April 1, 2019

Global Data & Privacy Update - March 2019

Welcome to the March Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Dutch Guidance on Cookie Walls

The Dutch Supervisory Authority has released guidance on the use of cookie walls. A cookie wall is where a user, on accessing a site, is presented with a pop-up and must agree to all cookies placed on the site in order to gain access. The guidance states that cookie walls (deploying tracking cookies) are not permitted as they do not meet the requirements for valid consent, under the General Data Protection Regulation (GDPR), to process personal data collected from those cookies. In its view, no genuine choice is provided where users are presented with a cookie wall and so the website has not obtained freely given and valid consent from the user to process their personal data. The European Data Protection Board (EDPB), in a previous statement on the draft ePrivacy Regulation which regulates the placement of cookies (rather than the processing of personal data from cookies), did not approve of cookie walls due to the issues with obtaining valid consent (the definition of consent in the ePrivacy rules is the same as in the GDPR).

This guidance follows a divergence of approaches across European supervisory authorities in recent cases that have assessed the validity of consent in relation to collecting personal data from cookies. Those cases focussed on the question of validity from the angle of cookie choice being connected to subscription payments.

Click here to read the Dutch Supervisory Authority Guidance on Cookies (accessible only in Dutch).

Regulating in a Digital World – House of Lords Report

The House of Lords Select Committee on Communications has published a report recommending a new Digital Authority manage and oversee regulation in the digital sphere. Currently, there are 13 regulators which touch on different aspects of this space, including the Information Commissioner's Office, however no single authority has oversight. The report advocates a principle based approach to shaping reform, due to the pace of developmental change in this area where specific rules could become quickly outdated. The report proposes 10 principles to support changes in this area, which include accountability, privacy and transparency.

The report notes the advances of recent legislative changes in strengthening data protection but highlights that in the digital world there are still improvements that should be made, including more extensive data portability rights, transparency and access.

Click here to read the House of Lords Report, HL Paper 299, on Regulating in a Digital World.

GPEN 2018 Report on Privacy Accountability

The Global Privacy Enforcement Network (GPEN) has released their annual report, this year addressing the implementation of data protection concepts within organisations, from the angle of accountability. This study was carried out in conjunction with 18 national data protection supervisory authorities who received responses from over 300 organisations.  

The report demonstrates that organisations still have a way to go with appropriately providing privacy notices, with 45% of organisations failing to maintain an appropriate notice which is easily accessible. It was flagged that some privacy notices did not clearly state whether the organisation has a data protection officer and or failed to provide contact information, which shows issues with transparency and accountability.  

Over half of responding organisations indicated that they have measures and processes in place to manage a data security breach, with 88% of organisations maintaining data security incident records. However, just under half stated that these records are not always current. The report highlights that companies do not regularly assess performance against standards, for example internal audits or self-assessments of different aspects of privacy, with only 36% of organisations managing compliance in this way.

The report demonstrates that there is still progress to be made to ensure that data protection concepts are complied with and embedded into an organisation.

Click here to read the full GPEN report.

EDPB Report on Supervisory Authority Roles under the GDPR

The European Data Protection Board (EDPB) has published a report on cooperation mechanisms available to supervisory authorities under the GDPR and cases reported to authorities. The GDPR, in contrast to previous legislation, specifically envisages cooperation between supervisory authorities, rather than working separately on cross-border cases.

The paper sets out, at a high level, how cooperation between a lead supervisory authority and a concerned supervisory authority will operate under the one-stop-shop mechanism. It notes that concerned supervisory authorities may object to a draft decision from the lead supervisory authority. There have so far been 45 cases reported to be operating under the one-stop-shop mechanism.

Since the GDPR has been implemented, there have been 281 cases with a cross-border element flagged in the EDPB's IT system for supervisory authorities. Just under 70% of those cases originated from a complaint made by an individual, pertaining primarily to data subject rights, consumer rights or a data breach.

Over 206,000 cases have been reported by supervisory authorities since the GDPR came into force. Just under 95,000 of those cases relate to a complaint, whilst around 65,000 originated from a controller's own data breach notification.

Click here to read the EDPB report.