Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter?

TechGDPR’s review of international data-related stories from press and analytical reports.

EU-US Data Privacy Framework

Effective Immediately: On 10 July, the European Commission’s decision on the adequacy of the level of data protection in the US within the new data privacy framework entered into force. If an American-based business is on the approved list, you can transfer personal data to it as if it were a European (EEA) business. You still have to follow the other rules in the GDPR, for example having a legal basis for processing or a data processing agreement to share personal data with others.

Self-certification: The new data privacy framework enables US organisations to make self-certification submissions and, as applicable, to add the UK and/or Swiss extensions, and lets participating organisations make their annual re-certification submissions (organisations that were self-certified under the invalidated Privacy Shield framework must comply with the updated principles, but they do not need to make a separate submission).

Transfer Impact Assessment: Data transfers to the US using EU standard contractual clauses or binding corporate rules remain possible, provided that a Transfer Impact Assessment is carried out. In this case, the limits on state security services’ ability to access and use transferred personal data are those recognised in the Commission’s adequacy decision.

Redress mechanism: The new framework gives European residents a legal remedy and allows them to obtain rectification of data collected in an illegal manner. In practice, reportedly, data subjects can file a data breach notification with their national data protection authority, which will transmit it to the US. The national authority will ensure that the person concerned receives information about the procedure and the final decision (either that no breach of US law has been identified, or that a breach has been identified and remedied). Individuals will also be able to appeal a decision if needed.

Criticism: Although the new data privacy framework marks a significant step forward, the EDPB and the Parliament criticised it for not sufficiently addressing the temporary bulk collection, retention, and dissemination of data by the US intelligence services, the scope of exemptions, onward transfers, the exercisability of data subject rights, and the practical functioning of the redress mechanism. Privacy advocacy group NOYB is also preparing a new court challenge to the framework by the end of 2023 or the beginning of 2024.

Legal processes and redress

Procedural rules: The European Commission proposes a new law to streamline cooperation between data protection authorities when enforcing the GDPR in cross-border cases. For example, it will oblige the lead Data Protection Authority to send a ‘summary of key issues’ to the other authorities concerned, identifying the main elements of the investigation and its views on the case. For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, the rules will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The new law also recognises the importance and legality of amicable settlement of complaint-based cases.

“Stop”, “revoke”, “end”, and “opt-out”: The US Federal Communications Commission proposed guidelines that would allow customers to cancel consent to calls and text messages sent using automated technology “in any reasonable way”, allaboutadvertisinglaw.com reports. These include texts such as “stop,” “revoke,” “end,” and “opt-out.” Callers and texters would be unable to limit the ways in which customers may cancel consent. Consumers can revoke via text, voicemail, or email to any phone number or email address where they would reasonably expect to contact the sender. A request must be fulfilled within 24 hours of being received. The government is also investigating and soliciting feedback on the present exemptions.

CCPA/CPRA: Businesses that planned to comply with the amended California Consumer Privacy Act this month will now have until spring 2024. After the California Chamber of Commerce demanded that businesses have one year from the adoption of final regulations before enforcement could begin, a state court judge made a last-minute decision to postpone enforcement.

Minors’ safety online: On 28 June, the Louisiana Secure Online Child Interaction and Age Limitation Act was signed by the Governor. Notably, the act will require social media companies to withhold certain functions from accounts held by Louisiana residents who are minors, including prohibiting direct messaging with unfamiliar accounts and not displaying advertising or suggested groups, products, posts, services or users to the minor. Further, accounts held by minors will not show up in the search results of other accounts unless they were already linked through “friending”.

Official guidance

APIs: The French privacy regulator CNIL published technical recommendations on data sharing via Application Programming Interfaces (in French). All types of sharing of personal data by API, whether open or restricted, and all types of organisations, public or private, are covered by these recommendations. Three categories of actors in API data sharing are defined: data holders, API managers and data reusers. Each category receives recommendations guiding it towards measures that achieve the desired level of security, as well as measures likely to facilitate compliance with data protection principles (exercise of rights, information obligation). However, it remains up to each organisation to evaluate its level of risk and apply the appropriate measures.

Google Search: The Danish data protection authority has recently published an advisory on how to have a search result about you deleted from a search engine (e.g. Google or Bing). If you wish to have a search result removed, you must first contact the search engine, most easily through its complaint form. You must specify exactly which search result is in question and why you want it removed. The grounds for the right to erasure are laid down in Art. 17 of the GDPR. If the search engine declines to remove the search result, you still have the option of complaining to the data protection authority, which then assesses whether it is appropriate to investigate the matter.

Research projects: The Danish data protection authority also published new guidance on GDPR-governed role allocation in research projects (in Danish). It consists mainly of numerous examples of data controllers, data processors and joint data controllers that can arise in practice. In many cases, legal and professional obligations as well as professional standards may mean that the actor in question is prevented from following a detailed instruction from a business partner. For example, doctors who test a new surgical method as part of a research project remain bound by their medical oath and are obliged to carry out the surgery in the most responsible manner, possibly without providing information or following an instruction that is relevant and necessary according to the trial protocol. Similarly, a laboratory remains subject to professional standards for the analysis of, for example, blood samples.

Lessons learned from reprimands: Looking back at the reprimands issued by the UK Information Commissioner’s Office in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

  • Avoid inappropriate disclosure of personal information by having policies in place and training your staff (redacting documents properly, correct disposal, avoiding accidental on-screen display of personal information).
  • Respond to information access requests on time (organisations must respond within one month of receipt of the request; this can be extended by up to two months if the request is complex).
  • Deployment of any new apps should take a Data Protection by Design and Default approach from the very start.

Case law

Meta and consent: The CJEU decided that competition authorities can rule on undertakings’ GDPR compliance. In the test case, the German cartel office in 2019 ordered Meta to stop collecting users’ data without their consent, calling the practice an abuse of market power. Under Art. 6 of the GDPR there are six legal bases for processing personal data, one of which is consent, but Meta chose to rely only on the other five. The necessity of performing the contract with the user may justify the practice only if the processing is objectively indispensable, and the CJEU expressed doubts as to whether personalised content and the use of the Meta group’s own services, like Meta Pixel, fulfil this criterion. For companies to rely on the ‘consent’ lawful basis, they need to demonstrate that a person has ‘freely given’ that consent. This may be difficult to prove when a company such as Meta holds a dominant position in the market, since people have less choice over which platform they can use.

Big Tech

Google’s Privacy Sandbox: Since 2021, various features have been tested as part of Chrome Beta’s Origin Trials. As a result of these tests, and starting 13 March, some users of the standard version of Chrome were asked to enable three new targeting and ad measurement tools, collectively the Privacy Sandbox. As part of the Chrome browser, it consists of a set of Google interfaces (APIs) accessible to site publishers. These interfaces allow targeted advertising to continue while avoiding the technical constraints that could emerge with the end of third-party cookies. Chrome users included in the experimental phase are randomly selected and are informed by a specific screen when their browser is launched, asking for their consent to participate. A refusal will not affect browsing, and users who have agreed to activate these features can reconsider their choice at any time in the Chrome settings under the “Privacy and Security” tab and then “Privacy Sandbox”.
