By Ali Qassim
Feb. 25 — Adopting resilient arrangements for international data transfers and preparing to implement the European Union General Data Protection Regulation (GDPR) are among the major privacy priorities for Irish businesses in 2016, industry professionals and attorneys told Bloomberg BNA.
Both challenges are considerable given that the majority of Irish companies don't feel fully prepared for the implementation of the GDPR, which is set to replace the now over 20-year-old Data Protection Directive (95/46/EC), and less than half have taken measures to adapt their privacy policies to the new rules, according to the Irish Computer Society's latest annual survey.
The ICS survey found that three quarters of Irish organizations transfer data internationally, a process which has been significantly complicated since the European Court of Justice invalidated the U.S.-EU Safe Harbor framework. Negotiators Feb. 2 agreed in principle to a replacement framework, the EU-U.S. Privacy Shield.
Brian Honan, chief executive officer of information technology consulting company BH Consulting in Dublin, said the issue of international transfers “is still quite fluid in spite of the recent agreement reached by the EU and the U.S. over the new Privacy Shield agreement to replace Safe Harbor.”
Honan, who is also a member of the Advisory Group on Internet Security to the Europol Cybercrime Centre, said there is “major concern” that the Privacy Shield doesn't address the ECJ's findings on the conflict between U.S. surveillance law and “the fundamental rights to privacy granted under EU law to its citizens.”
The Article 29 Working Party is analyzing to what extent the Privacy Shield complies with fundamental rights guarantees.
When the ICS survey was unveiled, Ireland's Data Protection Commissioner Helen Dixon said her office is “very aware” the country is the EU base for nearly every large U.S.-based Internet company, including Google Inc., Apple Inc. and Facebook Inc. “Not only does a very significant responsibility lie with the office in ensuring robust regulation and delivery of compliance but it's also evident that we must demonstrate that this is what we're doing,” Dixon said.
Honan said that companies “will in most cases continue using whatever services they were previously using until guidance is provided” by the Data Protection Commissioner or the Privacy Shield is deemed sufficient.
According to ICS Data Protection Consultant Lanre Oluwatona, businesses are most likely to use model contracts that require an organization outside the EU “to adhere to a set of restrictions on processing personal data that mirrors EU data protection requirements.”
Rob Corbet, a partner and head of the Technology & Innovation Department at Arthur Cox in Dublin, concurred that model clauses are the most viable route “at least until we know what's involved in reaching the Privacy Shield standard.”
Although model contract clauses provide lawful alternatives to Safe Harbor for most companies, “the bureaucracy involved is frustrating,” Corbet said.
Erik O'Donovan, head of digital economy policy at Irish Business and Employers Confederation, said that companies will “need clarity on what they need to do to fully comply with the new EU-U.S. Privacy Shield framework so it can be implemented quickly and effectively.”
But he said businesses were reassured by the Article 29 Working Party's Feb. 3 announcement that companies would be able to “honor the use of existing alternative data transfer mechanisms, including binding corporate rules (BCRs) and standard contractual clauses, until their analysis of the newly announced EU-U.S. Privacy Shield is completed.”
Oluwatona said that the option of obtaining consent of the data subject was a “lawful basis for exporting data,” but warned that the “threshold for validating consent and justification for data transfer may be difficult to demonstrate particularly in situations where the Data Protection Commissioner challenges an organization's data transfer practices.”
During this uncertain period, Honan said he would “recommend that companies that could potentially be impacted should work with their providers to develop contingency options to move their data to the providers data centers in Europe or assess alternative suppliers.”
He also advised companies to “put in place some plans in the event they can no longer export personal data of EU citizens to the US.”
Oluwatona said that even though companies will have two years before the new rules take effect, “implementation will be an uphill task” as “a vast number” have adopted a “wait and see approach” until now.
Implementing changes will also be “administratively overburdening” given that Irish Data Protection legislation contains 36 provisions while the GDPR contains at least 90 articles, he said.
Asked which aspects of the GDPR will pose most difficulties for businesses, Oluwatona said adopting privacy risk management “as a way of life.”
Under the new regulation, “risk is mentioned at least 70 times, an indication that data processing is now a risky business for organizations that are found to be non-compliant.”
Adopting a risk-based approach is a “requirement where data processing activities will most likely involve ‘high’ risk to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss,” he said.
“Explicit regulatory requirements that will definitely require a shift in the way” that businesses plan include making privacy risk impact assessments, alongside privacy by design and privacy by default, he said.
Corbet agreed that one of the biggest impacts of the GDPR for companies will be “data protection by design or default” requirements and “knowing when to conduct a Data Protection Impact Assessment.”
According to Honan, many companies will “struggle to comply with this requirement” as they may not have the necessary skills or tools to conduct these assessments, particularly “before any new applications or services are developed or launched.”
Another “challenge facing many companies will be mandatory breach notification in the event of a security breach impacting personal information,” Honan said of a further GDPR requirement.
“This will make many companies uncomfortable as they face the risk of their breaches becoming publicly known,” he said. “It may also lead to the public becoming more aware and alarmed as breaches they normally would not hear about now become regular news items.”
That means companies will need to ensure “they have appropriate security controls in place to prevent a breach and also effective response plans in the event a breach does occur,” Honan said.
GDPR will also “introduce large fines for non-compliance for the first time in Ireland which will also be a big change,” Corbet said. Under the heavy sanctions introduced by the GDPR, noncompliance with the data breach reporting provisions could cost companies the higher of 10 million euros (slightly more than $11 million) or 2 percent of their annual worldwide revenues.
According to Oluwatona, the change will be significant because as of now, “where a data controller contravenes” the Irish Data Protection Acts 1988 and 2003, the Data Protection Commissioner “may issue a cautionary or prohibition notice (in extreme cases) following an investigation.”
However, “there are no automatic sanctions in place” as the commissioner doesn't have “the power to issue fines as does its U.K. counterpart,” Oluwatona said. “Currently legal proceedings are initiated against offenders and penalties are decided by the courts. Under EU GDPR, that will change.”
The ICS survey revealed “high levels of confusion” over whether Irish organizations face official sanctions for non-compliance with data protection laws, with almost a third of respondents saying they were “not sure” and 28 percent saying there were no sanctions.
Another “practical challenge” for companies, at least in the short term, will be the “requirement to identify a Data Protection Officer who is competent to address the record keeping and other tasks laid down in the Regulation,” Corbet said.
“For many it will be difficult to find someone with the skills, knowledge, and understanding of the Data Protection regulations to take on the role,” Honan concurred.
Although pseudonymisation “is not, of itself, a new concept” and “has become part of our daily life,” Oluwatona said that “it is the first time it has been enshrined expressly” in regulation through the GDPR.
“The days of implied or presumed consent are over,” he said. “Data controllers wishing to adopt either profiling or pseudonymisation can do so provided explicit consent has been given by the data subject and the data controller has taken suitable measures to safeguard data subjects' rights, freedoms and legitimate interests which can be costly to implement.”
To contact the reporter on this story: Ali Qassim in London
To contact the editor responsible for this story: Jimmy H. Koo
Full text of the ICS survey is available at http://src.bna.com/cOY.