
Data Protection and Privacy

As we enter the final quarter of 2022, it is timely to consider the hottest developments in the data protection space and the compliance challenges companies are facing.

In this briefing, we set out some key legislative and case-law developments in relation to international transfers, compensation for non-material loss under the GDPR, and cyber security reporting requirements.

Key Themes in Data Protection and Technology

Legal Certainty ahead for EU-US Data Transfers?

On 7 October 2022, President Biden issued an Executive Order, which paves the way for the European Commission to draft a US Adequacy Decision, known as the "EU-US Data Privacy Framework". This Framework will replace the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union ("CJEU") in July 2020 in the Schrems II case.

Since the Schrems II decision, there has been much legal uncertainty over how to legitimise EU-US data transfers, and EU Data Protection Authorities have been ramping up enforcement in this area. Once the US Adequacy Decision is formally adopted (likely to be in Spring 2023), US companies will be able to self-certify with the US Department of Commerce, and commit to complying with a detailed set of privacy obligations.

It will undoubtedly be a huge relief to companies transferring data from the EU to the US, to be able to rely on the new Framework, and avoid the burden and uncertainties associated with relying on Article 46 transfer tools (such as the SCCs), including transfer impact assessments and supplementary measures.

Whilst we await the adoption of the US Adequacy Decision (which is by no means guaranteed), the European Commission has confirmed that all the safeguards contained within the Executive Order will be available for all transfers to the US under the GDPR, regardless of the transfer tool used. Accordingly, companies should start taking account of the new safeguards when carrying out their Transfer Impact Assessments in respect of EU-US transfers, as the safeguards (including the redress mechanism once implemented) should serve to lower the data protection risks associated with EU-US transfers.

Non-material damages not available for "mere upset"

Since the GDPR and Data Protection Act 2018 came into force, it has been possible for individuals, or groups of individuals, in Ireland to claim damages for "non-material loss" (i.e. non-economic loss) arising from breaches of their data protection rights. However, there has been much debate about what claimants need to prove in order to seek compensation for non-material damage, in particular whether it requires proof of something greater than "mere upset" about their GDPR rights being violated.

Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the CJEU by Member State courts, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland.

On 6 October 2022, Advocate General Manuel Campos Sánchez-Bordona delivered his opinion at the CJEU in Case C-300/21, UI v Österreichische Post AG, a reference from the Austrian Supreme Court (Oberster Gerichtshof). The Opinion clarifies that mere infringement of the provisions of the GDPR, without accompanying damage (whether material or non-material), is not sufficient for the purposes of awarding compensation; and, in relation to non-material damage, the compensation provided for in the GDPR does not cover "mere upset".

It can often take several months after the publication of an Advocate General Opinion for the CJEU to deliver its final judgment. While the Opinion is not binding on the CJEU, it will be of strong persuasive value.

Read more in Matheson's Cyber Bulletin here.

Operational Resilience and Cyber Security

In response to the growing threats of cyber-attacks and taking into account the significant growth of digitalisation, the European Commission is in the process of updating the NIS Directive through the introduction of a replacement directive ("NIS 2"). In parallel, the European Commission has published a draft regulation for a Digital Operational Resilience Act ("DORA") as part of its Digital Finance Strategy, which is specifically directed to financial services.

One of the key features of both initiatives is the extension of the regulatory cyber and operational resilience regime to a broader range of business sectors (NIS 2) and a much broader range of financial services (DORA).

The focus of reporting obligations will shift from the impact on total users to incidents causing (or having the potential to cause) severe operational disruption, financial losses for the entity, or considerable material or non-material losses for other natural or legal persons. The timeframe within which initial reports must be made will also be shortened, with the applicable deadline depending on whether the report is required under NIS 2 or DORA.

What organisations should do now:

  • Assess whether within scope of NIS 2 or DORA
  • Refresh or undertake risk assessment
  • Update or create incident response plans, and communicate them
  • Implement additional technical and organisational protections where gaps and vulnerabilities have been identified
  • Update all relevant and impacted policies and procedures
  • Train personnel on cyber risks and awareness, and on the incident response plan
  • Do a dry run / simulation

Read more in Matheson's Cyber Bulletin here.

Legal certainty ahead for EU-US data transfers?

Oct 12, 2022

On Friday 7 October 2022, President Biden issued an Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities". The new Executive Order aims to address the legal uncertainty surrounding EU-US data transfers following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union ("CJEU") in Schrems II. The EU-US Privacy Shield was invalidated on the grounds that: (i) US intelligence authorities' powers were not sufficiently circumscribed in US legislation to what was necessary and proportionate, and (ii) EU citizens had insufficient means of redress before the US courts to challenge US intelligence authorities' surveillance activities.

The Executive Order introduces new binding safeguards aimed at addressing the CJEU's findings in Schrems II, in particular by: (i) limiting US intelligence authorities' access to data to what is necessary and proportionate to protect national security, and (ii) establishing a new independent and impartial redress mechanism, which includes a new Data Protection Review Court ("DPRC") to investigate and resolve complaints regarding access to data by US intelligence authorities. The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.

On 25 March 2022, the European Commission and US Government announced that they had reached an agreement in principle on a new EU-US Data Privacy Framework. The adoption of the Executive Order and accompanying Regulations, along with a series of letters from US agencies to the EU, enables the European Commission to now prepare a draft adequacy decision in favour of the US, otherwise known as the "EU-US Data Privacy Framework" ("EU-US DPF").

What safeguards are included in the Executive Order?

The Executive Order, and accompanying Regulations, implement commitments made by the US in the agreement in principle announced earlier this year.

(i) Limiting US Intelligence Services' Access to Data

The Executive Order requires US intelligence authorities' activities to be subject to additional safeguards. These safeguards include requiring that such activities: (i) be conducted only in pursuit of defined national security objectives; (ii) take into consideration the privacy and civil liberties of all persons regardless of nationality or country of residence; and (iii) be conducted only to the extent, and in a manner, that is proportionate to the validated intelligence priority for which they have been authorised.

US intelligence authorities are required to designate senior-level legal and compliance officials to conduct periodic oversight of signals intelligence activities, including ensuring that appropriate actions are taken to remediate incidents of non-compliance.

US intelligence authorities are required to update their policies and procedures as necessary to reflect the new privacy and civil liberties safeguards contained in the Executive Order.

(ii) New Redress Mechanism

The Executive Order creates a two-layer redress mechanism enabling individuals from qualifying states and regional economic integration organisations (as designated in the Order) to seek redress if they believe their personal data was collected through US signals intelligence in a manner that violated applicable US law, including the enhanced safeguards in the Executive Order.

Under the first layer of review, EU individuals will be able to lodge a complaint with the Civil Liberties Protection Officer ("CLPO") of the US Intelligence Community, who will conduct an initial investigation to determine whether the Executive Order's enhanced safeguards or other applicable US law were violated and, if so, to determine the appropriate remediation. The CLPO's decision will be binding on the Intelligence Community, subject to the second layer of review. The Executive Order provides protections to ensure the independence of the CLPO's investigations and determinations.

Under the second layer of review, individuals will have the opportunity to appeal the decision of the CLPO before the newly created Data Protection Review Court ("DPRC"). Judges on the DPRC will be appointed from outside the US Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against their removal. Decisions of the DPRC regarding whether there was a violation of applicable US law and, if so, what remediation is to be implemented will be legally binding.

To further enhance the DPRC's review, in each case the DPRC will select a special advocate who will advocate regarding the complainant's interest in the matter and ensure that the DPRC is well-informed of the issues and the law with regard to the matter.

New Regulations, published alongside the Executive Order, provide for the establishment of the DPRC. The US Department of Justice is expected to publish additional information about the DPRC soon, including the process for individuals to submit applications for independent review by the DPRC of determinations by the CLPO.

The European Commission has stated that the new redress mechanism is "a significant improvement, compared to the mechanism that existed under the Privacy Shield". Previously, individuals could only turn to an Ombudsperson, which lacked both the power to adopt decisions that could bind US intelligence authorities and independence from the executive, since the Ombudsperson could be dismissed.

Next Steps?

The Executive Order and accompanying Regulations provide the European Commission with a basis to prepare a draft adequacy decision under Article 45 of the GDPR. It is expected that the adoption procedure for the adequacy decision could take up to 6 months. During the process, the European Commission will obtain an opinion from the European Data Protection Board ("EDPB") on the draft adequacy decision, but is not bound by its findings. A qualified majority of EU Member States must then approve the draft decision.

Once the European Commission adopts a formal US adequacy decision, US companies will be able to join the EU-US DPF by self-certifying with the US Department of Commerce and committing to comply with a detailed set of privacy principles. It will undoubtedly be a welcome relief to self-certified companies transferring data from the EU to the US to be able to rely on the EU-US DPF, and avoid the uncertainties associated with relying on Article 46 transfer tools, including transfer impact assessments and supplementary measures.

However, despite the fact that a new US adequacy decision appears to be very clearly on the horizon, and there is significant EU and US political and industry support for the EU-US DPF, companies should be aware that it is not guaranteed.

Further Legal Uncertainty Ahead?

Although a new US adequacy decision will bring some welcome legal certainty in regard to how to legitimise EU-US data transfers, businesses should be aware that such legal certainty may be short-lived. EU privacy advocate Mr Schrems has already alleged that the new Executive Order, on which the US adequacy decision will be based, does not address the concerns raised by the CJEU in Schrems II. In particular, Mr Schrems notes that "bulk surveillance" continues under the new Executive Order and that the new Data Protection Review Court is not a real "Court" in the normal legal meaning of Article 47 of the EU Charter or the US Constitution, but rather a body within the US government's executive branch, and so would not amount to "judicial redress" as required under the EU Charter. It therefore appears likely that any new US adequacy decision based on the Executive Order will be subject to challenge before the CJEU by Mr Schrems and his privacy advocacy group, noyb, or by another group. The question is whether the EU-US DPF will survive such challenges. Only time will tell.

What should Companies do now?

Whilst we await the adoption of a formal US adequacy decision, which is unlikely to occur before Spring 2023, businesses must continue to put in place an Article 46 GDPR transfer tool (such as the SCCs or BCRs), implement any necessary supplementary measures (having regard to the EDPB Recommendations 01/2020), and carry out a Transfer Impact Assessment prior to transferring any personal data from the EU to the US.

It is worth noting that the safeguards contained within the Executive Order are available for all EU-US data transfers under the GDPR, regardless of the transfer tool used. Accordingly, companies should start taking account of the new safeguards when carrying out their Transfer Impact Assessments in respect of EU-US transfers, as the safeguards (including the redress mechanism once implemented) should serve to lower the data protection risks associated with such transfers.

It will be interesting to see how EU Data Protection Authorities ("DPAs") react to the safeguards in the Executive Order pending the adoption of a formal US adequacy decision. In any enforcement proceedings regarding EU-US data transfers going forward, EU DPAs should consider the impact of the new safeguards when assessing the lawfulness of the transfer. However, it remains to be seen how the new safeguards will affect existing investigations and draft decisions. It is hoped that the new safeguards will provide greater legal certainty for companies using any Article 46 GDPR transfer tool to transfer personal data from the EU to the US, to the extent that they will reduce the risk of unjustifiable access to transferred data by US intelligence authorities, and enable EU individuals to seek effective redress in respect of any unlawful access.

Further Reading

You can read the European Commission Q&As here, the Executive Order here, the US Government Fact Sheet here, the US Department of Justice page here, and the DPRC Regulations here.
