French DPA Issues Guidance on Processors' Reuse of Data for Their Own Purposes
On January 12, 2022, the French data protection authority (“CNIL”) published guidance on the reuse of personal data by processors for their own purposes (the “Guidance”).
The GDPR generally restricts processors’ use of the personal data they process for controllers: processors may only process the data as instructed by the controller in a data processing agreement and may not use the data for their own purposes, or they risk running afoul of the GDPR and their contractual agreements.
The CNIL’s Guidance confirms that processors can reuse personal data obtained from controllers for purposes such as product improvement or the design of new services, but only under the following specified conditions:
- The purpose of reusing the personal data must be compatible with the initial purpose of processing. The controller remains responsible for conducting, on a case-by-case basis, a compatibility test to determine if the further processing (reuse) is compatible with the purpose for which the data was originally collected.
- The controller agrees in writing to the reuse. If the reuse is compatible with the original processing purpose, controllers can decide to authorize reuse of personal data for further processing.
- Data subjects must be duly informed. The controller is responsible for (and in some cases can delegate to the processor) informing data subjects of (i) the further processing and its purpose; and (ii) the right of data subjects to object to further processing, where applicable.
Please see here for our recent Dechert OnPoint.
Takeaway: Processors that use controllers’ data without complying with the above conditions may be prevented from reusing the data and risk a GDPR fine. If a processor reuses personal data for its own purposes, it will become a controller for that processing subject to the suite of GDPR obligations that apply to controllers.
With the foregoing in mind, controllers and processors will want to consider reviewing their processing agreements to ensure that the agreements:
- include a written authorization to reuse personal data, clearly specifying the purpose of the further processing,
- reference the outcome of the compatibility test, and
- assign responsibility between the parties for informing data subjects of the reuse of their personal data.
Privacy policies will also need to be updated to properly disclose the processor’s reuse and the data subjects’ corresponding right to object.
The FCC Proposes Stricter Requirements on Data Breach Reporting for Telecommunications Carriers
On January 12, 2022, the Federal Communications Commission (“FCC”) announced that Chairwoman Jessica Rosenworcel shared a Notice of Proposed Rulemaking (“Proposal”) with FCC staff that would establish stricter data breach reporting requirements for telecommunications carriers (“Announcement”). While the actual Proposal is not yet publicly available, the Announcement states that the Proposal would strengthen the FCC’s rules for notifying customers and federal law enforcement in the event of breaches of customer proprietary network information (“CPNI”) and better align the FCC’s rules with recent developments in other federal and state data breach notification laws.
According to the Announcement, the Proposal would update existing FCC rules on telecommunications carrier breach notification requirements by: (1) eliminating the current seven business day mandatory waiting period for notifying customers of a breach; (2) expanding customer protections by requiring notification in the event of “inadvertent” breaches; and (3) requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and U.S. Secret Service.
The Announcement states that the Proposal will also solicit comment on whether the FCC rules should require specific categories of information to be included in customer breach notices and that the Proposal would make corresponding updates to the FCC’s data breach reporting rule for telecommunications relay service.
Takeaway: Telecommunications carriers should continue to monitor developments related to the Proposal and consider submitting comments once it becomes public. The Proposal is the most recent in a series of proposed rules and legislation announced across industries relating to cybersecurity and data breach reporting in the wake of the sharp increase in the number of data breaches in the last few years.
UK Court of Appeal Considers Territorial Scope of GDPR
The UK Court of Appeal has allowed a GDPR infringement claim to be served on various US defendants in a decision that suggests a low bar for the EU/UK nexus required to bring GDPR claims against non-EU/UK parties in the UK. The claimant, Walter Soriano, commenced proceedings against US news outlet Forensic News following a series of negative publications about him.
Given the procedural nature of the decision, the court did not have to reach a definitive conclusion on the territorial remit of the GDPR, but only on whether the claimant had a sufficiently arguable case, taking into consideration each of the following three grounds for data processing to be subject to the GDPR.
- Article 3(1) of the GDPR provides that the GDPR applies to data processing in the context of an “establishment” in the EU/UK. The court noted that minimal activities can be sufficient to constitute an “establishment” if they are undertaken through “stable arrangements.” The defendants had no physical presence in the EU/UK, but the court held that their online journalism platform that expressly solicited EU/UK subscriptions arguably constituted an “establishment” (even though there were only 6 actual subscribers in EU/UK).
- Article 3(2)(a) sets out that processing personal data of data subjects who are in the EU/UK is subject to the GDPR where the processing relates to “the offering of goods or services … to such data subjects.” The court suggested that Article 3(2)(a) may protect only those individuals who are themselves offered goods or services, and Mr. Soriano was not among the individuals offered the defendants’ services. However, because none of the parties had argued for that interpretation, the court followed the parties’ approach and treated Article 3(2)(a) as also applying where the EU/UK data subjects whose data is processed are different from the EU/UK data subjects to whom goods or services are offered.
- Article 3(2)(b) provides that processing personal data of data subjects who are in the EU/UK in relation to “the monitoring of their behaviour” in the EU/UK is within scope of the GDPR. The court considered that mere collection of personal data relating to a data subject’s behaviour in the EU/UK might not constitute monitoring, but assembling, analysing, sorting and reconfiguring it was more likely to bring the activity within the scope of the GDPR.
Takeaway: The court’s analysis highlights continuing uncertainty in the applicability of GDPR outside the EU and UK. Broad interpretations are still very much on the table. Many businesses that offer goods/services to data subjects in the EU/UK from abroad may be deemed to have an “establishment” in the EU/UK and may therefore need to comply with the GDPR not only in relation to the data of their EU/UK customers, but also the data of other individuals (such as staff) that is processed in the context of those activities. Assuming Mr. Soriano’s case progresses to a final judgment, it will be one to watch closely. For more detail, see our recent Dechert OnPoint.
The US Chamber of Commerce, Joined by Others, Urges the Passage of Federal Privacy Legislation
On January 13, 2022, the U.S. Chamber of Commerce, local Chambers of Commerce in 29 states, and over a dozen national associations published a letter to Congress calling for the passage of national “comprehensive privacy legislation.” The letter emphasizes that the current patchwork of state privacy laws (including recent proposed laws that take “significantly diverse approaches” on enforcement, duties, and scope) threatens innovation and makes compliance difficult, in particular placing small businesses at a disadvantage. The letter further notes that the new privacy rulemaking being considered by the U.S. Federal Trade Commission (addressed in a previous Cyber Bits issue here) would add “a further layer of complexity” to the existing patchwork of state legislation in the U.S.
The coalition contends that it is “critical” that Congress enact a single national privacy law that provides meaningful and robust protections for consumers “through sole federal agency and state attorney general enforcement.” The letter asserts that having one national privacy law that is “clear and fair to businesses and empowering to consumers” will “foster the digital ecosystem necessary for America to compete.”
Takeaway: Companies should expect continued interest in and conversation regarding national privacy legislation but be prepared for lawmakers to stall over disagreements on key provisions, including how tough the law will be and whether federal law should preempt state privacy laws. Until a national privacy law is passed, something that has been talked about for nearly two decades but has not yet happened, companies should be prepared for individual states and federal agencies to continue updating and expanding their respective privacy laws.