The Franchise Law Review: Data Protection
I THE ORIGINS AND EVOLUTION OF DATA PRIVACY LAWS
In Europe, the right to privacy is primarily intended as a protection from interference by the state so that individuals can develop their personalities in their relations with other human beings. Data protection, conversely, has evolved in parallel to the growth of information technology as a tool to protect individuals from potential abuses related to the processing of an individual's data; however, although these concepts are, in principle, separate and distinct, they both exist to protect fundamental rights, including an individual's right to a private life. Accordingly, there is a considerable overlap between privacy and data protection.
i Origins of privacy instruments
Although the concept of privacy law can be traced back as early as 1890,[2] modern national privacy laws in Europe only began to take shape after the Second World War, when the General Assembly of the United Nations adopted, on 10 December 1948,[3] Article 12 of the Universal Declaration of Human Rights:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.
Since the Second World War, the right to privacy or private life has been enshrined in a number of other regional fundamental rights instruments[4] in Europe, culminating in Article 8 of the European Convention on Human Rights (ECHR),[5] which provides that:
1 Everyone has the right to respect for his private and family life, his home and his correspondence.
2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
While some fundamental rights are absolute and unqualified, the right to private life, at least in the European view, is not absolute and must be weighed against other fundamental rights, such as the right to freedom of expression to be found in Article 10 of the ECHR.[6]
The 1980 OECD guidelines on privacy were a powerful stimulus to national legislation in OECD member countries and beyond.[7] They were developed at the same time as the Council of Europe's 1981 Data Protection Convention[8] (Convention 108) and were updated in 2013. The OECD's focus was the risk of national privacy laws prejudicing transborder data flows, whereas the Council of Europe emphasised the protection of fundamental rights.
ii Origins of data protection
'Data protection' as distinct from 'privacy' has a shorter legal history. It is a European concept and derives from concerns that rose to prominence in the 1970s[9] about the power of automatic data processing – especially by state organisations. Following legislation in Sweden, Germany and France, but also building on the work of the Younger Committee[10] in the United Kingdom, the fundamental principles of fairness, lawfulness, accuracy, necessity and security were brought together in Convention 108.[11]
Data protection legislation is largely procedural rather than substantive and was developed to address concerns by legislators about the ease with which data could be transferred across borders. Safeguards were subsequently integrated into data protection legislation alongside the principles described in, inter alia, Convention 108, to ensure the protection of citizens' privacy rights, while recognising the speed of developments in technology.
At a European level, the European Data Protection Directive 95/46/EC was adopted on 24 October 1995 and implemented by Member States (and other EEA countries) thereafter. On 25 May 2018, this data protection framework was replaced by the General Data Protection Regulation 2016/679 (GDPR), which became directly effective in all Member States and significantly increased the obligations placed on those organisations that process personal data. The modernised Convention 108 and the GDPR were developed in parallel and are both consistent and complementary.
II DATA PROTECTION CHALLENGES FOR INTERNATIONAL FRANCHISE RELATIONSHIPS
Many franchise arrangements will involve the collection and handling of customer data as well as employee and other business contact data. Much of this data will be personal data, the use of which is protected by data protection and privacy laws across the world. Currently, there are at least 100 countries in the world with such laws and Europe has some of the most stringent. Anyone thinking of setting up or expanding their franchise arrangement needs to be aware of these rules as non-compliance can lead to fines, claims for compensation, reputational damage and, in some cases, to prosecution for criminal offences.
i Which laws will apply to my franchise arrangement?
One of the key challenges facing any international franchise relationship will be for companies to work out which data protection laws will be applicable to their business arrangements. Outside Europe, privacy laws tend to be country-specific (e.g., Australia, Argentina and Taiwan), state-specific or applied to specific sectors (e.g., financial services, health or marketing services). However, such laws can apply on the basis of where the individual is located rather than where the organisation that is processing their data is based (this is especially true for many Asian countries). Within Europe, the GDPR has a wide territorial scope and applies to organisations based not only within, but also outside the EU if they monitor or offer goods and services to individuals in the EU. The GDPR increases the obligations on those who process personal data, and individuals will have stronger rights. It contains significantly tougher powers of enforcement for national data protection authorities, with powers to fine organisations up to €20 million or 4 per cent of their total worldwide annual turnover for infringements. The remainder of this chapter focuses on the main obligations under the GDPR.
There are additional privacy rules relating to the use of electronic communications set out in the Privacy and Electronic Communications Directive 2002/58/EC (as amended). This Directive is also under review; a draft e-Privacy Regulation has been proposed but progress has been slow and its future remains uncertain at the time of writing. Some of the existing rules are specific to certain communications service providers (internet service providers (ISPs) and telecommunications companies (telcos)), such as the rules relating to security and confidentiality, breach notification and restrictions on the use of traffic and location data. There are also provisions that apply to all organisations making use of electronic communications, including:
- rules relating to unsolicited marketing by email, fax and text, which can require opt-in consent in some situations.
These rules will be more relevant as franchisors and franchisees look to engage customers across a variety of channels. For example, if a franchisor wants the right to control the e-marketing campaigns to all customers, its franchisees often have to provide access to their customer databases as a matter of course. If this is the case, the parties need to think carefully about the relevant consents that may be required (particularly given the tougher requirements for obtaining valid consent under the GDPR). These rules are also relevant to organisations involved in targeted advertising programmes or that are interested in profiling their customers based on their online behaviour and browsing activities.
Loyalty schemes are another area where the rules can apply. In particular, organisations need to be clear who is participating in the scheme and whether they have appropriate consents to be able to contact the customers.
While the GDPR is directly effective in Member States without the need for implementing legislation, there are numerous areas where the GDPR permits or requires Member States to implement national laws. Thus local law advice can still be required in every country relevant to the franchise arrangement.
As mentioned above, the GDPR further extends the reach of EU data protection laws: it applies to data controllers and data processors that have EU establishments and where personal data are processed in the context of such establishments (whether or not the actual data processing takes place in the EU). The GDPR also applies to controllers and processors that are not established in the EU but that process personal data about data subjects in the EU in connection with (1) the offering of goods or services (payment is not required) or (2) the 'monitoring' of the data subjects' behaviour within the EU (this would include tracking individuals online to create profiles, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes).
ii Who and what is covered by the European data protection rules?
The GDPR applies to the processing of personal data held electronically or in structured paper files and it places obligations on controllers and processors of the data.
The controller is 'the natural or legal person, public authority or agency or any other body which, alone or jointly with others, determines the purposes and means of the processing'. It is clear that franchisors will be data controllers in respect of the personal data they process. In many cases, the franchisees will also be independent data controllers with separate obligations to meet applicable privacy law requirements as they will also determine the purposes and the means of the processing.[12] The roles the parties play, however, are not always clear-cut and there may be circumstances in which the franchisees are acting as joint controllers with the franchisor (i.e., where the franchisor and franchisee jointly determine the purposes and means of a processing operation either by way of common or converging decisions) or as processors (i.e., people – other than employees of a data controller – who process personal data on behalf of a data controller and have no independent control over the personal data). This distinction is important as more obligations fall on controllers under the GDPR, which also requires joint controllers to have arrangements in place determining their roles and responsibilities. However, even though franchisees may be independent data controllers, franchisors will still need to put controls in place (in the franchise agreement) to protect the customer data belonging to the 'brand' (even though this is not mandated by the GDPR). For example, a franchisor may, while protecting the IP in any customer database, wish to consider ensuring that the customer data are the confidential information of the franchisor and can only be used for the purposes of the franchise business, thereby ensuring that the data are destroyed or returned to the franchisor on termination of the franchise arrangement.
Under the GDPR, while processors have fewer direct obligations, they are required to: (1) document their processing activities (carried out on behalf of the controller); (2) cooperate with supervisory authorities; (3) implement appropriate security; (4) designate a data protection officer (if applicable); (5) notify the controller of any security breaches; and (6) comply with the international data transfer rules. Breach of these obligations can expose the processor to compensation claims from individuals and administrative fines under the GDPR.
Personal data are broadly defined and include information relating to a directly or indirectly identifiable natural person (i.e., an individual, not a company). This includes details such as name, postal address and email address, as well as online identifiers, device identifiers, cookie IDs and IP addresses. Customer data, employee data and business contact data (including details held about franchisees) are caught by the definition. However, truly anonymous data, such as aggregated statistics, are not regulated by the GDPR (but pseudonymous data are still treated as personal data).[13] Some data are to be regarded as special categories of data and can only be processed under strict conditions. Such data include racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life or sexual orientation, genetic data and biometric data used for the purposes of uniquely identifying a natural person.
Personal data are caught by the GDPR if they are processed wholly or partly by automated means (broadly speaking, on computer) or in certain structured paper files. This would therefore include personal data captured online via social media and apps, as well as CCTV and voice recordings. The GDPR defines a 'filing system' as any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.
The definition of processing is broad under the GDPR and applies to almost any operations performed on personal data, from collection to transfer, disclosure, storage and destruction.
iii What are the main obligations under European data protection laws for franchisors or franchisees to consider?
Compliance with data protection principles
Franchisors and franchisees must comply with certain principles whenever they are processing personal data. In summary, these specify that personal data shall be: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and up to date; kept for no longer than necessary; and kept securely.
There is also an accountability principle, which requires a controller to be able to demonstrate that it has followed the relevant principles. This will be evidenced by adopting data protection by design and by default, developing policies and procedures, running staff training programmes and undertaking audits. Controllers and processors are required to maintain records of processing activity (which replaces the notification regime) and carry out privacy impact assessments in certain circumstances. Data protection officers may also have to be appointed. All data controllers will be subject to a general data-breach notification regime.
The GDPR restricts transfers of data outside the EEA (including to the United Kingdom following the end of the Brexit transition period), which is of particular significance to international franchise arrangements. In short, if personal data processed by EEA franchisors or franchisees are being transferred outside the EEA, then the relevant organisations must show that there is 'adequate protection' for the data, otherwise the transfer will be prohibited. For example, this is relevant where an EEA franchisor or franchisee uses a US cloud provider to store its customer data. While the GDPR sets out a number of data transfer tools that can be used to provide appropriate safeguards for the transfer, such as Commission-approved standard contractual clauses and binding corporate rules, as well as a number of derogations such as explicit consent, this is an area that has recently become much harder for organisations to comply with properly. This follows on from the Court of Justice of the European Union's judgement in Schrems II[14] on 16 July 2020, which invalidated the EU–US Privacy Shield and found that organisations relying on the standard contractual clauses may need to implement additional safeguards beyond the clauses to legitimise the data transfers. At the time of writing, the Commission has also issued a new draft of the standard contractual clauses, which are likely to be implemented in early 2021. As such, appropriate legal advice should be sought early in the establishment of any international arrangement. Franchisors engaging with cloud providers would also have to ensure that the contract provides sufficient assurances around data security and access to data, particularly in the event that the franchisees are to be given some level of access. The GDPR also requires specific contractual obligations to be imposed on data processors, including consent to appoint subprocessors, and audit rights.
Compliance with individuals' rights
The GDPR expands the rights granted to individuals to whom information relates (data subjects), including the rights to request:
- access to their personal data;
- data portability (a right to require their personal data to be provided in a commonly used electronic form or transmitted to another controller);
- correction, deletion or restriction of the processing of their personal data;
- to object to certain types of processing; and
- not to be subject to solely automated decisions that produce legal effects (such as computerised decisions regarding job applications).
Individuals also have the right to an effective judicial remedy against a controller or processor and have a right to compensation (including damages for distress) from a relevant controller or processor for material or immaterial damage resulting from an infringement of the GDPR. Individuals can also complain directly to the data protection supervisory authority about such infringements.
Franchisors and franchisees are becoming increasingly aware of the need to protect essential assets such as customer databases from theft, damage, destruction or unauthorised use and in particular from the threats posed by cyberattacks. Franchisors and franchisees will need to identify what assets need to be protected, identify the impact a cyberattack could have on their business, and have in place measures to protect the business (e.g., increased security controls, malware protection, restrictions on the use of removable media). This is a rapidly evolving field that is increasingly attracting regulatory attention. For example, there are already European laws (which predate the GDPR) requiring certain EU telcos and ISPs to notify security breaches to both the regulator and the affected individuals. In July 2016, the Network and Information Security Directive (the NIS Directive) was adopted, and Member States had until 9 May 2018 to implement its provisions into national laws and a further six months to identify 'operators of essential services'. This Directive sets out measures designed to ensure critical IT systems in central sectors of the economy such as banking, energy, health and transport are secure. It applies to operators of such essential services and to 'relevant digital service providers'. Each EU country determines which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive, and determines its own 'effective, proportionate and dissuasive' penalties for infringement. All organisations in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and notify significant incidents to the relevant national authority. The same applies to all entities that meet the definition of relevant digital service providers. Micro and small enterprises are excluded from the scope of the NIS Directive. 
The NIS Directive also requires Member States to adopt their own cybersecurity and NIS strategies, defining strategic objectives and appropriate policy and regulatory measures, and to designate national authorities competent for monitoring the application of the NIS Directive at national level.
The GDPR and the NIS Directive address different things: the GDPR concerns personal data while the NIS Directive addresses the security of systems, but there is considerable overlap as security considerations are relevant to both, and most organisations covered by the NIS Directive will be data controllers (as well as being data processors in some situations).
The NIS Directive applies to fewer organisations but is expected to have a knock-on impact for suppliers to relevant digital service providers and operators of essential services. NIS incidents can be (but are not always) a personal data breach under the GDPR, which is reportable to the competent authority (under the NIS Directive) and the data protection authority (under the GDPR). As the GDPR and NIS Directive are separate laws, organisations may face regulatory action (including monetary penalties) under both pieces of legislation.
III KEY DATA PROTECTION RISKS
Each Member State has a supervisory authority or authorities that enforce data protection and must ensure that there are remedies and enforcement arrangements. Enforcement can result in administrative and criminal proceedings imposing fines and imprisonment; civil damages claims; and bad publicity, damage to goodwill, brand image and loss of consumer trust. Therefore, it is important for any international franchise arrangement to implement appropriate data protection measures to avoid such enforcement actions. Under the GDPR, the supervisory authorities will have the power to fine organisations up to €20 million or 4 per cent of their total worldwide annual turnover for infringements of the new rules.
[1] Ruth Boardman is a partner and Elizabeth Upton is a legal director at Bird & Bird LLP. Francis Aldhouse is a former Bird & Bird consultant.
[2] Samuel D Warren and Louis D Brandeis, 'The Right to Privacy', Harvard Law Review, Vol. 4, No. 5 (15 December 1890), pp. 193–220.
[3] Subsequently embodied in Article 17 of the International Covenant on Civil and Political Rights adopted by the General Assembly of the United Nations 16 December 1966.
[4] For example, Article 11 of the American Convention on Human Rights, San José, Costa Rica, 22 November 1969.
[5] Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 1950, Council of Europe European Treaty Series 5.
[6] For guidance on how to weigh one right against another, see Axel Springer v. Germany App No. 39954/08 (ECtHR, 7 February 2012) and Von Hannover v. Germany (No. 2) App Nos. 40660/08 and 60641/08 (ECtHR, 7 February 2012).
[7] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Co-operation and Development, Paris 2002, ISBN 92-64-19719-2.
[8] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series 108, Strasbourg 1981.
[9] For a history see Chapter 2, Colin J Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca, NY and London: Cornell University Press, 1992).
[10] Home Office, Lord Chancellor's Office and Scottish Office, Report of the Committee on Privacy (Cmnd 5012, July 1972).
[11] On 18 May 2018, the European Council adopted an amending Protocol updating Convention 108. This will come into force once ratified by the relevant parties (as at November 2020, this has not yet happened), or on 11 October 2023 if there are 38 parties to the Protocol at this date. Council of Europe membership is significantly wider than that of the European Union and the EEA Member States.
[12] Note that the law can apply both to corporate organisations and to sole traders.
[13] Pseudonymisation is defined under the GDPR as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
[14] Schrems II (C-311/18).