CIPP/US - Chapter 14 - The GDPR and International Privacy Issues

Data Protection Officer

Primary point of contact on data protection issues within a business that is based in the EU. The DPO facilitiates and reviews the company's GDPR compliance.

14.3.3 Data Minimization

Processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing. When determining the purpose of a processing activity, a company should carefully consider what personal data is necessary to achieve that purpose and subsequently collect and process only the necessary personal data. For instance, compliance with the data minimization principle requires that personal data no longer necessary should be deleted or anonymized and that any data retention period be limited to a strict minimum

SCC

Standard Contractual Clase

14.7 Global Data Flows Under the GDPR

Strict rules regarding data traveling to third party country.

Key new provisions introduced in the GDPR include

(1) new requirements for processing data, (2) individual rights, (3) notification of security breaches, (4)designation of data protection officers, (5) sanctions of up to 4 percent of worldwide revenues, and (6) rules for international transfers

When the DPA handles a complaint initiated by a data subject, the data subject has the right to bring the complaint to a national court if

(1) the data subject is not satisfied with the decision of the DPA, or (2) the DPA does not inform the data subject - within 3 months - the outcome of the complaint or of the progress on the complaint. In addition, the data subject has the right to seek a judicial remedy against the controller or processor.

For consent to be valid under the GDPR, the business must provide the data subject with the following for the consent to be deemed informed:

- Controller's identity - Purpose of processing for which consent is sought - Types of data that will be collected - Information about the right to withdraw consent - Information about automated processing - Risks of transfers outside Europe

There is one DPA in each EU....

..member state (country) with the exception of Germany, which has a federal DPA with jurisdiction over the public sector and statelevel DPA's over commercial sector

Seven Key Principles of the GDPR (framework for company's compliance program) Lamar Fails, Austin's Team Prevails, League Defeats Mark, Activating Self Loathing, Insecurity and Crippling Anxiety

1. lawfulness, fairness and transparency 2. purpose limitation 3. data minimization 4. accuracy 5. storage limitation 6. integrity and confidentiality 7. accountability

Fines for violations of the GDPR can be as much as

4% of worldwide revenues

14.4 Data Subject Rights

A cornerstone of the GDPR is providing individuals with control over their personal data. the right to be informed of transparent communication and information, right of access, right to rectification, right to erasure, right to restrict processing; right to data portability; right to object; and right not to be subject to automated decision-making

14.6.1 Complaint Process

An administrative complaint can be initiated by a data subject or by a DPA. A data subject can file an administrative complaint with a DPA

Binding Corporate Rules (BCRs)

Another mechanism that exists for lawful transfers of personal data from the EU to the United States are BCRs. BCRs provide that a multinational company can transfer data between countries AFTER CERTIFICATION BY A DPA

Adequate countries per EU

As of early 2020, countries and territories deemed adequate for purposes of the GDPR are Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. U.S. and Canada have received "less than adequate" decision

14.6 Enforcement

At least some commentators believe that the major didifference between the 1995 Data Protection Directive and the GDPR relates to fines. EU data protection law in the 1990's was oen aspirational. Today, with significant fines part of the picture, EU data protection law is a compliance regime. With fines as large as 4 percent of worldwide revenues, it is important for companies to understand the complaint process, liability for compensation, and levels of fines.

14.7.2 Transfers from Europe to the United States

Because the United States has not received a full adequacy decision from the EU, the primary lawful bases for transfer of data between the EU and the United States at the time of the writing of this book include: the Privacy Shield Framework, standard contractual clauses (SCCs), and binding corporate rules (BCRs).

Processor obligations under the GDPR

Compliance with instructions of the controller Confidentiality Record of processing activities Data security Data breach reporting Cooperation with DPAs

Data Protection Authorities

DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws. DPAs are independent public authorities that investigate and enforce data protection laws.

Schrems v. Data Protection Commission

EU courts struck down the Safe Harbor Program - in part due to US gov surveillance made public by Snowden

EEA

European Economic Area

14.6.3 Levels of Fines

For companies, it is important to understand that the GDPR has two levels of fines. Higher-level fines can be up to 4 percent of global annual revenues. Lower level fines can be up to 2 percent of global annual revenues.

GDPR

General Data Protection Regulation

Higher-level fines

Higher-level fines focus on infringements related to basic principles of processing (including conditions of consent, lawfulness of processing, and processing of special categories of personal data), rights of data subjects, and transfers of personal data to a recipient outside of the EU. In this higher-level category, the maximum fines are the greater of €20 million or 4 percent of global annual revenue

Derogations.

If a transfer is not covered by an adequacy decision or appropriate safeguard, the GDPR provides derogations or conditions under which a transfer may occur. (Derogation is a term oen used in the EU where the term exception would be used in the United States

EU-US Privacy Shield

In July 2016, after extensive negotiations, the EU-U.S. Privacy Shield was finalized after its formal adoption by the EU. The agreement sets forth (1) commitments by U.S. companies, (2) detailed explanations of U.S. laws, and (3) commitments by U.S. authorities. U.S. companies wishing to import personal data from the EU under the Privacy Shield accept obligations on how that data can be used, and those commitments are legally binding and enforceable

Standard Contractual Clauses

In addition to the EU-U.S. Privacy Shield, SCCs are widely used. For SCCs, a company contractually promises to comply with EU law and to submit to the supervision of a DPA.

Schrems II

In its July 2020 Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the European Commission's Privacy Shield Decision invalid on account of invasive US surveillance programmes, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal.

Lower-level fines

Lower-level fines include infringements related to integrating data protection by default or by design, records of processing, cooperation with DPAs, security of processing data, notification to DPAs of a data breach, communication of data breach to data subjects, and designation of a DPO. For the lower-level category, the maximum fines can be the greater of €10 million or 2 percent of global annual revenues.

Purpose Limitations

Personal data must be collected for specified, explicit, and legitimate purposes · relationship between the purposes of collection and the purposes of further processing · nature of the personal data and the safeguards adopted to ensure fair processing · reasonable expectations of the data subjects and the impact of the further processing on the data subjects

adequacy

Personal data permitted to flow to "adequate" countries, as deemed by the EU

Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store. a data subject is any natural person whose data is being collected, stored or processed

14.7.1 Requirements for Data Transfers

Transfers from EEA to non EEA countries / int'l organizations prohibited unless one of the following transfer mechanisms can be relied upon: an adequacy decision, appropriate safeguard (e.g., standard contractual clauses, binding corporate rules), or derogation (e.g., explicit consent).

14.6.2 Liability for Compensation

Under the GDPR, both the controller and the processor can be liable to data subjects for harm caused by unlawful processing of personal data. Controllers are liable for any damages caused by unlawful processing. Processors are liable for processing in violation of the GDPR obligations on processors and for processing in violation of instructions given by the controller. Controllers and processors are exempt from liability when they are "not in any way responsible for the event giving rise to the damage"

DPO Qualifications

With regard to qualifications, the DPO must have expertise in data protection law relevant to the data processing of the company. Critically, the DPO must not have any conficts of interest the DPO must not have duties related to processing personal data that con.ict with duties related to monitoring.

Are member states permitted to impose criminal sanctions?

Yes - 10 countries have adopted

14.5 Breach Notification and Response GDPR defines a data breach as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Controller

an individual or entity that "determines the purposes and the means of the processing of personal data" In simple terms, the controller is the company that directs the processing of data to further its business objectives.

processor

an individual or entity that "processes personal data on behalf of the controller" The GDPR requires the processor to be governed by instructions provided by the controller in a contract. Generally speaking, the controller should bear more of the legal responsibility under the GDPR than the processor.

The term data protection officer is used to refer to the representative for companies that are...

based in the EU not in EU? EU representative

personal data

data that relates to "an identified or indentifiable natural person" This means a person who can be identified directly or indirectly.

consent

freely given, specific, informed, and an unambiguous indication of the data subject's wishes

Because the United States has not received a full adequacy decision from the EU, the primary lawful bases for transfer of data between the EU and the United States at the time of the writing of this book include:

the Privacy Shield Framework, standard contractual clauses (SCCs), and binding corporate rules (BCRs). Commentators warn that these methods of data transfer are subject to the same sorts of legal challenges as those expressed in the Safe Harbor case.

Appropriate Safeguards

· A legally binding and enforceable instrument between public authorities or bodies · Binding corporate rules · Standard data protection clauses adopted by the European Commission · Standard data protection clauses adopted by a DPA and approved by the European Commission · An approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor · An approved certification mechanism together with binding and enforceable commitments of the non-EEA controller or processor · Contractual clauses authorized by the DPA of the controller or processor transferring the data outside of the EEA; or · Administrative arrangements between public authorities authorized by · the DPA in the country from which the transfer is being made

Factors determining whether DPO is needed

· Are the data subjects from the EU? · Is the data in/from the EU? · Is there large-scale monitoring of data subjects? · Is there large-scale processing of sensitive personal information? · Where is the company based?

Personal Data Includes:

· First and last name · Home address · Email address including a .rst and last name · Identi.cation card number · Location data · IP address [often not personally identifiable information (PII) in the United States] · Cookie ID (often not PII in the United States) · Advertising identi.er on phone · Data held by doctor or hospital, even separated from the patient's name

Obligations of Controllers under the GDPR

· Implement data protection by default and by design · Provide instructions to processors · Ensure data security · Report data breaches · Cooperate with DPAs · Appoint a DPO for the business · Identify legal basis for processing · Maintain data processing records · Conduct data protection impact assessments (DPIAs)

14.2.2 Sensitive Personal Data

· Race or ethnic origin · Political opinions · Religious or philosophical beliefs · Trade union membership · Genetic data · Biometric data · Health data · Sex life or sexual orientation

These derogation allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for:

· The performance of a contract between the data subject and controller (including pre-contractual measures) and the transfer is occasional · The performance or conclusion of a contract concluded in the interest of the data subject between the controller and a third party and the transfer is occasional · Important reasons of public interest · The establishment, exercise or defense of legal claims and the transfer is occasional; or · The protection of the vital interests of an individual incapable of giving consent ALSO: - public register - purposes of compelling interest

To allow individuals to exercise such control, the GDPR provides the following rights

· the right to be informed of transparent communication and information, · right of access, · right to rectification, · right to erasure, · right to restrict processing; · right to data portability; · right to object; and · right not to be subject to automated decision-making