

Discover more from DPOInsider
Meta & data transfers to set a new precedent
The latest developments around Meta's data transfer suspension order and GDPR fine are a must-watch. According to Meta's Q1 2023 Form 10-Q and Q1 2023 earnings report, the company is preparing for a halt on its EU-U.S. data flows and a GDPR fine following the imminent final decision of Ireland's Data Protection Commission (DPC). This decision could potentially force Meta to halt its EU operations if an adequacy decision for the proposed EU-U.S. Data Privacy Framework isn't granted in time.
Meta's report states, "We expect the Irish Data Protection Commission to issue a decision in May in its previously disclosed inquiry relating to transatlantic data transfers of Facebook EU/EEA user data, including a suspension order for such transfers and a fine."
IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy notes that the expected stop-transfers order and any corrective measures could have larger financial implications for Meta and thousands of other companies than even a record penalty. A new data transfer mechanism replacing the EU-U.S. Privacy Shield Framework remains the top solution for Meta's transfer woes.
The timeline for finalizing a new mechanism is still uncertain as the European Commission collaborates with the U.S. for a final adequacy decision under the proposed EU-U.S. Data Privacy Framework. European Commissioner for Justice Didier Reynders indicated that the framework could be finalized as early as July, possibly within the deadline if the order includes a three-month implementation window.
It's crucial to understand that these developments could lead to EU businesses demanding data localization from U.S. partners or switching to domestic alternatives, as Fennessy points out. Such shifts might outlast the adequacy process, so privacy professionals should prepare their CEOs and boards for significant data transfer disruptions in the coming months.
This situation stems from the July 2020 "Schrems II" decision when the Court of Justice of the European Union invalidated the Privacy Shield and cast doubt over the use of standard contractual clauses. Meta's legal challenges to the DPC's inquiry were denied by the High Court of Ireland in May 2021, leading to the current draft decision that may halt Meta's personal data transfers from the EU to the U.S. The final decision from the Irish DPC is expected by 12 May.
New EDPB Guidelines on Personal Data Breach Notification
Recently, the European Data Protection Board (EDPB) published a new set of guidelines on personal data breach notifications under the General Data Protection Regulation (GDPR). These guidelines aim to revise and update the guidance on data breach notifications and provide much-needed clarification on some key concepts.
One crucial aspect clarified by the EDPB is the meaning of a personal data breach. According to the GDPR, a personal data breach is the "destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed." The EDPB further clarifies this definition with some concrete examples, like when a device containing a customer database is lost or stolen, or when a set of personal data is encrypted by ransomware. The key factor in determining whether an event is a data breach is the risk to individuals' rights and freedoms, which can result in "physical, material, or non-material damage."
Another vital aspect covered in the guidelines is the procedural obligations of data controllers in case of a data breach. Controllers are required to notify the competent data protection authority (DPA) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The EDPB clarifies when a controller is considered "aware" and emphasizes that even if all necessary information concerning a breach is not available within 72 hours, the DPA should still be informed.
In case of cross-border breaches, the guidelines recommend notifying the lead DPA, even though the breach may not necessarily have occurred where the affected data subjects are located. However, this does not apply to controllers not established in the EU. In such cases, the controller is responsible for notifying the breach to the supervisory authority of each Member State where data subjects are affected by the breach.
Lastly, the guidelines discuss the communication to data subjects in case of a data breach. If there's a high risk to the rights and freedoms of individuals, data controllers have an obligation to notify the affected data subjects, in addition to the competent or lead DPA. The EDPB provides examples and a list of criteria to consider when assessing such risk.
Overall, these new guidelines offer helpful clarifications and examples to help organizations better understand their notification obligations in case of a data breach. Despite some remaining challenges, such as non-EU controllers needing to notify personal data breaches in all 27 EU Member States, these guidelines should prove valuable for data privacy professionals in updating their data breach policies and procedures.
Other data privacy news
‘Divergence is coming’: Experts cast doubt on EU adopting U.K. GDPR reforms
The U.K. government in March introduced new legislative proposals aimed at freeing up compliance requirements under the country’s version of the General Data Protection Regulation (GDPR).
Capita hack prompts watchdog to warn pension funds over data
Regulators have urged UK pensions schemes to investigate whether they have suffered data breaches following a cyber attack on outsourcer Capita.
Data Breach Settlement: Manufacturing Company to Pay $1.75M to Employees
Parker Hannifin agreed to settle a class action lawsuit filed by employees in response to a data breach. Could more employees take legal action against employers when their personal information is compromised?
Post of the week
https://twitter.com/RobertJBateman/status/1653888053117632520?s=20