The Advocate General of the European Court of Justice (“ECJ”) has recommended that the court uphold the validity of the controller-to-processor Standard Contractual Clauses in the case of Data Protection Commissioner v. Facebook Ireland Limited (commonly referred to as Schrems II).
Background and facts
The case concerns the Austrian privacy activist, Max Schrems, and the transfer of his personal data by Facebook from Ireland to the US. In an earlier decision involving Schrems and Facebook, the ECJ invalidated the EU-US “Safe Harbor” transfer mechanism (which then led to the EU-US “Privacy Shield” framework being implemented as a replacement for the Safe Harbor scheme).
At a very high level, Schrems’ complaint in the present case is that Facebook should not be allowed to rely upon the Standard Contractual Clauses to transfer his personal data to the US since these do not adequately protect his personal data once transferred due to the wide-reaching surveillance powers provided to US governmental organisations.
Although the case relates specifically to transfers by Facebook to the US, one potential outcome of the case was that the Standard Contractual Clauses would be invalidated. This would have broad implications for a large number of businesses which currently rely upon Standard Contractual Clauses as a convenient mechanism to transfer personal data outside of the European Economic Area.
Advocate General’s Opinion
Given the opinion of the Advocate General, which is not binding on the ECJ but which is followed in around 80% of cases, it seems unlikely that such an outcome will materialise.
The key points to note from the Advocate General’s opinion are as follows:
The decision of the ECJ should not result in the Standard Contractual Clauses being invalidated. These are designed to provide protection to the transferred data through contractual means, irrespective of the law in the country of the data importer.
It is for the controller (the data exporter) to assess on a case-by-case basis whether the Standard Contractual Clauses can be or are being implemented properly in practice (including by reference to the law of the country of the importing party). If not, the transfers must be prohibited or suspended by the controller.
Where it appears that the Standard Contractual Clauses are not being complied with, supervisory authorities (such as (in the UK) the ICO) are required to take measures to remedy this, for example, by ordering suspension of the transfer.
The ECJ should not rule on the validity of the EU-US Privacy Shield framework as part of its decision (although the Advocate General does discuss this at length in his opinion and casts doubt on its validity as a transfer mechanism).
It is to be expected that the EU Commission will issue updated controller-to-processor Standard Contractual Clauses in the not-too-distant future. The general consensus is that they are outdated and in need of a refresh to reflect the requirements of the GDPR.
The Advocate General’s opinion will come as welcome news to the numerous businesses which currently rely upon Standard Contractual Clauses. The opinion does highlight, however, that businesses should in practice be reviewing compliance with such clauses and not simply treating the implementation of the contracts as a tick-box exercise.
The above is of course subject to change based on the final decision of the ECJ in this case (expected early 2020). We will be keeping our eyes on this and will update you once we are in a position to do so.
Ben Nolan is a Solicitor Admitted in Scotland, in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org
Whereas some impacts of a no deal Brexit have been well documented in the press, such as the potential shortage of medical supplies, issues around data protection have received less attention. Notwithstanding this, the consequences of a no deal Brexit could impose significant regulatory hurdles for many UK businesses and it would be advisable for businesses to prepare accordingly prior to Brexit taking place.
In this article, we discuss the data protection challenges posed by a no deal Brexit and detail some of the solutions which businesses should consider implementing in order to overcome these challenges.
Following a no deal Brexit, UK laws concerning data protection, including the Data Protection Act 2018, would continue to apply and the GDPR would become incorporated into UK law – this is referred to as the UK GDPR. As such, UK organisations will essentially be required to comply with the same obligations which they should have been adhering to since the introduction of the GDPR in May 2018.
One of the key causes for concern in the event of a no deal Brexit is the impact this will have on data transfers between the UK and the European Economic Area (“EEA”). As things currently stand, data can be transferred freely between organisations in the UK and those elsewhere in the EEA. However, in the event of a no deal Brexit, such transfers would become subject to restrictions, at least insofar as these relate to transfers from the EEA to the UK.
In respect of data transfers from the UK to the EEA, the British government has said that these will not be restricted, meaning that no additional steps would need be taken to continue to transfer data from the UK to other entities in the EEA.
In terms of transfers of data from the EEA to the UK, the rules as to data transfers as set out in the GDPR would apply following a no deal Brexit. Once Britain leaves the EU, it will technically become a third country for the purposes of the GDPR and therefore organisations based in the EEA which are seeking to transfer data to entities in the UK would need to have in place a lawful mechanism for doing so.
The most seamless way to transfer to a recipient in a third country under the GDPR is where an “adequacy decision” has been made by the EU Commission in respect of that country. Where this is the case, personal data can be transferred freely to such countries without relying upon other legal mechanisms. It had been hoped by the UK government that an adequacy decision in relation to the UK would be in place immediately following Brexit. However, the EU Commission has insisted that it will not start the (often lengthy) adequacy decision process in respect of the UK until such time as it has formally left the EU.
The effect of this is that transfers from the EEA to the UK will need to be based on other lawful mechanisms set out in the GDPR from the date a no deal Brexit takes place. In the vast majority of cases, the most appropriate lawful mechanism for such transfers will be for the parties to enter into EU approved “standard contractual clauses” (“SCCs”). There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:
an EEA controller to a non-EEA controller; and
an EEA controller to a non-EEA processor.
One legal grey area that has emerged is in relation to transfers from an EEA processor to a UK controller following a no deal Brexit. There are no SCCs which would regulate such transfers and often there will be no other suitable lawful mechanism for these types of transfer. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.
An alternative to SCCs which group companies with a UK presence may consider is to implement Binding Corporate Rules (BCRs). However, BCRs are subject to approval from the relevant supervisory authority and it will, therefore, prove time consuming to put such documentation in place.
Finally, UK organisations which currently rely on the EU-US Privacy Shield to transfer personal data to organisations in the US should be aware that this will no longer serve as a valid transfer mechanism in the event of a no deal Brexit unless the recipient US organisation has updated its public commitment to comply with the Privacy Shield to include the UK.
Notwithstanding the fact that the UK will have left the EU, many UK organisations will continue to be caught by the EU GDPR due to the extra-territorial scope of the GDPR. Where this is the case, organisations will have to consider whether or not they are required to appoint an EU representative pursuant to Article 27 of the GDPR.
On the flipside, the UK government has indicated that a similar requirement will apply to non-UK entities which are bound to comply with the UK’s data protection regime following Brexit, meaning many EU organisations carrying out activities in the UK could be caught.
In addition to the above, UK organisations which have any branches or establishments in the EU or are otherwise caught by the extra-territorial provisions of the GDPR and will be carrying out cross-border processing in the EEA following Brexit may be required to update their lead supervisory authority following Brexit.
Updates to documentation
At present, many organisations have drafted their GDPR compliance documentation from the perspective of the UK being a member the EU. Businesses should review their GDPR compliance documentation to ensure that these references are updated accordingly. In particular, it would be prudent to review:
Privacy notices – to ensure that the position in respect of international transfers is correctly stated; and
Contracts with third parties – to ascertain whether these contain any restrictions on transfers outside the EEA.
As can be seen from the above, the implications of the UK leaving the EU without a deal will have serious data protection consequences not only for UK organisations, but also for EU organisations which transfer or process personal data to or in the UK. Businesses should be aware of the additional compliance steps which they may need to overcome following the UK’s exit from the EU without a deal and begin preparations for this as soon as possible.
Please contact us if you need any assistance preparing for Brexit.
Ben Nolan is a Solicitor, Admitted in Scotland in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at email@example.com
While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on their website with a ‘Report your cookie concerns‘ tool.
The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.
Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.
While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies PECR also covers this.
you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
the user has given consent.
The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.
Clear and comprehensive information
The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. This requires that information be “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.
Similarly, to be valid, consent must now be in accordance with the higher standard required by the GDPR. This requires that consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.
In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.
“Strictly necessary” exemption
The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.
To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.
PECR and the GDPR
The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.
To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.
PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.
The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.
Third party cookies
Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.
Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where they do not have any direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation into its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.
The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.
A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.
Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.
Proposed ePrivacy Regulation and Brexit
The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.
So, what needs to be done now?
Following the new ICO guidance, you should now do the following:
Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
Review your consent mechanisms:
the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider implications for the user experience across different platforms to make sure that consent requests are not be unnecessarily disruptive.
You must ensure that (non-essential) cookies are not actually set until the user has given their consent.
Please contact us for assistance with your cookie review.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at firstname.lastname@example.org
The ICO announced yesterday its intention to fine BA £183 million.
This will be the first fine imposed by the ICO since the GDPR came into force – it relates to a cyber security incident during 2018 which led to the names, addresses and payment card details of approximately 500,000 BA passengers being compromised. The ICO says that BA had failed to put in place appropriate measures to keep the personal data secure.
This is not a fine as yet. Before a fine is imposed, the ICO issues a notice of intent to fine a particular amount (in this case, £183m). BA now has the opportunity to make final representations in the hope of getting the amount reduced before it is imposed.
Laura Monro is a senior associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at email@example.com
We’re now one year on from the introduction of the General Data Protection Regulation (“GDPR”) and one of the consequences for our clients has been a significant rise in the number of data subject access requests (“DSARs”) made by employees. By making a DSAR, current and former employees can obtain all their “personal data” held by their employer. As personal data is information that relates to an identifiable individual, employers hold significant amounts of personal data about their staff.
DSARs are notoriously time-consuming to manage and, under the GDPR, the time period employers have to respond has been reduced to one month from the longer period of 40 days that applied under the old regime.
Given the increase in number of requests and the shorter period for a response we set out below 10 top tips to help employers if and when they receive a request:
1. Create a protocol so that your business can respond within one month
In today’s electronic world, employees generate significant amounts of material which is likely to contain their personal data and which will need to be collated, reviewed and processed before your business can respond to a DSAR. Doing all of this within the short deadline of one month can be difficult, so having an agreed protocol in place which outlines the steps you will take to respond to a DSAR can help save precious time. A protocol should include an allocation of responsibilities and the steps which must be taken to comply with a request.
Although it is possible in exceptional circumstances to notify the employee, within a month of receiving the DSAR, that you require three months to reply, the circumstances when an extension of time may be justified are rare. The exceptional circumstances apply to complex requests or to repeated requests from the same employee. However, these circumstances will apply rarely. Remember that your employee can challenge your decision to extend time to the ICO (Information Commissioner’s Office).
2. Train your staff
Your staff need to understand the importance of dealing promptly with DSARs. This will include who within your business should be notified once a DSAR is received and, if they are responsible for responding to the request, how it should be managed. Crucially relevant staff need to be trained on these points
3. Try to narrow the scope of the request
Often employees will be interested in very specific material when they submit a DSAR. For example, if they are participating in a grievance or disciplinary process or have recently had their employment terminated, there are likely to be particular documents they want to read. The scope of the request may be clear from the initial request. However, if it isn’t clear consider having a conversation with the person making the request about what they want and whether the request can be narrowed. Doing so should help to ensure you can respond within 30 days and only give the employee the personal data they really want. Of course this isn’t always possible.
4. Consider using a bespoke platform to manage the DSAR
It can be helpful to use bespoke electronic platforms to manage DSARs as these will often have specific functionality to assist with running searches, identifying relevant documents and carrying out redaction. This can be very useful particularly for larger DSARs, which can otherwise be very difficult to manage on an employer’s normal IT platform. Employers should discuss this with their IT provider and make sure that their systems are fit for purpose.
5. Use appropriate search terms and do a sample review before undertaking a full review
Once you know what you are looking for, consider using search terms to generate an initial set of results. This might be the employee’s name (or variations on it) plus key words and date ranges which are likely to generate personal data, taking account of the scope of the request. Once you have created an initial set of results, carry out a sample review to make sure that the results are largely relevant. Depending on the search that you’ve carried out, you might have generated a lot of false positives which could be removed by a further refinement to your search terms before you conduct a full review.
6 .Carry out a full review to ensure that the results contain personal data
Just because an individual’s name is mentioned in a document doesn’t necessarily mean that the document contains personal data. Make sure that you understand the test for personal data and apply it to your search results appropriately. Remember, personal data is information which relates to an identifiable individual.
7. Use the exemptions
When analysing the personal data, review the documents for those that are exempt from disclosure. You may need to take advice on this but the exemptions include references given or received, management forecasting or planning, information about negotiating intentions – perhaps in relation to a settlement agreement, third party information or information that may be subject to legal professional privilege.
8. Allow enough time for redaction
Once you have produced an initial set of results containing the employee’s personal data, you will need to review the material to see if anything needs to be redacted. In particular, you should ensure that any privileged material or personal data of other individuals is redacted before the response is sent to the employee.
9. Allow enough time to send the response
Depending on how the DSAR was submitted and the size of the response, you may need to provide a hard copy and/or electronic response. If you’re going to provide an electronic response, consider whether you will share the response on an electronic platform (and, if so, which one will you use) or whether you will email the response (in which case, ensure you have the right email address and that the attachments are small enough to be sent through any relevant firewalls).
10. Create an audit trail
If an employee is dissatisfied with the response they receive to a DSAR they may complain about it to the Information Commissioner or a court or tribunal. If they do so, it will be important that you can demonstrate the steps you took to respond to the DSAR so as to minimise the risk of sanctions being applied.
How we can help
We regularly advise our clients on how to respond to DSARs and often work through these steps with them. If you’d like more information about the services we provide or if you have any questions arising out of this article, please contact us.
Helen Farr is a partner, and Daisy Jones is a senior associate, in our HR law team.