EU-US Data Privacy Framework Adequacy Decision adopted by European Commission

Last month, three years after the Court of Justice of the European Union ('CJEU') struck down the EU-US Privacy Shield (the 'Privacy Shield') in Schrems II, the European Commission formally adopted a new adequacy decision with the EU-US Data Privacy Framework (the 'Framework'). The Commission's press release states that the decision concludes that the US will provide an adequate (i.e. essentially equivalent to that of the EU) level of protection for data transfers from EU to US companies under the Framework. The Framework, which has been long awaited, will provide EU companies transferring personal data to the US an additional mechanism to legalise such transfers.

The adequacy decision allows companies that adhere to the Framework to receive personal data from the EU without the need to put in place further transfer safeguards. Companies that previously self-certified under the Privacy Shield will have a streamlined procedure to self-certify under the Framework. According to the Commission, the Framework addresses all the concerns raised by the CJEU with respect to US intelligence services having access to personal data from the EU. There will also be a new court, the Data Protection Review Court, that will provide data subjects with a mechanism to challenge access to personal data. The Framework is not static, but rather will be subject to periodic reviews by the Commission, representatives of the EU's data protection authorities, and their equivalents in the US.

The EU Commissioner for Justice, Didier Reynders, stated in a press conference that: 'With the adoption of the Adequacy Decision, personal data can now flow freely and safely from the European Economic Area to the U.S. without any further conditions or authorisations.'

On the possibility of a challenge against the adequacy decision, he stated that the Commission is 'very confident to try to, not only implement such an agreement, but also to defend [the agreement] in all procedures that [such agreement will] have to face.' Max Schrems's organisation noyb ('none of your business') is expected to challenge the Framework and the adequacy decision in the CJEU.

Further Problems for Meta in Europe

The Norwegian Data Protection Authority ('NDPA') has taken action to ban Meta from processing personal data for the purposes of behavioural advertising, after the latter purported to change the legal basis for that processing.

After complaints in Ireland from the privacy organisation noyb ('none of your business'), the Irish data protection authority ('DPC') found that Meta could not rely on the contractual basis (Art. 6(1)(b) GDPR) for the processing of personal data for behavioural advertising, and ordered Meta to make its processing compliant with the GDPR.

Meta then purported to rely on legitimate interest (Art. 6(1)(f) GDPR) as the legal basis for its processing. However, in Germany, the Court of Justice found that attempting to rely on Art. 6(1)(f) was also not compliant with the requirements of the GDPR.

Following these two findings, the NDPA raised concerns with the DPC and requested mutual assistance from the DPC under Art. 61(1) GDPR as the lead supervisory authority in Europe for Meta. The NDPA requested that the DPC:

1. Issue a temporary ban on Meta regarding certain processing operations until Meta provided adequate and sufficient commitments to ensure its compliance with Art. 6(1) GDPR; and

2. Share information on how the DPC would ensure and monitor Meta's compliance with Art. 6(1).

The DPC refused to comply with the first request, and, in the opinion of the NDPA, did not provide a sufficient response to the second request, nor any reason for why it was unwilling to provide the requested information.

Accordingly, the NDPA instigated an urgency procedure under Art. 66 GDPR, which allowed the NDPA to issue a temporary ban on Meta and Facebook Norway AS processing personal data for behavioural advertising. This order only applied in Norway and would have lasted for three months, unless Meta demonstrated remedial measures prior to that date. Non-compliance could have led to a fine of NOK 1,000,000 (c. EUR 90,000) per day.

Meta has since capitulated, and will no longer seek to rely on legitimate interest in this context. Rather, throughout the EU, Meta will rely on consent for the purposes of processing personal data for targeted advertising.

UK ICO to Make Enquiries into OpenAI's 'WorldCoin'

This summer, the creator of ChatGPT, OpenAI, launched a new crypto project, 'WorldCoin,' that offers participants a share of a crypto token in exchange for their biometric data (an iris scan). Worldcoin's mission is said to include developing a 'reliable solution for distinguishing humans from AI online' and creating a 'potential path to AI-funded UBI [universal basic income].'

More than 2 million participants have signed up to WorldCoin since its launch. Accordingly, OpenAI may be processing a huge quantity of biometric data (if the iris scans are used to identify individuals) – which is sensitive ('special category') personal data under the GDPR and UK GDPR. Concerns have already been raised as to whether WorldCoin is harvesting more information from its participants than that to which those participants have consented. WorldCoin claims to host users' data on a decentralised blockchain. Data subjects have the right to withdraw consent for processing health data at any time, and to seek its deletion, but it is not clear whether the WorldCoin blockchain storage approach is compatible with those rights.

On July 31st 2023, the UK Information Commission released a statement, that included the following:

1. 'Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data.'

2. 'Organisations also need to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.'

3. 'We note the launch of WorldCoin in the UK and will be making enquiries.'

Other European data protection regulators have also commented, with the French regulator describing WorldCoin as 'questionable.'

Indian Parliament Adopts Digital Personal Data Protection Bill

This week both Chambers of the Indian Parliament voted to pass the Digital Personal Data Protection Bill 'DPDPB,' which has some similarities with the GDPR, as well as noticeable differences. Some initial observations on the DPDPB include:

1. Data subjects (called 'data principals' under the DPDPB) have the right to access, correct and erase data, but only where that personal data is based on consent or voluntary disclosure. However, 'false or frivolous' complaints can result in a fine.

2. Data controllers are called 'data fiduciaries' under the DPDPB. Some larger data fiduciaries in India will have additional requirements, such as appointing a DPO (data protection officer), as well conducting DPIAs (data protection impact assessments) and other audits.

3. The DPDPB provides two lawful grounds for processing data: Consent and so-called 'certain legitimate uses.' The latter, surprisingly, does not include 'legitimate interest,' but does include where the personal data has been voluntarily disclosed, e.g. in a transaction.

4. Publicly available data is excluded from the purview of the DPDPB. This is likely to be welcomes by businesses seeking to train large-language model AIs. Processing for research and statistics is also generally excluded from the scope of the bill.

5. The DPDPB has broad extraterritorial effect, similar to that of the GDPR. It covers any person or entity outside of India that processes data 'in connection with any activity related to offering of goods or services [to people in India].' However, the DPDPB does not cover outsourcing companies in India that are processing the data of individuals outside India.

6. Unlike under the GDPR, international data transfers are permitted unless they are forbidden (rather than vice versa).

7. The DPDPB creates a new 'Data Protection Board of India' ('DPBI'), described as being 'independent.' However, it appears that under the DPDPB, the Central Government has the power to obtain personal data from Indian companies or from the DPBI, and to block public access to 'any computer resource.'

India is now the world's largest country by population; as its data protection regime develops, it is likely to serve as an example for other countries in the region as they formulate their own local data protection laws.

Originally published 21 August 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.