Welcome to the July Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

ICO issues EU referendum statement

On 24 June 2016, the ICO issued a statement following the UK’s referendum vote to leave the EU setting out the implications of the vote on data protection law and the General Data Protection Regulation (GDPR) in particular. The ICO confirmed the Data Protection Act 1998 remains in full force and effect, and that whatever happens, having international consistency around data protection laws and rights is vital given many businesses and services operate across borders.

Click here to view the ICO’s statement.

ICO releases annual report

On 28 June 2016, the ICO released its Annual Report which highlighted that it had received 16,388 data protection queries last year and has issued £2 million in fines against organisations for breach of data protection rules. The ICO had also dealt with big data breaches such as TalkTalk and provided guidance on international transfers following Safe Harbour being held to be invalid by the Court of Justice of the European Union (CJEU) in the Schrems decision in October 2015.

The outgoing UK Information Commissioner, Christopher Graham, will now be replaced by Elizabeth Denham who has been the Information and Privacy Commissioner for British Columbia since 2010.

EU-US data transfers part 1 - Privacy Shield could take effect in early July

On 24 June 2016 the EU and US agreed the final changes to the EU-US Privacy Shield, which permits data transfers between the EU and US in compliance with EU data protection laws and is intended to replace the now defunct Safe Harbour.

The updated agreement includes the following changes:

  • Data retention – explicit data retention rules requiring companies to delete data that no longer serves the purpose for which it was collected.
  • US bulk collection of massive and indiscriminate data – a written commitment from the White House providing that bulk data collection can only occur under specific preconditions and must be "as targeted and focused" as possible.
  • Independence of the Ombudsman – a commitment that the Ombudsman will be independent from national security services.

The revised Privacy Shield has been sent to the Article 31 Working Party, the independent advisory body made up of representatives from all the EU data protection authorities, for approval. The College of Commissioners is expected to adopt the agreement in early July.

EU-US data transfers part 2 - German Data Protection Authorities issue first fines for continued reliance on Safe Harbour

On 6 June 2016, the Hamburg Data Protection Authority announced that it has fined three subsidiaries of US companies for failing to set up alternative data transfer mechanisms quickly enough following Safe Harbour being held to be invalid.

The grace period to establish alternative data transfer mechanisms for transferring data from Europe to the United States (e.g. Model Contract Clauses and Binding Corporate Rules) expired on 31 January 2016.

Adobe Systems Inc, Punica and Unilever were fined €8,000, €9,000 and €11,000 respectively for failing to ensure the privacy for employee and customer data being transferred to the United States. The fact the companies subsequently implemented alternative data transfer mechanisms was taken into account when calculating the fines.

EU-US data transfers part 3 – Model Contract Clauses to be challenged

The Irish Data Protection Commissioner has recently made an unpublished draft decision that Model Contract Clauses (MCCs) breach privacy and data protection rights of EU citizens and has asked the Irish High Court to refer the issue to the CJEU. The draft decision relates to Max Schrems' challenge to MCCs on grounds similar to those that resulted in Safe Harbour being held to be invalid. The case relates to Facebook’s use of MCCs, as an alternative data transfer mechanism, to transfer personal data from the EU to the US.

In an unusual move the United States government and other organisations have asked to join the proceedings. Schrems said "This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure.”

Government publishes report on cyber security and protection of personal data online

On 17 June 2016, the House of Commons Select Committee for Culture, Media and Sports (Committee) published its report on its inquiry into the recent cyber attack of TalkTalk’s website and the wider implications for telecoms and internet service providers.

The Committee made a number of recommendations to improve the ICO's powers, including:

  • Preventative measures – organisations holding large amounts of personal data should report annually to the ICO on their security processes to ensure more proactive monitoring. Also, the ICO should have the power to carry out non-consensual audits, particularly in the health and local government sectors.
  • Increase consumer awareness – the privacy seal, due to be launched later this year, should incorporate a traffic light system that would demonstrate to consumers that an organisation follows good privacy practice and high data protection compliance standards.
  • Data breach deterrence – the introduction of an escalating fine for companies who delay in reporting a data breach. Also, custodial sentences for individuals who unlawfully obtain and sell personal data.

The Committee also recommended that someone should take full day-to-day responsibility within a company for dealing with cyber attacks. To ensure the issue received sufficient CEO attention before such an attack, the Committee suggested that a portion of CEO compensation should be linked to effective cyber security.

Click here to view the Committee’s report.

Bank of England publish cyber risk speech

The Bank of England has published a speech by its Chief Information Security Officer, Will Brandon, on the approach financial institutions should take to managing cyber risk.

Brandon recommended that firms should put in place a system of oversight that provides "a formal means for the business to assess and manage risk". This includes managers taking ownership of cyber risk and quantifying it by assessing or testing threats, vulnerabilities and assets.

Click here to view the speech.