HCR Law Events

11 February 2022

Data protection update – transfers and cookie policies

It has been a busy start to the year in the world of data protection. First came two noteworthy decisions by European authorities on transfers of EEA personal data to the US, followed recently by the ICO laying its proposed International Data Transfer Agreement (IDTA) and accompanying addendum before Parliament. So, where does this leave us?

Duty to watch over the safety of European users’ data

A year ago (January 2021), the Austrian-based data protection group None of Your Business (NOYB), founded by Max Schrems, brought complaints against the European Parliament in relation to its internal coronavirus testing website. The complaints concerned transfers of personal data to the US, as well as misleading cookie banners and unclear data protection notices.

The European Data Protection Supervisor (EDPS) – the independent supervisory authority whose primary role is to monitor data protection compliance by the official EU institutions and bodies – investigated. In January 2022, it reprimanded the European Parliament for breaching Regulation (EU) 2018/1725, the regulation that applies GDPR-equivalent rules to EU institutions and bodies only.

The European Parliament website transferred personal data (via analytics cookies associated with Google Analytics and Stripe) to the US without ensuring adequate protection. The Parliament could not produce any documentation for the transfer, any record of the security or technical and organisational measures taken, or any related risk assessment. Its cookie banner and privacy policy were also criticised for inaccuracy and lack of transparency.

Key takeaways

Even the placement of cookies by a US provider may be considered a violation of EU and UK privacy laws. The EDPS noted that no proper protections against US surveillance had been put in place, which it considered particularly serious given that European politicians have been targets of surveillance. Arguably, this may be less serious where the data subjects are not European politicians or other public figures.

A misleading cookie banner that does not list all of the cookies actually used means that the ‘consent’ obtained when the user clicks ‘accept’ is not valid. Inconsistent or misleading privacy policies are equally unacceptable, as they fail to serve their purpose of informing data subjects about the use of their personal data. The message here is to ensure that cookie banners accurately reflect the cookies a site sets, and that privacy notices are clear and do not contradict one another.

The Austrian Google Analytics case

The recent decision of the Austrian data protection authority (Datenschutzbehörde), on one of the NOYB complaints, is another example of how the transfer of personal data to the US for electronic storage or services is a restricted transfer that may only be made if adequate safeguards are in place to prevent third-party access. As US authorities have a legal right to access electronic communications held by US providers, it is very difficult to see how that access can be limited or excluded, and as such these transfers are likely to be in breach of the GDPR.

The main issues arising from this decision are that (i) it relates to the Google Analytics cookies that so many websites use, potentially affecting a great number of businesses, and (ii) while it did not find against the US-based importer of the personal data (Google), it did find the EEA-based website operator exporting the personal data to be in breach of the GDPR. Again, this means that UK and European businesses will need to assess their use of cookies and their export of personal data to the US.

Taken together with the EDPS action against the European Parliament, the clear message from the EU is to review cookie use. Although the UK is now post-Brexit, UK GDPR closely follows EU GDPR, so the same message applies here.

Introduction of the IDTA before parliament by the ICO

The Information Commissioner’s Office (ICO) recently laid the draft International Data Transfer Agreement (IDTA) before Parliament, after a long period of consultation, intending it to come into force on 21 March 2022.

The proposed document follows the existing UK GDPR and the GDPR processes, and appears to indicate the intention of the UK to continue to follow the EU lead on personal data protection and stay close to the GDPR, rather than break away and create new laws post-Brexit.

The draft IDTA will be relevant for transfers – or ‘restricted transfers’ – of personal data to third countries (including the US) under UK GDPR. The IDTA is intended to replace the EU SCCs for transfers of UK personal data to third countries, but the ICO has also published a ‘UK addendum’ version, to be appended to the ‘new’ EU SCCs (of 4 June 2021) or to other data transfer documents in place in other territories. This is, presumably, to simplify the transfer of UK personal data alongside EEA personal data, since the two data sets currently require entirely separate documentation.

For the time being, however, the IDTA is a draft and not yet in force.

About the Author
Georgia Shriane, Legal Director
