In this article we will discuss the implications of the Personal Data Processing Agreement (DPA) required by the Regulation. This has recently become particularly relevant with regard to data transfers to countries outside the European Union whose legislation is incompatible with the European Regulation.
Table of Contents:
- Tougher penalties for non-compliance
- Parts of a Data Processing Agreement
- Important implications of the DPA
- The problem of international transfers
- The Schrems I and II cases and the challenges of transfer compliance
- The supplementary measures for transfers recommended by the European Data Protection Board
- Data-centric security for personal data transfers
- Conclusions
Tougher penalties for non-compliance
In 2021 we saw record penalties for non-compliance with GDPR in Europe: one imposed on Amazon by the Luxembourg Supervisory Authority (€746M) and the other on WhatsApp by the Irish Data Protection Commission (€225M). Both fines are subject to ongoing appeals. The larger of these is a 14-fold increase on the previous record fine, imposed on Google by the French authorities.
According to this DLA Piper report, a total of €1.1 billion in fines for non-compliance have been imposed in the last year, which is almost seven times more than the previous year’s total.
On the other hand, more than 130,000 personal data breaches have been reported to regulators in the last year, with an 8% increase in daily notifications over the previous year.
In this report’s ranking of fines by country, the Top 5 is led by Luxembourg and Ireland, which host the headquarters of well-known US multinationals, followed by Italy, Germany, Spain and France.
In the Top 5 of security breach notifications are Germany, the Netherlands, the UK, Poland and Denmark, followed in the Top 10 by Sweden, Finland, France, Norway and Spain.
While some authorities have opted to impose a few fines with a high media profile (e.g. Ireland, Luxembourg), others have chosen to impose many more fines of lower amounts (e.g. Italy and Spain).
This growth in sanctions and notifications, together with the controversy generated by the non-compliance of international data transfers, reflects the tightening of sanctions and a growing focus of European regulators on the control of data sovereignty.
An example of this is the recent case of the Austrian data protection authority, which determined that the use of Google Analytics on the NetDoktor website was in breach of GDPR. With Google Analytics, all the data on what users read and their interests ends up on servers in the United States without being properly protected against potential access by US intelligence agencies.
Parts of a Data Processing Agreement (DPA)
Whether you work with suppliers and provide them with personal data, or if you offer a service where you collect personal data from third parties, you must have, in accordance with the European Regulation, a Data Processing Agreement.
In this contract, which is sometimes an addendum to a broader contract, such as a collaboration agreement with a partner or supplier, or the terms of use of a service, there are two main figures:
- The Data Controller: The party that determines the processing and is responsible for ensuring compliance with the GDPR regarding the collection, management, access and revocation of personal data.
- The Data Processor: The party that processes personal data solely on behalf of the Data Controller.
An example would be a company with a large number of employees that signs a contract with a payroll management consultancy in order to be able to make payroll payments. The company provides the consultancy with the data of new employees, those who leave the company, etc. for the correct payment of salaries, and the consultancy provides the computer system and stores the data of the employees. In this case, the Data Controller is the company, and the Data Processor is the consultancy.
The Processor can never vary the purposes or uses of the data, nor use them for its own purposes. On the other hand, it is obliged to comply with the instructions regarding the data given by the party that entrusts it with the service.
The fundamental points of this DPA are as follows:
• Identify the Controller and Processor Parties: For example, for the previous case, identify the role of the company as the Controller and of its supplier, the consultancy, as the Processor.
• Purpose of the Data Processor: Making it clear that the Data Processor will process the data as required by the Controller.
• Processing Activity and Identification of the Affected Information: What use the Processor will make of the data and what type of data is exchanged with the Processor.
• Right of Information in the Collection of Data: Indicating that it is the Data Controller who performs the collection and obtains the pertinent authorizations.
• Obligations of the Data Processor:
- Involve its staff or workers.
- Record the categories of processing activities.
- Avoid transferring data to third parties (outsourcing, etc.) without the consent of the Data Controller.
- Notify the Data Controller of possible discrepancies with the GDPR if it detects them.
- Assist the Data Controller with the rights of access, rectification, erasure and objection.
- Notify data transfers.
- Report data security breaches.
- Adopt security measures in accordance with the purposes of the data processing and those determined by the Data Controller.
- Return the data upon termination of the contract.
• Obligations of the Data Controller:
- Deliver the data.
- Conduct risk analysis and impact assessment on personal data protection.
- Ensure compliance with the GDPR by the Processor.
- Supervise the processing through audits and inspections.
- Communicate to the Data Processor any change in the category of data.
• Duration of the Contract.
• Jurisdiction of the Contract and Applicable Law.
Important Implications of a Data Processing Agreement
According to the Regulation, the Controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is in compliance with the Regulation. Such measures shall be reviewed and updated as necessary.
These security measures, included in Article 32 of the GDPR, include among others:
a) pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.
On the other hand, where processing is to be carried out on behalf of a controller, the controller should only choose a processor providing sufficient guarantees to implement appropriate technical and organizational measures, so that the processing is in compliance with the requirements of this Regulation and ensures the protection of the data subject’s rights.
The Processor shall also take the measures listed in Article 32 above, in addition to the items discussed under “Obligations of the Data Processor”.
In the event of a personal data security breach, the Controller must notify the supervisory authority without delay and within 72 hours of becoming aware of the incident. Similarly, the Processor is obliged to notify the Controller of any security breach it suffers.
Likewise, when the breach of data security is likely to be a risk to the rights and freedoms of natural persons, the Data Controller shall communicate the breach to the data subject.
This communication to the data subject is NOT necessary if any of these conditions are met:
1) the Data Controller has adopted measures that make the personal data unintelligible to any person not authorized to access it, such as encryption;
2) the Data Controller has taken measures to ensure that the high risk to the data subject’s rights and freedoms is unlikely to materialize;
3) the notification would involve a disproportionate effort and a public communication is chosen instead.
In short, let’s suppose that we have collected personal data from third parties and we save them in Excel files, PDFs, etc. to keep them on record. This could be employee data, resumes, clients, etc. To store them we have chosen the service of a Cloud provider of storage and file sharing, and we upload the documentation there.
In the event that the supplier suffers a security breach, we as Data Controllers are affected by this breach of personal data that we have collected. The responsibility lies directly with us and cannot be avoided even if it was a supplier who suffered the breach. We will be obliged to notify the authorities, and the data subjects.
However, if this data that is stored at the provider is encrypted and the encryption is controlled by us as the Controllers, the security breach at the provider renders the data unintelligible to anyone who can access it. In this case, we will not be obliged to notify the data subjects.
With this effective measure, by encrypting the files we store with a third party and controlling access to them, we can avoid future headaches, fines and loss of reputation.
The problem of international transfers
The European Union, through the EU-GDPR, presents restrictions on international transfers of personal data to countries that do not have adequate regulations. If the country where the data travels or is stored does not comply with the requirements of the regulation, we will be faced with a risky transfer that can be blocked.
The approach in the United States of America is very different in terms of data processing compared to the European model. Although there are regulations such as NIST 800-171 or sectoral (health, financial) and some states have established privacy standards, as is the case in California, there is no common federal standard. This has meant that different data processing agreements have had to be negotiated between the European Union and the United States: Safe Harbor (2000) or Privacy Shield (2016).
However, despite these agreements, the approach between the two blocs remains radically different. To put it simply: Europe says that the level of protection must travel with the data and the United States says that your data can be accessed without telling you, for whatever they want and without you being able to do anything about it.
Schrems I and II cases and the challenges of transfer compliance
Maximilian Schrems gained international notoriety with the “Facebook case”, in which this Austrian activist, who later founded the organization “None of Your Business” (NOYB), denounced Facebook’s practice of handing over its users’ data to the National Security Agency (NSA). Schrems I is the name given to the 2015 decision of the Court of Justice of the EU that invalidated the Safe Harbor agreement for data transfers between the European Union and the United States, on the grounds that it did not ensure a level of protection comparable to that required by European legislation.
With all data transfers “up in the air”, the approval of a new agreement was not long in coming (Privacy Shield, 2016). However, this agreement was little more than a repetition of the previous clauses, which led to the Schrems II judgment, in which the European Court of Justice invalidated the Privacy Shield in July 2020.
Currently, we are in a situation where there is no adequacy decision regulating data transfers between the European Union and the United States.
In the absence of an adequacy decision, as in the case of the United States, Article 46 of the Regulation provides for the application of certain safeguards in very specific cases, in order to overcome the general prohibition. Article 46 provides the following alternatives to validate transfers to countries without an adequacy decision:
1) a legally binding and enforceable instrument between public authorities or bodies;
2) binding corporate rules;
3) standard data protection clauses adopted by the European Commission;
4) standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
5) an approved code of conduct; or
6) an approved certification mechanism.
However, even these guarantees referred to in Article 46 are in question for countries such as the United States where the circumstances of the transfer must be evaluated on a case-by-case basis.
Supplementary measures for transfers recommended by the European Data Protection Board
In June 2021, the European Commission helped reduce this compliance gap by publishing standard contractual clauses that reflect the recommendations of the European Data Protection Board. However, complying with these clauses is not trivial and is beyond the reach of many small and medium-sized companies.
Among the recommendations included in this publication are:
1. Know your transfers.
2. Verify the instrument on which the transfer is based: if the transfer is made to a country that the European Commission has declared adequate, no additional measures need to be considered.
3. Assess whether there is anything in the third country’s legislation or practice that may affect the transfer safeguards.
4. Determine and adopt the supplementary measures necessary to ensure that the level of protection complies with EU standards, if it is found that the country’s legislation affects the effectiveness of the Article 46 safeguards described above.
5. Adopt any formal procedural steps that may be required by the supplementary measure, e.g. consulting the supervisory authorities.
6. Re-evaluate the level of protection at appropriate intervals.
Annex 2 of this document describes examples of technical, contractual and organizational measures that help ensure compliance for third countries whose authorities may access the content of data in transit (communications, etc.) or at rest, stored by a third party, by requiring that third party to locate and extract the data of interest and forward it to the authorities.
Returning to the example above, in which we store personal data of third parties in a Cloud storage system located in the USA, the following supplementary measures are proposed:
• Use of transport encryption, or end-to-end encryption if transport encryption is not sufficient.
• Decryption only possible outside the third country in question.
• Use of a key length and algorithm that conform to the state of the art and can be considered optimal.
• Custody of the encryption key in a jurisdiction with an adequate level of compliance.
In this case, the European Data Protection Board will consider this content encryption as an effective complementary measure.
Data-centric security for personal data transfers
Data-centric security provides an effective and simple means of encrypting information end-to-end, allowing personal data contained in files to travel securely and under control:
• Security travels with the document, wherever it is stored.
• It is persistent and can be applied in transit, at rest and in use.
• There is a separation between who stores the data and who controls the encryption applied to it.
• Allows a complete audit of accesses, blocked access attempts, etc.
• Allows access to be revoked remotely, leaving the document inaccessible wherever it is located.
• Set granular access controls: By person, group, domain, etc.
• Set permission levels on the data: Read only, edit, but not copy and paste, etc.
In this sense, and sticking to the example of storing files with personal data at a cloud provider, we retain control of this data because it carries encryption that we control, so a possible leak at the provider will not affect us and we will avoid having to notify those affected.
In the case of transfers to third countries with legislation incompatible with the EU-GDPR, it allows us to apply the supplementary technical measures recommended by the European Data Protection Board in the June 2021 publication: encryption in transit and at rest, with the ability to decrypt the data under our control in a location or country that meets the EU-GDPR criteria, plus access controls, permissions and auditing capabilities that help maximize control of the data.
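The separation described above and in the cloud-storage breach scenario earlier, between the provider that stores the files and the controller that holds the keys, as an added example that is not SealPath's code or part of the original article: envelope encryption in Go, where each file gets its own data key, that key is wrapped under a key-encryption key that stays with the controller, and only ciphertext is handed to the provider. The function names, the constructed keys and the use of the file name as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ProtectedFile is all the provider ever holds: content under a per-file data key
// (DEK) and that DEK wrapped under the controller's key-encryption key (KEK).
type ProtectedFile struct{ Content, WrappedDEK []byte } // each blob: nonce || AES-256-GCM output
func gcm(key []byte) cipher.AEAD { // keys are 32 bytes by construction here
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}
func random(n int) []byte { // OS CSPRNG bytes for keys and nonces
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable here
	}
	return b
}
// seal prepends a fresh nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; any change to key, nonce, ciphertext or aad fails.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}
// Protect runs at the controller before upload; the file name is bound as
// associated data so one record's blob cannot be swapped into another's.
func Protect(kek, plaintext []byte, name string) *ProtectedFile {
	dek, aad := random(32), []byte(name)
	return &ProtectedFile{Content: seal(dek, plaintext, aad), WrappedDEK: seal(kek, dek, aad)}
}
// Recover needs the KEK, which stays with the controller; the provider alone cannot unwrap the DEK.
func Recover(kek []byte, pf *ProtectedFile, name string) ([]byte, error) {
	dek, err := open(kek, pf.WrappedDEK, []byte(name))
	if err != nil {
		return nil, errors.New("access denied: KEK does not unwrap this file")
	}
	return open(dek, pf.Content, []byte(name))
}
```

Destroying or rotating the KEK at the controller makes every stored blob permanently unreadable, which is the cryptographic form of the remote revocation the list above describes.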
Conclusions
Given the recent case of Austria finding that systems such as Google Analytics do not comply with the EU-GDPR criteria, and the differing views of blocs such as the European Union and the United States regarding the processing of personal data, it is not surprising to see an increasing focus by European regulators on security compliance in international data transfers and an increase in sanctions.
Given that a security breach in a Data Processor does not relieve the Controller of its duty in the management of personal data, it is necessary to have appropriate Data Processing Agreements with the different providers and to implement additional technical measures to help us ensure compliance.
As reflected in the regulation itself and the supplementary measures recommended by the European Data Protection Board for international transfers at risk, encryption in transit and at rest together with a separation of who has the data and who can decrypt it is one of the most powerful and recommendable mechanisms to guarantee the correct processing of personal data.
If you would like to learn more about how SealPath can help you protect your data at rest, in transit and in use, please contact us here.