3rd February 2020
Latest from the ICO, including Brexit, subject access request timings and draft direct marketing code; international data transfers; cybersecurity; and more.
On 29 January 2020, the ICO issued a brief statement on data protection and Brexit implementation, with links through to its various guidance materials and other resources. It will be “business as usual” until the end of December 2020. The General Data Protection Regulation (GDPR) will continue to apply.
In other developments:
On 19 December 2019, just after the November/December 2019 edition of the Regulatory round-up went to press, one of the advocates general of the Court of Justice of the European Union (CJEU) delivered his eagerly anticipated opinion on the validity of the European Commission decision that established standard contractual clauses for the transfer of personal data from EU controllers to processors established outside the EU or European Economic Area.
The advocate general’s view is that the decision is valid given the obligation on controllers and supervisory authorities to suspend or prohibit a transfer when the clauses cannot be complied with. See the press release.
The opinion follows a referral to the CJEU in the long-running litigation involving Facebook and Austrian privacy activist Max Schrems regarding the transfer of his personal data by Facebook Ireland Limited to Facebook Inc. in the US for processing, and concerns over US mass surveillance.
While the opinion is non-binding, the CJEU tends to follow such opinions in the majority of cases, and organisations can breathe a cautious sigh of relief that this key international data transfer mechanism looks set to remain available.
The opinion is particularly relevant now that the UK has left the EU, with no guarantee at this stage that the European Commission will issue an adequacy decision in respect of the UK before the end of the transition period in December 2020 – i.e. a finding that the UK’s legal framework provides adequate protection for individuals’ rights and freedoms for their personal data.
Importantly, the advocate general went on to say that he entertained certain doubts as to the conformity of the Commission’s Privacy Shield decision (one of the key mechanisms for the transfer of personal data between the UK and US for commercial purposes) to the relevant GDPR provision on adequacy, read in the light of certain provisions in the EU Charter of Fundamental Rights and the European Convention on Human Rights. Walker Morris will continue to monitor and report on developments.
On 6 January 2020, the European Data Protection Supervisor published a preliminary opinion on data protection and scientific research. The executive summary can be found on page two.
On 15 January 2020, the Council of the European Union published its position and findings on the application of GDPR, ahead of a review and evaluation of the legislation by the European Commission, which is due to submit a report by 25 May 2020. See this link. Among other things, while the Council notes that GDPR was drafted to be technologically neutral and its provisions already address the new challenges associated with emerging technologies, it considers that it is necessary to clarify as soon as possible how GDPR applies to these technologies.
On 27 January 2020, the government announced new legislation to improve security standards of internet-connected household devices. The measures set a new standard for best practice requirements for companies that manufacture and sell consumer smart devices or products.
A guide which brings together for the first time knowledge from the world’s leading cybersecurity experts was launched recently in London. The National Cyber Security Centre (NCSC) says that the ‘Cyber Security Body of Knowledge’ has the potential to help organisations to better protect themselves. It covers the foundations of cybersecurity, ranging from the human element through to issues in computer hardware security. See this link.
The NCSC published a complete refresh of all of its end-user device content (mobile device guidance) for organisations. See the blog post for details and a link through to the guidance.
And finally, the NCSC also recently released guidance to assess the security of voice, video and messaging services. See the blog post for details and a link through to the NCSC’s secure communication principles. Feedback on the principles is requested by 30 April 2020.
Head of Regulatory & Compliance