CNIL partners with the Order of Chartered Accountants to help SMEs improve their compliance with the GDPR.

While many transnational companies are still nursing the headache that ‘Schrems II’ brought in July, the problem for SMEs looks simpler and more mundane: they seem unable to meet even the more general and clear data protection requirements without external help.

This takes us back to the early debates (still sometimes heard today) about whether the GDPR may be too burdensome for many business actors. And we can see that it really may be so.

H&M have invaded employee privacy

Hot off the press: H&M (a Swedish business) has been fined €41,4m, although the fine was due to practices in one of its German outlets which were not compliant with the GDPR.

Clearly, as an employer it is difficult to avoid collecting sensitive data from employees: when they are sick, the notification itself is sensitive, and a DPIA must be conducted on how the notification and the following process are handled, in order to identify any privacy risks and the remediations necessary to minimise the risk of harm to the rights and freedoms of each employee.

It seems that H&M were conducting a “welcome back to work” interview after sickness/vacation, recording the contents of the conversation, and storing it somewhere. Unfortunately for them, this became exposed, and they were found out because they were reported to the German DPA.

It seems a bit of a pity, as the purpose of the interview appears to be positive and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside the specific purpose of the conversation, and the indications (from what I read) are that this personal data was in fact used beyond mere storage, in that 50 managers had access.

Bad news for H&M. Great news for privacy and the GDPR. Great work Germany, as usual at the forefront of data protection and the privacy of each and every data subject!

CoC for Cloud Service Providers is now underway

It was announced last week that the EU Data Protection Code of Conduct (CoC) for Cloud Service Providers is now underway.

Designed as a safeguard for international data transfers under GDPR Article 46(2) in a post-‘Schrems II’ world, the CoC might become interesting in its own right. At the same time, it still leaves us with the same question as the SCCs upheld by the CJEU: how can a formal legal mechanism remediate inadequate privacy practices in a third country?

After the Privacy Shield (PS) invalidation, the suggestion to migrate to the SCCs in order to continue EU-US data transfers looks odd, because a formal change of the underlying legal mechanism actually changes nothing in the defective privacy practices of the US intelligence services. If we replace the USA with any other third country with similar practices and/or take a CoC instead of the SCCs, the conclusion remains the same.

To that end, it is highly questionable whether a CoC can become a ‘window’ to America (as currently expected). At the same time, let us see how this will work in real life. Indeed, if the SCCs can in fact be deemed a proper safeguard in place of the PS (despite the conflict with common sense), why could a CoC not?

Do the new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?

Allocating roles within a group of different actors can often be very difficult, in particular when drawing the line between joint decisions and separate ones gets tricky.

Say that a parent company offers its subsidiaries the use of a new uniform online platform for processing orders placed by customers entering into a supply contract with a subsidiary. There are at least two actors here, so how should roles be properly allocated?

The ‘Guidelines’ intend to provide some new tips for spotting joint controllership in paragraphs 3.2.2.1 and 3.2.2.2, but all of them still revolve around what has always been clear from Article 26: finding out how the means and purposes of processing are defined requires careful case-by-case assessment. To that end, the ‘Guidelines’ would rather be expected to outline a clear methodology for how this assessment should be performed.

Referring to the question above, for example, it might revolve around questions like: does the parent company make it mandatory for the subsidiary to use the online platform (and thus solely define the means and purposes)? Or can the platform only be used following a common decision of the parent company and the subsidiary to do so?

Instead of a methodology, we (not only but mostly) see examples. Examples are always good, but they are rarely helpful when the factual picture in practice differs (even slightly) from the one described in the example. In other words, examples contain an analysis of very specific facts alone, while a privacy pro needs an understanding (a method, a checklist, etc.) of how to properly approach every possible set of facts.

Good job, EDPB, but could you please try again?

GDPR Considerations in European-American University Research Contracts

Negotiating R&D contracts with European partners over the past 20 years has always been my favorite type of transaction work. You have the cultural differences, the time zone issue, language issues, IPR issues, liability and indemnification issues, currency issues, and other issues that add complexity to the negotiation (and ultimately management) of such transatlantic research contracts.

Since May 25, 2018, the date that the GDPR came into force, the exporting of European personal data to America via research contracts has assumed more importance in the international contracts realm. In this brief post I want to point out several of the large buckets that university contract negotiators need to consider in negotiating and managing such contracts (and ultimately the relationship between the parties).

The scenario covered by this article is a European sponsor (government, foundation, private company, etc.) who wants to provide money to an American university for specific research work, such work often involving the private information of European data subjects and requiring its exporting to the U.S. partner. For example, such a scenario could involve funding from the European Commission to Harvard University. Now onto the buckets.

Bucket 1: Ascertaining Important Data Protection / Privacy Information Parameters at the Beginning

This bucket includes the information that should be ascertained at the beginning: the pre-award / proposal development / Scope of Work (SOW) stage of the research partnership. Here are some questions that should arise on the American side: Is there a European address? Where is the corporate headquarters? Why does your partner want to include GDPR terms in the contract?

At this stage, it is also important to determine what type of data is being transferred and whether the data meets one of the three standards for GDPR application to U.S.-based organizations: 1) physically present in the EEA; 2) offering goods / services in the EEA; or 3) monitoring behavior in the EEA. These questions, and their follow-on ones, really are part of the partnership-building process at the beginning. This should happen well before the issuance of a research contract for negotiation and signature.

Bucket 2: Who is the Controller? Who is the Processor?

This is Privacy 101, but these questions are foundational. Who determines the purposes and means of the processing of European personal data of data subjects? (Controller) Who acts on behalf of the Controller pursuant to a data processing agreement? (Processor) These roles need to be determined as the project is conceptualized and developed.

Once again, it is useful to look at the Scope of Work (SOW) to determine what role is best suited for each party given the proposed research activities.

While for most European-American projects the European Sponsor / Funder of research activities would be the controller and the American university the processor, it is still theoretically possible for either contracting party to be a controller, processor, or joint controller. Once again, it depends on project scope and what each party is doing during the project.

Conclusion

This relatively short post is meant as an introduction to the GDPR dimensions of transatlantic university research contracts. Data protection / GDPR considerations have joined a multitude of programmatic and contractual issues for these international contracts. A future post will focus on contract negotiation. Please feel free to leave comments below.

International companies transferring personal data to multiple 3rd countries are unlikely to soon find a 100% workable approach to address ‘Schrems II’ implications.

Why do I think so? It stems from a superb article written by the IAPP authors, who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and to continue data transfers to the USA based on supplemented SCCs (see the link below).

Just take a deeper look and see how many details of US law are taken into account and analysed, and on which basis practical recommendations are given. At the same time, the CJEU has in effect introduced the requirement to evaluate the legal landscape in every third country that imports data flows.

The above means that the same exercise should be conducted in relation to each third country. In many of them the laws may not even be translated into English or be publicly available, and case law may be unclear or even absent. Such an analysis will almost certainly require a great deal of time and money, given the absence of any grace period.

Where to get help:

  1. See my short article on how to start with the assessment without spending budget: https://www.linkedin.com/posts/tiazhelnikov_two-money-saving-starting-points-on-how-to-activity-6696105568085561344-qJFl
  2. See Essential Guarantees Guide (https://www.essentialguarantees.com) which can help you analyse surveillance practices in different countries across the globe.
  3. Expect more from me on this issue in the following weeks as we at Carlsberg HQ are launching a «Schrems II Working Group» to share thoughts and develop an action plan.
  4. Remember that a ‘wait and see’ approach is not an option here; complexity is no excuse for doing nothing in the hope that the Supervisory Authority will wait too.

BCRs: Tetra Pak has just got them approved in Sweden

An extremely interesting development, considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussion on the legality of Binding Corporate Rules since Schrems II; after all, surveillance in the U.S. is omnipresent and we have no control over it here in the E.U., but in reality what this decision means is that we need to be realistic: business must go on.

My take on the transfer of data is to dive into the potential risks to the rights and freedoms of the natural person. If there are none, e.g. you are only transferring the email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records, I find it difficult to really force myself to change an established business practice, especially now in coronavirus times, with many businesses in survival mode and many close to bankruptcy. If HR data is being transferred then this clearly must change.

I am, even as a privacy professional, sceptical of all the fuss and hype about blocking all personal data transfers out of the EU to a country such as the U.S. (now lacking an adequacy decision with Privacy Shield gone) because of Schrems II.

I guess if I weren’t a small startup myself, serving small and medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing; they have too much to lose, and when it happens it can go quickly, so money spent must be prioritised. For the SMB, Schrems II is like double Dutch, all this legal speak; it’s outside the boundaries of their business operations, and the Data Protection Authorities get this and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes; they are after the biggies.

Cookie consent banner for the SMB

There’s been quite some cookie talk lately on this blog, and one reason why is that I, as CEO of my little startup, have been looking for a cookie consent banner which costs nothing for my website.

So why only now? Well, until recently I only had essential cookies on my website, which didn’t require cookie consent. I had inserted a banner and notice. However, I started adding YouTube videos and Chat, which came packaged with an analytics engine, Zoho SalesIQ.

So when one of my LinkedIn Connections was kind enough to point this out, I responded without thinking that only essential cookies were used... I was feeling a little stupid when I realised that I’d been so deep in getting my business out to market that I’d actually missed the privacy thing, which is not good; after all, my business is about GDPR compliance!

So I was on a mission: install a cookie consent banner with a preference centre on my website. The catch was that I had no budget for this. I am after all a small business, and all these small costs add up to something more. And not all small businesses have funding for extra overheads. I wanted to find something which I could recommend to my customers/partners, many of whom are SMBs, so that they have (1) a free option, and (2) a paying option.

The criteria for an SMB, as I see them, are:

  1. There must be a free option.
  2. It must work on all websites, e.g. even OneSpace, Wix, one.com.
  3. It must be easy to set up without too much technical know-how.

Most cookie banner solutions cost money, and you can expect to pay circa €9 per month. However, there are some free ones out there, with restrictions such as a single domain. But this is good enough for most of my customers.

On a technical level it needs to work on all types of websites. For example, mine is hosted on one.com, and some which I came across and tested didn’t work because they required that I install code in the header HTML, and I don’t have access to this (I can only insert code within the page/footer).

Ease of setup was not great. I spent 2 days looking for and testing suitable cookie consent banners. Of those I found, I tested 8, and became extremely frustrated because IMHO this should be EASY, but it most certainly was not. I am not technophobic, and I do have a decent level of competence to make this work. But it required JavaScript, and of all I tested only 2 came close, and only one met the technical criteria for the SMB and the cost criteria. That was Termly.
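As an added example (not the blog's own code, and not Termly's or Metomic's), here is a minimal consent gate in plain JavaScript of the kind that can be pasted into a page footer rather than the header: non-essential scripts such as a chat/analytics widget or a video embed are injected only after the visitor opts in, and the choice is stored in a first-party cookie. The cookie name and the script URLs are assumed placeholders.

```javascript
// Added example (not the blog's or any vendor's code): a consent gate for a page
// footer. Non-essential scripts load only after an opt-in stored in a first-party cookie.
const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const GATED_SCRIPTS = {                    // non-essential scripts; placeholder URLs
  analytics: ['https://chat.example.invalid/salesiq.js'],
  media: ['https://video.example.invalid/embed.js'],
};

// Parse a document.cookie string ("a=1; b=2") into {name: rawValue}.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Stored consent as a Set of allowed categories, or null if no choice was made
// yet. Malformed values (bad encoding, bad JSON) and unknown categories never unlock anything.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  try {
    const obj = JSON.parse(decodeURIComponent(raw));
    if (!obj || !Array.isArray(obj.allowed)) return null;
    return new Set(obj.allowed.filter((c) => c in GATED_SCRIPTS));
  } catch (e) {
    return null;
  }
}

// Script URLs that may load for a consent set: none before a choice is made.
function allowedScripts(consent) {
  if (!consent) return [];
  return Object.entries(GATED_SCRIPTS).filter(([c]) => consent.has(c)).flatMap(([, u]) => u);
}

// Cookie string recording a choice: first-party, 180 days, SameSite=Lax, Secure.
function consentCookieValue(allowedCategories) {
  const value = encodeURIComponent(JSON.stringify({ allowed: allowedCategories }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring (no-op under Node): the banner's buttons call this with the chosen
// categories; on page load, call it with a returning visitor's stored choice.
function applyChoice(allowedCategories) {
  if (typeof document === 'undefined') return;
  document.cookie = consentCookieValue(allowedCategories);
  for (const src of allowedScripts(readConsent(document.cookie))) {
    const s = document.createElement('script');
    s.src = src; s.async = true;
    document.body.appendChild(s);
  }
}
```

Until `applyChoice` runs, no gated script tag exists on the page at all, which is the behaviour a consent banner is supposed to guarantee.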

Now, I still say there is no excuse for how the Guardian’s banner was configured; they have money to pay a techie to do this work. But for a small business, setting up a cookie consent banner is not reasonable if 2 days of work are required to find, test and install one. That is why I have written this blog post. If you’re an SMB you don’t need to waste time looking. Carry on reading for an alternative to Termly later on...

It doesn’t stop here. I then checked this blog to look at cookies. This blog was originally set up by myself in 2007, and cookies weren’t a big thing then. Ever since, I haven’t given a thought to my musings on this blog needing a cookie consent banner, because I wanted to believe that Article 2, the household exception, applied. However, now we are many Authors, and unfortunately WordPress downloads over 80 cookies! Even though this is a personal blog, now for many, we needed to fix this, now that I’m on a cookie kill drive and starting to hate these little blighters!

Now, if your business website is using WordPress you must upgrade to Business to get the plugin for free, and this should be easy to install, although I haven’t tried yet, because this is a personal blog and I don’t intend to upgrade at a monthly subscription of €35 just to get my hands on a cookie consent banner. I checked some other cookie banner options. I received a tip on Metomic from a privacy Connection, and I liked it; I wish I’d found it before. But when it scanned this virtualshadows blog it reported there were no cookies, which is a lie. It could be because the blog is not on its own domain. But Metomic looks easy to use, is free, and could be worth testing as an alternative to Termly. I may even replace Termly with Metomic, but it does require some code in the website Header; I’m not sure if this is required or optional.

As it looks now, unless I find a free cookie banner, this blog will be migrated to another platform. The criteria: it must be free of cost, and free of cookies.

My takeaway from the last 3 days... is that the cookie consent banner has pulled me, a single-man resource in my business, away from product development and from revenue-generating activities. GDPR has in practice blocked innovation and growth. I became angry and frustrated, not only by the activity, but at the thought that every small business out there which requires a cookie consent banner will find it just too difficult to fix, and they don’t have the budget to pay someone else to do this as the larger organisations have.