Our IT & Outsourcing eBulletin contains summaries of the following recent developments in technology, outsourcing and data protection law and regulation in the EU and the UK.
1. Data Superpower? A review of the Privacy Shield documentation
The documentation supporting the proposed new EU-US Privacy Shield has been published by the European Commission.
In the aftermath of the decision of the Court of Justice of the European Union in October last year declaring the US Safe Harbor invalid, the Article 29 Working Party set a deadline of 31 January 2016 for the relevant European and US authorities to agree a new framework for the exchange of personal data between the EU and US for commercial purposes. On 2 February 2016, the EU-US Privacy Shield was announced, although no accompanying documentation was produced. The Article 29 Working Party accordingly set another deadline of the end of February for the European Commission to provide it with a copy of all the Privacy Shield documentation. On 29 February 2016, the European Commission then published the legal texts which will put in place the Privacy Shield should it be approved.
This article sets out some key features of the proposed EU-US Privacy Shield for organisations looking to take advantage of this proposed new compliance method for transatlantic data transfers:
Like the Safe Harbor regime before it, the Privacy Shield will involve a self-certification mechanism for organisations wishing to benefit from the arrangement. In order to get the benefit of the Privacy Shield, an organisation must: (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the "FTC"), the Department of Transportation ("DoT") or another statutory body that will effectively ensure compliance with the Privacy Principles as described below (other US statutory bodies recognised by the EU may be included as an annex to the European Commission Adequacy Decision in the future); (b) publicly declare its commitment to comply with the Privacy Principles; (c) publicly disclose its privacy policies in line with these Privacy Principles; and (d) fully implement them.
From a practical perspective, this means that the Privacy Shield, like the Safe Harbor before it, will not be available to all organisations. For example, it will not for the moment be available to financial institutions that are not subject to the jurisdiction of the FTC or DoT.
The Privacy Principles will apply immediately upon certification. However, organisations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date will be given an additional nine months in which to bring their existing relationships with third parties into conformity with the Accountability for Onward Transfer Principle (as described below). Organisations which do not take advantage of this first adopter window will need to be fully compliant from the time they self-certify.
The Department of Commerce ("DoC") will maintain a publicly available list of organisations that have self-certified and declared their commitment to adhere to the Privacy Principles (the "Privacy Shield List"). The DoC will remove an organisation from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual re-certification (as required under the Recourse, Enforcement and Liability Principle).
The Privacy Shield sets out seven privacy principles to which organisations will need to adhere:
- Notice Principle - organisations will be obliged to provide information in "clear and conspicuous language" to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). This notice must include information regarding the redress mechanisms available to data subjects, including recourse to an independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual.
- Choice Principle - data subjects must be able to object (opt out) to their personal data being disclosed to a third party or used for a "materially different" purpose than the one for which it was originally collected. In the case of sensitive data, organisations must obtain the data subject's affirmative express consent (opt in) to their personal data being disclosed to a third party or used for a "materially different" purpose than the one for which it was originally collected. Opt out/opt in mechanisms must be clear, conspicuous and readily available.
- Accountability for Onward Transfers Principle - any onward transfer of personal data from an organisation to controllers or processors can only take place: (i) for limited and specified purposes; (ii) on the basis of a contract (or comparable arrangement within a corporate group); and (iii) only if that contract provides the same level of protection as the one guaranteed by the Privacy Principles. Where compliance problems arise in the (sub-) processing chain, the organisation acting as the controller of the personal data will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability, although it is not clear from the draft text of the Privacy Shield how this will be tested in practice.
- Security Principle - organisations creating, maintaining, using or disseminating personal data must take "reasonable and appropriate" security measures, taking into account the risks involved in the processing and the nature of the data.
- Data Integrity and Purpose Limitation - personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.
- Access Principle - data subjects will have the right to access their personal data without justification and subject only to payment of a non-excessive fee. Organisations must respond to any request for access within a reasonable period of time. Data subjects must further be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Privacy Principles.
- Recourse, Enforcement and Liability Principle - participating organisations must provide robust mechanisms to ensure compliance with the Privacy Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Organisations must annually re-certify their participation in the framework and must take measures to verify that their published privacy policies conform to the Privacy Principles and are in fact complied with. At a minimum, compliance with this principle should include: (i) independent recourse mechanisms under which individual complaints are investigated and resolved at no cost to the individual; (ii) follow-up procedures for verifying that the attestations and assertions organisations make about their privacy practices are true and that privacy practices have been implemented as presented; and (iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organisations.
From a practical perspective, the seven Privacy Principles go beyond what was required under the old Safe Harbor regime. Examples include the requirements for onward transfers and third-party contracts in the supply chain, and the new recourse mechanisms which have to be in place. This means that organisations will not simply be able to transfer across their old Safe Harbor policies and procedures into the new world of the Privacy Shield. The new Privacy Principles mirror many of the requirements set out in the new EU General Data Protection Regulation, and organisations wishing to take the benefit of the new framework will therefore need to evolve and amend their current privacy practices to bring them into line with the new requirements.
Aside from the operational requirements placed upon organisations wishing to self-certify under the new framework, the Privacy Shield also seeks to provide assurances around US national security access to personal data transferred to the US. For the first time, the US has given written assurances, to be published in the federal register, that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. The US makes further assurances that there will be no indiscriminate or mass surveillance of personal data transferred to the US under the Privacy Shield.
There are still several legal steps to be taken before the Privacy Shield can be officially adopted. The Article 29 Working Party is expected to adopt its own opinion on the Privacy Shield at its next plenary session on 12/13 April. Any such opinion will be influential but not binding on the European Commission. Finally, the framework will need to be adopted by the College of the EU Commission. This could potentially happen as soon as June this year.
Once adopted, the existence of the Privacy Shield would enable organisations in the EU to transfer personal data to organisations on the Privacy Shield List without further regulatory scrutiny. Any such "adequacy decision" adopted by the European Commission under the terms of the current Data Protection Directive, would also remain in force under the new General Data Protection Regulation unless and until amended, replaced or repealed by the European Commission in the future.
However, adoption of the Privacy Shield may not necessarily be the end of the story. Once adopted, the only way to question the validity of the Privacy Shield would be through the Court of Justice of the European Union ("CJEU"). Given the level of interest in and criticism of the Privacy Shield proposals, it seems entirely possible that the whole issue could at some point be referred to the CJEU for consideration. For example, Max Schrems, the lawyer who brought the original case concerning the US Safe Harbor to the CJEU, has made several criticisms of the proposals, concluding that "there will be a number of people that will challenge this decision if it ever comes out this way — and I may very well be one of them". The uncertainty created by the Schrems decision could therefore very well linger for a long time yet.
To view a copy of the Privacy Shield documentation, please click here.
2. US Government Increases its Scrutiny of Acquisitions in Technology-Related Sectors
"Philips and GO Scale Capital will continue to engage with CFIUS and will take all reasonable steps to address its concerns, but given these, the closing of the transaction is uncertain." Royal Philips N.V., Q3 2015 Report, 26 October 2015
The foregoing assessment by Royal Philips N.V. ("Philips") of its then-pending plan to sell one of its business units to Chinese investor GO Scale Capital ("GO Scale") turned out to be accurate, as Philips announced in January this year that it was abandoning the deal because it could not secure approval from the US government's Committee on Foreign Investment in the United States ("CFIUS"), due to unspecified US national security concerns.
The roadblock to closing that Philips encountered illustrates the US government's increasing scrutiny of deals in which non-US parties look to acquire non-US based businesses where such transactions include, as was the case with Philips, the sale of US affiliates with significant technology portfolios.
The case broadly emphasises that dealmakers need to be mindful of the potential for CFIUS scrutiny in any acquisition that would transfer control of US assets to a non-US entity, even where such acquisitions seemingly have little nexus to US national security. This is the case even where the deal parties are not US companies or where the US business is already owned by a non-US entity. The increasing scrutiny of such acquisitions, however, does not mean that CFIUS approval cannot be secured. Indeed, the majority of transactions reviewed by CFIUS are cleared, including those involving Chinese investors, who have secured CFIUS approval of several high-profile acquisitions in recent years. Thus, deal parties should consider, as early as practical, whether the transaction reasonably implicates US national security concerns as currently interpreted by CFIUS, and if so, whether those concerns can be addressed, perhaps through a restructuring of the deal terms or otherwise. Parties may also need to be flexible regarding deal terms should CFIUS require mitigation as a condition for approval. Ultimately, parties should take a proactive approach to CFIUS issues, and where appropriate engage with CFIUS early on to maximize the chances for approval of their cross-border transactions.
To read more about the Philips case, please see our eBulletin available here.
3. Head in the Clouds: BBA responds to FCA consultation on cloud outsourcing
On 12 November 2015, the UK Financial Conduct Authority ("FCA") published draft guidance with the aim of clarifying the requirements on firms when outsourcing to the 'cloud' and other third-party IT services. The British Bankers Association ("BBA") has now published its response to the consultation, although the timing of the final FCA guidance remains unclear.
In its response to the FCA consultation, the BBA highlights the following key messages:
- Not all cloud services should be considered outsourcing – by considering all uses of cloud systems as outsourcing, the BBA maintains that the guidance does not sufficiently reflect the major differences in technologies and business models inherent in cloud services.
- The need for proportionality in cloud outsourcing requirements – for the guidance to be successful in encouraging firms to take advantage of the potential in cloud services, the outsourcing requirements must be proportionate to the risks incurred to the user in contracting to a cloud service provider.
- Uneven balance of negotiating power between cloud service providers and regulated firms – financial institutions need to be able to point to clear industry guidelines if they are to negotiate contracts, with large technology organisations that own global technology platforms, which accommodate the various requirements outlined in the guidance.
- Industry best practice – the BBA is keen to encourage the adoption of cloud systems and therefore suggests to the FCA that it consider how a pooled collection of industry best practice could encourage firms to be confident that they have fulfilled their regulatory obligations.
The FCA's consultation closed on 12 February 2016, although it is not yet clear when the final guidance will be published, or indeed, if the BBA's call for clearer industry guidance and best practice will be heeded.
To view the BBA response to the FCA consultation, please click here.
The disruptive effect of new technologies such as the cloud on traditional outsourcing models was also considered further in our article "Sourcing 3.0: The rise of the intelligent customer". Please click here to view a copy of the article which first appeared in the May 2015 edition of PLC Magazine.
4. Snooper's Back: Investigatory Powers Bill introduced to the House of Commons
Against the backdrop of an ongoing global battle between public authority access to data for national security purposes and individuals' right to privacy, the controversial UK Investigatory Powers Bill has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place.
The Investigatory Powers Bill was introduced to the House of Commons on 1 March 2016. The Bill is intended to address the deficiencies of the Regulation of Investigatory Powers Act 2000, which was drafted before the advent of, for example, social media and over-the-top messaging services such as WhatsApp.
Some of the key provisions likely to affect communication service providers ("CSPs") are:
- The provision for interception of communication, which will be lawful when carried out with a warrant, with consent or in the exercise of any statutory power.
- The creation of a judicial oversight body, with Judicial Commissioners acting as a check for the Secretary of State's warrant decisions.
- The obligation on CSPs to collect and store internet connection records ("ICRs").
The first draft of the Bill was published in November 2015, after which various government committees, among them the Joint Committee on the Draft Investigatory Powers Bill, submitted their recommendations to the Home Office.
The Bill which has now been introduced to the House of Commons has been revised to respond to some of the concerns raised by these committees. The main changes are:
- amended definitions and additional material published to provide further guidance on how the powers are to be used;
- strengthening of privacy safeguards, particularly with regard to the protection of journalists' and lawyers' communications; and
- developing implementation plans with industry experts for retaining ICRs.
The Bill was backed by 281 votes to 15 during its second reading in the House of Commons on 15 March 2016. A final vote is expected in April 2016, with the Home Office aiming for the new legislation to be in force by 31 December 2016.
To view a copy of the Home Office papers, please click here.
5. National Cyber Security Centre announced
The UK Government has confirmed that its National Cyber Security Centre ("NCSC") will be headquartered in London and will begin operations in October 2016. This new body is designed to bring the UK's cyber expertise into one place and address current problems with the digital defences of companies and organisations.
GCHQ is currently the main organisation which deals with cybersecurity. However, as a secret intelligence service, it has a poor record in terms of accessibility and encouraging communication between the relevant parties and the Government. The new centre is aimed at remedying this problem by taking advantage of its presence in both the intelligence world and the public space.
The new "authoritative voice on cyber security in the UK" will aim to implement its goals by informing the entire business community and public sector about emerging threats, providing support when attacks happen and educating everyone on how best to stay safe online. The NCSC will work with a variety of government departments and critical national infrastructure players, as well as with the business community and the public.
The organisation's first task will be to collaborate with the Bank of England in order to produce guidance on how financial institutions can manage cyber security more effectively. This will involve setting standards for the financial sector when responding to different types of cyber threats which could negatively impact the UK economy.
To view a copy of the Government announcement, please click here.
6. Using our Best Endeavours: HSF guide to endeavours obligations
Obligations to endeavour to achieve some objective are commonly agreed in commercial contracts where the relevant party is not willing to take on an absolute obligation to that effect.
Typical clauses may require the use of “best endeavours”, “reasonable endeavours” or “all reasonable endeavours”, but it is not always clear what these terms require in practice.
In our latest practical guide to contract law, we consider how the typical clauses differ from one another and what they are likely to require in practice and provide some practical tips for commercial parties.
Please click here to view HSF's Guide to Endeavours Obligations.
The other guides in the series published so far (on when you have a binding contract, how courts interpret contracts, pre-contractual statements and the role of good faith in commercial contracts) can be accessed from our Litigation Notes blog, available here.