On Thursday 8th October, the Privacy and Cyber Security Group held a breakfast briefing (a "fireside chat") at Dentons' London office, where the keynote speaker was Christopher Graham, the UK Information Commissioner. Nick Graham, Global Co-Chair of the Group, opened the session, which was led by Chantal Bernier, Counsel from Dentons Canada and former Canadian Privacy Commissioner. There was full attendance and an engaged audience. The event covered a number of privacy issues, not least the CJEU's decision two days earlier that Safe Harbor is invalid.
Safe Harbor Decision: reactions
Christopher Graham provided reassurance and pragmatism in response to the Safe Harbor ruling. He was keen to emphasise that the message from the ICO (his office) is "don't panic"! He does not intend to be "knee-jerking into sudden enforcement". At the same time, he said that the ICO "understand(s) the significance of what has happened". "If you’re using the cloud, you’re concerned about this. If you’re an SME involved in transfers of information between Europe and the U.S., you’re concerned… We absolutely understand that the ICO needs to be thoroughly engaged… We're working hard on making sure there is a coherent, coordinated response from the DPAs [Data Protection Authorities] to these developments". With regard to the meeting of the Article 29 sub-committee on transfers due later that day, he said that the ICO will argue for a "practical response" and "will be a voice arguing restraint".
When asked whether the decision will also impact the alternative transfer mechanisms to Safe Harbor (i.e. Standard Contractual Clauses and BCRs), Graham responded: "Let’s not create a drama out of a crisis, by saying, ‘Oh if that’s the case for Safe Harbor that must also be the case for BCRs and Standard Contractual Clauses.’ Let’s not panic." He pointed out that Safe Harbor was already in the process of being renegotiated, and that there are also special arrangements for security services provided in the Data Protection Directive. "The problems about the access that security authorities claim for personal information are there in every jurisdiction… Talk about elephants in the room. That’s one of the elephants", he said. Graham gave reassurance that the ICO and the other national data protection authorities are working together, and with their respective governments, towards balancing these "competing obligations".
One of the key themes of the morning was the importance of national authorities working in "effective co-ordination" and GPEN as "leading the way as the network of networks". Graham warned that as a result of this better co-ordination, authorities will be "more on your case". However, he was quick to note that enforcement is a "weapon of last resort": "we don’t get off fining people". "We want to encourage good behaviour. You have a friend in the ICO", he assured.
Graham announced that the ICO is currently revising its Privacy Notices Code of Practice to take account of the mobile environment and to steer the focus of these policies towards clear language rather than "legal speak", among other things.
Since the session, the DPAs have met with regard to Safe Harbor and are now working on issuing guidance.
As part of the session we conducted a risk survey of the audience to identify the main data privacy concerns currently faced by business. Below is a graphic displaying our findings of what respondents prioritised as most concerning.
Click here to view chart.