To be clear about cookies in our cookie notices.
In January 2022, the European Data Protection Supervisor, acting on complaints by MEPs and the European privacy campaign None of Your Business (“NOYB”), found that the European Parliament had failed to comply with the GDPR on two counts:
- Failed to put in place the appropriate safeguards to enable the transfer to the US of personal data collected by the cookies used on its site;
- Failed to provide accurate information on which cookies were used, to offer choices to reject cookie use, and to obtain “informed, specific and freely given” consent to the cookie use and to the proposed transatlantic transfer of the personal data collected.
Google cookies are extremely difficult to use compliantly
Later in January 2022, an Austrian court considered further complaints by NOYB that the use of the authorised European Standard Contractual Clauses (“SCCs”) did not provide sufficient safeguards to ensure an adequate level of protection for personal data under the GDPR.
As Google automatically processes all personal data collected in the US and is considered an “electronic communication service provider”, it falls within the class of e-communications providers that the US intelligence agencies can “surveil”; this surveillance itself is considered a breach of the GDPR.
Google does not take sufficient measures to prevent such surveillance, and therefore it was held that there was a lack of “adequate protection” under the GDPR for the personal data transferred in this way.
The Austrian court held:
- Encryption of data at rest is not a sufficient safeguard to prevent access to the personal data in plain text
- Google’s measures to notify data subjects, publish transparency reports and assess government requests for access were inadequate to ensure the protection of the personal data transferred
- IP addresses and online identifiers are confirmed to be personal data under the GDPR. Actual and immediate identification is not necessary, and the fact that the information enabling identification is held by various stakeholders, rather than just one party, is irrelevant as to whether the data is identifiable
- A “risk-based approach” was not adequate as a protection of personal data. Similarly, there is no requirement for a “minimum quantity” of data: all data transfers (big or small) benefit from the same protection
- The obligation of ensuring a compliant data transfer lies with the exporter of the personal data and not the (US-based) importer. The risk of exporting personal data to the US therefore lies with the party exporting the personal data out of the EEA/UK. Enforcement action will be taken against the exporter.
Undertaking Transfer Impact Assessments (Transfer Risk Assessments) is necessary to assess the risks involved in the proposed transfer, but if a risk is identified and cannot be countered by appropriate safeguards, the courts recommend that the transfer should then not take place.
The EDPB Guidelines of November 2021 have been applied where personal data is exported to a third country (a country outside the EEA or UK), either by data transmission to the third country or by “making available” the personal data to the third-country data importer.
Agreement in Principle
The European Union-U.S. Data Privacy Framework, a political agreement in principle, has been reached between the US and the EU to create a new framework for transatlantic data flows. This is to enable predictable and trustworthy data flows between the EU and US, and safeguard privacy and civil liberties in accordance with the GDPR requirements.
President Biden’s executive order
On 7 October 2022, President Biden signed an executive order (“E.O.”) on “Enhancing Safeguards for United States Signals Intelligence Activities” to put into effect the steps the US has agreed to take, including the following:
- Requires that any access or surveillance be conducted only when necessary to advance a validated intelligence priority, and only to the extent, and in a manner, that is proportionate
- Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards, in order to achieve adequacy under the GDPR.
- Creates a multi-layer mechanism for individuals (data subjects) to obtain independent and binding review and redress of claims concerning their personal information collected through U.S. signals intelligence. In the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will review the claim and determine whether there has been an infringement of the individual’s rights. In the second layer, a Data Protection Review Court (“DPRC”) provides independent and binding review of the CLPO’s decisions, on application by the individual or by an element of the intelligence community.
A draft adequacy decision has been prepared by the European Commission
The draft decision, based on the agreement in principle and the executive order, is to be reviewed by the European Data Protection Board and a separate data protection committee, and then voted on by MEPs. At present, it is hoped that the final adequacy decision for the US may be granted in Spring 2023, but since the US provisions still enable surveillance by the US intelligence agencies and are based on an executive order which may be reversed by a subsequent executive order, this adequacy decision may be short-lived or subject to challenge by future Schrems/NOYB actions. If the adequacy decision is granted, then the tricky question of compliance for transatlantic data transfers will be put aside and personal data transfers to the US will (we hope) be simplified and compliant with the GDPR.
While the EU adequacy decision is not legally binding on the UK, it is expected that the UK will follow suit from a commercial perspective and to ensure continued compliance with the EU legislation.
The UK ICO will publish reprimands issued since January 2022
The Information Commissioner has said (in December 2022) “we would normally publish enforcement notices, fines […] on our website. But now we will also publish all reprimands going forward, including reprimands issued from January 2022 onwards”. This is justified because members of the public are “entitled” to see the action taken by the ICO, and this action tends to indicate that the ICO is not softening its approach to data protection enforcement.