This Communications & Media e-bulletin contains summaries of recent developments in law and regulation in the EU and the UK:

  1. Data Data everywhere: A round-up of data legal developments in the UK and Europe
  2. Closing the borders: European Commission report on geo-blocking in the e-commerce sector
  3. Roaming free: BEREC publishes new guidelines on roaming
  4. Broadband for all: Proposals for a new broadband Universal Service Obligation

  1. Data Data everywhere: A round-up of data legal developments in the UK and Europe

Data has never before enjoyed such prominence on the business agenda. The increasing digitisation of business, together with the realisation that data can be a valuable commodity in and of itself, and a plethora of new data regulation, means that organisations are having to grapple with numerous different aspects of data as part of their compliance methodology. This article summarises where we currently are with various aspects of data regulation in the UK and EU, including the new General Data Protection Regulation and the proposed EU-US Privacy Shield, as well as the so-called EU Cyber Security Directive and the UK "snooper's charter" (a.k.a. the Investigatory Powers Bill).

The European General Data Protection Regulation

On 14 April 2016, the European Parliament formally approved the final text of the General Data Protection Regulation ("GDPR") bringing close to the finishing line a legislative process which has taken more than four years since the introduction of the original text by the European Commission in January 2012. The final text is now being translated into the official languages of the EU and is expected to be published in the Official Journal in the next couple of months. It will enter into force 20 days after that and the obligations under the GDPR will then be directly applicable in all Member States at the end of a two year implementation period (estimated to be Summer 2018).

The final text has not been significantly amended since the compromise text was published earlier this year, having just gone through the legal-linguistic "tidying-up" process. Key highlights of the text include:

  • Extra-territoriality – the GDPR will extend to data controllers located outside of the EU who offer goods and services to EU citizens or monitor their behaviour.
  • Fair Processing Information – the GDPR will require data controllers to provide more information to data subjects in their fair processing notices.
  • Consent – consent will need to be freely given, specific, informed and unambiguous, involving a clear affirmative action on behalf of the data subject.
  • Rights of the Data Subjects – the GDPR will provide more transparency for data subjects with respect to the processing of their data, as well as enhanced rights to rectify, delete, restrict, or object to, data being processed. There will be additional obligations on data controllers when dealing with subject access requests, save that manifestly unfounded or excessive requests may be refused.
  • Controller/Processor Accountability – the GDPR will give statutory recognition to best practice concepts such as data protection by design, imposing greater accountability on data controllers, as well as placing data processors on the hook for certain regulatory liability for the first time.
  • International Transfers – binding corporate rules will be given statutory recognition; criteria for adequacy decisions are set out, and new possibilities for adequate protection are provided in the form of codes of conduct and certifications.
  • Data Protection Officer – the mandatory appointment of a data protection officer will be required for organisations involved in large scale processing of sensitive personal data or the monitoring of data subjects.
  • Security – the GDPR will set out slightly more detailed requirements for security of data, but the responsibility for determining appropriate security measures will remain with the data controller.
  • Data Breaches – the GDPR will introduce a new mandatory requirement for data controllers to notify the regulatory authority of personal data breaches.
  • Sanctions – the GDPR will provide for two tiers of sanctions, with maximum fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is greater.
  • Guidance, Codes of Conduct and Certifications – the GDPR sets out certain areas where we can expect, or hope, to see either further guidance in the future from the new European Data Protection Board, or potentially the development of approved Codes of Conduct and/or certification mechanisms.

To view a copy of the final text, please click here.

Transatlantic data transfers and the EU-US Privacy Shield

On 13 April 2016, the Article 29 Working Party (the European body comprising representatives from each of the data protection authorities of each of the EU Member States, the European Data Protection Supervisor and the European Commission) (the "Working Party") adopted its opinion on the Privacy Shield, which is intended to replace the previous Safe Harbor agreement in relation to data transfers from the EU to the United States. The Safe Harbor was invalidated by the Court of Justice of the European Union in October 2015, on the grounds that it did not provide adequate safeguards to protect personal data collected in the EU and transferred to the US.

While welcoming the "significant improvements" brought by the Privacy Shield, the Working Party noted that it still does not ensure a level of protection "essentially equivalent" to the EU legal framework. According to the Working Party, some key data protection principles outlined in the EU framework have not been reflected in the draft adequacy decision and the annexes, or have been "inadequately substituted by alternative notions."

Importantly, in relation to the GDPR, the Working Party recommended that a review of the Privacy Shield documents should be undertaken soon after the GDPR becomes applicable so as to ensure that the higher level of protection envisaged in the GDPR is also reflected in the Privacy Shield documents.

On the commercial aspects of the Privacy Shield, key observations of the Working Party included that:

  • the data retention principle is not expressly mentioned in the documentation;
  • the documentation does not include any protections against automated individual decisions based on automated processing;
  • onward transfers of EU data are insufficiently framed – the Working Party suggests that every Privacy Shield organisation should have an obligation to assess the mandatory requirements of the national legislation of the third country to which data is being transferred; and
  • the new redress mechanisms included may be too complex for individuals to use – the Working Party suggests that national data protection authorities should be considered as contact points and given the option of acting on individuals' behalf.

Whilst acknowledging the increased transparency offered by the US on the legislation applicable to data collection, the Working Party also makes the following observations on derogations for national security purposes:

  • the representations of the US Office for the Director of Intelligence do not exclude massive and indiscriminate collection of personal data, especially in light of increased instances of such collection in recent times; and
  • the Ombudsperson's role is not sufficiently independent and is not vested with adequate powers to guarantee a satisfactory remedy in case of disagreement.

The Working Party also requested further details on the arrangements around the annual joint review mechanism.

Opinions of the Working Party are not binding and the European Commission could push ahead with the Privacy Shield as it is rather than delay the process to make any changes. However, it will need to be mindful of the likelihood of legal challenge in the future.

It seems therefore that, for the moment at least, we remain in a state of uncertainty regarding transatlantic data transfers.

Network and Information Security Directive – the so-called Cyber Security Directive

The European Parliament, Council of the EU and European Commission reached political agreement in December 2015 on the first EU-wide legislation on cyber security – the Network and Information Security Directive.

The final official text of the Directive has yet to be released and is still currently subject to legal-linguistic review. However, the consolidated compromise text has been made available here.

As part of the Directive, Member States will be required to adopt a national 'NIS strategy' which will define strategic objectives and appropriate policy and regulatory measures in relation to cyber security. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams ("CSIRTs") responsible for handling incidents and risks, promoting swift and effective operational cooperation on specific cyber security incidents, and sharing information about risks.

Critically for organisations, the Directive will also impose security and incident reporting obligations on two distinct categories of organisation, being: (i) operators of essential services; and (ii) digital service providers.

Operators of essential services will be required to adopt risk management practices and report major security incidents on their core services to the appropriate national authority or CSIRT. The original text of the Directive defined these operators broadly to include information service providers – internet payment gateways, social networks, search engines, cloud computing providers and app stores – and operators of critical infrastructure, such as electricity and gas suppliers, operators of oil and natural gas, air carriers, maritime carriers, railways, airports and ports, traffic management operators, banks, financial market infrastructure and health care providers. However, the final agreement between the European institutions provides that Member States will identify the operators in their jurisdiction to fall within the scope of the Directive, based on three criteria laid down in the text. These criteria are that:

  • they provide a service that is essential for the maintenance of critical societal and/or economic activities;
  • the provision of that service depends on network and information security; and
  • an incident impacting the network and information security would have significant disruptive effects on the provision of those services.

Digital service providers are also subject to express security and notification requirements. Digital service providers are providers of online marketplaces, online search engines and cloud computing services, but hardware and software developers are excluded, as are social network providers. Digital service providers are required to take appropriate and proportionate technical and organisational measures, having regard to the state of the art, to manage the risks posed to the security of the network and information systems used in the provision of their service within the EU. They are also required to notify the competent authority or CSIRT without undue delay of any incident having a substantial impact on the provision of their service.

Organisations that are not operators of essential services or digital service providers may also notify the competent authority or CSIRT of any incidents, but are not mandated to do so.

The text of the Directive will now have to be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will then have 21 months to implement the Directive into their national laws and six further months to identify operators of essential services in their jurisdiction.

To view a copy of our recent article "Cyber Security: Top Ten Tips for Businesses" please click here. This article first appeared in the January/February 2016 issue of PLC Magazine – click here for the PLC magazine home page.

To view a copy of our recent "Cyber Security Quarterly Update", please click here.

Investigatory Powers Bill

Against the backdrop of an ongoing global battle between public authority access to data for national security purposes and individuals' right to privacy, the controversial UK Investigatory Powers Bill has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place.

The Investigatory Powers Bill was introduced to the House of Commons on 1 March 2016. The Bill is intended to address the deficiencies of the Regulation of Investigatory Powers Act 2000, which was drafted before the advent of, for example, social media and over the top messaging services such as WhatsApp.

Some of the key provisions likely to affect communication service providers ("CSPs") are:

  • The provision for interception of communication, which will be lawful when carried out with a warrant, with consent or in the exercise of any statutory power.
  • The creation of a judicial oversight body, with Judicial Commissioners acting as a check for the Secretary of State's warrant decisions.
  • The obligation on CSPs to collect and store internet connection records ("ICRs").

The first draft of the Bill was published in November 2015, after which various government committees, among them the Joint Committee on the Draft Investigatory Powers Bill, submitted their recommendations to the Home Office.

The Bill which has now been introduced to the House of Commons has been revised to respond to some of the concerns raised by these committees. The main changes are:

  • amended definitions and additional material published to provide further guidance on how the powers are to be used;
  • strengthening of privacy safeguards, particularly with regard to the protection of journalists' and lawyers' communications; and
  • developing implementation plans with industry experts for retaining ICRs.

The Bill was backed by 281 votes to 15 during its second reading in the House of Commons on 15 March 2016. It has now reached the Committee stage in the House of Commons, with the Home Office aiming for the new legislation to be in force by 31 December 2016.

To view a copy of the Home Office papers, please click here.

ePrivacy Directive Review

On 6 May 2015, the European Commission adopted the Digital Single Market Strategy, which announced that, following the adoption of the GDPR, the ePrivacy rules in Europe would also be reviewed.

The ePrivacy Directive sets out specific rules concerning the processing of personal data in the electronic communications sector. It was last updated in 2009 to provide clearer rules on customers' rights to privacy. In particular, new requirements were introduced, for example on "cookies" and on personal data breaches.

However, in the past few years, there have been changes in the electronic communications arena, both on the technology side, for example the spread of Internet-based communications services, and on the regulatory side, for example the adoption of the GDPR. These developments have led the European Commission to undertake a review of the ePrivacy framework.

The consultation closes on 5 July 2016 and the Commission will use the feedback as part of its review and to prepare a new legislative proposal on e-privacy, which is expected by the end of 2016.

To view a copy of the consultation, please click here.

  2. Closing the borders: European Commission report on geo-blocking in the e-commerce sector

As part of its wider inquiry into competition barriers in the European e-commerce industry, the Commission has published initial findings highlighting the prevalence of geo-blocking in the EU.

Geo-blocking is the practice by which retailers and digital content providers prevent online shoppers from purchasing goods or accessing digital content services because of the shopper's location or country of residence. Geo-blocking can take various forms: refusal to deliver goods abroad, refusal to accept foreign payment methods and re-routing or website blocks.

While widespread incidents of geo-blocking are due to unilateral decisions by companies not to sell abroad, in some cases geo-blocking appears to be linked to agreements between suppliers and distributors. Of the respondents surveyed, 12% of online goods retailers and 59% of digital content providers indicated that they are contractually required to geo-block. These figures have attracted the attention of the Commission, and will feed into its wider inquiry on anti-competitive behaviour in the e-commerce sector. The Commission notes that it could open case investigations if it identifies specific competition concerns in connection with geo-blocking.

As regards next steps, the Commission proposes to publish a Preliminary Report on its e-commerce inquiry for public consultation in mid-2016, with a Final Report due to be published in the first quarter of 2017. Following the adoption of the Digital Single Market Strategy last year, the Commission also plans to propose a legislative package to boost e-commerce in May 2016. The findings of the e-commerce sector inquiry (including those on geo-blocking) will likely inform the legislative proposals.

To view a copy of the findings, please click here.

  3. Roaming free: BEREC publishes new guidelines on roaming

BEREC has published revised Guidelines on the application of Regulation (EU) No. 531/2012 (the "Roaming Regulation"), as amended by Regulation (EU) No. 2015/2120, also known as the Telecom Single Market Regulation (the "TSM Regulation"), which came into force in November 2015.

The objective of the Roaming Regulation is to establish a new retail pricing mechanism that will eliminate the difference between roaming and domestic tariffs by 15 June 2017, without distorting domestic markets. It also establishes rules to safeguard the principle of net neutrality, the right of end-users to access internet services without discrimination or interference by service providers.

BEREC says that it has published the Guidelines because these regulations will substantially change the existing roaming regime, and the revised sections deal especially with the provisions governing the so-called "transitional period".

The transitional period will run from 30 April 2016 to 14 June 2017 and will allow operators to charge users a surcharge on top of the domestic price for intra-EU roaming services. The sum of the domestic price and the surcharge shall not exceed the various price caps relating to the different types of services set out in Article 6 of the Roaming Regulation.

Operators must provide for a message containing basic personalised information about roaming charges to be sent automatically to customers entering other Member States (Articles 14 and 15). The information must be provided in a way that allows the customer to access it without incurring roaming costs. Article 15 also requires operators to offer a "cut-off mechanism" to their customers, whereby a maximum financial or volume limit for roaming is set. The customer is notified when the limit has been reached, and must consent to continue using the services.

These measures are intended to protect customers from running up higher bills than intended or expected.

To view a copy of the Guidelines, please click here.

  4. Broadband for all: Proposals for a new broadband Universal Service Obligation

Recognising the need to extend fast broadband speeds to all, in an environment where crucial services (including public services) are increasingly becoming "digital by default", the Department for Culture, Media & Sport has launched a public consultation on a Universal Service Obligation ("USO") for broadband access.

USOs aim to ensure that a minimum set of communication services are available to everyone at a fixed location, upon reasonable request, and at an affordable price, irrespective of where they live, in order to prevent social exclusion.

The Government's proposal is to introduce a new enabling power in primary legislation which will give the Secretary of State ("SoS") an explicit power to introduce a broadband USO to provide for the functional internet access considered appropriate for today's needs. It is planned that secondary legislation would then be developed setting out the scope, requirements and specific guidance for the design of the USO, which Ofcom would then be responsible for implementing. The Government has also proposed an additional measure in primary legislation that would provide the SoS with the authority to require Ofcom to review the USO as appropriate, in order to ensure that it reflects connectivity needs. In light of the Government's proposal, the public is invited to specifically comment on the following:

  • Concerns about the approach that has been set out in the Government's proposal;
  • Whether a minimum speed should be specified in the primary legislation or the secondary legislation; and
  • Whether the SoS should be given the power to direct Ofcom to review the USO, or whether this is a matter best left to Ofcom.

The consultation ran from 23 March 2016 to 18 April 2016. To view a copy of the consultation document, please click here.

Separately from the Government's consultation, Ofcom has also published a call for inputs to help inform the design of a broadband USO, including seeking views on:

  • appropriate download speeds, and other technical measures, necessary to deliver a ‘decent’ broadband connection;
  • funding of the broadband USO;
  • when, and on what basis, the USO should be reviewed; and
  • designation of the universal service provider or providers.

Ofcom's call for inputs is open until 22 June 2016, and the Department for Culture, Media and Sport has asked Ofcom for a report setting out evidence-based analysis and recommendations on the design of the USO by the end of this year.

To view a copy of the Ofcom Call for Inputs, please click here.