Data Protection is an important aspect of financial services (which includes mortgages) and has become increasingly essential every year. There are many items of importance companies need to be aware of. This includes Covid-19, international data transfers, Brexit, and security breaches. Also, GDPR fines imposed by the Data Protection Commission are key issues as well. Companies have reared focus on the operation of the Pan-European Enforcement Regulation (EU), and the General Data Protection Regulation (GDPR), which involves children’s personal data. Lastly, the National Artificial Intelligence (AI) Strategy and ePrivacy Regulation has also been on the forefront.
Covid-19
When Covid-19 kicked off, it introduced challenges for businesses. Business leaders were forced to determine what information they could ask their employees, such as health and travel data. Also, employers contemplated the option of implementing mandatory temperature testing without breaching GDPR obligations. Data security and the processing of employee data came to the forefront with these new changes in the world. Companies with Covid cases had to make a decision about who had the right to know the information regarding employee Covid tests. When Covid cases started to spike, businesses investigated the legality of PCR tests (molecular tests).
Cookies
A published report by the DPC highlights the use of cookies and other tracking technologies in 2020, followed by a cookies’ sweep. The report spoke on the nonconsensual placement of cookies, and the use of pre-checked boxes. Also included is the reliance on implied consent, the lack of clear information, and the disproportionate lifespan of cookies. The DPC gave out a 6-month grace period to comply to the new order of things. They have stated that they will take forceful action when the grace period is over, so it is important for those involved to beware.
International data transfers
A decision made by the Court of Justice of the European Union called “Schrems II”, was a significant development in international data transfer game. The decision invalidated the “US Privacy Shield”, which facilitated the legitimate transfer of personal data from the EEA (European Economic Area) to the United States. It also introduced a concept called “Transfer Impact Assessments” for controllers relying on SCCs (standard contractual clauses) to transfer personal data outside of the EEA. Finally, the decision reinforced the core principle that GDPR protection must travel with personal data when it goes outside the EEA. The DPC served a draft prohibition order on Facebook in relation to data transfers in the United States. Judicial review proceedings were also served by Facebook and Max Schrems.
Big Tech and DPC
The DPC leads Europe as the regulator for big tech companies, and they have continued more inquiries into said companies. They have also investigated Google, Tinder, and Facebook. Facebook planned a launch of a dating feature on their application and it was postponed due to issues with the DPC. The DPC then conducted an online inspection of Facebook’s office in Dublin. They issued a fine arising from its big tech statutory inquiries. Twitter was fined 450,000 euros for failing to report a data breach on time, and for not sufficiently documenting it. This was the first big tech decision where the EU data protection authorities were consulted with the GDPRs consistency mechanism. The DPC proposed different percent fines based on Twitter’s annual turnover, however in Germany the data protection authority thought the fine was too low to discourage further activity.
Data Breaches
The need for technology was imperative to answer the impact Covid-19 had on cybercrime. The public felt the impact from phishing was a fraudulent targeting of bank customers. The government in Ireland announced plans to invest in the National Cybercrime Bureau, in an attempt to thwart these attacks. The NCB is said to have a state-of-the-art decryption suite and over 60 new officers.
Brexit
The UK became a “third country” to EU member states for data protection purposes. The European Union and The United Kingdom’s Transfer and Cooperation Agreement contained a 6-month grace period for data transfers. This is intended to give the European Commission a window to perform its assessment of the UK’s data protection laws.
In the future, these items are important to keep in mind for Irish Businesses. 2021 is going to be a year full of change, and business leaders all over Europe need to remain aware of new adjustments.