Global Data Privacy
In these digital times, personal data may be easily and rapidly collected and transferred across borders – both virtual and geographical – to be stored on servers in multiple countries within and outside the European Economic Area and European Union territories.
The development of the digital economy has momentously increased the relevance of free movement of personal data. This is demonstrated by the exponential growth in the quantity, quality, diversity, and nature of global data processing and the sheer volume of cloud computing.
Cross-border flows of personal data are necessary for the strategic growth of international trade and commerce. Global trade operations are made possible largely by the collection, transfer, usage, and storage of personal data for various purposes including: human resources and employment; market research; direct-to-consumer marketing; digital advertising; online purchasing and e-commerce; social media; search engine capabilities; clinical trials; and adverse-drug-reaction (ADR) reporting.
European Data Protection Law
The concept and definition of “personal data” are based on: content, purpose, and result.
SENSITIVE PERSONAL DATA
- Race and ethnicity
- Political opinion
- Religious and philosophical beliefs
- Trade union membership
- Sex life
Contractual mechanisms such as Model Clauses and Binding Corporate Rules have gained significant importance to multi-national companies maintaining global and regional data security and data protection law compliance. Cross-border data transfer and transnational data storage have resulted in the strengthening of the individual’s data protection rights on an international level, particularly in Europe. The fundamental rights to respect for private life, and to protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union respectively, are underscored in case-law. The Treaty on the Functioning of the European Union (TFEU) furthermore declares in Article 16: “Everyone has the right to the protection of personal data concerning them”.
The European Data Protection Directive applies to the European Economic Area (EEA), which includes all EU member states and non-EU countries Iceland, Liechtenstein, and Norway. The Directive requires the taking of special precautions when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection. Personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed. However, several exceptions (or “derogations”) to this rule may apply.
Transatlantic Data Transfer: EU – U.S.
In determining whether to transfer personal data to a third country, the data controller evaluates whether the third country ensures an adequate level of data protection. The Schrems case (Case C‑362/14, Maximillian Schrems v. Data Protection Commissioner, October 6th 2015) http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=112676 reiterated the significance of the fundamental right to data protection, which also applies to personal data transfer to third countries.
The European Court of Justice (ECJ) ruled that a national supervisory authority of a member state is not prevented from examining the person’s claim concerning the protection of his rights and freedoms. A national supervisory authority may examine a person’s claim regarding the processing of his or her personal data transferred from a member state to that third country, when that person contends that the law and practices in effect in the third country do not ensure an adequate level of protection. The Court also ruled that the Safe Harbor Framework (Commission Decision 2000/520), which was used by over 4,000 U.S. companies to transfer data to Europe, is invalid.
Following the ECJ’s Schrems case ruling, the European Commission issued a Communication (November 2015) to serve as guidance on transatlantic data transfers. The Communication outlines the alternative bases for personal data transfer from the EEA to the U.S., without prejudice to the independence and broad powers of the Data Protection Authorities (DPAs) to examine lawfulness of such data transfers. The following alternative mechanisms are implemented by businesses pursuing transatlantic data transfers:
- Contractual solutions: These include contractual provisions that create obligations, such as security measures, information to the data subject, safeguards in case of transfer of sensitive data, etc. Contractual clauses “must satisfactorily compensate for the absence of a general level of adequate protection, by including the essential elements of protection which are missing in any given particular situation”. With the aim of facilitating the use of contractual instruments in international transfers, the Commission has approved four sets of Standard Contractual Clauses (SCCs): two sets of model clauses relate to transfers between data controllers; the other two sets concern transfers between a controller and a processor acting under its instructions. Each set of model clauses details the obligations of data exporters and importers, including:
  - security measures;
  - information to be provided to the data subject in case of transfer of sensitive data;
  - notification to the data exporter of access requests by the third countries’ law enforcement authorities, or of any accidental or unauthorized access;
  - the rights of data subjects to the access, rectification, and erasure of their personal data; and
  - rules on compensation for the data subject in case of damage arising from a breach by either party to the SCCs.
Under the model clauses, EEA data subjects are entitled to petition the DPA, and/or a court of the Member State, in which the data exporter is established to invoke the rights the data subjects derive from the contractual clauses as a third party beneficiary. These rights and obligations are necessary in contractual clauses, as it cannot be presumed that the data importer in the third country is subject to an adequate system of oversight and enforcement of data protection rules.
European Commission decisions are binding in their entirety in Member States. Therefore national DPAs are, in principle, under the obligation to accept clauses incorporating the SCCs in a contract. Consequently national DPAs may not refuse the transfer of the data to a third country on the sole basis that these SCCs do not offer sufficient safeguards. This is without prejudice to the authorities’ power to examine these clauses in terms of the requirements set out by the Court in the Schrems ruling. Some Member States maintain a system of notification and/or pre-authorization for the use of the SCCs.
- Binding Corporate Rules for intra-group data transfers: BCRs allow personal data to be transferred freely between the different entities of a global corporation. They must generally be authorized by the DPA of each member state from which the multinational company intends to transfer data. A standardized application form, and a specific co-operation procedure between concerned DPAs, including the designation of one “lead authority” responsible for handling the approval procedure, have been established to facilitate the process.
- Derogations: The following derogations are particularly relevant to commercial data transfers following the Safe Harbor invalidity ruling:
  - Data transfers necessary for the performance of a contract, or the implementation of pre-contractual measures taken in response to the data subject’s request;
  - Data transfers necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
  - Data transfers necessary or legally required for the establishment, exercise, or defense of legal claims;
  - The unambiguous and informed consent of the data subject prior to the data transfer.
Compliance is assessed by DPAs on a case-by-case basis as part of their independent investigative, supervisory, and enforcement functions – including the approval or otherwise of contractual arrangements and BCRs, and/or on the basis of individual complaints.
Data Protection Reform
The Reform consists of two instruments:
- The General Data Protection Regulation should enable data subjects to better control their personal data. Modernized and unified rules are designed to allow businesses to make the most of Digital Single Market opportunities.
- The Data Protection Directive shall regulate data of victims, witnesses, and suspects of crimes, in criminal justice and investigations and law enforcement. Harmonized laws are designed to facilitate cross-border cooperation of police and prosecutors to combat crime and terrorism more effectively in Europe.
The European General Data Protection Regulation
The Regulation includes nine chapters, covering:
- General provisions (including subject matter, scope, and definitions).
- Data protection principles.
- Rights of the data subject.
- Obligations of data controllers and data processors.
- Transfer of personal data to third countries, or to international organizations.
- Obligations and powers of national supervisory authorities.
- Co-operation between the Member States, including creating the European Data Protection Board (EDPB) to replace the Article 29 Working Party.
- Remedies, liability, and sanctions.
- Specific data processing situations, e.g. processing in a healthcare, or employment, context.
The Regulation revises the principles enshrined in the 1995 Data Protection Directive to protect privacy rights. It focuses on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring stronger enforcement; streamlining international transfers of personal data; and setting global data protection standards. Changes thought to have the greatest impact include:
- The “right to be forgotten”: An individual’s personal data shall be deleted at the person’s request – provided that there are no legitimate grounds for retaining it. Data subjects may also request to be delisted from online search engines;
- Easier access to one’s data: Individuals are to be provided with clear and understandable information on how their data is processed;
- The right to data portability: Individuals may more easily transfer their personal data between service providers;
- The right to know when personal data has been hacked: Companies and organizations must notify the national supervisory authority of data breaches that put individuals at risk, and communicate all high-risk breaches to the data subject as soon as possible;
- Data protection by design and by default: To better protect the right to privacy and the right to data protection, safeguards shall be built into products and services from the earliest stage of development. Privacy-friendly default settings are to be the norm, e.g. on social networks or mobile apps;
- Stronger enforcement: Data protection authorities will be able to fine a company that does not comply with European data protection rules up to 4% of the company’s global annual turnover;
- Creation of the European Data Protection Board (EDPB): The new Board will include the head of each national data protection regulator, and the European Data Protection Supervisor, or their respective representatives. The EDPB issues guidance and will be empowered to resolve disputes among the national regulators. Companies will only be required to engage with the data protection regulator in their own European jurisdiction. The national supervisory authority will be itself responsible for consulting regulators in other Member States whose nationals are affected, or who have an interest in a particular matter;
- Definition of personal data – The scope of “personal data” has expanded slightly. In addition, two new categories of data – genetic and biometric – are included on a list of “sensitive data,” which also includes racial or ethnic origin data, political opinions, religious or philosophical beliefs, trade-union membership, sexual orientation, and health data;
- Pseudonymized v. anonymized data – Pseudonymized data remains personal data because it can be associated with a specific consumer. The Regulation does not apply to fully anonymized data;
- Definition of consent – Consent must be freely given, specific and informed. If consent is required, it must be the “clear affirmative action by the data subject.” The Regulation outlines limitations on consent.
The Regulation places data protection obligations on data controllers and data processors. Data controllers must dynamically implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the data processing, and the nature of the personal data to be protected. Security measures are to be reviewed periodically in light of new technical, state-of-the-art developments, and the costs involved.
The Digital Single Market
The European Commission considers the creation of a European Digital Single Market to be a high priority policy. It is estimated to potentially contribute approximately €415 billion per year to the European economy, and create hundreds of thousands of new jobs. The Digital Single Market strategy comprises three policy areas:
- Enhancing online access to goods and services:
  - Improving affordable, high-quality parcel delivery;
  - Facilitating cross-border e-commerce by harmonizing consumer law and contract law;
  - Reviewing the Satellite and Cable Directive and examining how to boost cross-border access to broadcasters’ services in Europe;
  - Tackling geo-blocking;
  - Modernizing copyright law to achieve a balance between creators’ interests and consumers’ interests;
  - Increasing enforcement against commercial-scale infringements of intellectual property rights;
  - Simplifying VAT rules to advance cross-border business operations;
  - Creating single electronic registration and payment.
- Developing digital networks and digital services:
  - Overhauling telecoms legislation to build a competitive, dynamic, regional telecoms industry;
  - Reviewing media rules to build an audiovisual technology framework for the 21st century;
  - Improving transparency of online platforms, e.g. search engines, social media, e-commerce platforms, app stores, and price comparison websites;
  - Strengthening consumer trust in online services by reviewing e-privacy and cybersecurity legislation.
- Advancing digital growth:
  - Implementing transition-management to digitalize industry and integrate new technologies;
  - Developing standards and interoperability in cybersecurity, the Internet of Things, big data, and cloud computing;
  - Overcoming challenges of the data economy and cloud computing, e.g. data mechanization, data ownership, data protection standards, innovation of data processing methods, creating a “European cloud”;
  - Unlocking the benefits of online public e-services, and advancing digital skills to create an inclusive e-society.
The data protection reform package contributes to the realization of the Digital Single Market’s potential and increases Europe’s data economy competitiveness by implementing the following measures:
- One continent, one law: a single, pan-European set of laws for data protection is intended to replace current national laws. The financial benefit of removing administrative burdens is valued at €2.3 billion per year.
- One-stop-shop: Businesses should be answerable to a single supervisory authority, making it simpler and cheaper for companies to do business in Europe.
- The same rules for all companies – regardless of where they are established: Companies based outside of Europe will be required to comply with the same European data protection rules as European companies when offering goods or services to the European market.
- Technological neutrality: Innovation is facilitated to further thrive under the Regulation.
Start-ups, Small and Medium Enterprises (SMEs), and Smaller Businesses
Data protection reform is targeted at stimulating economic growth by reducing administrative costs for European business, including start-up companies and small and medium enterprises (SMEs). Startups and SMEs shall gain better access to data markets presently dominated by digital giants, and be able to attract more consumers by offering better data security solutions.
The compliance levels of data controllers and data processors are calibrated to the size of the business and/or to the nature of the personal data being processed. SMEs are generally exempt from the following obligations:
- Appointment of a data protection officer – unless the SME’s core activities require regular and systematic large-scale monitoring of data subjects, or special categories of personal data are processed, e.g. data revealing racial or ethnic origin, or religious beliefs. An ad-hoc consultant, rather than a full-time employee, may be engaged as a data protection officer, thereby reducing operational costs.
- Record-keeping of processing activities – unless the processing SMEs carry out is not occasional or is likely to result in a risk to the rights and freedoms of data subjects.
- Reporting of all data breaches to data subjects – unless the data breaches represent a high risk to individuals’ rights and freedoms.
Public Health and European Data Protection
As sensitive personal data, health data is granted a high level of protection in Europe. The European Data Protection Directive states that the data subject’s explicit consent is needed where distribution of such data may, of its nature, result in the infringement of privacy or fundamental rights.
Explicit derogations from this prohibition are granted for specific needs – particularly, data processing for health-related purposes by persons subject to a legal obligation of professional secrecy. Sensitive personal data may need to be processed by national public health authorities to protect the health and wellbeing of their citizens.
Member States may, on justifiable grounds of public interest – including public health – authorize derogations from the prohibition of processing sensitive personal data, e.g. for reasons of preventive medicine; medical diagnosis; medical treatment and healthcare; prevention of the spread of communicable disease and pandemics; and the management of healthcare services. Member States may provide additional exceptions on grounds of substantial public interest.
Data Protection Law in the Republic of Malta (EU)
As a member of the European Union, Malta’s data protection legislation conforms with European rules and regulations – mainly the European Data Protection Directive 95/46/EC which is fully transposed into national law. The protection of personal data is regulated by the Data Protection Act (Chapter 440 of the Laws of Malta).
The Information and Data Protection Commissioner
The objective of the Maltese Office of the Information and Data Protection Commissioner is “the protection of the individual’s right to privacy by ensuring correct processing of personal data”. The Data Protection Act entrusts the Information and Data Protection Commissioner to:
- carry out inspections or investigations, and consider any complaints. For such purposes, the Commissioner may require the production of any documents, and obtain access to premises where personal data is kept;
- create and maintain a public register of all processing operations notified by data controllers;
- support the drawing up of codes of conduct by stakeholders;
- order the blocking, erasure, or destruction of data;
- impose a temporary or definitive ban on data processing;
- issue warnings and admonishments to data controllers;
- collaborate with supervisory authorities of other countries to the extent necessary for the performance of duties under the Act;
- participate in active EU fora for data protection authorities;
- enforce the provisions of the Act in cases of violation and non-compliance;
- impose administrative fines;
- institute court proceedings.
Processing personal data in the Republic of Malta (EU)
The Data Protection Act (Chapter 440 of the Laws of Malta) broadly defines “processing” and “processing of personal data” as an operation or set of operations, whether or not performed by automatic means, including the “collection, recording, organization, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data”.
Personal Data Representative
The role of the Personal Data Representative (PDR) is established under Articles 31, 32, and 33 of the Data Protection Act (Chapter 440 of the Laws of Malta).
The PDR shall independently ensure that the data controller processes personal data in a lawful and correct manner, in accordance with good practice. Any inadequacies should be brought to the attention of the data controller. The PDR interfaces with national supervisory authorities on the application and interpretation of data protection rules. A register of processing operations, similar to the one required in the notification, shall also be maintained by the PDR. The proactive identification, anticipation, and mitigation of risk prior to the processing of data is crucial to global trade and commerce.
The European General Data Protection Regulation strengthens the role of the PDR by imposing additional obligations on data controllers and processors, including the requirement to carry out privacy impact assessments prior to implementing processing operations. Non-compliance is penalized with hefty fines.
We counsel both public and private corporations on a wide range of data privacy and data protection matters, including:
- Advising on data privacy and data security matters under the European Data Protection Directive 95/46/EC;
- Managing and monitoring client’s data privacy and data protection compliance efforts;
- Advising on the creation of internal data protection policies and procedures;
- Overseeing cross-border projects, and global digital marketing initiatives, relating to data protection and privacy matters;
- Identifying and mitigating transnational data privacy compliance risk;
- Negotiating, drafting, and reviewing agreements with third parties including: i) data transfer agreements; ii) employment agreements; iii) vendor, supplier, and service agreements; iv) agreements on the processing, storage and use of data; v) model contractual clauses under European Commission Decision 2001/497/EC of 27 December 2004, and European Commission Decision 2010/87/EU of 5 February 2010; and vi) binding corporate rules (BCRs) for intra-company-group personal data transfers.
- Regularly interfacing with regional and local Data Protection Authorities;
- Keeping clients informed of the latest global data protection legislation and industry trends;
- Making timely submissions of required notifications, registrations, and accompanying documents to Data Protection Authorities;
- Assisting in comprehensive data processing and transfer from EU member states to third countries (including to the United States of America) under Article 27 and 28 of the Malta Data Protection Act, and Legal Notice 155 of 2003 Third Country (Data Protection Act) Regulations (as amended);
- Advising on the organizational, legal, contractual, and procedural changes brought about by the European General Data Protection Regulation;
- Managing cross-functional and in-house legal counsel teams in various EEA and EU member states, and Latin American countries;
- Delivering learning and development training and data protection compliance presentations to in-house legal counsel, management, and staff;
- Evaluating and reviewing global data privacy compliance impact assessments;
- Assisting in proper handling of inspections, audits, and data privacy requirements according to applicable data protection legislation and internal company policy;
- Assisting in compilation of data privacy SOPs, reports, and other procedures;
- Advising on the practical aspects and implementation of the Data Protection Act (Chapter 440 of the Laws of Malta);
- Acting as an independent Personal Data Representative.
European Commission, DG Justice
European Commission, DG Health and Food Safety
European Commission, Digital Single Market
Republic of Malta, Office of the Information and Data Protection Commissioner
- Provision of legal advice on data privacy and data security matters under the EU Data Protection Directive 95/46/EC
- Managing, directing and monitoring data privacy and data protection compliance efforts of multinational companies
- Driving the creation of and supporting internal data protection policies and procedures
- Overseeing cross-border projects and global initiatives relating to data protection and privacy issues
- Identifying and remedying privacy and/or data protection vulnerabilities
- Drafting and reviewing agreements with third parties and updating contractual provisions (data transfer agreements, employee agreements/vendor/supplier/service provider agreements) relating to data privacy, and processing, storage and use of data, including model contractual clauses under Commission Decision 2001/497/EC of 27 December 2004 and Commission Decision 2010/87/EU of 5 February 2010
- Interacting with EU Data Protection Authorities to ensure access to appropriate information for data subjects and complete, timely submission of required notifications, registrations and accompanying documents
- Assistance in comprehensive data processing operations and transfers from EU member states to third countries (including the United States) under Article 27 and 28 of the Malta Data Protection Act and Legal Notice 155 of 2003 Third Country (Data Protection Act) Regulations (as amended)
- Preparing and directing changes to be made in preparation of the proposed European General Data Protection Regulation, across teams in different EU member states
- Coordination and delivery of training/presentations to management and staff
- Evaluation of privacy compliance assessments
- Assistance in proper handling of inspections, audits and data privacy requirements according to applicable legislation and internal company policy
- Assistance in compilation of SOPs, reports and other procedures
- Legal advice on the Data Protection Act (Chapter 440 of the Laws of Malta)
- Acting as Personal Data Representative to clients