Have you spent the last few weeks somewhere other than in front of a computer screen? No worries. This article summarises the key developments in privacy-land that happened over the summer and that we think are noteworthy. The new school year promises to be another busy one.
GDPR-enforcement became big
Data protection authorities in Europe have been criticised for being soft on enforcement. Critics have argued that there is too little GDPR enforcement in Europe, that enforcement takes too long and that the fines are not sufficiently hefty.
This criticism may no longer be so pertinent: over the summer, several data protection authorities in Europe have upped the enforcement game.
It started with the Luxembourg data protection authority which, on 16 July, imposed a staggering fine of EUR 746 million on Amazon Europe Core S.à r.l. for alleged violations of the GDPR. Shortly afterwards, over a period of less than two weeks, the Spanish data protection authority imposed no fewer than 10 fines on organisations found to have violated the GDPR. On 2 September the Irish data protection authority issued another super fine (EUR 225 million), this time against WhatsApp.
Since this summer, those who say that European data protection authorities are tame may need to think twice.
But GDPR enforcement is also (and increasingly) coming from another angle: class actions. On 31 August the Dutch Stichting Take Back Your Privacy announced that it has launched court proceedings against TikTok-owner ByteDance to obtain EUR 2 billion in damages for alleged GDPR violations by ByteDance.
For up-to-date statistics on GDPR-fines, see our online enforcement tracker.
International data transfers
As you will recall, the European Commission announced two new sets of standard contractual clauses (SCCs): (i) for international transfers of personal data (new SCCs) (available here) and (ii) to be used by controllers and processors in the EU/EEA (available here). In response, the Belgian Data Protection Authority (BDPA) updated its dedicated webpage on international data transfers (see in French; Dutch).
Handling international data transfers and the related documentation will remain challenging, as concluding new SCCs will not in itself be sufficient to comply with the requirements set out in the Court of Justice's Schrems II decision (see our previous Law Now for more information). Considering the timeframe for replacing existing SCCs with the new SCCs, we recommend (i) reviewing and prioritising contracts based on business risk; (ii) establishing clear policies and procedures for cross-border personal data transfers, including appropriate processes to document and regulate the business's personal data flows; and (iii) identifying and implementing the supplementary measures recommended by the European Data Protection Board (EDPB) (available here) to ensure a level of data protection that is essentially equivalent to the EU's standard of data protection.
Finally, the Belgian administrative supreme court ("Raad van State"/"Conseil d'Etat") ruled on 19 August 2021 that transfers of personal data to recipients located in the USA are not as such unlawful (decision available here). The court added that the EDPB guidance did not seem to rule out such transfers, provided that (i) the data is fully encrypted before being made available to the US-based service provider and (ii) the encryption keys are fully controlled by the controller. In practice this means the US provider only ever handles ciphertext it cannot decrypt, which suits storage or transport of data but not services that need to process it in the clear.
The UK may not be so adequate after all
As you may recall, on 28 June 2021, the EU Commission adopted a so-called adequacy decision in respect of the UK. That basically means that personal data may freely be exported from the European Economic Area to data recipients in the UK.
On 26 August, the UK government announced that it intends to reform its data protection laws, to enter into data sharing arrangements with the US and a series of other countries, and to loosen data protection obligations for small businesses and charities. In reaction to this announcement, the EU promptly warned the UK government that any divergence by the UK from the EU's data protection standards may result in the UK losing its adequacy status.
This development further supports what we have been advising our clients so far: it is not wise to rely merely on the UK's adequacy status for large-scale and systematic transfers of personal data from the European Economic Area to data recipients in the UK. Data exporters should start implementing a fall-back option in case the UK loses its adequacy status (e.g. by rolling out the new SCCs).
Cookie banners under scrutiny
The European Center for Digital Rights (NOYB), founded by privacy activist Max Schrems, issued a new wave of complaints focused on the compliance of cookie banners in Europe. Among the practices under scrutiny is the use of pre-ticked boxes to obtain consent. It has, however, long been clear from the GDPR and from the case law of the EU Court of Justice that pre-ticked boxes cannot be used to obtain valid consent under the GDPR (see our previous Law Now, here and here for more information).
BDPA draft recommendation on biometric data
The considerable increase in biometric data processing in everyday life has prompted the BDPA to publish its draft recommendation on biometric data (see in French; Dutch). It provides a lengthy and practical guide for organisations using such technologies, including at the workplace. The BDPA recalls that any recourse to such technologies must respect the key principles set forth in the GDPR.
Whereas the use of biometric technologies may be perceived as particularly effective (e.g. for access control or security purposes), companies should assess the privacy impact and consider less intrusive means of achieving their legitimate purpose. Conducting a data protection impact assessment is recommended to determine appropriate additional measures.
The public consultation is now closed. We expect the final recommendation in the coming months.
Man-in-the-middle attack (e-mail hijacking)
We have seen an increase in the number of man-in-the-middle (MitM) attacks during the summer. In this type of cyber-attack the malicious actor places himself between two communicating parties and relays messages between them, while the parties believe they are communicating with each other directly until it is too late. In the e-mail hijacking variant the "middle" is rarely the network path itself: the attacker typically reads along in a compromised mailbox or registers a lookalike domain, then steps into an existing thread (often about an outstanding invoice). The malicious actor collects information (such as personal data, passwords and banking details) and/or impersonates one party to solicit additional information or bring about certain actions, such as completing a transaction or initiating a transfer of funds to a bank account the attacker controls.
To mitigate MitM attacks, we recommend the following best practices: (i) make sure that encryption and proper certificates are used whenever possible; (ii) enforce restrictive corporate or user policies on the operating system and web browser; (iii) enable multi-factor authentication, which is the single most effective control against the mailbox compromise that usually starts an e-mail hijack; (iv) engage in regular staff training to recognise the signs of such attacks; (v) equip network assets with VPN capabilities for use on untrusted networks (this protects the connection, not a mailbox that has already been compromised); and (vi) treat with suspicion messages from organisations you do not normally deal with and/or that suddenly change their bank account number, and verify any change of payment details through an independent channel, such as a phone call to a number already on file rather than one given in the e-mail.
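The warning signs listed above can be checked automatically before an invoice is paid. The following script is an added example written for this article, not a tool from any of the organisations mentioned: it triages raw e-mails against a hypothetical vendor master record (a known domain and the IBAN on file, both constructed here) and reports the three tell-tale signs of a hijacked thread, namely a Reply-To that points somewhere other than the sender, a sender or reply domain that imitates a known vendor through common homoglyph swaps, and an IBAN in the body that differs from the one on file. IBAN candidates are validated with the standard mod-97 check so that random capitalised tokens are not reported. The sample messages are constructed for the example.

```python
"""Triage of supplier e-mails for the conversation-hijacking pattern
(added example; vendor data and messages are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor master data. In a real deployment this comes from the
# accounts-payable system, never from the e-mail being checked.
KNOWN_VENDORS = {
    "acme-supplies.example": {"iban": "BE68539007547034"},
}

# IBAN written with or without grouping spaces, e.g. "BE68 5390 0754 7034".
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35) and require remainder 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def _domain(header: str) -> str:
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise(domain: str) -> str:
    # Collapse the homoglyph swaps typically used in lookalike domains.
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(fake, real)
    return domain


def lookalike_vendor(domain: str):
    """Known vendor domain that `domain` imitates, or None if it is exactly
    a known vendor or unrelated to any."""
    if domain in KNOWN_VENDORS:
        return None
    for known in KNOWN_VENDORS:
        if _normalise(domain) == _normalise(known):
            return known
    return None


def _plain_text(msg) -> str:
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> list:
    """Findings for one raw RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))

    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Which vendor does the thread claim to come from? The exact domain, or the one imitated.
    vendor = KNOWN_VENDORS.get(from_domain)
    for label, domain in (("sender", from_domain), ("reply-to", reply_domain)):
        imitated = lookalike_vendor(domain) if domain else None
        if imitated:
            findings.append(f"{label} domain {domain} looks like known vendor {imitated}")
            vendor = vendor or KNOWN_VENDORS[imitated]

    for match in IBAN_RE.findall(_plain_text(msg)):
        iban = match.replace(" ", "")
        if vendor and iban_valid(iban) and iban != vendor["iban"]:
            findings.append(f"IBAN {iban} differs from IBAN on file {vendor['iban']}")
    return findings


# Constructed sample messages.
LEGIT = ("From: Accounts <billing@acme-supplies.example>\nTo: ap@ourcompany.example\n"
         "Subject: Re: Invoice 4711\n\nPlease pay EUR 12,000 to BE68 5390 0754 7034 as usual.\n")
# Same domain, new account: the pattern of a compromised supplier mailbox.
COMPROMISED = ("From: Accounts <billing@acme-supplies.example>\nTo: ap@ourcompany.example\n"
               "Subject: Re: Invoice 4711\n\nOur bank details changed. Please pay to "
               "DE89 3704 0044 0532 0130 00.\n")
# Spoofed sender with replies steered to a lookalike domain.
LOOKALIKE = ("From: Accounts <billing@acme-supplies.example>\n"
             "Reply-To: billing@acrne-supplies.example\nTo: ap@ourcompany.example\n"
             "Subject: Re: Invoice 4711\n\nNew account: DE89 3704 0044 0532 0130 00.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("compromised", COMPROMISED), ("lookalike", LOOKALIKE)):
        print(name, triage(raw) or "no findings")
```

A finding is a prompt for the independent call-back, not a verdict: a supplier can legitimately change banks, and the script deliberately leaves the decision to the person who verifies the new details against a number already on file.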
Qualification of controllers and processors
The EDPB adopted the final version of its guidelines on the concepts of (joint) controller, processor, third party and recipient under the GDPR (Guidelines available here). These guidelines further explain these concepts and provide a flowchart for applying them in practice as well as concrete examples, which should help companies properly assess the role of each entity involved. Information is also provided on the form and content of (i) the contracts that must be entered into between controllers and processors and (ii) joint-controller arrangements.