The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.
The Data Protection Commission (DPC) recently published its decision following a formal inquiry into the Irish Credit Bureau DAC (the ICB) following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.
The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.
The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.
In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to a third country outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors. The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, it will not be mandatory to use the Article 28 SCCs. Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.
The Court of Justice of the European Union (CJEU) has confirmed the limited competence of a national supervisory authority, that is not the lead supervisory authority (LSA), to bring legal proceedings in their national courts for alleged infringements of the GDPR. The CJEU concluded that in cases of cross-border data processing, a national supervisory authority that is not the LSA has power to bring legal proceedings in its national courts, only if: (i) that power is exercised in one of the situations where the GDPR confers on that supervisory authority a competence to adopt a decision finding that such processing infringes the rules contained in the GDPR, and (ii) that power is exercised with due regard to the cooperation and consistency procedures laid down by the GDPR.
The Irish government has moved swiftly to plug a perceived gap in protection under Irish data protection law that had raised doubts about whether Irish law was fit for purpose as a governing law under EU approved standard contractual clauses (SCCs).
On 4 June 2021, the European Commission adopted new SCCs, which became effective on 27 June 2021. The parties are free to agree an EU member state governing law applicable to their SCCs. However, Clause 17 of the new SCCs, on its face, posed a problem for Ireland. It stated that: “These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ ”
In other words, the parties are free to choose an EU member state law to govern their SCCs so long as that law allows for third party beneficiary rights. But, therein lay the problem for Irish law. As a rule, Irish contract law doesn’t allow for third party beneficiary rights because the privity of contract doctrine still prevails in Irish law with few exceptions. Controllers and processors in Ireland (and their Iegal advisers) were therefore justifiably concerned that they would not be able to choose Irish law to govern their data transfers under the new SCCs.
The Irish government has moved remarkably quickly to dispel the legal uncertainty. On 24 June 2021, the Minister for Justice adopted the European Union (Enforcement of Data Subjects’ Rights on Transfer of Personal Data Outside the European Union) Regulations 2021 (S.I. 297/2021).
These Regulations insert a new section – Section 117A – into the Data Protection Act 2018. The new section confers an express right on data subjects to enforce the SCCs provisions (or other contractual transfer mechanisms such as BCRs) against the parties to the contract. Controller and processors in Ireland can now breathe a sigh of relief: Irish law does provide third-party beneficiary rights for data subjects making Irish law eligible as a governing law for SCC transfers.
The Data Protection Commission (DPC) has published guidelines addressing the issue of what information employers can process in relation to their employees’ return to the workplace. In particular, the DPC considers the question as to whether employers can lawfully collect and process information about the Covid-19 vaccination status of their employees.
Information about a person’s vaccination status is special category personal data for the purposes of GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The guidelines make it clear that the DPC does not consider there is any general legal basis for employers to request the vaccination status of their employees at this time.
The EU Commission has formally adopted two UK adequacy decisions, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses.
The adequacy decisions were adopted just two days before the interim solution agreed under the EU-UK Trade and Cooperation Agreement, permitting the free flow of data from the EU to the UK, was due to expire on 30 June 2021.
On 25 May the Grand Chamber of the European Court of Human Rights, (ECtHR) ruled that the UK’s surveillance regime of bulk interception of online communications violated the European Convention on Human Rights (Convention) in the case of Big Brother Watch v United Kingdom. According to the ECtHR this regime breached the rights to privacy and freedom of expression enshrined within Article 8 and 10 of the Convention, a ruling that will have significant implications for state surveillance across Europe.
The European Commission has published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.
The new SCCs have been expected for some time in order to address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice’s decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the Joint Opinion (2/2021) of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft SCCs, as well as the EDPB’s draft recommendations on supplementary measures.
The Data Protection Commission (DPC) has completed its ‘own volition’ inquiry into whether the Department of Employment Affairs and Social Protection interfered with the role of its Data Protection Officer (DPO). The inquiry concerned the process leading to the amendment of the Department’s Privacy Statement on 6 July 2018. The DPC examined whether the Department’s DPO was involved in a proper and timely manner in the process (as required by Article 38(1) of the GDPR); and whether the DPO received instructions regarding the exercise of his tasks (contrary to Article 38(3) of the GDPR). The DPC concluded that the Department had not breached Articles 38(1) or 38(3) of the GDPR.