Data protection: Year of disruption

A. COVID-19: the new normal

For most of this year, COVID-19 has dominated and disrupted much of our day-to-day life. Working from home, restrictions on who we can socialise with and where we can spend time in public places are becoming the new normal. Amongst these changes, many businesses are collecting customer details in line with new COVID-19 track and trace requirements. These data fall within the scope of the GDPR, so businesses must ensure they are complying with data protection rules when collecting and processing the data.

In Scotland, it is now mandatory for certain businesses (e.g. hospitality businesses serving food or drink to customers on their premises) to gather minimum contact details from customers. Businesses in other sectors may also wish to collect such details to aid public health efforts, even where it is not a legal requirement.

Whether a business is legally required to collect customer data or not, under the GDPR it will need a “lawful basis” to do so.

If a business is legally required to collect data, the applicable lawful basis is compliance with a “legal obligation”. If this is not legally required, “legitimate interest” is likely to be the most appropriate lawful basis. Businesses should not rely on the consent of customers when collecting their details: unless the details collected may reveal health information (e.g. that a customer has COVID-19 symptoms), collection of details is not a legal requirement, and the customer will not be denied service if they refuse to consent.

Additionally, businesses must:

• only collect information that is necessary (which in most cases will include name, telephone number, and date and time of visit);
• not retain data for longer than necessary (Government guidance suggests 21 days);
• hold all data securely (i.e. making sure it’s physically safe, in the case of paper records, or digitally safe, in the case of electronic records);
• implement an appropriate way of telling customers how and why their data is being collected (e.g. putting signs up on-premises, or directing people to further information online); and
• ensure that they are able to fulfil data subjects’ rights requests in relation to collected data (e.g. where a customer asks for access to their data).

Contact tracing data should only be shared with a legitimate public authority when requested. Businesses must not use the data to market to individuals, unless the individuals have specifically and separately consented to this in line with e-privacy regulations.

B. Schrems II: demise of the Privacy Shield

The Court of Justice of the European Union (CJEU) delivered its highly anticipated ruling in the Schrems II case – once again, disrupting the international data sharing landscape. The decision invalidates the EU-US Privacy Shield. To the relief of the vast majority of observers, however, the decision confirms that standard contractual clauses (SCCs) – which were also in the firing line – remain a valid method for effecting transfers of personal data to non-EU countries (including the US).

The Privacy Shield enabled the free transfer of personal data from the EU to certified US companies who undertook to comply with additional data protection obligations under the scheme. It was one of the main mechanisms for transferring personal data from the EU to organisations in the US, with over 5,000 US companies registered under it. Notwithstanding this, and the legal and commercial uncertainty any invalidation would cause, the CJEU invalidated the scheme on the basis that the requirements of US national security, public interests and law enforcement retain supremacy over the fundamental rights of persons whose data are transferred to the US (thereby condoning interference with such rights).

Anyone who was relying on Privacy Shield to send personal data to the US must now rely on one of the other transfer mechanisms under GDPR (i.e. SCCs, a derogation under the GDPR for non-systematic/one-off data transfers, or binding corporate rules). In practice, this will most likely be SCCs.

So far as SCCs are concerned, the CJEU confirmed that they remain valid for transferring personal data to non-EU countries, but with certain caveats and conditions, the most important of which are:

• prior to the transfer, EU data exporters seeking to rely on SCCs must assess whether the local law of the importing country provides a level of protection that is essentially equivalent to the EU. This includes assessing that the law of the importing country does not impose obligations that are contrary to the SCCs (e.g. protection against access to data by public bodies); and
• following the transfer, both the exporter and the importer should ensure that the processing of that data has been, and will continue to be, carried out in accordance with EU data protection law.

In short, the key steps that data exporters need to take now include:

• considering whether personal data are currently being transferred under Privacy Shield, and if so, transitioning to a suitable alternative transfer mechanism – this will most likely be SCCs;
• if transitioning to, or continuing to rely on SCCs, you should assess whether the importing country offers the level of data protection required by EU law, and whether additional accountability measures should be implemented to provide additional safeguards for “at risk” transfers (e.g. data minimisation, pseudonymisation, data protection impact assessments etc).

C. An “inadequate” Brexit?

The Schrems II ruling emphasises the urgent need for the UK to obtain an adequacy decision from the EU by the end of the Brexit transition period (currently 31 December 2020). Without it, the free flow of data from the EU to the UK will end.

At the end of the transition period, the changes made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will take effect. The regulations will introduce a new UK GDPR, and the GDPR will be known as the “EU GDPR” in the UK.

The UK GDPR will be formed by merging the EU GDPR and the “applied GDPR” (which arises under the Data Protection Act 2018). In practice, this will create a set of UK data protection rules that are, on the whole, the same as those currently set out in the GDPR.

Whilst the core provisions of the UK GDPR will remain the same, some important changes to note are that the Secretary of State will replace the role of the European Commission, and the ICO the role of the European Data Protection Board.

Though the UK has made clear that it will provide UK adequacy decisions for the EEA, Gibraltar, the EU institutions, and for those non-EU countries for whom an EU adequacy decision already exists, it is still unclear whether the EU will provide an EU adequacy decision in favour of the UK. In July the Commission reiterated that the EU will use its best endeavours to provide an answer by the end of 2020, but there is speculation that the decision in Schrems II will delay this response. If we do not obtain an EU adequacy decision before 31 December 2020, European companies will need to rely on SCCs and possibly additional safeguards in order to export data to the UK. This could have significant implications for the continued flow of EU personal data into the UK, at a time where there is already substantial economic uncertainty due to the lack of a UK/EU trade deal and the challenges presented by the COVID-19 pandemic.

D. A fine too far?

Europe has long led the way in established data protection standards, but there were always grumblings in various quarters that EU regulators did not have adequate enforcement powers, particularly against large multinationals who could financially afford to ignore the rules. This all changed with the GDPR, which arguably gave teeth to European regulators for the first time. Before the GDPR came into force, much was made of the eye-watering fines that regulators could hand out under it. Under GDPR, fines can reach up to €20 million or 4% of annual worldwide revenue (whichever is greater). This was a far cry from the maximum fine of £500,000 that could be levied under the old Data Protection Act 1998.

The question then was, would a regulator actually impose a fine of €20 million on a company for flouting privacy rules? Fines remained within the realms of existing practice for the first few months of the GDPR coming into force. However, in early 2019, first blood was drawn by the French regulator (CNIL), which fined Google €50 million for breaching GDPR in its processing of personal data for the purposes of behavioural advertising. This was the first GDPR fine of this scale, and it was thought this might indicate the new parameters within which European regulators would operate.

This misconception was put to rest almost half a year later, when the ICO (the UK’s regulator) announced its intention to fine British Airways a record £183 million for poor security arrangements that compromised the personal information of around 500,000 customers. In its recent financial statements, BA revealed that it now expected to pay a fine of £20 million. Full details of the actual figure are still awaited. [Now confirmed at £20 million – Editor]

The ICO announced a second major penalty shortly after, fining Marriott over £99 million. The breach resulted from a cyber-attack that exposed personal information of up to half a billion guests. Though the hotel group reported the incident in late 2018, the ICO decided that it had failed to carry out sufficient due diligence in its acquisition of the Starwood hotels group in 2016 (whose IT systems had been compromised).

This summer, low-cost airline easyJet revealed it was a target of a sophisticated cyber-attack. An estimated 9 million customers had their personal data exposed, including around 2,200 customers who had their credit card details stolen. The airline could be set back tens of millions of pounds by an ICO fine. However, industry experts suggest that the timely notification of the breach may help to minimise the fine.

Most recently, in October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information fined retailer H&M over €35 million for unjustified surveillance of employees. H&M kept detailed records about the private lives of hundreds who worked at its Nuremberg service centre. Details included information about vacation experiences, illnesses and diagnosis, religious beliefs and family issues. This is the highest GDPR fine by a German regulator, and the highest fine in the EU concerning HR data.

Under GDPR, regulators have shown a willingness to wield their new fining powers to the detriment of those that do not comply with the rules.

What is now clear is that companies with a European presence must ensure compliance with the rules, or risk significant fines and reputational damage.