Happy Data Protection Day!
The 28 January each year is celebrated as Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108.
To mark Data Protection Day 2021, we have summarised some of the key trends and developments in the EU, UK and beyond from a data protection perspective and looking ahead to what to expect for 2021.
Developments in the UK and EU
International Data Transfers
There were a number of key developments regarding international data transfers in 2020, the impact of which will be felt for many months and years to come. Compliance with international data transfers continues to be a high profile issue, which organisations will continue to deal with during 2021 and beyond.
The Schrems II judgement from the Court of Justice of the European Union in July 2020 invalidated the EU-US Privacy Shield as a mechanism for transferring personal data from the EU to the US, and also left a number of unanswered questions in relation to use of the EU Standard Contractual Clauses (“SCCs”) going forward. In November 2020, the European Data Protection Board (“EDPB”) published a recommendation for consultation which attempts to address some of those questions.
The EDPB published two recommendations, one on supplementary transfer tools as well as an updated version of the European Essential Guarantees for Surveillance Measures. These provide further information on:
- what additional steps are needed when relying on the SCCs to transfer personal data outside of the EU;
- examples of the supplementary or additional measures that may need to be put in place for particular transfers; and
- how to go about assessing the laws and practices in third countries.
In addition, in November 2020 the European Commission published an updated version of the SCCs, although these are not yet finalised. Based on the draft, the expectation is that there will be a year-long transitional period in which all previous data transfer agreements incorporating the existing SCCs will need to be replaced and updated.
Going forward, to address these developments organisations will need to:
- Understand where your personal data is going and your data flows;
- Determine what data transfer tool(s) you are using under the GDPR and UK GDPR;
- If you are using the SCCs, carry out an assessment of the law and practice in the third jurisdiction to which the personal data is transferred;
- If as part of the assessment it is determined there is not an essentially equivalent level of protection in the recipient jurisdiction, put in place additional or supplementary measures, which can include technical as well as contractual measures;
- Longer term, update existing agreements with the new SCCs once these have been finalised. This includes updating both intra-group data transfer agreements and agreements with third parties.
UK data protection law post Brexit
From 1 January 2021 the Brexit transition period ended. The EU GDPR no longer directly applies in the UK going forward. However, the GDPR has now been incorporated into UK domestic law, known as the “UK GDPR”. Therefore, from a UK data protection perspective there isn’t a significant difference in the substantive obligations UK organisations are required to comply with, although that could change over time if the UK Government decides to depart from the GDPR standard.
Data Transfers to and from the UK and EU
On 24 December 2020, the UK and the EU reached an agreement which allows for transfers of personal data from the EU to the UK to continue without additional measures such as the SCCs for an interim period of up to six months. This interim arrangement is in place whilst the European Commission considers whether to adopt an adequacy decision for the UK. You can read more about this in our summary here.
Once that six month period expires, if the European Commission does not issue an adequacy decision for the UK (and the interim period is not further extended), the UK will be regarded as a third jurisdiction for the purposes of the GDPR. This would mean appropriate safeguards would be required under the GDPR to transfer personal data from the EU to the UK. In practice, if the SCCs were used in those circumstances, this would also involve the assessment and potentially supplementary measures required by the Schrems II judgement.
For transfers of personal data from the UK to the EEA and jurisdictions which have previously received an adequacy decision from the European Commission, these transfers remain uninterrupted from a UK data protection perspective. This is because the UK has deemed the EEA member states (and jurisdictions with an adequacy decision from the European Commission) as adequate on a transitional basis.
Brexit – other impacts
In addition to data transfers, the end of the Brexit transition period may require other data protection compliance steps. If you are in the UK, not established in the EU and offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU, the GDPR will apply and you may need to appoint a representative in the EU. There is a corresponding requirement for appointing a UK representative under the UK GDPR. There are also updates that may be required to your existing agreements, privacy notices and records of processing now that the Brexit transition period has ended.
The processing of personal data of children will come into focus during 2021, as the 12 month transition period for complying with the ICO’s Age Appropriate Design Code approaches on 2 September 2021. It is important for organisations to start considering now whether the Code applies, and if so how they will comply with the 15 standards of the Code. The Code applies to online services “likely” to be accessed or used by a child, which for these purposes is anyone under the age of 18. For more information on the Code and practical steps to prepare, please read our summary here.
Continued enforcement focus on data breaches and cyber security
The ICO was active in terms of enforcement during the later months of 2020, bringing three significant monetary penalties focusing on cyber security issues. This demonstrates the ICO’s continued enforcement in relation to significant data security incidents, with a particular focus on the technical security measures that the ICO expects to be implemented. The ICO has recently referred extensively to third party guidance in support of what “state of the art” measures are, as well as to known security issues or vulnerabilities. You can read more about recent enforcement action from the ICO in our summaries here and here.
The Belgian Data Protection Authority (“DPA”) has been very active in 2020, including by:
- publishing guidance and recommendations, focusing on practical guidance for DPOs, processing of personal data for direct marketing purposes, processing of personal data by employers in relation to Covid-19 pandemic, etc.;
- carrying out investigations and imposing sanctions such as reprimands, warnings, fines, etc. on individuals or organizations whose processing activities were not in line with GDPR;
- issuing opinions on draft bills relating to the processing of personal data, in particular in the context of Covid-19;
- entering into a protocol/cooperation agreement with DNS Belgium to block .be domain names; and
- adopting its 2021 Management Plan translating the strategic and operational objectives of its 2020-2025 Strategic Plan into concrete objectives for the year to come.
It is expected that the DPA will proceed along these lines in 2021, although it insists that further resources are required to perform all its tasks and missions.
Guidance and Recommendations
In 2020, the Belgian DPA published key guidance and recommendations, notably on:
- Direct marketing: In January 2020, the DPA published its Recommendation 1/2020 on the Processing of personal data for direct marketing purposes. Direct marketing is one of the top priorities identified by the DPA in its Strategic Plan 2019-2025. This Recommendation aims at clarifying the concept of direct marketing and the complex rules applying to the various stakeholders involved in direct marketing activities. It also covers enrichment of personal data, legal bases for the processing, conditions for consent, etc.
- CCTV systems: The DPA has published a new thematic folder and recommendations on its website in relation to the new requirements applying to the use of CCTV systems for surveillance purposes, use of thermic cameras, etc. The Belgian DPA has also imposed sanctions in relation to the use of CCTV systems.
- Covid-19 related guidance: In March 2020, and then updated in June 2020, the DPA published FAQs to respond to questions regularly raised to the DPA, such as temperature checks, travel questionnaires, etc.
- Data Protection Officers: The Belgian DPA imposed a sanction on a company in 2020 due to a conflict of interests in the DPO role. Later in the year, the DPA published practical guidance for DPOs, including a checklist document as well as “The 10 basic rules for the data protection officer (DPO)”.
The Litigation Chamber of the Belgian DPA has imposed a number of sanctions on data controllers for violation of the GDPR in 2020, and these sanctions have tended to be more significant over time.
One of the competences of the Belgian DPA is to issue opinions commenting on draft bills. In 2020, the DPA notably reviewed and provided opinions on a number of draft bills in the context of Covid-19.
Protocol with DNS Belgium
On 1 December 2020, the Belgian DPA announced that it had signed a cooperation agreement with DNS Belgium vzw/asbl, the organization that manages .be domain names in Belgium. The agreement will allow the DPA to request DNS Belgium to make unavailable any .be websites which violate the GDPR, following a quick procedure.
If the Inspection Service or the Litigation Chamber of the DPA considers that there is a severe infringement of the GDPR and a refusal to comply with an order to suspend, restrict, (temporarily) freeze or cease a given processing of personal data, they can send a “notice and action” request to DNS Belgium. DNS Belgium will inform the domain name holder that the infringement constitutes a violation of DNS Belgium’s T&Cs and, at the same time, will take the necessary technical measures to redirect the domain name in question to a warning page of the DPA, hosted by DNS Belgium. This means that the website can no longer be visited through the domain name in question. The link between the domain name and the website will be re-established if DNS Belgium receives confirmation within 14 days that the necessary remediation measures have been taken and the DPA does not object.
Some concerns have been raised that such a measure lacks an appropriate right of defence and that such a strong measure should only be imposed by a judge. According to the press, the measure has even raised internal opposition within the DPA. It remains to be seen how it will be implemented in practice, and whether it will be challenged before the courts.
At the end of 2019, the Belgian DPA published a draft Strategic Plan 2019-2025, highlighting its priorities and areas of focus for that period. The DPA indicated that it will focus on five main sectors: telecommunications and media, public authorities, direct marketing, education and SMEs.
Three important social topics will also benefit from particular attention from the DPA: online data, sensitive data and images/CCTV.
Lastly, the following GDPR aspects appear to be considered a priority: the role of the DPO, the legitimacy of the processing and the processing of sensitive data. The DPA started focusing on the above priorities in 2020 and has just published its 2021 Management Plan translating the strategic and operational objectives of its 2020-2025 Strategic Plan into concrete objectives for the year to come.
The French Data Protection Authority (the “CNIL”) was active in terms of enforcement (investigations and fines) during 2020 despite the Covid-19 crisis. In December 2020, the CNIL issued fines of 35 million Euros, 60 million Euros and 40 million Euros in relation to placing cookies on users’ computers without their consent.
The CNIL also imposed two fines, one of 2,250,000 Euros and one of 800,000 Euros, for violations of the GDPR in November 2020. The CNIL found that the data processing practices in question breached, among other articles, the obligation to inform data subjects and facilitate the exercise of their rights (Articles 12, 13, 15 and 17 GDPR), and the obligation to retain data for a limited period of time only (Article 5.1(e) GDPR). (CNIL’s summary available in English here).
Enforcement actions – focus on cookies
In October 2020, the CNIL published revised cookies guidelines and recommendations. Amendments made by the CNIL aim to allow online advertisers and consumers to have more control over tracking tools. The recommendations provide useful practical guidance and examples to help navigate the rules applicable to cookies and other trackers and comply with applicable French requirements. Companies have until March 31st, 2021 to comply with the revised guidelines.
Data transfers – concerns over the French Health Data Hub
The “Health Data Hub”, a new platform designed to ultimately host all health data of people who receive medical care in France, was debated in France during the second half of 2020. In October 2020, while the CNIL had some concerns over data transfers under the French Health Data Hub due to the recent ruling of the CJEU in “Schrems II”, the French Council of State did not call for its suspension. The importance of the Health Data Hub, particularly in managing the Covid-19 health crisis, was taken into account in concluding that this risk does not justify the immediate termination of the platform. However, the French Council of State required the Health Data Hub to seek additional safeguards to better protect the data it hosts. The judge called on the CNIL to ensure that any use of the platform is necessary. The CNIL said it will take on this role while working with public authorities on long-term solutions. (CNIL’s summary available in English here).
Several new guidelines (Covid-19 data processing and others)
The CNIL published new guidance on several other topics. In addition to cookies, the CNIL has specified the conditions for carrying out data processing activities in the context of teleworking, facial recognition and the handling of deceased persons’ data. At the end of 2020, the CNIL published guidance on the principles employers should follow when collecting employee data to monitor Covid-19 symptoms or for contact-tracing purposes. The CNIL recapped the processing of health data under the GDPR and offered updates on certain practices, such as monitoring employees’ temperatures as they enter the building and carrying out surveys to gauge staff members’ health.
Enforcement actions with multi-million Euro fines
In 2020 and early 2021, we saw further multi-million Euro fines in Germany and a court decision that significantly reduced a multi-million Euro fine:
- The State Commissioner for Data Protection in Lower Saxony imposed a 10.4 million Euro fine in January 2021 against an electronics retailer for unlawful video surveillance of its employees at work desks, in salesrooms, warehouses and in recreation rooms for more than two years;
- The Hamburg Commissioner for Data Protection and Freedom of Information imposed a 35.5 million Euro fine in November 2020 on a global fashion company for violations of the GDPR. Employees were subject to comprehensive monitoring activities about their private lives for several years. Supervisors collected and retained very detailed information obtained through conversations with their employees and floor talks about their vacations, health conditions, health diagnoses, family issues and religious beliefs, including the development of these over a greater period of time. Some of this information was digitally stored and made accessible to up to 50 other supervisors. The information was even used to make employment-related decisions;
- The Federal State Data Protection Commissioner imposed a 9.5 million Euro fine in December 2019 against a telecommunications company for insufficient authentication procedures in the customer call centre before customer service personnel disclosed customer data to callers. However, this fine was significantly reduced by the Regional Court in Bonn in November 2020 to 900,000 Euro because the negative consequences of the violation (insufficient authentication measures for customers) apparently only affected one data subject;
- The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg imposed a 1.2 million Euro fine in June 2020 against an insurance organisation for using personal data of lottery participants for advertising purposes without their consent;
- The Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) imposed a 14.5 million Euro fine in October 2019 against a real estate company for violating data retention requirements (the company ignored warnings from the Berlin DPA to take corrective measures and implement appropriate data deletion procedures).
Guidance for Schrems II
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg issued guidance in September 2020 relating to Schrems II, which included recommendations for supplementary contractual measures as well as a checklist with action items. Those guidelines are available here.
Guidance for data processing relating to Covid-19
The German authorities have issued various guidelines regarding data processing activities to fight the pandemic, such as employee and customer questionnaires, temperature checks and Covid-19 tests.
Decision requested from CJEU by German Supreme Court
The German Supreme Court has submitted to the Court of Justice of the European Union (“CJEU”) the question whether consumer protection associations or competitors are authorised to initiate a civil action in case of infringements of the GDPR. In this preliminary ruling procedure, the CJEU will have to decide whether, among other provisions, Art. 80 GDPR precludes member state law which allows consumer protection associations and competitors to take action against infringements of the GDPR on the basis of the prohibition of unfair commercial practices or breach of consumer protection law irrespective of the violation of subjective rights of individuals and without a mandate from the data subject.
“Between continuity and innovation” was the slogan adopted by the Italian Data Protection Authority (the Garante) in its annual report last year, and 2020 has confirmed this: the Garante has been pursuing the initiatives already started, with an eye to new challenges.
Last December the Garante unveiled a new logo, with the message of a privacy authority aiming to be more strategic, dynamic and active in a world where data and networks are key elements of any activity. The idea is that the person and the relevant privacy rights have to be at the centre of the digital environment. The Garante has also been very active on communication channels it has not traditionally used, such as media platforms, and has re-shaped the way its information is delivered. It also pushed forward the acronym GPDP, to make the authority clearly identifiable.
The Garante has put significant efforts into training and information initiatives, aimed at raising awareness of data protection rights among individuals and providing guidance to controllers, both in the public and private sector. One such initiative was the launch of a data breach self-assessment tool for controllers to determine the need to notify a breach to the Garante and affected individuals. Other initiatives included: information to help individuals to enforce their privacy rights (such as data access) and public initiatives warning against the risks of losing control of data when interacting with digital initiatives.
The Garante updated its FAQs on CCTV, aligning the previous provisions (which dated back to 2010) with the GDPR requirements and clarifying some grey areas. It also issued long-awaited guidelines on cookies and tracking technologies; these were issued recently and will be open to public consultation for 30 days. The guidelines confirm that page scroll-down and “cookie walls” are not viable options to collect valid consent for placing cookies, and allow alternative ways to collect consent in addition to a traditional “I accept” tick.
In the fight against Covid-19, the Garante has been closely monitoring the use of the Italian App Immuni and has also approved the setup of a dedicated call centre.
In terms of enforcement, the Garante has issued a high number of fines and opened a high number of investigations. The main areas of its audits have been marketing and profiling activities, the eHealth sector, banking and insurance, IoT and the HR sector. The Garante has also been highly engaged with the EDPB and European initiatives on data protection.
Significant increase in the amount of penalties
Following the example of other European data protection authorities, the Spanish data protection authority has started to increase the amount of its sanctions. In a few weeks, the AEPD has imposed the highest fines in its history (5 million Euros and 6 million Euros against two Spanish banks). The Spanish data protection authority has even sanctioned a minor infringement with a fine of 2 million Euros. Although the legal framework has remained unchanged, a few months ago the same infringement would have resulted in a fine of only a few thousand Euros.
Promoting a Digital Bill of Rights
The Spanish government is promoting the drafting of a Charter of Digital Rights with the aim of becoming a reference code of ethics. The public consultation process for this Charter ended on January 20.
Current Spanish data protection legislation already contains a declaration for the extension of constitutional rights and freedoms to the Internet. This law goes beyond the provisions of the GDPR and lists:
- eight fundamental digital rights (digital security, digital education, special protection of minors on the Internet, data protection rights on the Internet and digital will);
- three digital labour rights (privacy and use of digital devices in the workplace, privacy against the use of monitoring, video surveillance and geolocation systems in the workplace, protection of personal data in collective bargaining);
- two mandates for public authorities in the form of digital rights: net neutrality and universal access to the Internet; and
- a demand for diligence and transparency, requiring the Spanish Government to submit an annual report on the evolution of the rights, guarantees and mandates referred to above.
IMY: looking forward to 2021
The Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten, “IMY”) has stated that five of its most important and fundamental areas of focus are: complaints, personal data breaches, response to queries, supervision and guidance to data protection officers. IMY has also stated that it will increase its supervisory activity. Going forward, IMY intends to focus on supervision in addition to following complaints.
As of 2018, IMY has the authority to grant camera surveillance permits, where these are required. IMY has also seen a clear increase in both supervisory activities for, and resources spent on, camera surveillance. Four out of 17 enforcement decisions leading to fines from IMY related to unlawful camera surveillance, emphasizing the controller’s obligation to continuously review whether a need for video surveillance is justified. You can read more about IMY’s enforcement actions in Baker McKenzie’s GDPR Enforcement Tracker here.
Recent and ongoing enforcement activities
IMY was active in terms of enforcement during 2020, issuing several monetary penalties relating to, inter alia, unlawful video surveillance, the right to be forgotten, health care providers’ access rights to medical records, and inappropriate technical and organizational measures for, for example, sensitive personal data. Following the Schrems II ruling and subsequent complaints from the organization NOYB, IMY has also initiated six audits relating to transfers of personal data.
Developments in Asia Pacific and LatAm
Asia Pacific and Latin America have witnessed a flurry of activities in the privacy space in the past year with a number of jurisdictions in both regions introducing new regimes or revisiting legal and regulatory frameworks to align with international standards, particularly with the GDPR. In 2021 and beyond, organizations and businesses that handle personal data will have to face increased scrutiny and grapple with greater obligations mandated by the new or amended laws, such as data breach notification, cross-border data transfer restrictions, data portability rights, and tougher penalties for privacy violations, just to name a few.
October 2020 saw the publication of the draft Personal Information Protection Law (“PIPL”), China’s first draft data protection law. The draft PIPL has extraterritorial application to processing of personal information of data subjects resident in China that is conducted outside of the country. It also provides for more mechanisms and conditions with respect to cross-border transfer of personal information. Further, there are GDPR-like penalties on violations. For instance, it is proposed that a fine of up to RMB 50 million (approximately USD 7.4 million) or up to 5% of annual revenue be imposed for serious violation of the law. The draft law is expected to be finalised within 2022. It will be prudent for businesses processing personal information of residents in China to periodically review the legislative and regulatory developments and conduct an assessment of the implications of the law to their business operations.
On 12 June 2020, Japan enacted the law amending the Act on the Protection of Personal Information (“APPI”). The new law, among other things, expands the scope of the data subjects’ rights, restricts the range of personal data that may be provided to third parties, and introduces mandatory obligations to report and notify data breach incidents. It also introduces “pseudonymized information”, and toughens the statutory penalties for violating an order of the Personal Information Protection Commission (“PPC”) or submitting a false report to the PPC. The new law is expected to come into force in Spring 2022, but potentially earlier, and largely depends on when the guidelines currently being drafted by the PPC will come into effect.
Major amendments to the Personal Data Protection Act (“PDPA”) were passed in the Parliament on 2 November 2020 and will come into effect on 1 February 2021. The amendments mark the first comprehensive review of the PDPA since its enactment in 2012, and follow an extensive series of consultations conducted by the government and the Personal Data Protection Commission (“PDPC”) since 2017. The amendments aim to safeguard consumers’ interests in the digital economy, while keeping pace with both technological advances and newer business models by aligning the PDPA with international best practices. The new law provides for increased financial penalties of up to 10% of an organisation’s annual gross turnover in Singapore for breaches of the PDPA, mandatory data breach notification requirements, a new data portability obligation, an expanded scope of “deemed consent”, new consent exceptions (legitimate interests exception and business improvement exception) and improved controls for commercial communications, among other things.
New Zealand’s Privacy Act 2020 came into force on 1 December 2020. The new law strengthens existing privacy protections, and imposes greater obligations on organizations and businesses that handle personal information. The Act introduces new privacy breach reporting obligations, requiring that where a business or organization believes a privacy breach has caused (or is likely to cause) serious harm, it must notify the Office of the Privacy Commissioner and impacted individuals as soon as possible. The Act also introduces a new privacy principle regulating the transfer of personal information outside of New Zealand, which allows disclosure of personal information only if the receiving agency is subject to safeguards similar to that under the Act. The Act has extraterritorial effect on businesses and organizations which are “carrying on business” in New Zealand, even where they do not have a physical presence in the country. The Act also introduces new criminal offences and gives the Privacy Commissioner the power to issue compliance notices to businesses or organisations requiring them to comply with the Act.
Brazil’s General Data Protection Law (“LGPD”) came into force in September 2020, allowing consumer protection authorities to enforce the law (in connection with consumer relationships) as well as judicial claims under the law. The Brazilian Data Protection Authority (“ANPD”) has been created but may only apply administrative penalties as of 1 July 2021. LGPD is the first comprehensive data protection law in Brazil and brings about significant cultural changes. It follows some of the concepts of the GDPR, and requires companies to map all processing activities and maintain a record of processing, process personal data only according to the legal bases for processing set forth under the law, comply with data subjects’ rights, notify the authority and data subjects in certain cases of security incidents, appoint a data protection officer, adopt technical, organizational and security measures, and take additional steps in case of international data transfers. The law also sets forth different penalties that may be applied by the ANPD as of 1 July 2021, including a fine of up to 2% of the group’s net revenues in Brazil in the preceding year.