Tag: USA

US Data Transfers and Privacy Shield 2.0 

On 14th December 2022, the European Commission published a draft ‘adequacy decision’, under Article 47 of the GDPR, endorsing a new legal framework for transferring personal data from the EU to the USA. Subject to approval by other EU institutions, the decision paves the way for “Privacy Shield 2.0” to be in effect by Spring 2023.

The Background

In July 2020, the European Court of Justice (ECJ) in “Schrems II”, ruled that organisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework as a legal transfer tool as it failed to protect the rights of EU data subjects when their data was accessed by U.S. public authorities. In particular, the ECJ found that US surveillance programs are not limited to what is strictly necessary and proportionate as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights. Secondly, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the USA, as required by Article 47 of the EU Charter.

The ECJ stated that organisations transferring personal data to the USA can still use the Article 49 GDPR derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporter to make a complex assessment  about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. 

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the USA hoping that regulators will wait for a new Transatlantic data deal before enforcing the judgement.  Whilst the UK Information Commissioner’s Office (ICO) seems to have adopted a “wait and see” approach, other regulators have now started to take action. In February 2022, the French Data Protection Regulator, CNIL, ruled that the use of Google Analytics was a breach of GDPR due to the data being transferred to the USA without appropriate safeguards. This followed a similar decision by the Austrian Data Protection Authority in January. 

The Road to Adequacy

Since the Schrems ruling, replacing the Privacy Shield has been a priority for EU and US officials. In March 2022, it was announced that a new Trans-Atlantic Data Privacy Framework had been agreed in principle. In October, the US President signed an executive order giving effect to the US commitments in the framework. These include commitments to limit US authorities’ access to data exported from the EU to what is necessary and proportionate under surveillance legislation, to provide data subjects with rights of redress relating to how their data is handled under the framework regardless of their nationality, and to establish a Data Protection Review Court for determining the outcome of complaints.

Schrems III?

The privacy campaign group, noyb, of which Max Schrems is Honorary Chairman, is not impressed by the draft adequacy decision. It said in a statement:

“…the changes in US law seem rather minimal. Certain amendments, such as the introduction of the proportionality principle or the establishment of a Court, sound promising – but on closer examination, it becomes obvious that the Executive Order oversells and underperforms when it comes to the protection of non-US persons. It seems obvious that any EU “adequacy decision” that is based on Executive Order 14086 will likely not satisfy the CJEU. This would mean that the third deal between the US Government and the European Commission may fail.”

Max Schrems said: 

… As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.”

The draft adequacy decision will now be reviewed by the European Data Protection Board (EDPB) and the European Member States. From the above statements it seems that if Privacy Shield 2.0 is finalised, a legal challenge against it is inevitable.

UK to US Data Transfers 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, all often involve a transfer of personal data to the US. At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. A new UK international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified. 

Good news may be round the corner for UK data exporters. The UK Government is also in the process of making an adequacy decision for the US. We suspect it will strike a similar deal once the EU/US one is finalised.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Our next online GDPR Practitioner Certificate course, starting on 10th January, is fully booked. We have places on the course starting on 19th January. 

New US-EU Data Transfer Announcement: Time to celebrate?

On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement will replace the Privacy Shield Framework as a mechanism for lawfully transferring personal data from the EEA to the US in compliance with Article 44 of the GDPR. As for UK/US data transfers and compliance with the UK GDPR is concerned, it is expected that the UK Government will strike a similar deal once the EU/US one is finalised.

The need for a “Privacy Shield 2.0” arose two years ago, following the judgment of the European Court of Justice (ECJ) in “Schrems II” which stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. They must consider using the Article 49 derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment  about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the US hoping that regulators will wait for a new deal before enforcing Article 44.  Whilst the UK Information Commissioner’s Office (ICO) seems to still have a “wait and see” approach, others have started to enforce. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR due to the data being transferred to the US without appropriate safeguards. This followed a similar decision by Austrian Data Protection Authority in January. 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, which one does not involve a transfer of personal data to the US? At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. In the UK, a new international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified. 

Has the Trans-Atlantic Data Privacy Framework saved DPOs hours of work? But before you break open the bubbly, it is important to understand that this is just an agreement in principle. The parties will now need to draft legal documents to reflect the agreed principles. This will take at least a few months and will then have to be reviewed by the European Data Protection Board (EDPB) adding more time. And of course there is the strong possibility of a legal challenge especially if the ECJ’s concerns about US surveillance laws are not addressed. Max Schrems said in a statement:

We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.” 

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

What should organisations do in the meantime? Our view is, if you have any choice in the matter, stick to personal data transfers to adequate countries i.e. those which have been deemed adequate by the UK/EU under Article 45. This will save a lot of time and head scratching conducting TRAs and executing SCCs. Where a US/non-adequate country transfer is unavoidable, a suitable transfer mechanisms has to be used as per Article 45. Of course for genuine one-off transfers the provisions of Article 49 derogations are worth considering. 

Only 2 places left on our Advanced Certificate in GDPR Practice course starting in April. We have also just announced three new GDPR workshops for experienced practitioners.

Google Analytics and GDPR Compliance: What next?

Google Analytics is a popular tool used by website owners across the world to observe and measure user engagement. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR. This followed a similar decision by Austrian Data Protection Authority in January. 

Is a website owner processing personal data by making use of Google Analytics? On the face of it, the answer should be no. Google Analytics only collects information about website visitors, such as which pages they access and where they link from. The website owners do not see any personal data about visitors. However, Google does assign a unique user identification number to each visitor which it can use to potentially identify visitors by combining it with other internal resources (just think of the vast amount of information which is collected by Google’s other services). 

The fact that the above mentioned French and Austrian decisions ruled that analytics information is personal data under GDPR does not in its itself make the use of Google Analytics unlawful. Of course website owners need to find a GDPR Article 6 condition for processing (Lawfulness) but this is not an insurmountable hurdle. Legitimate interests is a possibility although the UK Information Commissioner’s Office (ICO) holds the view that use of analytics services is not “strictly necessary” in terms of the PECR cookie rules and its own cookie banner, adopts the express consent approach.  

A bigger obstacle to the use of Google Analytics in Europe is the fact that website users’ personal data is being passed back to Google’s US servers. In GDPR terms that is a “restricted transfer” (aka international transfer). Following the judgment of the European Court of Justice (ECJ) in “Schrems II”, such transfers have been problematic to say the least.  In Schrems, the ECJ concluded thatorganisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must consider using the Article 49 derogations or standard contractual clauses(SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

In France, the CNIL has ordered the website which was the subject of its ruling about Google Analytics to comply with the GDPR and “if necessary, to stop using this service under the current conditions”, giving it a deadline of one month to comply. The press release, announcing the decision, stated:

“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.”

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL decision does leave open the door to continued use of Google Analytics but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. It also suggests use of alternative toosl which do not involve a transfer outside the EU. Of course the problem will be solved if there is a new agreement between the EU and U.S. to replace the Privacy Shield. Negotiations are ongoing.

In the meantime, what can UK based website owners do. Should they stop using Google Analytics? Some may decide to adopt a “wait and see” approach. The ICO has not really shown any appetite to enforce the Schrems decision concentrating instead on alternative transfer tools including International Data Transfer agreement which comes into force tomorrow. Perhaps a better way is to assess which services, not just analytics services, involve transfers to the US and switch to EU based services instead.  

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop on Wednesday. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

advanced_cert
https://www.actnow.org.uk/advancedcert

The CCPA Becomes Enforceable on 1st July 2020 (and there is more to come!)

photo-1523595857-fe9ee689f76f

The California Consumer Privacy Act (CCPA) becomes fully enforceable on 1st July 2020. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:

  • Know and access the personal being collected about them
  • Know whether their personal data is being sold, and to whom
  • Opt out of having their personal data sold
  • Have their personal data deleted upon request
  • Avoid discrimination for exercising their rights

CCPA also requires that a security breach involving personal data, must be notified to each individual it affects. It does not matter if the data is maintained in or outside of California.

CCPA is often called the US equivalent of the EU General Data Protection Regulation (GDPR). Both laws give individuals rights to access and delete their personal information. They require organisations to be transparent about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it only applies to for profit entities, it does not require a legal basis for processing personal data (like Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer.

Enforcement

Unlike GDPR, CCPA does not have a regulator like the Information Commissioner in the UK. It is primality enforced by the California Attorney General (AG) through the courts; although there is a private right of right action for a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach:

  • $2,500 for an unintentional and $7,500 for an intentional breach
  • $100-$750 per incident per consumer, or actual damages, if higher – for damage caused by a security breach

A business shall only be in breach of the CCPA if it fails to cure any alleged breach within 30 days after being notified of the same.

The AG has now published the final proposed CCPA Regulations. These have to be read alongside the Act. The accompanying Final Statement of Reasons provides some interesting insights into the AG’s views and potential positions on certain issues.

While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars.

Two big US companies, Hanna Andersson and Salesforce, are already facing a class action lawsuit alleging CCPA violations. Both suffered a data breach that compromised the names, addresses, and credit card information of over 10,000 California residents, which were then sold on the dark web. The lawsuit claims the companies failed to protect consumer data, provide adequate security measures, safeguard their systems from attackers, and delayed notification of the breach.

During the coronavirus pandemic there has been an increased use of video chat and conferencing apps to stay connected. Both Zoom and Houseparty have class actions claiming that they failed to obtain consent from customers for the disclosure of their personal information to third parties like Facebook.

CCPA 2.0

There is more to come! The California State Assembly held a hearing on 12th June 2020 on the California Privacy Rights Act (CPRA) ballot initiative. Californians for Consumer Privacy, an advocacy group and the proponent of the 2018 ballot initiative that led to the enactment of the CCPA, has gathered more than 900,000 signatures to place the CPRA on the ballot in November of 2020. This is now looking very likely after Friday’s California Superior Court ruling although a deal could be struck to amend the CCPA in exchange for withdrawing the ballot initiative.

The CPRA (or an amendment to the CCPA) will further expand privacy rights of California consumers as well as compliance obligations of businesses, their service providers and contractors. It will, among other things, permit consumers to (1) prevent businesses from sharing (in addition to selling) their personal data; (2) correct inaccurate personal data about them; and (3) limit businesses’ use of “sensitive personal information,” known as Special Category Data under GDPR. This includes information about their race, ethnicity, religion, union membership and biometric data. The proposed law will prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information longer than reasonably necessary. Readers with knowledge of GDPR will agree that this new law is even more like GDPR than the CCPA.

The CPRA will also establish a new California Privacy Protection Agency which will be tasked with enforcing and implementing consumer privacy laws and imposing administrative fines. If enacted CPRA will become operative on 1st January 2023 although its obligations would only apply to personal data collected after 1st January 2022.

A Federal Privacy Law?

CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S federal privacy regulation. Nevada residents also now have more control over how their personal information is used. Senate Bill 220 went into law recently, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already considering CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.

CCPA’s impact will not just be felt by California based businesses. Any business which processes personal data about Californian consumers needs to revaluate its privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big business wherever they are based will have to comply with the CCPA. With substantial fines and penalties for breaches and a 6 month ‘look back’ period, now is the time to implement CCPA compliance measures.

Act Now has launched a US privacy programme covering every thing US and international business need to know about CCPA and GDPR.

 

.

online-gdpr-banner

%d bloggers like this: