'Most Innovative Startup 2020' by RSA - Watch the pitch videoView More
The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:
1. Carrying out a review of the national legislation and regulations relating to data privacy and security of the data importer and verifying whether the existing laws and regulations ensure that the contractual promises within the SCCs can be honored by the importer;
2. If the national legislations and regulations are too weak to allow the SCCs to be enforced, then the controller along with the assistance of the data importer will have to establish supplementary measures to enforce the data importer’s obligation to protect the data under the SCCs;
3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data as per the SCCs cannot be honored by the data importer then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.
Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:
1. Identity of the data importer:
The identity of the data importer matters since some data importers might be targeted more by public authorities in comparison to others due to the industry they work in. Moreover, the data importer’s history of compliance with a regulatory regime and it’s capability to challenge requests for surveillance by public authorities can also help assess the risk of exposure to the personal data being transferred.
2. Assessment of the industry-specific regulatory regime of the data importer:
The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.
3. The nature of the data and the data transfer:
Some data and transfers are inherently more at risk than others to be the subject of surveillance by governments due to national security concerns and/or law enforcement interests in the type of data being transferred. Similarly, the type of data being transferred also matters as sensitive personal data being exposed to surveillance is more harmful to the data subject compared to other data types.
4. The categories of data subjects:
Some data subjects might be at increased risk of surveillance by a country’s public authorities due to their employment or nationality etc. Similarly, some categories of data subjects (i.e EU citizens who have dual nationality as US citizens) will have the enhanced capability to take action to stop or redress any government action which threatens to expose their data while others might not.
5. The nature and scope of surveillance and national security laws of the data importer’s country:
Some jurisdictions have very well structured surveillance laws and the law applies to some specified industries, people, etc. but some jurisdictions have vaguely worded and overbroad surveillance laws. The risk is less if the laws (and their limitations) are well written and understood.
6. Other supplementary measures used by the data importer to protect the data:
Some data importers can be subject to additional and independent supplemental measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.
The data controller after conducting a holistic assessment of the risk can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk to achieve compliance with the CJEU judgment. Such additional measures may include:
"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."
Thus adoption and enhancement of SCCs with additional measures to mitigate the risks which arise in risk assessments is the only viable step for many companies (at least in the short term) as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities or the US and EU authorities can clobber together a Privacy Shield 3.0, these steps are required to ensure the billions of dollars worth of transatlantic trade does not come to a grinding halt.
On May 4, 2020, the European Data Protection Board released updated guidelines on Consent (Guidelines). The Guidelines adhere to the requirements of consent provided under the General Data Protection Regulation (GDPR) and the e-Privacy Directive and have been updated to be consistent with the landmark decision of the Court of Justice of the European Union (CJEU) in Planet49 case that clarified the scope of consent requirements in relation to the processing of cookies.
As per Article 4(11) of the GDPR, consent of a data subject should be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The same standard of consent also applies to consent under the e-Privacy Directive. The e-Privacy Directive requires organizations to provide “clear and comprehensive information” about the purposes of the processing to users before processing cookies and an opportunity to refuse any such processing. Similarly, the GDPR requires data controllers to provide information to the users consisting of at least the controller’s identity, the kind of data that will be processed, how it will be processed, and the purposes of the processing.
On October 1, 2019, the CJEU issued an important decision about consent requirements in relation to the processing of cookies. The case pertained to a German website that organized a promotional lottery online. In order to participate in the promotional lottery, users were required to provide their names and addresses and beneath the input fields for the addresses, there were two explanatory text boxes accompanied with checkboxes. Amongst them, one checkbox was pre-selected for the users and the participation in the promotional lottery was conditional on at least the selection of the first checkbox. While going through the relevant requirements under GDPR, e-Privacy Directive, and EU Regulation 2016/679, the CJEU made the following important conclusions, among others:
The EDPB’s updated Guidelines reaffirms that consent is one of the six lawful bases to process personal data as listed under Article 6 of the GDPR. These Guidelines complement the CJEU’s decision in the Planet49 case that clarified that cookie consent must be specific and active. In the Guidelines, the EDPB interprets the elements of consent as defined by the GDPR as follows:
“Freely given” consent implies real choice and control for data subjects. The EDBP clarifies that access to a service or functionalities cannot be made conditional on a data subject’s consent to the processing of his or her personal information. Through this interpretation, the EDBP has put an end to cookie walls and upheld the idea that access to a service cannot be made conditional on users’ consent to the processing of cookies.
Moreover, refusal or withdrawal of consent should be made as easy and straightforward as giving consent and without any detriment to the data subject, for it to be considered a freely given consent. The EDPB explains that data controllers should allow similar mechanisms for withdrawal of consent as that of giving consent. This means where consent is obtained through a service-specific user interface, the data subject must be able to withdraw consent via the same electronic interface. For example, if consent is obtained through online ticketing, the data subject must be able to withdraw his or her consent via the same online ticketing process and not via telephone call or some other mechanism.
“Specific” consent implies “granularity”, i.e. specific and separate consents should be obtained for separate purposes of the processing. This means data controllers are required to provide specific information to data subjects with each separate consent request about the data that are processed for each purpose. As per the Guidelines, the controller must apply the following to ensure that consent is specific.
(1) Purpose specification as a safeguard against function creep:
This requirement serves as a protection against blurring of different purposes of processing of data;
(2) Granularity in consent requests:
The data controllers must acquire users’ consent for each new purpose of the processing of data; and
(3) Clear separation of information related to obtaining consent for data processing activities from information about other matters:
The data controllers must provide separate information to users for separate purposes of processing.
“Informed” consent implies that data controllers must provide all relevant information to data subjects about the processing of their data in clear, plain, and understandable language. The information to be provided must include at least, the following content, to ensure the transparency requirement of the GDPR.
An “unambiguous indication of the data subject’s wishes” implies a clear affirmative action of the data subject. It may refer to any written or recorded (oral) statement, including by electronic means, by which the data subject deliberately consents to process personal data. Such an action by the data subject must be distinguishable from other actions to avoid any form of ambiguity.
The Guidelines emphasize that the use of pre-ticked boxes, scrolling, swiping, silence, inactivity on the part of the data subject, or any other similar action will not under any circumstances constitute an active or unambiguous indication of data subjects’ wishes, and thereby, won’t constitute valid consent.
The EDPB has offered two substantive clarities in connection with consent requirements pertaining to cookies:
In light of the above, website publishers and other data controllers must review their consent policies and bring those in line with the EDPB’s latest guidelines. In addition to offering clarity on the interpretation of applicable European regulations such as the GDPR and e-Privacy Directive, the EDPB’s approach has demonstrated compliance with the emerging consensus that users should be given choice and control over their personal data.