Mandatory data breach notification has been introduced in Singapore, with more changes to follow

Some of the key changes to the Personal Data Protection Act 2012 (“PDPA”) took effect on 1 February 2021. These include a mandatory breach notification regime and new consent exceptions, including an exception which may apply if an organisation has legitimate interests in the collection, use or disclosure of the personal data and the legitimate interests of the organisation or other person outweigh any likely adverse effect to the individual.

The Personal Data Protection (Amendment) Bill was passed by the Singapore Parliament on 2 November 2020, with the changes set to take effect in phases. The first phase of these changes took effect from 1 February 2021.

Changes which have already taken effect as of 1 February 2021

1. Mandatory breach notification

One of the key changes which has now taken effect is the introduction of the mandatory data breach notification requirement. If a data breach is notifiable, the Personal Data Protection Commission (“PDPC”) must be notified. If certain reporting thresholds are met, the affected individuals must also be notified. The new provisions require that:

  • once an organisation has grounds to believe that a data breach has occurred, the organisation is to carry out an assessment of the data breach in a reasonable and expeditious manner to determine whether the data breach is a notifiable data breach. Generally, the assessment should be completed within 30 calendar days of when the organisation first became aware that a data breach may have taken place.
  • a data breach is notifiable to the PDPC if the data breach: (a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale (i.e. affecting 500 or more individuals). The organisation must notify the PDPC of the breach as soon as it is practicable to do so and, in any event, no later than 72 hours after establishing that the data breach is notifiable.
  • the organisation must also notify affected individuals of the data breach once the organisation has determined that the data breach is likely to result in significant harm to any individuals to whom the information relates, as soon as it is practicable to provide the individuals with the notification. This will allow the affected individuals the opportunity to take steps to protect themselves from the risks of harm or impact resulting from the data breach (e.g. review suspicious account activities, cancel credit cards, and change passwords).

2. New deemed consent and consent exceptions

Consent is required for collecting, using or disclosing an individual’s personal data. The individual must also be notified of the purpose(s) for which an organisation is collecting, using or disclosing the individual’s personal data on or before such collection, use or disclosure of the personal data. Consent may be given expressly or impliedly by individuals. An individual may also be deemed to have given consent under the PDPA in 3 ways: (a) deemed consent by conduct; (b) deemed consent by contractual necessity; or (c) deemed consent by notification (as the case may be).

In certain circumstances, the amended PDPA also allows an organisation to collect, use and disclose personal data without the individual’s consent. These exceptions may apply when:

  • the organisation or another person has a legitimate interest in the collection, use or disclosure of the personal data (i.e. the legitimate interest exception);
  • the organisation is a party or prospective party to a business asset transaction with another organisation (i.e. the business asset transaction exception);
  • the organisation is using the personal data for the purposes of business improvement (i.e. the business improvement exception); and
  • the organisation is using the personal data for the purposes of research (i.e. the research exception).

Changes which will take effect later

The following changes have not yet taken effect as of 1 February 2021, but are expected to become effective in the near future:

3. Increased financial penalties for contravention of PDPA

The maximum penalty imposed on organisations for breaches of certain key obligations under the PDPA will be increased to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. The increased financial penalties are expected to take effect on a future date to be notified, and no earlier than 1 February 2022.

4. Right to data portability

The recent amendments have also introduced provisions which require an organisation to, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control to another organisation in accordance with the prescribed requirements in the PDPA. These provisions, which are found under the new Part VIB[1], have yet to come into effect.

For details on the major changes to the PDPA, please refer to our previous e-bulletin “Singapore data privacy law updates 2020”.

[1] Part VIB has not been added to the PDPA because this Part has not come into effect yet.

Mark Robinson
Partner, Singapore
+65 6868 9808
Peggy Chow
Senior Associate, Singapore
+65 6868 8054
Sandra Tsao
Of Counsel, Singapore
+65 6812 1353

Happy International Data Privacy Day: Our predictions for 2021

Happy International Data Privacy Day! And what better day than today to explore what 2021 is likely to have in store for data and privacy? Almost three years after the EU General Data Protection Regulation (GDPR) came into force, and now 28 days since the UK GDPR replaced it in the UK following Brexit, data and privacy issues remain firmly in the spotlight for many organisations. And there are no signs that the rate of regulatory development is going to slow any time soon.

In this post, we set out our predictions for data protection and privacy developments in the year to come. The full briefing is available via the linked icon.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Professional Support Lawyer, London
+44 20 7466 2540
Chloe Kite
Associate, London
+44 20 7466 2194

EDPB and ICO respond to the Brexit data transfer window

As most in the data community are aware, the EU-UK Trade and Cooperation Agreement (the “Brexit Deal”) was agreed on Christmas Eve and provides for an interim period (up to a maximum of six months ending on 30 June 2021) whereby data transfers from Europe to the UK will not be treated as transfers to a third country subject to Chapter V of the GDPR following the end of the transition period on 1 January 2021, provided the UK complies with certain conditions during the interim period (discussed in our blog here).

Following this, both the European Data Protection Board (“EDPB”) and the UK’s supervisory authority (the Information Commissioner’s Office (“ICO”)) have issued either updated or new responses which provide some more clarity on areas of focus and what to expect over the coming year.

The EDPB’s Response

Prior to the Brexit Deal being agreed, in mid-December the EDPB adopted its ‘Statement on the end of the Brexit transition period’ (here) (the “Statement”) and an ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (here) (the “Information Note”) which highlighted some key considerations of the EDPB.

Following the agreement and implementation of the Brexit Deal from the beginning of 2021, the EDPB has now updated the Statement and Information Note.

  • The interim data transfer window

In line with Article FINPROV.10A of the Brexit Deal, the update to the Statement and Information Note emphasises that data transfers to the UK can continue to take place without the requirement of a transfer tool under Article 46, or reliance on the derogations listed under Article 49, until 30 June 2021 (at the latest), provided that the UK’s current data protection regime stays in place.

  • Preparing for an adequacy decision (or lack of one)

The EDPB provides no further view on the adequacy of the UK’s data protection regime other than that the timeline for a favourable decision has now been pushed to the end of June. If a favourable adequacy decision is not taken by 30 June 2021, the EDPB emphasises in the Statement and Information Note that transfers from entities regulated by the GDPR to the UK will become subject to Chapter V of the GDPR. This will mean that transfers to the UK will require appropriate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct etc. to be put in place, along with ensuring enforceable data subject rights and effective legal remedies for data subjects as required by Article 46.

The Information Note further reminds controllers and processors that, absent an adequacy decision, from the end of the interim period compliance with other GDPR obligations will come into sharper focus, including:

    • updating privacy notices and records of processing to account for data transfers to the UK;
    • taking caution if intending to rely on grounds under Article 49 in the absence of safeguards under Article 46, as such grounds are to be interpreted restrictively, only being fit for occasional and non-repetitive transfers; and
    • considering whether any supplementary tools may need to be put in place, a relatively complex and time-consuming consideration discussed further here (albeit, given that the UK’s data law is an application of the GDPR, such consideration should theoretically be straightforward).

  • One-Stop-Shop mechanism

While not affected by the EDPB’s updates, it is worth noting that the Statement and Information Note also clarify the applicability of the One-Stop-Shop (“OSS”) mechanism envisioned by the GDPR within the UK.

The OSS mechanism provides that the supervisory authority in the jurisdiction of an entity’s main establishment will act as the lead supervisory authority and carry out compliance and regulatory functions on behalf of supervisory authorities in each EU jurisdiction in relation to that entity.

From 1 January 2021, the OSS will not apply in the UK so that the ICO will not be able to act as a lead supervisory authority (i.e. the Brexit Deal did not extend this mechanism). The EDPB notes that it has engaged with supervisory authorities and the ICO to ensure a smooth transition of existing cross-border cases.

The Statement and Information Note go on to remind controllers and processors that they remain free to establish a main establishment in an EU jurisdiction under Article 4(16) to utilise the OSS mechanism (although this may well be impracticable for many entities). If this is not in place, entities will need to designate a representative under Article 27 as long as their activities are subject to the GDPR under Article 3(2).

The ICO’s Response

In a blog posted on 22nd January (here), the ICO’s Information Commissioner Elizabeth Denham responded to the Brexit Deal (the “ICO Response”) by welcoming the long-term commitments made by the EU and UK, most notably to promoting high international standards of data protection, developing a regulatory relationship, and co-operating on enforcement activity.

The ICO Response considered the interim period allowing data transfers between Europe and the UK as the “best possible outcome for UK organisations” in light of the risks and impacts to digital trade if this had not been put in place. However, given this interim period will end in either four or six months under the Brexit Deal, the importance of a positive adequacy decision for UK data flows is clear in the ICO Response, emphasised by the reference to the EU’s commitment to considering the UK’s adequacy position “promptly” in a declaration accompanying the Brexit Deal. The ICO Response also sounds the warning, however, that adequacy is not guaranteed and so organisations should be putting in place appropriate safeguards during this window.

Finally, as well as some specific commentary regarding data sharing in the context of law enforcement, and noting that the UK must also notify the EU-UK Partnership Council, as far as reasonably possible, of any new international transfers of personal data between public authorities, the ICO Response highlights that the process for any decisions in a range of areas (including UK adequacy decisions, approving international transfer mechanisms, or standard contractual clauses) must be put before the EU-UK Partnership Council. Given this requirement, it may be that a material departure from the current UK data protection position is unlikely in the imminent future.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Professional Support Lawyer, London
+44 20 7466 2267
Alasdair McMaster
Associate, London
+44 20 7466 2194
Asmita Singhvi
Trainee, London
+44 20 7466 3697

ENSURING COMPLIANCE WITH ELECTRONIC MARKETING RULES: A CLOSER LOOK AT SOFT OPT-IN CONSENT

The ICO’s recent decision to take enforcement action against a number of organisations (both in the form of investigations and regulatory fines) for sending unsolicited email and text based electronic marketing communications to individuals should serve to prompt organisations to take stock of the ways in which they promote their products and services using electronic marketing, especially if they rely on so-called ‘soft opt-in consent’, the subject of much of the ICO’s recent enforcement action.

We have sought in this article to set out a refresher of the rules that currently apply to electronic marketing as well as carry out a closer examination of soft opt-in consent.

Executive Summary:

In order to avoid complaints from individuals and enforcement action from the ICO, organisations seeking to rely on soft opt-in consent should ensure that they:

  • only target individuals with whom they have a pre-existing relationship;
  • only target individuals who have either previously purchased or shown a genuine interest in a product or service;
  • only send marketing communications about products and services that are genuinely similar in nature to those that the individual has previously purchased or shown a genuine interest in purchasing;
  • notify such individuals in advance of their intention to send them marketing communications about similar products and services; and
  • always provide such individuals with an opportunity to opt out of receiving these electronic marketing communications.

The extent to which stricter ePrivacy rules could be introduced under the new European ePrivacy Regulation, as well as the extent to which the UK will follow any such stricter rules in a post-Brexit world is still unclear at this stage.

The relevant law

Under the General Data Protection Regulation (“GDPR”) as now incorporated into UK law by virtue of the European Union (Withdrawal) Act 2018, a company must be able to rely on one of the six available lawful bases in order to process personal data. Where a company wishes to send marketing communications to individuals, obtaining consent or relying on the legitimate interests condition are likely to be the most appropriate legal bases for the purposes of Article 6 GDPR.

Organisations in the UK also need to observe the requirements of the Privacy and Electronic Communications Regulations (“PECR”) in relation to electronic marketing communications. PECR was implemented in 2003 and sits alongside the UK GDPR. Under PECR, a company must not send electronic marketing communications by email or text, unless:

  1. the individual has given their explicit consent to receive such communications; or
  2. the organisation can rely on soft opt-in consent.

Given that PECR effectively imports the definition of consent from the GDPR, an organisation wishing to rely on explicit consent for carrying out electronic marketing for the purposes of PECR needs to ensure that the UK GDPR conditions (which stipulate that consent must be freely given, specific, informed and unambiguous) are met. Further, separate consents must be obtained for different types of electronic marketing, unbundled from any other consents that the organisation is seeking at the same time.

This can be an onerous undertaking and so organisations often seek to rely on soft opt-in consent, which provides a more practical alternative to legitimise sending electronic marketing communications to an existing customer base.

An organisation may rely on soft opt-in consent when the organisation receives an individual’s contact details in the course of making or negotiating a sale of a product or service, notifies the individual of its intention to market similar goods and services to them, and provides the individual with the opportunity to opt out of receiving those marketing communications, both at the outset and each time the individual receives any subsequent marketing communication.

In this scenario, the individual is presumed to be happy to receive marketing communications about similar products or services from the organisation, even where they have not provided any specific opt-in consent to this marketing activity.

PECR makes it very clear that in order to rely on soft opt-in consent, an organisation must only seek to promote its own products or services which are similar in nature to those purchased or under consideration by the individual at the initial point of contact, which means that organisations cannot rely on soft opt-in consent to send electronic marketing communications on behalf of a third party.

Recent ICO enforcement action

As stated above, the ICO has taken enforcement action against a number of organisations in relation to their electronic marketing activities, intervening following complaints from individuals about being sent electronic marketing communications by organisations with whom they had no prior relationship (and of whom they sometimes had not even heard) without being given any privacy notification in advance and/or the opportunity to opt out of receiving these electronic marketing communications.

In many of these cases, the offending organisations had sought to rely on soft opt-in consent to justify sending these electronic marketing communications to individuals where, according to the ICO, they did not have the right to do so.

Issues interpreting soft opt-in

We set out below a breakdown of the criteria that an organisation must meet when seeking to rely on soft opt-in consent and the difficulties that organisations seem to face when interpreting these criteria.

1. Marketing to pre-existing customers

As we have established, organisations may only market to individuals with whom they have a pre-existing relationship (as opposed to new customers) when seeking to rely on soft opt-in consent.

However, the question of whether an organisation has a pre-existing relationship with an individual is less clear-cut in scenarios involving multiple organisations facilitating a single sale transaction e.g. when online retailers work with payment solution providers and other third parties to deliver their service offering. In such cases, each of the organisations involved should consider whether the individual is aware of their role in the transaction and whether the individual would reasonably expect to receive marketing communications from them.

Organisations might seek to make individuals aware of their role in the transaction by ensuring that their privacy notice is incorporated into and is sufficiently prominently displayed as part of the customer journey and stating their intention in this privacy notice to process the individual’s personal data to market similar goods and services to them in the future.

2. Similarity of goods or services

As we have established, soft opt-in consent only allows organisations to send electronic marketing communications relating to products or services which are similar in nature to those purchased or considered by the individual at the time of the initial transaction. However, determining what amounts to an acceptable degree of similarity between products and services for this criterion to be met can be challenging for organisations, especially for multi-channel retailers/service providers who offer a broad range of products/services spanning multiple product/service categories.

For example, an individual purchasing an item of clothing on a fashion website may reasonably expect to receive an offer for a matching handbag. On the other hand, the same individual may not expect to receive an email or text message about a dining set, even if the fashion retailer has branched out and offers homeware products on its website.

Whilst what constitutes products or services which are similar in nature is dependent on the type of business and the context of the transaction, organisations should always consider whether the individual would reasonably expect messages about the product or service. Where a range of products or services is being offered, organisations should ensure they separate such channels for the purposes of sending electronic marketing messages.

3. Making or negotiation of a sale

As outlined above, a company is permitted to rely on soft opt-in consent where an individual has provided their details in the course of a sale. However, an organisation may also rely on this mechanism where the sale of a product or service was merely negotiated, e.g. if an individual contacts an organisation to enquire about the particular features of a product or service.

Whilst this allows for the organisation to rely on soft opt-in consent to contact potentially interested customers with whom they have had previous interactions but who have not necessarily purchased or ordered anything, organisations should be careful not to stretch this concept too far.

For instance, if an individual fills out a form to make a general enquiry about an organisation, e.g. to enquire about employment opportunities at a retail location and the organisation subsequently sends marketing emails using the details from the enquiry form, the organisation would find it difficult to defend its position given the general non-commercial nature of the initial interaction.

Whilst it may be difficult for organisations to determine the level of customer engagement/interaction for this criterion to be met, organisations should consider whether an individual has made contact to show genuine interest in a product or service, including taking positive action to affirm their interest such as requesting a quote before sending them electronic marketing materials in reliance on the soft opt-in consent principle.

In all three scenarios, individuals should be provided with a choice to opt out of receiving marketing communications at the outset and at each subsequent time they receive a marketing communication. The opt-out prompt should be clearly visible and unobstructed – if an individual is left searching for a way to stop receiving the marketing communications, the ICO may deem the organisation’s reliance on soft opt-in consent to be invalid on the basis that the individual has lost control of their data and that the obfuscation constitutes an unnecessary barrier preventing the individual from exercising their rights.

Conclusion and legislative outlook

Although soft opt-in consent provides a convenient alternative to explicit consent for organisations wishing to carry out electronic marketing activities, organisations should be careful that they do not seek to rely on soft opt-in consent inappropriately to avoid enforcement action from the ICO.

Organisations should also bear in mind that changes to ePrivacy legislation are incoming as the European Union is in the process of replacing the Directive upon which PECR is based with the more onerous e-Privacy Regulation. However, whilst PECR continues to apply in the UK alongside the UK GDPR post Brexit, it is unclear the extent to which the UK will align its rules governing ePrivacy with the EU and whether changes imposed by the new European e-Privacy Regulation will be implemented into UK law.

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954
Julia Ostendorf
Trainee Solicitor, London
+44 20 7466 2154

EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning that companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Singapore data privacy law updates 2020

Singapore has recognised regional certification for transferring personal data overseas

In June 2020, the Personal Data Protection Regulations 2014 (“Regulations”) were revised to recognise the Asia Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules (“CBPR”) System and, for data processors, the Privacy Recognition for Processors (“PRP”) System certifications as an additional data transfer mechanism under the PDPA for transferring personal data outside Singapore.

China Cybersecurity and Data Protection: What you need to know about China’s draft Personal Information Protection Law

Mid-October marked the start of the formal legislative approval process for China’s proposed new law on personal information protection. The milestone draft Personal Information Protection Law (PIPL) underwent its first reading by the Standing Committee of the 13th National People’s Congress and was released for public consultation on 22 October 2020.

For further details on the draft PIPL please refer to our briefing by clicking here. In this briefing we highlight the key provisions of the draft law and set out our observations.

Overview

The draft PIPL expands the scope of personal information and sets out the key concepts and principles for processing personal information. It replaces the current consent-based protection regime with a new one allowing multiple legal bases for processing personal information, as well as setting out more detailed requirements for consent. The draft PIPL also lays down obligations on processors when sharing and transferring personal information to third parties. The safeguards on export of personal information and the requirements on data localisation are less stringent and more practical as compared to previous draft regulations. The GDPR-style extraterritorial effect extends the application of the PIPL to processors outside of China. Individuals may exercise a comprehensive set of rights against processors, and processors are required to take a range of measures to protect personal information.

The Cyberspace Administration of China is responsible for coordinating the ministries who are charged with regulating and supervising the protection of personal information, and the draft PIPL equips them with a wide range of powers to discharge their duties. It sets out the legal liabilities for those processing personal information and dramatically increases the economic penalties that may be imposed for breaches. Significantly, public interest litigation is introduced into the personal information protection regime for the first time. New technologies such as automated decision-making are also regulated by the draft PIPL.

Although there are a number of points still to be clarified by future drafts and guidelines, we can now see for the first time the future regulatory landscape of the personal information protection regime in China. Once the PIPL is enacted, it will have a far-reaching impact on protection of personal information as well as the business and compliance practices for companies.

For further details on China’s draft Personal Information Protection Law please refer to our briefing here.

James Gong
Of Counsel, Corporate
+86 10 6535 5106
Mark Robinson
Partner, Corporate
+65 68689808
Nanda Lau
Partner, Corporate
+86 21 23222117

European Commission publishes new draft Standard Contractual Clauses for consultation

Hot on the heels of the EDPB’s guidance on ‘supplementary measures’ with respect to international data transfers as a result of the Schrems II judgment (for further details see our blog post here), the European Commission has now published its long-awaited draft new Standard Contractual Clauses (the “New SCCs”) for consultation.

Legal Background

Chapter V of the GDPR prohibits the transfer of personal data out of the EEA to a third country or international organisation unless one of a number of available conditions under the GDPR is satisfied.

One of the conditions most often relied upon to legitimise the international transfer of personal data is use of the so-called Standard Contractual Clauses (“SCCs”). These are effectively a contract entered into between the data exporter and the data importer and impose certain data protection obligations on both parties. There are currently two different sets of SCCs which have been approved by the European Commission to cover transfers from: (i) a controller to another controller; and (ii) a controller to a processor.

However, the existing SCCs did not get updated when the GDPR came into force and so still refer to the old EU Data Protection Directive rather than the GDPR. There has also been criticism of the SCCs for a number of reasons, including because they don’t cover processor to processor transfers, leaving organisations the difficult task of trying to fit a square peg into a round hole when it comes to transfers from an EEA processor to a non-EEA sub-processor. The recent Schrems II case (see our blog post on the case here) also raised the question of whether or not contractual ‘supplemental measures’ are required when using the SCCs in order to further protect personal data being sent to countries which don’t otherwise provide adequate protection.

The New SCCs have therefore been eagerly awaited.

In this blog post we ‘summarise’ some of the key changes (both good and bad) and what they could mean for organisations and international data flows. With apologies for the length of this post, there is (fortunately or unfortunately) quite a lot to comment on! We have tried to limit our comments below to some of the more ‘big ticket’ issues. However, as always the devil is in the detail and there is an awful lot of detail with devils in it.

Grace period

The New SCCs contemplate a one year grace period for implementation, from the date of the European Commission’s implementing decision. Whilst this may seem positive in contrast to, for example, the ECJ’s decision in the Schrems II case to invalidate the EU-US Privacy Shield with immediate effect, it is important to note that the one year grace period applies because the New SCCs will repeal the existing clauses, meaning that organisations will have no choice but to re-paper their contracts to put the New SCCs in place. See further our ‘repapering’ section below.

Structure

The New SCCs adopt a modular format, allowing organisations to include or exclude particular modules depending on the factual scenario in question. Whilst at first blush, this appears to be a sensible and perhaps surprisingly flexible approach, it does appear to result in a particular sting in the tail as it means that it is not easily possible to ‘rip and replace’ and swap out the SCCs with the New SCCs. See further our ‘repapering’ section below.

Scope (data transfers)

As mentioned above, the SCCs only cover controller to controller (“C2C”) transfers or controller to processor (“C2P”) transfers. This created significant hurdles when an EEA controller transferred data to an EEA processor who then wanted to transfer it onward to a non-EEA sub-processor, as there were no processor to processor (“P2P”) clauses available. In addition, since the GDPR came into force, it has been unclear how the SCCs were supposed to apply to a non-EEA controller that is subject to the GDPR as a result of the extra-territoriality provisions in Article 3, since the SCCs only contemplated controllers/exporters located in the EEA.

The New SCCs contemplate all transfer scenarios, being C2C, C2P, P2P and even processor to controller (“P2C”). They also contemplate transfers where the data exporter is located outside of the EEA. This extended scope is likely to be good news for organisations who have long struggled to make the existing scope fit for purpose in the context of complex supply chains.

Scope (processor clauses)

As well as updating the SCCs for international data transfer purposes, the European Commission has also used the opportunity to incorporate into the New SCCs a set of processor clauses required by Article 28 GDPR. The GDPR mandates the inclusion of certain provisions in contracts between controllers and processors so, once again, at first blush it seems absolutely sensible to include such provisions in an international data transfer contract between a controller exporter and a processor importer.

However, the Article 28 provisions in the New SCCs are not a ‘module’ in and of themselves, meaning they cannot easily be extracted. In addition, the New SCCs make it clear that, in the event of a conflict between the provisions of the New SCCs and the provisions of any other agreement between the parties, the terms of the New SCCs will prevail. For organisations who have spent significant time and resource over the last 2-3 years negotiating data protection provisions into their commercial contracts, it is unlikely to be welcome news to understand that at least some of those negotiated positions may be superseded by the version of Article 28 that the European Commission has decided to incorporate into its New SCCs. See also our ‘liability’ section below.

Extending the extra-territorial reach of the GDPR?

The New SCCs (in the C2C module) contain an interesting requirement for non-EEA data importers who are controllers to notify the competent EU supervisory authority of any personal data breach likely to result in ‘significant adverse effects’. This would apply even to a non-EEA controller not otherwise subject to the GDPR, therefore extending the extra-territorial reach of the GDPR even beyond Article 3(2). In addition, the threshold is ‘significant adverse effects’ rather than the thresholds referred to in the GDPR. Thresholds aside however, this is likely to be a challenging obligation for controller importers who would otherwise have no interaction or relationship with any EU supervisory authority.

Schrems

It was almost inevitable that the New SCCs would include provisions to try and deal with some of the challenges brought about by the Schrems II case. Indeed, many commentators have suggested that the reason it has taken the European Commission such a long time to publish the New SCCs is because it wanted to be able to publish a version which responded to the Schrems case. It is therefore not surprising that the New SCCs include ‘supplementary measures’ to address concerns about the transfer of personal data to countries which don’t provide adequate protection.

The Schrems-related provisions in the New SCCs include: (i) a warranty from the parties that they have no reason to believe that the laws in the importer country prevent the importer from fulfilling its obligations under the New SCCs; (ii) a requirement to assess the laws of the importer country; (iii) a requirement to document the assessment referred to in (ii); and (iv) a requirement to make the documented assessment available to a competent supervisory authority on request. In addition, there are obligations on the data importer to challenge requests for access received from an authority and only provide the minimum amount of personal data possible once such challenges have been exhausted.

These types of obligations are a fairly logical consequence of the Schrems judgment but they are nonetheless onerous on the parties to the transfer. For small/medium data importer organisations in particular, the requirement to exhaust legal challenges in response to access requests is likely to be expensive and challenging. Similarly, the requirement on data exporters to assess the relevant laws in the importing country appears to place an obligation on private sector companies that the European Commission itself hasn’t been able to discharge other than with respect to a handful of countries that have obtained an adequacy decision. The final sting in the tail here would also appear to come in the form of the recently published EDPB Schrems guidance which suggests that contractual supplementary measures are nonetheless unlikely to enable a data exporter to transfer data to a third country that does not have essentially equivalent laws (i.e. the inclusion of these clauses in the New SCCs could make no difference whatsoever to the ability of a data exporter to transfer the data in a compliant manner).

Repapering (again)

As mentioned several times above, there appears to be no escaping the fact that the New SCCs are going to require every single organisation in Europe that transfers data outside of the EEA to undertake a mass repapering effort. Coming so soon after data protection repapering exercises undertaken to deal with: (i) the invalidation of the Safe Harbor; (ii) the implementation of the GDPR; (iii) the invalidation of the EU-US Privacy Shield; and (iv) the upcoming expiry of the Brexit transition period, this is likely to be particularly unwelcome news. The prospect of asking for additional budget to undertake such an exercise is also unlikely to be particularly appetising for many privacy professionals within organisations.

To make matters worse, the modular structure of the New SCCs means that a simple ‘rip and replace’ of existing SCCs is unlikely to be possible. In addition, the introduction of P2P and P2C clauses will require the papering of new relationships, as these clauses did not exist previously.

As well as the administrative burden of a repapering exercise though, it appears that this latest project is also likely to require more careful legal analysis than those that went before it. The interplay between commercially negotiated C2P positions and the provisions in the New SCCs will need to be carefully considered to understand the extent to which existing positions conflict with the New SCCs. There will also likely end up being a divergence between the processor terms negotiated between controllers and processors based in the EU, and those negotiated between controllers in the EU and processors outside of the EEA. In summary, it won’t be simple.

Liability

It perhaps follows on from the point above regarding potential conflict between negotiated commercial positions and the New SCCs that the issue of liability is likely to become a particular sticking point. The New SCCs contain more detailed liability provisions than are currently set out in the SCCs, and many organisations will already be aware of the complex negotiations undertaken commercially with respect to processor liability in particular. For example, the interaction between commercially agreed liability caps and the ‘uncapped’ liability position in the New SCCs is unclear – would an agreed liability cap be viewed as being in ‘conflict’ with the position in the New SCCs, and therefore overridden by them?

Conclusions

The New SCCs are not all bad news. It is clear that the European Commission has tried to address many of the criticisms of the existing clauses with its new drafting and flexible modular structure. However, regardless of whether or not the drafting has been improved, the fact that their implementation will require yet another resource-heavy and expensive repapering exercise is possibly a disadvantage that many will consider outweighs any possible benefit. In combination with the recent EDPB guidance on Schrems, it seems to make for a rather bleak outlook for organisations trying to balance data protection compliance with the commercial reality of global data flows.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Alasdair McMaster
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2194

A change in approach to subject access? ICO Publishes Updated DSAR Guidance

Summary

  • The ICO (the UK privacy regulator) has updated its guidance on data subject access rights, and the revised guidance appears to be aimed at giving organisations practical advice on managing and responding to subject access requests by including further detail and examples.
  • Although the revised guidance has not changed dramatically, it is fair to say that there are a few elements of it which offer a glimmer of hope for organisations currently struggling to manage the burden of DSAR compliance effectively, and increasingly frustrated by the use of DSARs as a ‘fishing expedition’ by disgruntled employees.
  • In certain circumstances, the guidance provides that organisations can now stop the clock when clarifying access requests with data subjects.
  • Additional guidance is now also available on what constitutes a ‘manifestly excessive’ request (i.e. when an organisation can refuse to comply with a subject access request).
  • The ICO has also widened the circumstances in which organisations are permitted to charge a reasonable fee for DSAR responses.
  • Interestingly, the guidance contains a new section on ‘enforced’ subject access requests (sometimes seen in the employment context as a tool to carry out background checks), and concludes that in some circumstances these can result in a criminal offence being committed.


How to calculate a GDPR fine – the proposed ICO way

The Information Commissioner’s Office in the UK (the “ICO”) has published for consultation its draft statutory guidance setting out how it will regulate and enforce data protection legislation in the UK.

The document explains all of the ICO’s key powers (including information notices, assessment notices, enforcement notices and penalty notices). Perhaps most interestingly for organisations, it also sets out for the first time, the ICO’s approach to how it calculates fines under the GDPR, giving organisations a better sense of the level of fine to which they could be subject for GDPR non-compliance.

However, although the ICO has provided a table setting out its ‘starting point’ for the calculation of fines, the regulator nonetheless retains a large amount of discretion to adjust the fine both upwards and downwards, meaning that the process is not as transparent as it may at first seem.

Although the fine calculator is only in draft form at this stage, it is the first time that the process adopted by the ICO has been made public. Responses to the consultation are required by 5pm on Thursday 12 November 2020.

GDPR fine calculator

The ICO’s draft guidance sets out nine steps which will factor into the calculation of a fine for non-compliance with the GDPR, including seriousness, culpability, aggravating and mitigating factors, economic impact and dissuasiveness.

These steps will be applied to all GDPR fines, regardless of whether the so-called ‘standard maximum amount’ or ‘higher maximum amount’ applies. As per the GDPR, the higher maximum amount is €20 million or 4% of annual worldwide turnover (whichever is greater). The standard maximum amount is €10 million or 2% of annual worldwide turnover (whichever is greater).

The following three steps will be considered initially in order to enable the ICO to identify its ‘starting point’:

Seriousness

The factors to consider when assessing the seriousness of any infringement reflect those set out in the GDPR, including the nature, gravity, and duration of the failure; any action taken by the data controller or processor to mitigate the damage suffered by data subjects; the degree of cooperation with the ICO; and the way the breach became known to the ICO, including whether the data controller or processor notified the ICO of the failure.

Culpability

When assessing culpability, the ICO will take into account the intentional or negligent character of the failure; specifically, whether the organisation deliberately breached its obligations or was negligent in doing so.

Turnover

The ICO will review relevant accounts and obtain expert financial or accountancy advice if required, in order to determine the amount of turnover (or an equivalent measure, such as the annual revenue budget of a non-profit organisation or the financial means of an individual).

In circumstances where turnover or equivalent is minimal, the ICO will give greater weight to other factors such as dissuasiveness, particularly where there is a serious breach. Where there is a lack of cooperation in providing all relevant financial information, the panel will rely on the information available or otherwise give greater weight to factors such as aggravating features.

Starting point

Once the factors above have been assessed, the helpful table below sets out the ‘starting point’ for the fine, stated as a percentage of annual worldwide turnover, against which various other factors will be applied:

Once the appropriate starting point has been identified, the ICO will then apply the following other factors in order to adjust the starting point and reach the final level of the fine:

Aggravating and mitigating factors

The ICO will consider any aggravating and mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach.

When determining the amount of any proposed administrative fine, the ICO will then adjust the starting point figure for each band accordingly, upwards or downwards, to reflect its assessment of applicable aggravating or mitigating circumstances. It will clearly record which aggravating and mitigating features it has taken into account and why and how it considers that these influence the proposed administrative penalty.

Financial means

The ICO will consider the likelihood of the organisation or individual being able to pay the proposed penalty and whether it may cause undue financial hardship.

Economic impact

The ICO will, where appropriate, consider any economic impact on the wider sector, or related regulatory impact of the proposed penalty beyond the organisation or individuals it is serving the penalty on.

Effectiveness, proportionality and dissuasiveness

The ICO will ensure that the amount of the fine proposed is effective, proportionate, and dissuasive and will adjust it accordingly.

Early payment discount

The ICO will reduce the monetary penalty by 20%, if it receives full payment of the monetary penalty within 28 calendar days of sending its final penalty notice. However, this early payment discount is not available if the controller decides to exercise its right of appeal to the First-tier Tribunal.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378