Welcome to our second Data & Privacy eBulletin of 2020, where we look at the impact of the Schrems II decision, COVID-19 data privacy implications and other high profile developments.
Two out of two for Max Schrems
Privacy Shield is binned; Standard Contractual Clauses remain (sort of)
Back in 2015, Schrems I, the case brought by Austrian data privacy activist Max Schrems against Facebook Ireland (which transfers EU data to Facebook, Inc. in the US), took down the Safe Harbour scheme (one of the main routes used to allow EU-US data transfers), as the ECJ considered that the scheme did not provide enough protection for EU citizens given the surveillance powers available to the US government. Following a frantic set of US/EU negotiations, that scheme was replaced by the EU-US ‘Privacy Shield,’ a programme with increased protections for EU citizens. More than 5,000 US companies were signed up to the Privacy Shield programme, and presumably relied on it to justify EU to US data transfers.
But Mr Schrems was not finished. One of the other main routes to enable EU-US data transfers was to use the ‘standard contractual clauses’ (SCCs; essentially, an EU-approved template contract to be put in place between the EU sender and the US recipient). His new action (Schrems II) focussed on whether the SCCs provided enough protection for the relevant individuals. However, in the course of Schrems II, the ECJ’s attention also turned to whether the Privacy Shield did actually solve the problems found in Safe Harbour – and has now found that Privacy Shield is also invalid. Companies can no longer use the Privacy Shield mechanism to justify bulk transfers of data from the EU to the US.
Every company which relied on the Privacy Shield scheme to justify EU to US bulk data transfers now needs to find another legal route to justify the transfer. National data protection regulators are facing urgent calls for clarification on enforcement measures whilst companies which relied on the Privacy Shield make the necessary changes.
But what of the use of SCCs (which, according to research conducted by the International Association of Privacy Professionals, are used by 88% of companies to justify EU-US data transfers)? They remain valid – for now – but there is now a clear obligation on the relevant data controller (essentially, the entity which makes the decisions about the collection and transfer of the data) to assess, before transferring, whether the law and practice of the recipient country provide a level of protection for the data essentially equivalent to that guaranteed in the EU, and to put supplementary measures in place where they do not. How to ensure that in the US, when the ECJ has clearly struck down both Safe Harbour and Privacy Shield because of concerns over US surveillance laws, is very unclear. Using SCCs alone to justify EU-US data transfers now seems questionable, at best.
And there aren’t many other options. Of the two other main routes for transferring data to countries without an ‘adequacy’ decision from the EU Commission (and few countries have been granted ‘adequacy’), binding corporate rules (essentially, a set of binding intra-group data rules which have been approved by an EU data regulator) are not appropriate for all transfers, since they are most relevant to intra-group transfers only, and can take a long time to put in place; and obtaining the specific informed consent of the relevant individuals to the transfer is fraught with difficulty. There are other, specific derogations, but they are very limited.
A case by case assessment of data flows from the UK and the EU to the US and other countries with potential surveillance issues is required urgently. Some companies will decide that UK/EU to US data transfers are no longer appropriate or justifiable and will restructure their operations to reduce or remove them.
And what about Brexit? After the transition period ends in December 2020 the UK will become a ‘third country’ to the EU, just like the US is now. This ECJ judgment raises questions about the UK’s ability to be awarded ‘adequacy’ to justify EU-UK data transfers, given the UK’s own surveillance laws and its membership of the Five Eyes intelligence-sharing alliance etc. Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed.
Data & contact tracing
Contact tracing apps
The development of various contact tracing apps in order to combat the ongoing coronavirus pandemic has led to concerns about the protection of the personal data which is processed by the apps. Amy Bradbury, a senior associate in our Reputation Protection team, explored the issues arising in detail in a recent insight and, in particular, noted the importance of maintaining anonymity in the data.
In a further article on 23 April 2020 we highlighted that the Information Commissioner, Elizabeth Denham, had identified the very reason why it is so important to get this right: to ensure the benefits of technology are not lost as a result of the public failing to embrace it.
As noted in the article, the ICO, together with more than 250 commissioners, government representatives, privacy professionals and stakeholders discussed the data protection issues arising in this context in a virtual meeting. A series of simple questions were prepared for those developing and seeking to rely on new contact tracing technologies:
- Have you demonstrated how privacy is built into the processor technology?
- Is the planned collection and use of personal data necessary and proportionate?
- What control do users have over their data?
- How much data needs to be gathered and processed centrally?
- When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
- What happens when the processing is no longer necessary?
These concepts are all at the centre of data protection regulation. Of course, how they will be implemented in practice, as part of the development of the new technology, is yet to be seen.
The ICO has continued to provide guidance and information on the issue. The ICO has published a formal opinion on Google and Apple’s joint work on contact tracing technology. In summary, the opinion says the proposals align with the principles of data protection by design and by default but clarification is needed for app users around who is responsible for data processing.
In addition, the ICO has published a paper setting out its expectations on how contact tracing apps should be developed in accordance with the principles of data protection and giving guidance on best practice which should be of assistance to developers.
Businesses recording personal data for contact tracing
Concerns about data protection arising out of contact tracing efforts extend beyond apps and technology to the manual recording of data, now that restaurants and pubs are permitted to open and have been asked to record customer data for the purposes of contact tracing.
The ICO has acknowledged the need to assist businesses with this. Its Deputy Chief Executive Paul Arnold gave a statement, noting that: “We appreciate the challenge that many small businesses face in introducing unfamiliar arrangements at speed.” The ICO has given guidance to businesses on how to ensure that data protection principles are complied with.
Back to work – data protection considerations
The ICO has issued guidance for employers on COVID testing as many businesses move towards a phased return to work.
The ICO makes clear that data protection law does not preclude employers from carrying out testing on employees. However, employers will need to satisfy themselves that any testing is necessary and proportionate.
The ICO asks organisations to consider whether:
- they really need the information;
- the steps will actually help to provide a safe environment; and
- they could achieve the same result without collecting personal information; in particular, health information.
If an organisation could ensure appropriate social distancing among its employees, for example, it might decide that testing would not be necessary or proportionate.
The ICO has confirmed that for most employers, the appropriate condition for processing employee health data (which is ‘special category’ data and so needs an Article 9 condition in addition to an Article 6 lawful basis) will be Article 9(2)(b) GDPR, along with Schedule 1, paragraph 1 of the DPA 2018 – processing necessary for an employer’s obligations in relation to health and safety.
Organisations will of course need to consider their other data protection law responsibilities, particularly since health data or ‘special category’ data is afforded a high degree of protection under data protection law.
A data protection impact assessment (DPIA) will help organisations to demonstrate their compliance with data protection law.
Some key requirements are:
- To provide transparent information to employees about the testing. This can be achieved by an update and recommunication of the organisation’s privacy notice.
- To keep the amount of personal data collected to a minimum. For example, it might be possible not to record the results of a temperature test conducted upon entry to a premises – those with a result in the acceptable range could be allowed to enter, and those who fall outside of that range could be turned away without the need to record any temperature readings.
- To keep personal data accurate and delete it when it is no longer needed. An employee’s health status will change over time so employers will need to consider how frequently it would be appropriate to test their employees in light of these requirements.
- To keep any personal data collected secure, and, if possible, not to share results with others, including with other employees.
- Similar issues arise in relation to sharing with employees information relating to a positive test result for one of their colleagues, or the development of COVID-type symptoms. Again, themes of transparency and minimising data collection are key. Employers should advise employees as part of their COVID security communications that they will need to let those colleagues with whom they have come into contact know of a positive test result or reporting of symptoms. This processing is in the interests of the health and safety of all employees and so can be an appropriate use of employee data.
- Careful consideration should be given to the possibility of minimising the number of employees who need to be told of any positive test or symptoms and this will be informed by the systems which are introduced in the workplace to minimise unnecessary contact or movement around the workplace.
Data breaches & enforcement
Another high profile data breach
- Boots Advantage Card: Boots suspended loyalty card payments in March 2020 following an attempted cyber-attack in which attackers tried to log in to customers’ accounts using username and password combinations leaked from other websites (a ‘credential stuffing’ attack, which succeeds wherever customers have reused the same password across sites). A spokesperson for Boots told the BBC that fewer than 1% of Boots’ 14.4 million active Advantage Cards were affected.
ICO enforcement news
- Cathay Pacific: Pre-GDPR enforcement action continues. The ICO has fined Cathay Pacific Airways Limited £500,000 (the maximum fine permitted pre-GDPR) on the basis that it failed to protect the security of its customers’ personal data. It was found that between October 2014 and May 2018 Cathay Pacific’s computer systems did not have appropriate security measures, which led to customers’ personal details, such as their names, passport and identity details, being subject to unauthorised access. Around 9.4 million customers were affected worldwide, of whom over 100,000 were from the UK.
- CRDNN: In further pre-GDPR enforcement action, the ICO has also fined CRDNN Limited £500,000 for making more than 193 million automated nuisance calls. It was found to be making almost 1.6 million calls per day about window scrappage, debt management, window, conservatory and boiler sales between 1 June and 1 October 2018. CRDNN Limited has also been issued with an enforcement notice ordering it to comply with the Privacy and Electronic Communications Regulations.
Significant recent cases
- Scott v LGBT Foundation: In February 2020 the High Court held that the Data Protection Act 1998 did not apply to purely verbal communications: a verbal disclosure did not constitute the ‘processing’ of personal data.
- Various Claimants v Morrisons: On 1 April 2020 the Supreme Court handed down its eagerly awaited decision in this case. The Supreme Court held that supermarket chain Morrisons cannot be held vicariously liable for an employee’s unauthorised disclosure of the personal data of nearly 100,000 fellow employees. However, the Supreme Court considered that employers can in some circumstances be vicariously liable for breaches of data protection law by their employees. The conditions for imposing vicarious liability were not satisfied in this case, but may be in others. See our insight for further details.
ICO priorities during the COVID-19 pandemic
In early May, the Information Commissioner published the ICO’s reshaped priorities, which will apply during the COVID-19 pandemic and beyond. As discussed in our insight piece, the three key impacts identified are:
- Protecting public interests
- Enabling organisations to engage in responsible data sharing
- Monitoring intrusive and disruptive technology
In addition, the ICO has published its supporting priorities for 2020-21:
- Protecting vulnerable citizens
- Supporting economic growth and digitalisation, including small businesses
- Shaping proportionate surveillance
- Enabling good practice in AI
- Enabling transparency
- Maintaining business continuity: developing new ways of working in readiness for recovery.
EU’s update on Brexit and adequacy issues
On 9 July 2020, the European Commission issued a communication ‘on readiness at the end of the Transition Period between the European Union and the UK’.
The communication provides an update on the progress towards securing an adequacy assessment of the UK’s data protection regime from the European Commission. Under the GDPR, transfers of personal data to territories outside of the EU which have received an ‘adequacy decision’ from the European Commission are permitted without further appropriate safeguards such as the standard contractual clauses.
The UK has already conferred adequacy on the EU Member States meaning that data transfers from the UK to the EU will not require further safeguards. However, a reciprocal decision from the European Commission may take longer to negotiate (for example, it took two years for Japan to achieve an adequacy decision from the European Commission) but the communication states that, in accordance with the Political Declaration, the EU will ‘use its best endeavours’ to conclude the assessment by the end of the transition period.
The European Commission is currently conducting the assessment and has already held a number of technical meetings with the UK to gather information in order to inform the process. Note though our comments at the start of this bulletin in relation to the potential impact of the Schrems II decision on an adequacy decision for the UK.