Global news about personal data protection – Legal Monitoring Letter #1

/ EUROPE

/ New Draft Standard Contractual Clauses Published by the European Commission[1]^,[2]

On November 12, 2020, the European Commission published draft standard contractual clauses for transfers of personal data from the EU to third countries (“New SCCs”). The purpose of these New SCCs is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The New SCCs are expected to be adopted at the beginning of 2021. Once approved, they will replace the previous SCCs which were released before the implementation of the GDPR. The business will have a 12-month transitional period from the date the new SCCs come into force to replace contractual provisions based on the previous SCCs.

The primary changes are that the New SCCs will likely:

1. Offer a modular approach based on the nature of the relationship between the parties.
2. Cover Processors to Processors situations with the requirement that the parties list all of the ultimate data controllers.
3. Cover Processors to Controllers situations.
4. Reinforce data subjects rights by allowing enforcement against both an exporter and importer.
5. Require data exporters to notify their competent authority if a data importer notifies them that they are unable to comply with the SCCs.
6. Provide that Non-EEA entities can sign as data exporters.
7. Include joint and several liability provisions.
8. Allow for multiple signatories.
9. Set out an obligation on importing non-EEA controllers to notify EEA authorities of data breaches where the breach is likely to result in ‘significant adverse effects.’
10. Define additional assessments of the legislation of the country or countries of destination, particularly around public authority access.

[1] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries

[2] https://www.shlegal.com/docs/default-source/news-insights-documents/2520-a-bd1118-standard-contractural-clauses-v2.pdf?sfvrsn=bcdded5b_0

/ ICO Takes Enforcement Action Against Experian After Data Broking Investigation[1]^,[2]

A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.

After a two-year investigation by the ICO into how Experian, Equifax and TransUnion (the “CRAs”) used personal data within their data broking businesses for direct marketing purposes, the enforcement notice was issued.

The investigation found how the CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organizations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

Key finding 1: The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services. CRAs have to revise and improve their privacy information. Those engaging in data broking activities must ensure that their privacy information is compliant with the GDPR.

Key finding 2: In the circumstances we assessed the CRAs were incorrectly relying on an exception from the requirement to directly provide privacy information to individuals (excluding where the data processed has come solely from the open electoral register or would be in conflict with the purpose of processing – such as suppression lists like the TPS). To comply with the GDPR, CRAs have to ensure that they provide appropriate privacy information directly to all the individuals for whom they hold personal data in their capacity as data brokers for direct marketing purposes. Those engaging in data broking activities must ensure individuals have the information required by Article 14.

Key finding 4: The consents relied on by Equifax were not valid under the GDPR. To comply with the GDPR, CRAs must ensure that the consent is valid, if they intend to rely on consent obtained by a third party. Those engaging in data broking activities must ensure that any consents they use meet the standard of the GDPR.

[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-takes-enforcement-action-against-experian-after-data-broking-investigation/

[2] https://ico.org.uk/media/action-weve-taken/2618470/investigation-into-data-protection-compliance-in-the-direct-marketing-data-broking-sector.pdf

/ CNIL launches public consultation on DPO certification reference system[1]

On 7 December 2020, CNIL announced that it had launched a public consultation on its certification reference system for data protection officers (‘DPO’). The reference system contains information on the criteria against which an organization’s DPO would be certified as meeting the appropriate requirements for skills and expertise for the role.

/ CANADA

/ New federal privacy legislation[2]^,[3]

On November 17, Canada introduced Bill C-11, a new federal privacy legislation, which aims to modernize federal privacy laws. If adopted, the Consumer Privacy Protection Act (“CPPA”), will effectively replace the Personal Information Protection and Electronic Documents Act as Canada’s main privacy law and create one of the strictest data protection regimes in the world, accompanied by some of the most severe financial penalties. The Canada’s privacy regulator, the Office of the Privacy Commissioner will have the right to audit any organization’s privacy practices, enter into compliance agreements with non-compliant organizations, refer matters to a newly created Personal Information and Data Protection Tribunal, and impose administrative penalties. The fines can amount to the greater of 3% of an organization’s global revenue or C$10 million for most non-compliance with the CPPA, and up to 5% of an organization’s global revenue or C$25 million for the most serious infractions.

The CPPA would substantially update virtually all aspects of existing Canadian privacy laws and grant Canadian consumers greater control over their personal information. Consent will remain the primary basis for the processing of personal information.

[1] https://www.cnil.fr/fr/certification-des-competences-du-dpo-la-cnil-lance-une-consultation-publique-referentiels

[2] https://www.connectontech.com/2020/12/03/watch-out-gdpr-canada-proposes-strict-new-privacy-law-framework-backed-by-significant-fines/#page=1

[3] https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/s-d_201119/

/ SINGAPORE

/ Guidelines Published for Changes to the Singapore Data Privacy Regime[1]^,[2]

On November 20, 2020, the Singapore Personal Data Protection Commission (PDPC) published a set of draft advisory guidelines (“the Advisory Guidelines”) to provide clarification on recent amendments to the Personal Data Protection Act (the PDPA Amendments).

Mandatory data breach notification: Breaches affecting 500 or more individuals would meet the criteria for data breach notification and 30 calendar days once it has credible grounds to believe that a data breach has occurred, or it should be prepared to provide an explanation to the PDPC.

Expanded scope of deemed consent: Consent is deemed to be given only after the opt-out period has lapsed — organizations should ensure that any collection, use, or disclosure of personal data commence after the expiration of the opt-out period. Need to define of the reasonable period for individuals to opt-out.

New consent exceptions: identifying the legitimate interests of collecting, using, or disclosing the personal data for a purpose, organizations should be able to articulate what the benefits are and who the beneficiaries are.

“Business improvements” exception: Business insights and predictions generated about a specific individual will be considered personal data if an individual can be identified from that data. Organizations may rely on this new exception to use, without consent, and share such data between group companies for business improvement purposes.

[1] https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en

[2] https://datamatters.sidley.com/guidelines-published-for-changes-to-the-singapore-data-privacy-regime#page=1

/ New Zealand

/ Privacy Act 2020[1]^,[2]

On 1 December 2020, the Office of the Privacy Commissioner (‘OPC’) announced the entry into effect of the Privacy Act 2020. In a nutshell, the key reforms include:

• reporting obligations for breaches that cause, or are likely to cause, serious harm;
• new criminal offences for misleading an agency in order to access someone else’s personal information;
• injunctions may be issued by the authority to organizations to either require them to do something or cease doing something;
• injunctions to access information which can be issued by the OPC to direct an organization to confirm whether they hold personal information about an individual and to provide the individual with access to that information;
• a new requirement by which an organization or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act;
• expanded extraterritorial scope, encompassing overseas organizations that ‘carry on business’ in New Zealand even if they do not have a physical presence in the country.

[1] http://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html

[2] https://www.dataguidance.com/news/new-zealand-privacy-act-2020-enters-effect