Practical Law

Our last quarterly horizon scan drew attention to the need to gear up for a no-deal Brexit. That prospect reduced in likelihood somewhat after Prime Minister Boris Johnson’s renegotiated withdrawal agreement seemed to be making its way through parliament. The political process, however, has been temporarily paralysed once more pending the outcome of the general election on Thursday 12 December. The UK may still depart the EU, with or without a deal, on 31 January 2020. Meanwhile, a Labour-led administration of any kind may lead to a second referendum and a possible no Brexit outcome.

On the basis that the picture remains unclear and no-deal remains in play, it is worth highlighting that Practical Law has published a No-deal Brexit: data protection toolkit which includes the following resources:

• Practice note, Brexit: implications for data protection
• Video, Key data protection measures to prepare for a no-deal Brexit
• Practice note, Brexit: implications for cybersecurity in the UK
• Practice note, Data protection: no-deal Brexit FAQs
• Data protection: no-deal Brexit international data transfers quick reference table

Away from the politics, there are a number of forthcoming developments which in-house practitioners may need to be aware of as we head into the winter.

Open consultations

Consultations currently open which you may wish to respond to include:

• ICO consultation on application for powers under the Proceeds of Crime Act 2002 (POCA). The consultation seeks views on the ICO being granted access to investigation and other associated powers under POCA and remains open until 6 December 2019.
• DCMS Cyber Security Incentives and Regulation Review 2020 call for evidence. This call for evidence is due to close on 20 December 2019. The review aims to, among other things, identify the barriers which prevent organisations from improving cyber security.
• Law Commission’s second consultation on driverless cars: passenger services and public transport. Responses should be sent by 16 January 2020.

ICO AI auditing framework

The ICO expects to publish its final artificial intelligence (AI) auditing framework by 31 January 2020, with the associated guidance for organisations scheduled for publication during spring 2020. The framework is the culmination of a consultation process in which the ICO invited organisations to share thoughts on the challenges of deploying AI technology. For more information, see ICO: AI Auditing Framework.

Other key dates

• The AG opinion of the much-anticipated “Schrems II” case is due to come out on 12 December 2019. Following case 362/14, “Schrems I”, where the Safe Harbor Framework was invalidated by the CJEU, Mr Schrems has returned to challenge data transfers between EEA and non-EEA countries on the basis of the European Commission adopted standard contract clauses. For more information, see Legal update, EDPB publishes its pleading made to the ECJ in Facebook Ireland and Schrems case (Schrems II).
• On 31 December 2019, the Centre for Data Ethics and Innovation (CDEI) is expected to publish its final report on how data is used to shape people’s online environments via the personalisation and targeting of messages, content and services online.
• The EU Commission is due to report on the state-of-play of its work in relation to the retention of electronic communications data for the purpose of fighting crime on 31 December 2019. For more information, see Legal update, EU Council adopts conclusions on retention of electronic communications data to combat crime.
• By 31 December 2019 the co-operation group established under the Cybersecurity Directive (2006/1148) will identify best practices used at national level and create a toolbox of risk management measures that can be applied at national and EU level. This will be used to advise the European Commission on the development of minimum requirements for the security of 5G networks across the EU. For more information, see Legal update, European Commission recommendation on cybersecurity of 5G networks.
• 2 January 2020 marks the deadline for the CMA to decide whether to make a market investigation reference for its Online platforms and digital advertising market study. For more information, see Legal update, Online platforms and digital advertising market study: CMA publishes responses to Statement of Scope.

New Practical Law content

We close this edition with a look back at the privacy and cybersecurity-related resources Practical Law has published over the autumn which you may have missed. In addition to the no-deal Brexit: data protection toolkit referred to above, recently published content includes:

• Practice note, Blockchain and data protection (GDPR and DPA 2018) (UK) which provides an overview of the data protection issues that arise in the context of blockchain. For wider legal issues, see Blockchain toolkit.
• A revised version of Practice note, Data breach notification (GDPR and DPA 2018) (UK) which provides guidance on the key legal elements and considerations of responding to a breach of personal data security, principally the obligation to notify supervisory authorities or data subjects in accordance with the requirements of the GDPR.
• Practice note, Resources on Practical Law for those new to data protection law which provides guidance on the use of Data Protection practice area resources for trainees and new joiners in data protection teams, and those new to data protection law.
• Standard document, Appropriate policy document (special categories of personal data and criminal convictions data) (GDPR and DPA 2018) (UK) for use by a business processing special categories of personal data and criminal convictions data which complies with the requirements of the Data Protection Act 2018.
• Three new standard documents, confidentiality agreements with data protection provisions, intended for use where confidential information is being disclosed for general commercial purposes and some of that information includes personal data.
• Article, Data protection claims: a green light for representative actions reporting on the landmark Court of Appeal case, Lloyd v Google.
• Article, The right to erasure: ECJ limits territorial scope of delisting orders reporting on the landmark decision of the CJEU on right to erasure in Google v CNIL.
• Blog post, GDPR eighteen months on: making data privacy governance a positive which highlights the virtues of good data management.
• Blog post, Google and the emergence of opt-out data protection class actions providing further commentary on Lloyd v Google.
• Blog post, GDPR, data security and the law of unintended consequences which examines an unintended security vulnerability of the GDPR.
• Blog post, Remember GDPR? on the importance of making GDPR training memorable.
• Blog post, Crunch time for cookies? reporting on the Planet49 case on cookies and similar technologies in the CJEU.
• Video, Use of cookies and similar technologies: updated ICO guidance explaining the key points to note in the updated guidance from the ICO on using cookies and similar technologies.