On Data Protection Day 2019, the team at Crowley Solicitors looks forward to the year ahead with predictions for data protection and ePrivacy in 2019.
• Brexit – Data processing is not immune from the business wide impact of Brexit and we currently lack clarity on how the UK will leave the EU due to the recent rejection of the withdrawal agreement by the UK Parliament. Under the terms of the rejected withdrawal agreement, during the transition period the UK would have continued to apply EU data protection law and transfers of data between the European Economic Area and the UK could have carried on as normal. It was anticipated that, during the transition period, the UK would obtain adequacy status to allow for the legitimate international transfer of personal data once the transition period ended in December 2020. For as long as we remain in Brexit limbo, organisations need to check their data mapping and third-party inventories for any UK-related data processing that may require a transfer mechanism (most likely to be a standard contractual/model clauses agreement) in order to regularise the flow of personal data in a no-deal environment.
• Data Protection Commission (DPC) Pointers – the DPC issued a number of very clear guidance notes in 2018 on topics that Helen Dixon, Data Protection Commissioner, also made reference to during public engagements. This suggests a focused approach on these areas for 2019. These include guidance on data processing by elected representatives, community-based CCTV schemes and dash cams. In light of recent high-profile controversy over the use of drones, it may also be useful to refresh on the DPC’s 2016 guidance on the topic.
• Transparency – if organisations apply one mantra to their data protection and e-privacy compliance in 2019 it should be the DPC’s stated number-one priority: transparency of processing. Organisations that have committed to the principle of transparency and are in a position to demonstrate such commitment in practice will be well placed to meet the full force of the DPC and data subjects.
• Breach Reporting Leading to Investigations – one clear trend from 2018 that we predict will follow through into 2019 is the tendency for an organisation to be the subject of a DPC investigation following its reporting of a medium- to high-risk personal data breach.
• E-mail Addresses, E-receipts & E-marketing – a real bugbear for the DPC and an area that has been the target of a number of separate audits of the retail industry by the DPC and the UK supervisory authority since 2016. In short, if organisations issue e-receipts to customers and/or use e-mail addresses obtained as part of the sales process for e-marketing, they can expect a zero-tolerance policy from the DPC if their operations are not compliant. This is now regarded as low-hanging fruit for the DPC and a common source of data subject complaints.
• International Transfers:
- Standard contractual (model) clauses – due to come under the scrutiny of the Court of Justice of the EU (CJEU) – will they survive the year and what will replace them?
- Another international transfers hot topic is the EU-U.S. Privacy Shield – will the US authorities nominate a permanent Ombudsperson by 28 February 2019 following the second annual review in December 2019 by the European Commission (EC)? And what appropriate measures under the GDPR will the EC consider taking?
• E-privacy Regulation (ePR) – After much debate, the Regulation to repeal and replace the 2002 Directive and align Europe’s regime to protect private electronic communications with the GDPR remains in draft format despite earlier promises of it being enacted on 25 May 2018 alongside the GDPR. Its absence is regarded as a gap in the EU’s Digital Single Market and 2019 is set to be the year that this will be remedied. Watch this space for clarity on cookie consents, default settings on website browsers and, hopefully, an opportunity for digital businesses to compete equally in an appropriately regulated personal privacy environment.
• Fines & Powers – a strong start to 2019 from the French supervisory authority, CNIL, which fined Google €50 million for breach of GDPR rules regarding the legal basis for processing, transparency and information, may indicate what is to come from other supervisory authorities once the GDPR beds in fully. Administrative fines are not the only stick that supervisory authorities have; an investigation or corrective action (for example, a cease-processing notice) could cause more disruption and pain to organisations than a fine, and we can expect to see supervisory authorities use these powers throughout 2019. Failure to demonstrate an organisation’s privacy preparedness and accountability will not be treated lightly by the authorities.
• Spotlight on Tech Firms – Amazon, Apple, Facebook, Google, Netflix, Spotify and YouTube (Alphabet) will remain under the spotlight in light of complaints made to the Austrian supervisory authority by the non-profit headed up by Max Schrems, as well as the Irish High Court’s referral of the Facebook and standard contractual (model) clauses case to the CJEU and the statutory inquiries by the Irish DPC into each of Facebook and Twitter.
• Children – on 19 December 2018, the DPC launched a public consultation process on children and data protection issues, with a view to producing guidance materials and drawing up codes of conduct to promote best practices by organisations that process the personal data of children and young people. This is one of the first public consultations to be launched by the DPC since the enhanced regime came into force on 25 May 2018 and is an indication of how children’s rights will be strongly upheld by the DPC. Likewise, the Irish legislature already has a Data Protection (Amendment) Bill 2018 before the Dáil and, if enacted, it will update the current legislation to restrict the micro-targeting and profiling of children in an effort to protect children from being subjected to the marketing of junk food and drinks.
• Accreditation of Certification Bodies – the implementation of a certifications process for controllers and processors is a priority for the European Data Protection Board (EDPB), and guidelines on the accreditation of certification bodies under Article 43 of the GDPR have been released by the EDPB for public comments. This is a critical first step in the certification process. Certification by an accredited body will be one means for controllers and processors to demonstrate GDPR compliance of their data processing activities. We hope to see traction and progress on this throughout 2019 from the EDPB and our own DPC.
For further information on any issue raised in this article please contact the team at Crowley Solicitors: https://www.crowleysolicitors.ie/our-people/
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Legal advice should always be taken before acting on any of the matters discussed.