Changing uses of personal data in global real estate businesses

Real estate has always had to handle personal data, and like other businesses, has had to grapple with more stringent data protection rules since the introduction of the General Data Protection Regulation (GDPR) in 2018. Traditionally, though, personal data has been more incidental to than a driver of core function real estate business, used for employee administration, managing residential tenancies, and running CCTV and security systems around estates.

However, with the sector constantly looking for new solutions to develop and drive forward business through challenging times, there has been a rise in the use of data-rich technologies and increased innovation around use of personal data.    

New uses of personal data in real estate

From COVID-19-related administrative scenarios, such as shared access to commercial property, COVID-19 testing in 'gradual return to work' programmes, and the introduction of health (special category) data in lifestyle living settings (rather than just in rent administration scenarios), through to innovative marketplace solutions like over 55s lifestyle property, and office space as a service, the real estate sector has seen the range of purposes for processing personal data widen.

Improving tenant services can also involve use of personal data in a way unexpected or intrusive to data subjects (for example through add-on services such as WiFi in student accommodation and retail shopping centres). Use of residential tenant records to create analytics for more targeted tenant market profiles sees the real estate sector becoming increasingly fluent in leveraging the commercial value of its customer data and using it as a key strategic driver for the business.  

Monitoring tenants for ESG initiatives, use of ANPR to administer commercial and retail parking spaces, use of location based services for delivery of advertising messages to retail shoppers, data sharing initiatives between shopping centre retail tenants and the police, and use of facial recognition technologies on retail estate to drive advertising campaigns, are all sensitive contexts that need to be trodden carefully in terms of GDPR compliance and accountability, particularly if the data ultimately ends up in the US or other restricted countries.  

Minimising risk

Companies are taking huge steps forward in 'privacy by design' building ground-breaking information platforms to facilitate speedy and operationally efficient minimised personal data sharing, both domestically and internationally across estates and property portfolios.

The use of this technique and engaging minimised and 'pseudonymised' rather than raw personal data, attracts certain compliance concessions, and reduces risk of non-compliance and potential harm or damage to data subjects, particularly in the event of data security breaches.

General considerations

With more sophisticated and widespread use of personal data comes getting to grips with the full complexities of the GDPR regime. For some areas of real estate, this is a more recent challenge, requiring significant investment to evolve their data protection compliance frameworks to accommodate these more sophisticated personal data uses and there is an added complexity where the data is transferred to 'third countries' outside the GDPR/UK GDPR regime.

Aside from the international aspect, which is considered below, data sharing chains should be subjected to detailed privacy assessments to establish the GDPR status of parties involved in the chain - whether they are controller to processor is important in ensuring appropriate contractual provision to cater for specific compliance operations for the benefit of the chain.

Often the chain involves parties wanting to receive personal data of individuals they don't have operational proximity to or direct contractual relationships with. This can make complying with certain obligations such as delivering privacy notices, and responding to data subject rights requests, more challenging, so provision of specific operational obligations along the chain can help facilitate compliance. Collaboration and consultation provisions are also important in mitigating risk in the unfortunate event of a data security breach along the property management chain.    

A global reach

The global reach of real estate portfolios, their supporting business and supply infrastructure, and the number of business partners and stakeholders in the chain of development and property portfolio management, can raise specific compliance considerations including around international data transfers.

Exporting personal data has become a more sensitive issue in recent times – in particular, because of the potential to expose users' internet activities to wholesale scrutiny by law enforcement agencies for anti-terrorism purposes. Data could, for example, be stored on provider platforms in the US. Exposure to access by US surveillance agencies of UK/EU personal data both in transit to and at rest in the US, has been the subject of much data protection concern by the EU and UK data protection authorities.

Starting with the good news, the uncertainty that was hanging over the UK regarding post-Brexit personal data transfers to the EU, has, at least for the time being, been lifted. In June 2021, the European Commission issued its eagerly awaited decision that the Data Protection Act 2018 and the UK GDPR provide an adequate level of protection for the rights and freedoms of EU data subjects regarding the processing of their personal data in the UK.

This is not, however, a 'be-all and end-all' compliance solution – businesses must continue to comply with their wider GDPR obligations regarding this data, not just the international transfer element. The European Commission has emphasised that its adequacy decision for the UK was enabled by alignment of current UK data protection laws to those of the EU. The UK government's recent announcement that it would look to adjust UK data protection laws to align to its post-Brexit vision, and the road the UK takes regarding surveillance powers, although not immediate threats to the UK 'adequacy' decision, will undoubtedly be kept under close scrutiny by the European Commission.

Of course, real estate business is rarely confined to a UK/EU bubble, so the challenge of compliance regarding transferring personal data outside the UK/EU remains. UK/EU affiliates of US companies regularly transfer personal data to the US parent or US affiliates for corporate and business support functions such as human resources and information platforms, and provision of IT support. UK real estate business often share data with parties in the property development and management chain via industry specialist third party platforms. Businesses therefore need to consider whether this will involve personal data being stored or accessed outside the UK/EU.

Despite the availability of the much used personal data transfer solution of European Commission Standard Contractual Clauses (SCCs), for data transfers to the US and other 'third countries' (ie those not subject to a European Commission adequacy decision), SCCs are now far from the 'ready-made' solution they were previously considered to be.

The European Court of Justice decision in the Schrems II case struck down the EU-US Privacy Shield solution for EU to US personal data transfers, on the grounds that US surveillance laws did not fully meet certain essential guaranteed rights and freedoms for individuals under EU law.

The CJEU also made it clear that SCCs are not necessarily a complete compliance solution to transferring personal data to third countries. Use of the SCCs must be accompanied by an assessment of the compatibility of the importing country's surveillance laws with the essential guaranteed rights and freedoms of individuals provided by EU law (the European Essential Guarantees). Where this assessment concludes that the European Essential Guarantees are not met, the SCCs must be supported by supplementary measures to protect the personal data in the restricted country.

June 2021 also saw the introduction of the European Commission's long-awaited new version of the SCCs. These are designed to incorporate a 'double-step' improvement – to align obligations to GDPR requirements (as the previous model pre-dated GDPR), and to address some of the issues arising from the Schrems II case. This includes improved obligations around transparency and accountability for requests by surveillance agencies to access personal data in third countries.

Despite these improvements, the new SCCs still do not necessarily provide a complete data transfer mechanism but are rather part of a wider compliance roadmap for personal data transfers outside the EU/UK. This roadmap, known as the Six Step Plan, is summarised as follows:

• Step 1: Know your transfers – what personal data do you transfer, to whom, and why? (Maintaining the organisation's mandatory GDPR Records of Processing is key to this).
• Step 2: Identify the data transfer basis you are relying on – adequacy decision, SCCs, ad hoc contract clauses, Binding Corporate Rules, data transfer exceptions, and looking ahead, certified schemes and codes of conduct.
• Step 3: Assess whether in the circumstances of the transfer, the tool you are relying on is effective – whether the country's surveillance laws meet the European Essential Guarantees, although an assessment of the likelihood of accessing the particular data is also relevant.
• Step 4: Adopt any supplementary measures identified from this assessment – technical and organisational measures such as pseudonymisation, encryption, and split processing, contractual obligations for tailored safeguards such as transparency and accountability around surveillance agency requests to access the data, and effective policies for maintaining these supplementary measures.
• Step 5: Procedure for adopting identified supplementary measures – documentation and awareness training.
• Step 6: Periodic evaluation of these tools and measures – audit and tracking against emerging regulatory guidance and developments.

What does this mean for real estate businesses?

Only time, practical experience and emerging regulatory guidance will provide clear insight into how the Six Step Plan translates operationally to real estate business practices. Certainly the type of general compliance issues in real estate such as data minimisation and pseudonymisation, use of special category personal data, transparency, and appropriate contractual provision, will all play an important role in the Six Step Plan for ensuring compliance for international data transfers as well as general GDPR compliance.

A robust governance framework, policies and procedures, and awareness training programmes for those involved in handling personal data, and those making key decisions around business strategy involving personal data, are key to a successful GDPR regime. However, just as important to a company's GDPR regime is a clearly defined commercial strategy and vision of what personal data is involved or is to be leveraged to generate business value.

Creating such a strategy is an important business opportunity. It helps businesses avoid compliance for compliance sake, so that the data protection compliance framework is used to drive and facilitate business strategy rather than dictate it, as many in the real state sector are discovering.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.