The General Data Protection Regulation (GDPR) will apply from 25 May 2017. Preparations for compliance are hopefully underway and should pick up pace in the early part of next year. It’s not just the GDPR which has featured this year though. Visit our Global Data Hub to review this year’s news in full. You can also find articles, webinars and checklists about the GDPR and other data privacy issues there, and take advantage of our interactive data privacy compliance tools. These include our Data Protection Guide, which compares the data protection regimes in over 65 jurisdictions, and tools to help with processing HR data and with data exports.
One of the most important elements of GDPR compliance is accountability - you have to be able to demonstrate you comply. This means compliance can only be achieved by putting processes and regular reviews in place.
There has been a raft of regulator guidance (some of which is still in draft) issued over the past year. The Article 29 Working Party guidance carries considerable weight as the Working Party is made up of EU regulators. You will also need, however, to consider guidance by local regulators in jurisdictions which are relevant to you. The ICO, for example, has published draft guidance on consent and on contractual arrangements between controllers and processors.
Not all the guidance has been on the GDPR. The ICO updated its code of practice on subject access requests to take account of recent case law. The changes relate mostly to the disproportionate effort exemption and SARs made for collateral purposes. The CCTC Code of Practice was also updated.
The Data Protection Bill
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 at which point the UK will still be in the EU. The government has committed to applying the GDPR. This only tells part of the story, however, because the GDPR will not necessarily make sense in its entirety once we are no longer in the EU. For example, without explicit agreement to the contrary, the UK will become a third country for the purposes of data exports, and it will not have a seat on the European Data Protection Board.
The UK government published its draft Data Protection Bill in October. While the government has presented the Bill as its own initiative, it is fair to say that its primary aim is to incorporate the GDPR and the Law Enforcement Directive into UK law and deal with permitted derogations. It also hopes to provide continuity during and after Brexit and to ‘Brexit proof’ the legislation so that it continues to work in a post-Brexit environment. The Bill is intended to come into force from 25 May 2018, the date from which the GDPR will apply.
The message is very much to carry on with full GDPR implementation because the rights and obligations are essentially the same. However, the Bill also deals with those areas of the GDPR where it is left up to Member States to add in or vary. As we have said before, there are far more of these than were initially intended, leading to a watering down of the concept of a single EU data protection regime. Schedule 6 also attempts to amend those parts of the GDPR that will no longer work once the UK leaves the EU and personal data processing is no longer covered by Union law in the UK, for example, removing references to “Union and Member State Law”.
This means that in the UK, the GDPR has to be read alongside the Bill, in particular, the derogations and schedules. Unfortunately, this is not an easy task as, on the whole, the Bill makes reference to GDPR clauses, rather than reproducing them. Having said that, the Bill will not change the fact that by 25 May 2018, organisations will have to comply with the GDPR.
The Bill recently had its second reading in the House of Lords and a number of amendments are being tabled so it may yet change but you can read more about it and about other Member State data protection legislation being brought in as a result of the EU’s data protection package here.
Having passed the GDPR, the Commission turned its attention to updating the ePrivacy Directive, implemented in the UK by PECR. A draft Regulation was published in January and lobbying has been almost as intense as it was in relation to the GDPR.
The original draft:
- applies to ‘over the top’ service providers such as WhatsApp, Facebook, Gmail and Skype and not just to telecommunications service providers;
- takes the form of a Regulation rather than a Directive;
- covers both content and metadata derived from electronic communications – both will need to be anonymised or deleted if users have not given consent, unless required for billing purposes;
- gives traditional telecommunications providers more scope to use data and provide additional services subject to obtaining appropriate consent;
- streamlines rules on cookies – consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website;
- bans unsolicited electronic communication by any means including phone calls if users have not given consent;
- allows Member States to require that marketing callers display their phone number or use a special prefix; and
- enhances enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.
Both the EDPS and the Article 29 Working Party expressed concerns that the draft did not dovetail properly with the GDPR. There has also been considerable debate on whether or not legitimate interests should be included as a justification for processing. Publishers around Europe are particularly concerned about plans to allow users to block third party cookies.
In November, the way was paved for trilogies to begin after the European Parliament adopted a privacy-friendly version of the Regulation. The EP’s proposal requires high levels of protection from unauthorised access to electronic communications, including safety of transmission means or use of end to end encryption. Decryption is prohibited and consent in line with the GDPR is the basis for lawful processing. The European Parliament calls for a ban on cookie walls (which prevent access to a website where cookies are refused), and tracking without consent, including through public hotspots or shopping centre wifi networks. It also wants a restriction on snooping on personal devices via software updates. Meta data should be treated as confidential and privacy by default should become standard for all software used for electronic communications.
This has only intensified lobbying and the European Commission’s goal of passing the ePrivacy Regulation and bringing it in alongside the GDPR in May 2018, continues to look ambitious, if not unrealistic.
Other legislative developments
The EU-US Umbrella agreement on passenger data sharing came into force in February. The EU has published draft legislation relating to the sharing of non-personal data and unnecessary data localisation restrictions.
It has been a more tranquil year for data exports on the whole than we’ve seen in recent times. The EU-US Privacy Shield self-certification scheme was given adequacy in July 2016 and has seen a considerable amount of take-up.
The European Commission’s report following the first annual review of the EU-US Privacy Shield was the scheme’s first real test. The EC found that the Privacy Shield works and ensures an adequate level of protection for personal data flowing from the EU to the US. It did, however, recommend a number of improvements:
- more proactive and regular monitoring of companies’ compliance with the Privacy Shield by the US Department of Commerce, including regular searches for companies making false claims about their participation;
- more awareness-raising to help EU individuals understand how to lodge complaints and exercise their rights under the Privacy Shield;
- closer cooperation between the US Department of Commerce, the Federal Trade Commission, and the EU data protection regulators, including producing guidance;
- enshrining the protection for non-Americans offered by Presidential Policy Directive 28; and
- appointing a permanent Privacy Shield Ombudsman and filling empty posts on the Privacy and Civil Liberties Oversight Board as quickly as possible.
The relatively anodyne position of the EC came as a relief to those relying on the Privacy Shield for their EU-US data transfers.
The Article 29 Working Party’s report took a predictably harder line. The WP29 acknowledges progress has been made but calls for an urgent action plan to address its “significant concerns”. Discussions between the Commission and US competent authorities should begin immediately and the action plan should prioritise the appointment of the Ombudsperson, appointment of Privacy and Civil Liberties Oversight Board members, and the explanation of rules of procedure, including by declassification. The prioritised concerns “need to be resolved” by 25 May 2018, and all remaining concerns dealt with by the time of the second annual joint review.
If remedies are not found to address the WP29’s concerns, it will take action, including by bringing the Privacy Shield adequacy decision to the national courts for them to make a reference to the CJEU for a preliminary ruling.
Crunch time is also coming for Standard Contractual Clauses as an effective data transfer solution, after the Irish High Court decided to make a reference on their adequacy. If you rely on SCCs to transfer personal data between the EU and the USA, the outcome of this reference may be highly significant and it’s true that the CJEU has form in taking bold action in this area. We are conceivably looking at a situation in which the Ombudsperson mechanism is a stumbling block to the effective operation, not only of SCCs, but also the Privacy Shield and, by extension, Binding Corporate Rules (BCRs). Having said that, question marks around data transfers to the USA are not new and, for now, we need to keep a watching brief on developments, not only in terms of the exact questions. See here for more.
In November, the EC announced it would be launching a review of all its existing adequacy decisions which allow data sharing between the EU and each of Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay. The Commission is asking the relevant governments to clarify their privacy safeguards and is sending experts to visit the countries. The Commission has said the intention is to keep the agreements in place. This is in addition to the scrutiny of arrangements with the USA. The EC is also, however, looking to give more countries adequacy and a decision on Japan is imminent.
In better news, the UK’s ICO has confirmed that BCRs approved before Brexit will continue to be valid, and also that the UK is prioritising ensuring the continuing flow of data between the UK, the EU and third countries, as part of the Brexit negotiations. It is no doubt with this in mind that the government recently announced changes to the controversial Investigatory Powers Act to bring it more in line with EU law.