Data Privacy Day - An Ashurst global view of privacy trends and regulatory hotspots
28 January 2022
In honour of Data Privacy Day, Rhiannon Webster, Head of Ashurst's Data Practice in the UK, caught up with the Ashurst International Privacy Team in key jurisdictions worldwide. In this article, they reflect on the status of privacy regulation and enforcement in their region and identify the key trends emerging across the globe.
Rhiannon summarises: "We are seeing a perfect storm emerging from an increase in regulation which is combined with a growing number of privacy activists and class actions taking place. Some of these cases have succeeded in fundamentally changing the way organisations are processing personal data and the potential financial risks associated with such processing. Never before has the humble data subject had such power to command how their data is processed or the courts been more willing to uphold their rights."
Europe
In this hop across the globe, we start in Europe, arguably the founder of privacy laws and certainly where such laws are most developed. Businesses across Europe are still grappling with the ramifications of the 2020 case of "Schrems II", which concerned the international transfer of personal data from Facebook's servers in Ireland to servers in the US. In Schrems II, the European Court of Justice ("CJEU") invalidated the EU-US Privacy Shield as a transfer mechanism for exports of personal data to the US. Of even greater relevance for businesses across the globe, the CJEU additionally established much stricter requirements for the application of the EU Standard Contractual Clauses ("SCC"). It concluded that, to comply with the requirements of the GDPR, the SCC parties need to assess whether, when considered alongside the laws and practice of the data importing jurisdiction concerned, the data importer will actually be in a position to comply with the SCC. This assessment (referred to as a "transfer impact assessment" or "TIA") was implemented by the EU Commission in the new set of SCC published in June 2021. The new SCC require the data importer and data exporter to adopt "supplementary safeguards" to remedy any risks identified in the transfer impact assessment.

Andreas Mauroschat, Partner and Head of Ashurst's Data Practice in the EU, comments: "Properly conducting a TIA under the new SCC has proven in practice to be a challenging task for businesses. In particular for our globally active clients, who have to conduct TIAs for a multitude of jurisdictions, this has created a significant due diligence burden. But the core problem is the legal uncertainty for businesses and whether they can still rely on the SCC as a data transfer tool if they have identified relevant risks in a TIA. This has not been helped by the relevant guidance of the EDPB, which suggests that data transfers to US cloud providers may be illegal in certain circumstances. We are advising our clients on how to effectively conduct and document their TIAs and how to identify and apply appropriate supplementary safeguards to limit legal risk to a minimum."

This issue has been brought to the foreground in two recent decisions in Europe. The Austrian Data Protection Authority ("ADPA") this month published a decision concerning the use of Google Analytics. This decision follows 101 complaints filed by 'My Privacy is None of Your Business' ("NOYB") against numerous data exporters across Europe for their alleged continued transfer of personal data to Facebook and Google in the US, in breach of the Schrems II judgment and GDPR requirements. The ADPA concluded that the SCCs alone were insufficient to provide an adequate level of protection for transfers of personal data (collected by the Google Analytics cookies) from the website operator to Google's servers in the US. The supplemental measures in place (in this case encryption of the data) were also insufficient, as Google held the encryption key and would be obliged to hand it over to surveillance authorities if asked. Based on similar reasoning, the European Data Protection Supervisor ("EDPS") recently ruled that the European Parliament breached Chapter V of the GDPR by allowing cookies from Google Analytics and the Stripe payment service to be placed on the devices of users of its Covid testing website.

Andreas notes: "These cases demonstrate that there remains great legal uncertainty for businesses as to whether certain data transfers, in particular data transfers to cloud service providers in the US and other third countries, may soon be considered illegal. Obviously, the practical ramifications of such decisions would be massive and have the potential to severely damage established business models. But as long as there is no new Transatlantic agreement on data transfers and official guidance establishing clear and practical criteria for data transfers, businesses will have to carefully monitor the situation and be prepared to take corrective action."
UK
Moving across the English Channel to the UK, the Schrems case and its ramifications remain valid law despite Brexit. At the time of writing, the ICO has not yet finalised its guidance on conducting TIAs, but the draft form appears to indicate a more risk-based approach. Under this approach, the ICO would allow businesses to consider whether US surveillance authorities would, in fact, wish to access the data being transferred or whether the risk of harm to individuals is low. Taking into account the type of data that Google Analytics cookies collect, in combination with the fact that we understand Google has offered analytics-related services to global businesses for more than 15 years without having received the types of demand speculated by the ADPA, one cannot help but conclude that the ICO is likely to take a different view from that offered by the ADPA. Consequently, UK-based businesses may be free to take more risk-based decisions concerning their international transfers than their former compatriots.

Rhiannon comments: "This may be the first move we see in an inevitable game of chess as the UK starts to move apart from Europe in its privacy regime yet remain close enough to European laws to retain the finding of adequacy, granted by the EU Commission in June 2021 with an ominous 4 year sunset clause. We know that the UK Government is committed to securing the UK's status as a global hub for the free and responsible flow of personal data, and this is currently going against a trend of increasing moves towards data localisation within Europe."

A trend of note in the UK is the swelling ranks of claimant law firms who specialise in quickly gathering a cohort of claimants following the announcement of a data breach and pursuing multiple low-value claims against the controller. Capitalising on the fact that this area of law was still in its infancy, the claimants often asserted that damages were payable simply because of the fact of the breach and made no attempt to establish pecuniary loss or distress. Jon Gale, Partner and data breach litigation specialist, comments: "Last year we saw the courts in the UK making life more difficult for such claims."

The recent Supreme Court decision in Lloyd v Google involved a representative action for loss of control damages against Google on the basis that Google had breached its obligations under data protection law by taking browsing data from the devices of Google users without their consent. There was no claim for distress or pecuniary loss. The essence of the claim was that Google was obliged to pay a fixed sum to affected data subjects simply because they had lost control of their data, in breach of their data protection rights. Overturning the Court of Appeal decision, the Supreme Court held that (i) loss of control damages are not available for breach of the Data Protection Act 1998 (the court pointedly did not consider the GDPR/Data Protection Act 2018, although the substance of the relevant provisions is similar); that finding will stop many claimant law firms asserting claims on this basis without showing pecuniary loss or distress; and (ii) the representative action procedure could be used to establish liability in a claim of this sort, but damages would have to be dealt with through a group action or individual claims, a finding that is likely to have significant implications for the extent to which funders are prepared to support cases of this nature.

Less well known, but still of considerable practical importance, was the High Court decision in Warren v DSG Retail Limited. The case concerned a low-value claim following a cyber-attack on the Defendant's systems. The High Court struck out the claims for breach of confidence and misuse of private information on the basis that both of those claims require some positive wrongful conduct or use on the part of a defendant, not merely the breach of a data security duty that enabled a cyber-attack to occur. The court also struck out the negligence claim on the basis that there is no duty of care owed in respect of conduct covered by data protection legislation. That decision brings welcome clarity to the causes of action that are available in cases arising from a data breach that was the responsibility of an external actor. Jon comments: "These decisions are to be welcomed both for the resulting clarity to the law that they bring and the good common sense they display."
Asia
As the UK may be taking its first tentative steps away from the perceived gold standard of the GDPR, in Asia there is a growing move towards regimes which seek to replicate it. Hoi Tak Leung, Counsel in Ashurst Hong Kong, comments: "In Asia, the data privacy landscape remains in a state of flux, with jurisdictions taking similar yet different paths (and at different speeds) regarding their data privacy laws and related sector-specific regulations." Generally, jurisdictions are gradually passing and implementing data privacy laws that more closely reflect the GDPR, though not quite at the point of entirely duplicating it. However, significant jurisdictions in Asia have passed amendments that either take a flavour from the GDPR but with their own interpretation (e.g. China, Japan), or which have a very narrow scope targeted at specific local developments (e.g. Hong Kong). This reflects the disparate policy aims that different jurisdictions in Asia face, particularly in relation to national security and economic development goals. In that regard, such disparate approaches reflect the wider political and socio-economic dynamics in the region.

Given the number of new or amended privacy laws in the region, many of these laws are still fresh enough that it is difficult to identify enforcement trends. There has been a lack of substantial financial penalties in the region, either from regulators or from class action cases, and in many Asian jurisdictions enforcement remains a work in progress. Having said that, the Singapore Personal Data Protection Commission has increasingly been issuing fines under its amended data privacy laws. This may be the harbinger of a new trend in the region (following closely trends globally).

Regional developments have also been progressing: for example, the release of the ASEAN Model Contractual Clauses for international data transfers reflects a growing recognition of the role that Asia plays in the global digital economy. These clauses have been widely adopted, and jurisdictions are increasingly executing free trade agreements and memorandums of understanding that involve free data transfers and close collaboration on data privacy as key aspects. The APEC Cross Border Protection Rules have also seen increased adoption in the region. Relatedly, outside of China, we have seen a gradual slowdown in data localisation efforts. While there have still been efforts from time to time in this space, there is also a growing awareness in both the public and private sectors of the increasing digital economy in the region. Such developments have been driven by COVID-19; the pandemic has had a key impact on data privacy practices, leading to a growing awareness in the region regarding cybersecurity and the collection of personal data by governments and organisations.

All of this is to say that while data privacy progress has been uneven and disparate in Asia, at a general level we are increasingly seeing a willingness for both the public and private sectors to focus on data privacy practices, and to bring standards in the region closer to recognised international 'gold standards'. We expect such regional advancements to continue in the future.
Australia
Finally to Australia, where we are seeing the beginning of the regulator's willingness to use its teeth. The Information Commissioner instituted proceedings against Facebook in the Federal Court of Australia in 2020, which will progress into 2022. The case relates to the Cambridge Analytica incident, in which the personal information of 311,127 Australian Facebook users was disclosed to the developers of an application, who were able to collect and sell the personal information for political profiling purposes. Importantly, this is the first representative action (a regulator-led alternative to class actions) under the Privacy Act that the Australian privacy regulator has brought to the Federal Court, opening up an avenue for future representative actions. The proceedings continue, with the Federal Court having made a preliminary finding in 2021 that Facebook's US-based entity was carrying on business in Australia and was therefore able to be served (Facebook has sought leave to appeal). This judgment foreshadowed some key issues: the purpose for which the information was collected and Facebook's obligation to take reasonable steps to protect the personal information. Key considerations for the Court will be the scope of non-economic losses available, and whether a single breach or multiple breaches have occurred, both of which significantly affect the quantum of any compensation or penalties payable.

Geoff McGrath, Senior Associate in Ashurst Australia's digital economy team, comments: "This case reflects the Australian regulator's evolving adversarial stance to privacy breaches in Australia. The decision will be seminal for future representative proceedings, as others are underway or arriving, including a claim against telecommunications provider Optus, as well as an earlier determination against the federal Department of Home Affairs. This increased regulatory scrutiny arises against the backdrop of significant legislative reform, including a review of the Privacy Act in 2022, the introduction of a binding online privacy code for digital platforms and proposed increases in the penalties under the Privacy Act, as well as increasing interest from the Australian Competition and Consumer Commission in privacy and data-related matters. With these changes in mind and the threat of representative actions becoming a real possibility, organisations will need to become more vigilant in ensuring they comply with Australian privacy law obligations, including how they collect and store personal information."
Rhiannon concludes: "If the last 2 years have taught us anything, it is that the digital world is here to stay. With that digital world comes an ever-growing, knowledgeable data subject community who know their rights and are keen to exercise them. Put this in combination with a growing global privacy regime and regulators that are keen to exercise their powers, and organisations across the world should be reminded this Data Privacy Day to put privacy compliance and understanding of the potential risks involved towards the top of their boardroom agenda."
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.