MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP

CHAPTER 14 The GDPR and International Privacy Issues

As discussed in Chapter 1, governments around the world vary in their approach to privacy law, policy, and regulation. As of the writing of this book, more than 160 nations globally have enacted significant privacy laws that apply to companies doing business within their borders (including ecommerce) and with their citizens. [1] Countries that have recently enacted or are currently enacting significant privacy protections include China, [2] India, [3] and Brazil. [4] The evolving privacy rules outside of the U.S. often impact business practices that relate to privacy. As also discussed in Chapter 1, the first wave of modern privacy laws – beginning in the 1970s – was based on fair information practices (FIPs), which originated with the U.S. government. Today, the worldwide template for privacy laws related to the protection of data is the 2018 update to the comprehensive European Union (EU) privacy requirements—the General Data Protection Regulation (GDPR). [5] The EU requirements apply broadly to companies with assets and employees in the EU; to companies who sell to individuals in the EU; and to data that has been stored in the EU. Fines for violations of the GDPR can be as much as 4 percent of worldwide revenues. This means that, for a company with worldwide revenues of $1 billion, the maximum fine is $40 million, while the maximum fine can be $4 billion for a company with worldwide revenues of $100 billion. These sanctions are significant enough to garner the attention of even the top management in businesses.
NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

Since a series of decisions by the European Court of Justice referred to as Schrems I and Schrems II (discussed in detail in Section 14.7.3), the EU legal system has closely scrutinized the surveillance practices of those countries where EU data is transferred – highlighting particular complexity in the data flowing from the EU to the U.S.

14.1 Overview of the General Data Protection Regulation

Key provisions introduced in the GDPR include (1) requirements for processing data, (2) individual rights, (3) notification of security breaches, (4) designation of data protection officers, (5) sanctions of up to 4 percent of worldwide revenues, and (6) rules for international transfers. [6] Under the broad definition in the EU of which companies are covered by the GDPR, companies doing business in the EU have the legal obligation to comply with these comprehensive privacy requirements, subject to potentially very large fines. [7]

14.2 Key Terms

The key terms in the GDPR include personal data, sensitive personal data, data subject, controller, processor, consent, data protection authority (DPA), and data protection officer (DPO). These terms have specific meanings under EU law that may appear to U.S. practitioners to be terms of art.

14.2.1 Personal Data

Personal data is broadly defined as any data that relates to “an identified or identifiable natural person.” This means a person who can be identified directly or indirectly. If data can be grouped together to lead to an identification, the pieces constitute personal data. Data that has been deidentified, encrypted, or pseudonymized remains personal data if it can be used to reidentify the person. Data is only considered “anonymized” if the process used is irreversible. [8]

Examples of personal data include:
- First and last name
- Home address
- Email address including a first and last name
- Identification card number
- Location data
- IP address [often not personally identifiable information (PII) in the United States]
- Cookie ID (often not PII in the United States)
- Advertising identifier on phone
- Data held by doctor or hospital, even separated from the patient’s name

Examples not considered personal data include registration number for a company, email addresses such as [email protected], and anonymized data. [9]

14.2.2 Sensitive Personal Data

“Sensitive personal data” is a special category of “personal data” that receives additional protections under the GDPR. Sensitive personal data includes:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation

Unless a specific exception applies under the GDPR, sensitive personal data requires the business to obtain “explicit consent” from the person to process the data for a specified purpose. [10]

14.2.3 Data Subject

With regard to the GDPR, the concept of “data subject” is critical to understanding the regulation. Basically, a data subject is the person whose data is being processed. [11] According to one of the official comments to the GDPR, known as a Recital, a data subject is any natural person whose data is being collected, stored or processed. [12] To understand which data subjects have rights under GDPR, it is important to consider the meaning of data subject in conjunction with the definition of personal data and the territorial scope of the law.
When EU-based establishments are processing the personal data of data subjects located outside of the EU, GDPR rights apply. Similarly, when establishments based outside of the EU are monitoring the behavior of or targeting goods or services to data subjects in the EU, GDPR rights apply.

14.2.4 Controller

The term controller means an individual or entity that “determines the purposes and the means of the processing of personal data.” [13] In simple terms, the controller is the company that directs the processing of data to further its business objectives. Under the GDPR, the obligations of controllers include the following:
- Implement data protection by default and by design
- Provide instructions to processors
- Ensure data security
- Report data breaches
- Cooperate with DPAs
- Appoint a DPO for the business
- Identify legal basis for processing
- Maintain data processing records
- Conduct data protection impact assessments (DPIAs) [14]

14.2.5 Processor

The term processor means an individual or entity that “processes personal data on behalf of the controller.” [15] The GDPR requires the processor to be governed by instructions provided by the controller in a contract. Generally speaking, the controller should bear more of the legal responsibility under the GDPR than the processor. Requirements flow downstream to a subprocessor (like a subcontractor). Under the GDPR, the obligations of processors include the following:
- Compliance with instructions of the controller
- Confidentiality
- Record of processing activities
- Data security
- Data breach reporting
- Cooperation with DPAs [16]

14.2.6 Consent

Consent is a concept that is foundational to the GDPR. For U.S. practitioners, the definition of consent in the GDPR may be much more detailed and elaborate than expected.
The term consent is defined as follows: freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. [17] For consent to be deemed informed, and therefore valid under the GDPR, the business must provide the data subject with the following:
- Controller’s identity
- Purpose of processing for which consent is sought
- Types of data that will be collected
- Information about the right to withdraw consent
- Information about automated processing
- Risks of transfers outside Europe

Under the GDPR, a data subject may express their consent by statement or by clear affirmative action. Note that businesses are responsible for being able to demonstrate that consent was obtained, and for ensuring that the data subject was provided sufficient information to make the consent informed. [18]

14.2.7 Data Protection Authorities

DPAs are responsible for enforcing data protection laws at a national level, and for providing guidance on the interpretation of those laws. DPAs are independent public authorities that investigate and enforce data protection laws. [19] There is one DPA in each EU Member State (which means a country in the EU), with the exception of Germany, which has a federal DPA with jurisdiction over the public sector and 16 Länder (or state-level) DPAs with jurisdiction over the commercial sector. [20]

14.2.8 Data Protection Officer

The DPO is the primary point of contact on data protection issues within a business that is based in the EU. The DPO facilitates and reviews the company’s GDPR compliance. With regard to qualifications, the DPO must have expertise in data protection law relevant to the data processing of the company. Critically, the DPO must not have any conflicts of interest—meaning the DPO must not have duties related to processing personal data that conflict with duties related to monitoring. [21] Which entities must appoint a DPO? The answer is not based on the entity being a controller or a processor.
Several key factors in determining the need for a DPO:
- Are the data subjects from the EU?
- Is the data in/from the EU?
- Is there large-scale monitoring of data subjects?
- Is there large-scale processing of sensitive personal information?
- Where is the company based?

Importantly, the term data protection officer (DPO) is used to refer to the representative for companies based in the EU. For companies that do not have a physical presence inside the EU, the company must appoint an “EU representative”—notably, someone who is subject to enforcement proceedings pursuant to the GDPR. For non-EU companies with subsidiaries in the EU, the picture is somewhat complex. [22]

14.3 General Principles

The GDPR contains seven key principles that are the foundation of the regulation, underpinning the rights it affords as well as its requirements and rules. These key principles form the framework for a company’s GDPR compliance program, and all processing of personal data must abide by these principles. The seven key principles are as follows: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. [23]

14.3.1 Lawfulness, Fairness and Transparency

Processing of personal data must be lawful and fair. This means that companies should have a legal basis for processing personal data and that data subjects should be made aware of the rules and safeguards as well as the risks associated with their data. [24] In addition, processing of personal data must be made transparent to data subjects so that they understand to what extent personal data concerning them are or will be processed.
The principle of transparency, which is intrinsically linked to fairness, requires that any communication (such as privacy notices) be concise, easily accessible, and written using clear and plain language that is easy to understand (in particular, when providing information to children). [25]

14.3.2 Purpose Limitation

Personal data must be collected for specified, explicit, and legitimate purposes. [26] The specific purposes for which personal data are processed should comply with all applicable laws (e.g., privacy, contract, employment) at all times during the data life cycle and should be clearly expressed to data subjects. [27] Thus, companies need to determine what personal data they need to collect and why before collecting personal data. The purpose limitation principle also requires that personal data not be further processed—any processing activity following collection, such as storage—in a manner that is incompatible with the original purpose for which it was collected. Whether further processing is incompatible will need to be assessed on a case-by-case basis considering the following key factors: [28]
- The relationship between the purposes of collection and the purposes of further processing
- The nature of the personal data and the safeguards adopted to ensure fair processing
- The reasonable expectations of the data subjects and the impact of the further processing on the data subjects

The GDPR makes it clear that further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered to be incompatible with the original purposes. [29]

14.3.3 Data Minimization

Processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing. [30] When determining the purpose of a processing activity, a company should carefully consider what personal data is necessary to achieve that purpose and subsequently collect and process only the necessary personal data. For instance, compliance with the data minimization principle requires that personal data no longer necessary be deleted or anonymized and that any data retention period be limited to a strict minimum. [31]

14.3.4 Accuracy

Personal data must be accurate and, where necessary, kept up to date. [32] The accuracy principle requires that every reasonable step is taken to ensure that personal data that are inaccurate are erased or rectified without delay.

14.3.5 Storage Limitation

Personal data must be kept for no longer than is necessary for the purposes of processing, which is interlinked with the data minimization principle. [33] The data retention period should reflect the purposes of processing, legal obligations, and industry best practices. The GDPR does allow the storage of personal data for longer periods if processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. To ensure that personal data is kept only as long as necessary, companies should establish time limits to review or erase the personal data stored. [34]

14.3.6 Integrity and Confidentiality

Through appropriate technical or organizational measures, personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data. [35] A company should take into account the state of the art; the costs of implementation; and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. [36]

14.3.7 Accountability

Under the accountability principle, a controller is responsible for and must be able to demonstrate compliance with the six principles in Sections 14.3.1–14.3.6. [37] The accountability principle aims to move privacy from theory to practice by requiring that the processes underlying privacy policies and procedures are implemented appropriately and effectively. [38] Accountability measures include documenting personal data breaches (including those not requiring notification), maintaining a record of processing activities, and conducting DPIAs. [39]

14.4 Data Subject Rights

A cornerstone of the GDPR is providing individuals with control over their personal data. [40] To allow individuals to exercise such control, the GDPR provides the following rights: the right to be informed of transparent communication and information; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object; and right not to be subject to automated decision-making. [41] Controllers are responsible for facilitating the exercise of these rights and must respond to rights requests within one month of receipt of the request (or, where necessary, within three months) in writing or, if requested, orally. [42] The identity of the requestor should be verified using reasonable measures such as asking for a form of photo identification. Generally, controllers cannot charge a fee to requestors; however, controllers may charge a fee to cover administrative costs for requests that are manifestly unfounded or excessive or for requests for additional copies of information previously provided. [43] In certain instances, a controller may refuse to act on a request, either because an exemption exists or because the request is manifestly unfounded or excessive. [44]

14.4.1 Right to be Informed of Transparent Communication and Information

Providing individuals with control over their personal data is only possible when they understand what a company is doing with their personal data. To help ensure that data subjects are properly informed, and as a part of the principle of transparency, the GDPR requires that controllers provide certain information on their processing and handling of personal data to data subjects when they collect personal data. This is commonly referred to as a privacy notice. [45] Where personal data is not collected directly from data subjects, the data subjects must be informed of details they would not be aware of, such as the source of the personal data concerned. [46] Controllers should take into account the nature, circumstances, scope, and context of their processing activities when balancing the requirements under the GDPR to provide comprehensive information in a concise form. Examples of different forms of privacy notices include a layered approach (short overview of key information linking to additional layers of detailed information), just-in-time notices (information relevant to the personal data about to be collected), and privacy dashboards (information and privacy preference management in one centralized area). [47]

14.4.2 Right of Access

The GDPR provides data subjects with the right to obtain the following from controllers: confirmation as to whether they are processing the data subject’s personal data, a copy of the personal data, and other information that should already be provided in a privacy notice. [48] When data subjects exercise their right of access, the request is often called a “subject access request.” A subject access request allows data subjects to understand the what, why and how regarding a controller’s personal data-processing activities, which in turn allows them to verify the lawfulness of processing. [49] Given the scope of information a controller may have to provide to data subjects under this right, the right of access is often the gateway to data subjects exercising other rights under the GDPR.

14.4.3 Right to Rectification

While the accuracy principle requires that personal data must be accurate, the right to rectification supplements this principle by allowing data subjects to require controllers to confirm the accuracy of their personal data. The GDPR provides data subjects with the right to have inaccurate personal data corrected and, taking into account the purposes of processing, to have incomplete personal data completed. [50] Personal data may be completed via a supplementary statement.

14.4.4 Right to Erasure (“Right to be Forgotten”)

Under the GDPR, data subjects have the right to have personal data erased in certain circumstances.
This right is known as the right to erasure or the “right to be forgotten.” The right applies where:
- “The personal data are no longer necessary … [for] the purposes for which they were collected or otherwise processed”
- “The data subject withdraws consent on which the processing is based … and where there is no other legal ground for the processing”
- “The data subject objects to processing [based on legitimate interests] and there are no overriding legitimate grounds for the processing”
- “The personal data have been unlawfully processed”
- “The personal data have to be erased for compliance with a legal obligation”
- “The personal data have been collected … [to offer] information society services [to children].” [51]

Under a valid erasure request, a controller must delete the relevant personal data, including from backup systems, unless an exemption applies, such as processing necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims. Further, where a controller has made the personal data publicly available online, the controller must use reasonable measures to inform other controllers processing the personal data to erase any links to or copies of the personal data. [52]

14.4.5 Right to Restriction of Processing

As an alternative to the right to erasure, data subjects have the right to restriction of processing, which allows them to limit the way their personal data is processed. The GDPR defines restriction of processing as “the marking of stored personal data with the aim of limiting their processing in the future.” [53] Methods of restriction include temporarily moving data to another system, making personal data unavailable to users, or removing data from a website. [54] The right applies where:
- “The accuracy of the personal data is contested,” and the controller is verifying the accuracy
- “The processing is unlawful,” and the data subject prefers to have the use of their personal data restricted rather than having it erased
- “The controller no longer needs the personal data,” but the data subject requires it for the establishment, exercise or defense of legal claims
- “The data subject has objected to processing” pursuant to the GDPR, and the controller is verifying whether its legitimate grounds override those of the data subject. [55]

The GDPR requires controllers to communicate any rectification or erasure of personal data and any restriction of processing to each recipient to whom they have disclosed the personal data, unless this is impossible or involves disproportionate effort. The information required to make such communications should be documented in the record of processing activities. [56]

14.4.6 Right to Data Portability

The GDPR further strengthens data subjects’ control over and access to their personal data with the right to data portability. This right allows data subjects to port data to themselves or to another controller. [57] Data subjects may request that the data is provided in a structured, commonly used, and machine-readable format such as CSV or Excel files. The right only applies (1) to personal data provided by the data subject (actively and knowingly provided by the data subject, or observed data provided by the data subject through the use of the service or device, such as search history or location data), (2) where the processing is based on consent or the performance of a contract, and (3) where the processing is carried out by automated means. [58] The right to data portability cannot adversely affect the rights and freedoms of others, including trade secrets or intellectual property rights. [59]

14.4.7 Right to Object

The right to object allows data subjects to require controllers to stop processing their personal data. When a data subject objects to the processing of their personal data for direct marketing purposes, a controller must cease all such processing, including any related profiling activities. [60] Data subjects may also object to the processing of personal data based on one of the following legal bases: (1) a task carried out in the public interest, (2) the exercise of official authority, or (3) legitimate interests; however, these objections do not trigger an absolute right. In these circumstances, data subjects must provide reasons as to why they are objecting to the processing, and controllers may refuse to act on the request if (1) they have compelling legitimate grounds overriding those of the data subject or (2) the processing is necessary for the establishment, exercise or defense of legal claims. [61]

14.4.8 Right Not to be Subject to Automated Decision-Making

Similar to the right to be informed, the right not to be subject to automated decision-making applies without any action by data subjects. This right is in the form of a general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect (e.g., cancellation of a contract, entitlement to or denial of a social benefit, or denial of citizenship). [62] A controller cannot carry out such processing unless the decision is (1) necessary for the performance of a contract between the data subject and controller, (2) authorized by law (e.g., monitoring and preventing fraud), or (3) based on the data subject’s explicit consent. [63]

14.5 Breach Notification and Response

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” [64] Recall that personal data is defined as “any information relating to an identified or identifiable natural person.” This means the concept of data breach is broader under the GDPR than under most U.S. laws. [65] In 2022, the annual aggregate number of data breach notifications reported pursuant to the requirements of the GDPR was approximately 110,000. During that time period, the Netherlands had the most breach notifications per capita, followed closely by Denmark. Since the GDPR went into effect in 2018, the DPAs in Germany and the Netherlands have received the most notices of data breaches. [66] The GDPR authorizes fines for data breaches up to 4 percent of a company’s worldwide revenues. This topic will be further discussed in Section 14.6 on enforcement.

14.5.1 Notice Required from Controllers

The GDPR requires controllers to report data breaches to the relevant DPA within 72 hours of becoming aware of a breach, where feasible. Controllers are “aware” of a breach when they have a reasonable degree of certainty that a security incident has compromised personal data. [67] If for any reason the controller cannot meet this deadline, they are required to provide the reasons for the delay with the notification. [68] Controllers are not required to report a breach if it is unlikely to result in a risk to individuals’ rights and freedoms, but controllers must still document the details of the breach (e.g., nature of the breach, personal data affected, likely consequences of the breach, remedial measures taken, and decision whether to report to the DPA).
14.5.2 Notice Required from Processors

Processors are required to notify controllers “without undue delay” after discovering a breach. Controllers should strongly consider including specific instructions for how to handle this notice requirement in the contract between controller and processor.

14.5.3 Notice to Data Subjects

If a data breach occurs that is likely to result in a high risk to individuals’ rights and freedoms, the controller must notify affected data subjects without undue delay. At a minimum, the notification must be in “clear and plain language” and must include: [69]
- The name and contact of the DPO (or appropriate person)
- The likely consequences of the data breach
- Any measures taken by the controller to mitigate the breach

Note that the controller is exempted from notifying data subjects when (1) the risk of harm is low because the affected data is protected (such as encrypted data), (2) the controller has taken steps to protect the data subject from harm (such as suspended accounts), and (3) the notice would impose disproportionate effects on the controller (and would still require public notice of the breach). [70]

14.6 Enforcement

At least some commentators believe that the major difference between the 1995 Data Protection Directive and the GDPR relates to fines. EU data protection law in the 1990s was often aspirational. Today, with significant fines part of the picture, EU data protection law is a compliance regime. With fines as large as 4 percent of worldwide revenues, it is important for companies to understand the complaint process, liability for compensation, and levels of fines.

14.6.1 Complaint Process

An administrative complaint can be initiated by a data subject or by a DPA.
A data subject can file an administrative complaint with a DPA. A data subject can also file complaints with the courts in EU Member States: where the alleged issue occurred, where they reside, or where they work. A DPA can initiate a complaint or can address a complaint filed by a data subject. [71] Once a DPA has a complaint, there must be an assessment to determine whether more than one DPA has a similar complaint. A lead DPA must be determined. After assessing the complaint, the DPA must decide whether to impose an administrative fine. [72] When the DPA handles a complaint initiated by a data subject, the data subject has the right to bring the complaint to a national court if (1) the data subject is not satisfied with the decision of the DPA, or (2) the DPA does not inform the data subject—within 3 months—of the outcome of the complaint or of the progress on the complaint. In addition, the data subject has the right to seek a judicial remedy against the controller or processor. The judicial proceeding against the controller or processor should take place in the EU member state (1) where the controller or processor is established or (2) where the data subject has “habitual residence.” [73]

14.6.2 Liability for Compensation

Under the GDPR, both the controller and the processor can be liable to data subjects for harm caused by unlawful processing of personal data. Controllers are liable for any damages caused by unlawful processing. Processors are liable for processing in violation of the GDPR obligations on processors and for processing in violation of instructions given by the controller. If a controller and a processor are involved in the same processing where damage occurred, each is liable for the entire damage. Once the data subjects involved have been fully compensated, the controller or processor is entitled to compensation from the other relevant parties corresponding to their part in the responsibility for the damage.
In a situation where there are joint controllers, each controller is liable for the entire damage. Once the data subjects involved have been fully compensated, then the controllers involved can bring proceedings to recover portions of the damages from each other. 74 The GDPR provides that both controllers and processors are exempt from liability when they are “not in any way responsible for the event giving rise to the damage.” 75 11 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP 14.6.3 Levels of Fines Since the GDPR came into effect in 2018, European regulators have handed out several notable fines. 76 In 2022, Instagram was fined €405 million concerning improper handling of children’s data. 77 Also, in 2022, Facebook was fined €265 million related to a complaint of data scraping. 78 In 2021, Amazon was fined €746 million related to lack of consent for cookies. 79 For companies, it is important to understand that the GDPR has two levels of fines. Higher-level fines can be up to 4 percent of global annual revenues. Lower-level fines can be up to 2 percent of global annual revenues. 80 Higher-level fines focus on infringements related to basic principles of processing (including conditions of consent, lawfulness of processing, and processing of special categories of personal data), rights of data subjects, and transfers of personal data to a recipient outside of the EU. In this higher-level category, the maximum fines are the greater of €20 million or 4 percent of global annual revenue. Lower-level fines include infringements related to integrating data protection by default or by design, records of processing, cooperation with DPAs, security of processing data, notification to DPAs of a data breach, communication of data breach to data subjects, and designation of a DPO. 
For the lower-level category, the maximum fines can be the greater of €10 million or 2 percent of global annual revenues. 81 In addition to these fines, member states are permitted to impose criminal sanctions for violation of the GDPR. As of the writing of this book, at least 10 countries have adopted criminal sanctions. 82 14.7 Overview of EU Requirements for International Data Transfers The GDPR governs cross-border transfers of personal data. 83 Under the GDPR, transfers of personal data from the EU and Norway, Liechtenstein, and Iceland – which is known as the European Economic Area or EEA – to non-EEA countries or international organizations are prohibited unless one of the following transfer mechanisms can be relied upon: an adequacy decision, an appropriate safeguard (e.g., standard contractual clauses, binding corporate rules), or a derogation (e.g., explicit consent). 84 This section analyzes these numerous EU requirements for international data transfers. In the first subsection, we examine transfers to adequate countries. The second subsection details permissible methods to transfer data to other “third countries” – countries without an adequacy decision that are outside the EEA. Both appropriate safeguards and derogations are discussed. This section concludes with a discussion of transfers between the EU and U.S. As of the writing of this book, two agreements – U.S.-EU Safe Harbor and EU-U.S. Privacy Shield – have been put in place and subsequently struck down by the European Court of Justice. In July 2023, the EU-U.S. Data Privacy Framework was finalized. Many expect that this third agreement will be challenged as insufficient in the EU legal system. 14.7.1 Transfers to Adequate Countries Personal data is permitted to flow freely from the EU to countries that have adopted legal protections that EU law deems “adequate” – meaning that each country’s protections have been assessed to be “essentially equivalent” to those found in the GDPR. 
85 As of the writing of this book, 12 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP countries and territories deemed adequate for purposes of the GDPR are Andorra, Argentina, Canada, 86 Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the U.K., the U.S., 87 and Uruguay. 88 The grant of an adequacy decision is subject to periodic review. 89 It is worth noting that an initial threshold for an adequacy decision appears to involve an assessment of whether the country’s government upholds democratic principles and has an established rule of law. 90 14.7.2 Transfers to other “Third Countries” The GDPR prohibits data transfers to other “third countries” – countries without an adequacy decision that are outside the EEA – unless the transfer is subject to an appropriate safeguard or unless a derogation applies. Part of the EU assessment is the extent to which the recipient country has rule-of-law protections within a democracy. 
91 14.7.2.1 Appropriate Safeguards According to the GDPR, the term appropriate safeguards include the following: A legally binding and enforceable instrument between public authorities or bodies; Binding corporate rules; Standard data protection clauses adopted by the European Commission; Standard data protection clauses adopted by a DPA and approved by the European Commission; An approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor; An approved certification mechanism together with binding and enforceable commitments of the non-EEA controller or processor; Contractual clauses authorized by the DPA of the controller or processor transferring the data outside of the EEA; or Administrative arrangements between public authorities authorized by the DPA in the country from which the transfer is being made. 92 Among these safeguards, it is important for privacy practitioners to understand the following two transfer mechanisms utilized by many companies. These mechanisms provide for lawful transfers of personal data from the EU to the U.S. Standard contractual clauses (SCCs). For SCCs, a company contractually promises to comply with EU law and to submit to the supervision of a DPA. 93 In practice, SCCs are the most common legal basis for transferring personal data. 94 Binding corporate rules (BCRs). BCRs provide that a multinational company can transfer data between countries, including among affiliated entities, after certification of its practices by a DPA. 95 13 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP 14.7.2.2 Derogations If a transfer is not covered by an adequacy decision or appropriate safeguard, the GDPR provides derogations or conditions under which a transfer may occur. 
(Derogation is a term often used in the EU where the term exception would be used in the United States.) The derogations allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for one of the following: The performance of a contract between the data subject and controller (including precontractual measures) and the transfer is occasional; The performance or conclusion of a contract concluded in the interest of the data subject between the controller and a third party and the transfer is occasional; Important reasons of public interest; The establishment, exercise or defense of legal claims and the transfer is occasional; or The protection of the vital interests of an individual incapable of giving consent. 96 A transfer is also allowed if made from a public register. 97 Finally, as a last-resort derogation, a transfer may take place if none of the other derogations apply if it is necessary for the purposes of compelling legitimate interests and if it meets all of the specified requirements under the GDPR, including notifying the DPA of the transfer. 98 The EDPB and other EU regulators have interpreted the scope of these derogations relatively narrowly, citing case law permitting derogations only so far as is “strictly necessary.” 99 14.7.3 Transfers from Europe to the U.S. At the time of writing of this book, the legal authorization to transfer data between the EU and the U.S. has transformed from a stable process to one that is in flux. Privacy practitioners should be keenly aware that this critical area of cooperation between the EU and the U.S. could change rapidly and dramatically, depending on the outcome of European court cases or negotiations between the EU and U.S. 14.7.3.1 Schrems I Case Until 2015, many U.S. 
companies that did business in the EU participated in the U.S.-EU Safe Harbor program to provide a lawful basis for EU data to be transferred to the United States under the EU Data Protection Directive in place at that time, which is the pre-cursor to the GDPR. In 2015, the European Court of Justice struck down the Safe Harbor program in the case of Schrems v. Data Protection Commission (Schrems I case). 100 This decision was made in significant part based on concerns about U.S. government surveillance, as made public by the 2013 Snowden disclosures. 101 14.7.3.2 Schrems II Case In 2016, the EU-U.S. Privacy Shield – the successor agreement to the U.S.-EU Safe Harbor – was put in place. The agreement set forth (1) commitments by U.S. companies, (2) detailed explanations of U.S. laws, and (3) commitments by U.S. authorities. U.S. companies who imported personal data 14 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP from the EU under the Privacy Shield accepted obligations on how that data could be used, and those commitments were legally binding and enforceable. In 2020, the European Court of Justice struck down the Privacy Shield in the case of Data Protection Commissioner v. Facebook Ireland & Schrems (Schrems II case). 102 In Schrems II, the Court again raised concerns about the perceived lack of legal protections from U.S. government surveillance for EU data being transferred to Facebook, which is headquartered in the U.S. 
103 It is important to note that, although the Schrems II case involved a U.S.-based company, the language of the Schrems II case states that the decision applies generally to all “third countries” – with potentially significant implications for countries outside of the EU, such as China, 104 that provide fewer protections against government surveillance than the U.S. 105 14.7.3.3 EU-U.S. Data Privacy Framework In July 2023, the EU and the U.S. finalized the requirements of the EU-U.S. Data Privacy Framework. From the U.S. side, this meant that the U.S. put in place safeguards to address the concerns raised by the European Court of Justice in the Schrems II case. With the issuance of President Joe Biden’s Executive Order 14086, 106 the U.S. agreed: 1) to ensure that surveillance activities would comply with the “necessity and proportionality” standard; and 2) to establish an independent data protection review court to provide European citizens the ability to complain when they believe their personal data has been collected inappropriately by U.S. intelligence agencies. 107 As part of implementing the requirements of this Executive Order, the U.S. designated the EU and its Member States as “qualifying states,” meaning the U.S. determined that surveillance programs in Europe adequately protect the rights of U.S. citizens. 108 After the U.S. put these measures in place, the European Commission issued its adequacy decision for the U.S. 109 As of the writing of this chapter, many expect that the EU-U.S. Data Privacy Framework will be challenged as insufficient in the EU legal system. 110 14.8 Recent Developments in Global Data Flows The impact of GDPR has been significant, both in countries adopting their own GDPR-like data protection statutes as well as in companies adopting practices for cross-border data flows based on interpretations of the requirements of EU law. There have also been numerous developments in global data flows that are not derived from GDPR. 
In part acknowledging that most countries in the world are not likely to qualify for an adequacy decision under the EU’s GDPR, the Asian-Pacific Economic Cooperation (APEC) undertook an approach to allow trade while providing privacy protections. 111 Realizing the need for common principles for government access to personal data held by private companies, the Organisation for Economic Co-operation and Development (OECD) 112 has engaged in a multi-year process to develop these principles. 14.8.1 Global Cross-Border Privacy Rules Forum based on Existing APEC Framework As of the writing of this book, APEC has published a declaration concerning an international approach to allow trade between participating countries while providing assurances regarding how data will be handled. The U.S., Canada, Japan, Singapore, the Philippines, the Republic of Korea, and Chinese Taipei announced in 2022 the establishment of an international certification system based 15 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 14 – as of 04/02/2024 © IAPP on the existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems. 113 The new approach, known as the Global Cross-Border Privacy Rules Forum (Global CGPR Forum), will technically be independent of the existing APEC framework, allowing non-APEC members to participate. 114 14.8.2 OECD Common Principles for Government Access to Personal Data Held by Private Companies In 2022, the OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies. 
The principles focus on the following topics: legal basis for government access; pursuit of legitimate aims and in conformity with the rule of law; requirements for approval; appropriate handling of personal data; transparency; oversight; and appropriate remedies. Numerous governments are involved in these negotiations including the U.S., the U.K., Canada, Australia, New Zealand, and the EU. 115 14.9 Conclusion For companies doing business outside the U.S., an increasingly important aspect of information management is ensuring compliance with the laws in non-U.S. countries. Even companies operating within the U.S. may be covered if their websites are accessed from the EU or other jurisdictions with strict privacy rules. For companies affected by non-U.S. laws, compliance efforts often focus on rules governing international data flows and data breaches. Since 2018, the requirements of the EU’s GDPR have become increasingly important – both because most businesses with an internet presence are doing business in Europe and because many countries around the world are implementing privacy laws to protect data that are patterned after the GDPR. Thus, familiarity with the GDPR is important for most privacy professionals in the U.S. 1 Graham Greenleaf, “Global Data Privacy Laws 2023: 162 National Laws and 20 Bills,” 181 Privacy Laws & Business International Report 1, 2-4, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4426146. 
For a searchable database, see “Data Protection Laws of the World,” DLA Piper, https://www.dlapiperdataprotection.com/#handbook/world-map-section/c1_RU (accessed October 2023); see Francesca Casalini, Javier Lopez Gonzalez & Taku Nemoto, “Mapping Commonalities in Regulatory Approaches to Cross-Border Data Transfers,” Organisation for Economic Co-operation and Development (OECD) Trade Policy Paper, May 2021, https://www.oecd-ilibrary.org/trade/mapping-commonalities-in-regulatoryapproaches-to-cross-border-data-transfers_ca9f974een;jsessionid=9M_Msj7seEBO28Cf3Rb0ybdofqqitbLo9mu1C9zU.ip-10-240-5-97. 2 China, IAPP Resource Center, https://iapp.org/resources/topics/china-3/ (last accessed November 2022); see Derek Ho & Mandy Zhu, “China Cross-Border Data Transfer Mechanism and Its Implications,” IAPP, August 23, 2022, https://iapp.org/news/a/china-cross-border-data-transfer-mechanism-and-its-implications/; see also Graham Webster, “Topic Guide: Personal Information Protection Law,” DigiChina, October 31, 2021, https://digichina.stanford.edu/work/knowledge-base-personal-information-protection-law/; “Translation: Data Security Law of the People’s Republic of China,” DigiChina, June 29, 2021, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/. As of the writing of this book, China has handed out the largest fine for violations of privacy and cybersecurity laws. In 2022, the Cybersecurity Administration of China fined Didi Global, the Chinese ride-sharing company, approximately $1.2 billion. Michael Hill, “The 12 Biggest Data Breach Fines, Penalties, and Settlements So Far,” 16 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.