In this month's edition of our Privacy & Cybersecurity Update, we examine the European Data Protection Board's published opinions on data protection impact assessments, an Ohio court's ruling that bitcoin is covered insured property rather than money, and a Florida court's decision involving third-party hackers and coverage under a commercial general liability policy. We also analyze cybersecurity-related settlements involving companies in the U.K. and the U.S., and China's new regulations that will take effect November 2018.
European Data Protection Board Issues Opinions on Data Protection Impact Assessments
Ohio Trial Court Holds That Bitcoin is Property, Not Money, Under a Homeowners Insurance Policy
Florida District Court Holds That Policyholder is Not Covered Under CGL Policy For Data Breaches Publicized by Third-Party Hackers
UK Financial Conduct Authority Fines Tesco £16.4 Million for Failing to Protect Against Cyberattacks
Vizio Settles Claims Relating to Data Collection Practices
Anthem to Pay Record HIPAA Settlement for Data Breach
China Passes New Cybersecurity Regulations Pursuant to 2017 Cybersecurity Law
European Data Protection Board Issues Opinions on Data Protection Impact Assessments
A key European data protection body has published opinions on the circumstances in which a company should carry out a data protection impact assessment under the GDPR. The opinions include specific requests to individual EU member states to update their own positions on these issues, creating an important test for the EU’s efforts to harmonize GDPR enforcement across the member states.
On October 3, 2018, the European Data Protection Board (EDPB) published opinions on the circumstances in which a company should carry out a data protection impact assessment (DPIA),1 recommending certain amendments to the guidance previously given by each member state's supervisory authority on this topic. If implemented, the amendments could mean that mandatory DPIAs would be required in fewer instances than previously recommended in some member states, such as the U.K., but more frequently in others, such as Germany.
These EDPB opinions also draw attention to whether the GDPR will ever successfully achieve harmonization across the member states. DPIAs are just one example of differing GDPR approaches taken by member states, and it remains to be seen whether the EU can actually achieve one of the GDPR’s key goals: consistency.
The Role of the European Data Protection Board
The EDPB is an independent European body based in Brussels that replaced the Article 29 Working Party (WP29) when the GDPR came into effect on May 25, 2018. It comprises representatives of the national supervisory authorities and the European Data Protection Supervisor (EDPS), as well as the supervisory authorities of the EEA EFTA states (Norway, Iceland and Liechtenstein), which are members with regard to GDPR-related matters but have no right to vote or to be elected as chair or deputy chair. The European Commission and the EFTA Surveillance Authority are able to participate in board meetings and activities but also lack a voting right.
The overriding aim of the EDPB is to contribute to the consistent application of data protection rules throughout the EU and to promote cooperation between supervisory authorities. Unlike the WP29 guidance, the EDPB's output has formal status under the GDPR: its general guidance (guidelines, recommendations and best practices) is issued under Article 70 and carries significant weight with supervisory authorities, and its dispute-resolution decisions under Article 65 are binding on them. It also is worth noting that the EDPB has endorsed the GDPR-related guidance issued by the WP29 prior to May 25, 2018.
Data Protection Impact Assessments
A DPIA is a process that helps an organization identify and minimize the data protection risks of any project involving new or amended data processing activities. As part of this assessment, organizations will need to describe the envisioned processing, to assess the necessity and proportionality of such processing in relation to the purposes, to assess the risks to rights and freedoms of the individuals concerned and to set out the measures that will be taken to address these risks.
A DPIA becomes mandatory when the processing is likely to result in a high risk to the rights and freedoms of individuals. Certain situations automatically are considered high risk under the GDPR, namely when an organization plans to:
- use systematic and extensive profiling with significant effects;
- process sensitive (e.g. health data) or criminal offense data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
In addition, the GDPR requires supervisory authorities in each member state to publish lists of the other types of processing activities requiring a DPIA and, at their discretion, those for which no DPIA is required.
Though EDPB-endorsed guidelines (WP248 Guidance)2 on how to assess a high-risk action are available, the lists put together by supervisory authorities providing practical examples on the type of processing activities requiring a DPIA differ significantly across the EU. The 22 opinions recently released by the EDPB advise how those DPIA lists should be amended for consistency purposes across the EU.
Potential Changes to Member State Advice
The EDPB opinions, which affect a number of member states, clarify that the lists prepared by supervisory authorities should state that they are not exhaustive, as scenarios that may qualify as high risk ultimately need to be assessed on a case-by-case basis. It also is good practice for an organization to conduct a DPIA prior to any critical project involving the processing of personal data. We highlight below the impact on Belgium, France, Germany and the U.K.
Interestingly, the EDPB seems to use the list published by the Belgian Autorité de la Protection des Données (APD-GBA) as a reference point when advising the other supervisory authorities on how to amend their lists, as the APD-GBA's list received far fewer requests for amendments than those of other member states. The EDPB did request one change: that the processing of health data by means of an implant be added as a matter requiring a DPIA, thereby adding a new scenario to the list of mandatory DPIAs in Belgium.
In relation to the processing of biometric, genetic or location data, the EDPB advised that such activity requires a mandatory DPIA only if another criterion requiring a DPIA also applies and therefore requested the U.K. Information Commissioner’s Office (ICO) to amend its list accordingly.
Similarly, the EDPB requested that the French Commission Nationale de l'Informatique et des Libertés (CNIL) update its list (and include the processing of location data). At the other end of the spectrum, the list of the German Bundesbeauftragte für den Datenschutz und die Informationsfreiheit and the supervisory authorities of the Länder (BfDI) did not mention these types of processing activities at all, which prompted the EDPB to request that they be added in line with the advice given to the ICO and the CNIL.
In relation to the processing of personal data collected via third parties, the EDPB advises that the lists of all four supervisory authorities be amended to reflect that only where such processing is carried out in conjunction with at least one other criterion will it trigger the need for a mandatory DPIA. If the suggested amendments were followed through in such jurisdictions, this would add another type of processing activity requiring a DPIA.
In relation to processing using new or innovative technology, the ICO also was requested to amend its list to state that a DPIA would only be required when such processing is done in conjunction with at least one other criterion. This amendment would further narrow the ICO's current list of mandatory DPIAs.
These four supervisory authorities, as with any other supervisory authority in the EU, are not obliged to amend their list in line with the EDPB opinion, but must justify their reasons if they elect not to do so.
Key Takeaways
We expect the DPIA lists of individual countries to evolve in light of the EDPB opinions. However, it is unclear if, and to what extent, the supervisory authority in each country will take the EDPB's suggested (but not required) changes into account. Where the suggestions are not followed, it will be interesting to see the reasoning articulated, as this may also point to potential future divergences from the EDPB.
Most importantly, how the supervisory authorities react to the EDPB's suggestions in relation to the DPIA lists represents one of the first real tests as to whether the GDPR is capable of being consistently applied across the EU. Given the existing discrepancies, it is quite possible that the supervisory authorities may not acquiesce to the EDPB’s views, reflecting the different aims and agendas that each jurisdiction has concerning data protection. This recent development, therefore, demonstrates the distance between the current data protection framework and the more...