Practical Law

Since our last quarterly horizon scan, attention for in-house lawyers is inevitably returning to Brexit and those focused on privacy and cybersecurity will now need to be gearing up seriously for a no-deal outcome. As many will not need reminding, following the agreement to extend the Article 50 period, if the withdrawal agreement is not ratified by 31 October, the Article 50 period will end at 11pm on that date and the UK will leave the EU with no deal unless a further extension is agreed or the Article 50 notice is revoked.

Practical Law is aiming to imminently publish further resources to assist with no-deal preparations but the following should assist in navigating the current landscape:

• Practice note, Brexit: implications for data protection
• Video, Key data protection measures to prepare for a no-deal Brexit
• Practice note, Brexit: implications for cybersecurity in the UK

Away from the highly-charged politics of Brexit, there remain a large number of forthcoming developments in privacy and cybersecurity law for in-house practitioners to be aware of as we head into the autumn.

Open consultations

There are a number of consultations currently open which you may wish to respond to if you have not already done so:

• European Data Protection Board (EDPB) guidelines on processing of personal data through video devices. The EDPB adopted the guidelines on 10 July 2019 but the consultation remains open until 9 September 2019.
• Information Commissioner’s Office (ICO) data sharing code of practice. The ICO published its draft updated data sharing code of practice on 16 July. It is open to consultation until 9 September 2019.
• The Department for Digital, Culture, Media and Sport (DCMS) and the Cabinet Office call for evidence on plans to make it safer for people to confirm their identity online. This call for evidence was opened on 19 July 2019 and responses should be sent to digital-identity-cfe@culture.gov.uk by 15 September 2019.
• DCMS new rules for video-sharing platforms. The new rules were introduced by amendments to the Audiovisual Media Services Directive (2010/13/EU) and must be implemented in EU member states by 19 September 2020. The consultation closes on 17 September 2019.
• ICO draft framework code of practice for the use of personal data in political campaigning. The draft code was published on 9 August 2019 and the consultation closes on 4 October 2019.

Other key dates

• 1 October 2019 marks the deadline for EU member states to complete a joint review of risks on cybersecurity of 5G networks. The European Commission has issued a recommendation that sets out the actions that member states should take to assess the risks, co-ordinate across national and EU bodies and identify a common set of measures to mitigate the risks relating to infrastructures underpinning the digital environment, including 5G networks (see Legal update, European Commission recommendation on cybersecurity of 5G networks).
• The UK government has until 1 November 2019 to clarify its approach on the UK’s cybersecurity strategy. In June 2019, the House of Commons Public Accounts Committee’s report on cybersecurity in the UK criticised the Cabinet Office for a lack of evidence-based assessment and a rigorous business case when trying to meet the objectives of the current five-year national cybersecurity programme which runs until 2021. (For more information, see Legal update, Commons accounts committee report on implementation of UK cybersecurity strategy.)
• 25 November 2019 is the deadline for the ICO’s Age Appropriate Design Code to be submitted to the Secretary of State for Parliamentary approval. The ICO will be producing a final version of the code to be approved by parliament before it can be published. (For more information, see Legal update, ICO publishes responses to call for evidence on the age appropriate design code.)
• As set out in European Commission’s guidance (issued on 29 May 2019) on the interaction between the Regulation on the free flow of non-personal data and the GDPR, codes of conduct for cloud services to facilitate switching between cloud service providers are due to be developed by 29 November 2019. (For more information, see Legal update, European Commission publishes guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR).
• On 1 December 2019, the ICO is due to evaluate on the use of personal data in the advertising sector (adtech) and real time bidding. In a recent report, the ICO found that the compliance with the data protection legislations were not adequate in the adtech sector. In the second half of 2019, the ICO will continue its engagement activities with the sector to obtain more information, towards the end of the year it will review whether further action is needed. (For more information, see Legal update, ICO publishes update report into adtech and real time bidding.)
• The AG opinion of the much-anticipated “Schrems 2” case is due to come out in early December. Following case 362/14, “Schrems I”, where the Safe Harbor Framework was invalidated by the CJEU, Mr Schrems has returned to challenge data transfers between EEA and non-EEA countries on the basis of the European Commission adopted standard contract clauses. The judgment is due out in early 2020.

New Practical Law content

Recently published privacy and cybersecurity content on Practical Law includes:

• Practice note, GDPR member state permitted variations and requirements chart which provides an overview of the EU General Data Protection Regulation ((EU) 2016/679) (GDPR) provisions that allow EU member states to implement national legislation deviating from, or supplementing, the GDPR.
• Video, Data security under the GDPR: mid-2019 update which provides a mid-2019 update on data security developments, including regulatory actions from across the EU, under the GDPR.
• Video, Outsourced versus in-house data protection officers (DPOs) aimed at helping you decide whether an internal or external DPO would best suit your organisation.
• Standard document, Data subject data portability request form (GDPR and DPA 2018) which organisations can use to create a form for data portability requests under Article 20 of the GDPR.
• Standard document, Controller’s response to data portability request (GDPR and DPA 2018) (UK) which organisations can use to create a letter responding to a data portability request under Article 20 of the GDPR.
• Standard document, Data subject processing objection form (GDPR and DPA 2018) (UK) which organisations can use to create a form for data processing objections under Article 21 of the GDPR.
• Standard document, Controller’s response to data processing objection (GDPR and DPA 2018) (UK) which organisations can use to create a letter responding to data processing objections under Article 21 of the GDPR.