The European Data Protection Board (EDPB) recently published the first report of the taskforce it set up to look at some of the complaints received by EU data protection regulators from the pressure group NOYB, founded by Max Schrems. The work effectively looks at what are known as the “101 complaints” received from NOYB about Google (and in particular Google Analytics) and Facebook (now owned by Meta). This all follows the fall of Privacy Shield and criticism by the ECJ of data transfer mechanisms more generally in July 2020. You can read the background on that and watch our film here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/.
This note has some technical terms which are explained at www.bit.ly/gdprwords.
What was this about?
The EDPB created a specific task force, known as the 101 Taskforce, to look into a coordinated position on the complaints made by NOYB, particularly about the use of Google Analytics and Facebook Business Tools. Each Data Protection Authority (DPA, formally called a Supervisory Authority under GDPR) is still responsible for its own investigation, but the taskforce aimed to help DPAs cooperate and exchange information. At this stage the taskforce report essentially looks at the data transfer issues of tools like Google Analytics rather than the cookie compliance issues, which are dealt with by a different taskforce (see here https://www.corderycompliance.com/eu-dpb-cbr-01/).
What does the report say?
The report has some interesting aspects including:
- Data transfer isn’t the whole story – to use these tools data controllers will need to be satisfied that they are processing data lawfully in addition to considering data transfer issues.
- Privacy Shield cannot be relied on to legitimise a data transfer from the EU from 16 July 2020.
- Standard Contractual Clauses (SCCs) cannot be retro-fitted, so they are only effective from the date that they were signed.
- Encryption will not work as a means of safeguarding personal data if the data importer has a legal obligation to give up the keys.
- Anonymisation does not work as a mitigating measure where the anonymisation takes place after the data has been exported from the EU.
- Where website operators are data controllers, they have to take into account the accountability principle and be able to demonstrate that appropriate measures have been taken to safeguard data protection rights. This will include being able to provide evidence.
- If a website operator chooses to use third party tools (such as social media plug-ins or analytics tools), this is likely to lead to potential liability for the website operator.
The paper makes it clear that a number of DPAs have already taken action as a result of the complaints and that more decisions are on the way. We have been helping clients with some of those investigations. It is clear that data transfer is not the only issue concerning DPAs and NOYB – for example some of the retention periods for Google Analytics data are likely to be hard to justify.
There are a number of practical steps that you can take to reduce your risk, including:
- Doing proper training on the risks. A Cordery data transfer clinic might help with that. There is more information on that here https://www.corderycompliance.com/solutions/data-transfers-clinic/.
- Properly working out the cookies and tools that have been used on your website and doing due diligence on those tools.
- Doing data transfer assessments where appropriate and making sure the proper agreements are in place.
- Looking at additional technical and organisational measures (TOMs) to secure data. This might include encrypting data before sending it rather than afterwards, and looking carefully at who has the encryption keys and where they are based.
- Looking at your transparency obligations. We have concerns that the claims made by some providers are not honest – for example claiming the tool is for security when the data is also used for marketing, or claiming the data is anonymised when it is not. To be transparent you’ll also need those you deal with to be honest too. You’ll need to be ready to challenge the hype put forward by some providers.
- Being able to react quickly to complaints from regulators or potential litigants – regulatory activity and litigation (some of it from people looking for an opportunity to make money) is on the rise.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
You can download the full report here https://bit.ly/424ppft.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785