Update on GDPR, Privacy Shield, international transfers of data, latest from the ICO and more.
Update on the General Data Protection Regulation (GDPR)
We had been expecting the Information Commissioner’s Office (ICO) to publish its final consent guidance in the summer. However, its “Guidance: what to expect and when” webpage was recently updated to say that the final version will not be published until after the Article 29 Working Party (WP29) has agreed its Europe-wide consent guidelines. The latest timetable for the WP29 consent guidelines to be agreed and adopted is December 2017. In the meantime, the ICO has announced that it intends to publish a summary of the responses to its draft consent guidance consultation.
A group of European trade associations has written to the European Commission and the WP29 Chair, expressing concerns over the WP29’s stakeholder consultation process in respect of GDPR guidelines. It calls on the WP29 to work to ensure that the final guidelines are developed as swiftly as possible and that a reasonable consultation period is set. The group notes that GDPR and the associated guidelines will have a wide-ranging and fundamental impact on the financial services industry and that the industry needs to receive guidance in a timely manner to prepare for GDPR taking effect on 25 May 2018. It says that, at present, there are no indications of when or if stakeholder feedback would be expected through a timetable or roadmap, and it believes that the WP29’s consultation processes, which have taken place so far with 30-day deadlines to respond, have been much too short. It is also concerned that the guidelines effectively introduce additional rules to what is required under GDPR.
To date, the WP29 has published final, adopted guidelines on the right to data portability, data protection officers, and identifying a controller or processor’s lead supervisory authority. A consultation on draft guidelines on high risk processing and data protection impact assessments closed in May 2017.
We reported previously that the UK’s Information Commissioner participated in March 2017 in a wide-ranging evidence session before the EU Home Affairs Sub-Committee on the topic of the EU Data Protection Package. At that session, the Commissioner spoke of the importance of obtaining an adequacy decision post-Brexit (considered the most straightforward process to ensure the continued flow of data between the EU and the UK) and the importance of the UK’s status and influence on the European Data Protection Board (EDPB), which will make decisions about data processing that impact on UK citizens. The Sub-Committee has now published its report which considers the implications of the UK’s exit from the EU for cross-border data transfers and for UK data protection policy more generally. A summary of conclusions and recommendations is set out at the end of the report.
Among other things, the report says that the government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome (the Sub-Committee was “struck by the lack of detail in the government’s assurances thus far”). It recommends that the government should seek adequacy decisions to facilitate UK-EU data transfers post-Brexit, and urges it to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data sharing, pending the adoption of adequacy decisions (to avoid a “cliff edge” on exit day). The report notes that securing unhindered data flows with the EU may require the UK to demonstrate that it has put arrangements in place with the US that afford the same level of protection as the EU-US Privacy Shield and the EU-US Umbrella Agreement (which will no longer apply in the UK), and that maintaining unhindered data flows with the EU post-Brexit could require the UK to continue to align its domestic data protection rules with EU rules that it no longer participates in setting. It says it is imperative that the government considers how best to replace the structures and platforms from which the UK has been able to influence EU rules on data protection and retention and it should start by seeking to secure a continuing role for the ICO on the EDPB.
The ICO recently published its first ever International Strategy, designed to help it meet overseas data protection challenges including increased globalism, changing technology, GDPR and Brexit.
Fees payable to the ICO
In the evidence session before the EU Home Affairs Sub-Committee in March 2017, the ICO stated that a proposal had been submitted to Parliament for an alternative fee structure to replace the annual notification fee which will cease to apply under GDPR.
On 31 July 2017, sections 108 to 110 of the Digital Economy Act 2017 came into force. These sections give the Secretary of State the power to make regulations requiring data controllers to pay fees of an amount which is yet to be specified… watch this space.
More from Europe…
The WP29 has published an Opinion on data processing at work, which assesses the balance between the legitimate interests of employers to protect their business and the reasonable privacy expectations of employees, in the context of the risks posed by new technologies. The document can be found under the ‘Letters, Opinions and other documents’ heading on the WP29’s website.
The Opinion makes it clear that where employers use social media profiles, either as a vetting process for job applicants or as part of the ongoing monitoring of their workforce, they need to make sure that what they do is transparent, necessary and proportionate. This means that employers have to tell job applicants and employees in advance that their social media profiles may be reviewed. Employers must also be clear what they are trying to achieve by checking social media profiles in this way and satisfy themselves that this is the most appropriate way of achieving that objective. They will also need to be sure that they have a lawful ground for collecting data in this way, bearing in mind that asking the individual for consent is unlikely to be sufficient.
The Opinion also reminds employers that simply because a social media profile is publicly available does not mean that they are allowed to access and use that data for their own purposes. This echoes the guidance issued by the ICO to the political parties just before the General Election that public information is “not fair game”.
A delegation from the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs recently visited Washington DC for the first time during the Trump presidency. While all parties reiterated their continued commitment to making the EU-US Privacy Shield work, the Chair of the Committee stressed that “deficiencies still remain which need to be urgently resolved to ensure that the Privacy Shield doesn’t suffer from critical weaknesses.” See the press release here. The first annual joint review of the besieged data transfer agreement is due to be held in September 2017 (see our earlier briefing for further details).
We reported previously that Human Rights Watch and the American Civil Liberties Union wrote a joint letter to the EU’s Commissioner for Justice, Consumers and Gender Equality urging her to re-examine whether the Privacy Shield and EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU. On 26 July 2017, Human Rights Watch and Amnesty International wrote a joint letter urging the Commission to, among other things, re-evaluate its Privacy Shield adequacy decision. The letter enclosed a briefing setting out their detailed assessment of US legal authorities and surveillance activities and their conclusions regarding why these fail to provide an adequate level of protection for the purposes of EU law.
International transfers of data
The European Court has also delivered its opinion on the proposed agreement between the EU and Canada on the transfer and processing of passenger name record data. The Court found that there were a number of issues with the agreement which mean that it is incompatible with the EU Charter of Fundamental Rights and it therefore cannot be entered into in its current form, including:
- the agreement does not specify sufficiently the scope of the data to be transferred;
- there is no “precise and particularly solid” justification for the transfer of sensitive personal data;
- the agreement should only allow data to be retained in relation to passengers who have left Canada if there is objective evidence that they “may present a risk in terms of the fight against terrorism and serious transnational crime”.
The Court’s opinion has implications for the validity of the existing Passenger Name Record agreements in place between the EU and the US and the EU and Australia.
It also illustrates the approach the Court may adopt in relation to both the challenges to the Privacy Shield which are currently proceeding before it and any referral from the Irish High Court in respect of the model contract clauses.
The Court’s opinion should also be taken into account in the forthcoming first annual joint review of the Privacy Shield.
Latest from the ICO, including direct marketing and enforcement action
We reported previously that the ICO had updated its guidance for organisations on dealing with data subject access requests (DSARs), to reflect recent Court of Appeal decisions on the use of DSARs in litigation and the efforts required in searching. The ICO’s blog post on this topic highlights that changes have also been made to the ICO’s CCTV code of practice and guide to data protection in light of these decisions.
In relation to direct marketing, loan firm Provident Personal Credit Limited – responsible for sending nearly a million nuisance text messages – was fined £80,000 by the ICO. It had employed third party affiliate companies to send unsolicited text messages on its behalf to promote personal loans. Moneysupermarket was also fined £80,000 after it sent millions of emails to customers who had previously opted out of direct marketing.
In the first seven months of 2017, the ICO has issued 39 monetary penalties totalling £2,737,500, compared to the 32 monetary penalties totalling £3,121,500 issued by the ICO in the whole of 2016. Please click here for further details.
These fines reiterate the ICO’s recent message to organisations to ensure that they have the appropriate consents in place for sending unsolicited marketing communications and to refresh these, where necessary, to ensure they meet the higher threshold for consent under GDPR. An ICO fine of £50,000 issued to a lead generation and data brokerage business for instigating the sending of unsolicited marketing texts about debt was reduced to £20,000 on appeal, taking into account the company’s size, the fact that it was its first contravention and the fact that it was the first and only time it had conducted such a direct marketing campaign. At the time of the contravention, the company’s turnover and profit appeared to have increased substantially, and this was a factor in setting the appropriate penalty.
On 6 July 2017, the Fundraising Regulator launched the Fundraising Preference Service, which will enable individuals to block direct marketing communications from named charities.
In other recent news: the ICO fined a video game rental firm £60,000 after it failed to take basic steps to stop its website being attacked; a recruitment manager was prosecuted and fined after he illegally disclosed job applicants’ personal information to a third party employment agency; and the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind in a clinical trial. Patients were not adequately informed that their data would be used as part of the test. The ICO published a blog post setting out four lessons that NHS Trusts can learn from this case, but the principles apply equally to companies in the private sector. On the subject of healthcare, the government has responded to the National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs and the Care Quality Commission’s Review ‘Safe Data, Safe Care’.
LAD Media Ltd v Information Commissioner, UKFTT 2017_0022