Source: Leaders League
Further to investigations initiated by the Data Protection Commission (the DPC, the Irish supervisory authority) in 2018, WhatsApp Ireland Limited received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions, including those relating to the information provided to data subjects, which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).
Under GDPR’s one-stop-shop mechanism, and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). The draft was submitted in December 2020, and in January 2021 the Hungarian, Portuguese, Italian, French, Dutch, Polish and German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC. The objections mostly addressed the lax approach taken by the DPC in assessing WhatsApp’s breach of GDPR, as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by the breach across the European Union.
This resulted in a lack of consensus, escalating to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, leading to the second-highest fine under GDPR since its entry into force in 2018.
The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.”
A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision under the EU GDPR, awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”
It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.
The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.
First publication: K&L Gates Cyber Law Watch Blog with Noirin McFadden
The French data protection Supervisory Authority (The CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed for lobbying purposes.
Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The personal data in those records included professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score from 1 to 5 evaluating each person’s influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.
On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once the decision is finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide the further safeguards required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as to Korean public authorities. However, the transfer of personal credit information that is subject to the jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.
The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea; it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services to, or monitoring the behavior of, EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, and not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.
The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.
Depending on whether you are an optimist or a pessimist, it will have taken the European Commission either three years and two weeks (since the entry into force of the General Data Protection Regulation (GDPR)) or eleven months (since the Schrems II decision — see our Alert here) to publish its finalized revision of the most flexible tool allowing the transfer of personal data to partners located in countries not otherwise providing an adequate level of data protection (Adequate Countries): the Standard Contractual Clauses (SCCs).
While Schrems II made headlines with its cancellation of the Privacy Shield framework, that mechanism only affected 5,000 companies in the United States. SCCs, on the other hand, remain the most widely used instrument to ensure a sufficient end-to-end level of protection for personal data covered by European data protection law. With their original version dating back to 2001, an update was sorely needed to align them with GDPR’s extensive reach and requirements.
IN A NUTSHELL:
- The new SCCs were published on 4 June 2021:
  - Starting on 27 June 2021, companies will need to transition to the new SCCs;
  - On 27 December 2022, companies must have finalized their transition to the new SCCs.
- Affected companies include:
  - EU-based entities sharing data with partners and providers located in countries deemed not to offer an adequate level of protection;
  - Non-EU-based entities otherwise subject to GDPR’s extensive territorial reach (see our Alert here) sharing data with partners and providers located in countries deemed not to offer an adequate level of protection; and
  - Non-EU-based entities receiving or processing personal data from or on behalf of EU-based partners or non-EU partners otherwise subject to GDPR.
- Key new elements include:
  - Data exporting entities will need to assess the importing countries’ regulatory framework;
  - Where such framework cannot safeguard the transferred data subject to GDPR, additional measures must be implemented contractually, organizationally and/or technically;
  - Each and every step of the assessment, and the relevance of the remediation measures, must be thoroughly documented; and
  - In the case of a controller/processor/sub-processor relationship, the new SCCs consolidate the requirements into a single agreement addressing the data processing requirements under Article 28 GDPR and the data transfer agreement.
- While the new SCCs provide for a general framework, many issues are left to:
  - The expected interpretation and guidance from the European Data Protection Board (EDPB); and
  - Contractual negotiations between the stakeholders.
Practice head(s): Claude-Etienne Armingaud
‘Skilled technical lawyers with excellent industry knowledge.’
‘Claude-Étienne Armingaud possesses excellent technical legal skills with a sensible practical commercial approach which comes through unrivalled knowledge of the sector.’
‘Claude-Étienne Armingaud is the best at what he does, plain and simply.’
Source: Legal 500
With notable experience in the implementation of GDPR compliance and data protection, the team at K&L Gates LLP coordinates with the firm’s wider European practice to act for multinational clients in the luxury goods, entertainment, and telecoms sectors. Practice head Claude-Etienne Armingaud frequently acts for fintech clients in contentious multi-jurisdictional matters regarding IP and IT data protection. In March 2020, associate Clara Schmit joined from D’Alverny Demont Associés.
Practice head(s): Claude-Étienne Armingaud
Other key lawyers: Clara Schmit
‘Claude-Etienne Armingaud is the best at what he does, plain and simply. Fast, reliable, and efficient.’
‘A team which is very familiar with the evolution of the regulatory framework applicable to data, and which has often participated in the work of developing new guidelines with the CNIL.’
‘Claude-Etienne Armingaud is very familiar with the issues of data protection and privacy. He supports a large clientele in various fields of intervention.’
The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act [1: Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016)], introduced additional compliance requirements for legal entities to address corruption, in order for France to meet the highest European and international standards.
Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA), whose main mission is to help economic and public players in the process.
The AFA noted in its 2019 annual activity report [2: French Anti-Corruption Agency, Annual Activity Report 2019 (7 July 2020) (in French)] that anticorruption measures implemented by economic and public players were still incomplete.
On 12 January 2021, the AFA published new recommendations, which entered into force on 13 January 2021 (the Recommendations, available here in French).
The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:
- Governing body’s commitment;
- Understanding the entity’s exposure to probity risks; and
- Risk management.
To Whom These Guidelines Are Addressed
The AFA urges all entities to implement an anticorruption process, independently of the thresholds required under Sapin II. According to the AFA, an adaptation of these Recommendations remains necessary in light of the potential risks and activities of each entity. In concrete terms, each organization has an interest in protecting itself against the risks of probity breach and the resulting criminal risks.
Pursuant to Article 17 of Sapin II, relevant companies with at least 500 employees and recording a turnover exceeding EUR 100 million have the obligation to implement a program to prevent and detect corruption and influence peddling through eight internal preventive measures [3: As per Article 17, II of Sapin II, this obligation would require the implementation of a specific French Code of Conduct, an internal whistleblowing …]. In these Recommendations, the AFA thus advises private companies subject to the prevention obligation of Article 17 of Sapin II to include a wide range of criminal offences beyond corruption and influence peddling in their internal system, and specifies that the actions to be implemented should be based on a genuine commitment by each company’s governing body.
Governing bodies have a key role in the process of integrating anticorruption measures into risk procedures and policies and must be supported by nonexecutive bodies and compliance teams.
Strengthening the French Anticorruption System
In order to encourage the various stakeholders to make up for the highlighted shortcomings and to abide by the established procedures, the key word in the AFA’s Recommendations is “formalization.”
In this context, risk-mapping methods should be refined. Each company will have to draw up a risk map in the form of written and structured documentation, detailing the underlying methods used to draw it up, measures adopted to control the risks, and roles and responsibilities of each party involved.
The AFA applies the same standards to internal whistleblowing systems, which are described for the first time in the Recommendations. Companies will therefore have to formalize their internal investigation procedure, providing at the very least the criteria required to trigger an alert and the methods used to carry out the investigation. Following the investigation, a report will have to be drawn up and a dedicated committee set up.
The integrity evaluation of third parties is not exempt from this formalization requirement. While this procedure is not new [4: Article 17, II, 4° of Sapin II], it must now be carried out within a formal framework, as it is specified that the determination of information and documents useful for the evaluation of third parties must be carried out by the company at the risk-mapping stage, taking into account the obligations prescribed by the General Data Protection Regulation (GDPR) [5: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the …].
Following its willingness to truly involve corporate governing bodies in implementation of the anticorruption system, the AFA recommends that, in the context of human resources management, the recruiting process for the most exposed executives and staff should include an assessment of their “honorability.”
The applicability of GDPR to these procedures is all the more to be anticipated insofar as the AFA recommends identifying certain types of personal data relating to employees working on behalf of clients, suppliers, or intermediaries of the companies who are evaluating third parties.
Therefore, and as per GDPR’s data minimization principle [6: Article 5 of GDPR], only the data strictly necessary to achieve the purposes of Sapin II may be collected and processed by the companies concerned. In the same way, physical, logical and organizational security measures shall be implemented to ensure the security and integrity of the data collected during the evaluation [7: Article 32 of GDPR].
Furthermore, individuals subject to an integrity evaluation will have to be informed [8: Article 13 of GDPR] of the specifics of the processing operations pertaining to their personal data, as well as of their rights regarding such data [9: Article 12 of GDPR]. Finally, as the verification of the integrity of third parties may be carried out on the basis of their presence or absence on sanction lists, the impacted stakeholders will need to implement special measures to ensure the protection of these special categories of personal data (known as “sensitive” data) under GDPR.
Similar attention will need to be drawn to personal data relating to disciplinary sanctions identified by private companies and public entities alike. The Recommendations clarify the regime applicable to disciplinary sanctions by providing, without much novelty, for the principle of gradation of sanctions. While the AFA calls on governing bodies to be strict and to sanction breaches of anticorruption measures, it also requires that the dissemination of these sanctions internally, as a reminder of the zero-tolerance policy, be carried out while preserving the anonymity of third parties at all costs.
Through the Recommendations, the AFA aims at reconciling the need to provide for limited retention of personal data [10: Article 5 of GDPR] with the need for companies and public actors to be able to justify their decisions in the event of controls or audits. Finally, the same principles resulting from the application of GDPR will have to be respected within the framework of the implementation of whistleblowing systems by companies and public players, with particular attention to the automated processing of such alerts.
Although the AFA is increasing its knowledge of the rules of the GDPR through its controls, it is unfortunate that the AFA did not consult the French Data Protection Authority (CNIL) to propose a turnkey compliance framework for impacted companies. Failing this, companies will have to determine themselves the operational methods that will best meet the dual compliance requirements vis-à-vis the AFA and the CNIL.
These Recommendations are not binding or obligatory for the different entities but enforceable by the AFA in its control activities. The AFA will refer to the Recommendations for audits that will begin six months after their entry into force, i.e., as of 13 July 2021.
Following a recommendation of the Enforcement Committee [11: French Anti-Corruption Agency, Decision no. 19-01 Société S SAS and Mme C. (4 July 2019)], the AFA specifies that entities which have indicated that they comply with the Recommendations will benefit from a compliance presumption, which can only be overturned by the AFA’s demonstration of ineffective, incorrect, or incomplete implementation of the Recommendations. Otherwise, it will be up to the organization to demonstrate that the choices it made effectively allowed it to meet the regulatory requirements.
Each entity will also be invited to update its internal compliance procedures. Irrespective of health crisis management, integrating compliance tools has become a new challenge for 2021, since failure to comply with the Recommendations could be raised against an entity in the context of an audit. The AFA is in line with the current trend of accountability frameworks, meaning that strict legal compliance is no longer sufficient: companies must also be able to document this compliance and the decisions taken to implement it.
In addition to the criminal sanctions resulting from acts of corruption, influence peddling, and similar offences, the AFA is able to adopt similar sanctions for failure to comply with the obligations arising from Sapin II following the submission of a request to its Enforcement Committee.
After the person concerned has been given the opportunity to present its observations, the Enforcement Committee may order the company to adapt its internal compliance procedures as per the recommendations it addresses to the company, within a period that must be shorter than three years.
The Enforcement Committee may also impose a financial penalty of up to EUR 200,000 for individuals and EUR 1,000,000 for legal entities and, finally, order the publication, distribution or posting of its decision. These sanctions remain without prejudice to possible additional sanctions by the CNIL regarding GDPR breaches, up to EUR 20 million or 4 percent of a company’s overall turnover (whichever is greater), even in cases where there was compliance with the Recommendations.
This invitation for compliance is a reminder of the European Union’s willingness to standardize the different anticorruption measures of the member states. The implementation of the whistleblowing directive [12: Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons reporting violations of Union …] by EU member states will need to be effective before 17 December 2021 and will bring some changes to Sapin II, notably by giving up the notion of a “disinterested act,” thus broadening the spectrum of prohibited retaliation measures or authorizing public disclosure. The various private or public stakeholders will benefit from a grace period to update their anticorruption measures, beginning when the Recommendations are transposed.
K&L Gates’ multidisciplinary labor and data protection law teams remain available for more information and to anticipate and implement your company’s compliance.
First published by K&L Gates with Christine Artus, Natacha Meyer, Clara Schmit & Alexia Montagnon