Included in this issue of Data & Privacy News: the latest developments on international data transfers, updates on a flurry of EDPB activity, and much more.

Agreement in principle reached on Privacy Shield 2.0

On 25 March 2022 the US Government and European Commission announced that they had struck a deal on an enhanced version of the EU-US Privacy Shield. The announcement is a very welcome one for businesses that rely on seamless transfers of personal data from the EU to the US.

In July 2020 the CJEU invalidated the EU-US Privacy Shield, following a challenge brought by privacy campaigner Max Schrems. The Court cited concerns that the level of access to EU personal data by US law enforcement agencies, and a lack of effective oversight, failed to adequately protect the rights of EU data subjects. The CJEU had already quashed the Safe Harbor framework, Privacy Shield's predecessor, in 2015 in response to Mr Schrems' first legal challenge.

Organisations that rely on trans-Atlantic data flows will be hoping it will be third time lucky, and that the Privacy Shield 2.0 can provide a predictable, effective and lasting remedy for what has become an increasingly painful compliance headache. However, it will be crucial to understand not only the substance of the deal but also to what extent the new scheme will address the concerns that were central to the Schrems II case, without any amendments to US surveillance laws.

Although the text of the deal is not yet available and few details have been confirmed, there is inevitable scepticism about whether the deal will truly bridge the gap on the contentious issues surrounding the reach of US surveillance laws. However, there is clearly a political will on both sides of the pond to overcome the considerable obstacles to data flows, particularly given how high the stakes are in the current geopolitical environment. It remains to be seen whether any such EU-US bilateral agreement, and a new EU Commission adequacy finding for Privacy Shield 2.0, could withstand yet another judicial challenge from Mr Schrems.

The final text should certainly be a fascinating read. 

This subject will be top of the agenda at our upcoming Data Download Webinar on Tuesday 29 March 2022.

UK International Data Transfer Agreement and UK Addendum to the new EU SCCs enter into force

The new UK IDTA and UK Addendum to the updated EU SCCs entered into force on 21 March 2022. Data exporters can choose to use either of these instruments for the export of personal data from the UK. In order to guarantee that they provide adequate safeguards for data subjects, they must be executed without modification, save for the addition of information about the parties and further details regarding the data processing activities concerned.

The documents are unchanged from the ICO's draft versions, having received no objections since they were laid before Parliament by the DCMS on 2 February 2022. The documents are available for use via the ICO's website, and the ICO has promised to publish further tools and guidance regarding the use of these instruments soon. 

This article by Addleshaw Goddard Partner Dr. Nathalie Moreno examines the IDTA and the UK Addendum as new transfer mechanisms in further detail. It also outlines the calendar for implementation set out in the transitional provisions and what will come next for the UK Data Transfer Package.

CoA rules against claimant that used business account for personal emails

The Court of Appeal has dismissed an appeal which sought to establish that the disclosure of personal information contained in a business email account was unlawful. The Court found that the access to, and limited disclosure of, the information did not amount to a misuse of private information or breach of confidence. Although some of the relevant emails contained personal data, there was no reasonable expectation of privacy in relation to those communications and the information was not imparted in circumstances importing an obligation of confidence.

The Court stated that the question of whether a reasonable expectation of privacy should arise in relation to such information is fact-specific. The fundamental question is an objective one: "whether a reasonable person of ordinary sensibilities placed in the same position as the claimant and faced with the same publicity [of the information]" would be offended. In this case, the claimants failed to meet this standard, the Court noting the following as significant factors:

  • the claimant stored the personal emails in an email account set up to handle business enquiries
  • at the point at which the business email account was set up, a separate email account was also set up for the claimant's individual use
  • other personnel had access to the business enquiry account, and this was well known to the claimant. Personal messages within the account were not marked as such, or filed separately
  • the defendants had no interest in the content of the personal emails and provided ample opportunity for the claimant to review the business account, in order to flag and remove any personal communications
  • the disclosures by the defendants were limited to legal and professional advisors, to the extent necessary to obtain advice on the ongoing dispute with the claimant. Further, this limited disclosure meant that the claimant suffered minimal damage
  • the defendant was not required to rebut any presumption of privacy in relation to the relevant emails

While previous decisions of the European Court of Human Rights have established that communications from business accounts may fall within the scope of private life under ECHR Article 8, the question of whether a reasonable expectation of privacy arises depends on many factors. Although certain types of information (e.g. relating to health, finances or personal correspondence) will normally give rise to a reasonable expectation of privacy, that is a starting point for the assessment rather than a legal presumption. The burden of demonstrating a reasonable expectation of privacy is for the claimant to discharge.

IAB Europe announces decision to appeal Belgian DPA fine for breach of GDPR

IAB Europe has announced its intention to appeal against the Decision issued by the Belgian Data Protection Authority (APD) last month, which found that IAB Europe's Transparency and Consent Framework (TCF) infringed numerous aspects of the GDPR (the Decision).

The TCF was designed to facilitate the use of IAB's "OpenRTB" protocol, one of the most widely used protocols in Real-Time Bidding (RTB) for the placement of personalised online ads. By collecting and managing information about users' preferences, the TCF is specifically designed to address the major challenges created by the GDPR in providing transparency to individuals and obtaining valid consent to use their data. However, the APD found that the TCF itself failed to comply with numerous aspects of the GDPR. The infringements included a lack of transparency, the absence of an appropriate legal basis for processing, failings in privacy by design and by default, and numerous other shortcomings under the GDPR's accountability framework.

The Decision has far-reaching implications, due to:

  • the widespread compliance defects identified by the APD, and the knock-on effects of these violations on market operators who rely on user preference data collected by IAB;
  • the widespread use of OpenRTB by operators at all levels of the adtech value chain; and
  • the classification of IAB as a data controller (and in some cases a joint controller) rather than a data processor; many other organisations will have to reopen this question, and consider the prospect of a far greater compliance burden under the GDPR.

Furthermore, the Decision imposes specific obligations on the IAB to conduct meaningful due diligence as to the suitability of potential users of the TCF, based on their data protection compliance posture. Even if the IAB succeeds in implementing changes to the system which are satisfactory to the APD, this will be an extremely onerous task, and the decisions the IAB makes as to which organisations meet the required standard seem a likely area of further legal challenge.

However, there has been intense scrutiny of the architecture of the adtech sector by numerous data protection regulators since the GDPR's inception, and uncertainty as to whether the complexity and opacity of RTB platforms are fundamentally incompatible with the GDPR's transparency and consent requirements. There are numerous initiatives already underway to reduce the adtech industry's reliance on personal data to serve highly targeted ads and track user engagement, and these may ultimately prove the only viable approach to satisfying regulators that data subjects' rights are sufficiently protected.

EDPB publishes further guidelines on data breach notification

The European Data Protection Board (EDPB) has published Guidelines on Examples regarding Personal Data Breach Notification (Guidelines). The Guidelines build on the general guidance on data breach notification produced by the Article 29 Working Party in 2017, acknowledging that the 2017 guidance did not address practical issues in sufficient detail.

The Guidelines walk through various breach scenarios, including ransomware and data exfiltration attacks, misdirected communications to trusted third parties, lost or stolen devices, and social engineering, and highlight exacerbating and mitigating circumstances for data controllers to consider. It is well known that many data protection regulators have been inundated with unnecessary breach notifications from overly cautious data controllers since the requirement was introduced by the GDPR. The Guidelines may be intended to reduce the number of notifications being made where there is unlikely to be any risk to data subjects, in addition to clarifying the scenarios in which controllers have no choice but to inform the authorities (and individuals).

The title of the Guidelines also does them something of a disservice: in addition to the worked examples, they provide helpful insight into the specific measures controllers can adopt before, during and after breaches to mitigate their impact (or avoid them entirely). Where data controllers elect not to notify a data breach in circumstances where there may be an obligation to do so, it will be highly advisable to at least be able to demonstrate that the measures outlined in the Guidelines were quickly and meticulously adopted to prevent a recurrence, in case the decision not to notify should ever come under scrutiny.

The Guidelines also hammer home the importance of maintaining a comprehensive record of data breaches that do not meet the threshold for notification, including the cause(s) of each breach and the steps taken to mitigate its impact. Controllers who fail to meet this obligation should not expect much goodwill from regulators who come knocking.

EDPB adopts draft Guidelines on the Right of Access

The EDPB has published draft Guidelines on the Right of Access (RoA Guidelines), analysing the various aspects of the access right and providing further clarification on the scope of data controllers' obligations when responding to a data subject access request (DSAR).

Of particular note is the EDPB's emphasis on the requirement that data controllers facilitate the exercise of the access right by data subjects. Throughout the process of responding to a DSAR, controllers are faced with many decisions which can either significantly increase, or dramatically reduce, the burden they face in responding to it. The EDPB seems to send a clear message in the draft Guidelines that controllers can only take steps to reduce this burden if there is no adverse impact whatsoever on the data subject, stating: "the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request". This appears to conflict with guidance issued by the UK's ICO, which makes clear that controllers are entitled to apply a proportionality filter in formulating their approach.

Unless the EDPB elects to water down this position following the public consultation, this will be an area for data controllers with a significant UK presence to keep a close eye on. The DCMS Consultation "Data: A New Direction" specifically references the economic benefits to business if the threshold for responding to DSARs were to be raised. As a result, it may be that in the coming months we see a growing divergence between the interpretation of the access right in the UK and the EU.

Controllers may wish to put in place distinct policies and/or revise training for responding to DSARs, depending on which regime is engaged.

EDPB begins first coordinated enforcement on use of cloud by public sector

The EDPB has launched its first coordinated enforcement action (CEA), investigating the use of cloud-based services by the public sector. The action follows the EDPB's decision to set up a Coordinated Enforcement Framework (CEF) in October 2020 and represents a key pillar of the EDPB's 2021-23 Strategy. Key issues under examination are understood to be a lack of appropriate due diligence of cloud service providers, defective contracts stemming from a lack of clarity around controller/processor status, and (of course) challenges around ensuring adequate protection for international data transfers.

The CEA forms part of the EDPB's desire to streamline enforcement and cooperation among Supervisory Authorities (SAs). The EDPB states that it will collaborate with 22 national SAs in analysing the activities of more than 80 public bodies across the EEA, covering a wide range of sectors including health, finance, tax, education, and central procurement of IT services. The results are expected to lead to localised national supervision and possible enforcement actions by SAs. The EDPB is expected to report on the outcome of the CEA before the end of 2022.

EDPB issues Guidance on Codes of Conduct as tools for transfers

The EDPB has published the final version of the Guidelines on Codes of Conduct as a tool for transfers, which were adopted on 22 February 2022 (CoC Guidelines). The CoC Guidelines are designed to provide practical guidance to organisations regarding the essential contents of CoCs, and the requirements for executing and enforcing them.

There has been a great deal of conjecture regarding the potential for CoCs to fill the considerable void created by the Schrems II decision which, in addition to invalidating Privacy Shield, cast major doubt on the viability of the Standard Contractual Clauses (SCCs) for data transfers to the US (and other "Third Countries"). However, so far no CoCs have been approved as a tool for transfers (and indeed only two other CoCs relating to data protection standards for data processing confined to the EEA). This may result from the fact that transfers relying on CoCs face the same challenges as those reliant on SCCs: namely, the requirement to ensure that the protections captured by the contract or other legal instrument cannot be undermined through the exercise of powers by law enforcement agencies to intercept and obtain personal data in the clear.

However, now that we have agreement in principle on Privacy Shield 2.0, and a new express route for EU-US transfers could open up in the not-too-distant future, the lack of uptake to date would suggest a very limited role for CoCs for transfers in the future (until Schrems III, at least…).

Key Contacts

Ross McKenzie
Partner, Commercial & Data Protection
Aberdeen, UK

Helena Brown
Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK