Global news about personal data protection – Legal Monitoring Letter #1
On November 12, 2020, the European Commission published draft standard contractual clauses for transfers of personal data from the EU to third countries (“New SCCs”). The purpose of these New SCCs is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The New SCCs are expected to be adopted at the beginning of 2021. Once approved, they will replace the previous SCCs, which were released before the implementation of the GDPR. Businesses will have a 12-month transitional period from the date the New SCCs come into force to replace contractual provisions based on the previous SCCs.
The primary changes are that the New SCCs will likely:
- Offer a modular approach based on the nature of the relationship between the parties.
- Cover processor-to-processor situations, with the requirement that the parties list all of the ultimate data controllers.
- Cover processor-to-controller situations.
- Reinforce data subjects’ rights by allowing enforcement against both the exporter and the importer.
- Require data exporters to notify their competent authority if a data importer notifies them that they are unable to comply with the SCCs.
- Provide that Non-EEA entities can sign as data exporters.
- Include joint and several liability provisions.
- Allow for multiple signatories.
- Set out an obligation on importing non-EEA controllers to notify EEA authorities of data breaches where the breach is likely to result in ‘significant adverse effects.’
- Define additional assessments of the legislation of the country or countries of destination, particularly around public authority access.
A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.
After a two-year investigation by the ICO into how Experian, Equifax and TransUnion (the “CRAs”) used personal data within their data broking businesses for direct marketing purposes, the enforcement notice was issued.
The investigation found how the CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organizations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.
Key finding 1: The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services. CRAs have to revise and improve their privacy information. Those engaging in data broking activities must ensure that their privacy information is compliant with the GDPR.
Key finding 2: In the circumstances we assessed the CRAs were incorrectly relying on an exception from the requirement to directly provide privacy information to individuals (excluding where the data processed has come solely from the open electoral register or would be in conflict with the purpose of processing – such as suppression lists like the TPS). To comply with the GDPR, CRAs have to ensure that they provide appropriate privacy information directly to all the individuals for whom they hold personal data in their capacity as data brokers for direct marketing purposes. Those engaging in data broking activities must ensure individuals have the information required by Article 14.
Key finding 4: The consents relied on by Equifax were not valid under the GDPR. To comply with the GDPR, CRAs must ensure that the consent is valid, if they intend to rely on consent obtained by a third party. Those engaging in data broking activities must ensure that any consents they use meet the standard of the GDPR.
CNIL launches public consultation on DPO certification reference system
On 7 December 2020, CNIL announced that it had launched a public consultation on its certification reference system for data protection officers (‘DPO’). The reference system contains information on the criteria against which an organization’s DPO would be certified as meeting the appropriate requirements for skills and expertise for the role.
On November 17, Canada introduced Bill C-11, new federal privacy legislation which aims to modernize federal privacy laws. If adopted, the Consumer Privacy Protection Act (“CPPA”) will effectively replace the Personal Information Protection and Electronic Documents Act as Canada’s main privacy law and create one of the strictest data protection regimes in the world, accompanied by some of the most severe financial penalties. Canada’s privacy regulator, the Office of the Privacy Commissioner, will have the right to audit any organization’s privacy practices, enter into compliance agreements with non-compliant organizations, refer matters to a newly created Personal Information and Data Protection Tribunal, and impose administrative penalties. The fines can amount to the greater of 3% of an organization’s global revenue or C$10 million for most non-compliance with the CPPA, and up to the greater of 5% of an organization’s global revenue or C$25 million for the most serious infractions.
The CPPA would substantially update virtually all aspects of existing Canadian privacy laws and grant Canadian consumers greater control over their personal information. Consent will remain the primary basis for the processing of personal information.
On November 20, 2020, the Singapore Personal Data Protection Commission (PDPC) published a set of draft advisory guidelines (“the Advisory Guidelines”) to provide clarification on recent amendments to the Personal Data Protection Act (the PDPA Amendments).
Mandatory data breach notification: Breaches affecting 500 or more individuals meet the criteria for data breach notification. An organization has 30 calendar days once it has credible grounds to believe that a data breach has occurred; otherwise, it should be prepared to provide an explanation to the PDPC.
Expanded scope of deemed consent: Consent is deemed to be given only after the opt-out period has lapsed; organizations should ensure that any collection, use, or disclosure of personal data commences after the expiration of the opt-out period. Organizations also need to define a reasonable period for individuals to opt out.
New consent exceptions: When identifying a legitimate interest for collecting, using, or disclosing personal data for a purpose, organizations should be able to articulate what the benefits are and who the beneficiaries are.
“Business improvements” exception: Business insights and predictions generated about a specific individual will be considered personal data if the individual can be identified from that data. Organizations may rely on this new exception to use such data without consent and to share it between group companies for business improvement purposes.
On 1 December 2020, the Office of the Privacy Commissioner (‘OPC’) announced the entry into effect of the Privacy Act 2020. In a nutshell, the key reforms include:
- reporting obligations for breaches that cause, or are likely to cause, serious harm;
- new criminal offences for misleading an agency in order to access someone else’s personal information;
- injunctions may be issued by the authority to organizations to either require them to do something or cease doing something;
- injunctions to access information which can be issued by the OPC to direct an organization to confirm whether they hold personal information about an individual and to provide the individual with access to that information;
- a new requirement by which an organization or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act;
- expanded extraterritorial scope, encompassing overseas organizations that ‘carry on business’ in New Zealand even if they do not have a physical presence in the country.
In a highly regulated environment, we believe, at iCOVER, that promoting transparency by sharing activity standards between business partners is essential to ensure best practices, better quality services and, ultimately, the protection of individual rights.
The content of this note has been prepared by iCOVER’s legal & compliance department for informational purposes only and does not constitute legal advice. This note is non-contractual, and the information provided herein is subject to change at any time without prior notice. All information in this note is provided in good faith, however, we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of any information in this note. The iCOVER Group shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from your use of this note.
We hope that you will find the above informative and useful, and we remain available for any question you may have.
Legal & Compliance team – January 2021