Data Protection – February 2017

Print publication


Latest on cyber security, the GDPR, international data transfers and more.

Launch of National Cyber Security Centre

The National Cyber Security Centre (based in London) was officially opened on 14 February 2017.  This follows on from publication in November 2016 of the government’s National Cyber Security Strategy 2016-2021, setting out its plan to make Britain secure and resilient in cyberspace, with £1.9 billion to be invested over the next five years.  Links to advice and guidance for organisations can be found here.  In a speech delivered at the launch, Chancellor Philip Hammond spoke of how cyber attacks are increasing in their frequency, severity and sophistication.  He referred to several recent high-profile incidents which serve as a reminder of the scale of damage that a single successful cyber attack can inflict.

Update on the General Data Protection Regulation (GDPR) and post-Brexit arrangements

At an EU Home Affairs Sub-Committee meeting on 1 February 2017, the Minister of State for Digital and Culture reiterated that the UK will implement the GDPR and that the government is keen to secure the unhindered flow of data between the UK and the EU post-Brexit (he expressed a similar view in relation to UK-US arrangements).  The Minister explained that parts of the Data Protection Act 1998 will be repealed to ensure compatibility with the requirements of the GDPR and that he does not foresee any significant changes to UK data protection law post-Brexit, to provide the UK with the greatest possible chance of securing the free flow of data between the UK and the EU.  It remains to be seen, however, whether or to what extent the UK will choose to mirror any changes that the EU makes to data protection law in the future, post-Brexit. In a recent speech, the UK Information Commissioner had this to say: “If I could give you just one piece of advice today, it would be not to put this off. The GDPR is happening”.

Latest on international data transfers – Model Contract Clauses and EU-US Privacy Shield

The Article 29 Working Party (WP29) has confirmed that Google’s contractual arrangements for international data transfers for its G Suite and Google Cloud Platform are in line with the European Commission’s Model Contract Clauses (one of the approved mechanisms – for now at least – for transferring personal data outside the European Economic Area).  This means that Google’s European business customers will be able to rely on Google’s model clauses for the transfer of personal data, without the need for further authorisations.

Meanwhile, the Irish Data Protection Commissioner (DPC) is asking the Irish High Court to make a reference to the CJEU as to the validity of the Model Contract Clauses.  Arguments in this much-anticipated case got under way in early February.  The case goes back to a complaint made by Austrian national Max Schrems against Facebook in 2013, regarding the transfer of his personal data from Facebook Ireland to its parent company, Facebook Inc, in the US. Facebook was using the ‘Safe Harbor’ framework.  In 2015, the CJEU ruled that the European Commission’s adequacy decision regarding Safe Harbor (i.e. that the US provided an adequate level of protection) was invalid.  ‘Safe Harbor’ has since been replaced by the EU-US Privacy Shield.  The DPC recently published an update on the current status of the proceedings.

Over 1,700 companies have now signed up to the Privacy Shield. As we reported previously, concerns were recently raised over its future following President Trump’s executive order potentially affecting the privacy protections of non-US citizens or permanent residents.  While the US has sought to play down these concerns, the WP29 decided at its February meeting to write directly to the US authorities for clarification on the issue.  See the WP29’s press release for more details on this and other topics discussed at the meeting, including the adoption of Privacy Shield complaint documentation, implementation of the GDPR and the work of the enforcement subgroup (which has initiated detailed inquiries into the processing of personal data processed via Windows 10 by Microsoft). The press release can be found in the ‘Updates’ section at the end of the following link. In other news, Human Rights Watch and the American Civil Liberties Union have written a joint letter to the European Commissioner for Justice, Consumers and Gender Equality urging her to re-examine whether the Privacy Shield and EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU in light of the recent developments in the US.

Concerns over proposed changes to Fourth Money Laundering Directive

The European Data Protection Supervisor (EDPS) has published an opinion assessing the data protection implications of the European Commission’s proposed amendments to the Fourth Money Laundering Directive ((EU) 2015/849).  The amendments are aimed at tackling tax evasion in addition to money laundering.  An executive summary is set out at page 3 of the opinion.  The EDPS is concerned that the amendments introduce other policy purposes (other than countering anti-money laundering and terrorist financing) that do not seem to be clearly identified.  The amendments also raise questions as to why certain forms of invasive personal data processing, acceptable in relation to anti-money laundering and the fight against terrorism, are necessary out of those contexts and whether they are proportionate.

Data subject access rights – recent case law

Data subject access requests, which an individual has a right to make under data protection law to find out what information a data controller holds about them, have been the subject of two recent decisions in the English courts. In Holyoake v Candy and another [1] the High Court considered, among other things, the claimant’s argument that one of the defendants had invalidly relied on the legal professional privilege exemption.  In a judgment likely to be welcomed by data controllers, the judge was satisfied that legal professional privilege had been properly claimed, and it was not appropriate in the circumstances of this particular case to order the defendant to comply with the request.  However, in Dawson-Damer and others v Taylor Wessing LLP [2] the Court of Appeal overturned an earlier High Court decision and ordered compliance.  In a judgment likely to be welcomed by data subjects the court held, among other things, that Taylor Wessing (which had made a blanket assertion of legal professional privilege) had not shown that to comply with the request would involve disproportionate effort as all it had done so far was to review its files – disproportionate effort must involve “more than an assertion that it is too difficult to search through voluminous papers”.

Information Commissioner’s Office (ICO) and direct marketing

In further recent examples of the ICO’s crackdown on those who break the rules around direct marketing, one company was fined £20,000 for unlawfully trading personal information which resulted in 21,000 spam texts about payday loans being sent by the firm which had bought the information; and a credit broker was fined £120,000 for being responsible for millions of marketing texts sent without proper consent.  In her recent briefing to the Lords Bill Committee on the Digital Economy Bill, the Information Commissioner welcomed the provision for a statutory direct marketing code which would make it easier to take enforcement action against organisations.


[1] [2017] EWHC 52 (QB)
[2] [2017] EWCA Civ 74