REUTERS | Luke MacGregor

Privacy and cybersecurity: Autumn agenda 2020

The traditional quiet time of summer was upended this year. The tumult of COVID-19 and Brexit have scarcely been consigned to the background. However, it is the ECJ’s unexpected decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18 (Schrems II) that has probably stolen the headlines, adding to the unease for those looking after their company’s personal data governance.

In Schrems II the ECJ decided to confirm, to much relief, that the standard contractual clauses, used for many years by organisations for compliant cross-border data transfers, generally remain valid. But, crucially, the EU-US Privacy Shield, the primary mechanism adopted for EU to US data transfers has now been ruled invalid. See Practical Law’s legal updates covering the Schrems II decision:

PLC Magazine has also published an article, Schrems II and data transfers: cast adrift in a sea of uncertainty.

Practical Law has been updating its resources in the light of this landmark decision. Practice note, Cross-border transfers of personal data (GDPR and DPA 2018) (UK): Data exports from the EU to the US provides background and discusses the implications.

With less than four months now until a likely no deal at the end of the Brexit transition period, preparations need to ramp up. See our evergreen blog post from earlier on the year, Data protection: what should companies be doing during the Brexit transition period?

Roundup for Summer 2020

Here are some of the key developments spanning the last three months:

  • On 7 July, the European Commission launched a public consultation on a revision of the NIS Directive.
  • On 13 July, the ICO further updated its regulatory approach during the COVID-19 public health emergency and published detailed guidance for businesses collecting customer and visitor personal data for contact tracing.
  • On 23 July, the ICO published the first two reports from its regulatory sandbox and given an update on the project.
  • On 24 July, the European Commission published a report by the NIS Group on member states’ progress in implementing the EU toolbox on 5G cybersecurity.
  • In late July, the ICO published guidance on AI and data protection to help organisations assess and manage their data protection obligations.
  • On 4 August, Interpol published a report on the increased use of cybercrime related to the COVID-19 pandemic.
  • Also on 4 August, the Court of Appeal held (in R (Bridges) v Chief Constable of South Wales Police (Respondent) and others) that the use of automated facial-recognition technology by the South Wales Police Force was in breach of Article 8 of the ECHR, the Data Protection Act 2018 and the Equality Act 2010.
  • On 18 August, a representative claimant filed a claim against Marriott International, claiming damages in relation to a data breach previously investigated by the ICO, paving the way for a class action against the hotel group.
  • On 19 August, the ICO re-opened its regulatory sandbox for the submission of projects at the cutting edge of innovation that may be operating in particularly challenging areas of data protection, with a focus on children’s privacy or data sharing.
  • On 1 September, DCMS published a summary of the responses to the call for evidence for the Cyber Security Incentives and Regulation Review 2020.
  • The ICO confirmed that its Age Appropriate Design Code, known as the Children’s Code, came into force on 2 September 2020.

Looking ahead

There are a few key dates some will wish to keep an eye on during the autumn:

  • 25 September: Deadline to respond to the government’s call for views seeking industry feedback on the proposed amendments to Network and Information Systems Regulations 2018 (see here).
  • 2 October: Closing date for European Commission public consultation on revision of NIS directive (see here).
  • 22 October: Deadline for DMCS’ call for views on the representative action provisions of Data Protection Act 2018 (see here).

New Practical Law content

Practical Law has published or updated several resources over the last quarter:

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this post on: