
The Do’s and Don’ts of DSARs: A Practical Guide for Responding to Data Subject Access Requests

Handling data subject access requests (DSARs) isn’t as easy as ticking a compliance checkbox. It can be a test of an entity’s data organization, internal communication, and understanding of legal requirements. Between navigating jurisdictional nuances and meeting strict deadlines, the DSAR response process can quickly unravel without a clear plan. In this guide, we suggest best practices for handling and responding to DSARs, along with tips and common pitfalls to avoid when planning effective responses.

1.    Understand the Individual’s Ask

Under international data privacy laws, including those in the US and EU, individuals may have rights over the personal data collected about them by covered entities. Individuals generally exercise those rights through DSARs submitted to the relevant entities. These rights can include, but are not limited to:
  • Accessing Data: Individuals may request access to all or specific categories of their personal data.
  • Ceasing Data Processing: Individuals may request the entity stop processing their personal data.
  • Data Correction or Deletion: Individuals may request rectification of inaccurate or outdated personal data or even request the deletion of their personal data.
  • Processing Information: Individuals may request information about what their personal data is used for and why.
  • Portability: Individuals may request to receive a copy of their personal data in a portable format.

When an individual makes a request to exercise one of these rights, the entity must then respond to the request within a set time frame determined by the applicable law. These time frames differ between applicable laws, so the first step is ensuring you know the appropriate time frame to apply.

Who can submit a DSAR?

DSARs may be submitted by individuals whose data is processed by entities under the scope of laws like the GDPR and US state privacy laws. Depending on the jurisdiction, DSARs may also be submitted by employees of the covered entity or by agents appointed by the individual and authorized to submit DSARs on the individual’s behalf.

Why are DSARs important?

DSARs allow individuals to determine what information a covered entity holds about them, how it’s being used, and why it is being processed. In short, they empower individuals to understand and exert some control over their personal data. Additionally, DSARs serve as a tool to confirm that covered entities are upholding their promises: by using these requests, individuals can check whether entities are adhering to both privacy laws and customer privacy notices. This allows individuals to better hold entities accountable for lawful data processing.

2.    Build A Response Team

Given the complexity of modern data systems, internal collaboration is essential when handling DSARs. Clear communication helps ensure DSARs are handled effectively—especially for more comprehensive requests, like deleting or accessing an individual’s data. To build your response team, start by identifying key players. Privacy officers can help oversee legal and regulatory compliance, data experts can help retrieve and process data securely, and communication teams can help draft clear responses to requests and questions. While the specific structure of each team will vary based on the covered entity’s size and complexity, every member of the team should understand the DSAR requirements and their specific responsibilities, and get proper training based on their role.

Do: Train Your Team

Training is critical to help every member of the team understand the importance of DSARs and their role in maintaining compliance. This isn’t about knowing the legal jargon—each team member should be able to recognize these requests (even if worded in a vague or informal way) and know how to execute the steps required to meet deadlines. Since each DSAR is unique, teams should also have a clear point of contact for guidance and next steps if there is any confusion.

Don’t: Delay Decisions

Effective responses generally take effective planning. Because of the tight DSAR response deadlines imposed by applicable laws, covered entities should plan for these requests before they arrive. By defining clear rules, covered entities can avoid last-minute confusion and chaos when responding to DSARs.

3.    Prepare A Playbook

The regulatory landscape governing DSARs is far from uniform. Because each law may have its own requirements and response timeline, it is essential to understand jurisdiction-specific obligations. A playbook is a simple way to address these obligations in one place and guide the response team through a step-by-step process. To create a playbook, consider:
  • Legal scope: Identify applicable laws based on where the entity operates and whose personal data they process.
  • Verification requirements: Confirm the verification requirements, if any, under each law to determine what steps are needed to confirm the identity of the individual submitting the DSAR.
  • Data retrieval methods: Determine what tools and workflows are needed to locate and compile data efficiently, and how this information may be transmitted to the individual, if necessary.
  • Template responses: Draft standardized responses for anticipated outcomes, like fulfillment or denial of requests, or requests for additional information.
  • Escalation plans: Provide guidance for handling complex requests.

Playbooks should be regularly reviewed to reflect changes in regulations or operational processes.

Do: Note the Nuances of Each Law

Laws that provide individuals with rights over their personal data commonly include exemptions, such as for data that is covered by other laws. Double-check and note these requirements for each jurisdiction and ensure that the playbook is marked in a way that users can easily understand.

Don’t: Forget to Customize

Using the same strategy for every DSAR risks a misstep in responses. Privacy laws are often unique, and failing to adapt to these nuances can lead to delays, incomplete responses, or even regulatory penalties. By making your playbook specific to both your entity’s needs and the requirements of each jurisdiction, you better prepare your team to handle DSARs.

4.    Respond Effectively

Most data privacy laws require a response within a certain time frame from when the request was received. In other words, once a DSAR is received, a clock usually starts ticking. We suggest the following steps as a starting place for a well-executed response, but your steps should be tailored to the applicable legal requirements:
  1. Acknowledge the Request: Confirm the request and provide a clear timeline for how the request will be handled.
  2. Verify the Identity (as needed): Ensure the individual’s identity is confirmed, if required by the relevant laws.
  3. Locate and Collect Data: Collaborate across departments as needed to gather the relevant information.
  4. Review Data for Exceptions: Identify data that may be exempt from disclosures or require redaction, like data that pertains to another individual.
  5. Respond Clearly: Deliver the response in a clear, accessible format with an explanation of how that response was arrived at.
  6. Record and Learn: Maintain detailed records for accountability and review the process regularly.

Do: Build a Feedback Loop

The best way to learn is by doing. After developing your playbook, perform a trial exercise to ensure your communication is streamlined and a test request is handled as expected. Then, talk to your team to review what went well and what improvements are needed. By viewing this process as iterative, with modifications and refinements made along the way, the DSAR response team can effectively grow and shift with the volume of requests or any regulatory changes.

Don’t: Overlook Redaction and Exemptions

Redaction and exemptions can easily be overlooked, but neglecting these steps can lead to non-compliance, or even a breach. Always double-check any information before it is disclosed and verify that all information is accounted for and handled appropriately.

While typically seen as a compliance obligation, DSARs can also present an opportunity for entities to demonstrate data privacy and transparency. Each DSAR is a chance to refine operations, and with a capable response team and a detailed playbook, entities can approach the process with a better understanding of compliance.

Uber Fined $324 Million for Data Transfer Violations

What Happened?

On Monday, the Dutch Data Protection Authority (DPA) announced that Uber will be fined over $324 million for violating a European Union data privacy law.[1] The Dutch DPA stated that Uber transferred personal data about its drivers to the United States without appropriate safeguards, violating the GDPR.[2] According to the decision, transfer tools to protect this data were not used during the two years that Uber sent personal data from the EU to its US headquarters.[3]

Uber is expected to appeal the ruling, and Michael Valvo, an Uber spokesperson, stated that the “flawed decision and extraordinary fine are completely unjustified.”[4] In 2018, the Dutch DPA fined Uber $1.2 million for failing to report a data breach in a timely manner.[5] Earlier this year, the Dutch DPA fined Uber $11 million for infringement of privacy regulations, also concerning the personal data of drivers working for Uber.[6]


What Can We Learn?

Uber’s fine is among the largest penalties issued under the GDPR, highlighting the strict enforcement and requirements of data protection law within the EU.[7] The chairman of the Dutch DPA, Aleid Wolfsen, stated that “the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care” and that Uber’s violations were “very serious.”[8]

Enacted in 2016, the GDPR sets forth rigorous standards for transferring and managing personal data. Significant financial penalties have been issued to multiple technology companies, including Meta’s $1.3 billion fine in 2023 for similar violations.[9]


The Dutch DPA alleges that Uber failed to implement adequate protections, as it was not part of the Data Privacy Framework.[10] Additionally, the Dutch DPA alleged that in August of 2021, the company stopped its use of Standard Contractual Clauses (SCCs).[11] Either of these mechanisms may have allowed Uber to avoid regulatory scrutiny.

Understanding the Data Privacy Framework

There are specific rules that apply to data transfers from the EU to the US.[12] Some businesses in the US are members of the Data Privacy Framework, a set of agreements about safe personal data transfers to the US.[13] If an organization belongs to the Data Privacy Framework, it is treated as having an equivalent level of data protection to the EU.[14] This means that EU personal data can be transferred to those businesses consistent with EU law and without additional transfer tools.[15] However, if a business is not part of the Data Privacy Framework, it will have to take additional protective steps when transferring data.[16]

Understanding Standard Contractual Clauses

If the US-based business or entity does not participate in the Data Privacy Framework and does not fall within the Article 49 derogations or another exception to the data transfer requirements, then two additional requirements should be met to transfer personal data outside of the EU: 1) a transfer tool must be in place, and 2) additional measures to protect the data must be taken as needed. Article 46 of the GDPR provides a list of transfer tools which provide “appropriate safeguards,” including Standard Contractual Clauses (SCCs).[17]

SCCs are model contracts approved by the European Commission which allow controllers and processors to comply with the requirements of EU data protection law.[18] SCCs contain highly specific data protection safeguards, so when they are used between companies, there is a contractual obligation that personal data will be treated with a high level of protection when transferred outside the EU.[19] Because these contracts are standardized, SCCs are a “ready-made” tool which is relatively easy to implement.[20]

The investigation into Uber arose after the Schrems II ruling, which invalidated the EU-US Privacy Shield due to insufficient data protection standards in the US.[21] Despite this ruling, Uber continued transferring personal data of its drivers from the EU to the US without implementing SCCs or other safeguards, based on the argument that Chapter V of the GDPR, which covers transfers of personal data to other countries, did not apply.[22] Uber stated that its actions were exempted under Article 3(2), which defines the territorial scope of processing activities.[23] While Uber maintains that its data protection policies and processes, found in its privacy notice, are sufficient, this investigation and initial ruling demonstrate the heightened scrutiny that US companies face when operating in the EU.

Update from 9/13/2024

The European Commission has launched public consultation on the new EU SCCs. This consultation is for clauses in specific cases where a data importer is located in a third country but is directly subject to the GDPR. Adoption of these guidelines is expected in Q2 of 2025.


[1] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[2] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[3] https://www.jurist.org/news/2024/08/netherlands-data-protection-authority-fines-uber-e290m-for-violating-eu-data-regulation/

[4] https://www.nytimes.com/2024/08/26/business/uber-netherlands-fine-driver-data.html

[5] https://www.ciodive.com/news/uber-hit-with-12m-in-fines-for-2016-data-breach/543017/

[6] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[7] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[8] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[9] https://www.metaverse.law/2023/05/22/meta-fined-for-data-transfer-violations/

[10] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[11] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[12] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[13] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[14] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[15] https://www.dataprivacyframework.gov/Program-Overview

[16] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[17] https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

[18] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[19] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[20] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[21] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/

[22] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop

[23] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop


Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background: a whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?


EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

Update: On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs.

In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision — giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month-grace period.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post.)

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor-processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.


Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

Image Credit: Capri23auto from Pixabay

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to their operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer-legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.
