This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer.
China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June and is in effect as of September 1. The DSL applies broadly to data use and data processing activities, including those that take place outside China, when they could harm China’s national security or public interests or the legal rights and interests of Chinese citizens and organizations. The DSL outlines data security requirements that aim to safeguard data through comprehensive data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. Many of the required protections depend on how data is classified under the DSL. Sanctions for noncompliance include monetary penalties and business license revocation or suspension.
In August, China adopted a comprehensive data protection law, the Personal Information Protection Law (PIPL). PIPL will come into effect on November 1, 2021. PIPL covers the processing of personal information of individuals located in China, including when that information is processed outside China, such as when providing goods and services in China or analyzing or assessing the behavior of individuals in China. PIPL’s definition of personal information is broad and similar to the EU’s General Data Protection Regulation (GDPR) and many other data protection laws. The definition of sensitive personal information (including biometric identifiers, religion, health, location tracking, etc.) also is familiar but adds financial information and the personal information of individuals under the age of 14. Like the GDPR, PIPL distinguishes between entities that determine the purposes of processing and those that do not, requires a Chinese-based representative for non-Chinese companies subject to PIPL, necessitates a lawful basis for personal information processing, provides individuals with certain rights over their personal information, restricts cross-border personal information transfers, and allows for steep monetary penalties. However, certain PIPL requirements differ from those of the GDPR. For example, PIPL requires discrete consent for specified personal information processing activities including disclosure, cross-border transfer and sensitive personal information processing. Additionally, PIPL provides a private right of action if an individual’s request to exercise rights under the law is rejected.
India’s IT Rules – Earlier this year, India published its new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (IT Rules). On May 25, the three-month compliance grace period ended for significant social media intermediaries (those with 5 million or more registered users in India). The IT Rules are applicable to news publishers and intermediaries that “enable the transmission of news and current affairs,” such as social media networks, blogs and online discussion forums. The IT Rules apply differently depending on the platform’s scale, and they impose obligations related to, among other things, content due diligence, content moderation, automated content screening and illegal content removal. The validity of many of these requirements is currently being challenged in the Indian High Courts.
Thailand’s Personal Data Protection Act – Thailand’s comprehensive data protection law, the Personal Data Protection Act, was set to come into effect in June 2021. However, the Thai government has pushed back the enforcement date for a number of provisions to May 31, 2022.
South Korean Adequacy Decision – In June, the European Commission (EC) started the process to adopt an adequacy decision for South Korea, which would allow the transfer of European Union (EU) personal data to South Korea without additional safeguards. The EC’s draft adequacy decision deems South Korea to offer a level of data protection essentially equivalent to that provided under the GDPR, emphasizing the recent reform of South Korea’s Personal Information Protection Act, which strengthened the powers of South Korea’s regulator, the Personal Information Protection Committee (PIPC). Several additional safeguards, enforceable by PIPC, were also agreed to during the adequacy talks and are aimed at enhancing the protection of EU personal data transferred to South Korea. PIPC’s press release regarding the draft adequacy decision indicates that the final adoption of South Korean adequacy is likely by the end of the year.
Europe, the Middle East and Africa (EMEA)
EU Data Transfers – Cross-border data transfer issues have been top of mind for many U.S. companies doing business with Europe since the Court of Justice of the European Union’s Schrems II decision in July 2020. This past June, we were given more clarity, first in the new European Commission Standard Contractual Clauses (SCCs) for international personal data transfers and then in the European Data Protection Board’s (EDPB) final recommendations on supplemental personal data transfer measures. Even as companies move forward to implement the new SCCs, which will fully replace the prior versions on September 27, European data protection authorities (DPAs) continue to issue related guidance, are auditing compliance with data transfer requirements and are taking enforcement actions against noncompliant data transfers.
France’s Commission nationale de l’informatique et des libertés (CNIL), for example, updated its data transfer information and FAQs on the invalidation of the Privacy Shield and issued a guide to help data controllers assess their cross-border data transfers along with a revised map broadly showing data protection levels worldwide. Meanwhile, the German DPAs issued statements regarding data transfer obligations, specifically the need for additional assessments and supplementary measures and actions companies should take. Simultaneously, the German DPAs began coordinated data transfer compliance audits, sending questionnaires to various companies.
With regard to cloud computing specifically, the European Data Protection Supervisor (EDPS) also began an examination of the data transfer contracts for cloud services used by EU institutions. Belgium’s Autorité de la protection des données/Gegevensbeschermingsautoriteit (APD-GBA) approved a code of conduct for cloud service providers, and the French government released information about their national strategy for cloud technologies.
Elsewhere, enforcement action continued. The Portuguese Comissão Nacional de Proteção de Dados suspended the international transfer of census data to the United States as noncompliant with the Schrems II decision. The French CNIL expressed concern regarding personal data transfers and the use of collaborative educational technologies at French universities. In Germany, the Hamburg DPA advised the regional Senate Chancellery to suspend its use of on-demand videoconferencing, as the use required the transfer of personal data to the United States, and the DPA determined that the strict requirements for the data transfer could not be met. And the Bavarian DPA warned a company that its failure to implement additional measures to protect personal data made the data transfers noncompliant with the GDPR following Schrems II. The company voluntarily suspended its use of the third-party processor before any additional action was taken.
These actions, taken together, suggest that there is not yet a single European approach to evaluating data transfers and that some DPAs may interpret the SCCs and EDPB guidance more strictly than others that are willing to take a more practical approach to data transfer requirements. Meanwhile, the EU and the U.S. continue negotiations on a more comprehensive mechanism for approved data transfers as a replacement for the defunct Privacy Shield Framework.
UK Adequacy and Data Transfers – On June 28, the EC adopted final adequacy decisions for the United Kingdom (UK) – one under the GDPR and one under the Law Enforcement Directive – which means that personal data can now “flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.” Opinions from the EDPB and the European Parliament pointed to concerns related to onward transfers from and public authority access to personal data transferred to the UK. Separately from the EU adequacy negotiations, the Grand Chamber of the European Court of Human Rights ruled in May that the UK’s public authority bulk surveillance powers were incompatible with fundamental human rights, did not have sufficient safeguards, and “lacked an extensive independent and continual oversight” mechanism. Ultimately, the final UK adequacy decisions are limited to a four-year (renewable) period, and adequacy will be monitored throughout in case there is a future divergence between EU and UK laws. The UK has already recognized the European Economic Area countries as adequate, so the flow of personal data is now allowed in both directions.
On August 11, the UK Information Commissioner’s Office (ICO) initiated its consultation on transfers of personal data out of the UK, publishing, in addition to the consultation paper and questions, a draft UK addendum to the EC’s SCCs, an international data transfer agreement (IDTA) and an international transfer risk assessment. The ICO’s IDTA introduces a new format – a unified, adaptable agreement that can be signed between controllers, processors and others and includes a table that identifies the agreement’s key details at the beginning. The transfer risk assessment provides an optional framework that takes a holistic approach to these assessments, helpfully moving somewhat away from the law enforcement access focus of late. The document includes guidance and examples and can be freely modified based on an organization’s data processing risks. Most businesses will be happiest to see that the ICO is considering whether to permit data transfers via a UK-specific addendum that can be appended to data transfer agreements approved by other jurisdictions, including the new EU SCCs. The proposed addendum is brief and flexible. The ICO’s consultation period closes on October 7, so we will not have a final UK decision in place prior to the September 27 expiration of the old EU SCCs. Businesses should continue to expect contracting complexities in moving European personal data until we have the ICO’s final guidance.
Swiss Data Transfers – The Swiss data protection authority has approved the use of the revised EU SCCs for cross-border transfers of Swiss personal data as long as specific requirements are met that comply with Swiss law. The necessary modifications will be dependent on whether the transfer involves only Swiss data or a combination of Swiss and EU data. The changes required to use the EU SCCs for Swiss data transfers include giving parallel supervisory authority to the Swiss and EU Member State DPAs and supplementing the SCCs with an annex specifying the inclusion of Switzerland and Swiss laws in the SCCs. Effective September 27, 2021, the Swiss DPA will terminate its approval for all previously approved model clauses, including the Swiss Transborder Data Flow Agreement and older EU SCCs. Prior uses of these agreements may remain in place until January 1, 2023, unless the underlying contract changes significantly.
Artificial Intelligence (AI) – In April, the EC proposed its expansive new AI Regulation, which would ban certain AI practices that create an unacceptable risk. The draft AI Regulation outlines strict safeguards for AI systems that it defines as high risk, creates voluntary codes of conduct for lower-risk AI systems and establishes the potential for large fines for noncompliance. In June, the EDBP and the EDPS issued a joint opinion on the AI Regulation, highlighting that the processing of any personal data under the AI Regulation would also be subject to existing EU data protection laws and asking for a general prohibition on the use of AI for both remote biometric identification in public spaces and algorithmic uses of AI that can lead to discrimination.
EU’s One-Stop Shop – Bypassing the Lead Supervisory Authority – Under the EU’s GDPR, cross-border data protection matters that involve multiple EU Member States are typically handled by a lead DPA, which is the DPA in the Member State where the organization under investigation is based. This so-called one-stop shop mechanism is intended to simplify enforcement for businesses that operate in multiple Member States. The EDPB explained in a May response that the one-stop shop mechanism “ensures that the lead supervisory authority responsible for investigating cases against a particular controller considers the input of any concerned supervisory authority.” A Court of Justice of the European Union decision on June 15 clarified that in some limited situations, such as when the matter is truly urgent, other DPAs can bring cases against organizations for which another DPA is the lead supervisory authority.
Not to be left out of the push for cookie compliance, the European nonprofit noyb (founded by Max Schrems) is taking on cookie banners and has developed its own cookie compliance monitoring tool. In a statement on May 31, noyb accused organizations of attempting to frustrate users into cookie consent and said noyb had issued more than 500 draft complaints to companies with noncompliant cookie banners as part of its goal to “end cookie banner terror.” In August, noyb stated that they had followed up on their draft complaints by filing 422 complaints with DPAs across the EU.
Health Data – As Europe loosens COVID-19-related restrictions, vaccine passports and employer collection of employee COVID-19 vaccination status have been key areas of interest. In June, the EU signed the Regulation on the EU Digital COVID Certificate, which will be in effect for 12 months beginning on July 1 and aims to “facilitate safe and free movement inside the EU during the COVID-19 pandemic.” The EU Digital COVID Certificate gateway was live as of June 1 and was at launch being used already in Bulgaria, Croatia, the Czech Republic, Denmark, Germany, Greece and Poland. Several countries have issued guidance with a few key themes on workplace COVID-19 measures. The Italian Garante, for example, highlighted that the imbalance in the employer-employee relationship means that consent cannot be the legal basis for processing vaccination-related personal data, and consequences (positive or negative) may not be based on an employee’s vaccination status. Taking this one step further, the Irish Data Protection Commission’s guidance states that processing vaccination data is likely to “represent unnecessary and excessive data collection for which no clear legal basis exists” where a public health authority has not determined that it is necessary for employers to collect the data or provided direction on how they should use the information once they have it.
UK’s Children’s Code – The Children’s Code (or the Age Appropriate Design Code) in the UK is fully in force as of September 2, 2021. This code includes 15 standards that online services – including apps, games, connected toys and devices, social media platforms, online marketplaces, and content streaming services – must follow if children are likely to access the service. These standards help ensure compliance with obligations related to protecting children’s data online. The code applies to any companies that process the personal data of UK children, regardless of location.
European Data Protection Board – The EDPB had a busy summer, issuing guidelines on the concepts of controller and processor, virtual voice assistants and codes of conduct as tools for data transfers under the GDPR as well as finalizing the recommendations for supplemental cross-border data transfer tools. The EDPB also called upon Member States to assess and “review their international agreements that involve international transfers of personal data,” taking into consideration both the GDPR and the EU’s Law Enforcement Directive.
New EMEA Laws and Regulations
- Belarus – Belarus passed a new data protection law that creates a data protection regulator, specifies data subject rights and imposes obligations on organizations to ensure data protection. The new law will be in effect beginning November 15, 2021.
- Saudi Arabia – Saudi Arabia’s Communications and Information Technology Commission announced in May that its cybersecurity regulatory framework entered into force. The regulatory framework contains a comprehensive set of cybersecurity requirements and controls that apply to telecommunications, information technology and postal services providers.
- South Africa – Full implementation and enforcement of South Africa’s Protection of Personal Information Act, which was already partially in effect, began on July 1. Failure to comply with the law may result in fines up to R10 million, imprisonment of up to 10 years or both. The South African Information Regulator issued guidance notes, policies and other notices to assist with compliance.
- Switzerland – Switzerland’s Federal Council revised the Ordinance on the Federal Data Protection Act and launched its public consultation on the ordinance. The revisions bring the ordinance into alignment with the revised Federal Data Protection Act. Both the revised act and the ordinance are expected to come into force in the latter half of 2022. The new provisions of both aim to ensure compatibility between Swiss data protection laws and the EU’s GDPR.
- Uganda – Uganda’s new Data Protection and Privacy Regulations are in effect as of mid-April. The regulations establish a Personal Data Protection Office and require registration with the office. They also clarify data subject rights, impose limitations on personal data processing outside Uganda and add data breach notification obligations.
- Uzbekistan – New data localization requirements are now in force in Uzbekistan that require the personal data of Uzbek citizens to be processed in Uzbekistan and stored in registered Uzbek databases.
Brazil’s LGPD – The administrative sanctions available under Brazil’s Lei Geral de Proteção de Dados (LGPD) now may be imposed as of August 1, allowing its DPA, the Autoridade Nacional de Proteção de Dados (ANPD) to enforce compliance with the law more effectively. The ANPD has indicated that the regulator plans to take a “responsive regulation” approach, gathering information and investigating before deciding on appropriate measures. In May, the ANPD issued guidance on the roles of data controllers and data processors and the designation of data protection officers to help companies with compliance.
Canada’s Revised Sensitive Personal Information Guidance – In August, Canada’s Office of the Privacy Commissioner revised several of its guidance documents to help businesses subject to Canada’s Personal Information Protection and Electronic Documents Act better understand, evaluate and protect the types of data considered sensitive. Specifically, although any personal information can be contextually sensitive, certain types of information – including health and financial information, ethnic and racial origins, political and religious beliefs and opinions, genetic and biometric data, and information about an individual’s sex life or sexual orientation – will generally be considered sensitive and therefore require heightened protection.
Ecuador’s Organic Law on Data Protection – Ecuador’s Organic Law on the Protection of Personal Data was published in the Official Registry in May 2021, giving organizations two years to come into compliance with the new law. The law is based largely on the EU’s GDPR. The law will establish a new national data protection authority, provide individual rights in personal data and help ensure that personal information held by companies is adequately protected.
Panama’s Personal Data Protection Law – Panama’s Law No. 81 on Personal Data Protection entered into effect at the end of March. On May 28, Panama’s president approved an executive decree, which establishes the rights, obligations and procedures necessary to regulate the law.
Selected Global Enforcement Actions
- In May, the Dutch Autoriteit Persoonsgegevens (AP) fined an online platform €525,000 in part for failing to appoint an Article 27 representative in the EU, as may be required under the GDPR for companies not established in the EU. The AP additionally ordered the company to appoint the required representative or face additional fines.
- In June, Luxembourg’s Commission Nationale pour la Protection des Données announced several fines and corrective measures for violations related to the appointment of a data protection officer (DPO), including failing to communicate the details of the DPO to the DPA, hiring a DPO without the required professional qualifications, appointing a DPO with a conflict of interest and not adequately involving the DPO in data protection matters affecting the company’s operations.
- The Versailles Criminal Court in France issued a fine against a multinational company and imposed a two-year prison sentence on its French former CEO for carrying out illegal employee surveillance activities, such as targeting specific employees, searching employee criminal records and looking for information on employees’ personal lives.
- In the past few weeks, South Korea’s PIPC issued its annual report and first “casebook,” demonstrating its key enforcement activities and other priorities. The regulator reports handling more than 500 cases in the past year, a significant increase over the prior year. Large fines this summer have addressed noncompliance with legal basis and consent requirements, failures to disclose overseas data transfers, inadequate protection of user personal information, and not responding to requests from individuals.
- In May, Italy’s Supreme Court of Cassation ordered a case reexamined when it disagreed with the lower court’s interpretation of adequate consent. The lower court had originally quashed the Garante’s decision to suspend an automated decision-making system because it found that individuals provided consent in order to use the system. The Supreme Court, however, was persuaded by the Garante’s arguments that the lack of algorithmic transparency rendered the consent invalid. Ultimately, the Supreme Court determined that consent is only valid if there is adequate transparency of what the individual is consenting to when the consent is given, which means the algorithmic logic must be explained to individuals for valid consent. In August, the Garante issued an unrelated €2.5 million fine to a food delivery platform for its failure to provide sufficiently transparent information about the algorithms it used to manage its workers.
- A Danish medical provider was fined €80,000 by Datatilsynet for using an instant messaging app to transmit health information. Employees were using their personal phones to transmit confidential personal data (national ID numbers and health data) to the company’s central administrative office using a group chat. All employees were invited to join the group chat, and all members of the group chat, including former employees and other employees who had no legitimate need to access the information, received the personal data transmitted. Datatilsynet’s investigation concluded that a large amount of confidential personal data had been disclosed to unauthorized individuals. Further, because the company did not test the process in advance, it could be presumed that the inappropriate data sharing was intentional rather than negligent.
- The Office of the Australian Information Commissioner (OAIC) concluded a multiyear data breach investigation this summer. The OAIC noted in particular that the company’s delays in fully assessing the personal information accessed, which took nearly a year to complete, and notifying the public were not in compliance with the Australian Privacy Principles. Additionally, in response to the company’s arguments that it was not subject to the Australian Privacy Principles, the OAIC emphasized that global corporations have responsibilities under Australian privacy laws and that “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.” The OAIC ordered the company to implement and maintain a data retention and destruction policy, information security program, and incident response plan that is in compliance with the Australian Privacy Principles. The company also must appoint an independent expert to review and report on these actions. The reports must be submitted to the OAIC, and the company must implement any recommended changes.
- The UK’s ICO has continued its trend of levying fines on companies for nuisance marketing communications, including noncompliant calls, emails and text messages without appropriate consent. France’s CNIL and Italy’s Garante issued similar large fines over the summer.
- Russia’s Roskomnadzor and the country’s courts have been actively enforcing Russia’s data localization rules, which at a high level require that the personal information of Russians is processed in databases located in Russia. This requirement has been in effect since 2015.
- In June, Europol announced its largest enforcement operation against encrypted criminal communications, made possible by the joint development and operation of a covert encrypted device company in cooperation with the U.S. FBI and 16 other countries.