When are Reach Measurement Cookies exempt from the consent requirement?

Photo of Dr. Andreas SplittgerberPhoto of Daniel KadarPhoto of Laetitia GaillardPhoto of Sven SchonhofenPhoto of Stéphanie AbdesselamBy Dr. Andreas Splittgerber, Daniel Kadar, Laetitia Gaillard, Sven Schonhofen and Stéphanie Abdesselam on Posted in Cookies, Tracking & Online Behavioral Advertising, Privacy & Data Protection, Regulatory

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every users’ interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.

Continue Reading

The European Data Protection Board adopts guidelines on codes of conduct as a tool for transfers

Photo of Cynthia O’DonoghuePhoto of Angelika BialowasBy Cynthia O’Donoghue and Angelika Bialowas on Posted in Privacy & Data Protection

During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.

The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.

Purpose of the CoC Guidelines

The main purpose of the CoC Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (GDPR) relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries. These provisions specify that a code of conduct, which has been (1) approved by a competent supervisory authority and (2) has been granted general validity within the EEA by the EU Commission, may be used and adhered to by controllers and processors not subject to the GDPR to provide appropriate safeguards to affect transfers of data outside of the EU.

The CoC Guidelines should further act as a clear reference for all EU supervisory authorities, the EDPB and assist the EU Commission in evaluating codes in a consistent manner and streamline the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers are aware of the process and understand the formal requirements and the appropriate thresholds required for setting up such a code of conduct. Continue Reading

Ransomware is on the rise – what to do if you are faced with a cyber attack

Photo of Cynthia O’DonoghuePhoto of Philip ThomasBy Cynthia O’Donoghue and Philip Thomas on Posted in Data & Cyber Security, Privacy & Data Protection

As a result of the COVID-19 pandemic, many more organisations have moved their business operations online.  From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.

Continue Reading

New SCCs: Ireland amends its legislation to allow for third-party rights

Photo of Cynthia O’DonoghueBy Cynthia O’Donoghue on Posted in Privacy & Data Protection

The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for third-party beneficiary rights. Where a Member State’s laws did not allow for third-party beneficiary rights, then the SCCs would have to be governed by the law of another Member State that recognises third party beneficiary rights.

Ireland had been the only member state that did not allow for third-party beneficiary rights as the law had required strict privity of contract. Despite some commentary about data subjects being able to use a theory of agency to enforce their rights, the Irish Department of Justice issued a statutory instrument (S.I.) to amend the Irish Data Protection Act 2018.

With the new SCCs entering into force on the 27th of June, a new Irish S.I., the EUROPEAN UNION (ENFORCEMENT OF DATA SUBJECTS’ RIGHTS ON TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION) REGULATIONS 2021, was issued and came into force on the 24th of June—just days before the SCCs became effective. S.I. No. 297 of 2021 amends Section 117A of the Irish Data Protection Act by providing an express right for individuals to enforce third party beneficiary rights granted to data subjects under the SCCs. What’s more, this S.I. also allows for data subjects to enforce third party beneficiary rights under binding corporate rules and any other standard data protection clauses that may be adopted by a national supervisory authority and approved by the EC.

Continue Reading

Here we go again – Unified Patent Court back on track

Photo of Anette GaertnerPhoto of Alexander KlettPhoto of Thierry LautierPhoto of Jonathan RadcliffePhoto of Marianne SchaffnerBy Anette Gaertner, Alexander Klett, Thierry Lautier, Jonathan Radcliffe and Marianne Schaffner on Posted in Intellectual Property, Regulatory

The German Constitutional Court issued a landmark decision with implications for many companies doing business in Europe on July 9, 2021. For decades, the European Commission and EU member states strived to create a pan-European Unified Patent Court (UPC). After overcoming many hurdles, any sensible commentator will be cautious in making statements about the future of the UPC. That said, for the first time in years it now appears that the pan-European patent litigation system may finally come into being. This entails advantages and disadvantages, such as the availability of pan-European injunctions and pan-European patent invalidation proceedings. Admittedly, nobody can predict the quality of judgments issued by the future court. For owners of European patents who are concerned about losing their IP rights, now is the time to identify the crown jewels and to opt out of the system.

Our recent client alert explains the German Constitutional Court decision and what is next.

Tune in for the latest updates on our Tech Law Talks podcast

Photo of Sarah BrunoPhoto of Therese CraparoPhoto of Anthony DianaPhoto of Jason GordonPhoto of Cynthia O’DonoghuePhoto of Dr. Andreas SplittgerberPhoto of Catherine CastaldoPhoto of Asel IbraimovaBy Sarah Bruno, Therese Craparo, Anthony Diana, Jason Gordon, Cynthia O’Donoghue, Dr. Andreas Splittgerber, Catherine Castaldo and Asel Ibraimova on Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)

Continue Reading

EDPB and EDPS adopt joint opinion on the data protection implications raised from the proposed Artificial Intelligence Act

Photo of Cynthia O’DonoghuePhoto of Angelika BialowasBy Cynthia O’Donoghue and Angelika Bialowas on Posted in Privacy & Data Protection

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion).

The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI) which was presented on the 21st April 2021 (Proposed Regulation). The Proposed Regulation laid out (i) harmonised rules for the placing on the market, the putting into service and the use of AI systems in the EU; (ii) prohibitions of certain AI practices; (iii) specific requirements for high-risk AI systems and obligations for operators of such systems; (iv) harmonised transparency rules for AI systems; and (v) rules on market monitoring and surveillance. We have previously summarised the obligations, scope and effect of the Proposed Regulation in our previous client alert, here.

The EDPB and the EDPS welcome the concern of the Commission in addressing the use of AI within Europe and stress that the Proposed Regulation has important data protection implications. Both authorities agree with the risk-based approach underpinning the Proposed Regulation and further welcome the fact that the Proposed Regulation designates the EDPS as the competent authority and the market surveillance authority for the supervision of the EU institutions. However, they note the role and tasks of the EDPS should be further clarified, specifically to its role as a market surveillance authority.

Continue Reading

EDPB adopts final recommendations on Supplementary Measures nearly a year after the CJEU’s Schrems II ruling

Photo of Cynthia O’DonoghuePhoto of Dr. Andreas SplittgerberPhoto of Asel IbraimovaPhoto of Christian LeuthnerBy Cynthia O’Donoghue, Dr. Andreas Splittgerber, Asel Ibraimova and Christian Leuthner on Posted in Privacy & Data Protection

The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected does provide an equivalent level of protection to that offered under the GDPR and individual’s rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance where there is “problematic legislation” in an importing country such that public and governmental authorities would be able to access individuals’’ personal data.

The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations.  The final draft places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls organisations to review not only laws but also practices of a third country’s surveillance measures by public authorities. The final Recommendations also emphasise that use of the GDPR derogations are meant to be an exception to rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.

The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by the EU laws when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring protection travels with the data and jointly monitor the measures taken are effective in achieving that aim. Continue Reading

Department of Health and Social Care announce its draft strategy on data usage in the health and social sector

Photo of Cynthia O’DonoghuePhoto of Angelika BialowasBy Cynthia O’Donoghue and Angelika Bialowas on Posted in Privacy & Data Protection

On the 22nd of June 2021, the Department of Health and Social Care (DHSC) published its draft strategy ‘Data saves lives’ on the use of data within the health and social care sector, available here. In the draft strategy, the DHSC set out its plans to use data to improve the health and care of the general population, with the ultimate goal to have a health care system that is supported with accessible and high-quality data.

The proposed changes come at a time when the use of data to improve patient care and digital developments are even more important as a result of the COVID-19 pandemic.

Priorities

The document outlines three key priorities underpinning the DHSC strategy:

  • To build understanding on how data is used, explore the potential for data innovation, and improve transparency so the public has control over how DHSC make use of their data.
  • To make appropriate data sharing the norm across health, adult social care and public health.
  • To build the right technical, legal and regulatory foundations to make these priorities possible.

The DHSC plans to announce secondary legislation to require all adult social care providers to provide information about all the services they fund to ensure service users have the best care and experience and to give staff more information in providing care.

The draft strategy is split across seven chapters, here are the key takeaways from each chapter:

  • Bringing people closer to their data: the strategy plan includes breaking down data barriers and giving patients’ confidence that their health and care staff have up-to-date data. The plan is to give patients more control over their health data with easier access to their test results; medication lists; procedures; and care plans across all parts of the health system through patient apps, such as the NHS App.
  • Giving health and care professionals the data they need to provide the best possible care: this commitment includes plans to embed the Information Governance Portal as a one-stop-shop for guidance and assistance when it comes to data sharing. DHSC also plans to develop a national information governance strategy to address training for frontline staff and develop new e-learning packages on the use of data.
  • Supporting local and national decision makers with data: efforts to support national decision makers with data will include ensuring that adult social care providers integrate with basic shared records solutions across health by September 2022. DHSC hopes this will give national leaders, the necessary insights and evidence required for an accurate understanding of the health and care system to develop better policy and guidance.
  • Improving data for adult social care: DHSC points out that few social care providers have access to information about the people in their care. DHSC wants to collect client-level data rather than aggregate data from local authorities to ensure that social care providers have regular and comprehensive data to enable person-centred, sustainable innovation for adult social care.
  • Empowering researchers with the data they need to develop life-changing treatments, models of care and insights: DHSC also set out plans to support researchers with data. To provide reassurance to the public that those entrusted with their data are keeping it safe, DHSC is also looking to develop new technological advances in how data is collected, stored and analysed. These systems will increasingly look to trusted research environments (TREs) which are secure spaces where researchers can access sensitive data without breaching privacy.
  • Helping colleagues develop the right technical infrastructure: this DHSC strategy focuses on setting up the necessary technical infrastructure in which data can be accessed in real-time through APIs via a national gateway. DHSC wants to agree target data architecture for health and social care outlining how and where data will be stored, shared and sent by winter 2021.
  • Helping developers and innovators to improve health and care: this final chapter acknowledges that innovators will be supported to develop and deliver new solutions quickly and safely for the benefit of all citizens, staff and the system. DHSC underlines the importance of using artificial intelligence (AI) to improve the delivery of health and care services by analysing large quantities of complex information. To support this effort, DHSC will ensure AI regulation is fit for purpose as part of amending the Medical Devices Regulations 2002 following the UK’s departure from the EU and aim to streamline the regulation pathway for AI technologies to enable innovators to get their products on the market in an efficient manner.

Next Steps

One thing we have learnt from the difficult COVID-19 pandemic is the importance of data and the potential it has to make a difference when it is used appropriately and effectively. The DHSC strategy has the potential to unlock health and care data for the benefit of everyone. The draft strategy is open for public consultation until 5 p.m. on the 23rd July 2021. If you would like to offer feedback, you can do so by accessing this link

UK adequacy decision for European data transfers

Photo of Cynthia O’DonoghuePhoto of Sarah O'BrienBy Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection

On the 28th June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK; one covering the GDPR and the other the Law Enforcement Directive (LED). Such decisions demonstrate that the Commission believes the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication of these decisions is that personal data can now flow freely from the EU to the UK, effective immediately.

Background

On the 19th February, the Commission published two draft adequacy decisions and launched the procedure for their adoption, which we previously wrote about here. Since then, the Commission has carefully assessed the UK’s laws and practices on personal data protection, including access to data by public authorities in the UK. The European Data Protection Board gave its opinion on the draft decisions in support of the Commission’s findings, which we also blogged about here, before finally receiving the ‘green light’ from the EU Member states’ representatives.

The Commission’s 93-page GDPR decision assesses the legal framework for the UK in detail even referencing laws such as the Magna Carta and Bill of Rights, and states ‘As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.’ They conclude  that ‘the Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.’

Continue Reading

LexBlog