Eva Jarbekk
Partner
Oslo
Newsletter
by Eva Jarbekk
Published:
In other respects, a big discussion centres on whether the new agreement for transfers of personal information between Europe and the US can be trusted – something which is not at all certain, even if it would make life easier for many companies.
Academics have also dived into a new discussion about whether the European Data Protection Board (EDPB) and the data protection authorities have been right to rule out a risk-based approach to the consequences of transfers to the US. A more risk-based approach would obviously make transfers easier, while at the same time leading to challenging discussions about what is an acceptable risk. Until someone conducts a court case that changes the data protection authority's interpretation of the law, it is probably wise to follow the guidelines from the EDPB.
One of the most discussed developments in recent weeks has been President Biden signing an Executive Order ("EO") on 7 October to facilitate the transfer of personal data from Europe to the US. Europeans are given stronger protection against surveillance by American authorities, in particular by introducing the principles of proportionality and necessity. There must be necessity and proportionality between the purpose of the surveillance and the personal data under surveillance. A complaint mechanism is also established in two instances for alleged violations. The final appeal body is called a "Data Protection Review Court", which will be able to make binding decisions in relation to complaints.
NOYB has of course done an analysis of whether the measures are good enough, available here.
The short version of the analysis is that the surveillance still constitutes what is called bulk surveillance and that what they call a "review court" is not an actual court. Furthermore, NOYB emphasizes that even if criteria of necessity and proportionality are introduced, these words mean something different in the USA than they do in the EU.
The next step is that the European Commission will make a proposal for a so-called adequacy assessment of the scheme according to GDPR Article 45, which will be sent to the EDBP for their opinion. Any comments from the EDPB are not decisive, but there is reason to believe that significant weight will be placed on them. The EU countries will then vote on the proposal and, finally, the Commission will adopt the adequacy decision.
One will then possibly have a basis of transfer that can be put into use in March 2023, but at the same time there is reason to believe that NOYB (or others) will challenge this in court. Most of the people I speak to relate less to the new framework and more to what are sufficient additional measures according to EDPB's existing guidelines.
Caitlinn Fennessy from IAPP has a good analysis on this, with a slightly different perspective than NOYB, you may read this here.
It would have been nice if there was a simple and legal basis for the transfer of personal data to the US. Just the fact that there are new decisions from the Norwegian Data Protection Authority that you cannot use Google Analytics gives many people frustrations. The same applies to the fact that NRK has decided to no longer use the marketing automation platform Mailchimp for the same reason.
I am in doubt whether I think it is a big privacy risk to use Mailchimp for uncontroversial email subscriptions, even if the NSA were to monitor which newsletters I receive. I understand that it is not 100% formally compliant. But is it really dangerous?
The Nordic Privacy Arena was recently held in Stockholm. I was lucky enough to chair a debate between, inter alia, Allan Frank from the Danish Data Protection Authority and Google's Global Privacy Counsel, Peter Fleischer.
Google hopes that technical measures may remedy the transfer problem, while the Danish Data Protection Authority wishes to stay loyal to the ECJ and Schrems II. At the conference, Google had a separate session where they described how they will change their Data Processing Agreement (at least for some schools) in light of the focus from several Data Protection Authorities on the use of certain types of personal data such as log data/event data. This is actually not really about transfer to the US, but about the use of data and the balance between data processor and data controller.
Microsoft has also made a number of changes to its Data Processing Agreement, which is stated to have effect for all customers from 15 September this year. It is a step in the right direction that such large players are willing to change their terms.
How should one understand what a relevant risk is when transferring personal data to countries outside the EU? As you will remember, both EDPB and the data protection authorities have been clear that when assessing whether a recipient country has an "equivalent" level of protection, a risk‑based approach cannot be assumed. Either the receiving country has an equivalent level of protection, or it does not – the answer, according to the authorities, is binary.
In Norway, the Norwegian Digitalisation Agency (Digdir) recently had to attend meetings with the Norwegian Data Protection Authority after they had published their new guide, precisely because they had recommended a risk-based approach which the Norwegian Data Protection Authority disagreed with. The guide will probably be issued as a revised version based on dialogue between the Norwegian Data Protection Authority and Digdir. You may read more on this here.
In the Netherlands, however, renowned privacy lawyer and professor of law Lokke Moerel has recently published a comprehensive legal analysis of the conditions for the transfer of personal data to third countries, and she concludes that there is a legal basis for being able to use a risk-based approach. Despite the fact that EDPB's guidelines explicitly conclude that it is not legal. Moerel is no novice, she has previously published a widely used book on Binding Corporate Rules and is considered one of Europe's best privacy lawyers. In the article, she writes that the EDPB and the Norwegian Data Protection Authority interpret the GDPR too narrowly when they say that there is a binary understanding of whether the recipient country has "equivalent" data protection to that of the EU. Moerel believes that such an assessment should be risk-based, and she is clear that the EDPB and the Norwegian Data Supervisory Authority are too strict.
In this newsletter, there is no space for a review of the argument, and it is possibly also most relevant for academics, since both the EDPB and local data protection authorities (still) consider that such an approach is not sufficient. Nevertheless: the short version is that Moerel believes that the principle of proportionality in GDPR Article 24 should also be applied to GDPR Chapter 5 on transfers, while the EDPB and the data protection authorities believe that it is the somewhat more rigid principles in Article 5 that must be applied to Chapter 5. Those particularly interested can read Moerel's analysis here.
In other respects, I'm sure everyone has noticed that the Norwegian Data Protection Commission has recently published its report "Your privacy – our shared responsibility", available here.
The Norwegian Data Protection Authority seems to agree with the findings and recommendations from the Commission. It is easy to understand that the Norwegian Data Protection Authority supports the recommendations on specific measures within digitalisation in schools and kindergartens. The Norwegian Data Protection Authority also believes that a general ban on behaviour-based marketing should be investigated further, something that has been high on their agenda for a long time. Read the Norwegian Data Protection Authority's comment here.
On 12 October, the EDPB adopted what they call "Opinion 28/2022 on the Europrivacy criteria of certification regarding their approval by the Board as European Data Protection Seal", which you can find here.
This concerns a European privacy certification. It is the first time that the EDPB has approved such a seal of approval. Formally speaking, this is done based on GDPR, Article 42. The approval means that the company 'European Center for Certification and Privacy' (Europrivacy) can certify businesses – i.e., certify that they are "compliant" with the GDPR.
It will be exciting to see how this develops further. Presumably this type of certification will be relevant for a good number of companies. At the same time, there is also some criticism in social media that this will be an expensive process that is not suitable for everyone. It is obvious that some companies will think that there is money to be made in privacy certification going forwards.
There are many new rules coming from the EU. There is the proposed regulation on AI, the Digital Service Act and the Digital markets Act and many more. We will revert to those. But very recently they also proposed another set of rules on artificial intelligence. They are proposing something called an AI Liability Directive that will reduce the burden of proof for people who want to sue someone responsible for incidents involving products that use artificial intelligence. These regulations, if adopted, will apply in addition to the proposed Regulation on AI. It is, of course, difficult to say both if and when this will possibly become a reality, but the core of the thinking seems to be that individuals should not have to understand the actual logic behind the artificial intelligence they have been exposed to, but that there should be a causal connection between the product and any resulting damage. We will have plenty of rules to deal with in the future. Read more about this here.
Otherwise there are, as usual, a number of new cases from the data protection authorities in Europe. This includes several decisions relating to a lack of response to access requests, lack of consent, data that is stored for too long, lack of security measures and other matters. Below are some cases that piqued my interest.
Consents are still a hot topic. The Italian Data Protection Authority, Garante, has fined an American company that offers an app for diabetics. The fine of EUR 45,000 related, inter alia, to the fact that the users' email addresses became available to others, but also that by downloading the app, a single click would mean that they accepted the entire privacy policy. This prevented users from giving separate consents to different processes, which included health-related data. This was contrary to, among other things, the principle of transparency. The case also concerned a number of other elements, and there is much evidence that one must have more granular consents in the future. You can read more about the fine here.
In a case from the Netherlands, the situation was that an employee had pried into the medical records of one of the patients repeatedly. The controller was ordered to pay the patient €2,000 for pain and suffering. In the case, the hospital was also criticized for not adequately logging the activity of employees with unrestricted access to patient records and for only carrying out monthly random checks on two records to see if wrongful inquiries had been made. The decision is little discussed in the English-language media, but can be found in the original language here. The case shows that logs are important (but often overlooked) and that it is central to have a good balance between having too few and too many logs.
At the same time, NOYB strongly criticizes several new decisions on compensation for pain and suffering in Europe, see their article here here. One of the conditions that is criticized stems from a new case before the ECJ in which the Advocate General seeks to limit the amount for which compensation can be claimed.
From a Norwegian point of view, this criticism seems a bit foreign, as we do not have a tradition of giving large sums in compensation for pain and suffering. It is clear that it can probably act as a motivation to ensure compliance if such claims become large, nevertheless, I think that the most important thing is that the data protection authorities ensures compliance by, e.g., imposing a decision to stop processing that is not as it should be.
In Poland, a cultural centre was fined this summer for transferring personal data to an external data protection officer. The reason for the fine was that the cultural centre had not entered into a written agreement with the data protection officer as required under Article 28.
To those of you who transfer personal data to countries outside the European Economic Area: Remember that there is a deadline for getting all contracts for transfers of data to countries outside the EEA to the new Standard Contractual Clauses by 27 December this year. If your suppliers have not taken the initiative to do this for you, you should contact them yourself now.