The General Data Protection Regulation (GDPR) came into force in May 2018, as did local legislation designed to implement equivalent measures in the Islands. One might be forgiven for thinking that by the time we reach the GDPR's third birthday the world of data protection will be well settled. However, we anticipate that 2021 may in fact be a particularly busy year, for the reasons set out in this briefing.
Mourant has a team of experts who have advised extensively on data protection matters for a number of years, covering registration requirements; ensuring that policies, procedures and outward-facing documents are in place and adequate; data breaches; and addressing the exercise of rights by data subjects, which often becomes contentious.
We envisage the following key themes in 2021:
Focus by the regulators on compliance and enforcement
The GDPR and local equivalent laws did not represent a radical departure from the fundamental principles previously set out under EU Directive 95/46/EC or the earlier laws in the Channel Islands. However, it became clear that the obligations to ensure compliance increased significantly. In addition, the new threat of sanction by way of civil penalty brings the compliance obligations into sharper focus.
The Data Protection Authorities appear to have recognised the greater burden introduced by the new regime. As such, the focus over the last couple of years has been on introducing secondary legislation and guidance designed to help businesses understand and meet their obligations. One clear example relates to companies that process a small amount of personal data, such companies often being administered by a financial services business. It was previously understood that those companies were not intended to fall within the ambit of data protection legislation – however, that is no longer the case and those companies are all caught and expected to comply (although they may be able to take advantage of a slightly lighter-touch compliance regime).
The focus on assisting businesses to comply has meant a more limited focus on enforcement. However, it was always contemplated that any amnesty would end and the signs indicate that the time is now. In Jersey, the most recent publications and appointments at the authority have an enforcement focus, and the rollout in late 2020 of an audit programme suggests a greater emphasis on monitoring, rather than encouraging, compliance. In Guernsey, enforcement activity has already taken place with public reprimands and penalties being issued in late 2020. The trend in other jurisdictions is also towards greater enforcement.
There is a clear need to ensure compliance and to take action against those failing to comply in order for the Islands to maintain their adequacy status and ensure that safe data flows can continue. However, the financial and reputational consequences for a business that is the subject of enforcement action can be substantial. As such, businesses are well advised to ensure that they meet their compliance obligations, and that they are able to evidence that they do so.
The safe transfer of data from one controller to another and between jurisdictions is a necessary part of most business operations. If the transfer is to a country within the European Union, or a country holding adequacy status, the transfer is usually relatively straightforward. However, for jurisdictions not holding adequacy, there is a need to look to alternative measures to ensure compliance, which can be complicated.
Of particular recent relevance is:
The United Kingdom: Post Brexit, the UK is a third country for EU data protection purposes and no longer holds adequacy status. The UK was seeking adequacy, but this was not concluded as part of the Brexit deal. Instead, the Brexit agreement effectively grants a stay on the UK being treated as a third country until 1 July 2021. Therefore, for present purposes, the situation is as it was previously. If the UK is able to obtain an adequacy decision prior to 1 July 2021, that will remain the case, and this is understood to be the intention of the UK. However, failure to do so will clearly affect data transfers between the EU and the UK. It should be noted that Jersey (and Guernsey) have already extended their own adequacy decisions in respect of the UK until 31 December 2021. This should allow data transfers to the UK to continue throughout 2021. However, if the UK does not receive an adequacy decision prior to 1 July 2021, issues may arise under the GDPR.
The United States: The US has had a somewhat tricky history when it comes to adequacy. The latest position (following a decision of the Court of Justice of the European Union in August 2020 known as 'Schrems II') invalidated the previous basis for US adequacy. This was in light of a finding that US Law did not provide sufficient protection of data in line with GDPR requirements. This means that businesses that transfer data to the US will need to find alternative means to demonstrate compliance. Whilst this may involve reliance on certain standard clauses, there is doubt over whether that will be adequate in light of the findings of the CJEU.
Businesses are well advised to review where their data is stored and transferred, and to ensure satisfactory protections are in place.
Exercising of rights
The introduction of the GDPR, and equivalent laws, resulted in a fair increase in data subjects exercising their rights against data controllers. It is anticipated that the greater focus on enforcement referenced above may well result in a further increase.
This is particularly the case in relation to individuals affected by a data breach and data subjects exercising their right to gain access to their personal data (known as a Data Subject Access Request or DSAR). Handling a DSAR can be time-consuming and costly for businesses. Further, the question of what in fact needs to be disclosed pursuant to a DSAR can be complicated, in particular in light of some conflicting authorities and guidance from data protection authorities.
The best advice in this regard is to adopt a transparent and consistent approach, while also being prudent and careful in light of the issues that can arise from over-disclosure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.