The key current developments in the world of data privacy and cybersecurity centre largely on the highly complex area of international transfers. The UK’s wait for the European Commission’s adequacy decisions is now, as of today, over. The decisions allow for the free flow of personal data from the EU to the UK (see our update). The decisions include sunset clauses that limit the decisions to four years, after which they will be reviewed.
The long-awaited standard contractual clauses (SCCs) for international transfers of personal data made under the EU GDPR have now been finalised (see our update). The new SCCs have been updated to reflect the requirements of the EU GDPR. They adopt a modular structure that will make them more flexible to use, including for processor-to-processor and processor-to-controller transfers, and a “docking” provision to enable companies to join (and leave) group arrangements for data transfers. However, as before, the content of the clauses cannot be amended. The new clauses became effective on 27 June.
Meanwhile, the European Data Protection Board has finalised its guidance on supplementary measures to be taken by controllers and processors when acting as exporters of personal data to third countries. The ICO has not so far commented in any detail on these developments.
For a detailed summary of these key developments and their impact on UK companies, see our article, European Commission’s new standard contractual clauses: what they mean for UK businesses.
Looking back: Spring 2021
In case you missed them, here are some of the key developments that took place over the spring:
- On 14 April, the EDPB adopted opinions on the draft EU-UK GDPR and LED adequacy decisions.
- On 21 April, the government responded to a Call for Views to get industry feedback on proposals for a new law to protect users of consumer connected devices from cyber criminals.
- On 22 April, the ICO published its position paper on the UK government’s proposed digital identity and attributes trust framework.
- In late April, the European Data Protection Supervisor (EDPS) and the Spanish Data Protection Agency (AEPD) produced a paper on ten misunderstandings related to the anonymisation of personal data.
- On 6 May, the ICO announced that it is working on bespoke UK standard contractual clauses for international data transfers.
- In early May, the ICO confirmed in a blog post that a draft version of a new data protection and journalism code of practice will be published this summer.
- On 11 May, the Home Office launched a call for information on the Computer Misuse Act 1990 (CMA 1990). The consultation is aimed at UK organisations including academia, business, law enforcement agencies, the cybersecurity industry and the private sector.
- On 11 May, the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament announced that it had passed a resolution evaluating the European Commission’s approach on the adequacy of the UK’s data protection regime.
- On 12 May, the ICO and Office of the Privacy Commissioner for New Zealand (OPC) signed a Memorandum of Understanding for Co-operation in the Enforcement of Laws Protecting Personal Data.
- On 17 May, the government launched a call for views on measures to enhance the security of digital supply chains and third-party IT services.
- On 18 May, the ICO confirmed that the new data sharing code of practice has been laid before Parliament and, in the absence of any objections, will come into force after 40 sitting days.
- On 18 May, DCMS published its key findings from the National Data Strategy (NDS) consultation, held between 9 September and 9 December 2020.
- On 19 May, the CMA and ICO published a joint statement setting out their shared views on the relationship between competition and data protection in the digital economy. They have also published an updated Memorandum of Understanding.
- On 21 May, MEPs passed a resolution in the European Parliament requesting that the European Commission make amendments to the draft EU-UK GDPR and LED adequacy decisions.
- On 24 May, the Centre for Data Ethics and Innovation blogged on its recent work in the areas of trustworthy data sharing, privacy enhancing technologies (PETs) and smart data.
- On 28 May, the ICO opened a call for views on the first draft chapter of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies. The call for views is open until 28 November 2021 and feedback can be sent to anonymisation@ico.org.uk.
- On 4 June, the European Commission adopted and published final versions of two sets of standard contractual clauses, one for the transfer of personal data from the EEA to third countries and one for use between controllers and processors within the EEA.
- On 18 June, the EDPB, after public consultation, adopted the final version of its recommendations on measures to supplement transfer tools to ensure compliance with the EU level of data protection, published in response to the ECJ’s ruling in the Schrems II case.
Key dates: Summer 2021
Key forthcoming dates over the summer months include:
- 28 June: Articles 58, 60, 61, 63, 64 and 65 of Regulation (EU) 2019/881 on ENISA and ICT cybersecurity certification begin to apply (see more).
- 30 June: Interim provision in the EU-UK trade and co-operation agreement for transmission of personal data to the UK ends (see more).
- 11 July: Closing date of call for views on measures to enhance the security of digital supply chains and third-party IT services (see more).
- 31 July: Deadline for EU BCR holders to produce a UK BCR version where the UK ICO did not issue an authorisation (see more).
- 31 July: Law Commission consultation seeking ideas for its 14th programme of law reform closes. The consultation includes seeking views on emerging technology (see more).
New Practical Law content
Over the course of the spring, Practical Law has published:
- Blog post, We shall fight on the breaches: GDPR vs class actions, which considers the importance of handling data carefully in the GDPR era, and the nature of class actions for data breaches.
- Article, Updated SCCs for international data transfers: fit for the future, which discusses the key revisions in the new SCCs and the transitional arrangements.
- Article, GDPR enforcement: a changed landscape, which reviews the latest trends in enforcement of the General Data Protection Regulation.
We have also published the following Asks:
- Ask, In response to a DSAR, can we insist that an individual does not disclose call centre recordings on social media to create negative publicity?
- Ask, Under a company retention policy, is there any legal reason to retain hard copy documents where these have already been scanned into an electronic filing system?
- Ask, What data protection obligations should an employer wishing to use staff birthdays (date and month only) for morale/team building consider?
- Ask, What UK GDPR requirements should a company consider when buying personal data from a third party for marketing or data analytics purposes and is it possible to rely on consent from individuals to sell or buy their data?