EU Privacy + Security Intensive Jan Dhont Partner, Wilson Sonsini - PowerPoint PPT Presentation

EDPB Guidelines – Transparency Easily Accessible • By providing it directly • By linking to it • By clearly signposting it • As an answer to a natural language question • In an online layered privacy statement • In FAQs • By way of contextual pop-ups that activate when a data subject fills in a online form • In an interactive digital context through a chat box interface

EDPB Guidelines – Transparency Clear and plain language /1 • Avoid complex sentence and language structure • Provide concrete and definitive information • Do not use abstract or ambivalent terms • Do not leave room for different interpretations • Provide clear statement of the purposes of, and legal basis for, the processing • Avoid language qualifiers such as “may”, “might”, “some”, “often” and “possible”

EDPB Guidelines – Transparency Clear and plain language /2 • Use bullets and indents • Use active instead of the passive form • Avoid excess nouns • Avoid overly legalistic, technical or specialist language or terminology • When targeting data subjects speaking those languages, provide translations, ensure that those translation are accurate, ensure that phraseology and syntax make sense

EDPB Guidelines – Transparency Formats for Providing Information • Layered privacy notice – Make sure that the layers to do not provide conflicting information • Privacy dashboard • Just-in-time notice • Hard copy : paper, leaflets, flowcharts, cartoons • Telephone environment : oral explanation; pre-recorded information • Screenless smart technology, IoT, Wi-Fi tracking : icons, QR codes, voice alerts • CCTV, drone : public signage, visible boards

EDPB Guidelines – Transparency Accountability Obligations • As part of its accountability obligations, the data controller must be able to demonstrate that personal data is processed in a transparent manner • Accountability as applied to transparency applies: – At the point of collection of the data – Throughout the processing life cycle – When changing content , terms of existing privacy statements • Timing for notification of changes • Making data subjects aware of the risk

EDPB Guidelines – Transparency Demonstrating Accountability • Accountability requires the controller or processor to be able to demonstrate – Rationale for a decision – Justify why the decision was made , and how the potential impact on the data subject was evaluated . • Example: when a data controller/processor seeks to rely on an exception, it is expected to: – Carry-out an analysis of the situation, and how it applies to the particular situation – Assess the information against the impact and effects on the data subject if implementing that solution – Keep a record of the evaluation, analysis and decision

EDPB Guidelines – Data Breaches Types of Data Breaches • “Personal Data Breach” is a breach of security leading to the accidental or unlawful – Destruction – Loss – Alteration – Unauthorized disclosure of – Unauthorized access to personal data transmitted, stored or processed • Three types of personal data breaches: – Confidentiality Breach : disclosure, access (e.g., phishing) – Integrity Breach : alteration (e.g., man-in-the-middle attack) – Availability Breach : loss of access (even if temporary), destruction (e.g. denial of service)

EDPB Guidelines – Data Breaches Notification requirements in the GDPR Notification to Supervisory Authority (Art. 33 Communication to Data Subjects (Art. 34 GDPR) GDPR) A controller shall notify a data breach if it is A controller shall notify every data breach. likely to result in a high risk to the rights and HIGH RISK freedoms of natural persons. UNLESS the breach is unlikely to result in a risk RISK to the rights and freedoms of natural persons, EXCEPT if: e.g.: • The controller adopted protective measures on the • If disclosed data was already publicly available; or affected data (e.g., encryption); or • • If data is unintelligible due to strong encryption. The controller adopted measures which ensure that the risk won’t materialize. Deadline : “Without undue delay and, where feasible, no later than 72 hours ”. Deadline : “Without undue delay”.

EDPB Guidelines – Data Breaches When the Controller Becomes Aware • A controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred and has led to the compromise of personal data. • GDPR requires controllers to have in place appropriate technical and organizational measures to establish immediately whether a breach has taken place • When a controller can be considered to be “aware” of a particular breach will depend on the circumstances of the specific breach • The emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed breached, and if so to take remedial action and notify if required.

EDPB Guidelines – Data Breaches Being “informed” is not being “aware” • Detection – After first being informed by a third party, or having detected a security incident, the controller may undertake a short period of investigation in order to establish whether a breach has in fact occurred. • Investigation – During the period of investigation, the controller may not be regarded as being ”aware”, however, it is expected that the initial investigation should begin as soon as possible, and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow. • Awareness – Once the controller has become aware, with a certain level of certainty, that a breach has occurred, if the conditions for notification in Art. 33(1) have been met, a notifiable breach must be notified without undue delay, and, where feasible not later than 72 hours. – During this period, the controller should assess the likely risk to individuals in order to determine whether the requirements for notification have been triggered, and the actions needed to address the breach

EDPB Guidelines – Data Breaches Criteria for assessing a breach • When assessing a breach, the controller should consider the specific circumstance of the breach, including the severity of the potential impact and the likelihood of occurrence, taking into account the following criteria: – Type of breach – Nature, sensitivity, volume of data – Ease of identification of individuals – Severity of the consequences to the individual – Special characteristics of the individuals (children, vulnerable individuals) – Special characteristics of the data controller – Number of affected individuals • See also ENISA’s “ Recommendation for a Methodology of the Assessment of the Severity of Personal Data Breaches ” https://www.enisa.europa.eu/publications/dbn-severity .

EDPB Guidelines – Data Breaches Preparedness • The ability to detect, address and report a breach in a timely manner is an essential element of the requirement that each controller and processor have in place appropriate technical and organizational measures to ensure an appropriate level of security of personal data • Controller should have – Internal processes in place to be able to • detect a breach (e.g., data flow and log analyzers) • address a breach (e.g., upwards reporting management) – Incident response plan – Arrangements with any processors that the controller uses • Obligation to notify the controller • Specific requirements for prompt notification to help the controller meet the 72 hour threshold. – Process for keeping documentation of the breach as it develops

EDPB Guidelines – Data Breaches Crossborder Processing – Where to Notify? • When a breach takes place in the context of cross-border processing: – The controller should notify the lead supervisory authority . – If the controller is not established in the EU/EEA, the controller’s EU Representative should notify the supervisory authority of the Member State where the EU Representative is located. • In case of doubt, (also) notify the local supervisory authority where the breach has taken place. • When drafting an Incident Response Plan, identify the applicable lead supervisory authority.

EDPB Guidelines – Data Breaches How to Contact Affected Individuals • Data subjects should be contacted directly , unless doing so would involve a disproportionate effort. – In that case, the communication may be made using public communication • Dedicated messages should be used, i.e., not combined with other information • Examples of approved transparent communications methods – Direct messaging (email, SMS, direct message) – Prominent website banners or notification – Postal communications – Prominent advertisement in print media – Use of different languages • EDPB encourages – The use of means that maximize the chances of properly communicating the information, such as using several channels concurrently. – Cooperation with supervisory authorities and law enforcement.

EDPB Guidelines – Data Breaches Record Keeping Obligations • Whether or not notification is required, Controller must keep documentation of all breaches. • Companies should establish a register of breach and keep records of their assessment of identified breach. • Supervisory authority can request to see these records – Breach – Causes of the breach – What took place – Which personal data were affected Records / • Effects and consequences of the breach • Remedial action taken by the controller • Reasoning for decision taken to report / not report the breach • Reason for the delay in reporting, if any • Any relevant evidence

EDPB Guidelines – Data Breaches Practical Considerations  Obtaining cooperation of processors/vendors  Dependency on (a) vendor(s) / Vendor(s) physically hold(ing) the data  Keep control tight (joint and several liability)  Upward trend of class-actions by non-for-profits  Complex interaction with investigations by the DPAs  Courts may grant injunctive relieve  Processors need strategy to deal with multiple controllers  Data breaches often trigger investigations and fines by Supervisory Authorities

EDPB Guidelines - DPO When is a DPO required? GDPR Art. 37(1) • Core activity of controller/processor consists of processing – that requires regular and systematic monitoring of data subjects on a large scale ; or – Of special categories of data on a large scale ; or – Of personal data relating to criminal convictions and offenses on a large scale ; or • Processing is carried out by a public authority or body EU Member State laws may add other grounds

WHEN IS A DPO REQUIRED? (Art. 37 GDPR) Source of this slide: DPO Network Europe

EDPB Guidelines - DPO Key Terms: Core Activity Definition • The key operations necessary to achieve the objectives of the business; and/or • The activities where data processing forms an inextricable part of the activity of the business. • Not the routine activities of a company (e.g. payroll, IT support) Examples • Hospital  processing of health data is a core activity but payroll is not; payroll is “accessory” to the business. • Surveillance  processing of visitors’ biometrics data is core activity • Payroll service processor  processing of personal data to perform hospital's payroll activity is “core activity” for the payroll processor.

EDPB Guidelines - DPO Key Terms: Large Scale Sample criteria – Number of individuals; proportion of the relevant population – Volume of data to be processed – Duration, permanence of the data processing activity – Geographical extent of the processing activity Examples – Patient data in hospital – Travel data using travel cards – Geolocation of customers – Processing of insured data by insurance company

EDPB Guidelines - DPO Key Terms: Regular and Systematic Monitoring “Concept clearly includes all forms of tracking and profiling on the Internet, including for the purpose of behavioral advertising ” Examples – Location tracking – Loyalty programs – Retargeting; behavioral advertising – Monitoring wellness, fitness, health care – CCTV; operating a telecom network; providing telecom services – Connected devices, smart cars, home automation – Profiling and scoring for risk assessment (e.g. credit scoring) – Fraud prevention; detection of money laundering – Establishment of insurance premiums

EDPB Guidelines - DPO To DPO or not to DPO? Clearly required?  Go to next slide Not clearly required • Conduct an analysis of the relevant factors; analysis is part of the documentation under the accountability principle • If conclusion is “no DPO needed”, keep record of the analysis and of the conclusions • Analysis should be updated as business, activities, services, change Risks • WP29 “encourages voluntary efforts” to appoint a DPO • Beware, if the of the person responsible for personal data is named “DPO”, the business is expected to treat the individual as a GDPR DPO. Use a different title to avoid confusion • WARNING: DPO once appointed, whether voluntary or mandatory, it is designed for ALL processing operations conducted by the business.

EDPB Guidelines - DPO DPO Responsibilities • DPO is not responsible in case of non-compliance with the GDPR • GDPR Art. 24(1): The business is required – to ensure compliance – to be able to demonstrate that the processing is performed in accordance with the GDPR • DPO – Is independent – Should be given the possibility to make his/her dissenting opinion clear – Cannot be dismissed for providing his/her advice.

EDPB Guidelines - DPO Independence: No Conflicts GDPR Art. 38(3): organization must enable the DPO to act in an independent manner: • No instructions by the business regarding the exercise of the DPO’s tasks • No dismissal or penalty for the performance of the DPO’s tasks • No conflict of interest with possible other tasks and duties. DPO cannot wear several hats: – CEO; COO, CFO – CMO, HR, IT – Other roles that involve the determination of purposes and means of the processing.

EDPB Guidelines - DPO Tasks: Monitor Compliance GDPR Article 39 (1)(b) • Collect information to identify processing activities • Analyze and check the compliance of the processing activities • Inform, advise and issue recommendations to the controller/processor GDPR Art. 39(1)(d) & (e) • Cooperate with supervisory authority • Act as a contact point with the supervisory authority

EDPB Guidelines - DPO Data Protection Impact Assessments GDPR Art. 35(2), 37(1)(c) – DPIA • Controller must seek the advice of the DPO when conducting a DPIA. • DPO does not perform the DPIA, but provides advice – Whether or not to carry out a DPIA – What methodology to follow when carrying out a DPIA – Whether to carry out a DPIA in-house or to outsource it – What technical, organizational measures should be used to mitigate any risks to the rights and interest of the data subjects – Whether the DPIA has been correctly carried out – Whether conclusions to go ahead, or apply safeguards, are inline with GDPR

EDPB Guidelines - DPO Location of DPO • Key factor: accessibility • EDPB – Recommends that the DPO be located in the EU whether or not the business is established in the EU BUT – States that where a business has no establishment in the EU, a DPO may be able to carry out his/her activities more effectively if located outside the EU

EDPB Guidelines - DPO DPO’s Professional Qualities DPO must be designated on the basis of professional qualities and in particular expert knowledge: • Expertise in national and EU data protection laws & practices • In-depth understanding of GDPR • Understanding of the processing operations to be carried out • Understanding of information technology and data security • Knowledge of the business sector and other organizations • Ability to promote a data protection culture within the organization.

Should We Appoint an Internal or an External DPO? Internal DPO External DPO   PROS Deeper understanding of company’s privacy culture. Entirely dedicated to privacy.   Easy access to processing operations and relevant Can leverage experience from other clients.  stakeholders. Flexibility re work arrangement and risk allocation due to  May be elected among trusted professionals. contractual relationship. .   May be associated with management more easily Ability to tailor a solution to company’s temporary or urgent compared to external DPO. needs.   Appears as the face of the company towards SA and May complement where internal DPO is in place. Ex: individuals, which enhances trust. consultation for specific projects such as inventory  May have access to sensitive and confidential business preparation. information without fear for external disclosure.   CONS May be difficult to find due to hyper-specialization of the Less familiar with the company’s privacy culture and role. expectations.   May implement restrictive policies due to strict Less direct access to processing operations, management, interpretation of GDPR. and relevant stakeholders in the company.   Has a protected status similar to that of a union May not find his or her place as team player within the representative. company.  Less involvement in strategy.  May value personal interest to keep client over company’s 51 interest.

3. Member State Session A: GDPR: Laws Where are we now?

Introduction  Regulation has direct effect…  … but allows member states to specify or derogate on certain points: e.g.,  Organization Supervisory Authorities is a national matter  Restrictions to data subject rights (Art. 23 GDPR)  Employment-related processing, scientific research, national ID, … (Chapter IX GDPR) 53

Member State Laws Belgium: Data Protection Act 2018

Member State Laws BE Data Protection Act 2018 I. The Act of 3 December 2017 establishing the data protection authority GDPR • Reshapes the pre-GDPR Belgian regulator officially into the ‘Belgian Data Protection Authority’ • Grants it new powers in accordance with the GDPR II. The Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data • Implements / supplements provisions of the GDPR • Covers interaction between law enforcement and data protection law

Member State Laws Belgium: Data Protection Act 2018 example provisions • Safeguards for the processing of Safeguards for the processing of Limitation of data subject genetic, biometric or health criminal convictions and offences rights (e.g. the right to be data : or related security measures: informed about the processing and the right to obtain access • Companies must keep a list of • Limited purposes available (e.g. to data) in context of law the categories of persons with necessary for the management enforcement and national access to such sensitive data; of disputes; for scientific, security. role description in relation to historical or statistical research • data. The age at which a child can or archiving). consent to the processing of • Specific regime for processing • The controller must implement their personal data for online of data for scientific purposes. the same safeguards as for the purposes is set at 13 years of processing of health data. age.

Member State Laws BE Data Protection Authority  Operational since April 25, 2019  “Dispute resolution chamber” and dedicated “inspection body”  Broad investigation powers (e.g. unannounced on site inspections, order to stop processing, penalty payments, publication of decision on website)  https://www.wsgrdataadvisor.com/ 2019/04/belgian-dpa/

Member State Laws France: Data Protection Act 2018

Member State Laws French Data Protection Act 2018 T he French Data Protection Act No. 78- 17 (“ DPA ”) was first adopted on 6 January 1978. Its current version is 50 pages long (approx. 40,000 words). • The DPA was amended to implement the GDPR via law No. 2018-493 of 20 June 2018. It was subsequently revised via ordinance No. 2018-1125 on 12 December 2018 and complemented via an implementing decree No. 2019-563 on 29 May 2019. • The revised DPA reiterates pre-GDPR data protection principles and focuses on derogations and other aspects for which the GDPR allows for national deviations. • The recent revision of the DPA is also aimed at implementing the provisions of EU directive 2016/680 (“ Police Directive ”) under French law.

Member State Laws France: Data Protection Act 2018 example provisions • Consent from minors . The age at • Scope . The provisions of the DPA Processing of personal data post- which a child can consent to the which deviate from, or complement mortem processing of their personal data for the GDPR, apply to individuals who online purposes is set at 15 years of reside in France even if the data • The DPA provides for a French-specific age. controller is established outside of right which allows individuals to give France. instructions on how their personal • Specific “right to be forgotten” data is stored, deleted, and further • Limitation of data subject disclosed after their death. for minors . Where the data subject rights. In accordance with Article 23 was a minor at the time of data • An individual may be appointed to collection, he or she can obtain the GDPR, the DPA provides some carry out these instructions and deletion of the data “as soon as restrictions on data subjects rights, request their implementation from possible”. including limitations on the right to be the data controller. informed about the processing in the context of law enforcement and • Data subjects have the right to be national security. informed of their post-mortem rights.

Member State Laws United Kingdom: Data Protection Act 2018

Member State Laws UK Data Protection Act 2018 The DPA received Royal Assent on 23 May 2018. It is 339 pages long (approx. 136,000 words). • The DPA recognises that most processing is subject to the GDPR • Applies a broadly equivalent regime to certain types of processing not in the GDPR (“applied GDPR”) • Implements EU Law Enforcement Directive • Implements Convention 108 with regards to processing by intelligence services • Articulates role of the Information Commissioner • Sets out the enforcement regime

Member State Laws

Member State Laws UK: Data Protection Act 2018 example provisions • The age at which a child can • Government may specify limits Criminal offences which can be consent to the processing of on the fees that a controller prosecuted by the ICO include: • their personal data for online may apply when dealing with selling or offering to sell purposes is set at age 13 subject access requests (e.g. unlawfully obtained data • Processing of special • for unfounded or excessive retention of personal data categories/criminal data, ot requests) without the consent of the • restrictions of rights where Controller must provide an controller • substantial public interest , e.g. appeal process for “qualifying Unauthorised re-identifying of • Fraud prevention significant decisions” based de-identified information • • Suspicion of terrorist solely on automated alteration of data to prevent financing or money processing disclosure following a data • laundering Govt. may make further subject rights request • Insurance provisions to safeguard data Courts may impose fines but • Political parties subject rights in relation to imprisonment subject to other • Sport (e.g. anti-doping) automated decision-making acts, e.g. Computer Misuse Act

Member State Laws Ireland: Data Protection Act 2018

Member State Laws Ireland: Data Protection Act 2018 The Data Protection Act 2018 was signed into law on 24 May 2018. It is 184 pages long (approx. 68,000 words). Its implementation has the following key effects: • It transposes the Law Enforcement Directive. • It retains elements of the Data Protection Acts 1988 and 2003 for purposes of national security, defence and international relations of the State. • It contains new substantial enforcement powers for the Irish Data Protection Commission ('DPC’).

Member State Laws Ireland: Data Protection Act 2018 example provisions • The age at which a child can It permits the processing of health Criminal offences under the DPA consent to the processing of data for insurance and pension include: • their personal data for online purposes where it is necessary and Disclosure of personal data purposes is set at 16 years of proportionate for the purpose of: without prior authorization age. from the data controller • A policy of insurance or life • Unauthorized disclosure by a • A right to be forgotten for assurance data processor • A policy of health insurance or • children . Controllers must erase Selling of data following ‘without undue delay’ personal health-related insurance, unauthorized disclosure • An occupational pension, • data collected in relation to the Obstruction of an authorized offer of online services to a child retirement annuity contract or officer under the DPA if requested by a data subject. pension arrangement • The mortgaging of property Both fines and imprisonment available to courts (potential maximum of.

Session A: GDPR: 4. Enforcement Where are we now?

The New Enforcement Paradigm Powers and Remedie ies Extended Investigative Powers Corrective Powers   Powers of Order companies to provide information Issue warnings/issue reprimands   Data Auditing Order to bring processing in compliance (in a specified manner/time period)   Protection Dawn raids (obtain access to premises, Order to communicate personal data breaches to individuals  Authorities including equipment/means) Order ban on processing/suspension of data flows  (“DPAs”) Withdraw certifications  Impose administrative fines Specific Right to submit complaints with DPA (Art. 77 GDPR) Remedies Effective remedy against a DPA (Art. 78 GDPR) Effective judicial remedy against a controller or processor (Art. 79 GDPR) Representation of data subjects by non-for-profit bodies (Art. 80 GDPR) Liability Civil Liability . Right to receive compensation from a controller or processor for damage suffered as result of a GDPR infringement Regime (Art. 82 GDPR) Administrative Fines. DPAs must ensure “effective, proportionate and dissuasive” application of administrative fines (Art. 83 GDPR) Criminal Liability. Left to national law. For the most serious violations and often require “intent”

The New Enforcement Paradigm Th The Numbers • Most common triggers for investigations: • 51% complaints by data subjects • 32% data breach notifications • 63% of complaints and notifications until May 2019 have been closed: 37% are still pending • Most DPAs have increased their budget and staff to face increasing workload

Evolution Cross-Border Cases Source: European Data Protection Board

Consumer Rights Activism

Investigations on the Rise CNIL carried out 310 Dutch DPA investigates investigations, including • Generally not much the data processing in relation to CCTV agreements of 30 systems and data visibility organizations subjects rights • DPAs are getting up to speed Irish DPC initiated Greek DPA carried out investigations on more • Expect the number investigations on 65 than 45 companies (e.g., controllers Facebook, Twitter, and of investigations to Instagram) increase Swedish DPA • Proactive vs reactive investigates Google for collection of location data and web browsing histories * May 2019 Figures

Fines and Litigation on the Rise

Fines and Litigation on the Rise Key UK Enforcement Decisions • July 2019: Intention to fine Marriott International, Inc. £99 million (approx. $120 million) • A cyber incident exposed 339 million records (30 million were EEA residents of which 7 million were in UK). Case was investigated under one-stop shop system • Incident related to the vulnerability of Starwood Hotels systems which was subsequently acquired by Marriott GDPR PR • ICO found that insufficient due diligence had been Don one!! undertaken when it acquired the Starwood system • July 2019: Intention to fine British Airways £183 million Both cases were investigated under the (approx. $224 million) GDPR one-stop shop system with UK • Incident resulted from user traffic to BA website being acting as lead authority. They are both diverted to a fraudulent site. About 500,000 records were compromised awaiting a final decision following • ICO found that information was compromised by poor representations from the companies and security arrangements, including log in, payment card, DPAs of affected EU residents. travel booking details, names and addresses

Your #1 Priority: Info Sec 50,000 EUR fine by Italian DPA for failure to use strong security for the use of passwords EUR 20,000 fine by DPA of Baden-Wuerttenberg for storage of passwords in clear text without pseudonymization or encryption 400,000 EUR fine by CNIL for lack of authentication measures to allow access to rental documents Up to 900,000 EUR fine by Dutch DPA for lack of multi-factor authentication in context of health-related data processing 61,500 EUR fine by Latvian DPA for failure to implement effective access logs 400,000 EUR fine by Portuguese DPA for absence of regular checks of a hospital’s access logs

Calculation of Fines  Perceived lack Default Fine Fine Range Example of transparency Cat. 1 100 K EUR 0 – 200 K EUR Insufficient Record Keeping  Perceived lack Cat. 2 310 K EUR 120 K – 500 K Insufficient of inconsistency EUR Processing Agreements, German DSK Fine Methodology independence DPO [Group TO/360 Days] X Severity Factors (1-14.4.) X Classification Score (multiplier) X Aggrav./Mitig. Factors Cat. 3 525 K EUR 300 K – 750 K Failure to notify EUR breaches, lack of transparency Cat. 4 725 K EUR 450 K – 1 M Unlawful EUR processing

Triggers For Enforcement Actions Individual initiates court proceedings • High profile security against incident company NGO DPA initiates investigates • Issues in another court issue on its proceedings own country against initiative company Triggers • Novel product or service • Privacy scandal Individual/co NGO files mpetitor file complaint complaint with DPA with DPA

A Few Possible Proceedings Civil (interim First instance Appeals Court Supreme Court measures) Civil (on the First instance Appeals Court Supreme Court merits) Administrative Administrative Administrative DPA CJEU Appeals Court Supreme Court Criminal First instance Appeals Court Supreme Court EDPB Decisions Procedural law is a matter of national law – harmonization in EU is lacking

How Challenge EDPB and DPA decisions? DPA decisions can be challenged before national EDPB decisions can be challenged before CJEU courts • Challenge DPA decision before national courts of • Bring action for annulment of EDPB decision DPA’s country, under procedural law of that country before CJEU • National courts exercise full jurisdiction and examine • Limited circumstances under which action can be questions of fact and law brought (Art. 263 TFEU) • National courts may always ask CJEU how to interpret EU law • Only DPA to whom EDPB decision is addressed • and those who are (individually and directly) If DPA decision implementing EDPB decision is challenged, EDPB decision must be forwarded to the concerned by EDPB decision can bring action national court • Within 2 months following publication of EDPB • If national court considers EDPB decision to be invalid, CJEU must rule on validity (but it cannot be decision on EDPB website or of notification challenged by parties who had the possibility to bring an action for annulment) • Lengthy procedure before CJEU 80

Looking Forward • DPAs state they were only “flexing their muscles” in 2018 – period of transition is over and organizations must move beyond a base level of compliance • CNIL and ICO have issued statements that will start to use their full breadth of regulatory powers, including fines • Regulators gained additional resources since May 2018 • Top priorities: • Strong accountability programs (including knowledgeable DPO) [ICO] • Focus on how companies deal with data subject rights [CNIL]: • Focus on controller/processor designations and what this means in terms of direct and contractual responsibility [CNIL]: • Focus on direct marketing via its Direct Marketing Code [ICO]

Enforcement Focus – Primary Work Streams • Where it can go wrong • Information security and data breach • Complaint management • Vendor management • Interaction with individuals and SAs • Data subject rights • Processing records • Documentation of compliance efforts • Core compliance – outward facing compliance • Core policies and notices • Data transfers

Session B: GDPR: 1. Cross-border Data Transfers What is happening 2. CJEU Rulings 3. Brexit across EU and across 4. Influence on Global Laws Borders

Session B: GDPR: 1. Cross-border What is happening Data Transfers across EU and across Borders

GDPR Data Transfer: Decision Tree YES YES YES 3. Derogations? (Art. 49) 1. Is country of import 2. Appropriate  Consent white-listed? Safeguards ? (Art. 46)  Performance of  BCRs (can also be sector or contract  EC Standard NO region ) (Art.45) NO  Important reasons Contractual Clauses of public interest  National Standard  Legal claims Contractual Clauses  Vital interests  Codes of Conduct  Legitimate interest  Certification + notification  Ad hoc Contract * EU- US Privacy Shield would be a “white - listed” regime. * Codification of WP29 Guidance; preference for appropriate safeguards over derogations.

Data Transfer Mechanisms Compared Scope Legal certainty Burden • Intra-group transfers • High upfront High BCRs Data Protection Directive • Flexible • Low ongoing (GDPR Art. 47) • Regulator approved (Arts. 25, 26) • Sector/company specific • Transfers permissible only if third country ensures adequate • High upfront Codes of Likely High • New; mechanisms must be level of protection or derogation applies • Low ongoing Conduct/Seals (GDPR Arts. 40-43) developed • Controllers responsible for compliance • Seals valid for up to 3 years; option to renew • Low Commission High • Limited to countries Adequacy recognized as providing adequate protection Derogations • Limited in scope • Medium Medium (e.g., explicit consent, • Narrowly interpreted • Documentation General Data Protection Regulation (GDPR) contractual performance) required (Arts. 44-50) • Limited to contracting parties • Low Invalidation • Supersedes Directive; effective May 25 th 2018 Model Contracts • Intensive Risk • maintenance Similar but more detailed transfer regime • Controllers and processors responsible for compliance • Limited to certain • High upfront Invalidation Privacy Shield • Low ongoing business Risk • EU to US transfers

Update on Data Transfers  Less redtape  Schrems II – the big unknown  Invalidation of SCCs?  Invalidation of Privacy Shield?  Effect on BCRs?  New model clauses in the pipeline (?)  Certification and Codes of Conduct taking a slow start 87

BCRs under the GDPR – What’s New ? • Formal recognition by the European Legislator (Art. 47 GDPR) • Data transfer permit requirements have been abolished • Available to a “group of enterprises engaged in a joint economic activity” • Working Party Documents on BCRs have been overhauled: – WP 256 rev.01 – Content requirements BCR-C – WP 257 rev.01 – Content requirements BCR-P – WP 263 rev.01 – Cooperation Procedure for Approval of BCRs (Procedural Guideline) – WP 264 – Application Form for BCR-C – WP 265 – Application Form for BCR-P • Pre-GDPR BCRs must be updated (!)

The Advantages of Implementing BCRs A foundation for a coherent global privacy program A flexible, scalable mechanism for intra-group – transfers Necessitates mapping of existing data flows and controls – Accommodates new data flows, group – Harmonizes approach to privacy within members and geographies group and raises awareness – Provides legal certainty for transfers – Drives future compliance measures – Enhances customer confidence – Signals corporate responsibility to DPAs A means to achieve compliance with the GDPR or to Foster compliance with other national data protection benefit from GDPR compliance efforts laws (e.g. CCPA) – SA approval will hinge on compliance with EU rules, including new GDPR requirements Get to know your Lead SA – Companies that implement BCRs are less likely to face the GDPR’s potentially draconian sanctions

Approval Process from the Regulator’s Perspective New! * Concerned SAs are determined based on the countries from where transfers are to take place or, in the case of a BCR-P, all SAs since a processor established in a Member State may provide services to controllers in potentially all Member States.

Can BCRs be Invalidated? What can data subjects or SAs do in theory? • Individuals can submit complaints to Sas • Individuals can sue SAs that do not take action before national courts and obtain injunctive relief (Art. 78 GDPR) – National courts may obtain ECJ preliminary ruling • SAs can also act autonomously and stop data exports in specific cases (Art. 77 GDPR) • SAs can, at the same time, trigger the “urgency procedure” (Art. 66 GDPR) and obtain EDPB “binding decision” compelling other SAs also to stop data exports • Consumer organizations can do the same (Art. 80 GDPR) Some risk to BCRs and adequacy • Same U.S. government protections as for SCCs and Privacy Shield • BCRs cannot stop surveillance of non-EU National Authorities On the other hand, significant legal arguments support BCRs • GDPR itself mentions and strongly supports BCRs • Considered the gold standard for protecting personal data • No pending litigation against BCRs: Thus, even if CJEU holds against SCCs and Privacy Shield, that would have no legal holding concerning adequacy of BCRs.

Session B: GDPR: What is happening 2. CJEU Rulings across EU and across Borders

Recent CJEU Judgments Jehovan todistajat Wirtschaftsakademie Shleswig- (July 10, 2018) Holstein (June 5, 2018) • Joint controllers • Joint controllers • • A Facebook fan page Both the community and its administrator is a joint members are joint controllers controller of the data regarding data collected by collected through cookies on members in the context of door- the page. to-door preaching organized by • Irrelevant that page the community. administrators do not have • Irrelevant that the community access to cookies, but only does not have access to the to aggregate statistics. specific data.

Recent CJEU Judgments Joint controllers: (i) collection and (ii) transmission Controller for further processing ECJ: By integrating FB’s code into its website, FashionID has allowed the collection and transmission of personal data to FB. FashionID is also considered to obtain economic advantage (optimizing advertisement; visibility on FB platform)

Recent CJEU Judgments Fashion ID (July 29, 2019) • Joint control. Website operator and plugin providers are joint controllers. • Website operator is responsible for notice and consent. Since the data is collected and transmitted as soon as individuals visit the website. However, ECJ did not exclude possibility to rely on legitimate interest. • No decision as to whether the Facebook “like button” involves storing or access triggering consent under Directive 2002/58.

Recent CJEU Judgments Action Points: 1. Identify and assess use of third-party plug-ins in websites/apps 2. Review notice and consent strategy 3. Review data privacy terms in contracts with plug- in providers

Recent CJEU Judgments Planet49 GmbH (October 1, 2019) I want to receive marketing I allow analysis and third party advertising cookies Questions to ECJ: (i) is the practice to drop cookies based on pre-ticked boxes compatible with ePrivacy Directive? ; (ii) what information must be provided to meet obligations under same Directive?

Recent CJEU Judgments Planet49 GmbH (October 1, 2019) • Active consent. No implicit consent / Consent requires positive action / No pre-ticked tick boxes. • Users must be informed of Cookie duration and third-party access to cookies . Provide sufficient information of cookie functionality. • Consent is required for storage of information.

ICO/CNIL Cookie Guidance  ECJ caselaw confirms position of ICO/CNIL  Consent for all cookies, except essential cookies  No implied consent  Consent should include a list of third-party cookies  Cookie walls are disfavored (not allowed in France)

Session B: GDPR: What is happening 3. Brexit across EU and across Borders