Schrems II: Rethinking Privacy Shield & Standard Contractual Clauses

Briefing

On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU) delivered the much anticipated decision in the Max Schrems Case (Schrems 2). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, personal data transfers are non-compliant to EU law and need special attention, assessment, reviews and additional safeguards to make these compliant. The case has been called constitutional and cannot be appealed.

Privacy Shield

The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease.  EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.

Standard Contractual Clauses (SCCs)

The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene and review Standard Contractual Clauses and be prepared to withhold or withdraw authorisations for international personal data transfers.

Responses and Actions

  1. Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
  2. Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
  3. Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses, due for publication in 2020 or 2021.
  4. Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
  5. Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.

Resources

EU / US and Swiss / US Privacy Shield Home Page

Schrems II Case Press Release

Schrems II Case Full Judgment

Schrems II European Data Protection Board (EDPB) Frequently Asked Questions

Schrems II US Federal Trade Commission (FTC) Statement

Schrems II US Secretary of Commerce Statement

Schrems II Joint Statement from European Commission and US Department of Commerce

Schrems II Ireland Data Protection Commission (DPC) First Statement

Schrems II UK Data Protection Commissioner’s Office (ICO) First Statement and Updated Statement

Schrems II European Data Protection Board (EDPB) Taskforce on Post-Schrems II Complaints

Schrems II US Department of Commerce, US Justice Department & US Office of the Director of National Intelligence White Paper on US Privacy Safeguards for SCCs and other Legal Bases

Schrems II European Data Protection Supervisor (EDPS) Strategy for EU Institutions to comply with Schrems 2 Ruling

Schrems II European Data Protection Board (EDPB) Supplementary Measures for data transfer tools to ensure GDPR compliance – Consultation

Schrems II European Commission Standard Contractual Clauses (SCCs) 2020 – Consultation  

Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries

For Further Assistance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

GDPR in 2020 and in the Future: Views from Brussels

Briefing

The European Commission’s General Data Protection Regulation (GDPR) Evaluation Report of June 2020, declares the GDPR a success. However, it concedes that there is still more work to do. The EU is proud that the law is now a reference point and a catalyst for many countries around the world to modernise their data protection rules. Businesses, including SMEs, can comply with unified rules on a more level playing field. The general level of GDPR awareness among European citizens stands at between 69% and 71%. Conversely, 30% of EU citizens are not sufficiently engaged with data protection.  This is a concern in an increasingly data-driven and artificial intelligence led future.  The EU boasts that GDPR is future-proof and provides important and flexible tools to ensure data protection / privacy by design and security by design as new technologies develop.

The Challenges

Since May 2018, there have been challenges to the uniform application of GDPR at EU level and in each EU country:

  • Between May 2018 and November 2019, 22 EU/EEA GDPR regulators issued 785 fines. However, most fines have been relatively modest and were mainly issued against the public sector and small companies.
  • The handling of cross-border cases has not been as efficient or cohesive as intended.  Differences persists in national administrative and court procedures, varying interpretations of key GDPR concepts and how and when to activate cooperation procedures.
  • Slovenia has not yet enacted new GDPR laws or updated older data protection laws and so is a weak link in EU-wide compliance.
  • Ireland and Luxembourg which hosts large global company headquarters have not received sufficient national funding and resources to meet their significant GDPR regulatory responsibilities.
  • The EU’s GDPR regulators acting as the European Data Protection Board (EDPB) mutually assist each other, but the consistency mechanism’s key dispute resolution and urgency procedures have not yet been used.

Priorities and Actions

EU institutions, GDPR regulators and national governments have been tasked with the following actions:

  • National governments should ensure that national laws and sector rules, are fully in line with the GDPR.
  • National governments should provide GDPR regulators with the necessary human, financial and technical resources to properly enforce the data protection rules and liaise with stakeholders, citizens and SMEs.
  • GDPR regulators should develop efficient working arrangements and increase the functioning of the cooperation and consistency mechanisms.
  • GDPR regulators should closely monitor how GDPR applies to new technologies such as Artificial Intelligence, Internet of Things, Blockchain, scientific research and other technologies and the EDPB will issue guidance on these topics.
  • The European Commission should continue to promote the convergence of data protection rules to ensure safe international data flows. This could include new or updated data protection laws or adopting the Data Free Flow with Trust (DFFT) concept internationally.
  • The European Commission should continue data protection adequacy discussions with non EU/EEA third-countries.
  • The European Commission will modernise and expand international data transfer mechanisms by updating the EU’s data protection Standard Contractual Clauses (SCCs) and certification mechanisms.
  • The EDPB will clarify the procedural steps to improve cooperation between the lead data protection authority and the other GDPR regulators involved in shared activities.
  • The EDPB will streamline the assessment and approval processes for Binding Corporate Rules (BCRs) to speed up the process.
  • The EDPB will complete work on the architecture, procedures and assessment criteria for codes of conduct and certification mechanisms as tools for international data transfers.

The Future

The EU believes that the GDPR’s future-proof and technology-neutral approach was tested by the Coronavirus Covid-19 pandemic and has proven to be successful. GDPR principles provided a useful framework to support the development of tools to combat and monitor the spread of the virus. This future-proof and risk-based approach will apply to the EU’s framework for Artificial Intelligence and the European Data Strategy. The overall aim is that GDPR becomes fully incorporated into the EU’s digital policy, data governance, data ethics, digital transformation, cybersecurity and pandemic recovery plans and initiatives. The EU’s strategy is also international, including engagement with African and Asian partners and inter-governmental bodies to promote regulatory convergence and support capacity-building within data protection regulators globally. There is also a plan to promote greater international enforcement cooperation between data privacy regulators, including signing cooperation and mutual assistance agreements.

Navigating Brexit Data Protection Uncertainty, Risks, and Options

Article

The UK’s departure from the EU on 31 January 2020 (‘Brexit’) changes the EU/UK data governance landscape. The agreed transition period1 until 31 December 2020 offers a period of EU/UK data protection continuity2 and ‘business as usual.’ In the longer term, however, there is uncertainty about EU to UK personal data flows, UK data protection law, and General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) compliance. EU-based, European Economic Area (‘EEA’) based, and international businesses face a series of challenges when seeking to understand and fully predict the UK’s data protection future. Wayne Cleghorn, CEO of PrivacySolved, explores these uncertainties, risks, and options to shed light and offer guidance on priorities and actions.

Mind the gap: UK data protection and EU GDPR future

EU, EEA, and international businesses and organisations understand that EU data protection laws lay at the heart of EU politics, human rights, economy, and trade. The GDPR seeks to place data protection at the heart of the EU’s single market and the future digital single market while also further elevating the protection of personal data and special categories of data as a fundamental EU right and a broader human right4. The UK’s EU Withdrawal Agreement Act5 removes the UK from this system, by revoking6 key EU treaties from applying to the UK. However, the UK enacted the Data Protection Act 2018 (‘the Act’)7 to anchor the GDPR into UK domestic law. This Act will replace the GDPR after the end of the transition period and offers most of the protections of the GDPR, but without the key functional mechanisms that other EU Member States will rely on. These mechanisms include the role of the European Commission in data protection, European Data Protection Board (‘EDPB’) membership8, the consistency mechanism9, the One Stop Shop10 mechanism, the EU-US Privacy Shield11 (‘the Privacy Shield’), and the data protection decisions of the Court of Justice of the European Union12 (‘CJEU’). Legally and practically, UK data protection divergence begins on 1 February 2020, even within the short transition period. At the end of the transition period, UK data protection risks becoming less aligned with the EU and less automatic. The UK and EU will be on different paths as a result of the post-Brexit status and inertia. This ‘new normal’ creates pockets of uncertainty, risks, opportunities, and options.

Uncertainties and risks

UK adequacy decision

UK, EU, EEA, and international businesses’ personal data flows are best protected and suffer the least disruption if the European Commission issues a post-Brexit ‘adequacy decision13’ that the UK provides an adequate level of data protection comparable to the EU. The UK has a good claim to such an adequacy decision because of its existing GDPR alignment14, but the adequacy process includes wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies15. As a result, a decision is unlikely to be made for many months and it may become entangled in the UK/EU free trade agreement negotiations occurring throughout 2020 and beyond.

International data transfers

On exiting the EU and the EEA, after the transition period, without an adequacy decision, the UK becomes a ‘third country’ in terms of data protection16. EU and EEA businesses and organisations, as well as international businesses with EU/EEA operations, need to review and plan in advance for the appropriate safeguards needed to facilitate EU to UK personal data transfers. Standard Contractual Clauses17 (‘SCCs’) are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU after the transition period. The existing Privacy Shield18 will no longer cover the UK, for UK to US data transfers, and so existing arrangements will need to be adjusted in advance and while a UK version of the Privacy Shield is created. Binding Corporate Rules19 (‘BCRs’) are a stable solution but these cover only intra-group data transfers, but take a long time to prepare and receive approval from EU data protection supervisory authorities. The agreed transition period appears to be too short to begin any substantial BCR applications at the UK Information Commissioner’s Office (‘ICO’). After transition, the ICO will no longer be a GDPR BCR-granting data protection supervisory authority, and so EU and international businesses and organisations need to examine their legal proximity and access to other EU data protection supervisory authorities for their BCR compliance activities. One key post-Brexit transition period challenge will be how EU-based data processors and sub-processors respond to data protection compliance instructions from UK-based data controllers. This scenario20 was never envisaged by the authors of the GDPR. As a result, this situation creates many complications and must be dealt with on a case-by-case basis. Bespoke contracting will be one of the ways to create solutions for these gaps.

The ICO and UK courts

At the time of publication, the ICO21 is one of the largest, most active, and influential data protection authorities in the EU and around the world. During the Brexit transition period, it will continue its GDPR supervisory authority role22, but at a distance and with the disadvantage of no longer being an active decision-making member23 of the EDPB. The ICO’s longer term position in the EU’s structures remains even more uncertain after the Brexit transition period. While the ICO will continue to safeguard UK residents and be the data protection authority for many UK-based businesses, it is unclear whether the ICO will accept and handle GDPR complaints from EU citizens, EU-based, and international data controllers and processors under the GDPR24. Several of the ICO’s key powers come from the GDPR, which has made it an integral member of the EDPB25. However, the ICO has accepted that, in law, it will no longer be a ‘supervisory authority’ for the GDPR after the end of the transition period26, but it will seek to maintain a close relationship with the EDPB. Going forward, the most impactful issue is the likelihood that the ICO will begin to apply data protection legal interpretation primarily from UK courts and not the CJEU or other EU Member States. If this occurs, UK data protection divergence will become entrenched. UK courts have only recently begun to produce high level court decisions on data protection remedies27. Post-Brexit, these courts may retreat to narrower and more UK-centric data protection interpretations and applications.

Options and actions for EU-based, EEA-based, and international businesses and organisations

In the short to medium term, the UK data protection landscape should be regarded as a work in progress, a special case, and a candidate country for an EU adequacy decision. Businesses and organisations should seek continuity where possible, reduce the risks to personal data flow interruption, and preserve UK/EU GDPR alignment as much as possible, especially within the Brexit transition period which runs to December 202028. However, this implementation period is short and there are several matters that require specific early attention, review, and action, by data controllers and data processors outside the UK.

Plan to update data protection notices, data protection policies, contract clauses about the GDPR, and initiate supply chain reviews

Key documents that have not already been reviewed will need be updated to ensure that the impact of the UK’s Brexit on data protection compliance is acknowledged in commercial arrangements. New arrangements may need to be negotiated, agreed and formally updated.

Plan to replace the UK ICO as the GDPR lead supervisory authority, One Stop Shop authority, and BCR approval authority

EU and international businesses and organisations should review their previous analysis of the UK ICO as their lead supervisory authority for the GDPR, their One Stop Shop authority, and the authority to which their BCRs can be submitted and agreed. Alternative EU supervisory authorities should be considered and selected to replace the ICO’s existing role for these activities to properly comply with the GDPR over the longer term. Detailed expert advice may be required to embed these changes. For larger organisations, the transition period could be used to consider and begin to implement any changes.

Appoint an EU representative

During and after Brexit’s transition period, the GDPR will still apply to businesses or organisations that offer goods, services, or monitor EU citizens. Where these businesses and organisations have no establishment of settled presence or stable arrangements in an EU Member State, the business or organisation must appoint an EU representative29 to liaise with the relevant EU supervisory authorities, and deal with individuals who wish to exercise their rights under the GDPR. The UK will no longer be an eligible EU Member State after the transition period. As a result, UK businesses and international businesses and organisations that have GDPR obligations will need to re-direct their GDPR compliance focus to other EU countries. International businesses should also reassess UK-based EU representatives which are currently in place. Care should be taken to negotiate and agree the scope of these appointments. The identities of the relevant instructing data controllers and data processors should be clear. Liability, insurance, and the roles and responsibilities of each party should also be explicitly agreed. It will take time to update internal and external teams, processes, technologies, and training, and so larger and more complex businesses should not wait until the end of the transition period to begin this work.

Focus on international data transfers

International data transfers can be a risky area of GDPR compliance and are subject to change. The CJEU is likely to issue court decisions on SCCs and EU institutions will provide updates on the Privacy Shield and BCRs. Currently approved EU SCCs may be updated to better reflect the GDPR. When these updates occur, the UK’s position will become apparent, especially if EU institutions and courts require changes to be made, which the UK may not be legally obliged to follow. A key test is due in May 2020, when the European Commission will present its first evaluation and review30 of the GDPR to the European Parliament and the Council of the European Union.

Focus on data protection developments in key sectors and the growth of the GDPR codes of practice and certifications

Codes of practice and certification mechanisms are being developed in the EU and UK, and may provide GDPR compliance solutions and options in the medium to longer term. These may, over time, help to bridge the increasing EU/UK data protection divide and reduce the data protection uncertainties created by Brexit.

For Enquiries:

contact@privacysolved.com

London: +44 207 175 9771 \ Dublin: +353 1 960 9370

www.privacysolved.com

References:

1. Articles 126-127 of the EU / UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

2. Article 128 of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

3. GDPR, available at https://eur-lex.europa.eu/eli/reg/2016/679/oj

4. GDPR, Recitals 1-8.

5. EU (Withdrawal Agreement) Act 2020, available at: http://www.legislation.gov.uk/ukpga/2020/1/contents/enacted

6. Section 1 of EU (Withdrawal Agreement) Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/16/contents/enacted

7. UK Data Protection Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

8. Articles 68-76 and Recitals 139 – 140, GDPR.

9. Articles 63-67 and Recitals 136 – 138, GDPR.

10. Article 56 and Recital 127, GDPR.

11. Available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#commercial-sector-eu-us-privacy-shield  and https://www.privacyshield.gov/welcome

12. Available at: https://curia.europa.eu/jcms/jcms/j_6/en/

13. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

14. See: https://publications.parliament.uk/pa/cm201719/cmselect/cmexeu/1317/131702.htm

15. See: https://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf

16. See Speech by EU Chief Negotiator Michel Barnier on 26 May 2018 in Lisbon “..And we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us” available at: https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_18_3962

17. Article 46, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

18. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

19. Article 47, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

20. EDPB Guidelines 3/2018 on the territorial scope of the GDPR, available at: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en

21. See: https://ico.org.uk

22. See “Statement on data protection and Brexit implementation – what you need to do” on 29 January 2020 and updated “Brexit FAQ”, available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do/

23. Article 128 (5) of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

24. Article 57, GDPR.

25. Articles 51-59 and Recitals 117-129, GDPR.

26. See: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal-3/the-gdpr/ico-and-the-edpb/

27. See Vidal-Hall v Google Inc [2015] EWCA Civ 311 [2016] QB 1003 see: https://www.judiciary.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf and Lloyd v Google [2018] EWHC 2599, see: https://www.judiciary.uk/wp-content/uploads/2018/10/lloyd-v-google-judgment.pdf

28. Section 33 of EU (Withdrawal Agreement) Act 2020.

29. GDPR, Article 27.

30. GDPR, Article 97.

Also published by DataGuidance

Five Key Steps to Take ahead of CCPA Enforcement

The California Consumer Privacy Act 2018, or CCPA, took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement beings on 1 July 2020. California is the world’s fifth largest economy and is home to some of the world’s most innovative companies and discerning consumers.

  1. How can we plan for CCPA enforcement, during Covid-19?

The regulator, the California Attorney General can enforce the CCPA after 1 July 2020 but can look back to January 1, 2020 when making enforcement decisions. The coronavirus covid-19 pandemic period is included. Companies and organisations need to document their pre Covid-19 CCPA compliance steps as well as the changes made to these compliance programmes by the impact of Covid-19.

  1. How important are data flow mapping and personal information inventories?

Data flow mapping and the creation of personal information inventories are key to CCPA compliance. There are many ways to create these and work from General Data Protection Regulation (GDPR) compliance activities can help. As part of this process, the approach taken by key suppliers, such as making CCPA rights available to all citizens across the USA or worldwide, will impact your company’s or organisation’s risk profile.

  1. What are the key areas we should spend time on at this stage?

The CCPA, like similar laws, places consumers and users personal information at the centre of data governance. Companies and organisations should focus on consumer touch points including privacy policies, consumer notices, consumer opt-out mechanisms, terms of service and data subject rights processes. It is very important that companies and organisations put in place and test their identity verification processes. For App-only companies and organisations or those with a lot of App-based customers, developing just-in-time consent notification solutions is a CCPA requirement that can lead to real and lasting consumer innovations.

  1. What should be our approach to CCPA and cybersecurity?

Where there is change, uncertainty or fear, cybercrime and cybersecurity incidents rise. CCPA requires substantial changes to data governance and data flows, which is significantly affected by the impact of coronavirus covid-19. Companies and organisations should strengthen their information security defences to reduce the impact of phishing attacks, impersonation, fraudulent CCPA applications and social engineering that uses the CCPA as a trigger.

  1. What are the steps to take to prepare for the next stages of privacy changes in California?

The California Attorney General will publish the finalised CCPA enforcement regulations in the coming weeks for agreement. Federal and California state-level coronavirus covid-19 rules will impact consumers across a range of sectors affected by CCPA. There are plans to submit a new California Privacy Rights Act (CPRA) into the November 2020 ballot to extend the scope of CCPA. Companies and organisations should avoid CCPA programme mission creep, especially as the global economy cools. Speculative or draft privacy changes should be monitored and assessed, but not confuse or detract from core CCPA compliance.

Further Information:

PrivacySolved Briefing: Five Key Things to Know about California Consumer Privacy Act (CCPA)

California Attorney General CCPA Resources

Californians for Consumer Privacy CPRA Resources

For Enquiries:

contact@privacysolved.com

GDPR 2 Years On: Board and Leadership Priorities

Briefing

Companies and organisations have had four years to implement the EU’s General Data Protection Regulation (GDPR), since it became law in 2016. May 2020 marks two years since enforcement of the law by the EU’s twenty-eight GDPR regulators began. GDPR has transformed global data governance standards and expectations. It has created a new lexicon for data protection, new responsibilities, new rights, new processes, new governance tools and has empowered the Data Protection Officer (DPO). GDPR compliance requires more than generalised assurances of privacy or data security. The requirements can be exacting, and companies and organisations must demonstrate compliance and accountability to prove their competence. The most forward-looking organisations now leverage data protection as a key market differentiator, a trust-building asset and a catalyst for data and cybersecurity innovation. The marketplace and individuals are now placing companies and organisations on an emerging spectrum of data ethics, seen through the prism of privacy by design, security by design, data minimisation, transparency and accountability. There are many lessons for boards and leadership teams and key issues to prioritise.

EU GDPR Regulators, Capacity Building, Enforcement and Fines

The GDPR can only be as effective as the levels and quality of enforcement that takes place. The GDPR required most EU data protection regulators to increase their staff, resources and working practices to deal with the sharp increases of GDPR complaints that arrived on and after May 2018. Since then, there have been  few multi-million Euro fines and some commentators have wrongly concluded that the GDPR has not been effective. GDPR regulators in France, United Kingdom, Germany, Italy, Netherlands and Spain have been the most high-profile and active in enforcement, but most of their output has been to publish detailed guidance, legally binding Codes of Practice and to put forward strategic positions on new and emerging technologies such as artificial intelligence, adtech, cookies, tracking technologies and privacy by design for children’s online services. Early enforcement has focussed on public sector bodies and smaller organisations. Several GDPR regulators had put in place GDPR enforcement moratoriums between May 2018 and May 2019 in order to build their capacity and to reduce their 2018 complaints backlogs. For some GDPR regulators, there has only been twelve months of proactive enforcement. The over-reporting of low risk personal data breaches since May 2018 has diverted much GDPR regulator time and resources.

Overall, GDPR regulators have been cautious in issuing high value fines. When EU-wide enforcement decisions are assessed together, it is clear that GDPR regulators are actively building a strong body of decisions, opinions, legally enforceable codes of practice and lower-level fines which will increasing expose GDPR compliance outliers. These will form the basis of future fines and more aggressive enforcement, especially for basic non-compliance and repeat complaints.

The European Data Protection Board (EDPB), which brings together all twenty-eight GDPR regulators, has been under-utilised, although its opinions, consultations and decisions are regarded as offering high quality GDPR legal interpretation and application. The EDPB’s work has focussed on its internal capacity building, work with other EU institutions and administering the twenty-eight GDPR regulator projects and meetings. A change of emphasis towards sharing large and high-profile investigations, constantly rebalancing resources to speed up enforcement decisions across all the EU regulators and actively supporting small and newer GDPR regulators would improve GDPR enforcement outputs. Taking a lead on globally significant cross-cutting issues such as data protection in politics, privacy-invasive technologies, data protection and market competition and privacy-enhancing cybersecurity, could systematically increase GDPR application and reduce individual complaints.  The EDPB could better use the powers it has in the GDPR to develop its unique voice and contributions. Board and leadership teams should continue to monitor how GDPR regulators are incrementally dictating the rules of the road for data governance and information security, especially for new and emerging technologies. The GDPR decisions of the EU’s highest courts, and the courts of each EU member state should also be monitored. These decisions can have immediate impacts on business models, data protection risks, supply chain data exposure and market positioning.  

Data Protection Officers (DPOs)

Data Protection Officers are one of the GDPR’s most powerful tools. They are mandated to report to the highest level of management in companies and organisations, must have enough resources, must act independently, must be protected from penalty and intimidation and all have a duty to co-operate with GDPR regulators.  Individuals can contact DPOs directly, public bodies must appoint DPOs and their knowledge of the data and security ecosystem and organisational supply chains make them unique and formidable net contributors. They can also help to influence and shape data governance, cybersecurity risk appetite and data ethics.

However, there is a shortage of senior DPOs in the EU and around the world.  Too many DPOs are not as well paid as they should be and some lack the required status, influence and respect within organisations. Often, their ability to access the board and senior leadership team is mediated by unnecessary layers of management and bureaucracy. It is common to find that named DPOs often perform other management roles within the organisation that can conflict with their DPO role and affect their independence. Many DPOs are not consulted and included early enough, within projects, so that privacy by design work and data protection impact assessments can inform key decisions. External DPOs and Data Protection Officer as a Service (DPOaaS) are growing service offerings but it will take time to diversity these offerings and provide more innovative solutions. Boards and leadership teams must actively review the position, role and tasks of DPOs. Their reporting structures, resources and their contribution must be analysed. EU, EDPB and guidance from each of the EU’s GDPR regulators, where applicable, should be incorporated into organisations to increase GDPR compliance. DPOs must work in close partnership with Chief Information Officers and Chief Information Security Officers. Communication between DPOs, the board, senior leadership team, the C-Suite and operational heads should be easy, transparent, trusting and purposive. DPOs should be acknowledged as key asset guardians, critical friends and enablers.

Privacy by Design and Data Protection Impact Assessments

Before GDPR, Privacy by Design principles were practiced in highly regulated sectors and often only in the largest and most innovative organisations. GDPR has democratised and added Privacy by Design, Privacy by Default and Data Protection Impact Assessments (DPIAs) firmly into the data governance lexicon. These principles and data governance tools are expected to influence data flows, contribute to the design of new technologies and create a framework for risk-analysis, mitigation and review throughout data life cycles. GDPR regulators are beginning to request evidence of these. In the public sector, government bodies are increasingly expected to publish assessments of their digital transformation projects, smart cities initiatives, coronavirus covid-19 contact tracing apps and facial recognition technology projects.  Boards and leadership teams, should encourage a culture of data protection impact and data risk analysis, fully engage with these evaluations, monitor outputs and encourage their supply chains to demonstrate compliance, especially cloud services and emerging technologies.

Cybersecurity Takes Centre Stage

Information Security and Cybersecurity expectations were not fully developed in the pre-GDPR EU data protection laws. The GDPR has pulled these topics to the centre stage, allowing companies and organisations to address data protection and cybersecurity in a more integrated way. Personal data breach fines, notifications to regulators, notifications to data breach victims, data processor cybersecurity requirements and clearer risk-based information security analysis based on the costs, context, purpose and state of the art in information security are GDPR innovations. The power and impact of this is shown in the over reporting of information security incidents between 2018 and 2019 by many organisations in the EU.

Pseudonymisation, encryption, confidentiality, integrity, availability and testing are all specifically written into the GDPR. Detailed guidance has been issued by various GDPR regulators across the EU, and many provide online personal data breach reporting. The growth of cybersecurity monitoring, real-time reporting and breach incident management software continues. GDPR personal data breaches are widely reported in the media. GDPR has added momentum to existing efforts to publicise the impact of data breaches on organisations’ reputation, share price, consumer trust, user engagement, market share and profits. As a result of this, boards and senior leaders must remain fully engaged with their cybersecurity risk profile and encourage their teams to risk-assess their supply chains, practice data breach drills, purchase effective cybersecurity insurance, apply relevant GDPR regulator guidance, train staff and partners and empower their entire organisations to actively remain within a framework of information security resilience.

GDPR, Global Soft Power and Future Expansion

The GDPR exerts soft geopolitical power, bilateral trade power and is an engine for the international growth of data ethics and security by design. For example, GDPR was a key component in the EU-Japan Economic Partnership (Trade) Agreement in 2019 and the accompanying Japan Data Protection Adequacy Decision in 2019. GDPR and personal data flows are also key themes in the EU-UK Brexit trade deal negotiations taking place in 2020. The key question in Brexit is whether the EU will grant the UK data protection adequacy status or will both sides concede that the UK should be treated as an outsider “third country” for data protection and GDPR purposes. The GDPR has become the global reference point for data protection standards and has inspired new draft laws, updates of established laws and new enactments in Australia, Brazil, California (USA), India, Jamaica, Japan, South Korea and Thailand, with more countries to follow. In the USA, numerous states now have draft laws and the US Federal government also has a range of similar draft laws to consider.

Companies and organisations are actively seeking ways to develop data ethics frameworks for data use and data sharing around the world. GDPR is maturing previously nascent data governance ideas and creating new tools and a language that boards and leadership teams must understand, analyse and implement. After two years of GDPR implementation, the European Commission is not proposing major changes to the GDPR’s legal text. It believes that the law and how it can be applied are sufficiently intuitive and adaptable. EU GDPR policy makers are keen to see the law interpreted and applied to all new and emerging technologies. GDPR enforcement in the form of high impact fines will come. For now, GDPR is not actively expanding in scope, but it is broadening its application while also discreetly consolidating and strengthening its EU and global impact.