- Security: The FTC has been active in bringing data security cases and is exploring its remedial authority related to data privacy.
- Transparency: The FTC supports transparency as an important means for building trust in privacy disclosures. Challenges arise with “how and when to be transparent” so that consumers have access to meaningful information at the right time. While privacy disclosures provide accountability, the FTC staff comment notes that many “are characterized by bloat, opacity, and legalese.” The FTC supports a more consumer-oriented approach to disclosures, including context-specific and sector-specific approaches.
- Control: The FTC supports a balanced approach to consumer control of collection and use of data in a manner that “takes consumer preferences, context (including risk), and form into account.”
- FTC Enforcement: The staff comment reports that the FTC has “used its enforcement authority vigorously” and “should continue to be the primary enforcer of laws related to information flows in markets.” However, the FTC’s enforcement capabilities are limited by lack of authority over non-profits and common carrier activity and the absence of civil penalty authority. FTC enforcement can be constrained because certain privacy laws are either targeted narrowly to specific risks or do not include in statutory definitions the kinds of data collection made possible as the result of technological advances.
The FTC staff comment urged Congress to act on data security and breach notification legislation. The Commission noted that “legislation should balance consumers’ legitimate concerns about the protections afforded to the collection, use, and sharing of their data with business’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”
EDPB Publishes Guidelines On Territorial Scope For Public Consultation – On November 16, 2018, the European Data Protection Board (“EDPB”), the General Data Protection Regulation (“GDPR”) successor of the Art. 29 Data Protection Working Group, released its long-awaited Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”) for public consultation. While not final, the Guidelines already address several pressing issues regarding the GDPR’s (extra) territorial application. This article summarizes the EDPB’s advice on some of the most frequently asked questions about these issues since the GDPR entered into force on May 25, 2018.
The GDPR’s territorial scope is stipulated in Article 3 of the GDPR. The first paragraph of the provision addresses the GDPR’s application to companies established in the European Union (“EU Controller” or “Processor”), and in the second paragraph, GDPR’s extraterritorial application to companies not established in the EU (“Foreign Controller” or “Processor”). Whilst the wording of the provision initially appears to be straightforward—GDPR either applies if data are processed through an establishment in the EU or if a Foreign Controller or Processor targets or tracks data subjects in the EU—the application of this provision has caused companies across all industries a headache in day-to-day practice.
The following three issues seem to be amongst those which arise most frequently in practice:
- EU Controllers wonder whether the personal data of data subjects living outside the EU must be processed in accordance with GDPR principles. For example, must a European based reinsurance company inform Chinese policy holders about the processing of their data under a reinsurance contract with the Chinese insurer pursuant to Article 14 (information to be provided where personal data have not been obtained from the data subject)?
- As the first sentence of Article 3(1) refers to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union,” it was unclear whether GDPR may apply to Foreign Controllers just because they retain an EU Processor. Some sources argued that an EU-based vendor “taints” the foreign processing activities of a Foreign Controller and makes them subject to GDPR.
- Foreign Controllers in different industries, including financial institutions, hotels or hospitals, have been challenged by the question of whether they have to comply with GDPR when dealing with EU citizens, e.g., when accepting European investors, guests or patients in their respective home countries.
In practice, there has been a high level of uncertainty about how to deal with these issues. Now, the EDPB’s Guidelines provide some answers to these questions.
On the first question as to whether non-EU citizens may benefit from the protections of GDPR, the EDPB notes that “the text of Article 3(1) does not restrict the application to the processing of personal data of individuals who are in the Union.” It concluded, therefore, that GDPR applies to EU Controllers and Processors “regardless of the location or the nationality of the data subject whose personal data are being processed.” This means that the duties under GDPR to provide information about processing—as well as all other GDPR provisions—are likely to apply to data subjects in foreign countries, subject to specific derogations such as those in Article 14(5), for example the disproportionate effort involved in providing such information, or the requirement to keep data confidential due to a secrecy obligation derived from EU or member state law.
Regarding the second issue as to whether retaining an EU Processor may bring Foreign Controllers within the GDPR’s reach, the EDPB has voiced its strong opinion that the retention of an EU Processor does not automatically subject the Foreign Controller to GDPR. The EDPB stressed that a Foreign Controller “will not become subject to the GDPR simply because it chooses to use a processor in the Union.” In this scenario, only the EU Processor must comply with the GDPR requirements imposed on it directly, for example in Article 28, which deals with the obligations on vendors who process personal data on behalf of a Data Controller. The EDPB provided a full list of directly applicable provisions in the Guidelines (see page 11 of the Guidelines).
As to the third issue about whether Foreign Controllers have to comply with the GDPR when dealing with EU citizens, the EDPB clarified that this section is limited to the processing of data of individuals who are “in the Union.” Therefore, the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR as long as the Foreign Controllers or Processors do not specifically “target” or “track” individuals in the EU pursuant to Article 3(2)(a) or (b). U.S. funds, hotels or hospitals that are available to investors, guests or patients from the EU, but do not specifically target or track them, therefore do not fall under GDPR.
The Guidelines also provide further helpful rules to assess the threshold definition of an “establishment” of a controller or processor and when the rules around “targeting” or “tracking” of data subjects in the EU apply. The EDPB also clarified that, once GDPR applies, there can be no cherry-picking among the respective rights and obligations, but that “all provisions of the Regulation apply to such processing,” including, as the case may be, the appointment of a Data Protection Officer (“DPO”) pursuant to Article 37, or, in case of an extraterritorial application, the designation of a representative in the EU pursuant to Article 27.
Whilst the EDPB confirmed that the function of a representative can be exercised by a wide range of commercial and non-commercial entities based on a service contract, including law firms or consultancies, it has confirmed its view that the function of a representative in the Union is incompatible with the role of an external DPO. In the EDPB’s view, there are different requirements for the two roles: whereas the representative acts under the direct instruction of the management, the DPO has to fulfill its role with a sufficient degree of autonomy and independence. Therefore, Foreign Controllers or Processors subject to the application of these provisions may be required to appoint two (external) service providers in the EU to comply with GDPR requirements.
Proposed Changes to South Korea’s Personal Information Protection Act – In November 2018, the South Korean National Assembly considered a bill to amend the Personal Information Protection Act (“PIPA”) to give the Personal Information Protection Commission (“PIPC”) enforcement powers of its own.
PIPA, which was enacted on September 30, 2011, provides the main framework for South Korea’s strict data privacy regime and governs the collection, usage, disclosure and other processing of personal information. PIPA applies to all private and governmental organizations, unless there is sector-specific legislation (such as the Act on Promotion of Information and Communication Network Utilisation and Information Protection (the “Network Act”), the Act on Use and Protection of Credit Information, the Framework Act on Electronic Commerce, the Medical Service Act, or the Act on Real Name Financial Transactions and Guarantee of Secrecy) which provides for different rules in specific industries. Notably, PIPA established the PIPC as the independent supervisory body, and set down strong penalties for breaches which include heavy fines and even imprisonment for data handlers.
South Korea has been seeking an adequacy decision from the European Union (the “EU”) since 2015. An adequacy decision is a finding made by the EU Commission which confirms that the data protection legislation and systems in place in a non-EU country (“third country”) provide a comparable level of protection to that in the EU, such that personal data can be transferred safely from countries in the European Economic Area (the 28 EU Member States, Norway, Liechtenstein and Iceland) to that third country without the imposition of further authorisations. Although the third country’s data protection regime does not need to be identical to that of the EU, there must be “essential equivalence.” Under Article 45.2(b) of the General Data Protection Regulation, when assessing equivalence, the EU Commission must take into account “the existence and effective functioning of one or more independent supervisory authorities in the third country…with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers.” Under PIPA in its current form, the PIPC does not have any enforcement powers. Instead, such powers are assigned to the Ministry of the Interior and Safety (the “MIS”), which is a government body and therefore not independent.
Accordingly, South Korea is now looking to amend PIPA to hand the enforcement functions of the MIS and the Korea Communications Commission (which is the sanctioning authority under the Network Act) over to the PIPC. Commentators say that once such changes have been made, South Korea will be in a good position to obtain an EU adequacy decision.