The traditional quiet time of summer was upended this year. The tumult of COVID-19 and Brexit have scarcely been consigned to the background. However, it is the ECJ’s unexpected decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18 (Schrems II) that has probably stolen the headlines, adding to the unease for those looking after their company’s personal data governance.
In Schrems II the ECJ decided to confirm, to much relief, that the standard contractual clauses, used for many years by organisations for compliant cross-border data transfers, generally remain valid. But, crucially, the EU-US Privacy Shield, the primary mechanism adopted for EU to US data transfers has now been ruled invalid. See Practical Law’s legal updates covering the Schrems II decision:
- Case report
- US Department of Commerce and EU Commission issue joint statement on Privacy Shield
- Department of Commerce Updates Privacy Shield FAQs
- ICO issues updated statement on Schrems II judgment
- EDPB publishes FAQs on Schrems II judgment
- Government responds to judgment in Schrems II
- EDPB publishes statement on Schrems II judgment
- ICO issues statement on Schrems II judgment
PLC Magazine has also published an article, Schrems II and data transfers: cast adrift in a sea of uncertainty.
Practical Law has been updating its resources in the light of this landmark decision. Practice note, Cross-border transfers of personal data (GDPR and DPA 2018) (UK): Data exports from the EU to the US provides background and discusses the implications.
With less than four months now until a likely no deal at the end of the Brexit transition period, preparations need to ramp up. See our evergreen blog post from earlier on the year, Data protection: what should companies be doing during the Brexit transition period?
Roundup for Summer 2020
Here are some of the key developments spanning the last three months:
- On 7 July, the European Commission launched a public consultation on a revision of the NIS Directive.
- On 13 July, the ICO further updated its regulatory approach during the COVID-19 public health emergency and published detailed guidance for businesses collecting customer and visitor personal data for contact tracing.
- On 23 July, the ICO published the first two reports from its regulatory sandbox and given an update on the project.
- On 24 July, the European Commission published a report by the NIS Group on member states’ progress in implementing the EU toolbox on 5G cybersecurity.
- In late July, the ICO published guidance on AI and data protection to help organisations assess and manage their data protection obligations.
- On 4 August, Interpol published a report on the increased use of cybercrime related to the COVID-19 pandemic.
- Also on 4 August, the Court of Appeal held (in R (Bridges) v Chief Constable of South Wales Police (Respondent) and others) that the use of automated facial-recognition technology by the South Wales Police Force was in breach of Article 8 of the ECHR, the Data Protection Act 2018 and the Equality Act 2010.
- On 18 August, a representative claimant filed a claim against Marriott International, claiming damages in relation to a data breach previously investigated by the ICO, paving the way for a class action against the hotel group.
- On 19 August, the ICO re-opened its regulatory sandbox for the submission of projects at the cutting edge of innovation that may be operating in particularly challenging areas of data protection, with a focus on children’s privacy or data sharing.
- On 1 September, DCMS published a summary of the responses to the call for evidence for the Cyber Security Incentives and Regulation Review 2020.
- The ICO confirmed that its Age Appropriate Design Code, known as the Children’s Code, came into force on 2 September 2020.
There are a few key dates some will wish to keep an eye on during the autumn:
- 25 September: Deadline to respond to the government’s call for views seeking industry feedback on the proposed amendments to Network and Information Systems Regulations 2018 (see here).
- 2 October: Closing date for European Commission public consultation on revision of NIS directive (see here).
- 22 October: Deadline for DMCS’ call for views on the representative action provisions of Data Protection Act 2018 (see here).
New Practical Law content
Practical Law has published or updated several resources over the last quarter:
- Practice note, Pensions and data protection: issues in practice highlights some of the key data protection issues that may arise for trustees of occupational pension schemes under the GDPR and Data Protection Act 2018.
- Practice note, Cyber insurance: an overview provides an overview of cyber insurance, including the type of risks covered, some typical insurance terms and risks that might be excluded.
- Practice note, Appointing a data protection representative in EU or UK (UK) provides an overview of the key requirements and considerations in appointing a data protection representative under Article 27 GDPR.
- Practice note, Processor obligations under GDPR (GDPR and DPA 2018) (UK) provides an overview of processor obligations under the GDPR and Data Protection Act 2018.
- Standard document, Data sharing agreement (joint controllers) (GDPR and DPA 2018) (UK) for use where a UK private sector controller discloses personal data on a systematic and routine basis to another private sector controller and the parties have determined that they are joint controllers.
- Standard document, Data sharing agreement (controller to controller) (public sector) (GDPR and DPA 2018) (UK) for use where a UK public sector controller discloses personal data on a systematic and routine basis to another UK public sector controller (or controllers).
- Data protection supplier audit checklist (GDPR and DPA 2018) (UK) provides a non-exhaustive checklist of points to be considered when carrying out an audit of a UK supplier’s compliance with the GDPR.
- Data protection audit: checklist (UK) (GDPR and DPA 2018) provides a non-exhaustive checklist of points to be considered when carrying out an audit of a UK organisation’s compliance with the GDPR.
- Article, Schrems II and data transfers: cast adrift in a sea of uncertainty discusses the recent ECJ decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18.
- Article, Data protection training and compliance: when DPOs become teachers discusses the importance of training under the GDPR and the role of the DPO and others in delivering it.