Our IT & Outsourcing eBulletin contains summaries of the following recent developments in technology, outsourcing and data protection law and regulation in the EU and the UK.
1. Blue sky thinking: FCA publishes cloud outsourcing guidance
In July 2016, the FCA published its final guidance for financial services firms outsourcing to the "cloud" and other third party IT services (the "Guidance"). The Guidance confirms that it is possible for firms to outsource to the cloud, including the public cloud, in a manner that complies with FCA rules. As such, it is likely to be welcomed by financial services organisations and service providers alike. However, it is not all plain sailing, and firms will need to consider their regulatory compliance carefully against the Guidance before embarking on any cloud outsourcing.
This bulletin sets out some of the key issues covered in the Guidance which firms and service providers will need to consider in the context of any financial services outsourcing to the cloud.
Status of the Guidance
The Guidance is not legally binding and firms will need to continue to comply with their regulatory obligations with respect to outsourcing, as contained in the Senior Management Arrangements, Systems and Controls sourcebook ("SYSC"). However, the FCA has confirmed that it believes that compliance with the Guidance will generally indicate compliance with the FCA outsourcing requirements.
Identifying the supply chain
In its original proposed guidance, the FCA had included a requirement that firms identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout the supply chain. Many respondents to the original consultation noted that this requirement was impractical and unduly burdensome in an environment where supply chains are often large and complex. As a result, the FCA has slightly amended its position in the Guidance: firms are only required to identify those service providers in the supply chain whose services relate to the regulated activity (i.e. not necessarily every provider in the supply chain).
A similar approach has been taken in the Guidance to subcontracts. Rather than requiring firms to review all subcontracting arrangements (as was proposed in the original version of the guidance), the Guidance limits this obligation to arrangements relevant to the regulated activity.
Notification of breaches and other events
The Guidance obliges firms to require prompt and appropriately detailed notification of any breaches or other relevant events arising, including the invocation of business recovery arrangements. In the responses to the original consultation, a number of firms had suggested that a threshold for breach notification should be stipulated. However, the FCA has suggested that the wording in the Guidance gives firms flexibility to consider and agree with service providers what constitutes a breach (or other relevant event) in the context of the service being provided.
Firms should also note the data breach notification requirements in the EU General Data Protection Regulation, which will apply from 25 May 2018. That legislation will require data controllers to notify the Information Commissioner in the UK of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Firms may therefore wish to take this new regulatory requirement into account when agreeing with service providers how breaches are to be notified in the context of the Guidance, so that the contractual notification timetable leaves enough time for the firm to meet its own deadline.
Data residency
In its original proposed guidance, the FCA had suggested that firms looking to use cloud services would need to have "choice and control regarding the jurisdiction in which their data is stored, processed and managed". Both service providers and firms raised concerns about this requirement in the consultation, arguing that choice and control was impractical and may stifle service provider innovation. The FCA responded that it wished to ensure that firms are able to determine in which jurisdictions their data are held, whilst recognising that many service providers are not able to allow firms full control of this. The Guidance therefore provides that firms must agree a data residency policy with service providers, which sets out the jurisdictions where their data can be stored, processed and managed. Service providers would then be free to process data in any of the jurisdictions agreed in the data residency policy.
This requirement should also help firms with their data protection compliance. The Data Protection Act 1998 restricts the ability of data controllers to transfer personal data outside the EEA. By agreeing a data residency policy with service providers, firms will have oversight of the jurisdictions in which their data are being processed, enabling them to put appropriate data protection compliance mechanisms in place.
Access to data centres
The Guidance provides that firms should be able to request an onsite visit to relevant business premises. It further reminds firms that SYSC 8 requires them to have "effective access to data related to the outsourced activities, as well as to the business premises of the service provider". A number of respondents to the original consultation had noted that access to data centres in particular could be impractical, raising significant security concerns. In response, the FCA has noted in the Guidance that it views "business premises" as a broad term which may include head offices and operations centres, but does not necessarily include data centres.
Unfortunately, this appears to be an area where firms may struggle to reconcile commercial agreement with regulatory compliance. Although the Guidance acknowledges that access to data centres may sometimes not be commercially possible, it does not displace the SYSC 8 requirement for effective access to business premises, which may include data centres. Firms should therefore document, for each arrangement, which premises they have agreed access to and why that access is sufficient for effective supervision of the outsourced activity.
To view a copy of the Guidance, please click here.
2. Transatlantic data transfer protection? Privacy Shield adopted
On 12 July 2016 the European Commission adopted an "adequacy decision" allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the "Privacy Shield").
The Privacy Shield was developed earlier this year following the decision of the Court of Justice of the European Union ("CJEU") in October 2015 finding the previous transatlantic compliance mechanism, the US Safe Harbor, invalid.
The "adequacy decision" was notified to Member States on 12 July 2016 and entered into force immediately. In parallel, the European Commission has also published a short guide for citizens explaining the available remedies in case an individual considers that his or her personal data has been used in the US without taking into account the data protection rules.
In the US, the Privacy Shield framework was published in the Federal Register, the equivalent of the EU Official Journal. Companies in the US have been able to certify under the Privacy Shield with the US Department of Commerce since 1 August 2016. However, according to Privacy Laws and Business, take-up has so far been tentative, with only 35 companies certified. The current list of 35 does not include large multinationals apart from Microsoft and Salesforce. Google is understood to be in the process of signing up, and it has been reported that the US Department of Commerce, which issues the certifications, is dealing with some 200 applications from US companies.
The Information Commissioner's Office ("ICO") has also published a blogpost summarising the current position on the transfer of personal data from the EU to the US. Whilst the ICO refers to use of the Privacy Shield, it also states that "the area of international transfers is still not free from uncertainty" due to pending CJEU cases (the so-called Model Clauses have been referred to the CJEU) and unresolved Article 29 Working Party concerns regarding the Privacy Shield. In light of this potential uncertainty, the ICO intends to provide further guidance on international transfers later this year.
For further detail on the key features of the Privacy Shield refer to our previous article here.
To view a copy of the Privacy Shield, please click here.
3. Non-stop drip? Advocate General issues opinion on data retention under DRIPA
The Advocate General has issued his opinion on bulk data retention laws in the EU.
The preliminary finding by the Advocate General of the Court of Justice of the European Union came in response to a legal challenge brought initially by David Davis, when he was a backbench Conservative MP, and Tom Watson, Labour's deputy leader, over the legality of the communications data retention regime under the Data Retention and Investigatory Powers Act 2014 ("DRIPA").
The Advocate General found that a general obligation to retain data is not automatically incompatible with EU law, but must be subject to strict conditions. In particular, the obligation must be strictly necessary in the fight against serious crime, and proportionate, within a democratic society, to that objective, meaning that the serious risks engendered by the obligation must not be disproportionate to its advantages in the fight against serious crime.
The Advocate General said: "Solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings … are not."
The opinion is not binding on the Court of Justice of the European Union but these types of opinions are usually followed.
The Investigatory Powers Bill is currently making its way through the House of Lords and the advice of the Advocate General is sure to provoke further debate on the scope of the bulk data powers contained in the Bill.
To view a copy of the opinion, please click here.
4. Cyber Security Directive published in the Official Journal
The EU Network and Information Security Directive (otherwise known as the Cyber Security Directive) has finally been published in the Official Journal, on 19 July 2016. Member States will now have until 9 May 2018 to adopt national legislation complying with the Directive, with that legislation to apply from 10 May 2018.
The Cyber Security Directive requires certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority.
By 9 November 2018, for each sector and subsector referred to in Annex II to the Directive, Member States are required to identify the operators of essential services with an establishment on their territory. The sectors listed in the Directive are: energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution and digital infrastructure. The criteria for the identification of the operators of essential services are that:
- an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
Digital service providers, being providers of online marketplaces, online search engines and cloud computing services, are also subject to security and incident notification requirements under the Directive, although these are lighter than those applying to operators of essential services.
To view a copy of the Cyber Security Directive, please click here.
5. Braving Brexit: What next for Data Protection and Cyber Security?
The outcome of the Referendum – in favour of so-called Brexit – sent shockwaves through the world's financial markets. As the future relationships of the UK with the EU and the wider world enter a new chapter, it raises significant questions for businesses operating in the UK.
The "in-out" Referendum on the question of the UK's membership of the EU resulted in the majority of voters preferring the UK to leave the EU. The vote was 51.9% in favour of leaving, with 48.1% voting to remain. Under the terms of Article 50 of the Treaty on European Union, which governs the process, the UK must first inform the European Council of its intention to leave the EU. This notification triggers the two-year period specified by the Treaty for the negotiation of the terms of a Member State's withdrawal.
In the sphere of data protection, the referendum result leaves a number of questions unanswered about whether and when organisations in the UK will have to comply with the requirements in the upcoming General Data Protection Regulation ("GDPR").
The GDPR will apply from 25 May 2018. If the UK does not actually leave the EU until, say, November 2018 (because of the two-year negotiation period under Article 50), organisations would face the difficult scenario of having to comply with the GDPR for a short period before potentially having to move to comply with a new UK law.
However, when putting in place any new UK data protection law post-Brexit, in practice it is unlikely that the UK will want or be able to stray far from the principles of data protection set out in the GDPR. Depending on the form of Brexit undertaken, the UK may be required to adopt certain EU laws anyway, including data protection laws. Also, the UK Government will want to ensure that the transfer of data to and from the UK is not restricted, as this could have a negative effect on UK business. The GDPR includes a provision prohibiting the transfer of personal data outside of the EEA unless adequate protections are in place. If the UK were no longer part of the EEA, to avoid administratively burdensome measures to overcome this prohibition, the Government would be likely to seek an "adequacy decision" from the European Commission, declaring that the UK is "adequate" for data protection purposes. However, this is likely to only be possible if the UK has in place data protection regulation that is essentially equivalent to the GDPR.
Despite the Referendum result, the ICO recently published an overview of the GDPR which set out the key themes to help organisations understand the new legal framework. This further highlights the continued importance of the GDPR that is expected for many organisations in the UK. Whilst Baroness Neville-Rolfe, the UK minister responsible for data protection, also acknowledged in a recent speech at the Privacy Laws & Business Annual Conference that the future will be more uncertain, she confirmed that "the underlying reality on which policy is based has not changed all that much."
In relation to cyber security legislation, the timing of the Network and Information Security Directive (the "Cyber Security Directive") may also have an impact on the UK's implementation and compliance with such legislation. Member States have until 9 May 2018 to transpose the Cyber Security Directive into national law, and until 9 November 2018 to identify operators of essential services who will be subject to some of the requirements of the Directive. This timing could be similar to the timing of the UK's exit from the EU, meaning that the UK Government may take the decision not to implement the Cyber Security Directive into national law at all. However, given that the Government has already taken steps in anticipation of the Cyber Security Directive, and the importance of international cooperation on cyber security issues, we would anticipate that something similar might be implemented instead.
For further information on the implications of Brexit, please see our Brexit "hub" available here.
6. House of Commons report suggests linking CEO compensation to cyber security
The Culture, Media and Sport Committee (the "Committee") of the House of Commons has published a report in the wake of the TalkTalk cyber attack of 21 October 2015, recommending, amongst other things, that a part of CEO compensation be linked to effective cyber security.
On 21 October 2015, there was a cyber attack on UK telecommunications and internet provider TalkTalk. A House of Commons inquiry was launched on 3 November 2015 and on 20 June 2016, the inquiry committee published its report. Key findings and recommendations of the report included, at an organisational level:
- That organisations handling large quantities of personal data should submit annual reports to the ICO on data protection/cyber security matters, including cyber training for staff; details of security audits; and details of guidance provided to customers (both current and prospective) relating to cyber attacks.
- That security by design should be a core principle for new systems and app development and a mandatory part of developer training.
- That responsibility for cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the organisation has not taken sufficient steps to protect itself from a cyber attack.
- That, to ensure the issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.
The Committee also made a number of recommendations in relation to regulation and regulatory sanctions, including:
- That the ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. Greater fines should also be available for any delay in notifying a breach to the regulator.
- That the process for consumers to claim compensation for data breaches should be made easier.
- That custodial sentences should be available in cases of unlawful possession and sale of personal data.
- Strong support was also expressed for the ICO's decision to create a privacy seal, to be awarded to organisations with strong privacy practices and data protection standards.
To view a copy of the House of Commons report, please click here.
7. Electronic Signatures - when and how can they be used?
More and more businesses are now opting to sign documents using electronic signatures to allow the signing process to be conducted remotely and are making use of e-signing platforms.
From a legal perspective, there have also been a number of recent developments. In July, the Law Society and the City of London Law Society issued a practice note on the execution of documents governed by English law using electronic signatures. Also last month, the EU regime for electronic signatures changed when the directly applicable eIDAS Regulation on electronic identification and trust services (Regulation (EU) No 910/2014) took effect, replacing the Electronic Signatures Directive, with consequential amendments made to English law.
We have prepared a briefing which provides an overview of these latest developments, summarises the legal position in relation to electronic signatures and sets out some of the benefits and risks associated with signing by electronic means.
Herbert Smith Freehills has detailed knowledge and experience on the use and legal status of electronic signatures and e-signing platforms, including the practical steps required to minimise identified risks.
Please click here to see our briefing.