Latest on cross-border transfers of personal data, the new Data Protection Bill, GDPR and more.
A round-up of the recent flurry of activity in the world of data protection, starting with two key developments in relation to cross-border transfers of personal data.
EU-US Privacy Shield lives to fight another day
The European Commission has published its report on the functioning of the EU-US Privacy Shield after the first annual joint review of the transatlantic data transfer framework took place in Washington DC in September 2017. See the Commission’s press release for links to the report and other materials.
The Commission concludes that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to organisations in the US, but considers that practical implementation can be further improved to ensure that the guarantees and safeguards provided in the framework continue to function as intended. It recommends that:
- companies should not be able to publicly announce their Privacy Shield certification until it is finalised by the US Department of Commerce (DoC);
- the DoC conducts regular compliance checks and searches for false claims of Privacy Shield participation;
- the DoC and EU national data protection authorities (DPAs) strengthen their awareness-raising efforts, such as informing individuals about how to exercise their rights under the Privacy Shield;
- the DoC and DPAs cooperate (with the US Federal Trade Commission if appropriate) to develop guidance on the interpretation of certain concepts in the Privacy Shield;
- the US Congress enshrines the protections of Presidential Policy Directive 28 (PPD-28) in the Foreign Intelligence Surveillance Act (FISA) – PPD-28 sets out limitations and safeguards on the use by national security authorities of personal data, regardless of the individual’s nationality;
- the US administration swiftly appoints a permanent Privacy Shield Ombudsperson (the Commission says that it calls on the administration to confirm its political commitment to the Ombudsperson mechanism, as an important element of the framework as a whole);
- the US administration swiftly appoints missing members of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency within the executive branch, so that it can fulfil its important function protecting privacy and civil liberties in the field of counterterrorism policies and their implementation (the Commission also calls on the US administration to publicly release the PCLOB’s report on the implementation of PPD-28); and
- the US authorities proactively fulfil their commitment to provide the Commission with timely and comprehensive information about any developments that could raise questions about the functioning of the Privacy Shield.
On this final point, the Commission highlighted two “particularly noteworthy” possible future developments in the US legal system. The first is the review by the end of 2017 of section 702 of FISA, which has raised concerns over the possible expansion of surveillance powers and/or the curtailment of existing protections. The second relates to concerns that Congress may be considering ways to narrow the jurisdiction of the PCLOB to US individuals and/or to limit the body’s oversight functions. The Commission says that the situation will continue to be closely monitored and the impact of any changes carefully assessed.
The result is that, while it does not appear to have received a ringing endorsement, Privacy Shield lives to fight another day.
In the meantime, the Privacy Shield remains subject to two legal challenges in Europe. Walker Morris will continue to monitor and report on developments.
European Court to rule on validity of model contract clauses
In a judgment with potentially wide-ranging ramifications, the Irish High Court is referring questions over the validity of the Commission’s adequacy decisions on model contract clauses to the Court of Justice of the European Union (CJEU). This follows the complaint by Austrian privacy campaigner Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US.
The Irish Court shares the Commissioner’s “well-founded” concerns that there is an absence of an effective remedy in US law, compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights, for EU citizens whose data may be at risk of being accessed and processed by US state agencies for national security purposes in a way which is incompatible with Articles 7 and 8 of the Charter. Articles 7 and 8 concern respect for private and family life and protection of personal data. Article 47 provides for the right to an effective remedy before an independent and impartial tribunal.
The exact questions to be referred to the CJEU are yet to be formulated, and it appears unlikely that the CJEU will make any ruling before the end of 2018 or even into 2019, unless the process is expedited in some way. The Irish Court’s judgment does not invalidate the Commission’s adequacy decisions, so that model contract clauses remain a valid legal basis for the cross-border transfer of personal data. Walker Morris will continue to monitor and report on developments.
Latest on the new Data Protection Bill
The Data Protection Bill, which will replace the UK’s existing Data Protection Act, had its second reading in the House of Lords on 10 October 2017. There was a wide-ranging discussion which covered, among other things, the question of how the government plans to deliver its objective of free and uninterrupted data flows post-Brexit, and the proposal to set the age of children’s consent to the processing of their data at 13 years. In particular, Lord Stevenson of Balmacara noted “[t]his is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may – who knows? – change it substantially”.
Lord Ashton of Hyde and Baroness Williams of Trafford have subsequently published a letter which addresses 12 points raised during the debate including the Bill’s complexity.
The UK’s Information Commissioner published a briefing ahead of the second reading. The first day of the committee stage, involving a line-by-line examination of the Bill and the first chance to make changes, took place on 30 October 2017. The committee stage continues on 6 November 2017.
Independent consumer body Which? is calling for the Data Protection Bill to be amended so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress. It says that the call is widely supported by the public, with three quarters of those surveyed saying they would welcome an independent body helping to get redress on a collective basis. Which? is asking consumers to provide it with the evidence it needs, by sharing their experiences of data breaches.
The House of Commons Library published a briefing paper looking at data protection and what might happen after Brexit. Among other things, the paper outlines some of the potential implications of the government’s proposal to exclude the EU Charter of Fundamental Rights, which is central to EU data protection law, from ‘EU retained law’ after Brexit. This includes the question of how the UK would continue close cooperation with the EU on exchanging data, when compliance with the Charter is likely to be required in practice to ensure regulatory equivalence.
EU General Data Protection Regulation (GDPR) – more European-level guidance published
The Article 29 Working Party (WP29) has published final, adopted guidelines on high risk processing and data protection impact assessments. It is currently consulting until 28 November 2017 on draft guidelines on personal data breach notification and on automated individual decision-making and profiling. All of these materials can be found on the WP29 website. Guidelines on administrative fines have also been published. In a recent blog post, the Information Commissioner’s Office (ICO) provided an update on its work in relation to GDPR. This includes plans to launch a dedicated telephone service aimed at helping small businesses.
We will be publishing a separate briefing which will provide an overview of the newly available guidance as well as looking at what businesses should be doing now to progress their preparations for the arrival of GDPR.
More news from Europe…
The European Data Protection Supervisor has published recommendations on specific aspects of the proposed e-Privacy Regulation, which is also due to come into force on 25 May 2018. However, we understand from the European Parliament website that, as discussions still appear to be required, the proposed implementation date is considered difficult to achieve. Walker Morris will continue to monitor and report on developments.
As reported in a previous edition of the Regulatory round-up, the Security of Network and Information Systems Directive (or NIS Directive) must be transposed into UK law by 9 May 2018. The European Commission has been consulting on a draft implementing regulation in relation to digital service providers (cloud services, online marketplaces and search engines). The Information Commissioner has been proposed as the UK competent authority for regulation of digital service providers under the NIS Directive, and has recently provided her comments on the consultation.
Draft data sharing codes of practice
In other news, the government is consulting until 2 November 2017 on various draft data sharing codes of practice, regulations and a statement of principles as required under Part 5 of the Digital Economy Act 2017, which gives government new powers to share personal information across organisational boundaries to improve public services.
Website privacy notices are “too vague and generally inadequate”
An international study led by the ICO found that organisations “need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data”. The ICO’s press release sets out examples of the problems it identified and the conclusions reached by the Global Privacy Enforcement Network.
ICO fee and registration changes
The ICO has outlined the proposed fee and registration changes which will come into force next year. At the moment, organisations that process personal information as data controllers are required to notify the ICO and to pay a notification fee of either £35 or £500 depending on their size. Under GDPR, there will no longer be a requirement to notify the ICO in the same way, but there will still be a legal requirement in the UK for data controllers to pay the ICO a ‘data protection fee’. The new fee system will start on 1 April 2018. The ICO expects to know more about it by the end of this year, but the current draft proposal is a three-tier system which will differentiate between small and big organisations and also by how much personal data an organisation is processing. In the meantime, notification renewals should continue as usual.
Recent ICO enforcement action
It seems that not a month goes by without us talking about the ICO’s crackdown on nuisance marketing, and this month is no different. A Liverpool-based firm was fined £70,000 after over 100,000 automated calls were made to people who had not agreed to be contacted in that way. It was responsible for ensuring that the necessary consents were obtained, regardless of its argument that the details were bought from another firm which it paid to carry out the calls. A London advertising firm was fined £50,000 after it sent nearly 1.26 million spam emails promoting a wide range of products and services on behalf of other firms, again without the appropriate consents. The message from the ICO is loud and clear – make sure you have the necessary consents to send marketing emails and texts and to make automated calls.
Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems [2016 No. 4809 P.]