Data Protection – December 2016/January 2017


Latest on the GDPR, e-privacy developments, updates on cyber security, international data transfers and direct marketing.

General Data Protection Regulation (GDPR) – a game changer for everyone

The Minister for Digital and Culture has reconfirmed in parliament that the GDPR will become UK law from 25 May 2018. The government is working on the details of implementation and plans to consult with stakeholders on key measures where there is an opportunity to apply flexibilities in the legislation “to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful”.

In the meantime, the Article 29 Working Party (WP29) has published its GDPR action plan for 2017 and the first tranche of European-level guidance on certain aspects of the GDPR.  At its December meeting, the WP29 adopted guidelines and FAQs for data controllers and processors on: the right to Data Portability; Data Protection Officers; and the Lead Supervisory Authority.  Watch out for our upcoming commentary on this guidance, the next in our series of guides to help businesses plan ahead for implementation.  Our initial publication can be found here: Introducing our series of guides to the EU General Data Protection Regulation.

The Information Commissioner’s Office (ICO) has also updated its “Guidance: what to expect and when” and in a recent speech to the Institute of Chartered Accountants, the Information Commissioner said that “we’re all going to have to change how we think about data protection” as the new legislation “puts an onus on businesses to change their entire ethos to data protection... The message about GDPR is continuity and change... There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone… accountability is at the centre of all of this: of getting it right today, getting it right in May 2018, and getting it right beyond that”.

E-privacy and the “Snooper’s Charter”

In a key judgment, the Court of Justice of the European Union (CJEU) has ruled that national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights.

This was a referral by the English Court of Appeal following a 2015 High Court ruling that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law.  The controversial Investigatory Powers Act 2016 (IPA) which replaced DRIPA at the end of 2016, despite opposition from privacy advocates, academics, the Law Society and major technology and telecommunications companies, who voiced significant privacy and data security concerns, goes even further than DRIPA.  The IPA, like DRIPA, has been dubbed the ‘Snooper’s Charter’.

The government has said it will put forward “robust arguments” when the case returns to the Court of Appeal. In the meantime, human rights group Liberty has already launched a crowdfunding campaign to fund a legal challenge to the new law.  The CJEU’s ruling also raises the possibility of challenge to the adequacy of the UK’s protection of EU personal data in a post-Brexit world.

A new e-Privacy Regulation

The EU e-Privacy Directive itself has been under review – one of the key initiatives proposed under the “Digital Single Market” strategy, aimed at reinforcing trust and security in digital services in the EU. The European Commission recently published the results of its consultations in this area and a proposal to replace the Directive with a new e-Privacy Regulation which, among other things, aligns the rules for electronic communications (including fines and remedies for individuals) with the standards of the GDPR.  The Commission intends for the new e-Privacy Regulation to come into force at the same time as the GDPR on 25 May 2018.

In the same press release, the Commission included a link to its proposed “Communication on Exchanging and Protecting Personal Data in a Globalised World” – setting out its strategic approach to the issue of international data transfers. This could be of relevance to the UK post-Brexit.

Cyber security – always on the agenda

Following on from the publication of the National Cyber Security Strategy 2016-2021, the government has now published its cyber security regulation and incentives review.  The review was conducted to consider whether there is a need for additional regulation or incentives to boost cyber risk management across the wider economy.  For now, the government will seek to improve cyber risk management in the wider economy through the GDPR.  The breach reporting requirements and fines capable of being issued under the GDPR will be supplemented by further measures to more clearly link data protection with cyber security.  There will also be new non-regulatory interventions to incentivise better cyber security management.

The Joint Committee on the National Security Strategy announced an inquiry into UK national security in a digital world.  The closing date for submissions is 20 February 2017.

Having already disclosed an earlier data breach affecting over 500 million user accounts, Yahoo recently reported that it had been subject to a second major cyber attack affecting 1 billion users – making it the largest data breach in history. US authorities have launched an investigation.  National Lottery operator Camelot also reported that around 26,500 of its players’ accounts had apparently been accessed by cybercriminals.  TalkTalk was also criticised by security experts for its advice to customers that there was “no need” to change their router settings after it emerged that the router credentials of many customers had been hacked.

These latest incidents underline yet again how vital it is for businesses to take data protection and security seriously, both in terms of prevention and recovery.

The ICO has published a post to help businesses prevent and recover from ransomware attacks, keep information secure and avoid financial and reputational damage.  There are links through to further guidance and tips, including from the government and the National Crime Agency.

EU and US conclude “Umbrella Agreement” for law enforcement cooperation

The European Commission has published a fact sheet on the “Umbrella Agreement” concluded between the EU and US on the protection of personal data exchanged for law enforcement purposes, which was backed by a majority of MEPs in early December.

International data transfers – changes to the Model Contract Clauses

The European Commission has amended its adequacy decisions on the Model Contract Clauses (an approved mechanism for transferring data outside the European Economic Area) and its adequacy decisions “whitelisting” certain countries and territories as providing adequate protection for personal data.

The changes are intended to implement the CJEU’s decision in C-362/14 Schrems v Data Protection Commissioner (see What does the Safe Harbor ruling mean for business? and Putting the EU-US Privacy Shield into motion – what next? for more details) by removing the restrictions on when the national data protection authorities can exercise their powers to suspend data, which the CJEU ruled were invalid.

The changes to the “whitelisting” adequacy decisions have no impact on the Commission’s finding that the 11 countries and territories provide adequate protection and so businesses can continue to transfer personal data to these countries without having to implement any additional safeguards.

The changes to the adequacy decisions for Model Contract Clauses don’t affect the Model Contract Clauses themselves.  So, for the time being at least, businesses which have incorporated the Model Contract Clauses into their agreements won’t need to make any changes.

However, the Model Contract Clauses are subject to an ongoing legal challenge in Europe. It is not yet clear what, if any, effect these amendments may have in relation to that challenge.  Walker Morris will monitor and report on developments.

Watch out for our upcoming LexisNexis Q&A on this topic.

International data transfers – update on the EU-US Privacy Shield

The EU Justice Commissioner has said that the Commission will “closely monitor the respect of protection standards and the correct implementation of both the Umbrella agreement and the EU-US Privacy Shield” under the leadership of US President Donald Trump.  Over 1,500 companies have now self-certified under the new regime for the transatlantic exchange of personal data for commercial purposes.  Concerns over the future of the Privacy Shield were raised last week after the President signed an executive order potentially affecting the privacy protections of non-US citizens or permanent residents. The European Union is closely following any changes that might have an effect on Europeans’ data protection rights.  Walker Morris will monitor and report on developments.

The Irish Times reports that the US, German and Czech governments have requested to participate in the case involving campaign group Digital Rights Ireland’s legal challenge to the Privacy Shield.  Other countries include the UK, France and the Netherlands.  In a news release issued by the International Association of Privacy Professionals, it was reported that some European tech companies are worried that the ongoing legal challenges will prove problematic in the long run.

The WP29 has published helpful FAQ documents for both European businesses and individuals on the practicalities of the Privacy Shield (links are available here).

Latest on direct marketing

The ICO recently took over management of the Telephone Preference Service (TPS) from Ofcom – one of a number of government measures to tackle nuisance calls and messages.  It has since fined one firm £40,000 for breaking the law by calling people registered with the TPS.

As we reported previously, the government announced in October that from spring 2017 the ICO will have powers to hold company directors directly responsible for breaches of The Privacy and Electronic Communications (EC Directive) Regulations 2003.  Each director could be liable for a fine of up to £500,000.  Ofcom and the ICO have recently published an update to their joint action plan.

Two companies responsible for sending millions of spam texts offering easy access to loans were recently fined £100,000 and £30,000 by the ICO respectively. Another was fined £50,000 for instigating the sending of nearly 400,000 spam texts about debt.  Since last April, the ICO has issued more than £1 million in fines to firms for breaking the law on marketing calls, text messages and emails.  It recently issued an update on the action taken to tackle nuisance calls and messages.