ICO publishes statement on EU-US Privacy Shield

In a blog post the Information Commissioner's Office (ICO) has set out its position in the wake of the EU-US Privacy Shield, the replacement for the Safe Harbour framework, also known as "Safe Harbour 2.0".

The ICO states that it is too early to say whether the Privacy Shield will provide adequate protection for personal data transferred from the EU to the US.

The Regulator stated that organisations can continue to use other tools such as Standard Contractual Clauses (Model Clauses) and Binding Corporate Rules (BCRs) for data transfers to the US. It states that organisations should have a proper understanding of the legal basis of their transfers so that they are in a good position to act if they need to. It suggests that it may be good practice to contact the organisations in the US which are the intended recipients of personal data and draw their attention to the possibility of the Shield's future consideration. The position regarding Model Clauses and BCRs remains uncertain, as these may be reviewed for adequacy under the new framework in future. Organisations are advised to watch this space.

Regarding enforcement, the ICO states that its position is the same as in October 2015, when the Safe Harbour framework was invalidated: whilst complaints can be considered, the usual ICO regulatory policy will be applied. It will be guided by the risk posed to individuals and the steps that can reasonably be expected of data controllers. It will not be looking to expedite Safe Harbour complaints while the process for its replacement is still ongoing. In its interim guidance dated 10 February 2016, "Data transfers to the US and Safe Harbor", the ICO states:

"We are not rushing to use our enforcement powers. There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent. Of course the ICO will consider complaints from affected individuals whatever transfer mechanism you’re relying on but we will be sticking to our published enforcement criteria and not taking rushed action whilst there’s so much uncertainty around and solutions are still possible. We can’t create legal certainty where there is none but we will continue to work with our European counterparts in an effort to ensure that, as far as possible, we’re all delivering a single and sensible message. Ultimately though, for the ICO, it has to be a message that is consistent with UK law, with our powers and with the public commitments we have made about when and how we will use these powers. In time we will update our published guidance on international transfers but for the most part it is still valid. We will also be building on this interim guidance by publishing some practical advice for businesses, including SMEs that may rely on cloud and similar services provided by others, on what they should and should not be doing in the current period of uncertainty".

The full statement and a link to a guidance note can be found here

The ICO's interim guidance note can be found here

The big data dilemma: Fourth Report of Session 2015-16

Parliament’s Science and Technology Committee report has concluded that 58,000 jobs could be created and £216bn added to the economy by big data in a five year period. It states that companies are not currently exploiting existing data to its full potential. It defines the term "big data" as the collection and analysis of data on such a scale or such complexity as to make its use challenging. Big Data is a hot topic right now and more and more organisations are starting to cotton on to the fact that it has the potential to provide a highly lucrative new stream of revenue.

The report does address concerns about privacy and the way personal data is used and re-used, and highlights public distrust of industry and government data use, issues which the Committee says must be resolved. The Committee recommends the establishment of a Council of Ethics to address consent and trust issues and encourages the Government to make the identification of individuals by de-anonymising data a criminal offence. Data can at present be anonymised via the use of algorithms; however, a study at Harvard has shown that as quickly as data can be anonymised, the algorithm can also be reversed to de-anonymise the data. The security of data and the protection of data subjects' personal data is key, so this recommendation to criminalise the reversal of anonymisation is a move in the right direction.

The Science and Technology Committee report: The big data dilemma can be found here

Report of Joint Committee on the Draft Investigatory Powers Bill

The Joint Committee on the draft Investigatory Powers Bill has published a report of session 2015-16.

The report states that the major change which would be introduced by the draft Bill is the creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities.

The report sets out recommendations which aim at ensuring:

  • any new system will deliver the increased independence and oversight which have been promised
  • protections for lawyers and journalists are not compromised
  • further clarity is provided as to the proposals for the form of internet connection records and the cost and feasibility of their creation and storage

It is thought that the judicial oversight function brought in by the new Bill will strike a much needed balance for UK surveillance generally.

The full report can be found here


WP29 statement on EU General Data Protection Regulation

The Article 29 Working Party (WP29) has released a statement on the upcoming adoption of the General Data Protection Regulation (GDPR).

WP29's four priorities are:

  • setting up the administration structure of the European Data Protection Board (EDPB)
  • preparing the one stop shop and the consistency mechanism
  • issuing guidance for controllers and processors
  • communication around the EDPB and GDPR

The action plan will be completed in 2017 with new objectives and deliverables.

The full text of the statement can be found here

Google applies 'right to be forgotten' across EU

Right to be forgotten requests will apply across all sites accessed from Google searches in the EU. Previously the company had only removed content from search websites that included google.co.uk or google.fr, stating that its other sites were not covered by rules which allow outdated and irrelevant links to be removed. The Financial Times states that the move comes at a time when tech companies are looking to take a more conciliatory approach with EU privacy regulators.

The "right to be forgotten" has been enshrined in Article 17 of the finalised December text of the draft European Data Protection Regulation; however, it is now referred to as "the right to erasure".

The Financial Times article can be found here


President Obama uses Executive Order to establish Federal Privacy Council

A permanent Federal Privacy Council has been established after President Obama signed an Executive Order on 9 February 2016. The Council is intended to act as the principal interagency support structure of the US government and agencies acting on its behalf.

Key aims of the Privacy Council:

  • build on existing interagency efforts to protect privacy
  • expand skills and career development opportunities for agency privacy professionals
  • improve the management of agency privacy programs through the identification of lessons learned and best practices
  • promote collaboration between and among agency privacy professionals to reduce unnecessary duplication of effort and to ensure the effective, efficient, and consistent implementation of privacy policy Government-wide

The text of the Executive Order can be found here