Welcome to Charmley Construction and our data protection blog, covering the key developments in data protection law from February 2022. Our website is fully GDPR compliant and we follow the guidance set out below when processing any personal data.
New Data Act proposed by EU
On 23 February 2022, the European Commission (“EC”) published its proposal for a Data Act (the “Act”), which aims to improve trust in data sharing and to facilitate the sharing of industrial data generated by connected devices and the Internet of Things (“IoT”). The EC hopes that the Act will help unlock the growth potential of the data economy (estimated by the EC to be worth €270 billion by 2028). The Act is part of a suite of measures within the European Strategy for Data and follows the political agreement on the European Data Governance Act. The Act is not focused on personal data but on the data generated by IoT and other connected devices, which currently, in general, passes to the manufacturer.
If adopted by EU lawmakers, the Act will apply to manufacturers, providers and users of connected products and related services placed on the market in the European Union, and also, where relevant, to data holders making data available to data recipients, to public bodies and to providers of data processing services (such as cloud providers).
The key proposals of interest in the Act are:
- Granting the owners and users of connected devices greater access to the data those devices generate, including the right to have that data shared with other services, such as analytics providers.
- Certain contractual terms will automatically be deemed unfair, and therefore not binding, when unilaterally imposed on micro businesses or SMEs. On whether this unreasonably restricts B2B contractual freedom, recital (52) of the Act explains that the unfairness test applies only to terms unilaterally imposed on such businesses, and then only where the receiving party has attempted to negotiate them. Manufacturers may therefore need to consider the fairness of their standard terms and conditions whenever a purchaser asks to negotiate.
- The Act provides for interoperability standards to enable the re-use of data and introduces a “FRAND” requirement: where data holders are obliged to make data available, they must do so on fair, reasonable and non-discriminatory terms. To address the lack of harmonised standards it sets minimum essential requirements for smart contracts used in data sharing, and provides for common specifications to be adopted by further legislation.
- The Act extends to non-personal data a requirement analogous to that in the General Data Protection Regulation (“GDPR”) for personal data: safeguards must be in place against unlawful international transfers of, and third-country governmental access to, data held in the EU.
The Act will be enforced by a competent authority designated in each Member State and, provided it passes the EU legislative process, will apply from 12 months after its entry into force.
ICO publishes third chapter of anonymisation and pseudonymisation guidance for consultation
The ICO has released the third chapter of its extended consultation into draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies (the “Draft Guidance”). The third chapter of the Draft Guidance focuses on pseudonymisation and explains the key differences compared to anonymisation.
“Pseudonymisation” is defined in UK data protection legislation as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. The pseudonymised data on its own cannot be attributed to the individual; recombining it with the additional information (typically a key or a lookup table) can. The legislation therefore requires that additional information to be kept separately and protected by technical and organisational measures, because unauthorised reversal (recombining the two pieces) can cause harm to individuals and that risk must be mitigated appropriately.
The Draft Guidance also confirms that pseudonymised data remains personal data in the hands of the organisation that holds the additional information, because that organisation can still identify living individuals, albeit indirectly. However, it suggests that the same data may no longer be personal data in the hands of a recipient organisation that has no access to the key or any other means of re-identifying the individuals involved.
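The following Python example is added here to illustrate the separation described above; it is not code from the ICO or the Draft Guidance, and the records it operates on are constructed, fictitious sample data. The direct identifier is replaced by a keyed HMAC token, the key is the “additional information” held apart from the dataset, and the two functions at the end contrast what the key holder can do (authorised re-identification) with what a recipient without the key can do (a dictionary attack, which only succeeds when the token was made with an unkeyed hash).

```python
"""Keyed pseudonymisation versus unkeyed hashing (added example, not from the
ICO Draft Guidance). Sample records below are constructed and fictitious."""
import hashlib
import hmac
import secrets

# Constructed sample dataset: a direct identifier plus some attributes.
RECORDS = [
    {"email": "alice@example.com", "postcode_area": "SW1", "spend": 120.0},
    {"email": "bob@example.com", "postcode_area": "M1", "spend": 45.5},
    {"email": "carol@example.com", "postcode_area": "EH1", "spend": 310.0},
]


def make_key() -> bytes:
    """The 'additional information': a random 256-bit secret that must be
    stored apart from the pseudonymised dataset (e.g. in a KMS or HSM)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token. The same identifier always maps to the same
    token under one key, so records about one person can still be linked for
    analysis, but without the key nobody can compute or verify the mapping."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records, key: bytes, id_field: str = "email"):
    """Return a copy of the dataset with the direct identifier replaced by a
    keyed token. The key itself is deliberately not part of the output."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = pseudonym(rec.pop(id_field), key)
        out.append(rec)
    return out


def reidentify(token: str, candidates, key: bytes):
    """Authorised reversal by the key holder: recompute tokens for known
    identifiers and compare in constant time. Returns None if no match."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, key), token):
            return cand
    return None


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak approach: a plain hash with no secret. Anyone can recompute it
    for a guessed identifier, so it offers no protection against re-linking."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates):
    """What a recipient WITHOUT the key can do: hash a list of guessed
    identifiers and look for a match. Succeeds against unkeyed hashes, fails
    against keyed tokens because the attacker cannot evaluate the HMAC."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = make_key()
    shared = pseudonymise_dataset(RECORDS, key)
    guesses = [r["email"] for r in RECORDS]  # an attacker's candidate list
    print("shared record :", shared[0])
    print("key holder    :", reidentify(shared[0]["pseudonym"], guesses, key))
    print("no key        :", dictionary_attack(shared[0]["pseudonym"], guesses))
    print("unkeyed hash  :", dictionary_attack(unkeyed_pseudonym("alice@example.com"), guesses))
```

The keyed tokens are what would be shared with the recipient in the scenario the Draft Guidance describes; the key, and with it the ability to run `reidentify`, stays with the original controller. Note that HMAC protects against guessing the identifier but does not remove linkability: every record about the same person carries the same token, which is exactly what makes the data still useful, and also why it remains personal data for the key holder.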
According to the Draft Guidance, the benefits of pseudonymisation are:
- Reducing risk to individuals' rights and enhancing security. The technique limits the identifiability of the data to what is necessary and, in turn, reduces the amount of personal data shared. The Draft Guidance refers to the exemption from notifying affected data subjects under Article 34 UK GDPR and says that pseudonymisation can form part of the technical and organisational measures which, if in place, may mean a controller need not report a breach to affected individuals;
- Supporting re-use of personal data, as a safeguard for the rights and freedoms of the data subjects;
- Supporting overall compliance; and
- Building trust and confidence in an organisation’s data processing.
The Draft Guidance also explains how an organisation should approach pseudonymisation: from defining goals and risks to techniques and evaluating outcomes. The consultation is open until 16 September and can be accessed here.
EDPB reviews use of cloud by public sector
The European Data Protection Board (“EDPB”) has begun its first action under the Coordinated Enforcement Framework by launching a review into the use of cloud-based services by the public sector (the “Review”). The Review will cover over 80 public bodies, which will be contacted by their local Supervisory Authority to assess compliance with data protection legislation. The Review does not replace individual investigations, and ongoing probes are not necessarily brought within the scope of the action.
It does mean, however, that targeted investigations already being carried out by Supervisory Authorities in the affected areas are supplemented by the coordinated action. One of the EDPB's key concerns is transfers of data out of the EU, in particular to large US cloud suppliers, following the ruling in Data Protection Commissioner v Facebook Ireland Limited & Maximillian Schrems (Case C-311/18, “Schrems II”). The French data protection authority, the CNIL, has added that these cloud-based services have become essential technologies and so warrant additional attention.
The results, as well as any supervision and enforcement actions, will be aggregated but will nonetheless give deep insight into the topic and allow follow-up at EU level. That insight is intended to streamline enforcement and cooperation among supervisory authorities. It also aims to “foster best practices to ensure adequate protection of personal data” by public sector bodies across the EU. The EDPB is expected to publish a state of play report on the Review before the end of this year. The EDPB's press release can be found here.
EDPB issues guidance on breach notifications
The EDPB has published guidelines on “Examples regarding Personal Data Breach Notification” (the “Guidelines”). The Guidelines set out a number of example scenarios in which a data controller would need to notify a supervisory authority under Article 33(1) of the GDPR and, where relevant, the affected data subjects under Article 34(1) of the GDPR. The examples are drawn from practice and grouped under common categories of breach (e.g. ransomware attacks, human error and lost or stolen devices), with the mitigation and preventative steps and the notification obligations that apply to each scenario.
The Guidelines categorise data breaches according to the three key information security principles, confidentiality, integrity and availability, and explore how a breach of each occurs:
- “Confidentiality breach”: where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Integrity breach”: where there is an unauthorised or accidental alteration of personal data.
- “Availability breach”: where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
Although the last category is typically the least harmful to data subjects, the Guidelines identify examples where it could still require notification to a supervisory authority, for instance where a health authority loses access to patient notes, leading to a delay in treatment.
The Guidelines note that a variety of factors can be relevant to establishing when a risk to individuals is “high” but do not repeat the guidance on processing operations “likely to result in high risk” (see the Article 29 Working Party Guidelines on Data Protection Impact Assessments here).
Instead, additional risk factors are considered, such as: (i) personal data is encrypted by an attacker (as in a ransomware attack) or otherwise lost and is not fully backed up, so it cannot be recovered and is therefore unavailable; (ii) personal data is not protected with state-of-the-art encryption and is therefore readily readable by whoever obtains it; and (iii) personal data is not properly maintained, so compromised data cannot be effectively restored.
A key emphasis in the Guidelines is accountability: every controller and processor is encouraged to have plans and procedures in place for handling data breaches when they occur. This includes recommendations for regular training and awareness, clear reporting lines, and named persons responsible for breach notification and data recovery.
The Guidelines are available to review here.