Welcome to Safe & Sound Fire Limited and our data protection blog, covering the key developments in data protection law from February 2022. Our website is complete GDPR secure and ensures we follow the below guidelines on processing any personal data.
New Data Act proposed by EU
On 23 February 2022, the European Commission (“EC”) published its proposal for a Data Act (the “Act”) which aims to improve trust in data sharing and facilitate the sharing of industrial data between connected devices and devices on the Internet of Things (“IoT”). The EC hopes that the Act will help unlock the growth potential of the data economy (estimated by the EC to be worth €270 billion by 2028). The act is part of a suite of measures within the European Strategy for Data following the political agreement on the European Data Governance Act. The Act is not focussed on personal data, but the data generated by devices on the IoT and other connected devices which, currently, generally pass to the manufacturer.
As well as applying to manufacturers, providers and users of connected products and services placed on the market in the European Union, if adopted by EU lawmakers, the Act will also apply to data holders making data available to data recipients, public bodies, and data processors, where relevant.
The key proposals of interest in the Act are:
The Act will be monitored by a competent authority within each member state and shall apply from 12 months after the date of entry into force of the Act, providing it passes the legislative processes within the EU.
The ICO has released the third chapter of its extended consultation into draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies (the “Draft Guidance”). The third chapter of the Draft Guidance focuses on pseudonymisation and explains the key differences compared to anonymisation.
“Pseudonymisation” is defined in the data protection legislation in the UK as processing personal data in a way that it can no longer be attributed to a specific data subject without additional information. These two pieces of information (the processed data and the additional information), when combined, can reconstruct the data, but each has meaning only in combination with the other. That legislation adds that “unauthorised” reversal (i.e. the recombination of the two pieces of information) can specifically result in harm and so the risk of that harm must be mitigated appropriately.
The Draft Guidance also confirms that pseudonymised data is still personal data as it can identify a living individual, albeit indirectly. However, it does suggest that the pseudonymised data may no longer be personal data once transferred to another organisation without the key to re-identifying the individuals involved.
According to the Draft Guidance, the benefits of pseudonymisation are:
The Draft Guidance also explains how an organisation should approach pseudonymisation: from defining goals and risks to techniques and evaluating outcomes. The consultation is open until 16 September and can be accessed here.
The European Data Protection Board (“EDPB”) has begun its first action under the Coordinated Enforcement Framework by launching a review into the use of cloud-based services by the public sector (the “Review”). The Review will cover over 80 public bodies which will be contacted by their local Supervisory Authority to assess compliance with the data protection legislation. The Review does not eliminate individual investigations, and ongoing probes are not necessarily brought within the scope of the action.
However, it does mean that targeted investigations currently being carried out by Supervisory Authorities into affected areas are supplemented. One of the key concerns of the EDPB is data transfers out of the EU, in particular to large cloud suppliers in the US following the ruling in Data Protection Commissioner v Facebook Ireland Limited & Maximillian Schrems (Case C-311/18). The French data protection authority, the CNIL, has added to the point by suggesting that these cloud-based services have become essential technologies and so warrant additional attention.
The results, as well as any supervision and enforcement actions, will, although aggregated, give deep insight into the topic and allow follow up at the EU-level. That insight is intended to streamline enforcement and cooperation among supervisory authorities. It also aims to “foster best practices to ensure adequate protection of personal data” by public sector bodies across the EU. There is expected to be a state of play report published by the EDPB updating on the Review before the end of this year. The EDPB’s press release can be found here.
The EDPB has published guidelines on “Examples regarding Personal Data Breach Notification” (the “Guidelines”). The Guidelines set out a number of example scenarios where it would be necessary for data controllers to provide a notification to a supervisory authority under Article 33(1) of the GPDR and, where relevant, to data subjects under Article 34(1) of the GDPR. The examples in the Guidelines are from practice and are under common categories of breaches (e.g. ransomware attacks, human error and lost or stolen devices), with associated mitigation and preventative steps for each scenario along with notification obligations.
The Guidelines categorises data breaches according to the three key information security principles of confidentiality, integrity and availability of data and explores how a breach occurs in each of these:
Although the last category is typically the least harmful to data subjects, the Guidelines identify examples where it could result in a notification to a supervisory authority, for instance, where a health authority no longer has access to patient notes leading to a delay in treatment.
The Guidelines note that a variety of factors can be relevant to establishing when a risk is “high” to individuals but do not repeat the guidance on “likely to result in high risk” processing operations (further to the Article 29 Working Party Guidelines on Data Protection Impact Assessments here).
Instead, additional risk factors are considered such as: (i) personal data is exfiltrated but not fully backed up, rendering data not recoverable, and therefore unavailable; (ii) personal data is not secured using state-of-the-art encryption and is therefore readily available; and (iii) personal data is not maintained and compromised data cannot be effectively recovered.
A key emphasis in the Guidelines is on accountability; encouraging every controller and processor to have plans and procedures in place for handling eventual data breaches. This includes recommendations for regular training and awareness and ensuring that organisations have clear reporting lines and persons responsible for breach notification and data recovery processes.
The Guidelines are available to review here.