Schrems II: what does this mean in practice?

In the flurry of (my) excitement after the Schrems II judgement I got to thinking: isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions, knows that I usually start with “compliance is not just about doing the right thing, but showing you are doing the right thing”. This is exactly what the judgement is asking us to do now.

The Privacy Shield has been invalidated, mainly because government access to the transferred data is not limited to what is “necessary” and “proportionate”, and because EU data subjects lack an actionable remedy. So in practice, companies will need to look for an alternative legal basis to enable transfers under the GDPR. There are options of consent or other derogations, but the only practicable way of making transfers valid is by Standard Contractual Clauses (“SCCs”). These clauses remain valid, albeit with some questions raised.

Companies will now have to do proper third-party due diligence and develop actionable protections for data transfers, either through the existing laws of the recipient country, through their own contractual and technical measures, or a mix of both. So what does “appropriate due diligence” mean in practice? It could mean a checklist that identifies clearly to which third country the data is being transferred; a collection of best practices on the laws of well-known importing countries; and an assessment of which security measures can be taken to further protect the data.

In reality, these SCCs were almost “too good to be true”. Some practitioners had developed a bad habit of “throwing” them into a contract and never looking back. It is of great benefit to the privacy community to see that SCCs are upheld. I reinforce the message that companies should understand fully (if they do not already) what EU safeguards require, carry out case-by-case due diligence to see whether the foreign government’s (not only the US government’s) rules on access to data meet the EU standard and, if they do not, put in place additional safeguards.

This is exciting for privacy lawyers like me, as we get the opportunity to reinforce our collaborative efforts with our infosec colleagues. This development brings us closer together in determining what the landscape looks like, what is required and how we make it happen. We can now come to the table together and determine how to do these transfers safely, relying on our infosec colleagues for expertise and our legal colleagues to get it airtight in the contract. Then both functions work together to raise awareness in the organisation.

Companies will have to start looking outwards to see whether their industry is one that is regulated or targeted, and what the “likelihood” of government interference is. This means good things for data subjects, as there will be a natural effort to reduce the amount of data transferred in order to reduce risk, thereby strengthening the minimisation and necessity / purpose principles.

Recipients will have to ensure that they really do have a solid plan in place for end of life, both of the contract and of the data within it. We will likely see more complex rolling retention periods established in order to reduce the amount of data held by third parties, thereby reducing risk (of breach and of government interference).

I’m confident the guidance from the Irish Data Protection Commission will contain these principles and I will continue to monitor the developments and report regularly on practical steps companies can take.

If you like what you read, connect with me on LinkedIn!

The ethics of privacy

Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international and regional treaties. Privacy underpins human dignity and other key values such as freedom of association and freedom of speech. It has become one of the most important human rights issues of the modern age. And yet, for many, the GDPR is the beginning of privacy law as we know it, the most remarkable difference being the introduction of some really sizeable fines. So how does this affect the ethics of privacy?

Privacy is, in its nature, an element of compliance. Compliance with privacy laws, and with the “intention” of privacy laws, is how we show optimal data protection. When talking of compliance, I always say that “compliance is not about just doing the right thing, but showing we are doing the right thing”. Compliance is only possible with accountability. No one ever challenges the idea that compliance is about doing the right thing. We should remodel our approach to privacy away from mere compliance with the law and towards the behaviour of doing the right thing. The GDPR helps us to show we are doing the right thing; it helps us to show our accountability, but it is not the reason privacy exists.

Why is this important for companies? Privacy is now a central element of business ethics. It forms part of the corporate approach to handling controversial subjects in order to gain public trust and support. No matter what the industry, data is essential to the functioning of business. Without an ethical approach to handling data, it will not be entrusted to those who need it most to make the business turn. An ethical approach also maintains reputation and helps avoid significant financial and legal issues, and thus ultimately benefits everyone involved.

Bring the forces back!

We have spoken a lot about WFH. But what about “return to office”? Here are some tips for a seamless return from a privacy perspective. Firstly, be careful with sensitive data. If you are processing Covid-19 test results, these are health data, and hence they are special category (sensitive) data. You need an Article 9 condition in addition to an Article 6 lawful basis. The relevant condition will usually be the employment-law condition in Article 9(2)(b).

Demonstrate accountability through a DPIA. This DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

Collect the minimum amount of data. For example, you will probably only require the result of a test, rather than additional details about underlying conditions.

Keep the data accurate. Record the date of any test result to pin it to a particular time period. The health status of individuals may change over time and a test result may no longer be valid.

Store lists of affected employees securely. Work with your HR teams or other site leaders to ensure that access is restricted to those who need it and that the files themselves are protected (password protection at a minimum).

Transparency is crucial, so a privacy notice to staff will be required prior to processing. This doesn’t have to be “legalistic”; it could be beneficial to write a short note to colleagues to let them know how you plan to support them and their families in case of infection.

Work from home safely. Get cybersecurity cement.

Since March we have seen an increase in cyber incidents relating to the current pandemic. During this period, reports suggest not necessarily an increase in cybercrime but instead a visible increase in the use of Covid-19 as a lure for tricking unsuspecting victims. In other words, no new crimes, but old crimes using new tricks.

Phishing, malicious domains and ransomware using Covid-19 as bait are the most prevalent tactics, but there is also an increase in attacks on vulnerable remote access technologies. Out-of-date software, or indeed software developed without adequate privacy and security considerations, is higher risk when combined with home networks and inexperienced users. Work from home has become a reality for most in a very short space of time. Many organisations have had to cobble together solutions to meet demand, for example relying on VPN appliances that had not been patched, or on insecurely configured remote-access services exposed directly to the internet.

Whilst security measures (such as patching and penetration testing) are obviously essential to protecting organisations, the increase in cyber incidents demonstrates the importance of data protection by design and by default. A data protection impact assessment (DPIA) allows for adequate risk identification and works towards achieving appropriate controls. It is also a robust way of documenting project development to ensure that privacy takes a structured place in design work-streams. Data protection by design and by default can supplement and support infosec colleagues in ensuring that incidents are dealt with in an appropriate manner.

Finally, an essential part of any DPIA is to identify the immediate mitigations that are necessary, and the subsequent actions to prevent recurrence, i.e. to remediate. I have never done a DPIA that hasn’t made reference to training. Indeed, training is the cement that ties cybersecurity and privacy together and creates the strong wall of defence for an organisation. Many organisations should be looking at retraining the workforce after the pandemic. This is not to “teach” them how to work from home, but how to do it “safely”!

Accountability. Implications for a Controller using CCTV.

But what is a controller, I hear you ask?! Once again we return to the “purpose and means (essential elements) of processing”. Not trying to get boring about it, but this is where the magic happens! We have some interesting and challenging situations to consider. We need to always come back to who is the real controller of the camera: not just who put the camera up, but why, for what purpose, who benefits, and who decides how it is used.

We also need to consider the types of data being processed. For cameras, it’s images and sound, probably not a lot more. This footage is what delivers the security benefit, so it is realistic to expect it to be retained for a period of time.

Cameras in communal areas of apartment blocks, cameras on the street, cameras in areas that are semi-public: they all pose challenges that are not easily answered by the GDPR. Public cameras are also on the increase. Police forces are protecting us as a community with strategically placed cameras. It seems that no matter how far we roam we are never too far away from a CCTV camera. The central question for all of us is “who is the controller?”.

So does the right of the controller to use this camera to “prevent” or “solve” crime override your right to the protection of your personal data? The European Data Protection Board suggests a particular methodology for private persons to follow. The controller should have tried other methods and determined that video surveillance is the necessary solution. From there, they need to ensure that they are applying the minimisation principle. Video surveillance to “prevent accidents” is not proportionate. Individuals should not be monitored in places where they don’t expect to be monitored, such as changing rooms or saunas.

The household or domestic exemption in the GDPR is interpreted strictly, and is getting stricter following recent guidelines. These days, if we buy a camera for our home we must be prepared to take responsibility for it. This means (among other things) that we should be really clear about the purpose of the camera, position it correctly, and have a sign letting people know that there is camera surveillance.