Welcome to the June Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

The implications of Brexit on data protection

The EU referendum is being held on Thursday 23 June 2016 and a vote to leave may have far reaching implications on data protection laws. The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and a vote to leave will mean that the UK will no longer be required to implement the new laws into its legal framework. The GDPR will, however, automatically apply to many UK organisations that offer goods or services to EU residents or monitor the behaviour of EU residents.

A vote to leave will trigger a two-year negotiation period that will determine the UK's onward relationship with the EU. As such, data protection law in the UK will be in a state of flux for a period of time providing uncertainty to UK organisations.

Two potential scenarios in the event of a vote to leave are as follows:

  1. UK leaves the EU and remains part of European Economic Area – the GDPR will still apply. This is because the four freedoms of Europe (the free movement of goods, capital, services and people) are incorporated into the European Economic Area agreement.
  2. UK leaves the EU and there is no free trade agreement – the GDPR will not form part of the legal framework in the UK. The current Data Protection Act 1998 will remain in place until such time that the UK amends its legal framework. In practice, however, the UK is likely to amend its current laws to a regime similar to the GDPR to ensure that business can continue between the UK and EU.

 In any event, the ICO has issued a statement that "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU".

ICO guidance on GDPR expected in next 6 months

The ICO has set out its approach to producing guidance for the GDPR. Three priority areas have been identified (ICO guidance, European level guidance and policy outputs) and the ICO plans to produce guidance over three phases.

Here's what to expect from the ICO:

  • Phase 1 – in the next 6 months, the ICO will focus on producing guidance on the key differences in the GDPR to assist organisations prepare for the change in law. Topics include individuals' rights, consent and privacy notices.
  • Phase 2 – overlapping with phase 1, the ICO will develop a GDPR guidance structure and map its relevant existing content to that structure and identify new guidance priorities.
  • Phase 3 – the ICO will then finalise its guidance, signpost European level guidance and complete the development of any practical tools that assist organisations to comply with the GDPR.

Click here to view the ICO's update.

High Court orders private investigator to comply with DSAR

In Gurieva v Community Safety Development Ltd (CSD,), CSD, a private investigator, had refused to comply with a data subject access request (DSAR) on the grounds that:

  • two of the exemptions set out in the Data Protection Act 1998 (the DPA) applied (crime and legal privilege);
  • it would be disproportionate for CSD to have to comply with the DSAR; and
  • the DSAR was an abuse of process as it had been made for an improper purpose – i.e to gain access to information for the purposes of litigation.

The Court found that whilst the exemptions cited may have applied to some of the data held by CSD, as CSD had failed to disclose any data at all, it was unable to uphold either exemption as to do so would have been to grant a blanket exemption in relation to a substantial quantity of data, not all of which would fall within the relevant exemptions when properly analysed. The Court was also firm in its findings that it was not disproportionate to expect CSD to conduct a full analysis of the 1,500 documents which it had identified as containing the Claimants' personal data in order to ascertain which datasets might be privileged.

Warby J's judgment also confirmed that the DPA does not require an individual seeking access to his or her personal data to justify or explain the request – it was therefore in no way improper that the DSAR may have been made in contemplation of litigation which was ongoing elsewhere.

A more detailed analysis of the employment aspects of this case can be found on our website.

EU council adopts cybersecurity rules

On 17 May 2016, the Council of the European Union formally adopted the Network and Information Security Directive (NIS Directive) with the aim of increasing cooperation between member states on the issue of cybersecurity.

The new rules will place cybersecurity obligations on the following organisations:

  • Operators of essential services – this includes critical sectors such as energy, transport,  health and finance.
  • Digital service providers – this includes online marketplaces, search engines and cloud services.

One of the key rules of the NIS Directive is a new incident notification regime. This will create an obvious overlap with the data breach notification regime outlined in the GDPR. The NIS Directive states that incidents should be notified without undue delay, however the GDPR explicitly states a 72-hour deadline.  Organisations that fall under both regimes will need to deal with the competing notification rules.

The NIS Directive still requires the approval of the European Parliament but is expected to enter into force in August 2016. Thereafter, EU member states will have 21 months to implement the new rules into national legislation.

ICO releases updated encryption guidance

The ICO has recently published updated guidance on encryption, which includes several scenarios designed to help organisations consider when and how encryption should be used.

Under current UK law, it is not a requirement to use encryption however the Data Protection Act 1998 does say that organisations should take appropriate measures to keep personal data secure. Encryption is a relatively cost effective way of keeping data secure and the ICO has expressed a view that it may pursue regulatory action against organisations where a lack of encryption has led to a loss of data.

Encryption is expressly stated in the GDPR as a way for organisations to implement appropriate measures to mitigate the risks relating to processing data.  As such, more organisations will be expected to use encryption once the new rules enter into force and should adopt now the ICO’s guidance as good practice. 

Click here to view the ICO’s guidance.

German court rules that terms and conditions must be provided in German

On 17 May 2016, the German Federation of Consumer Organisations announced that the Berlin Superior Court of Justice (Court) ruled that WhatsApp, Inc. must provide its terms of use and privacy policy (T&Cs) in German. It was WhatsApp's practice to provide this information in English only and the Court determined that this placed an unreasonable burden on German consumers. It also found that, in the absence of a German translation, the T&Cs lacked transparency and were therefore legally void.   

The ruling is subject to appeal but it may impact organisations providing services to German consumers if it becomes law. It was, however, based on German consumer law so does not apply to other EU countries.

Advocate General says IP addresses are personal data

On 12 May 2016 the Advocate General of the Court of Justice of the European Union (CJEU) issued an opinion stating that IP addresses are personal data and data protection laws should apply.

The case was referred by the German Court in 2014 for a preliminary ruling in connection with an individual challenging the federal government’s storage of dynamic IP addresses of individuals using government websites. The individual’s claim was initially rejected by the court of first instance.

The Advocate General’s opinion is not binding on the CJEU, however it is highly influential. It is expected that the CJEU will follow its decision in 2011 wherein it confirmed that IP addresses are personal data.

European Banking Authority seeks feedback on use of consumer data by financial institutions

On 4 May 2016, the European Banking Authority launched a discussion paper on innovative uses of consumer data by financial institutions. The paper identifies a number of risks and benefits for consumers and financial institutions. Financial institutions, combined with fintechs and large digital companies, have recently used consumer data across a range of services, particularly payment data. Organisations can respond now until 4 August 2016.

Click here to respond to the consultation.

Clyde & Co's 'Data as an asset' talk at The London Stock Exchange

Are you confident that your organisation would respond quickly in a crisis to protect your trade secrets, your reputation and your customers? We will explore the most common data crises, including data breach and employee issues and provide practical guidance on how to minimise risk and impact.