Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?
A lot has happened since then. Data protection and privacy is now a rapidly expanding area of law of ever-increasing importance. As we head towards the second anniversary since the GDPR came into force, we review current developments and look ahead at what to expect in 2020.
Our special Data Privacy Day newsletter covers the following topics:
The ePrivacy Regulation is due to replace the current ePrivacy Directive, which is the European law behind the Privacy and Electronic Communications Regulations (PECR). These are the rules which govern the use of cookies and similar tracking technologies, as well as digital marketing. The new Regulation is intended to bring the ePrivacy Directive into alignment with the GDPR and to introduce changes to the rules governing electronic marketing.
Originally intended to coincide with the GDPR, the introduction of the ePrivacy Regulation has been highly contentious and has met with considerable delay. Towards the end of 2019, the latest draft was rejected by the Council of Europe leading to further delays in its adoption.
The ePrivacy Regulation promised a simpler set of rules on cookies. It would remove the need for cookie banners and notices and allow browser settings to provide a way for users to indicate whether they accept or refuse cookies and other identifiers. It would clarify that consent is not needed for non-privacy intrusive cookies that improve internet experience (e.g. remembering shopping cart history) or analytics cookies used by a website to count visitors.
The new rules would also ban cookie walls (where a website requires users to accept cookies as a condition of being able to access the website’s content).
The proposal will also continue the ban on unsolicited electronic communications by emails, SMS and automated calling machines. However, it is not yet known if this will extend to B2B communications, or simply apply to B2C marketing as at present.
The draft Regulation also introduces more stringent penalties for non-compliance, and bring the sanctions regime and remedies available broadly into line with the GDPR.
It is uncertain what the final form of the Regulation will be. However, given the latest delay, Brexit has now intervened and so the Regulation will not be directly applicable in the UK. Despite that, it is likely that the UK will adopt the new rules as and when introduced. While the UK may be able to make its own decision on this following Brexit, if the UK does not implement the new Regulation that may stand in the way of the adequacy decision the UK needs in order to allow the free flow of data to and from the EEA. Also, the proposed extra-territorial scope of the new Regulation (like the GDPR) means that it will remain directly applicable to UK businesses targeting the EEA. Who said that after Brexit the UK will take back control of its laws?!
Meanwhile, the ICO has also published a draft direct marketing code of practice for consultation. The consultation closes on 4 March 2020 and the ICO expects to finalise it in 2020. The ICO plans to produce additional practical tools such as checklists to go alongside the code.
Some key points include:
The two lawful bases most likely to be applicable to direct marketing are consent and legitimate interests. However, where PECR applies and requires consent, then in practice consent should also be your lawful basis under the GDPR.
It is important to keep personal data accurate and up to date. It should not be kept for longer than is necessary. It is harder to rely on consent as a genuine indication of wishes as time passes.
If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence
Profiling and enrichment activities must be done in a way that is fair, lawful and transparent.
If you are using new technologies for marketing and online advertising, it is highly likely that you will be required to conduct a data protection impact assessment (DPIA).
If someone objects you must stop processing for direct marketing purposes. You should add their details to your suppression list so that you can screen any new marketing lists against it.
Once the draft ePrivacy Regulation is finalised and the UK’s position on Brexit is clear, the ICO has indicated that it will update the direct marketing code to take into account of the ePrivacy Regulation.
Cookies have become a hot topic for the ICO, with it receiving many complaints about websites’ (often unlawful) use of cookies. This theme looks set to continue into 2020.
This is particularly the case since a huge number of organisations, including some of the largest businesses in the UK, have still not updated their practices to ensure they comply with the rules. This is despite the fact that the ICO published clear guidance concerning the requirements for the lawful use of cookies in summer 2019.
It is likely that the ICO will start taking enforcement action against organisations which do not follow the rules, and this could lead to fines. As such, businesses which are not yet compliant should take steps to ensure compliance now.
At a high level, the following are the main rules when using cookies on websites:
User consent must be obtained (except in relation to “strictly necessary cookies”)
The ICO confirmed that the standard of consent for using cookies is the same high standard as under the GDPR, even for cookies which do not involve the processing of personal data. This means that implied or inferred consent can no longer be relied on for cookies. For consent, a clear affirmative act is needed; pre-ticked boxes or inactivity does not constitute consent.
Websites which use non-essential cookies without specifically requiring users to consent to these when accessing a site (e.g. by specifying that continued use entails consent) are, therefore, not compliant. This also means that all non-essential cookies should be switched off by default. It also means that such cookies should only be served on the user if and when the user consents.
“Strictly necessary cookies”, which do not require consent, are those which are essential to provide a user with the service they have requested or to comply with applicable law. Analytics cookies and advertising cookies do not fall within this exemption.
Provide clear and transparent information to users concerning the cookies you use
The ICO Guidance emphasises the need to provide users with transparent information about cookies. The information must be in accordance with the higher standards of transparency as required by the GDPR; it must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
In relation to cookies, this means that online retailers need to review and update their cookies policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how the different types of cookies are being used on the website. Failure to provide clear information will breach the transparency requirement, and will also undermine any “consent” if the consent cannot be said to be sufficiently informed.
Highlighting the importance of transparency and consent, in January 2019, the French data protection regulator imposed a fine of €50 million on Google for lack of transparency, inadequate information and lack of valid consent regarding ads personalization on mobile devices. For more information on this, see further https://idatalaw.com/2019/01/25/e50m-fine-for-google-in-france/
International organisations with a UK presence are likely to face further dilemmas in relation to their compliance with the rules concerning international data transfers in 2020, especially now we know that Brexit is set to occur on 31st January.
Whilst the data transfer rules will remain unchanged during the transition period, which runs until 11pm on 31st December 2020, what happens after then is yet to be seen. What we do know is that Britain will become a “third country” for the purposes of EU GDPR from this date. This has the potential to cause a significant amount of disruption.
The most positive outcome would be for the EU Commission to issue an “adequacy” decision before end of the transition period. This would allow data to continue to flow freely between the UK and the European Economic Area (“EEA”). However, reaching an “adequacy” decision is often a lengthy procedure and it is perhaps wishful thinking to believe that the EU Commission will take a short-cut and make such a decision in time.
If an adequacy decision has not been made by the end of the transition period, then organisations in the EEA which are transferring personal data to the UK will need to ensure that they have in place an “appropriate safeguard” for the data. In the majority of cases, the most appropriate lawful mechanism for transfers will be for the parties to enter into the appropriate EU approved “standard contractual clauses” (“SCCs”).
There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:
an EEA controller to a non-EEA controller; and
an EEA controller to a non-EEA processor (“C2P SCCs”) (see more on the validity of these below).
One legal grey area is in relation to transfers from an EEA processor to a UK controller. There are no SCCs which would regulate such transfers and there will often be no other suitable lawful mechanism which could be used for these types of transfer, meaning EEA organisations are likely to be faced with either violating the GDPR or stopping transfers to the UK if such circumstances arise. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.
On a more positive note, it appears the C2P SCCs will survive the legal challenge currently being brought against them in the European Court of Justice (ECJ) in the case of Data Protection Commissioner v. Facebook Ireland Limited (often referred to as “Schrems II”). The Advocate General Henrik Saugmandsgaard Øe issued his opinion in Schrems II at the beginning of December 2019, recommending that the court uphold the validity of the C2P SCCs.
Although this is not binding and the ECJ will have the final say in the matter, the opinion of the Advocate General is followed in around 80% of ECJ cases. It is, therefore, widely expected that the C2P SCCs will remain intact following the court’s judgment. Although imperfect, and in need of updating, the SCC’s will, for many businesses, continue for the time being to be the glue that holds international data transfers together.
The ICO has been investigating the adtech and real time bidding (RTB) industry over the past year. This is a huge industry and, from a compliance viewpoint, it is particularly complex due to the challenges of providing meaningful information and obtaining valid consent from users.
The ICO is concerned that that the creation and sharing of personal data profiles about people, on such a large scale, is disproportionate, intrusive and unfair, particularly when people are often unaware it is happening. The key issues are:
identifying a lawful basis for the processing of personal data in RTB, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient;
the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
in many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.
Industry bodies such as the IAB have been engaged with these issues looking for practicable solutions for some time. As a recent sign of the seriousness this is being taken in some quarters, Google recently proposed changes to its Chrome browser, including phasing out support for third party cookies within the next two years.
However, in a recent blog, the ICO has expressed frustration that many organisations involved in RTB appear to have their heads firmly in the sand.
The ICO has made it clear that those in the adtech chain cannot rely on “legitimate interests” as the lawful basis for the processing of personal data in RTB. Furthermore, they have said that the Data Protection Impact Assessments they have seen have been “generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual”. The ICO has indicated that they anticipate it may be necessary to take formal regulatory action in such cases. We could, therefore, see such actions in 2020.
The most effective way for organisations to avoid the need for regulatory action is to engage with the process for industry reform, and to encourage their supply chain to do the same. The ICO warns that those who have ignored the window of opportunity to engage and transform must prepare for the ICO to utilise its wider powers.
Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?