Key takeaways this November include:
- EU Digital Operation Resilience Act: Financial services firms – including banks, insurers and private equity firms – should start assessing what they will need to do to comply with the extensive obligations in the recently finalised Digital Operation Resilience Act (DORA);
- Cybersecurity for critical infrastructure: Businesses should check to see if they will be covered by, or will have to update processes to comply with, the significantly expanded EU Network and Information Systems Directive (NIS2), which covers an expanded, broad range of critical infrastructure sectors;
- Direct marketing: Businesses may want to consider: (i) implementing enhanced data broker due diligence in light of the French CNIL’s €600,000 fine against utilities company EDF, in particular when relying on third party consents for direct marketing purposes; and (ii) whether their privacy notice disclosures about the source of data need to be more specific. For the CNIL, stating that data was received from an organization specialized in data enrichment was insufficiently precise;
- Cross Border data transfers: Businesses transferring personal data from the UK to jurisdictions outside the EEA without an adequacy decision may want to review their current transfer risk assessments against the ICO’s new assessment tool to ensure they meet the regulator’s latest expectations;
- Facial recognition: Entities using facial recognition technology should assess any impact from a new prohibition in Italy on private use of facial recognition systems based on biometric data;
- Privacy disclosures: A €525,000 enforcement action by the Spanish data protection authority (AEPD) highlighted, among other takeaways, that: (i) privacy notices may need to be available in multiple languages; (ii) data should not be retained indefinitely; and (iii) businesses should be careful not to implement overly burdensome identity verification requirements before individuals can exercise their data subject rights;
- Third-Party access to data: An UK data protection authority ICO reprimand of the UK Department of Education for allowing unlawful third-party access to student data highlights the need for businesses to take special care in negotiating data sharing arrangements, especially involving special category data;
- Internal policies and data security: Businesses still using six-character passwords may wish to enhance their password complexity requirements, following the French data protection authority’s €800,000 fine against communications platform Discord for this and other data protection violations; and
- Controller Binding Corporate Rules: Global groups may wish to consider the advantages of adopting BCRs in light of new EDPB recommendations updating the process for BCR applications.
These developments are covered below.
Digital Operation Resilience Act is imminent
What happened: On 28 November 2022, the European Union finalised the EU Digital Operational Resilience Act (“DORA”). Following a two-year implementation period, DORA will impose far-reaching operational resilience requirements and management oversight requirements on almost all financial services firms – including banks, insurers and private equity firms – as well as critical service providers that, for the first time, will be directly regulated by EU financial services regulators. While aspects of the regime, including details of incident reporting obligations, remain to be decided, the key requirements are now set. For example, financial services firms will be required to implement a comprehensive ICT (Information and Communication Technologies) risk management framework and audit ICT vendor risk, while critical ICT service providers must establish an EU subsidiary and will have to cooperate with a variety of requests and inquiries by relevant supervisory authorities. Management will also face new overarching and specific obligations to approve, oversee and manage DORA-related compliance frameworks.
What to do: Our recent blog post provides a deep dive into what businesses will need to do to comply with DORA, but key takeaways are:
- For financial services firms – determine if you are covered as a “financial entity” and, if so, begin charting a path to compliance: it is likely to be a resource-intensive undertaking and one which demands ongoing engagement from across the business, including management.
- For ICT service providers – assess the risk of designation and, regardless of whether that is likely, consider how mandatory contractual provisions for financial entities may “flow-through” and necessitate updates to policies and procedures.
New critical infrastructure cyber rules approved
What happened: On 28 November 2022, the European Union also finalised the second network and information systems directive (“NIS2”). NIS2 will expand the applicability and is intended to reduce variation in Member State implementation of the existing NIS Directive, while imposing updated cybersecurity obligations on a wide range of entities designated as critical infrastructure. Key obligations will include: (i) mandatory, two-stage incident reporting; (ii) enhanced security requirements; and (iii) mandatory management body oversight of cybersecurity risk-management measure implementation.
The UK Government followed on 30 November 2022 with an announcement about its own expanded measures, which focus in particular on critical digital infrastructure.
What to do: Read our blog post for detailed guidance on scope, applicability and penalties under NIS2, including how to prepare for the revised incident reporting, security and management oversight obligations.
French CNIL fines EDF €600,000 for marketing and other GDPR breaches
What happened: On 24 November 2022, the French CNIL fined utility company EDF €600,000 for failing to:
- Obtain individuals’ valid consent before conducting direct marketing, including by failing to implement sufficient measures to ensure third party data brokers had obtained valid consents;
- Provide specific information on the lawful basis for each processing activity, the retention period, and specific information about the origin of the personal data (EDF only mentioned that the data was collected “from an organization specialized in data enrichment”);
- Failing to ensure that individuals could properly exercise their rights, including by not responding to GDPR requests in the required time frame;
- Failing to respect individuals’ right of access and right to object, including by providing inaccurate information on the origin of the data and by not responding to objections to receiving marketing communications; and
- Failing to ensure the security of personal data, as the passwords for accessing customer areas of EDF were stored in an unsecured manner or were hashed without having been salted.
What to do: Businesses – especially those subject to the CNIL’s jurisdiction – may want to consider: (i) taking steps to verify processes to obtain consent where personal data is obtained from data brokers; (ii) auditing policies and procedures for actioning data subject requests under GDPR; and (iii) reviewing their password policies in the light of the recent CNIL guidelines.
UK ICO provides new risk assessment tool for Article 46 transfers
What happened: On 17 November 2022, the UK ICO published updated guidance on international data transfers. The UK ICO’s position is that all international data transfers to jurisdictions without an adequacy decision require a risk assessment, including where businesses are relying on the approved standard contractual clauses. The EDPB Guidance envisages a relatively formalistic risk assessment which involves comparing the laws and practices of the exporting country to the laws and practices of the importing country. The UK ICO’s updated guidance permits a holistic and transfer-specific risk assessment that focuses on “whether the transfer significantly increases the risk of either a privacy or other human rights breach” (our emphasis).
To help businesses carry out this new form of risk assessment, the UK ICO released a transfer risk assessment tool, with six questions to guide them through the process.
What to do: Businesses seeking to transfer UK GDPR-covered data to entities in jurisdictions without a UK-adequacy decision should consider whether using the UK ICO’s new risk assessment tool may assist in ensuring UK GDPR compliance. However, if a data transfer is also subject to the EU GDPR, businesses should consider the risk that EU regulators might not consider the UK ICO’s risk assessment tool sufficient and whether a broader review is needed.
Italy bans private use of facial recognition technology
What happened: On 14 November 2022, the Italian Garante announced that the use of existing and new facial recognition systems that use biometric data is prohibited until a new law is passed, and at least until the end of 2023. The Garante stated that “[t]he moratorium arises from the need to regulate eligibility requirements, conditions and guarantees relating to facial recognition, in compliance with the principle of proportionality.” The ban follows recent public sector scandals involving the use of facial recognition technology. Despite this, there remain public interest exemptions for court proceedings and law enforcement purposes.
What to do: Businesses operating in Italy that use facial recognition technology should assess the lawfulness of ongoing use and possibly seek alternatives to the use of such systems.
Recent €525,000 AEDP fine highlights importance of clarity and intelligibility, including potential need for multi-language privacy disclosures
What happened: The Spanish data authority AEPD fined a company that operates several adult content websites €525,000 for multiple GDPR violations linked to a lack of intelligible and clear privacy disclosures, inadequate consent processes, and deficiencies in age verification.
An investigation into allegations that the company was processing personal information of minors under 14 years old led to 11 different privacy violations including parental privacy control setup with broken links, indefinite data retention practices, data sharing without proper consent, and burdensome identity verification requirements to exercise data subject rights.
Finally, notwithstanding that the websites did business primarily with those outside Spain, the AEPD specifically criticized the fact that the privacy policy was in English only and, for this reason, not “intelligible” in Spain.
What to do: Businesses should consider simplifying privacy disclosures and consent processes and ensuring intelligibility within the context of all jurisdiction(s) in which they operate. This may require providing notices in multiple languages for different audiences. The fine is also a reminder that indefinite data retention is not envisaged under the GDPR.
ICO reprimands Department of Education for allowing gambling companies to use learning records database to verify customers’ age
What happened: An employment screening company conducted 22,000 searches in a 14-month period of a Department of Education learning records database that contained information about 28 million adults and children aged 14 and older. It used this data to provide age verification services to gambling companies.
The Department database stored personal and special category data, including full names, dates of birth, gender, email addresses and nationality. The data was collected and processed for the purpose of checking students’ academic qualifications and eligibility for funding. The Department granted the screening company access to the database because it held itself out to be an authorised training provider.
The ICO formally reprimanded the Department for unlawfully sharing the data with a third party and allowing its further processing without data subject consent. Had the Department not been a public institution, the ICO indicated that it would have fined it £10.03 million for these breaches.
What to do: Businesses should ensure that they have policies in place to review third party access to data, and that sufficient vetting mechanisms exist to ensure a lawful basis for third party processing and to prevent vendor misuse of data.
French CNIL fines Discord €800,000 for GDPR data retention and security failings
What happened: The French CNIL fined U.S. communications company Discord Inc. €800,000 for:
- not having a written data retention policy in circumstances where it had over two million French user accounts that had been inactive for more than three years;
- failing to provide its users with clear and complete information about data retention periods;
- failing to ensure data protection by default by using settings that permitted other users to continue hearing a user who exited the Discord application by clicking on the “X” button;
- only requiring weak password security (no more than six characters); and
- failing to carry out a data protection impact assessment (“DPIA”) given the volume of processed data, including that of minors.
What to do: Based on the CNIL’s views, businesses may want to consider: (i) reviewing and applying their data retention policy with appropriate retention periods that are clearly communicated to users; (ii) strengthening authentication procedures; and (iii) reviewing the EDPB DPIA guidelines as implemented by the CNIL to ensure they are preformed wherever necessary.
EDPB updates application process for Binding Corporate Rules
What happened: To facilitate intragroup data transfers from EEA to non-EEA countries, the GDPR provides members of a corporate group the possibility of entering into Binding Corporate Rules (BCR) among other Third Country data transfer instruments such as Standard Contractual Clauses. BCRs for controllers frame transfers from controller group members covered by the territorial scope of the GDPR to controllers or processor group members outside of its territorial scope. The European Data Protection Board (EDPB) prepared on the basis of pre-existing guidance draft recommendations in regard of a standard application form and the content of the BCRs for controllers designed to drive efficiency and consistency in a not always smooth review process.
What to do: Businesses engaging in regular intragroup data transfers between entities based in and out of the EEA may wish to consider the efficacy of adopting BCRs, in light of the new process.
To subscribe to the Data Blog, please click here.
The authors would like to thank legal trainees Sophie Michalski, Clara Montillet, and Maria Santos and law clerks Anya C. Allen, Melyssa Eigen, David Z. Rochelle, and Ned Terrace for their contributions to this article.