Regulatory Actions

Nigel Miller

As the deadline to replace old EU SCCs passes …

Arjun Majumdar
Arjun Majumdar
Tayler Sani
Tayler Sani

Companies subject to the EU GDPR and reliant on standard contractual clauses (“SCCs”) to transfer personal data out of the EEA are reminded that the regulatory deadline to update their existing agreements has now passed.

EU GDPR Requirements

To recap, on 4 June 2021, we saw the European Commission adopt new, modernised EU SCCs for the transfer of personal data from the EEA to third countries.

Organisations were afforded a transitional period, which required that they:

  • cease using the old SCCs in new contracts by 27 September 2021, and
  • transition all existing contracts over to the new EU SCCs by 27 December 2022.

This means that organisations should have now adopted the new EU SCCs in all existing contracts involving international transfers of personal data under the EU GDPR. If they have not already done so, they should prioritise doing so as soon as possible.

UK GDPR Requirements

As the UK is no longer part of the EU, the new EU SCCs are not a valid transfer mechanism under the UK GDPR. However, in March 2022, the UK ICO formally adopted:

  • the IDTA, a standalone agreement – similar to (but not the same as) the new EU SCCs – for international data transfers from the UK to third countries;
  • the UK Addendum, which can be appended to, and have the effect of modifying, the new EU SCCs so that they work for international data transfers from the UK to third countries.

These were discussed in further detail in our previous article “New UK International Data Transfer Agreement.”

In respect of data transfer arrangements subject to the UK GDPR, contracts entered into prior to 21 September 2022 can rely on old EU SCCs until March 2024 (provided there are no modifications to the data transfer operations under those contracts) but, from now, new contracts must incorporate either the IDTA or the new EU SCCS-plus-UK Addendum-combination.

In Other News

Following Schrems II, businesses – whether subject to the EU GDPR or UK GDPR – relying on SCCs for their data transfers to recipients in third countries are also required to undertake and document transfer risk assessments. SCCs alone are no longer sufficient. Whilst the European Data Protection Board (EDPB) already published recommendations on this topic in June 2021 (which can be accessed here) in respect of restricted transfers subject to the EU GDPR, the ICO only recently published updated guidance on transfer risk assessments in respect of restricted transfers made subject to the UK GDPR, which can be accessed here.

Together with its guidance, the ICO have also published a TRA tool which can be used to help businesses carry out their TRAs. It is worth noting that the ICO have given businesses the option of conducting their assessments in line with the EDPB recommendations: either option is acceptable to the ICO.

Nigel Miller

Risk Management in Law Firms

Partner and head of our technology and data protection group, Nigel Miller has written the data protection chapter in Global Law and Business’s recent publication Risk Management in Law Firms: Mitigate Risk and Enhance Firm Success.

The publication brings together lawyers, consultants and other risk and compliance professionals to provide expert and practical guidance on essential risk management topics. Chapters cover risks relating to clients, internal operations and law and regulation, and address recent developments including issues arising from the shift to hybrid working, the increased focus on ESG and climate change, and the extended influence of clients through outside counsel guidelines.

Nigel’s chapter on data protection is available to read here. The chapter sets out a high-level summary of applicable data protection laws, with a focus on areas that have specific application to law firms, and
provides some best practice points for risk management.

Nigel Miller

Do you consent to cookies? The latest data protection reforms in the UK

Kolvin Stone
Kolvin Stone (partner)
Vlad Arutyunyan

The government has announced significant proposed reforms to data privacy laws in the form of a Data Reform Bill, which was introduced into Parliament on 18 July 2022.

The Bill, part of the UK’s National Data Strategy, aims to improve on the UK’s current data protection standards whilst minimising the administrative burden of requirements on businesses in the UK.

We look at key aspects of the Bill, which originated from a government consultation, the response to which came out earlier this year.

Cookies and calls

Part of the Bill focuses on reducing ‘consent fatigue’.

Websites will use an ‘opt-out’ rather than ‘opt-in’ model for cookie consents and the onus for protecting data will be on users to alter their own browser settings to better protect their data. This means accepting cookies each time you enter a new site may be a thing of the past!

There will also be greater financial penalties for nuisance calls, texts, and certain data breaches where no consent has been given for such marketing. For example, fines will now be made in-line with current UK GDPR guidelines, the higher of up to 4% of the company’s global turnover or £17.5 million.

Updating the ICO

The Bill aims to modernise the Information Commissioner’s Office (ICO) including extending its legal remit, clarifying its framework for decision-making, and building out its leadership to enhance its reputation internationally.

The proposed board of the ICO will be entirely independent and consist of a chair, chief executive, and other board members. The Bill also proposes greater accountability of the ICO to the public and the government. The ICO will also be expected to consider in future decision making:

  1. economic growth and innovation
  2. competition
  3. collaborating with other regulators and relevant bodies

In addition, the ICO will be expected to set up expert panels in relevant areas when developing statutory guidance.

“Data Protection”

The Bill seeks to limit the definition of “data protection” to only include situations where:

  • information is identifiable by the controller or processor by reasonable means at the time of the processing or
  • the controller or processor ought to know that another person will likely obtain the information as a result of the processing and the individual will likely be identifiable by that person by reasonable means at the time of the processing.

Fewer requirements

The Bill also poses removing the requirement:

  • for mandatory ICO consultation (where a company has identified a high-risk data processing activity) and making it voluntary
  • to appoint a Data Protection Officer and placing data privacy responsibilities on a senior member of the company
  • to perform Data Protection Impact Assessments and
  • to retain records of any processing activities.

Automated decision making

The Bill has removed previous restrictions on automated decision making. It proposes to allow for solely automated decision making in relation to significant decisions where appropriate safeguards are in place, including the right to human intervention. There is not yet clarity as to what would constitute a “significant” decision in this context.

Data transfers

Whilst data privacy laws will need to remain at the standard imposed by the EU GDPR to facilitate effective data transfer between the UK and EU, the Bill also seeks to strengthen data transfers with trade areas outside the EU. The Bill puts forward an autonomous UK international transfer regime in lieu of the current EU-aligned regime.

The UK has highlighted high target jurisdictions where adequacy decisions will be prioritised. This includes the US, Australia and Singapore. On 5 July 2022, the UK announced that it has reached a data agreement with the Republic of Korea which hopes to create a new age of digital trade between the two nations.

Supporting scientific research

The proposed reform aims to encourage at-home scientific innovation by offering further clarity as to how data can be used for research purposes.

The Bill removes some of the tick boxes before scientists can collect data, by removing the need for granular specification of the ultimate purpose of any research before it can begin.

The Bill also suggests clarifying the standard to which data should anonymised to be relevant to each situation and the extent to which any data can be reused for further research.

The future

There is a substantial risk it will jeopardise the UK’s adequacy decision with the EU, which facilitates free data flow between the UK and EU. For instance, the Law Society aired its reservations surrounding the approach for being too business and innovation focussed which may be to the detriment of individual rights and protection.

The data rights activist body, Open Rights Group have commented on the Bill’s restriction of data subject’s rights “substantially incompatible” with the EU GDPR.

As a result, we expect ongoing discourse between the EU and UK to resolve these issues.

Nigel Miller

UK to reform data protection laws

Nigel Miller (partner)

Prince Charles, in giving the Queen’s Speech on 11 May 2022, announced the government’s intention to reform UK data protection laws. The purpose of the reforms is to:

  • Take advantage of the benefits of Brexit to create a “world class data rights regime” that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
  • Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.

The main elements of the Bill are:

  • Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

The government sees the GDPR as a highly complex and prescriptive piece of legislation which encourages excessive paperwork, and creates burdens on businesses with little benefit to citizens. As the UK has now left the EU, the data protection framework can be reformed in order to reduce burdens on businesses.

Comment:

The contents of the Bill are not yet available and it remains to be seen quite how far these reforms will go. It is one thing (for example) to reduce paperwork, and remove the need for irritating cookie banners (a couple of the potential targets of the Bill), but another to go too far and put at risk the UK’s adequacy ruling that allows the free flow of data from the EU. In the end, the reforms may be helpful but relatively modest.

Nigel Miller

A new year, a new ICO

As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr. Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.

Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.

One little known fact: In 1986 – 1987 Mr. Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!