
What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think that leaving is like “unplugging” the source of data privacy law and therefore switching it off. But UK data protection law, in fact, pre-dates the European data protection directives: the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However, this would make it a non-adequate jurisdiction for international data transfers, meaning it could not receive personal data freely from the EU. It could ask the EU for an “adequacy decision”, but it’s anyone’s guess as to how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.


ICO releases 12 step guide on the GDPR

On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR.  The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference, in Manchester.  The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the message of the ICO at the conference – it is here to help organisations, but there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary of what businesses should do:

  • Ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe, and ensure they identify the areas of the GDPR that have the biggest impact on them.
  • Document the personal data that they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”.
  • Review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability.
  • Look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it.
  • Ensure processes and procedures are documented – to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, help to readily produce the upgraded form of privacy notice or help to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments.  Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small- to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps put theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite dpreform.org.uk – this will be the home for the ICO’s GDPR guidance; a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance is most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR.


Article 29 WP response to “Privacy Shield”

The Article 29 Working Party (WP 29) published their initial response to the new Privacy Shield yesterday.

Here’s the good news:

  • WP 29 welcomes the conclusion of negotiations by the deadline (actually, the deal was announced on Tuesday, which is a couple of days late, but let’s overlook that).
  • WP 29 looks forward to receiving the relevant documents to analyse the detail. They want to look at the content and legal bindingness of the arrangement to assess whether it deals with the risk of massive and indiscriminate surveillance (as per the Schrems judgment).

Here’s another interesting development:

  • WP 29 has been assessing the current legal framework and practices of US intelligence and has decided on 4 “essential guarantees” that will be required: (a) clear, precise and accessible rules on surveillance; (b) access to be proportionate at all times; (c) independent oversight mechanism (judge/independent body); and (d) effective remedies.

Next Steps

The Commission now has to deliver on the detail. It will communicate all documents pertaining to the new arrangement to WP 29 by the end of February.  WP 29 will then run its assessment on the Privacy Shield proposal (it’s not the law yet).  It will also review other transfer mechanisms such as model clauses and BCRs.

What does this mean for business now?

  • Don’t rely on the Privacy Shield just yet. It’s not an “adequacy decision” and the detail needs to be provided and assessed.
  • Ensure data transfers are either covered by model clauses or BCRs or one of the other derogations.
  • As we recommended previously: do a “fact find” (to identify what data is collected and shared, data flows, data centres and purposes of onward transfer).
  • Consider prioritising data flows to ensure that model contracts are applied to the important data flows as early as possible.
  • Unless an alternative transfer mechanism is in place, there is a risk of enforcement action. WP 29 is clear that you can no longer rely on old Safe Harbor.

EU-US Privacy Shield Announced

Today, political agreement has been reached on the new solution to replace the Safe Harbor regime, the so-called “EU-US Privacy Shield”. The College of Commissioners have approved the new framework which, according to the European Commission press release, “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”.

This sudden announcement comes only hours after reports that there was no deal yet on “Safe Harbor 2.0”.

According to the European Commission, the EU-US Privacy Shield reflects the CJEU’s recommendations as set out in the Schrems decision. In particular, the new framework will include the following:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement (including that companies importing EU data will need to commit to “robust” obligations which will be monitored by the Department of Commerce and ultimately enforced by the FTC);
  • Clear safeguards and transparency obligations on US government access (including, for the first time, assurances that there will be limitations, safeguards and oversights placed on public bodies having access to EU data);
  • Effective protection of EU citizens’ rights with several redress possibilities (including the creation of a new “Ombudsperson” to deal with any complaints about access for surveillance purposes).

No draft has been issued yet. The next step is for an “adequacy decision” to be drafted by Vice-President Ansip and Commissioner Jourova. The intention is then for this draft to be adopted by the College of Commissioners following “advice” from the Article 29 Working Party and further representatives of Member States. During the Q&A session yesterday with Commissioner Jourova, it was also hinted that the new solution may need to be reviewed by the CJEU to pre-empt another complaint being received. This was not mentioned in the Commission’s Press Release today.

Next question: how will the A29WP react? We find out tomorrow.

Safe Harbor fallout: where are we now?

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015.  Please see our Insight article and blog post for a quick recap.  But what has happened since?

Article 29 WP Guidance

The most significant guidance is from the A29 WP.  The key points were:

  • International data transfers from Europe based on Safe Harbor are now unlawful;
  • Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used.  However they are under review and do not prevent individual DPAs from investigating particular cases;
  • By the end of January 2016, if no appropriate solution with the US authorities is found, EU DPAs will take “appropriate actions” (= enforcement?);
  • For more information on the Working Party statement, please see our blog post.

What do DPAs say?

Most EU DPAs have now issued statements on Safe Harbor.  Many welcomed the decision!

The UK approach is “don’t panic”.  The ICO has said that there are alternative mechanisms to Safe Harbor and recommends model clauses.

The French DPA (the CNIL) calls on companies to implement model clauses to transfer data to the US but doesn’t reference other transfer mechanisms such as BCRs or the derogations (e.g. consent).  The CNIL also re-affirms the Working Party position on possible enforcement in due course.

The most extreme position comes from the German DPA for Schleswig-Holstein.  It disagreed with the Working Party opinion and said that neither model clauses nor consent provide a legal basis for data transfers.  However, the joint position paper of the German Federal State DPAs simply said that German DPAs will not issue “new approvals” on the basis of BCRs or data export agreements.  This is certainly “drawing a new line in the sand”.  In addition, this has slowed down German approvals of BCRs and any approvals of transfer agreements (where approval is required).  However, provided you use the standard Model Clauses, no approval is required in Germany.

What are companies doing in practice?

Companies are seeking to address the issue proactively.  Some are conducting assessments to identify what data is being transferred internationally.  Others are incorporating this within global privacy audits and programmes.  As a minimum, companies are implementing model clauses both intra-group and with vendors.  There is usually a need to prioritise the larger transfers of more sensitive information and the bigger vendor offerings to get the job done.  As we know, many vendors are offering pre-signed Model Clauses.  These need careful review: some strike a fair balance between strict legal requirements and a pragmatic approach, but some go further.

What’s next?

We are told that the new Safe Harbor deal is imminent. But we are living in a time of uncertainty.  So risk-based decisions are required.

As you’ll have seen, the final GDPR text was released this week too!

A little more holiday reading…