Irish Companies Set Data Transfer, EU Reg Priorities


By Ali Qassim

Feb. 25 — Adopting resilient arrangements for international data transfers and preparing to implement the European Union General Data Protection Regulation (GDPR) are among the major privacy priorities for Irish businesses in 2016, industry professionals and attorneys told Bloomberg BNA.

Both challenges are considerable given that the majority of Irish companies don't feel fully prepared for the implementation of the GDPR, which is set to replace the now over 20-year-old Data Protection Directive (95/46/EC), and less than half have taken measures to adapt their privacy policies to the new rules, according to the Irish Computer Society's latest annual survey.

The ICS survey found that three quarters of Irish organizations transfer data internationally, a process which has been significantly complicated after the European Court of Justice invalidated the U.S.-EU Safe Harbor framework. Negotiators Feb. 2 agreed in principle to a replacement framework—the EU-U.S. Privacy Shield.

Brian Honan, chief executive officer of information technology consulting company BH Consulting in Dublin, said the issue of international transfers “is still quite fluid in spite of the recent agreement reached by the EU and the U.S. over the new Privacy Shield agreement to replace Safe Harbor.”

Honan, who is also a member of the Advisory Group on Internet Security to the Europol Cybercrime Centre, said there is “major concern” that the Privacy Shield doesn't address the ECJ's findings on the conflict between U.S. surveillance law and “the fundamental rights to privacy granted under EU law to its citizens.”

The Article 29 Working Party is analyzing to what extent the Privacy Shield complies with fundamental rights guarantees.

When the ICS survey was unveiled, Ireland Data Protection Commissioner Helen Dixon said her office is “very aware” the country is the EU base for nearly every large U.S.-based Internet company, including Google Inc., Apple Inc. and Facebook Inc. “Not only does a very significant responsibility lie with the office in ensuring robust regulation and delivery of compliance but it's also evident that we must demonstrate that this is what we're doing,” Dixon said.

Model Contracts

Honan said that companies “will in most cases continue using whatever services they were previously using until guidance is provided” by the Data Protection Commissioner or the Privacy Shield is deemed sufficient.

According to ICS Data Protection Consultant Lanre Oluwatona, businesses are most likely to use model contracts that require an organization outside the EU “to adhere to a set of restrictions on processing personal data that mirrors EU data protection requirements.”

Rob Corbet, a partner and head of the Technology & Innovation Department at Arthur Cox in Dublin, concurred that model clauses are the most viable route “at least until we know what's involved in reaching the Privacy Shield standard.”

Although model contract clauses provide lawful alternatives to Safe Harbor for most companies, “the bureaucracy involved is frustrating,” Corbet said.

Irish Businesses Call for Clarity

Erik O'Donovan, head of digital economy policy at Irish Business and Employers Confederation, said that companies will “need clarity on what they need to do to fully comply with the new EU-U.S. Privacy Shield framework so it can be implemented quickly and effectively.”

But he said businesses were reassured by the Article 29 Working Party's Feb. 3 announcement that companies would be able to “honor the use of existing alternative data transfer mechanisms, including binding corporate rules (BCRs) and standard contractual clauses, until their analysis of the newly announced EU-U.S. Privacy Shield is completed.”

Oluwatona said that the option of obtaining consent of the data subject was a “lawful basis for exporting data,” but warned that the “threshold for validating consent and justification for data transfer may be difficult to demonstrate particularly in situations where the Data Protection Commissioner challenges an organization's data transfer practices.”

During this uncertain period, Honan said he would “recommend that companies that could potentially be impacted should work with their providers to develop contingency options to move their data to the providers' data centers in Europe or assess alternative suppliers.”

He also advised companies to “put in place some plans in the event they can no longer export personal data of EU citizens to the US.”

Oluwatona said that even though companies will have two years before the new rules take effect, “implementation will be an uphill task” as “a vast number” have adopted a “wait and see approach” until now.

Implementing changes will also be “administratively overburdening” given that Irish Data Protection legislation contains 36 provisions while the GDPR contains at least 90 articles, he said.

Managing Privacy Risks

Asked which aspects of the GDPR will pose most difficulties for businesses, Oluwatona said adopting privacy risk management “as a way of life.”

Under the new regulation, “risk is mentioned at least 70 times, an indication that data processing is now a risky business for organizations that are found to be non-compliant.”

Adopting a risk-based approach is a “requirement where data processing activities will most likely involve ‘high’ risk to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss,” he said.

“Explicit regulatory requirements that will definitely require a shift in the way” that businesses plan include making privacy risk impact assessments, alongside privacy by design and privacy by default, he said.

Corbet agreed that one of the biggest impacts of the GDPR for companies will be “data protection by design or default” requirements and “knowing when to conduct a Data Protection Impact Assessment.”

According to Honan, many companies will “struggle to comply with this requirement” as they may not have the necessary skills or tools to conduct these assessments, particularly “before any new applications or services are developed or launched.”

Breach Notification, Sanctions

Another “challenge facing many companies will be mandatory breach notification in the event of a security breach impacting personal information,” Honan said about another GDPR requirement.

“This will make many companies uncomfortable as they face the risk of their breaches becoming publicly known,” he said. “It may also lead to the public becoming more aware and alarmed as breaches they normally would not hear about now become regular news items.”

That means companies will need to ensure “they have appropriate security controls in place to prevent a breach and also effective response plans in the event a breach does occur,” Honan said.

GDPR will also “introduce large fines for non-compliance for the first time in Ireland which will also be a big change,” Corbet said. Under the heavy sanctions introduced by the GDPR, noncompliance with the data breach reporting provisions could cost companies the higher of 10 million euros (slightly more than $11 million) or 2 percent of their annual worldwide revenues.

According to Oluwatona, the change will be significant because as of now, “where a data controller contravenes” the Irish Data Protection Acts 1998 and 2003, the Data Protection Commissioner “may issue a cautionary or prohibition notice (in extreme cases) following an investigation.”

However, “there are no automatic sanctions in place” as the commissioner doesn't have “the power to issue fines as does its U.K. counterpart,” Oluwatona said. “Currently legal proceedings are initiated against offenders and penalties are decided by the courts. Under EUGDPR, that will change.”

The ICS survey revealed “high levels of confusion” over whether Irish organizations face official sanctions for non-compliance with data protection laws, with almost a third of respondents saying they were “not sure” and 28 percent saying there were no sanctions.

Another “practical challenge” for companies, at least in the short term, will be the “requirement to identify a Data Protection Officer who is competent to address the record keeping and other tasks laid down in the Regulation,” Corbet said.

“For many it will be difficult to find someone with the skills, knowledge, and understanding of the Data Protection regulations to take on the role,” Honan concurred.

Although pseudonymisation “is not, of itself, a new concept” and “has become part of our daily life,” Oluwatona said that “it is the first time it has been enshrined expressly” in regulation through the GDPR.

“The days of implied or presumed consent are over,” he said. “Data controllers wishing to adopt either profiling or pseudonymisation can do so provided explicit consent has been given by the data subject and the data controller has taken suitable measures to safeguard data subject's rights, freedoms and legitimate interests which can be costly to implement.”

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

Full text of the ICS survey is available at http://src.bna.com/cOY.