This quarterly update highlights some of the international data protection issues that have caught our attention, and the attention of our clients, in the past three months.
Europe, the Middle East and Africa
Data Breach Notification – The European Data Protection Board (EDPB) published new draft guidance in January for data breach notification. This guidance presents examples typical of the most common data breach notification scenarios, according to European data protection authorities, including ransomware, data exfiltration attacks and lost or stolen devices. Responses from the public consultation on this draft guidance are now available on the EDPB’s website.
Health Data – In response to a request from the European Commission (EC), the EDPB published clarifications for consistent application of the General Data Protection Regulation (GDPR) when using personal data for health research. The EC also published its assessment of EU member states’ rules on health data under the GDPR. This assessment highlights the fragmented member state approaches to the implementation of health data laws and the negative impact on cross-border cooperation in the provision of healthcare, administration of healthcare systems, public health issues and research.
Discovery or Data Subject Access Request? – The Irish Data Protection Commission (DPC) published a statement in February to clarify a decision from the Irish High Court related to document discovery in litigation. The High Court determined that a business was not required to disclose CCTV recordings of an incident that occurred at the business to an individual identifiable in the recordings who was claiming damages related to the incident. As the DPC explained, the purpose of discovery is to give litigating parties access to information necessary to the matter before the court. The right to access one’s own personal data applies whether an individual is involved in litigation or not.
Compensable Damages and Fines Under the GDPR – In February, the German Federal Constitutional Court overturned a lower court decision and sent a minor lawsuit to the Court of Justice of the European Union to determine the scope of compensable damages under the GDPR, including any materiality threshold under Article 82. Article 82 allows anyone who “has suffered material or non-material damage” as a result of a violation of the GDPR to receive compensation for the damage suffered. The lower court had determined that the individual who brought the lawsuit had not suffered compensable damages when one marketing email was sent without consent to his business email address. In a different German court challenge, the Berlin District Court overturned a fine issued by the Berlin data protection authority due to the authority’s failure to meet the requirements of German law, which sets a higher bar than the GDPR, namely that there must be evidence of a specific act by management or legal counsel that resulted in the fineable offense.
U.K. Adequacy – The United Kingdom’s post-Brexit adequacy decision moved forward with the EC’s publication of its draft adequacy decision in February. A finalized adequacy decision would help ensure the continuation of free data flows between the EU and the United Kingdom. The interim period during which free data flows may continue absent a final adequacy decision following Brexit will expire on June 30, 2021. Adequacy will not bring the United Kingdom back within the “one-stop-shop” mechanism of the EU’s GDPR. Businesses will also still need to consider appropriate data transfer mechanisms for any onward transfers from the United Kingdom to a third country. The United Kingdom has also developed its own process for new adequacy decisions under the U.K. GDPR.
EU Data Transfers – Many businesses remain in limbo with regard to data transfers following the Schrems II decision last summer. We continue to wait for finalized, revised Standard Contractual Clauses (SCCs) from the EC. In January, the EDPB and the European Data Protection Supervisor (EDPS) issued a joint opinion on the draft cross-border SCCs issued in November 2020. The joint opinion requested improvements related to liability provisions, onward personal data transfers, assessments of third-country laws and notifications to be provided to data protection authorities, among other issues. We also continue to wait for a finalized version of the EDPB’s draft recommendations on supplemental transfer measures to ensure compliance with the EU level of protection of personal data; the public consultation period ended in December 2020. Meanwhile, in France, a lawsuit has been filed to try to force the CNIL to take action on a data transfer issue, and the Irish Data Protection Commission has come under fire for being slow to act and not properly enforcing the GDPR. DPA enforcement actions in Spain and Germany have recently targeted cross-border data transfers as well.
Russia’s Amended Law on Personal Data – On March 1, Russia’s amendments to its Federal Law on Personal Data entered into force. According to a statement from the Duma, these amendments add protections related to consent and the deletion of personal data. In particular, consent by default, such as through inaction or silence, is no longer allowed. Rather, consent must be given directly through an affirmative action. Russia’s Code of Administrative Offenses also was amended in February to introduce new maximum penalties for personal data violations that take effect on March 27, 2021. Russia’s data protection authority has proposed adding new restrictions on cross-border data transfers and explicitly extending the scope of Russia’s data protection laws to include Internet sites operated in other countries.
China’s Civil Code – As of January 1, 2021, the Civil Code of the People’s Republic of China (Civil Code), which was adopted in May 2020, is now in effect. Notably, the Civil Code defines the right to privacy, lists activities that require consent and provides civil liabilities for infringing on an individual’s privacy. Any business processing data is subject to the Civil Code’s provisions, and a number of the new provisions relate to the collection, usage and other processing of personal data and the adoption of security measures. Many of the provisions of this new Civil Code are similar to existing provisions in China’s Cybersecurity Law, but the Civil Code extends the Cybersecurity Law and introduces certain individual rights, such as the right to access, copy or correct personal information.
Singapore’s Personal Data Protection Act Amendments – Amendments to Singapore’s Personal Data Protection Act (PDPA) began to be implemented on February 1. The amendments now in effect include new mandatory data breach notification requirements, changes to consent obligations and individual liability for certain data misuses. The Personal Data Protection Commission has updated its advisory guidance to account for these changes now in effect.
New Zealand’s Data Transfer Tools – In February, New Zealand issued revised guidance for personal data transfers to third countries under the Privacy Act 2020, which includes two useful online tools. The first is a decision tree with online questions to help businesses determine whether Principle 12 of the Privacy Act, which restricts overseas personal data transfers, is applicable. The second is a model clause builder that customizes model clauses to cover the transfer, which creates an agreement that can be downloaded and completed by the parties.
Brazil and the LGPD – Currently, enforcement of Brazil’s General Personal Data Protection Law (the Lei Geral de Proteção de Dados Pessoais, or LGPD) appears set to begin on August 1, 2021, but two bills were introduced in February that might change that date. One bill seeks immediate enforcement of the LGPD; the other would extend the enforcement date into early 2022. Meanwhile, Brazil’s new data protection authority (Autoridade Nacional de Proteção de Dados, or ANPD) has been steadily releasing new draft compliance guidance, including a recent public comment version of its guidance on data breach reporting procedures under the LGPD. This guidance details the notification obligations of the data controller; what information must be provided to the ANPD, setting a deadline of two working days from incident awareness for notification; and when and how individuals need to be notified. Further, the Supreme Court of Brazil has called into question the constitutionality of the LGPD’s right to be forgotten.
Panama’s New Data Protection Law – Panama’s new Law No. 81 on Personal Data Protection is effective on March 29, 2021. The law applies to public and private entities that process personal data. Among the law’s provisions are requirements regarding international data storage, explicit consent and data retention obligations.
Selected Enforcement Actions
- The French CNIL fined a controller (€150,000) and a processor (€75,000) for the same incident: repeated credential stuffing attacks that were not mitigated in a timely manner because sufficient security measures had not been implemented.
- The South Korean regulator, the Personal Information Protection Committee (PIPC), has issued several recent fines related to data breaches, at least one of which had been undiscovered prior to an audit by the Korean Internet and Security Agency (a pseudo-governmental organization). The company’s report to PIPC following the discovery led to the fine. Another fine highlighted a lack of security measures that led to the data breach, including inadequate access rights and insufficient encryption.
- The data protection authority of the German state of Lower Saxony fined a retailer €10.4 million for its employee video monitoring practices. The retailer claimed the video monitoring was implemented to prevent employee theft, but the Lower Saxon data protection authority found this to be an insufficient legal basis for the video monitoring. Specifically, less-intrusive methods could have been used initially that would not have affected the retailer’s customers, and 60 days was too long to retain the videos. The data protection authority reminded the retailer that video monitoring for crime deterrence is only allowed on the basis of a specific suspicion.
- The U.K.’s Information Commissioner’s Office (ICO) issued a €250,000 fine under the U.K.’s Privacy and Electronic Communications Regulations 2003 to a company that sent more than 2.6 million “nuisance text messages” to individuals without their consent. The company intentionally created a text message that appeared to come from a different company to mislead recipients. More than 10,000 individuals lodged complaints related to the original text messages. According to the ICO, the company then continued to send texts during and after the ICO’s investigation and failed to cooperate completely with the investigation.
- The Spanish data protection authority (Agencia Española de Protección de Datos, or AEPD), which has been particularly active in the enforcement space so far this year, fined a telecommunications provider €8.15 million for unlawful telemarketing, including phone calls, emails and text messages. In its decision, the AEPD cited the company’s failure to implement appropriate security measures, violations of individuals’ rights under the GDPR and relevant Spanish law, and international data transfers without an approved data transfer mechanism. The AEPD issued another large fine related to data transfers in January when it fined a bank €6 million for improper customer consents to intracompany data transfers.