EU-US Privacy Shield

EU-US Privacy Shield invalidation business implications follow-up

Since the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in their Schrems II judgement delivered two weeks ago, many questions have arisen around international data transfers to the US.

After the invalidation of the EU-US Privacy Shield by the CJEU two weeks ago, as reported by Aphaia, data transfers to the US require another valid safeguard or mechanism that provides an adequate level of data protection similar to the one granted by the GDPR.

European Data Protection Board guidelines

With the aim of clarifying the main issues derived from the invalidation of the EU-US Privacy Shield, the European Data Protection Board (EDPB) has published Frequently Asked Questions on the Schrems II judgement. These answers are expected to be developed and complemented along with further analysis, as the EDPB continues to examine and assess the CJEU decision.

In the document, the EDPB reminds that there is no grace period during which the EU-US Privacy Shield is still deemed a valid mechanism to transfer personal data to the US. Businesses that were relying on this safeguard and that wish to keep on transferring data to the US should therefore find another valid safeguard which ensures a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.

What about Standard Contractual Clauses?

The CJEU considered that the validity of SCCs depends on the ability of the data exporter and the recipient of the data to verify, prior to any transfer and taking into account the specific circumstances, whether that level of protection can be respected in the US. This seems difficult, though, because the Court found that US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

The data importer should inform the data exporter of any inability to comply with the SCCs and, where necessary, with any supplementary measures. The data exporter should carry out an assessment to ensure that US law does not impinge on the adequate level of protection, taking into account the circumstances of the transfer and the supplementary measures that could be put in place. The data exporter may contact the data importer to verify the legislation of its country and collaborate on the assessment. Where the result is not favourable, the transfer should be suspended; if the data exporter nevertheless intends to continue transferring, it should notify the competent Supervisory Authority.

What about Binding Corporate Rules (BCRs)?

Given that the reason for invalidating the EU-US Privacy Shield was the degree of interference created by US law, the CJEU judgement applies as well in the context of BCRs, since US law will also have primacy over this tool. As with SCCs, an assessment should be run by the data exporter, and the competent Supervisory Authority should be notified where the result is not favourable and the data exporter plans to continue with the transfer.

What about derogations of Article 49 GDPR?

Article 49 GDPR comprises further conditions under which personal data can be transferred to a third country in the absence of an adequacy decision and appropriate safeguards such as SCCs and BCRs, namely:

  • Consent. The CJEU points out that consent should be explicit, specific to the particular data transfer or set of transfers, and informed. This element involves practical obstacles when it comes to businesses processing data from their customers, as it would imply, for instance, asking for every customer’s individual consent before storing their data on Salesforce.
  • Performance of a contract between the data subject and the controller. It is important to note that this only applies where the transfer is occasional, and only to transfers that are objectively necessary for the performance of the contract.

What about third countries other than the US?

The CJEU has indicated that SCCs as a rule can still be used to transfer data to a third country. However, the threshold set by the CJEU for transfers to the US applies to any third country, and the same goes for BCRs.

What should I do when it comes to processors transferring data to the US?

Pursuant to the EDPB FAQs, where no supplementary measures can be provided to ensure that US law does not impinge on the essentially equivalent level of protection as granted by the GDPR and if derogations under Article 49 GDPR do not apply, “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the US. Data should not only be stored but also administered elsewhere than in the US”.

What can we expect from the CJEU next?

The EDPB is currently analysing the CJEU judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures.

ICO statement

The ICO is continuously updating its statement on the CJEU Schrems II judgement. The latest version so far is dated 27th July and confirms that the EDPB FAQs still apply to UK controllers and processors. Until further guidance is provided by EU bodies and institutions, the ICO recommends taking stock of the international transfers businesses make and reacting promptly, and states that it will continue to apply a risk-based and proportionate approach in accordance with its Regulatory Action Policy.

Other European Data Protection Authorities’ statements

Some European data protection supervisory authorities have provided guidance in response to the CJEU Schrems II judgement. While most countries are still considering the implications of the decision, some others are warning about the risk of non-compliance, and a few of them, like Germany (particularly Berlin and Hamburg) and the Netherlands, have openly stated that transfers to the US are unlawful.

In general terms, the ones that are warning about the risks claim the following:

  • Data transfers to the U.S. are still possible, but require the implementation of additional safeguards.
  • The obligation to implement the requirements contained in the CJEU’s decision is both on the businesses and the data protection supervisory authorities.
  • Businesses are required to constantly monitor the level of protection in the data importer’s country.
  • Businesses should run a previous assessment before transferring data to the US.

The data protection supervisory authority in Germany (Rhineland-Palatinate) has proposed a five-step assessment for businesses. We have prepared the diagram below which summarizes it:

Can the level of data protection required by the GDPR be respected in the US?

The CJEU considered that the requirements of US domestic law and, in particular, certain programmes enabling access by US public authorities to personal data transferred from the EU, result in limitations on the protection of personal data which do not satisfy GDPR requirements. Furthermore, the CJEU stated that US legislation does not grant data subjects actionable rights before the courts against the US authorities.

In this context, it seems difficult for a company to demonstrate that it can provide an adequate level of data protection to personal data transferred from the EU, because it would essentially have to bypass US legislation.

The latest moves in the US Senate do not shed light on this issue, because the “Lawful Access to Encrypted Data Act” was introduced last month. It mandates service providers and device manufacturers to assist law enforcement with accessing encrypted data if that assistance would aid in the execution of a lawfully obtained warrant.

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.

European Commission on Transition

European Commission Released Communication on transition between EU and UK.

The European Commission released a statement detailing the implications of the transition between the EU and UK.

As the UK approaches the end of its transition period out of the EU at the end of this year, the European Commission has released a communication assessing the country’s readiness for separation from the region. The withdrawal agreement, which was entered into on February 1st, 2020, secured the UK’s departure and stated that the laws of the Union would continue to apply until the end of the transition period ending on December 31st, 2020. The UK continues to participate in Union programmes, the EU’s single market and Customs Union, and to abide by Union policies and any international agreements which include the EU. All of this is due to change come January 1st, 2021, when the transition period has ended and the Withdrawal Agreement comes into effect. The transition period therefore serves as a period of continuity to ensure readiness for the implementation of all necessary measures and arrangements and to facilitate negotiation of a new partnership between the EU and the UK by January 1st, 2021.

Negotiations pick up momentum this summer as the EU and the UK seek to reach an agreement on a future partnership before the January 1st 2021 implementation date.

While negotiations were slow to move during the earlier part of this year, as of June they have picked up, as the UK’s government has decided not to extend the transition period. The aim is to reach an agreement on an ambitious partnership covering all areas agreed with the United Kingdom in the Political Declaration by the end of 2020. The resulting agreement would create a relationship very different from the current UK participation in the EU single market and Customs Union, and in the VAT and excise duty area. It is expected that there will be resulting barriers to trade in goods and services and to cross-border mobility and exchanges. All this, compounded by the pressure that businesses are already under due to the COVID-19 pandemic, is expected to cause some disruption as of January 1st 2021.

Businesses are advised to revisit their existing preparedness plans which were drawn up in the event that the UK’s withdrawal from the Union happened without a withdrawal agreement. While negotiations are still underway, those preparedness plans may still be relevant for the changes at the end of the transition period.

The European Commission released information on the effects of those changes specific to various industries, and implores companies to implement actions to ensure readiness.

The European Commission communicated an outline of the changes to be expected whether or not there is an agreement on a future partnership between the EU and the UK. As of 1 January 2021, the transition period allowing for the temporary participation of the United Kingdom in the EU Single Market and Customs Union will end, thereby putting a stop to the free movement of persons, goods and services. As a result, there will be several automatic changes.

The European Commission, since March 2020, has been publishing notices of readiness specific to various industries. To date, there are 59 notices spanning a wide range of industries, and this list will be updated on a regular basis as new notices become available. The Commission calls on all national and European consumer, business and trade associations to ensure that their members are fully aware of the expected changes. The changes being implemented as of January 1st 2020 will be automatic, far reaching and unavoidable. Both logistical and legal changes are to be expected, the effects of which should not be underestimated. Ultimately, businesses still need to undergo their own risk assessments and implement actions to ensure their own readiness.

What does this mean for data protection?

As we published in our blog in January, the ICO released a statement on the implications of Brexit for data protection, in which it provided some guidance on this matter. That is:

During the transition period

  • The GDPR continues to apply in the UK.
  • There is no need for a European representative.
  • ICO GDPR guidance is still relevant.
  • Transfers of data from the UK to the EU and from the EU to the UK are not restricted.

After the transition period

  • The GDPR will be brought into UK law as the ‘UK GDPR’ but the UK will have the independence to keep the framework under review.
  • A European representative may be necessary from the end of the transition period.
  • The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR.
  • The DPA 2018 will continue to apply.
  • The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
  • Data transfers between the UK and the EU may be restricted and adequate safeguards may be necessary.

Does your company process personal information in the UK or transfer personal information between the EU and the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

AI Ethics and Real Estate

AI Ethics and Real Estate: Further considerations for best practices.

The importance of upholding AI ethics in the world of real estate is essential to maintaining integrity in the industry as AI systems are incorporated in its processes.

Earlier this month we explored the importance of AI ethics in the real estate industry in ensuring its ability to function within regulation, while being of benefit to buyers, sellers, the industry and society in general. Artificial intelligence has the ability to revolutionize the real estate industry, however, as with anything else, measures have to be put in place to ensure that this functions ethically, in order to be of true benefit. In this article, we seek to explore the ethical principles that should be applied in the real estate industry to ensure that AI is truly of benefit to the society at large, not just a small number of individuals.

With real estate being the second least digitised industry in the world, difficulties are clearly present in how best to incorporate artificial intelligence in this industry. There are many factors to be considered in approaching the use of AI in the world of real estate and construction. With the many categorisations of data that describe any property, there is a need to ensure that coding for any AI system to be applied to real estate is extremely thorough. There is also a need for extreme transparency in the process to ensure that these AI systems function within regulation, and avoid discrimination as far as possible.

Technical robustness and safety in AI system development.

Machine learning is currently the dominant approach to developing AI systems and contributes to all sorts of technologies, including those used in the real estate sector. While this approach has been successful, it can sometimes fail in unintuitive ways. If we are to use machine learning effectively and ethically, it is important to consider the possibility of erroneous processing and work to limit its impact on the use of these systems. We must understand the strengths and limitations of this technology to ensure that it is being used to the best of its ability, within reason and within policy.

The development of AI systems should consider environmental, social and societal impact.

When it comes to choosing the perfect home or the right home for oneself, there are several factors that come into play. Home specifications, neighborhood demographics, and several other factors are paramount to making a buying decision. The opportunity arises here, to develop AI which can differentiate and seek out properties which are best suited to a buyer based not only on price or location, but perhaps building materials or even proximity to certain essential services.

It is important to ensure AI systems are avoiding discrimination as far as possible.

In using AI systems in the real estate market, it is important to ensure that buyers are not being “algorithmically blackballed” based on factors like nationality, race or generally just not fitting in with the current demographic of a neighbourhood. It is likely that historic biases can be inadvertently built into algorithms and cause them to reflect human prejudices. While it is unlikely that an AI software would be intentionally developed to discriminate against certain demographics, it is possible that these systems discriminate based on the original data inputs, which may show biases based on human prejudices. Real estate companies using AI should test the algorithms often to ensure that any algorithmically biased processes are curtailed.

AI systems used in real estate must be developed, and must function, within regulation.

The data of both buyers and sellers needs to be protected throughout the process of the sale and beyond. All AI systems’ processes should be governed by the GDPR to ensure that this is the case. It can be argued that the GDPR poses significant challenges to AI development because AI startups rely on data to train machine learning algorithms. However, if AI systems are to function ethically, they must be used within regulation, including during the development phases. Running a Data Protection Impact Assessment (DPIA) and a legitimate interest assessment is likely to be a must.

One of the aims of the GDPR is to ensure that people have the power to decide which of their information is used by third parties. This begins with the right to knowledge. In this regard transparency is key, as people have the right to information regarding how much of their data is being used and how. While it may be difficult to ensure full transparency with data subjects, data controllers need to ensure that they are compliant with the GDPR. Finding GDPR-friendly methods of AI development will benefit not just service providers but also data subjects, if done correctly.

We recently released a second vlog exploring the use of AI in the real estate sector as part of our series on AI within various Industries.

Subscribe to our YouTube channel to be updated on further content.

Do you have questions about how AI is transforming the real estate sector and the associated risks? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CCPA Enforcement date

The CCPA Enforcement Date for employment information and business-to-business data may be pushed back to January 1, 2022.

The CCPA Enforcement date may be pushed back to January 1, 2022 when it comes to employment and business-to-business data, rather than the initially scheduled January 1, 2021.

The California Consumer Privacy Act of 2018, or CCPA, originally enacted in 2018, was set to be enforced as of July 1, 2020, after the required regulations from the California Attorney General were issued in October 2019. While officials stated that the legislation would be enforced despite the crisis brought on by the coronavirus pandemic, and enforcement has therefore already begun, employment and business-to-business data may not be fully subject to the CCPA until January 1, 2022.

Is there any possibility for further changes to this act?

The initial proposed regulations were first published on October 11, 2019 and since then, two sets of modifications (on February 10, 2020 and March 11, 2020), have been released. California Attorney General Xavier Becerra, in June, submitted the final CCPA regulations to the Office of Administrative Law (OAL) for review. These final submissions were substantively identical to the second set of modified regulations proposed in March. While the general CCPA enforcement date remains the same, on June 25, the California state Senate amended Assembly Bill 1281 (“AB 1281”) to extend until January 1, 2022 exemptions from the CCPA for certain employment information and personal information involved in business-to-business communications and transactions. This act will likely come into effect only if it is enacted and the California Privacy Rights Act of 2020 (the “CPRA”) is not approved in the statewide general election on November 3.

What does this mean?

Currently, there are two exemptions in the CCPA which were supposed to become ineffective on January 1, 2021: employment-related information and information involved in business-to-business communications and transactions. This date may change though, depending on whether AB 1281 is enacted and the CPRA is approved.

Based on this, there are several potential scenarios (date on which the exemptions expire):

                       AB 1281 passed       AB 1281 not passed
  CPRA approved        January 1, 2023      January 1, 2023
  CPRA not approved    January 1, 2022      January 1, 2021

Who will be affected by CCPA?

This piece of legislation will apply to all organisations which conduct business in California, whether or not they are based outside of the state, once they collect, sell or disclose California consumers’ personal information. In this way, it is similar to the GDPR; however, there are some clear differences between the two, which can be fully explored via our previously published blog comparing GDPR and CCPA.

Aphaia can help you comply with CCPA. We offer CCPA implementation as a stand-alone service or together with GDPR, plus other related services such as data protection impact assessments and Data Protection Officer outsourcing.