A look at the European Data Protection Board guidance on supplementary measures – Olivia Wint

Data transfers have been a prominent topic in the data protection world in recent months, with the UK’s recent adequacy decision adding to the conversation on the topic.

On 21 June 2021, the European Data Protection Board (“EDPB”) published the final version of its Recommendations on supplementary measures (the “Recommendations”). For context, the first draft of the Recommendations, published in November 2020, was prompted by the much-anticipated Schrems II judgment handed down in July 2020.

The Schrems II judgment follows the Schrems I judgment, which invalidated the Safe Harbour regime in 2015. The focal point of the Schrems II case was the legitimacy of standard contractual clauses (“SCCs”) as a transfer mechanism for cross-border data transfers from the EU to the US. Max Schrems, a privacy advocate, argued that Facebook Ireland’s transfer of a significant amount of data to the US was not adequate due to the US’s surveillance programmes, and that this fundamentally affected his right to ‘privacy, data protection and effective judicial protection’. Rather unexpectedly, the Court of Justice of the European Union (“CJEU”) declared the Privacy Shield invalid in this case and, whilst SCCs were not invalidated, the CJEU laid down stricter requirements for cross-border transfers relying on SCCs, including additional measures to ensure that cross-border transfers have ‘essentially equivalent’ protection to that of the General Data Protection Regulation 2016/679 (“GDPR”).

As a result of the Schrems II judgment and the invalidation of the Privacy Shield, the estimated 5,300 signatories to that mechanism now need to seek alternative transfer mechanisms, and companies operating on a transatlantic scale have been forced to re-examine their cross-border transfers. As such, the EDPB’s Recommendations could not have come soon enough for many in the privacy world.

Based on the Schrems II judgment, supplementary measures are in essence additional safeguards layered on top of any of the existing transfer mechanisms cited in Article 46 GDPR, which include SCCs, binding corporate rules (“BCRs”) and approved codes of conduct, to name a few. The overarching objective of supplementary measures is to ensure that the ‘essentially equivalent’ threshold is met.

The EDPB’s Recommendations outline six key steps which form part of an assessment of the need for supplementary measures:

  1. know your transfers;
  2. identify the transfer mechanism(s) you are relying on;
  3. assess whether the transfer mechanism you are relying on is effective in light of all circumstances of the transfer;
  4. identify and adopt supplementary measures;
  5. take any formal procedural measures; and
  6. re-evaluate at appropriate intervals.

Step 1- know your transfers

Step 1 concerns organisations having a good grasp of their data processing activities, mainly evidenced through data mapping and/or records of processing activities (“ROPAs”). As ROPAs are a direct obligation under the GDPR, in theory for most organisations it will be a case of ensuring that the ROPA accurately reflects any new data processing that has occurred (including any third parties involved).

Key data protection principles should also be considered, for example lawfulness, fairness and transparency (does the privacy policy make it clear that cross-border transfers are taking place?), data minimisation (is the whole data set being transferred, or just what is relevant?) and accuracy (have data quality checks been conducted on the data in question?).

The Recommendations stipulate that these activities should be carried out before any cross-border transfers are made, and highlight that access to data held in cloud storage is also deemed to be a transfer.

Step 2- identify the transfer mechanism(s) you are relying on

There are a number of transfer mechanisms that can be relied on for cross-border data transfers, such as SCCs, BCRs, codes of conduct and adequacy decisions, and this step requires organisations to identify the mechanism that will be used for the transfer.

The EDPB has noted that for organisations relying on an adequacy decision as their transfer mechanism, the subsequent steps in the Recommendations do not apply.

N.B. To date, the European Commission has only recognised Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the UK as adequate.

Step 3- Assess whether the transfer mechanism you are relying on is effective in light of all circumstances of the transfer

This is a critical part of the assessment and requires organisations to examine the third country’s legislation and practices to ascertain the extent to which there are limitations which may mean the protection afforded after the cross-border transfer is less than ‘essentially equivalent’. The Recommendations affirm that the scope of the assessment should be limited to the legislation and practices relevant to the protection of the specific data you transfer. The legislation and/or practices examined must, in the first instance, be publicly available, verifiable and reliable.

Key circumstances which may influence the applicable legislation and/or practices include (but are not limited to):

  • purpose for data transfer (marketing, clinical research etc);
  • sector in which transfer occurs (financial, healthcare etc);
  • categories of personal data transferred (children’s data, health data etc); and
  • format of the data (raw, pseudonymised, anonymised, encrypted at rest and in transit etc).

The assessment should be holistic in nature, cover all relevant parties such as controllers, processors and sub-processors (as identified in Step 1), and consider the effectiveness of data subject rights in practice.

Examination of legislation and practices is of the utmost importance in situations where:

  1. legislation in the third country does not formally meet EU standards in respect of rights/freedoms and necessity and proportionality;
  2. legislation in the third country may be lacking; and
  3. legislation in the third country may be problematic.

The EDPB stipulates that in scenarios (1) and (2) the transfer in question has to be suspended. There is more flexibility in scenario (3), where the transfer may be suspended, supplementary measures may be implemented, or the transfer may continue without supplementary measures if you are able to demonstrate and document that the problematic legislation will not have any bearing on the transferred data.

Step 4- Identify and adopt supplementary measures

If, as a result of Step 3, the assessment concludes that the transfer mechanism is not effective in light of the third country’s legislation and/or practices, then the Recommendations urge that consideration be given to whether supplementary measures exist that can ensure an ‘essentially equivalent’ level of protection. Supplementary measures can take a myriad of forms, including technical (controls such as encryption), organisational (procedures) and contractual, and must be assessed on a case-by-case basis for the specific transfer mechanism.

N.B. A non-exhaustive list of supplementary measures can be found in Annex 2 of the Recommendations.

Step 5- Take any formal procedural measures

A recurring theme throughout the Recommendations is the need for a nuanced approach when assessing each specific transfer mechanism. As such, the procedural measures that will need to be taken depend on the specific transfer mechanism, with some mechanisms requiring notification to the supervisory authority.

Step 6- Re-evaluate at appropriate intervals

As with all aspects of compliance, supplementary measures should be monitored and re-evaluated frequently. The Recommendations do not explicitly define a time period; however, factors which could affect the level of protection of transferred data, such as developments in third country legislation, will trigger re-evaluation.

One of the main aims of the GDPR (and also one of its key principles) is accountability, and the EDPB’s Recommendations on supplementary measures bolster this premise. Emphasis is placed on documentation which adequately considers and records the decision-making process at each of the six steps, so that organisations have an accurate audit trail.

In addition to the EDPB’s Recommendations, it is important for organisations (especially global ones) to take heed of any local developments in this area. With the CNIL already having published guidance, the ICO expected to issue guidance and the Bavarian Data Protection Authority’s ruling against Mailchimp in this area, it can be said that supplementary measures will be the crux of many impending data protection developments.

Olivia Wint is a seasoned data protection professional, with over five years’ experience in this area. Olivia has worked in a range of sectors including local authority, third sector, start-ups and the Big 4, advising on all aspects of data protection compliance.

Transgender Rights Charity Mermaids fined £25,000 by the ICO for data protection breaches

It is unfortunate at times that some charities which do the most sensitive of work also hold the most sensitive data. It makes data protection compliance all the more critical. Unfortunately, the transgender rights charity Mermaids has fallen afoul of data protection law in the creation of an email group that was not sufficiently protected or encrypted to safeguard the data it contained.

The result was that 780 pages of emails were discoverable online over a period of three years, leaving the personal information of 550 people searchable online. Furthermore, the personal data of 24 of those people revealed how they were coping and feeling. Finally, for a further 15 people, special category data such as mental and physical health and sexual orientation was exposed.

Steve Eckersley, Director of Investigations at the ICO said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

This serves as a warning call for charities which process sensitive personal data: under the GDPR and the framework of self-reporting, you need to have appropriate technical measures in place. Failure to do so puts users’ data at risk and leaves them vulnerable. Mermaids’ penalty was imposed for the data being at risk for the period of 25 May 2018 to 14 June 2019.

It is notable that Mermaids’ data protection policies and procedures were not updated to reflect GDPR standards. Since the implementation of the Data Protection Act 2018, data protection practices have taken on increasing importance, and a robust review with practical changes to data harvesting, management, retention and rights handling is now a necessity.

Privacy concerns around Amazon’s Ring

“A home security product upscaled and diversified into law enforcement and integrated with video software brings with it some serious privacy concerns.”

What is the Ring?


Ring is Amazon’s bestselling smart security device product line. The most notable of these is the Ring doorbell, which allows users to monitor movement by their front doors, view video and receive mobile notifications whenever someone presses the doorbell. Users can also benefit from an app installed on their mobile which monitors local news and allows social-media-style sharing with other Ring users.

Ring additionally offers security services, cross-selling into the wider security service market.

Ring and law enforcement

Recent controversy was sparked when it was found that Ring is partnering with over 400 police departments in the United States. Ring’s collaborative efforts extend to targeting adverts at users encouraging them to share live video footage with law enforcement. This in and of itself is a significant extension of police surveillance meriting further legislative scrutiny.

However, pair this with the fact that Ring is being dubbed “the new neighborhood watch” and it becomes a little disconcerting.

It is well established that a person’s likeness is considered personal data and that recording individuals without their consent is potentially invasive. There are also civil liberties concerns regarding the police acquiring these live video feeds for their own use.

This has drawn the attention of the Senator for Massachusetts, Edward Markey, who recently published a letter sent to Amazon’s CEO Jeffrey Bezos highlighting civil liberties concerns with Ring. This echoes issues previously raised in the United Kingdom in relation to the use of facial recognition software and its potential to racially profile individuals. Whilst this was considered by the Administrative Court to be too intangible an argument, lacking sufficient supporting data, further scrutiny would be most welcome.

And further scrutiny seems forthcoming. In his letter Senator Markey highlights 10 key concerns around the Ring system, demanding a response from the Amazon CEO by 26 September 2019. We highly recommend readers consider the letter in its entirety here.

Breach of confidence

Breach of confidence occurs when confidential information, shared between parties in circumstances of confidence, is passed to a third party in breach of that duty of confidence. What imposes the duty to protect the information in a breach of confidence case is a pre-existing confidential relationship between the parties.

The case of Coco v A.N. Clark involved the claimant looking to bring a new form of moped to market, parts of which were then sourced from a third party in breach of obligations of confidence. This case underpinned the three elements of the tort and highlights the most common scenario in which breach of confidence claims arise: those involving business secrets and negotiations.

In relation to privacy, breach of confidence tends to cover confidential conversations and communications where the nature of the information itself attracts a reasonable expectation of privacy. This may relate to communications with lawyers or medical professionals, for example.


Defamation

Defamation seeks to protect an individual’s reputation from false statements which harm or may harm it. Slander and libel (the latter covering more permanent forms of communication) refer to a statement published to a third party which has caused or is likely to cause serious harm to the individual’s reputation.

Defamation is a construct of the common law, built up over a series of legal cases. Defamation cases have been held to extend to social media, such as to tweets made by Katie Hopkins to food writer Jack Monroe.

Thornton v Telegraph Media Group Ltd [2011] EWHC 159 (QB) highlighted that defamation claims often cross the threshold to engage Article 8 privacy rights. In particular, the European Court of Human Rights has ruled that:

“In order for Article 8 to come into play, however, an attack on a person’s reputation must attain a certain level of seriousness and in a manner causing prejudice to personal enjoyment of the right to respect for private life…”

Claimants have to show the statement at issue is likely to cause serious harm to their reputation per s.1 Defamation Act 2013. This is typically via evidence such as circulation, subscribers and views of the statement at issue.

The defenses available to defamation are:

  1. Truth: That the statement itself was substantially true.
  2. Honest opinion: That the statement was one of opinion and that an honest person could have reasonably held that opinion.
  3. Public interest: That the matter was one which was in the public interest and the publisher of the statement reasonably believed it to be so.
  4. Privilege: This can be absolute (such as a Parliamentary statement) or qualified (e.g. job references). Qualified privilege does not protect the publisher of a statement where it was done so maliciously.

Passing off

Passing off is typically used to protect a person’s name or image, which has attracted goodwill as a business commodity. There are three well-established elements of passing off as stated in the case of Reckitt & Colman Products Ltd v Borden Inc & Ors [1990] RPC 341:


  1. Goodwill or reputation in the mind of the public attached to goods or services;
  2. The defendant misrepresented that their goods or services are that of the claimant’s; and
  3. The claimant suffered or is likely to suffer damages due to erroneous belief in the mind of the public that the defendant’s goods are the claimant’s.

A case which illustrates this is that of Fenty v Arcadia [2015] EWCA Civ 3, a case involving Rihanna bringing a passing off action against Topshop. The action arose from Topshop’s unauthorized use of an image of Rihanna on a line of t-shirts. It was first considered that:

  “registered trade marks aside, no-one can claim monopoly rights in a word or a name. Conversely, however, no-one may, by the use of any word or name, or in any other way, represent his goods or services as being the goods or services of another person and so cause that other person injury to his goodwill and so damage him in his business” – p.34

However, it was concluded that all elements of the tort were made out by the claimant. Rihanna had a marked presence in the fashion industry and had generated significant goodwill. By using her image on its t-shirts, Topshop created a likelihood of confusion among customers that the t-shirts were endorsed by Rihanna herself. They were not. It was, therefore, considered that Rihanna suffered damage due to the unauthorized use of her image. This was despite the fact that there is no standalone right to protect one’s image at law.

The Fenty case is illustrative of how passing off can be used to protect elements of the person which are inherently private identifying factors, the foremost of these being a person’s likeness or name.

It should be noted that the rationale for protection in passing off cases is the protection of the goodwill which attaches to these elements of the person. The nature of a passing off action is, therefore, more akin to other economic torts such as malicious falsehood. Notwithstanding this, the propensity for passing off actions to be used to protect elements of the persona that have an inherently private character is significant.

Malicious falsehood

These claims stem from the malicious publication of a false statement which identifies the claimant and has caused them financial loss; these four elements must be proven by the claimant. What malicious falsehood seeks to protect is the claimant’s economic rights, primarily the goodwill in their business. Therefore, in many cases claimants will seek to show special pecuniary loss in the form of damage to their business evidenced by loss of profits.

In some cases, however, no loss needs to be proven by the claimant. These instances are outlined in s3(1)(a) and (b) Defamation Act 1952 and typically involve instances where the statement complained of is in writing and was calculated to cause pecuniary damage to the plaintiff.

Malicious falsehood is primarily concerned with the falsity of a statement, rather than the matters of comment or opinion around which defamation is typically debated.

“Some malicious falsehood claims also involve Art 8 (privacy) rights, although less frequently than in defamation claims” – Thornton v Telegraph Media Group Ltd [2011] EWHC 159 (QB) at p.33

The requirement for financial loss to be evidenced in malicious falsehood cases means that it less often covers Article 8 issues, as those are more likely to be personal attacks meriting Article 8 protection. As an economic tort, malicious falsehood sits less easily with Article 8 issues than the personal tort of defamation (see Ajinomoto Sweeteners Europe SAS v Asda Stores Limited [2010] EWCA Civ 609).

In a malicious falsehood claim damages are compensatory in nature. They seek to provide compensation for the pecuniary loss caused by the false statement.

As a practical matter, defamation and malicious falsehood claims are typically brought together. Statements engaging Article 8 rights can include false allegations which impinge upon the private life of the claimant. These include mixed statements carrying personal imputations which damage the claimant’s business, such as statements about infidelity or convictions.
