Last week’s publication by DCMS of the outcome of its consultation “Data: a new direction” has the potential to put data protection very much back into the limelight. The document sets out the government’s plans to reform the UK’s data protection regime as part of its National Data Strategy (see Article, DCMS data protection reforms: summary of consultation proposals).
John Edwards, the UK Information Commissioner, issued a statement supporting the proposals:
“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”
Practical Law has written a short legal update covering the development and will follow up with a more detailed update in the coming days.
Developments over spring 2022
There have been several other key data privacy developments over the spring that in-house counsel should be aware of. The timeline over this period looks like this:
- On 1 April, the ICO published guidance to help organisations comply with their data protection obligations after the government relaxed the rules relating to COVID-19.
- On 6 April, the European Parliament approved the text of the European Commission’s proposal for a new Regulation on European data governance (Data Governance Act). This has subsequently been adopted by the Council of the EU and published in the OJEU.
- On 6 April, the EDPB published documents adopted at its 63rd plenary session including in relation to a proposed new Trans-Atlantic Data Privacy Framework.
- On 20 April, the EDPS published his 2021 Annual Report, together with his executive summary, his speech presenting the Report and a factsheet.
- On 4 May, DCMS issued a call for views on plans to improve the security and privacy of apps and app stores.
- On 9 May, DCMS published new research detailing cyber security issues in internet-connected devices used by businesses.
- On 10 May, the Queen’s Speech was delivered, setting out the government’s legislative plans for the next session of Parliament. Proposed legislation included a new Data Reform Bill and Bill of Rights. Practical Law has summarised the data protection implications.
- On 12 May, the EDPB published its 2021 Annual Report: Enhancing the depth and breadth of data protection.
- On 26 May, the government launched a call for views on measures to enhance the security of data centres and cloud services.
- In late May, the European Commission published some Q&As on two sets of standard contractual clauses which it adopted last year under the EU GDPR.
- On 14 June, at its 66th Plenary session, the EDPB adopted guidelines on certification as a tool for transfers.
Key dates: Summer 2022
Key forthcoming dates include:
- 29 June. DCMS call for views on plans to improve the security and privacy of apps and app stores closes.
- 24 July. Government call for views on measures to enhance the security of data centres and cloud services closes.
New Practical Law content
Over the course of the spring, Practical Law has published:
- New personal data sub-processing agreements (processor-to-processor) which can be used alongside a sub-contract or other similar agreement when the contracted services involve a UK service provider processing personal data on behalf of a UK controller customer and sub-contracting to a UK sub-processor.
- Standard Contractual Clauses between Controllers and Processors Under GDPR Article 28(7) which enable organisations to meet their EU GDPR Article 28 obligations using standardised terms.
- Article, Cyber incidents: managing the employee fallout, which looks at the key practical and legal considerations for employers in their capacity as data controllers when dealing with ransomware attacks and other cyber incidents.
- Article, Proposed EU Data Act: sweeping impact, which looks at how the proposed Act tries to establish a cross-sectoral governance framework for data access and use, which would have the potential to fundamentally change the environment for data-driven business models in the EU.
Featured Asks
We have also published the following Asks:
- What are the consequences for my client if they do not hold any information or documents in relation to a data subject in response to a DSAR?
- Am I obligated to send internal communications on an account as requested by a data subject?
- We are acting for a client who is developing a mobile app/video game which it is proposed will incorporate the names and nationalities of sportspeople that are in the public domain. What are the data protection risks of using this type of data? Further, what mitigating steps could be taken to reduce any risk?
- Is it a requirement under the UK GDPR for individuals to consent (for example by way of an unticked check box) to an organisation’s privacy policy, or is it sufficient for an organisation to provide a link to their privacy policy at the time the personal data is collected?
- Do controllers have to include information on legitimate interests within their privacy notices or could they simply make this information available upon request?
- What data falls within the scope of personnel records and should be retained whilst the employment continues and for seven years after it ends? Additionally, what data would be considered unnecessary and therefore, deleted as soon as the employment ends?
- Does the IDTA address the Schrems II requirements completely?
- How far does a controller need to go in terms of compliance around restricted transfers and Schrems II? Must it carry out its own transfer impact assessments in respect of the processor’s transfers to its sub-processors, or can the controller simply rely on an assurance from the processor as to its own assessments?
- Is there anything precluding a controller sharing the fact a DSAR had been made (and the scope of that DSAR) with an interested third party?
- Would a UK-based controller intending to appoint another UK-based company as a processor (who will need to appoint a sub-processor outside the UK) need to be party to the standard contractual clauses between our processor and their sub-processor, or can we rely on article 28(4) of the UK GDPR?
- With regard to clause 13 of the EU SCCs regarding the competent supervisory authorities, if the data exporter is not established in a member state, can the exporter choose any member state to act as the competent supervisory authority under Annex 1C?
- To what extent does the legal proceedings exemption under the DPA 2018 apply to special category data and to what extent must we redact personal/special category data?
- If a retailer wishes to launch a loyalty card scheme for customers, can it make it a condition that the customer must have provided a valid email address and not have opted out of receiving emails from the retailer (both in connection with the scheme but also marketing emails giving details of special offers)?