At the time of the Autumn agenda the CJEU’s unexpected decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18 (Schrems II), which invalidated the EU-US Privacy Shield, was causing some consternation in legal departments across the world. Since then, a good deal has been done at EU level to clear a path for organisations transferring personal data across borders.
International data transfers
A few weeks ago, the EDPB published draft Recommendations on supplementary measures for data transfers where the importing jurisdiction does not ensure an adequate level of data protection such as the US. At the time of writing, we do not know whether the UK will fall into this category at the end of 2020 but the UK’s post-transition status will be at the top of people’s minds in this context. The Recommendations are open for consultation until 21 December 2020.
The European Commission’s publication of a new set of standard contractual clauses for data transfers outside the EEA is also well timed, although it is possible they will not come into force until early 2021. Feedback is open on the clauses until 10 December 2020.
Our recent blog post provides commentary on both of these developments impacting international data transfers. PLC Magazine also previously published an article, Schrems II and data transfers: cast adrift in a sea of uncertainty.
ICO enforcement
The other main story over the autumn has been some high profile ICO enforcement action. The UK regulator fined British Airways £20 million and Marriott International £18.4 million for processing personal data without adequate cyber security measures in place leading to major attacks and data losses. Both fines were substantial reductions on the ICO’s original intention to fine amounts.
The ICO has also issued a monetary penalty notice to Ticketmaster of £1.25 million after the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
See our blog post and article on the BA, Marriott and Ticketmaster fines.
In addition, following a two year investigation the ICO imposed an enforcement notice on Experian for failing to improve its compliance with transparency requirements under the GDPR and cease using credit reference data for direct marketing purposes. Experian intends to appeal.
Brexit
We have just over three weeks until the end of the Brexit transition period (31 December 2020). For guidance, see Practical Law’s data protection content in relation to Brexit.
Of particular note, Practical Law recently published Brexit post-transition period: changes to data protection references: checklist (UK) which is designed to assist organisations in identifying the key areas where amendments may be needed in their documents to reflect legislative changes at the end of the transition period.
Practical Law has also published this forward looking piece about the co-existing UK and EU data protection regimes after 31 December 2020.
Practical Law editors are currently in the process of updating its data protection and other resources to reflect the expected legal position at the end of the transition period.
Roundup for Autumn 2020
Here are some of the other key developments in the last three months:
- On 8 September, the ICO published a blog sharing ten top data protection tips for innovators.
- On 10 September, the ICO published its accountability framework, designed as a practical tool to help organisations understand what good accountability looks like.
- On 16 October, DCMS updated its guidance for organisations on transfers of personal data between the UK and the EU after the end of the transition period, and expressed its confidence that the European Commission will make an adequacy decision for the UK before 1 January 2021.
- On 16 October, DCMS published revised versions of its guidance for both UK digital service providers operating in the EU, and for non-UK digital service providers operating in the UK, on what they should do after the post-Brexit transition period to comply with the Network and Information Systems Regulations 2018 (NIS Regulations).
- On 21 October, the ICO published detailed guidance for organisations on how to deal with rights of access to personal data (subject access rights) under the GDPR.
- On 6 November, the ICO published detailed guidance on criminal offence data. The guidance is aimed at data protection officers and those with specific data protection responsibilities in larger organisations, rather than competent authorities with law enforcement functions who are processing for law enforcement purposes.
- On 11 November, the CJEU delivered its preliminary ruling on conditions for valid consent to the processing of personal data in an offline context in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal.
- On 12 November, the European Commission published new standard contractual clauses between controllers and processors under Article 28 of the GDPR. Like the clauses designed for data export referred to above, feedback is open until 10 December 2020.
- In late November, the Centre for Data Ethics and Innovation published a report on the use of algorithms in four sectors: financial services, local government, policing and recruitment. The report proposes a roadmap for tackling algorithmic bias.
- On 1 December, the EDPB published a final version of its guidelines on data protection by design and by default.
Looking ahead
There are a few key dates some will wish to keep an eye on over the winter:
- 9 December 2020. DCMS consultation on National Data Strategy ends. See here.
- 10 December 2020. The period for feedback on standard contractual clauses between controllers and processors under Article 28 of GDPR ends. See here.
- 10 December 2020. The period for feedback on standard contractual clauses for the transfer of personal data to third countries under GDPR ends. See here.
- 21 December 2020. Proposed Regulation (COM(2020) 568 final) creating a temporary derogation from the applicability of Articles 5(1) and 6 of the E-Privacy Directive (for purposes of combatting child sexual abuse online) to be implemented in the EU. See here.
- 21 December 2020. EDPB consultation on recommendations on supplementary measures for data transfers to third countries in response to Schrems II closes. See here.
- 31 December 2020. Changes to the Network and Information Systems Regulations 2018 come into force. See here.
- 31 December 2020. The transition period under the UK-EU withdrawal agreement ends at 11.00 pm (UK time).
- 21 January 2021. European Commission consultation on rules on data governance closes. See here.
New Practical Law content
Practical Law has published several new resources over the last three months:
- Practice note, Data protection issues in IT contracts sets out the key issues to address when considering the impact of the EU GDPR, the UK GDPR and the Data Protection Act 2018 on rights and obligations commonly found in IT contracts.
- Practice note, Cyber security: FCA regulation provides an overview of the FCA’s requirements and expectations of regulated financial institutions relating to cyber security. There is also an accompanying checklist, Cyber security: checklist for financial institutions.
- Standard document, Data processing agreement (controller-to-processor) (within UK) is for use with a master service agreement or other similar agreement when the contracted services involve a service provider processing personal data on behalf of a customer.
- Standard document, Cyber incident response plan (IRP) UK is a model cyber incident response plan (IRP) addressing how organisations can prepare for and handle cyber attacks, data breaches, and other information security incidents.
- Standard documents, Personal data processing clauses for IT agreements (UK) (pro-customer) and Personal data processing clauses for IT agreements (UK) (pro-supplier) are personal data processing clauses designed for use in an IT context, to facilitate compliance with the GDPR.
- Developing a UK cyber incident response plan: checklist outlines steps organisations handling data in the UK should take when developing a UK cyber incident response plan (IRP).
- Video, Data ethics: what it is and why it matters provides an introduction to data ethics, including why it matters to businesses, increasing regulatory interest and practical steps for using data ethically.
- Video, Data ethics: impact of COVID-19 provides an insight into the impact of COVID-19 on data ethics, including what the pandemic has taught us about data ethics, COVID-19 tracing apps and innovative uses of data and AI.