
ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

On 21 January 2020, the ICO published the Age Appropriate Design Code of Practice (the Code). The Code is available on the ICO website.

Who does the Code apply to?

  • The Code applies to information society services (ISS) which are likely to be accessed by under-18s. The ISS does not have to be deliberately directed at children.
  • This includes any online products or services (e.g. apps, programs, websites, games). It also includes Internet of Things (IoT) connected toys and devices, whether with or without a screen.
  • The Code applies to ISS with an establishment in the UK, and to ISS outside the UK that target goods and services to, or monitor, children in the UK.

What does the Code say?

The Code sets out 15 headline “standards of age appropriate design”:

  • Best Interests: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
  • Data Protection Impact Assessments: You should undertake a DPIA before launching the product or service to assess and mitigate risks to the rights and freedoms of children.
  • Age Appropriate Application: You should take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing OR apply the standards in this code to all your users instead.
  • Transparency: The privacy information you provide to users must be concise, prominent, and in clear language suited to the age of the child.
  • Detrimental Use of Data: You should not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
  • Policies and Community Standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  • Default Settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  • Data Minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
  • Data Sharing: You should not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  • Geolocation: You should switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
  • Parental Controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
  • Profiling: You should switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  • Nudge techniques: You should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
  • Connected Toys and Devices (IoT): If you provide a connected toy or device, ensure you include effective tools to enable conformance to this code.
  • Online Tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

What should businesses do?

There are five steps that businesses should take now to prepare themselves (as set out in the Code):

  • Step 1: Implement an accountability programme
  • Step 2: Have policies to support and demonstrate compliance
  • Step 3: Train staff
  • Step 4: Keep proper records
  • Step 5: Be prepared to demonstrate compliance with the Code 

What happens now?

  • The Code needs to be notified to the European Commission and laid before Parliament (in case there are any objections). This process will likely be concluded in July / August 2020.
  • Businesses will then have 12 months to implement the changes from the date the Code takes effect. Based on the timescales above, we anticipate the Code will take effect around August/September 2021.
  • The ICO will enforce the Code in line with their Regulatory Action Policy and may impose fines under the Privacy and Electronic Communications Regulations (PECR) and/or GDPR, depending on the nature of the breach.

Brexit impact on privacy

On Friday, January 31, 2020, the United Kingdom (UK) left the European Union (EU) after 47 years as a member of the union.

While the UK ceased to be part of the EU when the clock struck midnight in Brussels, the UK and EU have agreed to a transition period until the end of 2020, to allow the UK to continue its current relationship with the EU while future trading relationships are negotiated.

As part of this transition period, the UK's Information Commissioner's Office (ICO) has clarified that the EU's General Data Protection Regulation (GDPR) will remain in effect in the UK until the end of 2020.

No changes required at this time, but …

If you or your clients offer goods or services in the UK and process personal data of UK residents, the GDPR will continue to apply to the treatment and safeguarding of that personal data.

Similarly, because the GDPR still applies, data processing agreements (DPAs) are still required in any agreement with organizations that process personal data of individuals from the UK.

The UK's Data Protection Act 2018 implements and supplements the GDPR in UK law. It remains to be seen what status the EU will give to personal data transfers to the UK after the transition period: will the EU allow such transfers freely, or will it apply the same conditions as for the rest of the world?

Adequacy status for Canada

At the time of this writing, the EU Commission considers Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) adequate, so personal data of EU residents can be received and processed in Canada without further conditions under the GDPR. However, this adequacy status is up for review by the EU Commission in 2020.

Even if Canada retains its adequacy status with the EU, it is not clear what regime the UK will adopt in relation to cross-border personal data flows. While it is fair to expect that the UK will look favourably at facilitating cross-border data flows towards North America in support of new trade agreements, UK businesses have recently started to show concern about the UK's direction in that regard. Indeed, in the months leading up to the UK leaving the EU, UK organizations have started to ask for further data protection assurances from entities outside the UK, including Canadian businesses processing information of UK residents.

With all these uncertainties at play this year, do not be surprised if a UK business partner asks you to sign the Standard Contractual Clauses (SCCs) with respect to personal data of UK residents being stored or processed in Canada.

What to expect

Following the transition period, there may be areas of uncertainty around the data protection landscape in the UK. It is likely, however, that the UK will keep its GDPR-based data protection legislation to address any concerns about the flow of personal data between the EU and the UK, and keep its flexibility in negotiating free trade agreements with North America.

Please contact a member of our Privacy and Cybersecurity group if you have any questions on the impact of Brexit and the privacy compliance obligations.


INSIGHT: DASHBOARD Act Could Be Unintended Game Changer for Data Breach Valuation

Senators Mark Warner (D-Va.) and Josh Hawley (R-Mo.) have proposed the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act, or "DASHBOARD Act." The bipartisan legislation seeks to impose a series of new regulations on major commercial data operators. Among the new requirements, the proposed legislation would mandate that commercial data operators disclose their internal valuations of consumer data. This requirement could fundamentally change how damages are demanded, calculated, and awarded in data breach litigation. In the linked article, Dentons partner Jason Scheiderer looks at why and how the DASHBOARD Act might impact data breach litigation.


Regulating the Internet – Really?

Date and time:
Start: June 11, 2019, 9:00 AM EST
End: June 11, 2019, 4:30 PM EST

Location: 
Shopify
150 Elgin Street
14th floor 
Ottawa, Ontario K2P 1L4
Canada

CPD accreditation
This program is eligible for 5 substantive hours required by the Law Society of Ontario.

On December 11, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) released its final report “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly”. The Report calls for increased regulation on the Internet.

Dentons and the International Commission of Jurists (ICJ), an international organization created 60 years ago to uphold the rule of law as a matter of democracy, invite you to a complimentary all-day conference that will address the specific challenges and solutions that arise in this context.

Topics will include:

  • Legal disruption: Impact of digital on the existing regulatory framework
  • From lock and key to encryption – Applying privacy law on digital
  • Can data monopolies exist within privacy and competition law?
  • The particular case of e-commerce
  • Are Internet giants the guardians of democracy on the Internet?

Speakers

  • Kevin Chan, Global Director and Head of Public Policy Canada – Facebook
  • Anthony Durocher, Deputy Commissioner – Competition Bureau Monopolistic Practices Directorate
  • Nathaniel Erskine-Smith, Member of Parliament for Beaches –East York, Vice-Chair of the Standing Committee on Access to Information, Privacy and Ethics (ETHI)
  • Joe Frasca, General Counsel – Shopify
  • Jacob Glick, General Counsel – North
  • Tamir Israel, Staff Lawyer – Canadian Internet Policy and Public Interest Clinic (CIPPIC)
  • Janet Lo, VP of Privacy & Consumer Legal Affairs – TekSavvy Solutions
  • Brenda McPhail, Director of Privacy, Technology & Surveillance Project – Canadian Civil Liberties Association
  • Errol Mendes, Professor, University of Ottawa and President, International Commission of Jurists (Canadian Section)
  • Vivek Narayanadas, Associate General Counsel, Privacy & Data Protection Officer – Shopify
  • Marina Pavlovic, Associate Professor – University of Ottawa
  • Mark Schaan, Director General, Marketplace Framework Policy Branch – Innovation, Science and Economic Development Canada (ISED) / Government of Canada
  • Chantal Bernier, Of Counsel and National Practice Leader, Privacy and Cybersecurity – Dentons Canada LLP
  • Monica Song, Partner – Dentons Canada LLP


Questions

Please contact Carla Vasquez, Events Manager, at carla.vasquez@dentons.com or +1 416 361 2377.

Dentons Canada LLP is committed to accessibility for persons with disabilities. Please contact us at toronto.events@dentons.com in advance of the event if you have any particular accommodation requirements. We will work with you to make appropriate arrangements.


Brexit: New UK Guidance if there’s “No Deal”

Yesterday, the ICO published new guidance on the data protection implications of a "no deal" Brexit. This includes a "Six Steps to Take" guide, a blog post with embedded guidance, and FAQs. In addition, the UK government published its plans for a "no deal" Brexit.

Here are the key points:

  • Substantive changes to GDPR rules: GDPR continues to apply under the EU Withdrawal Act. But the UK Government will amend it to remove references to "EU institutions and procedures" and references to "Union or Member State law".
  • ICO role: The ICO will remain the UK's independent privacy regulator. It will no longer be a member of the European Data Protection Board. But the UK and EU have agreed to implement rules on co-operation between the ICO and the Board.
  • Data Transfers to EEA countries and Gibraltar: the UK will transitionally recognise all EEA states and Gibraltar as providing adequate protection for personal data.  Personal data continues to flow freely from the UK to these countries.  But this may be kept under review.
  • Data Transfers from the EEA to the UK: you need a transfer solution in place.  This may require re-papering with SCCs to be clear that the UK is a data importer or another transfer solution.
  • Data Transfers under EU adequacy decisions: The UK will preserve the effect of the EU adequacy decisions on a transitional basis. Data transfers to these jurisdictions can continue uninterrupted. This covers: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (under the Privacy Shield framework). As Privacy Shield is an EU/US agreement, it is less clear how the UK can recognise it post-Brexit. The ICO has said that Privacy Shield would be excluded from this arrangement but that the UK government's intention is to make arrangements for it to continue to apply. This will need a "watching brief". It may require an alternative solution to be in place for transfers from the UK to the US if these arrangements are not in place in time.
  • Data Transfers from countries with an existing EU adequacy decision to the UK:  These transfers were based on an adequacy decision in place with the EU.  It will be for each individual country to determine whether it will respect that decision regarding transfers to UK.  But transfer solutions may be necessary.
  • Data Transfers from UK under EU Standard Contractual Clauses (SCCs): you are probably using SCCs to export data to countries like the US.  No action is required on these at this time provided you have SCCs in place.  The UK government plans to recognise EU SCCs.  The ICO will be given the power to issue new SCCs (presumably customised for UK terminology) post-Brexit.
  • BCRs: Existing authorisations of BCRs made by the ICO continue to be recognised in UK law post-Brexit.  The UK will also recognise BCRs approved by other EU supervisory authorities pre-Brexit.  The DCMS paper suggests that post-Brexit, the ICO will continue to be able to authorise new BCRs but only under domestic law.  It is not clear why BCRs approved post-Brexit by the EU would not be potentially valid for transfers from the UK (as UK BCRs are for transfers from adequate jurisdictions).  BCRs (both approved and in-flight applications) will presumably need to transition to a new Lead Supervisory Authority.  Existing BCRs will also need to be updated to reflect the UK as a third country.
  • One Stop Shop: If you're only established in the UK post-Brexit (not the rest of the EU), you'll lose the benefit of the "One Stop Shop". You will also lose the benefit of the "One Stop Shop" where you no longer undertake any cross-border processing in the EU due to Brexit (e.g. you previously processed only in two EU countries, one of which was the UK). This may mean that in the event of a breach you would need to deal with both the ICO and the supervisory authorities in each of the relevant EU countries in which individuals are affected. This raises the possibility of multiple enforcement actions (including fines).

There are a number of other significant implications:

  • Consider updating GDPR documentation (e.g. Article 30 records) and privacy notices (e.g. references to the UK as part of the EU and in relation to data transfers).
  • If you end up not established in the EU post-Brexit but are caught by the EU's extra-territorial scope, you'll probably need to appoint a Representative (one Representative, in the jurisdiction in which you have the majority of your customers). Conversely, if you target products into, or monitor data subjects in, the UK but are not established here, you will probably need to appoint a UK Representative.
  • Consider reviewing DPIAs (if they involve data transfers).

DCMS plans to issue draft regulations soon to implement the above proposals.