To no great final surprise, the European Commission has adopted its adequacy decisions in respect of the UK.
Here’s a piece by me on the Mishcon de Reya website.
Category Archives: Europe
UK adequacy confirmed
Filed under adequacy, Data Protection, Europe, GDPR, international transfers, law enforcement
New Model Clauses – a Mishcon podcast
My colleagues, partners Adam Rose and Ashley Winton, discuss the new European Commission Standard Contractual Clauses announced on 4 June 2021. I honestly can’t think of two better people to discuss what they mean.
Initial Reactions: New Standard Contractual Clauses (mishcon.com)
Filed under adequacy, Brexit, consistency, Data Protection, data sharing, EDPB, Europe, GDPR, international transfers, Schrems II
GDPR’s scope – does it extend to China?
The answer to the question in the title is, of course, “yes”, if the processing in question is of personal data of data subjects in the EU, by a controller outside the EU, and related to the monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union.
So, the activities of Zhenhua Data, in compiling its Overseas Key Individual Database, as described in The Mail, will be squarely within the scope of Article 3(2) of the General Data Protection Regulation (GDPR):
Boris Johnson and the Queen are among 40,000 Britons listed on a database compiled by a Chinese tech firm with reported links to Beijing’s military and intelligence networks, it can be disclosed.
Files on senior British politicians including the Prime Minister, members of the Royal Family, UK military officers and their families, and religious leaders are currently being stored by Zhenhua Data, a technology company based in Shenzhen, China as part of a ‘global mass surveillance system on an unprecedented scale’.
It seems difficult to imagine that the processing can possibly comply with GDPR. Where is the Article 14 notice? What is the Article 6 legal basis? Or the Article 9 exception to the general prohibition on processing special categories of data? Or the Article 30 record of processing activities? Or…or…or…?
But here’s the problem with any legislative attempt to extend the scope of laws beyond geographical and jurisdictional borders, to the activities of those who are not consulted, nor assigned rights, nor (in all likelihood) bothered: how does one enforce those laws? In 2018 (oh those heady early GDPR days!) the Information Commissioner’s Office (ICO) was reported to have told the Washington Post that its practice of only allowing those who paid for its premium subscription to refuse tracking cookies was unlawful. How many figs the WaPo gave is evidenced by a glance at its current subscription model:
(i.e. it appears to have changed nothing.)
Indeed, as the ICO said at the time
We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter
If there was nothing ICO could do against a newspaper outside the jurisdiction, consider how unrealistic is the idea that it might enforce against a Chinese company rumoured to work for the Chinese military, and which is said to view its mission as ‘using big data for the “great rejuvenation of the Chinese nation”‘.
The logical question, though, which arises is this – in the absence of an effective regulatory scheme to enforce them what exactly is the point of GDPR’s (or even more trenchantly, the UK GDPR’s) extra-territorial scope provisions?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, enforcement, Europe, GDPR, Information Commissioner
One-stop shop starts to get interesting
The disagreement between the EU supervisory authorities over an Irish DPC draft decision could mark the start of a line of cases which the EDPB will need to resolve – and maybe resolve to the consternation of the DPC, and Big Tech
As the UK hurtles backwards, blindfolded and with both arms tied behind its back, towards the precipice that is the end of the Brexit implementation period (31 December), and with no sign that the government is particularly pushing for an adequacy decision for the UK, it hardly seems worth it (the ICO is, for instance, already no longer a member) to analyse the implications of the news that the European Data Protection Board (EDPB) is being required to take its first binding decision pursuant to Article 65 of GDPR.
But I’m going to.
The Article 65 process has been triggered because an unspecified number of other supervisory authorities have raised objections (as they are entitled to) to the draft decision of the Irish Data Protection Commissioner (DPC) – the lead supervisory authority – in its investigation of of whether Twitter (more correctly “Twitter International Company”) complied with its personal data breach obligations under Article 33 of GDPR, in relation to a notification it made to the DPC in November 2018. In line with Articles 56 and 60, the DPC submitted its draft decision in May of this year. As this was a case involving cross-border processing, the DPC was required to cooperate with the other supervisory authorities concerned. One assumes, given the controller involved, that this meant the supervisory authorities of all member states. One also assumes that most complaints involving Big Tech (many of whom tend to base their European operations in Ireland, thus making the DPC the default lead supervisory authority) will similarly engage the supervisory authorities of all member states. The DPC already has many such complaint investigations, and, courtesy of civil society groups like “NOYB“, it is likely to continue to get many more.
Article 65 provides that where another supervisory authority “has raised a relevant and reasoned objection” to a draft decision of the lead supervisory authority, and the latter then doesn’t agree, then the EDPB must step in to consider the objection. The EDPB then has one month (two if the subject matter is complex) to reach a two-thirds majority decision, or, failing that, within a further two weeks, to reach a simple majority decision. The decision is binding on all the supervisory authorities.
And here’s where it gets interesting.
Because it must mean that, in circumstances where the EDPB agrees with an objection, then the lead supervisory authority will be bound to accept a decision it probably still does not agree with, and determine the substantive matter accordingly. In the context of the DPC, and its jurisdiction over the European processing of the world’s largest technology companies, this sounds like it might be a lot of fun. There are many supervisory authorities on the EDPB who take a substantially harder line than the DPC – if they end up being part of a simple majority which results in a “robust” binding decision, fur might well fly.
The controller being investigated appears to be able to challenge the EDPB’s decision by way of judicial review under Article 263 of the Treaty of the Functioning of the European Union. There is no direct route of appeal under the GDPR. But presumably an aggrieved controller may also potentially challenge the lead supervisory authority’s decision (which, remember, the latter might essentially disagree with) through the domestic courts, perhaps to the point where a referral to the CJEU could then also be made.
No doubt some of this may become clearer over the next few months. And, though it pains me to say it, and though it would be a development fraught with complexity and political shenanigans, maybe the UK will start to look like a more attractive place for Big Tech to base its European operations.
[This piece was updated on 24.08.20 to correct/clarify a point about the availability of judicial review of the EDPB].
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under adequacy, Data Protection, EDPB, Europe, Ireland
Ofqual and the International Baccalaureate – more woes?
UPDATE: 23.08.20 One week on from this original post below, and it is clear (and unsurprising, when one reads the details) that many IB students are still deeply unhappy about the process, and now, with the u-turn on the A-Level awards, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed an unfair algorithmic process. Also one week on, there seems to have been no word from the ICO about the decision of the Norwegian DPA, and what it means for UK IB students. END UPDATE.
UPDATE: 17.08.20 It appears that the IBO has responded to concerns (and possibly to the Norwegian DPA’s investigation, by reviewing the results, and making an adjustment to awarded results, with the emphasis that “no student will receive a lower grade than what was received previously”) END UPDATE.
In a piece for the Mishcon de Reya website last week, I noted, in the context of the recent A-Level awards fiasco, that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order the latter to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO has until 21 August to “contradict” the Norwegian DPA’s draft decision.
What I had not fully appreciated were two things:
- The effect of the Norwegian DPA’s draft decision, should it be formalised, may be that all IBO grades based on such data would have to be re-done, not just those of Norwegian children.
- In a move now saturated with irony, the IBO’s grading process is, apparently, already being scrutinised by…erm…Ofqual, to whom the IBO’s awarding model was submitted , both prior to its actual use and to the issue of results.
The second point raises the rather remarkable possibility that Ofqual was a controller, in GDPR terms, for the International Baccalaureate model, as well as for the English A-Levels. This will only add to its already significant woes.
The first point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that the IBO is offering (which it clearly is) goods or services to data subjects in the European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2). So, although in theory, the Norwegian DPA’s decision would only apply in respect of the processing of personal data in respect of Norwegian data subjects, in practice it is very difficult to see how the IBO could comply with an order only applying to Norwegians, when the effect of the order would be that IB candidates across everywhere would have had their data impermissibly processed in the same way. If it decided not to redo all awards, and just Norwegian ones, then presumably supervisory authorities across Europe, including the Information Commissioner in the UK, would need to investigate.
[This post was edited to reflect the blindingly obvious point that Norway is not in the EU, but is in the EEA. I’m embarrassed to admit that I’m only human]
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under accuracy, EDPB, Europe, GDPR, Information Commissioner
Schrems II – what now?
A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).
Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.
Schrems II – this time it’s serious
As soon as judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.
Some takeaways
- The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
- Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
- The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge.
- Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
- Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.
There’s nothing like consistency
A tale of two Member States, and two supervisory authorities.
First, the Belgium Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).
Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO), is its Head of Risk and Governance.
Let’s speculate –
Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?
Would the Belgium DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions“).
What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?
Does it matter, given Brexit?
And if doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?
No answers folks, just questions.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under adequacy, Brexit, consistency, Data Protection, Europe, GDPR, Information Commissioner
€9.5m GDPR fine to German telco for insecure customer authentication
Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.
Filed under Data Protection, Europe, GDPR, monetary penalty notice
No direct liability under GDPR for representatives, says EDPB
I have a new post on the Mishcon de Reya website, drawing attention to a change from draft to agreed EDPB guidance which might make being a GDPR representative much more attractive.
Filed under EDPB, EU representative, Europe, GDPR
informationrightsandwrongs 