Cross-border data transfers
Following a complaint lodged with the Data Protection Commissioner in Ireland by the privacy activist Max Schrems, the Court of Justice of the EU (CJEU) issued a judgment invalidating the EU-US Privacy Shield, the mechanism used by UK, EU and US businesses to transfer personal data legitimately to the US.
Businesses will need to determine quickly the extent to which they (or their processors) transfer personal data to the US on the basis of the EU-US Privacy Shield, and look at what alternative measures can be put in place to ensure cross-border transfers remain compliant. In the short term, businesses will need to explore other bases for transferring data to the US, including using the standard contractual clauses (which allow data to be transferred outside the UK/EU) or obtaining consent from the data subjects, however difficult that may be.
Solutions that avoid transfers of data to the US altogether can also be considered, but this will likely come at considerable cost.
Businesses should expect their response to the decision to be scrutinised. Schrems's non-profit privacy organisation has already sent queries to numerous high-profile data controllers (and published their responses). As we discuss in more detail below, transfers of personal data between the UK and the EU are currently still allowed, but businesses will need to monitor the situation, with alternative solutions for EU to UK data transfers potentially required after April or June 2021.
European Data Protection Board guidelines
Following the outcomes of recent CJEU cases, the European Data Protection Board (EDPB) has published guidelines on the definition and obligations of controllers and processors under the GDPR. The EDPB noted that a clear definition of "controller" and "processor" is vital to determine who is responsible for complying with specific data protection rules under the GDPR. The concept of "joint controllership" (whereby two or more controllers "jointly determine" the purposes and the means of processing the data) was interpreted broadly and was taken to include parties that make complementary decisions necessary for the processing to take place in the manner envisaged by the purpose of the processing.
Data controllers will need to ensure that their contracts set out how elements of the GDPR will be implemented, rather than simply repeating the GDPR provisions. Details of security measures, assistance duties and the mechanism for agreeing changes should be included. The guidelines are not yet in final form, as the EDPB has invited businesses to comment on them.
ICO fining methodology for personal data breaches
The UK Information Commissioner's Office (ICO) initiated a public consultation on its draft statutory guidance, which explains the powers available to the ICO as well as how it calculates fines.
This consultation closed in mid-November 2020 and the guidance will be published early in 2021. Until the new guidance is finalised, the applicable fining methodology remains the ICO’s Regulatory Action Policy.
ICO’s approach in light of the COVID-19 pandemic
The ICO has written to businesses setting out the support available to them as the Covid-19 pandemic continues.
In an open letter to businesses, the Information Commissioner, Elizabeth Denham, expressed sympathy for businesses struggling to comply with data protection and freedom of information rules. The regulator has supported organisations by providing answers to new data protection questions that have arisen out of the pandemic, as well as creating an information hub dedicated to assisting small and medium-sized enterprises during this crisis.
Businesses will need to ensure that they do not become complacent in their compliance with data protection rules, as the regulator has warned that it will take action against businesses that take advantage of this uncertain period by breaching data protection rules.
Age-appropriate design: Code of Practice
In February 2020 the ICO published its final version of the Age Appropriate Design Code of Practice for Online Services.
The code of practice sets privacy standards for designing "information society services" (websites, apps and connected devices) that are likely to be used by children. The code requires businesses to consider the age ranges of their users, as this assessment has a knock-on effect on how data should be collected, retained and processed. The code came into force in September 2020 with a 12 month transition period. During this period, businesses will need to give thought to how best to comply. For new services, businesses will need to undertake an age-appropriate assessment at the earliest stage of the design process.
ICO monetary penalty notices
These decisions provide insight into the ICO's approach to personal data breaches and, in particular, how the ICO will determine whether appropriate technical and organisational measures have been taken. As such, these decisions are of interest to all data controllers and processors.
New guidance on data subject access requests
The ICO has published guidance on data subject access requests, which provides welcome relief for data controllers in the form of an ability to “stop the clock” on the one-month deadline in certain circumstances.
In Focus: Regulation after Brexit
What do UK businesses trading in the EU need to do now that the Brexit transition period has ended?
As of 1 January 2021, the EU GDPR ceased to apply directly to the UK, but effectively became part of UK domestic law. All EU-derived UK domestic legislation (such as the Privacy and Electronic Communications Regulations) continues to apply.
Therefore, there is now a ‘UK GDPR’ but many UK businesses will also be subject to, and need to comply with, the EU GDPR.
To ensure that the UK GDPR works in a solely UK context, various changes from the EU GDPR were required. These were made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The changes aim to ensure the UK GDPR makes sense and is directly applicable in the UK on a standalone basis – for example, references to “the Union” become “the United Kingdom”.
For UK businesses, there are a number of changes that may need to be made in order to ensure compliance with the UK GDPR and / or the EU GDPR:
- Make changes to records of processing – records will need to cover UK-EEA transfers (and vice versa) – data mapping is time consuming, so start now.
- Make changes to template contracts to update relevant data transfer wording and appropriate referencing to the UK GDPR and EU GDPR.
- Consider changes to existing contracts if necessary to update relevant data transfer wording and appropriate referencing to the UK GDPR and EU GDPR.
- Update privacy policies to describe clearly data flows between the UK and the EEA and to cover the relevant requirements of the UK GDPR.
- Subject to the EU GDPR? Consider whether your business is still directly subject to the EU GDPR. This can be a complex question to assess, depending upon the extent to which a business is deemed to be “established” in the UK, whether you are monitoring the behaviour of EEA data subjects, or are offering goods or services to them.
- EU representative? Given that UK businesses may also be caught by the EU GDPR, consider whether you need to appoint an EEA representative.
- Lead supervisory authority? If your business operates across the EEA it will need to consider whether it can establish a lead supervisory authority in the EEA. In an EEA cross-border data breach scenario, a lead supervisory authority may need to be notified under the EU GDPR (in addition to complying with the ICO notification requirements under the UK GDPR). If there is no lead supervisory authority, the business may need to prepare to deal with multiple data protection authorities across the EEA.
What do non-UK businesses trading in the UK need to do now that the transition period has ended?
The UK GDPR, like the EU GDPR, has extra-territorial effect. This means that businesses based in the EEA, or in other countries outside the EEA, may also be caught by the UK GDPR.
Organisations with operations in both the UK and other EEA countries are likely to have to comply with two separate, but similar, legislative regimes, with the consequential risk of dual enforcement action (by EEA Data Protection Authorities in the EEA and the ICO in the UK) in the event of breaches or complaints.
In the short-term, businesses will need to consider at least the issues set out above. In the longer term you will need to monitor and keep on top of UK developments.
Which incoming EU laws should UK businesses be aware of, and is the UK likely to implement similar rules?
The e-Privacy Regulation will focus on modernising and harmonising the law around privacy in communications, cookies and direct marketing. The Regulation has not yet been finalised, and we don’t know when it will be.
Will something similar be implemented in the UK? Realistically, yes, but we suspect there will be scope for the UK version to differ in certain respects. In general, the UK may aim to be more business friendly in its reforms.
Are there any other areas where the UK regime might start to diverge from that of the EU? If so, what should businesses do to ensure they are prepared?
Post-transition period, there is certainly scope for UK laws on data protection to diverge from the EEA. The UK has already confirmed that, on a transitional basis, it deems the EEA member states to be adequate to allow for data flows to them from the UK without additional protective mechanisms. However, divergence threatens adequacy and how much the UK diverges will affect whether it receives (and maintains) an adequacy decision from the European Commission.
While an adequacy decision is not included in the EU-UK Trade and Cooperation Agreement (TCA), the TCA puts in place an interim solution that buys the EU more time to conclude its assessment. Under this temporary arrangement, transfers from the EEA to the UK will be treated as if they were still transfers within the EEA, so no other transfer mechanisms are required for those transfers for the moment.
Businesses should continue to monitor this situation, as the interim solution is for a limited period of up to four months (extendable to six months). If no adequacy decision is forthcoming for the UK, it is likely that other measures (such as EU approved standard contractual clauses) will need to be entered into for EEA-UK data transfers from April or June 2021.
Dates for the diary
Statutory guidance on how the ICO exercises its data protection regulatory functions likely to be published.
The Age Appropriate Design Code transition period ends and the code applies in full.