2020: A year that changed everything
Since the GDPR came into force in May 2018, approximately 500 fines have been issued across all jurisdictions. Whether the penalty is large or small, where an organisation is found to have breached one of the principles of the GDPR the Supervisory Authorities have exercised their powers to enforce compliance. In a year dominated by the Covid-19 pandemic, a great deal also happened in the world of data protection in 2020. We take a look at some of the stand-out decisions and their future impact.
Brexit & Standard Contractual Clauses (SCC)
It should be noted that the United Kingdom has already recognised the adequacy of data protection legislation across the European Economic Area (EEA). Transfers of personal data from the UK to EEA Member States will therefore continue as at present. Furthermore, the UK has already acknowledged the status of the 12 countries designated as ‘safe’ (adequate) by the EU, so that data transfers from the UK to those jurisdictions can also continue as at present.
The problems arise because the European Union (EU) has not yet reciprocated by recognising the UK as having the same ‘adequacy’. It is important to note that this was never a criterion for the Brexit Trade Agreement. The designation of adequacy is at the discretion of each party separately and independently. It is not to be assumed or expected simply because the other party has already done so.
The Trade and Cooperation Agreement provides for a ‘specified period’ of four months during which transfers of personal data from EU Member States to the UK will be treated as they are currently, namely that the UK will not be viewed as a ‘third country’ (Article FINPROV.10A). This provision depends on the UK making no unilateral changes to the UK GDPR during the specified period without EU approval. For this reason, Standard Contractual Clauses will not be required for transfers from EU Member States to the UK, at least during this initial four-month period (six months if the period is extended).
This initial period may, subject to the agreement of both parties, be extended by a maximum of two further months. If the EU grants the UK adequacy status during that time, the interim period ceases and transfers to the UK will be treated as transfers to a ‘safe’ country. The same arrangement will apply, during the four-month period, to transfers of personal data from the European Free Trade Association (EFTA) States (Norway, Iceland and Liechtenstein) to the UK, provided each of those States notifies both parties of its agreement to the proposal. At the time of writing, this has not yet occurred.
During this four-month ‘specified period’, the UK must suspend its ‘designated powers’ in relation to the UK GDPR, namely the modification of its domestic privacy legislation, the introduction of UK Standard Contractual Clauses, the determination of Binding Corporate Rules (BCRs), the approval of Codes of Conduct or Certification standards in relation to data management, and so on. The specified period will end either on the date on which the EU Commission adopts an adequacy decision, or at the end of the four months from the effective date of the Agreement (1 January 2021), with the possibility of a two-month extension, whichever is earlier.
If the UK chooses to amend its privacy legislation during that time, without approval from the EU Commission, the specified period ends and the UK automatically reverts to the status of a ‘third country’, with all of the arrangements, protocols and implications which that carries. The good news is that the four-month window outlined above means that EU-based organisations can continue to trade, interact and transfer personal data with their UK-based counterparts for the time being without any requirement to change contracts, protocols or commercial arrangements (there will be no tariff on such data transfers).
Furthermore, the ‘specified period’ allows the EU Commission more time to review and formally adopt the more detailed and GDPR-relevant SCC templates which were published for consideration in late November. Finally, the ‘time added on’ offers the possibility, however slim, of the EU agreeing to award the UK an adequacy designation for the transfer of personal data, meaning that the UK can join the community of ‘safe’ countries offering an equivalent level of protection and respect for individual privacy.
Schrems II & Privacy Shield
Privacy activist Max Schrems has challenged the transfer of personal data to the US and has successfully brought down both Safe Harbour and Privacy Shield. The July 2020 decision of the Court of Justice of the European Union (CJEU), known as Schrems II, confirmed that Privacy Shield is ineffective and toothless as a device to protect the privacy rights of EU citizens.
The major concern of the CJEU was the reach of US surveillance law over the EU data processed in the US. US law permits government security services to intercept or obtain such data on request, without limitations essentially equivalent to those required under EU law and without an effective means of redress for EU data subjects. This defeated the purpose of Privacy Shield as a mechanism for the safe transfer and management of that data.
Ultimately, organisations in the EU can no longer rely on Privacy Shield as a means of transferring such data safely, as it does not afford the security and protections that would be afforded under the GDPR. The responsibility now falls on the data exporter and the data importer to assess each such transfer case by case, to ensure that the seven principles of the GDPR are upheld and that the rights and freedoms of data subjects are respected, and to put supplementary measures in place where the law of the destination country undermines those protections.
2021 should be the year in which the European Commission formally adopts the new SCCs (a draft was published in November 2020) and organisations will be able to rely on them. In the meantime, the European Data Protection Board (EDPB) recommendations on supplementary measures offer sound guidance in this regard.
Blackbaud Ransomware attack
Blackbaud, a cloud software company, disclosed that it had been the victim of an attempted ransomware attack in which the data of a proportion of its international client base was held ‘hostage’. This breach illustrates that organisations need not only to adopt and implement a robust Privacy Programme, but also to ensure, from an IT security perspective, that an adequate cyber security infrastructure is in place.
In 2020, cyber security became more important than ever, with a growing number of cyberattacks, malware campaigns, disinformation and data breaches. During the Covid-19 pandemic, attackers took advantage of the changes in the way many organisations do business to intensify their attacks with a bewildering array of malicious campaigns.
There is no longer a distinction between online and offline threats. Digital and physical are now inextricably intertwined.
This is a reminder that cyber threats present an ongoing risk to every organisation in every sector. Understanding that data protection and security work hand in hand is critical to protecting your organisation's brand and reputation. Some key points to address in this regard:
- Implement effective anti-malware protection
- Implement Internet Acceptable Use policy
- Keep Firewalls up to date
- Review your Patch Management
- Review your Access Control policies and procedures
- Implement Secure Configuration
- Deliver cyber security awareness training
Irish Cookie Sweep
The DPC's cookie sweep report was published in April 2020 and gave organisations six months to bring their use of cookies and tracking technologies into line with the required standard of consent. The sweep resulted in follow-up by the DPC to ensure that organisations fulfil their obligations, achievable by embedding appropriate notices (cookie banners and interfaces) and cookie consent management tools. To our knowledge, the DPC is clamping down on organisations that failed to meet the compliance deadline, and we expect this to continue throughout 2021. See 2019 GDPR Year in Review.
You can view the full recording of the webinar hosted alongside the DPC, explaining the cookie sweep, by clicking on the link below: