Now that 2021 has come to a close, what data protection developments and compliance challenges lie ahead in 2022, and what are the Irish Data Protection Commission’s (“DPC”) key enforcement and regulatory priorities?
In 2022, organisations will undoubtedly continue to wrestle with a number of key data protection issues including:
- legitimising data transfers;
- processing Covid-19 vaccination data in the workplace;
- drafting data privacy notices;
- verifying the identity of data subjects when exercising their GDPR rights; and
- legitimising data sharing between public bodies.
In this article we look at these five data protection issues, and the DPC’s enforcement and regulatory priorities for the year ahead.
1. Repapering the SCCs
Repapering the old Standard Contractual Clauses (“SCCs”), and carrying out Transfer Impact Assessments, will continue to be priority GDPR compliance tasks for businesses in the coming year.
In June 2021, the European Commission adopted new EU Standard Contractual Clauses for transfers of personal data to third countries. The new SCCs were widely welcomed to the extent that they take into account the Schrems II decision, and incorporate the obligatory contractual rights and obligations of controllers and processors under Article 28(3) and (4) of the GDPR. The SCCs also cater for four different transfer scenarios including, for the first time, processor to processor transfers, and processor to controller transfers.
Whilst the old SCCs were repealed on 27 September 2021, organisations have a grace period until 27 December 2022 to amend contracts executed before 27 September 2021, in order to remove the old SCCs and insert the new SCCs. Although this deadline is 11 months away, it would be prudent for organisations to start taking steps now to review their data flows and identify which data transfer contracts need to be updated. Repapering legacy contracts will inevitably be a time-consuming exercise for many organisations, as it will entail more than simply swapping out the old clauses for the new clauses.
The new SCCs impose some onerous obligations on data exporters and importers, and complying with them will present formidable challenges for many organisations. For example, the new SCCs (clause 14) require the parties to conduct an assessment of the laws and practices of the third country of destination which are applicable to personal data transferred. There is an obligation for the parties to document this assessment (colloquially known as a ‘transfer impact assessment’ (“TIA”)) and make it available to data protection authorities on request. Having conducted the assessment, the parties are required to warrant that they have no reason to believe the laws and practices in the third country prevent the importer from fulfilling its obligations under the SCCs.
Organisations must also consider whether any supplementary measures (such as contractual, technical or organisational measures) need to be implemented in addition to the SCCs, to ensure the transferred personal data is afforded a level of protection that is essentially equivalent to that provided by EU laws, and implement those measures which are most suitable in light of the specific circumstances of the transfer.
Furthermore, organisations will also need to take time to review related agreements, in particular any existing data processing agreements, to ensure they do not conflict with the SCCs. In the event of any conflict, the SCCs will prevail.
Another challenging task on organisations’ ‘To Do’ list will be legitimising transfers to non-EEA importers who are subject to the GDPR by virtue of Article 3(2) GDPR (because the processing relates to the offering of goods or services to, or monitoring the behaviour of, EU individuals). Recital 7 of the new SCCs indicates that they are not suitable for use for transfers to non-EEA importers that are already subject to the GDPR. In late 2021, the European Commission stated that it is developing a new data transfer tool, in the form of a further set of SCCs, which can be used specifically for this transfer scenario. However, there is no indication yet as to when these SCCs will be finalised, and uncertainty pervades as to how to legitimise such transfers in the interim (discussed further here).
2. Processing Vaccination Data in the Workplace
As we approach the second anniversary of the Covid-19 pandemic, employers are continuing to grapple with the issue of whether they can lawfully process information about employees’ Covid-19 vaccination status.
Most employers would like to ask employees about their vaccination status, in order to facilitate their safe return to the workplace. However, information about an individual’s vaccination status is special category data for the purposes of the GDPR, and is afforded additional protections under data protection law.
The DPC has published guidelines (last updated in November 2021) which make it clear that the DPC does not consider there is any legal basis under the GDPR or Data Protection Act 2018 for employers to request the vaccination status of their employees. In the DPC’s view, the collection of vaccination data should not in general be considered a necessary workplace health and safety measure.
The guidelines emphasise that the processing of health data in response to the Covid-19 pandemic should be guided by the Government’s public health policies. The current version of the Work Safely Protocol: Covid-19 National Protocol for Employers and Workers sets out a number of obligations that require employers to process personal data. For example, employers should keep a log of contacts to facilitate contact tracing. In addition, employees should complete a pre-Return to Work form, which contains their personal data. However, the Protocol does not currently require employers to collect any information about the vaccination status of employees and this is not required for pre-Return to Work forms. Instead, the Work Safely Protocol notes that vaccination is a voluntary health step in Ireland and an employer’s primary basis for protecting against Covid-19 should be measures such as social distancing, PPE, hand sanitiser, and CO2 monitoring.
The DPC acknowledges that there are some specific employment contexts where the processing of vaccination status data may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.
The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data, as such consent will not be deemed to have been freely given.
Unless the DPC guidance changes as a result of public health advice or laws, employers will need to continue to exercise caution about seeking vaccination status data, as they may be exposed to legal risks if they seek such information.
3. Data Privacy Notices
We will likely see further regulatory scrutiny and debate about the required content of organisations’ privacy notices in the year ahead, along with organisations grappling with whether they should update their notices in line with the WhatsApp decision, pending the appeal.
On 20 August 2021, the DPC imposed a €225 million fine on WhatsApp for failing to discharge its transparency obligations under the GDPR, in regard to the content of its privacy notice. The DPC also required WhatsApp to provide the required privacy information within three months of the date of the decision, and issued a reprimand.
The 266-page decision has implications for all organisations, as it sets out the DPC’s high expectations in respect of the information that controllers must provide to individuals in their privacy notices, and how it should be presented. The standard set out in the decision arguably goes beyond that of most privacy notices, and a substantial amount of work will be required by many organisations to provide the level of information required. It is noteworthy that the decision reflects the views of data protection authorities across the EU, to the extent that it was delivered by the DPC following consultation with other EU data protection authorities under the Article 60 (one-stop-shop) procedure, and incorporates the conclusions of the EDPB under Article 65.
The decision also includes the EDPB’s findings on the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose, which may have a bearing on the size of future fines.
WhatsApp has issued judicial review proceedings seeking an order quashing the DPC’s decision, along with declarations that certain provisions of the Data Protection Act 2018 are invalid, unconstitutional, and incompatible with Ireland’s obligations under the European Convention on Human Rights. It has also lodged a statutory appeal before the Irish courts against the DPC’s decision, and an annulment action against the EDPB’s decision before the Court of Justice of the European Union (CJEU). In particular, WhatsApp alleges that the EDPB exceeded its competence under Article 65, and violated the principle of legal certainty by failing to acknowledge that its decision puts forward novel interpretations and applications of several provisions of the GDPR, with the consequence that the infringement was unpredictable.
Organisations will be closely monitoring the progress of these legal proceedings, which will hopefully provide some legal certainty in regard to the scope of their transparency obligations. Pending the outcome of these proceedings, it would be prudent for organisations to review their privacy notices and consider the extent to which they comply with the DPC’s expectations (as set out in the WhatsApp decision), and the steps that can be taken to ensure compliance.
4. Identity & minimisation of data
We may also see further regulatory scrutiny over the coming year of organisations’ identity verification practices when individuals exercise their data protection rights under the GDPR. It is clear that having a general policy of asking individuals for additional identity information, when individuals exercise their data protection rights, violates the GDPR. Article 12(6) provides that such information should only be requested where there is “reasonable doubt” about an individual’s identity. Even where there is reasonable doubt, requesting photographic information may be deemed to be excessive, and in breach of the data minimisation principle, when there are other less intrusive measures available, such as sending a verification email or a code.
The DPC’s decision in December 2020, in the Groupon case, reminded organisations of the importance of only requesting such information when there are reasonable doubts about the individual’s identity, and of complying with the data minimisation principle when requesting identity verification information from individuals. In that case, the DPC, acting as lead supervisory authority, launched an investigation following a complaint about Groupon’s general policy of requiring individuals to provide photographic identification, in the form of an electronic copy of their national identity card, when making an erasure request under Article 17 of the GDPR. This requirement applied when individuals made erasure requests, but did not apply when individuals created a Groupon account. Therefore Groupon did not have any pre-existing identity card information on its systems against which to verify the national identity card. This called into question the relevance and proportionality of seeking a national identity card even where reasonable doubts existed concerning the identity of the requester.
The DPC reprimanded Groupon for infringing the data minimisation principle in Article 5(1)(c) of the GDPR. The DPC concluded that a less data-driven solution to identity verification was available (namely by way of confirmation of email address). The DPC also found that Groupon had infringed Article 12(2) by requesting proof of the complainant’s identity, in circumstances where it had not demonstrated that it had reasonable doubts about same.
noyb recently filed a GDPR complaint against a dating app, Grindr, for requesting excessive information to verify the identity of individuals exercising their GDPR rights. In particular, Grindr requires individuals to take a selfie whilst holding up a piece of paper with their email address and their passport. As in the Groupon case, no comparable identification requirements apply when an individual registers their account.
5. Data Sharing by Public Bodies
In the coming months, we will see the commencement of the final sections of the Irish Data Sharing and Governance Act 2019. The 2019 Act clarifies the legality of data sharing between public bodies and introduces data governance within the public service on a statutory footing. It only applies where no other legal basis exists in Irish or EU law permitting or requiring data sharing between public bodies.
The Irish government adopted a phased commencement of the 2019 Act, with all sections commenced except Sections 6(2) and 6(3), which will commence on 31 March 2022. Section 6 concerns the interaction of the 2019 Act with the Data Protection Act 2018 and the GDPR. When sections 6(2) and 6(3) are commenced this March, public bodies will no longer be able to rely on section 38 of the Data Protection Act 2018 as a legal basis for the sharing of personal data. Instead, where no other enactment permits or requires the sharing of personal data between specified public bodies, those bodies will have to rely on the provisions of the 2019 Act to legitimise such sharing. Where public bodies share data in accordance with the 2019 Act, a data sharing agreement must be put in place. The 2019 Act sets out detailed provisions that must be included in such agreements, and requires draft agreements to be published on a public body’s website for public consultation, and to be submitted to a new Data Governance Board for review prior to being executed.
Whilst the 2019 Act is intended to reduce the burden on individuals who wish to receive public services, by relieving them of having to provide the same information to different bodies, and to facilitate the effective administration of public services, it will likely present some challenges for public bodies, in light of the strict requirements it creates for the sharing of data.
DPC Regulatory Priorities for 2022
The DPC recently published its Regulatory Strategy for 2022-2027, which sets out the DPC’s regulatory vision for the next five years. The strategy document highlights that the protection of children and other vulnerable groups is an enforcement priority for the DPC. This was underlined by the publication of the DPC’s guidance on the processing of children’s data in December 2021 (discussed here).
Another noteworthy priority is the primary allocation of the DPC’s investigative resources to the “cases that are likely to have the greatest systemic impact for the widest number of people over the longer term”. In the two years between May 2018 and May 2020, the DPC received in excess of 80,000 contacts to its office, on foot of which it opened 15,025 cases on behalf of individuals. The DPC notes that the vast majority of these cases were narrow in scope, involving just one individual and centred on issues that have no major or lasting impact on the rights and freedoms of the individual.
The strategy document notes that there is a tendency to conflate fining with regulatory success and to use the imposition of fines as a means to measure effectiveness. In the responses received from stakeholders, this was one of the areas where opinion diverged. Individuals favoured large fines for breaches of data protection law, while respondents from industry called for a more risk-based approach, so that instances of wilful negligence or deliberate infractions would be punished more severely. The DPC states that “driving compliance – rather than retrospectively and unilaterally penalising noncompliance – can ultimately produce better results for all stakeholders”, and that “the GDPR is a risk-based regulation and, a risk-based approach to sanctions is also the preferred method of applying these powers”. The DPC will therefore prioritise prosecution, sanction and/or fining those infractions that result from wilful, negligent or criminal intent.
The DPC is also reportedly doing a deep dive across all sectors in relation to how the Article 30 GDPR obligation to maintain records of processing activities is being managed and will publish findings.
2022 promises to be another busy year in the world of data protection. New EU and national regulatory developments, enforcement actions and litigation will undoubtedly keep companies and legal practitioners busy until the end of 2022 and beyond.
If you would like to discuss this, or any other related data protection and data privacy matters, please do not hesitate to contact Davinia Brennan, or any other member of the Technology and Innovation Group.