Happy Data Privacy Day! And what’s coming up in 2020?

Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?

A lot has happened since then. Data protection and privacy is now a rapidly expanding area of law of ever-increasing importance. As we head towards the second anniversary since the GDPR came into force, we review current developments and look ahead at what to expect in 2020.

Our special Data Privacy Day newsletter covers the following topics:

Accountability – sounds good, but what does it actually mean?
International transfers and Brexit
What’s cooking with cookies?
Whatever happened to the ePrivacy Regulation?
The growing culture of Data Subject Access Requests (DSARs)
Adtech – under regulator scrutiny
Artificial Intelligence (“AI”) and data protection
Data security – what’s appropriate?
Fines – more to come …
Class action compensation claims

Meanwhile, please make a diary note of our annual Data Protection Update seminar, which will be held on 14 May 2020.

Please do contact us if you have any questions or if our data protection team can assist you in any way.


International transfers and Brexit

International organisations with a UK presence are likely to face further dilemmas in relation to their compliance with the rules concerning international data transfers in 2020, especially now we know that Brexit is set to occur on 31st January.

Whilst the data transfer rules will remain unchanged during the transition period, which runs until 11pm on 31st December 2020, what happens after then is yet to be seen. What we do know is that Britain will become a “third country” for the purposes of EU GDPR from this date. This has the potential to cause a significant amount of disruption.

The most positive outcome would be for the EU Commission to issue an “adequacy” decision before end of the transition period. This would allow data to continue to flow freely between the UK and the European Economic Area (“EEA”). However, reaching an “adequacy” decision is often a lengthy procedure and it is perhaps wishful thinking to believe that the EU Commission will take a short-cut and make such a decision in time.

If an adequacy decision has not been made by the end of the transition period, then organisations in the EEA which are transferring personal data to the UK will need to ensure that they have in place an “appropriate safeguard” for the data. In the majority of cases, the most appropriate lawful mechanism for transfers will be for the parties to enter into the appropriate EU approved “standard contractual clauses” (“SCCs”).

There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:

  1. an EEA controller to a non-EEA controller; and
  2. an EEA controller to a non-EEA processor (“C2P SCCs”) (see more on the validity of these below).

One legal grey area is in relation to transfers from an EEA processor to a UK controller. There are no SCCs which would regulate such transfers and there will often be no other suitable lawful mechanism which could be used for these types of transfer, meaning EEA organisations are likely to be faced with either violating the GDPR or stopping transfers to the UK if such circumstances arise. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.

On a more positive note, it appears the C2P SCCs will survive the legal challenge currently being brought against them in the European Court of Justice (ECJ) in the case of Data Protection Commissioner v. Facebook Ireland Limited (often referred to as “Schrems II”). The Advocate General Henrik Saugmandsgaard Øe issued his opinion in Schrems II at the beginning of December 2019, recommending that the court uphold the validity of the C2P SCCs.

Although this is not binding and the ECJ will have the final say in the matter, the opinion of the Advocate General is followed in around 80% of ECJ cases. It is, therefore, widely expected that the C2P SCCs will remain intact following the court’s judgment. Although imperfect, and in need of updating, the SCCs will, for many businesses, continue for the time being to be the glue that holds international data transfers together.


Standard Contractual Clauses survive (for now) – Advocate General issues opinion in Schrems II

Ben Nolan

The Advocate General of the European Court of Justice (“ECJ”) has recommended that the court uphold the validity of the controller-to-processor Standard Contractual Clauses in the case of Data Protection Commissioner v. Facebook Ireland Limited (commonly referred to as Schrems II).

Background and facts

The case concerns the Austrian privacy activist, Max Schrems, and the transfer of his personal data by Facebook from Ireland to the US. In an earlier decision involving Schrems and Facebook, the ECJ invalidated the EU-US “Safe Harbor” transfer mechanism (which then led to the EU-US “Privacy Shield” framework being implemented as a replacement for the Safe Harbor scheme).

At a very high level, Schrems’ complaint in the present case is that Facebook should not be allowed to rely upon the Standard Contractual Clauses to transfer his personal data to the US since these do not adequately protect his personal data once transferred due to the wide-reaching surveillance powers provided to US governmental organisations.

Although the case relates specifically to transfers by Facebook to the US, one potential outcome of the case was that the Standard Contractual Clauses would be invalidated. This would have broad implications for a large number of businesses which currently rely upon Standard Contractual Clauses as a convenient mechanism to transfer personal data outside of the European Economic Area.

Advocate General’s Opinion

Given the opinion of the Advocate General, which is not binding on the ECJ but which is followed in around 80% of cases, it seems unlikely that such an outcome will materialise.

The key points to note from the Advocate General’s opinion are as follows:

  • The decision of the ECJ should not result in the Standard Contractual Clauses being invalidated. These are designed to provide protection to the transferred data through contractual means, irrespective of the law in the country of the data importer.
  • It is for the controller (the data exporter) to assess on a case-by-case basis whether the Standard Contractual Clauses can be or are being implemented properly in practice (including by reference to the law of the country of the importing party). If not, the transfers must be prohibited or suspended by the controller.
  • Where it appears that the Standard Contractual Clauses are not being complied with, supervisory authorities (such as (in the UK) the ICO) are required to take measures to remedy this, for example, by ordering suspension of the transfer.
  • The ECJ should not rule on the validity of the EU-US Privacy Shield framework as part of its decision (although the Advocate General does discuss this at length in his opinion and casts doubt on its validity as a transfer mechanism).

Other points

It is to be expected that the EU Commission will issue updated controller-to-processor Standard Contractual Clauses in the not-too-distant future. The general consensus is that they are outdated and in need of a refresh to reflect the requirements of the GDPR.

Conclusion

The Advocate General’s opinion will come as welcome news to the numerous businesses which currently rely upon Standard Contractual Clauses. The opinion does highlight, however, that businesses should in practice be reviewing compliance with such clauses and not simply treating the implementation of the contracts as a tick-box exercise.

The above is of course subject to change based on the final decision of the ECJ in this case (expected early 2020). We will be keeping our eyes on this and will update you once we are in a position to do so.


Ben Nolan is a Solicitor Admitted in Scotland, in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at bnolan@foxwilliams.com

Implications of a No Deal Brexit on Data Protection

Whereas some impacts of a no deal Brexit have been well documented in the press, such as the potential shortage of medical supplies, issues around data protection have received less attention. Notwithstanding this, the consequences of a no deal Brexit could impose significant regulatory hurdles for many UK businesses and it would be advisable for businesses to prepare accordingly prior to Brexit taking place.

In this article, we discuss the data protection challenges posed by a no deal Brexit and detail some of the solutions which businesses should consider implementing in order to overcome these challenges.

Legal Framework

Following a no deal Brexit, UK laws concerning data protection, including the Data Protection Act 2018, would continue to apply and the GDPR would become incorporated into UK law – this is referred to as the UK GDPR. As such, UK organisations will essentially be required to comply with the same obligations which they should have been adhering to since the introduction of the GDPR in May 2018.

Transfers

One of the key causes for concern in the event of a no deal Brexit is the impact this will have on data transfers between the UK and the European Economic Area (“EEA”). As things currently stand, data can be transferred freely between organisations in the UK and those elsewhere in the EEA. However, in the event of a no deal Brexit, such transfers would become subject to restrictions, at least insofar as these relate to transfers from the EEA to the UK.

In respect of data transfers from the UK to the EEA, the British government has said that these will not be restricted, meaning that no additional steps would need to be taken to continue to transfer data from the UK to other entities in the EEA.

In terms of transfers of data from the EEA to the UK, the rules as to data transfers as set out in the GDPR would apply following a no deal Brexit. Once Britain leaves the EU, it will technically become a third country for the purposes of the GDPR and therefore organisations based in the EEA which are seeking to transfer data to entities in the UK would need to have in place a lawful mechanism for doing so.

The most seamless way to transfer to a recipient in a third country under the GDPR is where an “adequacy decision” has been made by the EU Commission in respect of that country. Where this is the case, personal data can be transferred freely to such countries without relying upon other legal mechanisms. It had been hoped by the UK government that an adequacy decision in relation to the UK would be in place immediately following Brexit. However, the EU Commission has insisted that it will not start the (often lengthy) adequacy decision process in respect of the UK until such time as it has formally left the EU.

The effect of this is that transfers from the EEA to the UK will need to be based on other lawful mechanisms set out in the GDPR from the date a no deal Brexit takes place. In the vast majority of cases, the most appropriate lawful mechanism for such transfers will be for the parties to enter into EU approved “standard contractual clauses” (“SCCs”). There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:

  1. an EEA controller to a non-EEA controller; and
  2. an EEA controller to a non-EEA processor.

One legal grey area that has emerged is in relation to transfers from an EEA processor to a UK controller following a no deal Brexit. There are no SCCs which would regulate such transfers and often there will be no other suitable lawful mechanism for these types of transfer. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.

An alternative to SCCs which group companies with a UK presence may consider is to implement Binding Corporate Rules (BCRs). However, BCRs are subject to approval from the relevant supervisory authority and it will, therefore, prove time consuming to put such documentation in place.

Finally, UK organisations which currently rely on the EU-US Privacy Shield to transfer personal data to organisations in the US should be aware that this will no longer serve as a valid transfer mechanism in the event of a no deal Brexit unless the recipient US organisation has updated its public commitment to comply with the Privacy Shield to include the UK.

Procedural requirements

Notwithstanding the fact that the UK will have left the EU, many UK organisations will continue to be caught by the EU GDPR due to the extra-territorial scope of the GDPR. Where this is the case, organisations will have to consider whether or not they are required to appoint an EU representative pursuant to Article 27 of the GDPR.

On the flipside, the UK government has indicated that a similar requirement will apply to non-UK entities which are bound to comply with the UK’s data protection regime following Brexit, meaning many EU organisations carrying out activities in the UK could be caught.

In addition to the above, UK organisations which have any branches or establishments in the EU or are otherwise caught by the extra-territorial provisions of the GDPR and will be carrying out cross-border processing in the EEA following Brexit may be required to update their lead supervisory authority following Brexit.

Updates to documentation

At present, many organisations have drafted their GDPR compliance documentation from the perspective of the UK being a member of the EU. Businesses should review their GDPR compliance documentation to ensure that these references are updated accordingly. In particular, it would be prudent to review:

  • Privacy notices – to ensure that the position in respect of international transfers is correctly stated; and
  • Contracts with third parties – to ascertain whether these contain any restrictions on transfers outside the EEA.

Conclusion

As can be seen from the above, the implications of the UK leaving the EU without a deal will have serious data protection consequences not only for UK organisations, but also for EU organisations which transfer or process personal data to or in the UK. Businesses should be aware of the additional compliance steps which they may need to take following the UK’s exit from the EU without a deal and begin preparations for this as soon as possible.

Please contact us if you need any assistance preparing for Brexit.


Ben Nolan is a Solicitor Admitted in Scotland, in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at bnolan@foxwilliams.com

No-deal Brexit – the effect on data flows

Nigel Miller

Following the overwhelming rejection of Theresa May’s Brexit deal on 15 January 2019, the possibility of a no-deal Brexit continues to be a real risk and many businesses are looking at what they need to do to prepare for this.

A key consideration is to ensure that data flows with group companies, partners and vendors can be legally maintained. In this connection, if the UK does exit Europe without a transitional arrangement, what will be the position in relation to data flows to and from the UK?

What does the GDPR say?

The GDPR prohibits transfers of personal data from the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) (“EEA”) to a country outside the EEA (referred to in the GDPR as a “third country”) unless:

  • that third country has been deemed “adequate” by a European Commission adequacy decision (for example, Switzerland has adequacy status); or
  • one of a number of legal safeguards has been put in place beforehand. For most EU businesses transferring personal data to third countries which do not have “adequacy” status, the most convenient legal safeguard used is the standard contractual clauses (or “SCCs”), which are a set of standard data protection clauses prescribed by the EU and entered into between the data transferor (in the EEA) and the data recipient (in the relevant third country).

Will the GDPR still apply?

The GDPR is here to stay post-Brexit regardless of whether there is a deal or no deal. This is because, on the day the UK leaves the EU, most of the EU law (including the GDPR) which applied prior to the UK leaving the EU will be converted into UK law. In addition, the new Data Protection Act 2018 (“DPA 2018”), which supplements the GDPR, will continue to apply in the UK regardless of the outcome.

What about transfers of data from UK to EEA?

When the UK leaves the EU, the UK will become a “third country”. The UK government has stated that, post-Brexit, UK businesses will continue to be able to send personal data from the UK to the EEA. Having said that, it has also said that the “UK would keep this under review”. Therefore, unless otherwise indicated by the UK government in future, the free flow of personal data from UK businesses to the EEA will continue.

What about transfers of data from EEA to UK?

The position is not the same in respect of data transferred from the EEA to the UK.

While the UK government has indicated its intention to begin discussions on an adequacy decision for the UK, the European Commission has not yet given a timetable for this and has stated that a decision on adequacy cannot be taken until the UK is a third country. In any event, such decisions typically take many years to conclude. Therefore, for the time being, EU organisations will need to implement one of the appropriate legal safeguards (the SCCs usually being the most convenient option) in order to continue to transfer personal data to businesses in the UK.

What about transfers of data from UK to other territories?

In relation to transfers from the UK to other territories, the EU’s existing decisions on adequacy and SCCs that were in place on Brexit day can continue to be used after Brexit to ensure the free flow of data. Longer term, these adequacy decisions and SCCs will fall under the responsibility of and will be reviewed by the UK ICO rather than the European Data Protection Board.

Other issues to consider

Aside from the issue of international data transfers, there are some other issues to consider upon the UK exiting EU:

  • If you market to EU consumers, or you monitor the behaviour of individuals located in the EU, you will need to comply with both the UK data protection regime and the EU regime after the UK exits the EU, due to the extra-territorial reach of the GDPR. This carries with it the potential for regulatory actions including fines from both EEA authorities and the ICO, in the event of a data breach or infringement of data laws.
  • The GDPR requires a controller or processor not established in the EEA to designate a “representative” within the EEA in certain circumstances where they are processing the personal data of data subjects who are in the EEA. This is not a straightforward matter; the “representative” is a separate role to a data protection officer and may assume some direct compliance responsibility.
  • Likewise, controllers that are based outside the EU but that target UK customers (and are therefore subject to the UK GDPR) will be required to appoint a UK representative.
  • As well as dealing with the UK ICO, you may have to deal with European supervisory authorities in every EEA and EU state where individuals are affected. You may no longer be able to have a “lead authority” and benefit from the One-Stop-Shop. The One-Stop-Shop means you can deal with a single European supervisory authority rather than every supervisory authority in every EEA and EU state where individuals are affected.
  • Privacy notices may need to be updated in relation to international transfers and the appointment of a representative.


We are advising a number of clients on preparations for a no-deal Brexit. Contact us to explore how we can assist you.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com