I THE ORIGINS AND EVOLUTION OF DATA PRIVACY LAWS

In Europe, the right to privacy is primarily intended as a protection from interference by the state so that individuals can develop their personalities in their relations with other human beings. Data protection, conversely, has evolved in parallel to the growth of information technology as a tool to protect individuals from potential abuses related to the processing of an individual’s data; however, although these concepts are, in principle, separate and distinct, they both exist to protect fundamental rights, including an individual’s right to a private life. Accordingly, there is a considerable overlap between privacy and data protection.

i Origins of privacy instruments

Although the concept of privacy law can be traced back as early as 1890,2 modern national privacy laws in Europe only began to take shape after the Second World War, when the General Assembly of the United Nations adopted, on 10 December 1948,3 Article 12 of the Universal Declaration of Human Rights:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.

Since the Second World War, the right to privacy or private life has been enshrined in a number of other regional fundamental rights instruments4 in Europe, culminating in Article 8 of the European Convention on Human Rights (ECHR),5 which provides that:

1 Everyone has the right to respect for his private and family life, his home and his correspondence.

2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

While some fundamental rights are absolute and unqualified, the right to private life, at least in the European view, is not absolute and must be weighed against other fundamental rights, such as the right to freedom of expression to be found in Article 10 of the ECHR.6

The 1980 OECD guidelines on privacy were a powerful stimulus to national legislation outside Europe.7 These were developed at the same time as the Council of Europe’s 1981 Data Protection Convention8 (Convention 108). The OECD’s focus was the risk of national privacy laws prejudicing transborder data flows, whereas the Council of Europe emphasised the protection of fundamental rights.

ii Origins of data protection

‘Data protection’ as distinct from ‘privacy’ has a shorter legal history. It is a European concept and derives from concerns that rose to prominence in the 1970s9 about the power of automatic data processing – especially by state organisations. Following legislation in Sweden, Germany and France, but also building on the work of the Younger Committee10 in the United Kingdom, the fundamental principles of fairness, lawfulness, accuracy, necessity and security were brought together in Convention 108.

Data protection legislation is largely procedural rather than substantive and was developed to address concerns by legislators about the ease with which data could be transferred across borders. Safeguards were subsequently integrated into data protection legislation alongside the principles described in, inter alia, Convention 108, to ensure the protection of citizens’ privacy rights, while recognising the speed of developments in technology.

II DATA PROTECTION CHALLENGES FOR INTERNATIONAL FRANCHISE RELATIONSHIPS

Many franchise arrangements will involve the collection and handling of customer data as well as employee and other business contact data. Much of this data will be personal data, the use of which is protected by data protection and privacy laws across the world. Currently, there are at least 100 countries in the world with such laws and Europe has some of the most stringent. Anyone thinking of setting up or expanding their franchise arrangement needs to be aware of these rules as non-compliance can lead to fines, claims for compensation, reputational damage and, in some cases, to prosecution for criminal offences.

i Which laws will apply to my franchise arrangement?

One of the key challenges facing any international franchise relationship will be for companies to work out which data protection laws will be applicable to their business arrangements. Outside Europe, privacy laws tend to be country-specific (e.g., Australia, Argentina and Taiwan), state-specific or applied to specific sectors (e.g., financial services, health or marketing services). However, such laws can apply on the basis of where the individual is located rather than where the organisation that is processing their data is based (this is especially true for many Asian countries). Within Europe, the current legislation is the Data Protection Directive 95/46/EC (the Directive), which applies to all Member States of the European Economic Area (EEA) including the EU Member States, Norway, Iceland and Liechtenstein. However, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force and will be directly effective across all EU Member States, where it will replace existing data protection laws, as well as having broader territorial application. The GDPR has a wide territorial scope and will apply to organisations based outside the EU if they monitor or offer goods and services to individuals in the EU. The GDPR will increase the obligations on those who process personal data, and individuals will have stronger rights. There will also be significantly tougher powers of enforcement for national data protection authorities, with powers to fine organisations up to €20 million or 4 per cent of their total worldwide annual turnover for infringements of the new rules. The remainder of this chapter will focus on the changes that the GDPR will bring compared to the existing Directive.

There are additional privacy rules relating to the use of electronic communications set out in the Privacy and Electronic Communications Directive 2002/58 EC (as amended). This Directive is also under review, and an e-Privacy Regulation, currently in draft form, is expected to be implemented during 2018/2019. Some of these existing rules are specific to certain communications service providers (internet service providers (ISPs) and telecommunications companies (telcos)), such as the rules relating to security and confidentiality, breach notification and restrictions on the use of traffic and location data. The e-Privacy Regulation is expected to have a wider scope, so as to apply to all services functionally equivalent to telcos. There are also current provisions that apply to all organisations making use of electronic communications, including:

  • a requirements for notice and consent to use cookies and similar technologies; and
  • b rules relating to unsolicited marketing by email, fax and text, which can require opt-in consent in some situations.

These rules will be more relevant as franchisors and franchisees look to engage customers across a variety of channels. For example, if a franchisor wants the right to control the e-marketing campaigns to all customers, its franchisees are likely to be required to share access to customer databases with it as a matter of course. If so, the parties will need to think carefully about the relevant consents that may be required. These rules will also be relevant to organisations involved in targeted advertising programmes or who are interested in profiling their customers based on their online behaviour and browsing activities.

Loyalty schemes are another area where the rules may apply. In particular, organisations will need to be clear who is participating in the scheme and whether they have appropriate consents to be able to contact the customers.

While the aim of these rules is to set out certain common privacy standards for individuals across the EEA, it is important to note that they only impose minimum standards and many Member States have currently chosen to add different, and often higher, standards into their local privacy legislation, which can vary significantly from country to country. This may, therefore, require local advice to be sought in every country relevant to the franchise arrangement. While the intention of the GDPR is to alleviate some of these differences, it still permits Member States to legislate in many areas, which will continue to challenge the GDPR’s aim of consistency, and will mean that there continues to be a need for local law advice.

While the Directive only applies to data controllers established in the EEA and that process personal data in the context of that establishment, the GDPR will further extend the reach of EU data protection laws: it will apply to data controllers and data processors that have EU establishments and where personal data are processed in the context of such establishments (whether or not the actual data processing takes place in the EU). The GDPR will apply to controllers and processors that are not established in the EU but where they process personal data about EU data subjects in connection with (1) the offering of goods or services (payment is not required) or (2) the ‘monitoring’ of their behaviour within the EU (this would include tracking individuals online to create profiles, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes).

ii Who and what is covered by the European data protection rules?

The Directive will apply to personal data held in certain types of records that are processed by a data controller.

The data controller is ‘the natural or legal person, public authority or agency or any other body which, alone or jointly with others, determines the purposes and means of the processing’. It is clear that franchisors will be data controllers in respect of the personal data they process. In many cases, the franchisees will also be independent data controllers with separate obligations to meet applicable privacy law requirements as they will also determine the purposes and the means of the processing.11 The roles the parties play, however, are not always clear-cut and there may be circumstances in which the franchisees are acting as data processors (i.e., people – other than employees of a data controller – who process personal data on behalf of a data controller and have no independent control over the personal data). This distinction is important as most obligations in the Directive fall on data controllers. However, even though franchisees may be independent data controllers, franchisors will still need to put controls in place (in the franchise agreement) to protect the customer data belonging to the ‘brand’. For example, a franchisor may, while protecting the IP in any customer database, wish to consider ensuring that the customer data are the confidential information of the franchisor and can only be used for the purposes of the franchise business, thereby ensuring that the data are destroyed or returned to the franchisor on termination of the franchise arrangement. Under the GDPR, direct obligations and liability will be placed upon data processors for the first time. This will include obligations to: (1) document their processing activities (both with the controller and more generally); (2) cooperate with supervisory authorities; (3) implement appropriate security; (4) designate a data protection officer (if applicable); (5) notify the controller of any security breaches; and (6) comply with the international data transfer rules. Breach of these obligations could expose the processor to compensation claims from individuals and administrative fines under the GDPR. There are also specific provisions relating to joint controllers, requiring them to document arrangements and risk joint and several liability.

Personal data are broadly defined and will include information relating to a directly or indirectly identifiable natural person (i.e., an individual, not a company). This will include details such as name, postal address, email address, as well as facts and opinions held about an individual. Customer data, employee data and business contact data (including details held about franchisees) will all be caught by the definition. However, truly anonymous data, such as aggregated statistics, are not regulated by the Directive or the GDPR. Some data are to be regarded as sensitive and can only be processed under strict conditions. Such data include racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life, and the commission of offences and related proceedings. The GDPR retains a similar definition but also makes it clear that certain categories of online data may be personal such as online identifiers, device identifiers, cookie IDs and IP addresses. The categories of sensitive data are also extended to cover genetic and biometric data.

Personal data will be caught by the Directive and the GDPR if they are processed wholly or partly by automated means (broadly speaking, on computer) or in certain structured paper files. This would therefore include personal data captured online via social media and apps. The GDPR defines a ‘filing system’ as any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.

The Directive and the GDPR will apply to any operations performed on personal data, from collection through to transfer, disclosure, storage and destruction.

iii What are the main obligations under European data protection laws for franchisors or franchisees to consider?

Notification

The Directive placed an obligation on data controllers to give notification of their data processing activities to the applicable data protection authority. This obligation will (largely) disappear under the GDPR, although organisations will be required to demonstrate accountability by keeping new records of their processing activities (the type of data processed, the purposes for which they are used, etc.), which will contain similar information to that which under current laws controllers are required to register with data protection authorities.

Compliance with data protection principles

Franchisors and franchisees will need to comply with certain principles whenever they are processing personal data. In summary, these specify: data quality standards; the need for a lawful legitimate basis for processing the data; and security and confidentiality obligations and restrictions on transferring data outside the EEA (except in limited circumstances).

Data transfer restrictions will be of particular significance to international franchise arrangements. In short, if personal data belonging to EEA franchisors or franchisees are being transferred outside the EEA, then the relevant organisations will need to show that there is ‘adequate protection’ for the data, otherwise the transfer will be prohibited. For example, this will be relevant where an EEA franchisor or franchisee is using a US cloud provider to store its customer data. There are a number of solutions that can currently be relied upon to demonstrate adequacy, which include relying on standard contractual clauses approved by the Commission, binding corporate rules, the EU–US Privacy Shield framework, and unambiguous consent. Franchisors and franchisees should note that the US Safe Harbor scheme, which was considered to provide adequate protection, was declared invalid in October 2015 following the Schrems case. The standard contractual clauses and EU–US Privacy Shield are also being challenged on similar grounds, so this is an area that needs to be kept under review and on which appropriate legal advice should be sought early in the establishment of any international arrangement. Franchisors engaging with cloud providers would also need to ensure that the contract provides sufficient assurances around data security and access to data, particularly in the event that the franchisees are to be given some level of access. The GDPR also requires specific contractual obligations to be imposed on data processors.

The GDPR will also introduce more organisational and documentary measures on organisations. Organisations will have to demonstrate compliance with the GDPR, including by adopting data protection by design and by default, staff training programmes and undertaking audits. They will be required to maintain records of processing activity and to carry out privacy impact assessments in certain circumstances. Data protection officers may also need to be appointed. All data controllers will be subject to a general data breach notification regime.

Compliance with individuals’ rights

The GDPR expands the rights granted to individuals to whom information relates (data subjects), including the following:

  • a a right to be provided with specified information about the processing of information relating to them (including the right to a copy of the actual information held, free of charge, if requested);
  • b a right to request an organisation to transfer information relating to them to another organisation;
  • c a right to request correction, deletion or restriction to the processing of their information;
  • d a right to object to certain types of processing; and
  • e rights in relation to significant automated decisions (such as computerised decisions regarding job applications).

An individual is also entitled to compensation if he or she suffers damage because a data controller has breached the provisions of the Directive or the GDPR, and can complain directly to the data protection supervisory authority about such breaches.

iv Cybersecurity

Franchisors and franchisees are becoming increasingly aware of the need to protect essential assets such as customer databases from theft, damage, destruction or unauthorised use and in particular from the threats posed by cyberattacks. Franchisors and franchisees will need to identify what assets need to be protected, identify the impact a cyberattack could have on their business, and have in place measures to protect the business (e.g., increased security controls, malware protection, restrictions on the use of removable media). This is a rapidly evolving field that is increasingly attracting regulatory attention. For example, there are already European laws requiring certain EU telcos and ISPs to notify security breaches to both the regulator and the affected individuals. In July 2016, the Network and Information Security Directive (the NIS Directive) was adopted by the European Parliament, and Member States have until 9 May 2018 to implement its provisions into national laws and a further six months to identify ‘operators of essential services’. This Directive sets out measures designed to ensure critical IT systems in central sectors of the economy such as banking, energy, health and transport are secure. It will apply to operators of such essential services and to ‘digital service providers’. Each EU country will determine which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive, and will determine its own ‘effective, proportionate and dissuasive’ penalties for infringement. All organisations in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and notify significant incidents to the relevant national authority. The same applies to all entities that meet the definition of digital service providers. Micro and small enterprises are excluded from the scope of the NIS Directive. The NIS Directive also requires Member States to adopt their own cybersecurity and NIS strategies, defining strategic objectives and appropriate policy and regulatory measures, and to designate national authorities competent for monitoring the application of the NIS Directive at national level.

III KEY DATA PROTECTION RISKS

Each Member State has a supervisory authority or authorities that enforce data protection and must ensure that there are remedies and enforcement arrangements. Enforcement can result in administrative and criminal proceedings imposing fines and imprisonment; civil damages claims; and bad publicity, damage to goodwill, brand image and loss of consumer trust. Therefore, it is important for any international franchise arrangement to implement appropriate data protection measures to avoid such enforcement actions. Under the GDPR, the supervisory authorities will have the power to fine organisations up to €20 million or 4 per cent of their total worldwide annual turnover for infringements of the new rules.

Footnotes

1 Ruth Boardman is a partner, Francis Aldhouse is a consultant and Elizabeth Upton is a senior associate at Bird & Bird LLP.

2 Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol. 4, No. 5 (15 December 1890), pp. 193–220.

3 Subsequently embodied in Article 17 of the International Covenant on Civil and Political Rights adopted by the General Assembly of the United Nations 16 December 1966.

4 For example, Article 11 of the American Convention on Human Rights, San José, Costa Rica, 22 November 1969.

5 Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 1950 Council of Europe European Treaty Series 5.

6 For guidance on how to weigh one right against another, see Axel Springer v. Germany App No. 39954/08 (ECtHR, 7 February 2012) and Von Hannover v. Germany (No. 2) App Nos. 40660/08 and 60641/08 (ECtHR, 7 February 2012).

7 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Co-operation and Development, Paris 2002, ISBN 92-64-19719-2.

8 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series 108, Strasbourg 1981.

9 For a history see Chapter 2, Colin J Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca, NY and London: Cornell University Press, 1992).

10 Home Office, Lord Chancellor’s Office and Scottish Office Report of the Committee on Privacy (Cmnd 5012 July 1972).

11 Note that the law can apply both to corporate organisations and to sole traders.