DPAs’ guidance to survive in the post-‘Schrems II’ world

IAPP has set up a valuable resource collecting together guidance and statements issued by national DPAs in response to the recent CJEU ruling on the so-called ‘Schrems II’ case. The IAPP will aim to update the register on an ongoing basis.

The link is below:

https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/

While privacy pros advise putting SCCs in place as a substitute for the invalidated Privacy Shield, it should be noted that SCCs are by themselves a safeguard with a limited scope of application: (i) they still do not cover many processing scenarios (e.g., processor-to-controller, processor-to-sub-processor); (ii) they are quite outdated (issued in 2001, 2004 and 2010, in the pre-GDPR world); (iii) their validity has been made subject to several conditions by the ‘Schrems II’ decision.

Schrems II: what does this mean in practice?

In the flurry of (my) excitement after the Schrems II judgement I got to thinking, isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions knows that I usually start with “compliance is not just about doing the right thing, but showing you are doing the right thing”. This is exactly what the judgement is asking us to do now.

The Privacy Shield has been invalidated – mainly because the access is not “necessary” and “proportional” and EU data subjects lack an actionable remedy. So in practice, companies will need to look for an alternative legal basis to enable transfers under GDPR. There are options of consent or other derogations, but the only practicable way of making transfers valid is by Standard Contractual Clauses (“SCC”). These clauses remain valid, albeit with some questions raised.

Companies will now have to do proper 3rd party due diligence and develop actionable protections for data transfer, either through existing recipient country laws, or through their own contractual measures – or a mix. So what does “appropriate due diligence” mean in practice? It could mean creating a checklist to understand clearly to which third country the data is being transferred; collecting best practices in relation to the laws of well-known “importers”; and asking what security measures can be taken to further protect the data.

In reality, these SCCs were almost “too good to be true”. Some practitioners had developed a bad habit of “throwing” them into a contract, and never looking back. It is of great benefit to the privacy community to see that SCC are upheld. I reinforce the message that companies should understand fully (if they do not already) what EU safeguards require, do a case-by-case due diligence to see if the foreign government (not only US) protections regarding access to data meet the EU standards and, if this is not the case, put in place additional safeguards.

This is exciting for privacy lawyers like me, as we get the opportunity to reinforce our collaborative efforts with our infosec colleagues. This development brings us closer together in determining what the landscape looks like, what is required and how we make it happen. We can now come to the table together and determine how to do these transfers safely, relying on our infosec colleagues for expertise and our legal colleagues to get it airtight in the contract. Then both functions work together to raise awareness in the organisation.

Companies will have to start looking outwards to see if their industry is one that is regulated or targeted and what is the “likelihood” of an interference. This means good things for data subjects as there will be a natural effort to reduce the amount of data transferred to reduce risk – thereby strengthening the minimisation and necessity / purpose principles.

Recipients will have to ensure that they really do have a solid plan in place for end of life – of the contract and of the data within it. We will likely see more complex rolling retention periods established in order to reduce the amount of data held by 3rd parties and thereby reduce risk (of breach and of government interference).

I’m confident the guidance from the Irish Data Protection Commission will contain these principles and I will continue to monitor the developments and report regularly on practical steps companies can take.

If you like what you read, connect with me on LinkedIn!

https://www.linkedin.com/in/annickobriencompliance/

In the Privacy Shield storm – practical advice

I am, and am still, attending a great session hosted by the IAPP on the Schrems II decision and the Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfers from the EU to the US.

Miriam Wegmeister was a great panelist and gave some great insights – a very practical and cool lady!

Practical steps as follows:

  • There were some revised SCCs drafted even before this decision which can be used.
  • Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
  • Art 49 is normally only to be used in exceptional circumstances; maybe the Commission can relax on this. Art 49 covers derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.

The decision is that Privacy Shield is not legal anymore – stop, no grace period. However, looking at the UK Information Commissioner’s website, voilà, they are recommending that you “continue using Privacy Shield until new guidance becomes available” but do not start using Privacy Shield.

Yes, I’m angry about the Schrems II decision!

Why the hell should a devoted privacy and GDPR advocate be angry about this decision? After all, it’s good for privacy, is it not?

Yes, the decision is correct, but also no.

Clearly Facebook is a scapegoat, twice now with Schrems I and II. But now we are in limbo again! The fact is that even if the large businesses have heaps of money to bring in an army of legal professionals to replace all Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs), which may or may not work, small and medium businesses (SMBs) do not have this luxury.

Apart from the large businesses, I work with quite a lot of SMBs, and I can tell you exactly how they feel in a single word… confused; in two words, confused and hopeless. Most have yet to do their work for GDPR compliance, and those which have may have made an initial effort in 2018, but have since done nothing.

What makes me angry is that now, in 2020, some of these are calling me in because I have created some low-cost tools which help them to help themselves. They are making the effort, but they are in the main using cloud providers from the U.S., and there was a simple remediation: to check that the business was Privacy Shield certified. I had a cheat list of all the most common cloud services; if the business wasn’t listed, my recommendation was to move to another which was. And so it was cheap and easy for them to fix themselves, without paying me my expensive hourly consulting rate.

So now all these SMBs have nothing, again. And yes, I’m angry, because I was starting to get some traction in the SMB market. My speciality is making this legal stuff doable for any business; it’s not rocket science. But now it’s quite ridiculous: there is no way I will instruct every SMB to stop using all U.S. cloud services, they will kick me out. In fact the low-cost GDPR tools I have created are based on U.S. services, and they can’t be moved. There is nothing equivalent in the EU. It feels unfair to the SMB; they are getting the GDPR thing, and how it is good for business. Together, my small business and my customers were starting to make great progress.

It is not only my opinion that the SMB is critical for a functioning society, although maybe it is just mine that it is the SMB which will suffer most from this judgement?

Okay, sorry for this rant. I’m feeling a bit like Ms Angry, but now I’m done 😉

Image taken from https://www.bbc.co.uk/programmes/p05g2zz1.

Ambiguous status of SCC under the ‘Schrems II’ decision

As the whole privacy community already knows, the CJEU has today struck down the EU-US Privacy Shield scheme, while confirming the validity of SCC.

Arguments against Privacy Shield have changed little since the ‘Schrems I’ decision that invalidated Safe Harbour – governmental intrusion, lack of proportionality, ineffective role of the ombudsperson.

What is really new is that an EU-based data controller relying upon SCC is now expected to assess how public authorities in third countries obtain access to personal data and how the legal systems in those countries work.

Two questions still remain:

1. How are the controllers in question expected to conduct such an evaluation? Is there any methodology in this regard? It may seem somewhat similar to what we have in Article 45(2) – the factors the Commission shall evaluate when issuing adequacy decisions. However, a private entity living with SCC is not an EU body and often does not have sufficient resources and understanding as to how to conduct the research and put the necessary safeguards in place.

2. Enforcement. Amid DPAs facing a lack of financial resources and manpower, the CJEU’s decision puts an extra burden on them. Thus, a newly invented (by the CJEU) requirement may easily end up becoming unviable, with no practical effect due to insufficient oversight.

Bonus question: taking into account the ‘accountability’ principle, how should exporting controllers demonstrate their compliance with the new obligation?

Hopefully, answers are yet to come.

What went wrong? Foodora hacked!

Swedish newspapers are reporting that the data of half a million customers was stolen by hackers. Foodora, a Swedish concern, is owned by a German business, Delivery Hero. As one can guess from the combination of both names: 1) it’s about food, and 2) yes, customers book online from whichever is their favourite restaurant and get it delivered.

From what I can gather, the data was stolen from their test environment. This means that live data was stored in test, which was not appropriately protected as is required by Art 32 (GDPR). Moreover, it seems that the purpose limitation (Art 5.1b) and data minimisation (Art 5.1c) principles were not respected. There is probably more, but this is what I have based on a couple of newspaper articles.

So the affected data subjects are included, as customer data went back to 2016. The only data stolen in clear text was data which is in the main public in Sweden (except if you have a protected identity), so it seems low risk, but read on…

What is not public data is the fact that the individual is a customer of Foodora, and this is a great way to social engineer a phishing attack that seems to come from Foodora to these customers.

On the plus side, it looks as though Foodora have got their communications function out, sent a message to all customers warning them about what has happened, and told them not to click on any links in emails from them. Their quick action is impressive, very transparent, and a good example of how to act when this kind of incident occurs.

Nevertheless, I see that there will be an investigation of Foodora by the Swedish Data Protection Authority, which is scheduled to finish before December 2021.

Image taken from https://www.missethoreca.nl/ restaurant guide.

On the crucial importance of TOMs under GDPR Article 32

The DPA of Baden-Württemberg (Germany) fined a health insurance company 1’240’000 EUR for insufficient implementation of TOMs, which resulted in the personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent.

The fine is quite high, especially given that there were some mitigating factors in this case:

  • not too many data subjects concerned
  • cooperation with DPA
  • TOMs were not absent at all; their level of implementation was just insufficient

Besides, no data breaches or other factors posing a (high) risk to data subjects were identified.

The investigation resulted in one of the highest fines issued under Article 32 (if not the highest). This can be explained, in particular, by the adoption of the German model for calculating fines under the GDPR.

Anyway, this is one more reminder for controllers and processors about the importance of putting in place TOMs appropriate to the risk, as ‘somewhat good’ TOMs will unlikely be enough.

More to read – see below.

https://digital.freshfields.com/post/102garn/1-2m-fine-in-germany-for-failure-to-implement-appropriate-toms

At the Nexus of Privacy and Antitrust

The IAPP Privacy Advisor published an excellent article on 23 June entitled “The thin line between privacy and antitrust.” In particular, the three scenarios presented by the authors are concise introductions to the important ways that privacy issues may arise in antitrust matters / investigations, and to how the areas of privacy and antitrust are becoming more closely linked going forward.

As someone who has worked at the nexus of antitrust and privacy for the past couple of years – and has been involved in 10 such U.S. matters (involving the U.S. Federal Trade Commission and the U.S. Department of Justice) – I have the following general observations to share:

  1. It is important to be extremely careful in internal corporate communications when it comes to privacy issues as discussed by those “in the know.” That may sound like an obvious piece of common sense, but I have been shocked by how corporate leaders (from the CEO on down) are inappropriate and sloppy when it comes to privacy discussions in antitrust matters. Email is an easy mode to fire off one’s thoughts, but discipline of thought and tact are incredibly important.
  2. I have been pleased by the awareness of company personnel when it comes to personal sensitive information, PHI – PII, etc. Very impressed.
  3. I have seen little discussion of privacy as a basic human right. Much more work needs to be done in the U.S. in terms of cultural change. As privacy pros know, they are excellent ambassadors for that point of view.
  4. In some situations, discussions of privacy issues were subtly couched in ways to restrain competition in the industry. As everyone here knows, never say that. As well versed antitrust lawyers also know, sometimes corporate leaders and counsel cease writing emails on a topic and continue the discussion on the phone.
  5. Some of the situations I have been involved with involved mergers where getting the data from the acquired company is one proposed benefit of the merger. The discussion by the authors in their section entitled “Sharing data raises privacy concerns” is spot on and bears multiple readings. Once again, if you view data protection & privacy as a basic human right, there should be no question that a more rigorous conception of those topics is necessary from Day One. Privacy should be baked into the company’s DNA – and a newly merged entity is an excellent opportunity to make that a reality.

The section in the IAPP article focusing on nascent competition is especially pertinent for the future, though now with the pandemic in full force it remains to be seen what the final damage inflicted upon the U.S. economy will be. And how that will ultimately change corporate leadership in the future – especially with regards to the privacy / antitrust relationship.

My TikTok – My Observations

Well, apart from the fact that my 10 year old daughter has been an avid user of TikTok for 2 years, my interest would nonetheless have been sparked by the torrent of privacy issues which have been popping up left, right and centre. I thought it could be good to give you an idea of what TikTok actually is if you haven’t tried it (yet), and what it means to kids, because I’ve actually spent some time there.

To summarise on the list of issues I see:

  • TikTok is a Chinese business and hence privacy is not something they feel strongly about, so I just don’t trust them – I guess this is a British understatement 😉
  • They are not following any of the GDPR principles, e.g. data minimisation on content created by EU data subjects, incl. minors.
  • Privacy is not built into the design of the App – you only need to Google to find what I mean here.
  • Kids are being stalked by sexual predators; there are no ‘safe gardens’ for kids.
  • Kids are being cyber-bullied – aggressively, and not only by peers but by older users, the Trolls.

Nonetheless, TikTok is in fact fun! I created an account 2 years ago to try and understand why kids were here. All good material for my next book! As a success, one TikTok post (below) I made together with the help of my daughter got 67.8k views, 3,630 likes and circa 100 comments. So I had something perfect to use for my analysis.

Fun observations:

  • It’s addictive, and getting involved as a parent has removed barriers we had concerning the use of TikTok or other social media Apps.
  • The inbuilt templates provide kids with opportunities to test their creative abilities beyond what I ever thought was possible. Working with my daughter to create this and other TikToks has given me an insight into what the world could look like when they are entering the workplace!
  • Watching kids collaborate on TikTok and other social Apps is mind-blowing beyond what we ever did ourselves as kids. We have a generation of kids growing up socially connected/collaborating – these kids won’t understand why our generation had to learn how to work as a team.
  • I was amazed at how my daughter, on seeing some rather nasty comments, just deleted them, and then how she advised me to ignore them.
  • Accounts set up (at least 2 years ago) did not have Only Friends as the default.

Worrying observations:

  • I saw kids being cyber-bullied on TikTok aggressively; one poor girl who couldn’t have been older than 9 was being attacked as ugly… the comments were damning. There was a ‘report abuse’ button which I used, but there was no follow-up.
  • The template we used, “100% DNA, Swedish”, was damned as racist. Although not racist, such templates are triggers for Trolls.
  • Kids can be easily lured into creating ‘duets’ or more, and I’ve seen kids kissing through a virtual wall to older teenage boys when singing a love song together. This makes online grooming very easy.
  • It is likely that many kids have multiple accounts for reasons such as they lost their password and can’t fix it, or they are harassed by cyberstalkers and need to move.

This is the TikTok I made together with my daughter which went viral a couple of years ago. Btw, something going viral doesn’t mean it’s good… so you’ve been warned 🙂