New Code of Practice on Privacy Policies

Sian Barr
Sian Barr

The ICO’s new Code of Practice on Communicating Privacy Information to Individuals goes beyond the form of privacy notice that we are accustomed to seeing when we hand over our personal information. It advocates a blended approach of selecting a number of different techniques to communicate privacy details to individuals when they hand over their personal data.

According to the ICO, the benefits of the blended approach include:

  • greater control for individuals over how their personal data is used;
  • greater choice for individuals over how their personal data is used;
  • can be used to demonstrate that personal data is being used fairly and transparently;
  • preference management tools will mean that you are more likely to get better and more specific information from individuals; and
  • more likely to demonstrate that informed consent has been provided.

Drafting privacy notices in accordance with the Code

The Code is full of detailed and helpful guidance on preparing privacy notices, including the following:

Have a plan – consider whether your intended uses of the information would be reasonably expected by the individual?  If not, your privacy notice should explain the uses in greater detail. Make predictions of likely future uses, especially as part of big data, and include this information in the notice.  Put yourself in the shoes of the individual: carry out a privacy impact assessment.

Blended approach – make use of the privacy-enhancing technologies available such as just-in-time solutions, voice or video, privacy dashboards, icons and symbols.

Avoid catch-all privacy notices – instead, have separate notices tailored to groups.

Control – it is good practice to link the notice to a preference management tool such as a privacy dashboard; be clear about the information that is required and that which is optional

Adapt to your business model – the privacy notice should cover all platforms through which the individual can access your services.

Consent – consider whether the individual needs to consent to the processing described in the privacy notice and, if so, include a mechanism for giving and obtaining consent at the appropriate time.

Active communication – when appropriate privacy information should be actively communicated to individuals (as opposed to the individual having to seek it out through, e.g., a web link), for example if the uses are likely to be unexpected, or if information could be shared with other sources to build a more detailed picture about an individual.

Collaborative resource – where several data controllers are involved, the ICO suggests that in addition to individual privacy notices, a collaborative resource which brings together all privacy information could be the way forward.  Such a resource could allow the individual to make and apply privacy preferences across all data controllers.

Encourage individuals to take notice – word privacy notices in an engaging way and embed them into the user journey.


When dealing with complex transactions or platforms which involve personal data collection, compliance with the principles may require a range of privacy communication techniques to be used.  The key is to employ these techniques with a focus on how they can enhance the user experience, rather than over-complicate it.

What do you think about the proposed new Code? The Code is open for consultation until 24 March 2016.

EU and US agree in principle on Safe Harbor 2.0: “EU-US Privacy Shield”

Nigel Miller
Nigel Miller

A couple of days after expiry of the 31 January deadline, political agreement has been reached for a new arrangement for data transfers from the EU to the US, to be known as the “EU-US Privacy Shield” (aka Safe Harbor 2.0).

This follows the European Court of Justice decision in October 2015 in the Schrems case that the (old) Safe Harbour arrangement was invalid.

The new arrangement will provide stronger obligations on US companies to protect the personal data of Europeans and stronger monitoring and enforcement by the US FTC.

To facilitate the data flows, the US has been forced for the first time to give a commitment that access by US public authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight.  The US has also given an assurance that it will not conduct mass or indiscriminate surveillance of Europeans.

US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the FTC.

It is very common for EU based subsidiaries of US groups to transfer HR data to the US parent.  Under the EU-US Privacy Shield any US company handling HR data from Europe will have to commit to comply with decisions by European DPAs.

In addition, Europeans who consider that their data has been misused will be able to raise any enquiry or complaint with a dedicated new Ombudsperson.


While it is remarkable to reach agreement on such matters within such a short space of time, underlining the political urgency, it’s not all done yet. The EU have to prepare a draft “adequacy decision” in the coming weeks. And the US have to put in place the new monitoring mechanisms and new Ombudsman. We continue to watch the space!

Meanwhile, bear in mind that Safe Harbor / the EU-US Privacy Shield is not the only solution to data transfers from the EU to the US and we continue to work with many companies to put in place other solutions, such as contracts based on model clauses or binding corporate rules.


A New European Cyber Security Strategy – Part II

Madeleine Croydon
Madeleine Croydon

Last week we introduced the new European Cyber-security strategy and the impetus behind the changes. In 2013 the European Commission announced it had proposed a new directive aiming at ensuring a high common level of network and information security across the EU. The directive aims to do so by improving the security of the internet and the private networks and information systems underpinning the functioning of our societies and economies.

On 7 December 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers announced that they had agreed the text of the directive. Although the text has not yet been published, the draft proposals provide us with a good idea as to the aims and function of the directive.

The Proposed Directive

One of the key provisions of the draft directive is a requirement for member states to adopt a national Network and Information System (“NIS”) strategy defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security. Additionally, each member state will designate a national competent authority on the security of network and information systems, to prevent, handle and respond to any network information security risks and incidents. A computer emergency response team should be established under the national competent authority’s supervision. The competent authorities will also monitor the application of the directive at national level and contribute to its consistent application throughout the European Union.

Each national competent authority and the European Commission are to form a co-operation network, to cooperate against risks and incidents affecting network and information systems. This will operate an early warning system for certain incidents, including those that could grow rapidly in scale, exceed national response capacity or affect more than one member state. The national competent authorities should also publish on a website information about early warning on incidents and co-ordinated responses.

Each member state will also ensure public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. A market operator is defined as:

(a) provider of information society services which enable the provision of other information society services, (a non-exhaustive list of is set out in Annex II of the directive);

(b) operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health, (a non-exhaustive list of is set out in Annex II of the directive).

The measures should guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems. Public administrations and market operators will be required to notify to the competent authority incidents having a significant impact on the security of the core services they provide. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest.

The competent authorities should report any incidents of a suspected serious criminal nature to law enforcement authorities. They will also work with personal data protection authorities when addressing incidents that have resulted in personal data breaches.

Whilst the proposed text does not set out any specified technical standards, member states are encouraged to use standards and specifications relevant to networks and information security.

Finally, member states must adopt rules on sanctions applicable to infringements of the national provisions adopted pursuant to the directive and must take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.