Comparative Look at Models of Data Protection – Series of Webinars Led by the Israel Tech Policy Institute (ITPI)
Authors: Kavisha Patel and Lee Matheson
Kavisha Patel is a current student at Georgetown Law and an FPF Global Privacy Intern.
As a result of Israel’s recently proposed comprehensive privacy law update, the Protection of Privacy Bill, the Israel Tech Policy Institute led a series of three webinars in February 2022 discussing comparative models of data protection around the world. Organized by ITPI Senior Fellow Adv. Rivki Dvash, the webinars aimed to bring together practitioners and experts in the data protection field to explain their perspectives on existing arrangements in various countries with the goal of enriching the ongoing discussion in Israel.
The first webinar, “Legal Bases for Data Processing”, took place on February 9, 2022. The panel for this webinar included Dr. Yaacov Lozowick, Historian, Israel’s Previous Chief Archivist, Lecturer at Bar-Ilan University; Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at The Future of Privacy Forum; Dr. Clarisse Girot, Managing Director for Asia Pacific at the Future of Privacy Forum; and Dr. Bruno Bioni, Director-Founder of Data Privacy Brazil.
The second webinar, “Data Protection Authorities’ Powers of Enforcement and Sanctions”, took place on February 16, 2022. Panelists for this webinar included Adv. Reuven Eidelman, Head of Legal Department at the Israeli Privacy Protection Authority at the Ministry of Justice; Adv. Florence Raynal, Head of the International and European Affairs Department of the CNIL; J.D. Stacey Gray, Director of Legislative Research and Analysis at the Future of Privacy Forum; and Adv. Lore Leitner, Partner at Goodwin in London, UK.
The third webinar, “Civil and Class Actions Under Privacy and Data Protection Law Frameworks in Israel, the EU and the US”, took place on February 23, 2022. Panelists for this webinar included Professor Peter Swire, Professor of Law and Expert on Privacy and Cybersecurity, Georgia Tech University; Sebastião Barros Vale, EU Policy Fellow at the Future of Privacy Forum; and Professor Assaf Hamdani, Professor of Law at Tel Aviv University.
The webinars were moderated by Adv. Limor Shmerling Magazanik, Managing Director of the Israel Tech Policy Institute. Below is a summary of the main points and insights from the series. The recordings of the three sessions are available here.
First Webinar: Legal Bases for Data Processing
Key Insights:
- The purpose of personal data protection law is not to completely prohibit the processing of personal information, but to establish a robust means of protection for the processing of personal data so that it will be used in a manner that respects the rights and freedoms of individuals.
- There is no hierarchy between the various legal bases for processing under the GDPR: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or in the exercise of official authority, and legitimate interests. None of them is the default, and a controller must identify the appropriate basis before processing begins.
- Under the GDPR, the legitimate interest basis for lawful processing is complex and nuanced. Legitimate interests may serve as a lawful ground only if they are not overridden by the data subjects’ rights, interests and freedoms, which requires the controller to conduct a balancing test on a case-by-case basis for each processing activity, and to be able to document that assessment.
- Under the Brazilian LGPD, the legitimate interest basis for lawful processing is similarly subject to the principles of necessity, the balancing of rights and freedoms, and sufficient safeguards.
- In APAC jurisdictions, the landscape of lawful grounds for data processing is very fragmented, which makes it difficult for cross-border businesses to comply on a systemic basis.
- Some controllers interpret the laws and regulations incorrectly, making it very important for regulators to clarify their interpretations.
- In practice, due to divergences between countries, many businesses have been building their compliance programs focused on consent, as consent is often a common denominator between data protection regimes as a legal basis for data processing.
- The recent recognition of legitimate interests as a lawful ground for data processing in Singapore’s PDPA could influence other APAC countries to do the same. This ground can serve as a substitute for consent-based lawful processing.
- In the Israeli context, the same laws dictate how contemporary data and archival data are protected. Dr. Lozowick argues that this should change, as legitimate interests in scientific and historical research arise once data is old enough that it no longer reflects current reality.
- Meaningful consent (i.e., whether consent is given voluntarily, the extent to which consent is based on understanding, etc.) continues to be a core issue in data protection. As a result, strengthening this basis for data processing is important. This could include increasing transparency through UX/UI design and consideration of users’ vulnerabilities and degrees of literacy.
- Any legal system dealing with the crucial issues of data protection today should consider the impact of the passage of time on data privacy interests. Some propose that contemporary data protection arrangements should consider the passage of time as a criterion that reduces the interest in the protection of personal information and strengthens the interest in making information accessible to researchers for the benefit of the public.
Second Webinar: Data Protection Authorities’ Power of Enforcement and Sanctions
Key Insights:
- While the GDPR itself does not impose criminal sanctions, some Member States have added criminal provisions to their national law. Even in these countries, criminal enforcement is not carried out by the national Data Protection Authority (DPA): the DPA must refer the matter to a prosecutor, and prosecutors rarely take such cases due to limited resources. Nevertheless, criminal enforcement does take place through other authorities in related areas, such as wiretapping and computer hacking.
- The GDPR allows for a variety of administrative sanctions, in addition to financial sanctions. The enforcement tool used is tailored to the specific violation.
- Each EU DPA determines financial sanctions differently, resulting in a high variance between the fines imposed. Some may not even have the power to issue them on their own: in France, there is a separate body authorized to impose financial sanctions, which is not subordinate to the national DPA (CNIL).
- The United States has a wide range of federal, state, and local laws that apply to privacy and data security both directly and indirectly. The new state privacy and consumer protection laws, such as the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA), differ from one another in some respects.
- The Federal Trade Commission (FTC) is the lead data privacy enforcer in the United States. It has no formal complaint mechanism, in that it is not required to respond to individual or group complaints. Rather, investigations often originate with FTC staff or with an issue raised by Congress.
- The FTC often settles cases with companies through agreed arrangements called “consent decrees”, which require the companies to affirmatively take certain actions with respect to privacy and data security (e.g., privacy audits, impact assessments, hiring privacy officers). Many major technology companies are currently under such consent decrees, including Facebook and Google. Although the FTC does not have the authority to impose fines for a first violation under Section 5 of the FTC Act, a violation of a consent decree allows for the imposition of civil penalties.
- The main justification for criminal enforcement against individuals in Israel is the need for a deterrent against offenders who operate as individuals. The mechanism does not extend personal liability to corporate officers.
Third Webinar: Civil and Class Actions
Key Insights:
- In Israel, a class action can arise from a privacy cause of action, but only if the plaintiffs and the defendant are in one of the relationships for which class actions are permitted. This does not include relationships with government entities, NGOs, or other businesses that do not contract directly with the plaintiffs.
- Professor Assaf Hamdani suggests that privacy class actions should only be used as a tool if public enforcement is insufficient and where the specific violation merits the use of such a tool. Generally, public enforcement is not driven by fee considerations and public enforcers examine broader issues like the impact of a case.
- Under the GDPR, the data subject’s right to compensation extends to both material and non-material damage suffered as a result of an infringement. The concept of “non-material damage” is contentious, as national courts across the EU have interpreted it differently. The Court of Justice of the European Union (CJEU) will soon clarify whether a data subject’s sense of discomfort with an unauthorized disclosure of their data, or their worries, fears, and anxieties, count as non-material damage for the purposes of the GDPR. This underlines the importance of a clear statutory definition of non-material damage when it comes to privacy breaches.
- In the EU, representative actions under data protection law may be brought against both private and public entities, just like ordinary civil actions brought by affected data subjects. In some EU Member States, national law allows non-profits to go to court even without a mandate from the data subject, although in those cases they cannot seek compensation on the data subject’s behalf. Barros Vale explained that the recently passed EU Collective Redress Directive is more flexible in this regard, as data subjects may explicitly or tacitly express their wish to be bound by a collective compensation claim even after the action has been brought.
- To assess whether a regime risks under-enforcement or over-enforcement, Professor Swire suggests looking at three variables: 1) how likely it is that the company has committed a privacy violation, 2) how likely it is that an enforcement action will be taken against the company, and 3) how much the company would have to pay in damages, including attorney fees.