Data Protection Report - Norton Rose Fulbright

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself!

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post).  Although the AG’s view was that the SCCs are valid, he suggested that those using them would need to examine the national security laws of the data importer’s jurisdiction to determine whether they can in fact comply with the terms of the SCCs.  He also raised serious doubts over the validity of the Privacy Shield.  If the CJEU shares these doubts, it could influence the outcome of La Quadrature du Net.

Data localisation issues are also set to resurface during 2020.  China’s requirements are tricky, the Russian Data Localisation law now has monetary penalties and the draft Indian data protection bill also imposes localisation requirements in certain circumstances.

2. Don’t let the Cookies crumble!

For companies whose websites still operate a blatantly non-compliant opt-out cookie consent model in the EU, 2020 is the year to rectify this!

2019 saw a number of developments in the area of cookies which can’t be ignored. There was guidance from data protection regulators in the UK, France and Germany which made clear that implied cookie consent mechanisms are not viable under the EU General Data Protection Regulation (GDPR).  The CJEU Planet 49 decision confirmed the guidance and in particular highlighted that consent cannot be lawfully established via pre-ticked boxes.

In the UK, the Information Commissioner’s Office (ICO) has been very outspoken on the ad tech industry’s use of special category personal data and onwards data sharing without explicit consent.  On 20 December, the ICO updated its blog post explaining the work that it has been doing in this area and how it is considering next steps and “evaluating all of the options available”. In addition, the Dutch Data Protection Authority recently published a statement explaining that it had carried out a check of 175 websites to see if they comply with the law on cookies.

As a result, organisations need to revisit their current cookie consent mechanisms and notices and reassess their appetite to risk.

Organisations subject to the California Consumer Privacy Protection Act (CCPA) should monitor guidance released by the Attorney General about obligations in relation to third party behavioural advertising cookies.  Some consider that cookies in the context of adtech could be considered a “sale”, therefore triggering the rules under the CCPA.  It is hoped that the Attorney General will provide clarification around this issue.

3. Address the ghost of Christmas past! (aka data and records retention)

It’s time to take the “data and records retention project” out of the “too hard / I’ll do it after GDPR” tray.

Data retention is a rising trend in GDPR enforcement.  The Berlin regulator imposed a whopping EUR14.5m fine against Deustche Wohnen for not having a proper data retention schedule in place and the Danish regulator also imposed fines against two companies for similar offences.

In the U.S., the Federal Trade Commission has long recommended that companies properly and promptly dispose of personal information once it is no longer necessary for legal or business reasons.  The New York State Department for Financial Services regulations require covered entities to have appropriate record retention policies and procedures and the CCPA provides an extra incentive to implement proper information governance to minimise the costs data access requests.

Given the increased regulatory attention, and the obvious risks of over retention from a cyber-security perspective, initiating a data and records retention strategy and project should be a key priority for 2020.

Overwhelmed at the prospect?  Check out our blog post which summarises our recent webinar where we discussed the practical challenges and solutions of these projects and how the reality is not quite as daunting as it may seem.

4. Take time to reflect (on your policies)

Many of us bravely drafted our GDPR policies and processes with very little regulatory guidance.  However, data protection authorities (DPAs) and the European Data Protection Board have since worked very hard to give us guidance on a variety of areas, particularly those which were “new” under GDPR or required special clarification.  Examples include Data Protection Impact Assessments (DPIAs), special category data, data subject rights requests, data protection by design and default and automated decision making.

DPAs have also published guidance around specific local law requirements.  The ICO, for example, has recently published guidance on how to produce an “appropriate policy document” which is required in a variety of circumstances when processing special category data.

So now is a good time to either: (i) take stock and review your cherished GDPR policies –  not only so that they reflect current thinking but also so you can claim adherence to the much revered principle of GDPR – accountability; or, if time and resources are limited (ii) conduct DPIAs on the key risk areas so that you’re at least minimising your regulatory exposure.

5. Conquer the world!

GDPR wasn’t the beginning and it’s definitely not the end.  Lots of countries around the globe have data protection laws, many of which are very similar to the GDPR (or its predecessor). Some even seem like a copy and paste job!  India and Brazil are in the 2020 pipeline and the CCPA has just taken effect.  With GDPR as a baseline, and taking into account local variations, now is a good time to expand your privacy programme to the rest of world.  This exercise could also be hugely beneficial if you are thinking of applying for intra-group data transfer solutions, such as binding corporate rules or a certification.

6. Be one step ahead

The potential of AI is huge but so are the risks if legal, ethical, and cybersecurity considerations are not addressed at the outset.  If the use and / or development of AI is a strategic priority for your organisation make sure you’re an advocate for these issues and be sure to stay one step ahead. Guidance has been issued in a number of countries but the UK ICO has been particularly active and practical in its approach. You should monitor the ICO’s AI auditing framework which is due to be published for consultation in January 2020.   The framework aims to support the work of the ICO’s investigation and assurance teams when assessing how organisations use AI and to help organisations manage data protection risks arising from AI applications.

7. Don’t ignore the competition (in the data protection arena)

The focus on the interplay between competition and data protection law has never been greater as tech giants are scrutinised over their perceived monopoly and exploitation of personal data.

This year, we can expect to hear more from both UK and EU authorities about the impact that Open Banking is having in the financial services sector and how this initiative could be expanded into other sectors, particularly those in the digital market.  This would include the major tech giants but there is also appetite to include more “hidden” players in the digital ecosystem, such as data brokers.  There are also calls to introduce more prescriptive and effective data portability rules and, in some cases, to allow wholesale access to underlying databases to train AI models.

These developments may present threats and opportunities depending on market position, but if your organisation is consumer facing now is the time to get to grips with data portability.

8. Stay safe

Security standards and expectations expressed in the CCPA and by EU DPAs could help pave the way for an upsurge in class-action style litigation on both sides of the Atlantic.

For years, class actions following data breaches have been common in the United States.  Under the CCPA, Californian consumers affected by a data breach are empowered to bring private actions for actual or statutory damages for any data breach that is a “result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices”.  While the law raises questions of reasonable security and provides businesses with an undefined “right to cure,” introducing statutory damages removes many of the barriers that had previously stopped or short-circuited data breach litigation, specifically by removing the requirement that plaintiffs show harm.  Now, plaintiffs merely need to assert statutory damages, and the traditional first line of defence for businesses, claiming that the plaintiff suffered no harm, is no longer available.  This change is likely to refocus litigation on what the right to cure and reasonable security mean under the CCPA as both terms are not defined under the statute.  Also, litigation is likely to focus on more factual questions like whether the business maintained reasonable security prior to and at the time of the breach.

Over in the EU, organisations have been criticised by some DPAs for not implementing general security standards and recommendations.  For example, the Polish DPA fined an e-commerce provider for data security failings, criticising the company for not following general security recommendations, such as ISO and those proposed by ENISA.

These types of security expectations provide fertile ground for claimants as simultaneously the threat of class actions in data breach cases becomes more of a reality, particularly following the ground breaking decision in the UK of Lloyd v Google.  This case suggested it is possible to bring an opt-out style class action with damages, in principle, capable of being awarded without proving pecuniary loss or distress.  The case has some unique aspects and Google is likely to seek an appeal, but it certainly a case to keep an eye on with significant implications for follow-on data breach claims in the UK.