Brexit: adequacy for data protection
The UK formally left the European Union on 31 January 2020 and entered the transition period, which will last until 31 December 2020. During this period, EU data protection law will continue to apply (in particular, the General Data Protection Regulation (GDPR), and the status quo is mostly retained, although the Information Commissioner’s Office ( ICO) will longer participate in the European Data Protection Board.
It is expected that the UK will apply to the European Commission for an “adequacy” decision to ensure the continued free-flow of personal data between the EU and the UK after the transition period ends, although recent announcements from the prime minister in particular, along with issues concerning the UK’s far-reaching surveillance laws, could put that decision at risk.
Businesses should monitor this situation closely, as in absence of an adequacy decision, it is likely that contracts will need to be revisited and standard contractual clauses entered into to legitimise EU-UK data transfers after 31 December 2020.
Commission report on the evaluation and review of the GDPR
According to Article 97 of the GDPR, the Commission is due to submit its first report on the evaluation and review of the GDPR to the European Parliament and Council by 25 May 2020.
The Commission will examine, in particular, the application and functioning of the provisions of the GDPR concerning: (i) transfers of personal data outside the European Economic Area (which, from the end of the transition period, will include the UK); and (ii) co-operation and consistency between regulators. The Council has already set out its position and findings, which the Commission is required to take into account in its review.
The rejection in November 2019 of the latest draft of the ePrivacy Regulation has taken matters back to the drawing board. It is now for the Croatian presidency to submit a new proposal to Member States. Failing that, the German presidency takes over in July 2020, so we could see some movement in Q3/4 of 2020.
Many commentators do not expect the regulation on ePrivacy to come into force before 2023, with a 24-month implementation period, which will meani that it won’t come into effect before 2025.
This brings continued uncertainty to organisations that operate in certain sectors (particularly adtech) and to technologies such as artificial intelligence, the internet of things and connected and autonomous vehicles. There also remains unsatisfactory and inconsistent overlapping regulation between the GDPR and the (now very outdated) e-Privacy Directive.
ICO focus on adtech
In June 2019, the ICO published its update report into adtech and real-time bidding, following an industry-wide information gathering exercise. Since then, the ICO has published several blog posts reiterating the issues identified in its report, including an overreliance on legitimate interests, a lack of transparency, and the processing of special category data without explicit consent. The ICO has also expressed its disappointment in the failure of the adtech industry to generally engage with it and remedy areas of non-compliance.
However, 2020 looks like it will be the year of change in adtech, both at industry level,with Google announcing its plan to block third-party cookies on its Chrome browser, and at regulator-level, with the ICO expressing its intention to take formal enforcement action against non-compliant players. Businesses operating in this sector (including adtech vendors, publishers and advertisers) need either to take action now to remedy any areas of non-compliance or risk the wrath of the ICO.
Clarity on ICO’s approach to GDPR enforcement?
In July 2019, the ICO announced its intention to issue huge fines against British Airways (£183m) and Marriott International (£99m). While the Data Protection Act 2018 requires the ICO to issue its monetary penalty notice within six months of the notice of intent, it appears that the ICO has agreed an extension until 31 March 2020 with both British Airways and Marriott.
Once the notices of intent crystallise into publicly available monetary penalty notices, we hope to have a much greater understanding of the approach that the ICO intends to take in relation to infringements of the GDPR. Our expectation is that the ICO will become increasingly active in enforcement activity for breaches of the GDPR, and will not hesitate to exercise its power to issue large fines.
Regulatory fines are not the only potential significant cost to an entity following a data protection issue. A growing industry of claimant law firms continue to bring speculative data protection claims following data incidents – a trend that is likely to continue to gather momentum.
The Court of Appeal decision in Lloyd v Google on 2 October 2019, in which it was held that a loss of control of personal data may give rise to a claim for damages in certain circumstances (even where no pecuniary loss or distress is suffered), provided ammunition to such firms. We have seen an uptick in claims following the decision, and we await the decision of the Supreme Court as to whether it is prepared to hear an appeal of the Court of Appeal decision (the impact of which will be amplified considerably in group claims).
In Focus | Responsible business
Which aspects of responsible business are driving the regulatory agenda?
In line with its remit to uphold information rights in the public interest, the Information Commissioner’s Office (ICO) is actively promoting social responsibility in the use of data. It has been focussing in particular on the protection of children online, the use of facial recognition technology and the processing of personal data for direct marketing purposes.
The pace of technological development has presented a myriad of challenges to the regulatory and legislative agenda, which simply cannot keep pace with the rate of technological development by small and large entities alike. Apps and technologies allow the gathering and analysis of enormous amounts of personal data, which the ICO is working to bring under some semblance of responsible use.
Are responsible business considerations having an impact on the tools that regulators are using?
The development of legislation or rules to protect individuals has struggled to keep up with the pace of technological development and the potential for harm arising from the misuse of that technology. The ICO appears to be turning to the use of guidance and codes, rather than rules based regulation, to seek to assert control in relation to the use of those technologies.
For example, in January 2020, the ICO published:
- its draft Age Appropriate Design Code (a statutory code of practice), which aims to provide protections for children when interacting with a digital environment. It introduces 15 design standards promoting heightened privacy protection and child-friendly measures for online providers to adopt where their services are likely to be accessed by children. The Code will apply to providers of information society services and providers of online products/services (including websites, apps, games, and internet of things devices such as connected toys) that process personal data and are likely to be accessed by children in the UK.
- a consultation on its draft Direct Marketing Code of Practice, which has the aim of promoting good practice around data processing for direct marketing purposes. The draft Code builds upon the ICO’s existing direct marketing guidance on areas such as profiling and the distinction between service messages and direct marketing. However, it has also introduced some controversial new guidance around the use of online advertising and new technologies, such as social media marketing – particularly in relation to the use of custom audience and lookalike targeting tools.
As well as this formal guidance, some of the most valuable insights into the ICO’s decision-making can be found in the ICO’s past decisions. For example, in January 2020, the ICO issued a monetary penalty notice against DSG Retail Limited (under the Data Protection Act 1998) in which the ICO noted that the general public would expect DSG, as a large nationwide retailer, to ‘lead by example’ on cyber security.
The ICO’s comments in this respect suggest that the ICO expects organisations to act as ‘responsible businesses’ and in a manner commensurate with the trust that the public places in them.
Which of the recent or upcoming developments are based on international consensus or agreements?
The GDPR is very much a creation of the EU. Some jurisdictions (including US states such as California) are looking at the GDPR model when reforming their own data protection regimes, but with others, including China, taking a markedly different approach, there is far from an international consensus on the regulation of data protection.
In relation to enforcement action within the EU, each Member State appears to be setting its own agenda. While Germany and the Netherlands have adopted fine-based models for GDPR infringements, the UK has adopted no such structure. Based on the European Council’s position and findings on the application of the GDPR (which will feed into the European Commission’s review), we expect that the Commission will seek to further strengthen the co-operation among regulators, particularly for the supervision of cross-border processing which – in the Commission’s view – involves significant risks to the rights and freedoms of individuals, such as is undertaken by large technology companies.
In respect of e-privacy compliance, despite local implementing legislation being derived from the e-Privacy Directive, the rules governing cookies and other similar tracking technologies vary, or at least, have been interpreted differently, even within the EU (and the UK). This is highlighted by the recent guidance issued by different data protection regulators (specifically, the UK, Spain and France) on this topic. This lack of consistency has caused a compliance headache for publishers that operate websites across multiple EU Member States. The hope is that harmonisation will come in the form of the ePrivacy Regulation, which will have direct effect across all EU Member States.
What are the main challenges for businesses in complying with these developments?
The main challenge for businesses, particularly those that span more than one jurisdiction, is uncertainty. The regulatory agenda is presently driven by guidance, which remains more changeable than legislation or case law, and uncertainty arises where different jurisdictions may adopt different approaches.
It is also difficult to predict what approach the ICO will adopt in enforcement proceedings, as we await transparency as to the approach that the ICO will take within its first large monetary penalty notices under the GDPR. One thing that does seem clear is that the ICO is ready to exercise its vastly increased fining powers.
Finally, businesses are awaiting clarity as to whether the UK will secure an adequacy decision (or any other arrangements with the EU in relation to data protection) and are having to consider what actions they would need to take if no such decision or arrangement is forthcoming.
Dates for the diary
|By 31 March 2020||ICO is due to issue monetary penalty notices to British Airways and Marriott International|
|By 25 May 2020||The European Commission is due to submit its first report on the evaluation and review of the GDPR to the European Parliament and the Council.|
|Q2-3 2020||Direct Marketing Code of Practice to be introduced into Parliament. If there is no objection within 40 days, the ICO will issue the Code and it will come into force 21 days later.|
|Q2-4 2020||New ePrivacy Regulation draft expected.|
|Q2-4 2020||The European Commission plans to report on its review of the 11 adequacy decisions adopted before the GDPR came into effect.|
|Q3 2021||The Age Appropriate Design Code comes into full effect.|
|Read the full Regulatory Outlook here >|