REUTERS | Luke MacGregor

Privacy and cybersecurity: Autumn agenda 2019

Since our last quarterly horizon scan, attention for in-house lawyers is inevitably returning to Brexit and those focused on privacy and cybersecurity will now need to be gearing up seriously for a no-deal outcome. As many will not need reminding, following the agreement to extend the Article 50 period, if the withdrawal agreement is not ratified by 31 October, the Article 50 period will end at 11pm on that date and the UK will leave the EU with no deal unless a further extension is agreed or the Article 50 notice is revoked.

Practical Law is aiming to imminently publish further resources to assist with no-deal preparations but the following should assist in navigating the current landscape:

Away from the highly-charged politics of Brexit, there remain a large number of forthcoming developments in privacy and cybersecurity law for in-house practitioners to be aware of as we head into the autumn.

Open consultations

There are a number of consultations currently open which you may wish to respond to if you have not already done so:

Other key dates

  • 1 October 2019 marks the deadline for EU member states to complete a joint review of risks on cybersecurity of 5G networks. The European Commission has issued a recommendation that sets out the actions that member states should take to assess the risks, co-ordinate across national and EU bodies and identify a common set of measures to mitigate the risks relating to infrastructures underpinning the digital environment, including 5G networks (see Legal update, European Commission recommendation on cybersecurity of 5G networks).
  • The UK government has until 1 November 2019 to clarify its approach on the UK’s cybersecurity strategy. In June 2019, the House of Commons Public Accounts Committee’s report on cybersecurity in the UK criticised the Cabinet Office for a lack of evidence-based assessment and a rigorous business case when trying to meet the objectives of the current five-year national cybersecurity programme which runs until 2021. (For more information, see Legal update, Commons accounts committee report on implementation of UK cybersecurity strategy.)
  • 25 November 2019 is the deadline for the ICO’s Age Appropriate Design Code to be submitted to the Secretary of State for Parliamentary approval. The ICO will be producing a final version of the code to be approved by parliament before it can be published. (For more information, see Legal update, ICO publishes responses to call for evidence on the age appropriate design code.)
  • As set out in European Commission’s guidance (issued on 29 May 2019) on the interaction between the Regulation on the free flow of non-personal data and the GDPR, codes of conduct for cloud services to facilitate switching between cloud service providers are due to be developed by 29 November 2019. (For more information, see Legal update, European Commission publishes guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR).
  • On 1 December 2019, the ICO is due to evaluate on the use of personal data in the advertising sector (adtech) and real time bidding. In a recent report, the ICO found that the compliance with the data protection legislations were not adequate in the adtech sector. In the second half of 2019, the ICO will continue its engagement activities with the sector to obtain more information, towards the end of the year it will review whether further action is needed. (For more information, see Legal update, ICO publishes update report into adtech and real time bidding.)
  • The AG opinion of the much-anticipated “Schrems 2” case is due to come out in early December. Following case 362/14, “Schrems I”, where the Safe Harbor Framework was invalidated by the CJEU, Mr Schrems has returned to challenge data transfers between EEA and non-EEA countries on the basis of the European Commission adopted standard contract clauses. The judgment is due out in early 2020.

New Practical Law content

Recently published privacy and cybersecurity content on Practical Law includes:

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this post on: