difficult to implement in practice. A review of the Directive showed a wide divergence in its implementation across the EU, particularly in regard to security and incident reporting obligations and in relation to enforcement.  The NIS 2.0 Directive aims to address the shortfalls of the NIS Directive and increase the level of enforcement of cybersecurity across the EU.

NIS Directive 2.0 – Proposal for Reform

Stronger Risk and Incident Management and Cooperation

The European Commission's proposal for the NIS 2.0 Directive was first published on 16 December 2020 with a view to addressing the limitations of the NIS Directive that had come to light in the two years since its implementation and to ensure greater coordination of cybersecurity across the EU internal market in order to better adapt and respond to new challenges.  The NIS 2.0 Directive aims to enhance and expand the scope of cybersecurity protection, streamline risk management measures and reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU.

The NIS 2.0 Directive will also formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.

Widening of Scope of the Rules

Under the old NIS Directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services.  However, the new NIS 2.0 Directive introduces a size-cap rule as a general rule for identification of regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by the Directive will fall within its scope.

The NIS 2.0 Directive also extends the scope of the current NIS Directive to cover new sectors classified as "important entities" such as postal and courier services, waste management, manufacture and distribution of chemicals, food production and manufacturing and digital providers. The NIS 2.0 Directive eliminates the classification of OES and RDSP and instead provides for differing regimes for "essential entities" and "important entities".

The text of the NIS 2.0 Directive indicates that it will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement.  Judiciary, parliaments, and central banks are also excluded from the scope.

Cybersecurity Training and Risk Management

The NIS 2.0 Directive introduces an obligation on Member States to ensure that a company's management approve its cybersecurity risk management measures and follow specific cybersecurity training.  It also places new obligations on entities within its scope to implement supply chain security assessments and to take "appropriate and proportionate technical and organisational measures" to manage the risks posed to the security of the network and information systems which those entities use in the provision of their services.

Breach Reporting

In strengthening cybersecurity obligations on companies, the NIS 2.0 Directive introduces more precise provisions for the process and timelines for incident reporting to CSIRTs, along with enhanced supervisory measures for national authorities and stricter enforcement requirements. In particular, the NIS 2.0 Directive imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of certain incidents or cyber threats (instead of simply “without undue delay” as in the NIS Directive), as well as “intermediate” and “final” reporting obligations.

Sanctions

Member States have discretion under the NIS 2.0 Directive to lay down rules on penalties in their domestic implementing legislation. Such penalties must be "effective, proportionate and dissuasive". The Recitals to the Directive indicate that penalties may include criminal penalties for infringement of the legislation. Accordingly, it is important for organisations falling within the scope of the NIS 2.0 Directive to be aware of their potential liability (both criminal and civil) under implementing national laws.

The NIS 2.0 Directive requires Member States to impose GDPR-like administrative fines for non-compliance. Depending on whether an entity is considered an "essential" or "important" one (which depends on their size and sector), administrative fines for non-compliance can be respectively up to: (i) €10 million or a maximum of at least 2% of the total worldwide annual turnover of the undertaking or (ii) €7 million or a maximum of at least 1.4% of the total worldwide annual turnover of the undertaking.

It is notable that the Irish regulatory enforcement regime has recently been strengthened by the introduction of civil enforcement powers under the new Competition (Amendment) Act 2022 and the Communications Regulation Bill 2022.  These new laws allow the Competition and Consumer Protection Commission and the Commission for Communications Regulation to investigate and sanction companies, and to seek to impose sanctions at the civil standard of proof (balance of probabilities), rather than the higher criminal standard of proof (beyond reasonable doubt), which regulators must satisfy very often at present.  If further civil sanctions are introduced in the Irish law transposing the NIS 2.0 Directive, the competent authority will have greater direct control than in criminal prosecutions, which will naturally lead to more investigations and the imposition of more sanctions under the future Irish law transposing the NIS 2.0 Directive.

It is important that providers of essential and digital services in Ireland are aware of the new cyber security legislation that is coming down the tracks, as failure to meet their obligations under the new Directive may result in extensive civil sanctions, criminal liability and reputational damage where the incidents are publicised by the CSIRT.

Next Steps

The text of the NIS 2.0 Directive received formal approval by the European Council on 28 November 2022. It will be published in the Official Journal of the European Union in the coming days, and will enter into force on the twentieth day following this publication. Member States will have 21 months from the entry into force of the Directive in which to transpose the NIS 2.0 Directive into their national law.

In Ireland, recent experience would indicate that we may encounter delays in the implementation of the NIS 2.0 Directive, as deadlines have been missed recently for the transposition of other key legislation driving transformation in the digital sector (eg, the European Electronic Communications Code and the Audio-Visual Media Services Directive).

This article has been authored by Kate McKenna, Davinia Brennan, Simon Shinkwin, Neringa Juodkunaite and Evelyn Soye. For more information, please contact us or your usual Matheson contact.

[1] Schedule 1, NIS Regulations.

[2] Schedule 2, NIS Regulations.

[3] Regulation 18(1), NIS Regulations.

[4] Regulation 21(1), NIS Regulations.

[5] Regulation 21(2), NIS Regulations.

[6] Regulation 17, NIS Regulations.

[7] Regulation 21(3), NIS Regulations.

[8] Where an OES relies on a third-party digital service provider in the provision of an essential service, the OES must notify the CSIRT if an incident affecting the digital service provider has a significant impact on the continuity of the provision of the essential services of the OES.

[9] Regulation 18(2), NIS Regulations.

[10] Regulation 22(1), NIS Regulations.

[11] Regulation 22(4), NIS Regulations.
