Our data protection experts, Jocelyn Paulley and Helen Davenport, look at the latest hot areas and developments of data protection, including international transfers, recent cases and updated guidance from the ICO.

Transcript

Helen Davenport: Good morning everyone and welcome to the first of our series of Autumn 2021 Thinkhouse Webinars developed specifically for in-house counsel. Thank you very much for joining us today. I am Helen Davenport, a partner in the commercial litigation team at Gowling WLG and leader of the contentious data protection and cyber security practice at Gowling WLG in the UK. I will be co-presenting the data protection update session we have for you today with Jocelyn Paulley also a partner at Gowling WLG.

In terms of housekeeping, before we begin, we are very pleased to take questions as we go so please do put any questions as they occur to you in the Q&A box and we will also aim to pick up any remaining questions in the time that we have got at the end. I confirm that the session will be recorded and available after the event and it will also be circulated to attendees with the rest of the series of these seminars. Those details covered, I will hand over to Jocelyn.

Jocelyn Paulley: Good morning everyone. Pleased to have you with us today. I will just briefly outline our agenda for this morning because today we are going to take a look at some of what is hot and what is happening in the world of data protection and there has been a lot going on over the course of the year as Helen and I were looking back and preparing for the session.

So first of all, I am going to take a look at what has been going on around international transfers and there has of course been an awful lot going on since the UK left the European Union over the course of the summer and then particularly in the last month as we start to get a flavour of what might lie on the road ahead. I will then hand back to Helen and she is going to have a look at some recent UK cases and enforcement action and see what trends and patterns we can start to see emerging there and then I will take us back for a quick reminder of the latest guidance we have seen come from the ICO that is most likely to be significant for you and a bit of horizon scanning to see what else is out there that you might need to be aware of in your day to day.

So firstly let us have a look at international transfers. I am going to break this down and do this by transfer to transfer so first of all we will look at EU to UK transfers. Now this might not seem immediately apparent to some of you here today if you work within a UK-based business, but I am conscious that lots of you will actually have group companies spread across Europe and even if you are within the UK, you are going to be on the receiving end of transfers out of the European Union so still helpful to know the context in which the Europeans are operating. So following the UK's departure from the European Union we are now of course seen as a third country in terms of international transfers which would mean that transfers from the EU have to have an appropriate safeguard to be able to get the data to the UK. It came down very close to the wire for the European Commission to decide to give the UK adequacy which we did finally get on 28 June just before the transitional arrangements were due to expire at the end of June so good news from a regulatory point of view for now in that transfers from the EU to the UK do not need any additional level of protection because we have adequacy but unfortunately that is not the end of the story in terms of an EU finding of adequacy for the UK. This adequacy decision for the first time ever has what has become known as a sunset clause which says that if at any time in the future, the European Commission deems that the UK practices have moved away from the standard they were when the decision was given and that the UK is no longer offering an adequate level of protection, the European Commission could withdraw that finding of adequacy and in any event even if that was not there the adequacy decision will automatically expire in four years' time so there will definitely be a review at that point.
So I am afraid this is still an area that we will have to watch and be aware of and in terms of your day to day, it means that the data mapping that we always talk about at these sessions is ever important so that you know, understand and have a view of your organisation's data transfers now including as between the EU and the UK which we did not used to look at when we were all within the EU so that if this changes in the future you have got a really clear picture of which transfers that is going to affect within your organisations or its supplier relationships or customer relationships and what steps you will have to take.

So moving on then to look at EU to other third country transfers. Again we have seen some significant action here so over the course of the summer we saw the European Commission publish a new version of the standard contractual clauses to replace the previous ones. These will be mandatory for any new data transfers happening from next Monday and for current data transfers that are based on the old version of the SCCs, the EU want to see all of those repapered and put on to the new SCCs by December next year, so it gives a period of time but not a huge period as we know from doing GDPR update exercises. This kind of repapering if you have a large customer base or supplier base is quite a significant effort. Why has the European Commission done this? It is not just to add more paperwork to our lives, there was a recognition that the clauses that were currently approved, or that the European Commission had previously approved, only deal with a limited number of scenarios; we only had controller to controller or controller to processor and in today's world of data transfers the clauses need more options and more variables for different transfer relationships so the clauses also now cover processor to a sub-processor or a processor in the EU back to a controller outside of the EU so there are now four varieties of combinations you can use the clauses for.
There is also an optional docking clause to allow more than just two parties to sign SCCs which was again another difficulty previously recognising that data transfers are now often not just bilateral but they go many ways between groups of organisations, and as you might expect the clauses also now cater for the impact of the Schrems II decision from last summer so there are clauses saying that the parties have looked at the laws of the country to which the data is being imported and that the parties have done an assessment and have put in place any additional measures that are necessary to ensure the transfer is adequately protected so they are a really significant departure from the clauses that we had previously. Still cannot be negotiated by a party, still in that set form, still have appendices that need to have the specific details of the personal data being processed entered into but the content of the clauses is really quite different and also just a reminder that over the summer the EU issued what they called, somewhat unhelpfully, SCCs but it was actually a template controller to processor set of clauses, nothing to do with international transfers, just for day to day processing within a jurisdiction so there are now two sorts of SCCs out there, one in an international context and one in a pure day to day processing context.

So now let us switch and look at what is happening within the UK because of course we are outside of the EU, we look outside to all other countries as third parties and have our own rules around transfers. So we have known since last year sometime in the autumn that transfers from the UK to the EU would have adequacy, the Government came out early on and said we are not going to require additional paperwork for transfers from the UK to the EU. But what about the countries which had adequacy from the European Commission prior to the UK's departure? Well the UK Government also said we will honour those findings of adequacy and so transfers from the UK to countries who had findings of adequacy previously can still go ahead and will still be adequate.

The big news and where this starts to get interesting, and now increasingly political, is about what does the UK do next around potentially finding other countries can have adequacy so we do not need to put in place any other measures. Within the last month the Government has come out and said that it has a primary list of countries, which are the ones on the slide there, whose regimes the UK is going to look at to see if it can give a finding of adequacy and there was actually a secondary phase of countries as well behind those listed on the slide covering India, Brazil, Kenya and Indonesia. This has become political because the power to grant these findings of adequacy now lies with the Government, the Secretaries of State, rather than with the ICO. The ICO will still have a consultation role to play and has signed a memorandum of understanding with the Government around how the ICO will work with the Government and review assessments and be involved in the findings of adequacy but this is no longer the Regulator's decision. So the Government has published this mission statement called international data transfers: building trust, delivering growth and firing up innovation. As you can quite clearly see there the link that the Government is emphasising between the ability to pass data and the ability to trade and this mission statement talks about the value of trade with the countries where the UK is looking to find adequacy for over £80 billion worth of trade passing between these countries and they see making the transfer of data easy as one way to unlocking further trade potential and encouraging innovation and I really think this is a very active example of what the UK Government said it wanted to do if we were able to leave the European Union, to make its own decisions, emphasise its own powers and set its own trade agenda, and it seems to have alighted on data and international transfers as a way to make this very real.
Also within the mission statement they talk about the international data transfers expert council which is being created. It is taking applications for members at the moment. This will be a council of 15 and they are going to work to remove unnecessary barriers to cross border data flows so this is the Government really taking hold of this whole area and looking to try to facilitate trade by removing what it sees as unnecessary barriers. The caveat though of course to all of this is that if the Government does give findings of adequacy to some of these countries, and we know the European Commission has serious concerns about data processing in the US because that is what we learnt through the Schrems II decision, this could then impact the finding of adequacy that the European Union has given to the UK so it might make data transfers easier but then we might have different issues sending data back into the European Union. So a really interesting area to watch and it will definitely be one we will be picking up again at future ThinkHouse events.

The UK though is also looking at its own version of SCCs. Helpfully we are now going to call them a different acronym; they will be the IDTA, the international data transfer agreement, so we can use a different acronym to distinguish from what the Europeans have and these are currently out for consultation at the moment. That consultation will end on 7 October. The IDTA does not sit in isolation though. The pack that the ICO has put out for consultation includes a transfer risk assessment toolkit. So it is a really comprehensive toolkit and as always with ICO guidance, it is trying to be as practical and easy to follow as it can be; there are a series of flowcharts prompting organisations to work through a risk assessment around any international transfer and try to get to a point where it tells you whether the IDTA is a suitable tool for you to use or not and helps to identify the risks of the transfer and therefore potentially what additional measures you could put in place to safeguard the data that is being transferred. The ICO is hoping to have the IDTA and the transfer risk assessment tool finalised by the end of this year so really quite quickly and that would then mean that if we are transferring data out of the UK to third countries that do not have adequacy this is the process that you would be looking to follow.

The draft IDTA is very different from the EU SCCs, it does not follow the same format at all, you cannot spot that it is a drafting that had been moved across. It does of course cover similar ground in that it allows for a lot of flexibility, it is trying to be a flexible document and somewhat less rigid than the EU SCCs can be. It allows you for example to talk about linked agreements that might be the service agreement to which your data transfer is related but it is a very different approach to the EU SCCs. The ICO though does seem to have offered an alternative to a brand new IDTA which is a very simple, very short addendum to the EU SCCs to let them work in a UK context so it looks like the results of the consultation could be quite significant in terms of the paperwork that we are then left to work with when we are transferring data from the UK to other third countries.

So that is all on international transfers for now. Over to Helen to look at some of the UK enforcement action.

Helen: And before we do that actually Jocelyn we have had a few questions on international transfers so I wonder if now might be a good time to at least pick up a couple of those before we move on. One question, any recommendations for data processors, I think this is in the context of having existing arrangements with data controllers, what should data processors be doing? Any recommendations either to wait until they are proactively contacted by the data controller or to take more action in the meantime?

Jocelyn: I think if you are a data processor and you know that as part of your supply chain you work with sub-contractors or sub-processors who are based in other jurisdictions it will make your life a lot easier if you can go to your controllers and say this is what our data transfer landscape looks like, this is how we think we should make sure that is compliant because we are using binding corporate rules or because we are using some version of SCCs and present that as a solution to a customer. Because otherwise if you get lots of different customers pulling you in different directions that is going to be much more of a headache for you to administer within your own business than if you can set up a structure and persuade your customers that this is an easy structure for them to work with and you have the right paperwork and documentation already in place.

Helen: Thank you Jocelyn and one more before we move on. There are lots actually, so we may need to come back to them at the end but one more in the time we have available, and this is regarding the EU transfer SCCs which have a number of module sections in them. Do you recommend tailoring the SCCs, just using the applicable modules, or providing for effectively using all of the modules and saying that these will apply if the circumstances apply in future?

Jocelyn: I know going back in time, we did use to do that with the data protection clauses sometimes to say 'if the context says we act like this then these clauses apply, if however the context is like this, these clauses apply'. I think that is harder nowadays with the requirements for accountability and data mapping, records of processing; organisations are meant to understand in what context they are processing and handling data because if you do not know if you are a controller, a processor or even a sub-processor or a joint controller then you are not going to be able to comply with all the other obligations that then stem from the role in which you are acting with regard to that data so if you were going to have this structure that said if we are acting in this context then these clauses apply I think you would still have to have documented somewhere when those clauses apply, what scenario it was. I don't think you could leave it just totally flexible without including the specifics in the agreement because that is what all the regulators want to see in any context. They want to know what data are you actually processing as part of this relationship.

Helen: So as I have said there are other questions, it might be that we come back to them at the end but I am conscious of time, I suggest we move on to our UK cases and enforcement update.

Companies are increasingly faced with compensation claims made under the UK GDPR where there has been a cyber attack or an accidental data breach. The UK GDPR and its predecessors allow for a claim to be made for compensation for damage caused by their contravention, including for distress and/or loss of control as well as or instead of financial loss, as you will be well aware. This has been a significant factor in the growth in claims.

In previous sessions we have covered developments that have given encouragement to claimant lawyers, such as TLT v Secretary of State for the Home Department, a 2016 case in which damages totalling between £2,500 and £12,500 were awarded to six asylum seekers whose confidential information, in the form of a spreadsheet about 'the family returns process', was accidentally published online and downloaded by third parties; and the potential for group claims on the basis of vicarious liability following the Supreme Court's decision in Various v Morrisons, despite the claimants' claims failing in that case.

Today we will look at some of the trends and developments in data protection cases including some good news for data controllers who may be facing such claims or may face them in future.

Support for there being a common understanding that there is a de minimis threshold for compensation comes from the Court of Appeal decision in Lloyd v Google [2019] EWCA Civ 1599, despite that decision otherwise being helpful for claimants. The decision refers to the threshold for seriousness applying to claims under section 13 of the Data Protection Act 1998, the predecessor to the GDPR, with Sir Geoffrey Vos, Chancellor of the High Court, saying that threshold would undoubtedly exclude a claim for damages over an accidental data breach that was a one-off and quickly remedied.

Therefore, in low-level data breaches the question of whether compensation is payable at all may arise. Distress must be reasonable in the circumstances, and claimants must also show that the de minimis threshold has been reached. What is perhaps surprising is that we do not already have further guidance on this from subsequent cases but given that claims continue to rise, it is reasonable to expect more guidance in the near future.

One species of inadvertent data breach considered recently by the Courts is that of a cyber-attack. Judgment in Warren v DSG Retail Limited was handed down at the end of July this year [2021] EWHC 2168 (QB). It is a case which concerns a low value claim arising out of a data breach in 2018 in which DSG's systems were accessed by an unauthorised third party. The Claimant claimed that his name, address, phone number, date of birth and email address were compromised and that he had suffered distress as a result.

The causes of action relied upon were breach of confidence, misuse of private information and breach of the Data Protection Act 1998 (not the GDPR given the timing of the incident) and common law negligence, which is an approach commonly adopted by claimant law firms in such claims. The defendant applied for strike out/summary judgment of all claims apart from the claim under the Data Protection Act 1998.

Mr Justice Saini found that misuse of private information and breach of confidence were not appropriate causes of action in such cases as those heads of claim are concerned with prohibiting actions by the holder of the information and do not impose a data security duty. The Judge also found that the negligence claim had fundamental issues as (a) a duty of care would not be imposed where the statutory duties under the Data Protection Act 1998 apply; and (b) the claimant's claim for distress was not sufficient to be entitled to claim damages in a negligence claim, which absent financial loss requires the claimant to have suffered a clinically recognisable psychiatric illness, which was not alleged here.

Consequently, the only remaining claim for a future trial is whether the security of the data was sufficient under the Data Protection Act 1998. Unless successfully appealed, and I'm not presently aware of one, the decision has a number of consequences for data protection litigation going forward.

The decision limits the scope for claimants to bring claims for breach of confidence, misuse of private information and negligence alongside claims for breaches of the data protection legislation. Fewer issues to be dealt with reduces the burden on defendants. However, of further significance is that claimants in these types of disputes commonly obtain after the event (ATE) insurance and seek recovery of the premiums from defendants. The value of the insurance premiums can be more than the claim in issue and also provides claimants with an opportunity to recover damages but with limited costs risk if they lose.

Following Court reforms the ability of claimants generally to recover ATE premiums is significantly reduced, but they are still recoverable in "publication and privacy proceedings". Those types of proceedings include misuse of private information and breach of confidence claims but not Data Protection Act 1998 or GDPR claims. So if a claimant cannot bring misuse of private information and breach of confidence claims in its claim it also cannot recover the ATE premium, which may well make bringing the claim less attractive. The decision may also have an impact on allocation and/or the appropriate court for such claims.

Data breach claims may be issued in the County Court or High Court, but should only be issued in the High Court if their financial value, complexity or public importance warrants it. The fact that the claim is for a data breach and so would fall under the Media and Communications List if issued in the High Court is not by itself sufficient reason to bring a claim there. A real risk of a low-level data breach claim proceeding in the High Court is that while any eventual damages may be low, the costs sought by a claimant, and the costs risk for data controllers, will be far higher. The court may, of its own volition, transfer claims to the County Court, and defendants can apply to transfer such claims to the County Court if this does not occur. In Warren the Court has now transferred the claim to the County Court for directions.

Claims transferred to the County Court may also be appropriate for allocation to the small claims track. This has the benefit for would-be defendants that under the small claims track only fixed costs are permitted, and the risk that a claimant may only recover fixed costs, at best, may well discourage claimant law firms from taking on such cases in the first place.

An example of a case being transferred is that of Ameyaw v McGoldrick [2020] EWHC 3035 (QB) which included a claim for non-compliance with a subject access request. In that case, Mr Justice Warby, as he was then, held that the High Court was not "even arguably the right forum" for such an action. The proportionate means of disposing of it was to transfer the matter to the County Court for resolution, he thought, under the small claims track. There is certainly good news here for data controllers involved in data protection cases including low level accidental data breach cases and/or cyber attacks. However, it remains to be seen whether these decisions will substantively reduce the number of claims being brought or whether there may just be a change of focus to other claims.

Mass data breach claims are likely to still be attractive, and where an ATE premium is proportionate for it to be incurred given the total sum being claimed by all of the claimants together. We've spoken before about the risks for data controllers that whilst the sum that one claimant may be able to claim is relatively small that can give rise to a large sum when multiplied by the number of affected individuals and potential claimants.

A key decision to watch out for will be the Supreme Court's decision in Lloyd v Google LLC following the hearing that took place in April. That case is not about a cyber attack or accidental data breach but about Google having allegedly tracked and collated information relating to users' internet usage on the Apple Safari browser without their consent, and will impact on the ongoing potential for representative class actions on an opt-out basis.

Another potential area of ongoing interest for claimants, which we continue to see, is claims arising out of the use of cookies and in particular where it is alleged cookies are used in breach of the Privacy and Electronic Communications Regulations and the UK GDPR without consent having been obtained from the individual concerned.

Before we move on, let me also briefly round up what the ICO have reported as their main areas of regulatory activity over the last 12 months or so. The first highlighted by the ICO is that of GDPR fines. The figure on the slide of £39.65m is mostly made up of the final fines for BA and Marriott. The circumstances of those fines being reduced are relatively well known so I do not propose to use any of the time we have today on them. It remains the case that in most personal data breach reports the ICO does not take further action, but it is important to note that a key factor is that the ICO has determined in those cases that the organisation had measures in place to address the breach or was doing so.

The other fines issued by the ICO have been in the area of nuisance calls, emails and text messages where the ICO has issued 35 penalties totalling £2.306m in the 12 month period to July 2021 and this continues to be an area in which the ICO is active - further penalties this week.

The ICO has taken action regarding use of the technique of mobile phone extraction by police forces as part of criminal investigations following an ICO investigation into the same.

Transparency and FOIA remain a key area for the ICO, which dealt with 4,000 complaints and issued 1,029 decision notices, although there has been a reduced number in the last 12 months or so which the ICO attributes to the pandemic.

The final areas are credit reference monitoring and adtech, which I am not going to say more on at this stage as Jocelyn is going to cover the current work and future developments in this area in some detail in the final part of this session given the potential breadth of impact and interest. The key overall message is that the ICO says it is focusing on these areas because that is where there has been the most significant impact on individuals.

The final point I wanted to cover is that the first GDPR fine issued by the ICO has now been revisited in the Tribunal. As you may recall, in December 2019, the Information Commissioner's Office fined a London-based pharmacy £275,000 for failing to ensure the security of special category data. Doorstep Dispensaree, which supplies medicines to customers and care homes, was alleged to have left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

The penalty was reduced by two thirds on appeal. During the appeal process, it emerged that the ICO had based its figure of 500,000 affected documents on an estimate provided by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. The Tribunal heard that in fact a significantly lower number of documents containing personal data were recovered: around 66,000, of which around 53,500 contained special category data. Judge Macmillan ruled that no single factor led her to reduce the fine to £92,000. Instead, she had taken "a number of issues" into consideration, including the financial hardship suffered by Doorstep Dispensaree and the significance of the breach. In this context it should be noted that Doorstep Dispensaree's submission that the penalty should be reduced proportionately to the percentage of documents now relied upon was rejected, and no doubt Doorstep Dispensaree incurred significant costs in achieving the reduction.

Jocelyn: Thanks very much Helen. So now a bit of a look at what else is moving on the horizon and likely to be coming down the tracks and a reminder of some of the latest guidance we have seen come out. So first of all I want to pick up on the ICO's investigations into the advertising industry. This has been ongoing for some time, first started in 2019, was suspended during the pandemic but kicked off again as of February this year.

So the ICO's previous focus was around some of the direct marketing activities of three of the largest credit reference agencies and the ICO carried out audits under their powers under the GDPR to go in and understand more about the detail of the data processing activities of these three key credit reference agencies because they said they found that their processing activities were so significant given the volume of the processing, how much data was collected, how much was augmented and profiled, and they were concerned about how that was then being used potentially in a marketing context and as a result of that investigation the three organisations were all asked to change some of their data processing activities, some of their non-compliant products were actually withdrawn from the market and ultimately there was enforcement action issued against Experian requiring it to change some of its practices and requiring it to change its privacy notice. So interestingly all around transparency and did individuals understand the way in which their data was being used, as opposed to there being breaches of the type that Helen was focusing on where data is lost or hacked or corrupted in some way.

This is really around the accountability and the transparency points and almost using that as a starting point and a springboard the ICO is now focusing their investigation around real time bidding in the adtech industry, so that is where, in a few split fractions of a second when you land on a web page, the banner ads and the ads down the side of the page are decided. A real time bidding auction goes on as to whose advert is going to be displayed to you in that space and that auction depends on what cookies have been set on the device from which you are viewing this webpage, travelling that through this huge industry so that brands who want to place an advert in front of someone with your profile or with the kind of preferences you have indicated previously can get their advert there. This is a massive, really complex industry and the ICO, in the papers issued to date, state that their initial investigations find there is a big lack of transparency. Consumers do not understand how their data is being used and the vast number of organisations that are involved in this real time bidding process. They are concerned specifically about lack of consent around special category data because some areas of advertising do rely on knowing special category data, for example if you are trying to advertise a healthcare product. They have started to look at DPIAs and interest assessments that some companies in this sector have undertaken and their comments are that they are concerned about the lack of maturity around those documents. They feel that people have had a go at them, they have not really given them due care and regard and attention. They have not properly worked through the issues and even when they have, the ICO are not convinced by the arguments put forward in that balance of responsibility and risk as between the organisation and the individual.
So that is why the ICO is really focusing on this sector and trying to unearth where the problem areas are and what might need to be done to resolve it. I think we will see in the course of this investigation more audits into different companies as the ICO tries to increase and enhance their understanding.

It is not just the ICO as a Regulator that is interested in this area. For some years now the ePrivacy Regulation has been under review at the European Commission, so this has been a very long time in coming. An early draft was around at the time of GDPR and the initial intention had been that it would come into force at the same time as GDPR, but it got delayed because GDPR took over, and then there have of course been changes in the seat of the European Commission. It is now moving through the legislative process and actually making progress, so it does look likely we are going to see it finalised later this year and then potentially 2023 before it comes into force. The ePrivacy Regulation would be the successor to the Privacy and Electronic Communications Regulations that Helen mentioned previously, so this is the legislation that looks at the legal regime around the placing of cookies and similar technologies on end users' devices and the consent that has to be sought around that. You then get this linkage between PECR and GDPR in two ways: one, because the standard of consent that is required under PECR is the same standard of consent that is required under GDPR, so it has to be specific, valid and informed; and the other link is because in collecting cookie data you are very often actually collecting personal data, and then of course GDPR applies in the same way as it does to any other personal data. So it is quite a complex area, and a reform of it is really interesting, particularly because you can see some issues that the regulator in the UK is trying to address.

So what does the draft ePrivacy Regulation currently do? You will not be surprised to hear it is broadening the remit of what PECR was focused on. PECR was focused around cookies and similar technology, so flash beacons and similar bits of text that could be embedded on a device, but this is also broadening it out to internet of things devices, machine to machine communications and over the top communications, so anything that has two devices or two points of contact talking to each other and transferring data. It is going to apply to the collection of metadata, so the extra information that is generated around some kind of transfer like the time of it and the size of it, and it is all going to require consent from the end user before any kind of collection of data or placing of a bit of code on a user's device can take place. That of course leads to issues around consent fatigue and consumers just clicking on boxes that pop up because they want to get on to websites without reading it or understanding it, and that of course defeats the whole point of having a consent mechanism there in the first place. So the regulators are really pushing for browsers to come up with a better technology to help users give consent up front as to what cookies they want to engage with and what they do not, so that the user can set that and set it once, or go back and adjust it if they want, but not so that each time you land on a website you have to deal with that pop up which results in people just clicking to make it go away. They also hope it means it will get rid of the cookie wall, where effectively you can't access a website before you have clicked OK, which they see as not a valid consent in any event unless there is a really good justification as to why that is the case.

The ePrivacy Regulation in its current draft form also brings in requirements to assess grounds for processing in the same way as you would do under GDPR, and brings in extra territorial effect. So although this would be a European piece of legislation and not directly relevant to the UK, that extra territorial effect probably will mean that we need to end up complying with it, depending on how a UK website is structured and whether it is being focused back and asking people in the European Union to engage with it, so it is likely to be significant from that point of view. This whole area around cookies and adtech is very much on the agenda internationally: we have seen the ICO's investigations, this is the European angle, but at the G7 summit only a couple of weeks ago the ICO brought the issue of cookies to the table at that summit as an issue that requires greater collaboration internationally, so beyond just the UK and the EU, in order again to facilitate better trade and better privacy controls. So it is absolutely up there internationally, and even ahead of this regulation coming into force we are actually starting to see changes in industry.

Google is creating its privacy sandbox where it is trying to put in place some of those mechanisms that the Commission seem to be calling for, by allowing personal data to be processed and analysis about preferences done at browser level, and then when a third party, who historically would have placed third party cookies, wants that data, the data can be sent out from the browser in an anonymised form so it is not showing personal data. So even ahead of this regulation coming in Google is changing the whole way it works with regard to third party cookies, and while some browsers such as Apple's Safari have done that previously, because they do not have as big a share of the market it has not had the impact on industry that it will do if Google changes its approach to third party cookies, which will then in turn affect the way that all of your businesses think about their marketing strategies and how you collect that kind of data about audiences. So there are some really big changes going on in this area.

And then finally a bit of a broader horizon look at what else is out there. I wanted to just remind everyone of the two statutory codes of practice that are now in force. Very briefly, the data sharing code of practice: we looked at this back in ThinkHouse earlier in the year, but we are definitely seeing it having an impact in the type of work that we are doing for clients. We are looking at more and more data sharing agreements, whether that is controller to controller or joint controllers or multi-party, detailing out the nature of the data sharing and recording the relationships and setting out each party's obligations. So it is really important in a data sharing context now that you have the necessary documentation to back up your data sharing in order to comply with the accountability principle.

Much more recent is the age appropriate code of practice. That came into force just on 2 September this year, so this applies if you are an information society service, which is effectively any kind of website or connected toy or search engine or marketplace or an educational service that is likely to be accessed by a child. It is not "primarily aimed at" but "likely to be accessed by" a child. A child is anyone under the age of 18, so that is pretty broad, although the clue is in the title. It is an age appropriate code, and the regulator does want to see organisations who are focusing on different parts of that 0 - 18 market styling all their information appropriately depending on the age and understanding of the child. Overall the code of practice only has one new thing. There are 15 standards that it sets, 15 areas it looks at, most of which take the GDPR principles and go into them in more detail or are more shaped in terms of what regulators expect to see around children's data. I think the new element is this idea of having to act in the best interests of the child, which is definitely a higher standard than you see when dealing with normal personal data, where you have to have regard to the rights and freedoms of the individual. Actively actioning the best interests of the child really puts quite a kibosh on things like trying to profile around children's data, having nudge notifications turned on, or geolocation turned on, so it is a change in that sense.

The AI toolkit - that carries on its progression. We have seen an alpha release and a beta release, and the ICO is hoping to have a final release in December this year. This is a toolkit that helps organisations that are using AI to process personal data, and it is designed to help you audit that tool and work out whether or not it is GDPR compliant. There is also a broader guide to data protection and AI, and then there is the very, very detailed "Explaining decisions made with AI" guidance, which the ICO produced in collaboration with the Alan Turing Institute. That is all about how you write a privacy notice that explains to people what AI is and how it is using their data and what the impact on them might be, so it is very, very detailed guidance.

And finally one that will be relevant to every single organisation here: the ICO has a consultation out to refresh its data protection and employment code of practice. This is now quite old when you look at it. The main guidance was published in 2011 and the supplemental guidance goes all the way back to 2005, with the old ICO branding on it even, so it is definitely due a refresh. The ICO feels that now is the right time, particularly in light of things like COVID and increased collection of healthcare data, working remotely, and the different types of monitoring that employers are carrying out on employees now we are working more remotely. So they are aiming for pragmatic and practical guidance again, which I think the old guidance was, so just look out for that consultation closing later this year and then that guidance being refreshed, because that is one that will be relevant to everyone.

So thank you very much. We will now take some questions and I know there have been a number come in on the chat. Helen, have you pulled any out?

Helen: Jocelyn, I was going to take a question on data breaches which has come in. A lot of the questions are relating to international transfers - a popular topic - which you may have had a chance to look at while I was speaking, so if I take the data breach question then possibly you could pick up one or two questions on the international transfers.

So the question that we have had around data breaches is the fact that the ICO says they want to know about breaches that impact the rights and freedoms of the individual, but what does that mean, because they also have a statement on the website that says that they are not expecting to be informed of all data breaches, and is there any guidance about how to go about that?

As the question also mentions, there is a self-assessment tool on the ICO's website, which is now published, which you may find helpful, and it is important to mention of course that this is an assessment done by the data controller; the data processor's role is to report the breach to the data controller without undue delay so that the data controller can undertake this assessment. If the guidance on the ICO website, the self-assessment tool and the other examples there do not get you to a final answer, or there is still doubt, we have had some guidance at an EU level since 2018, and that was published by the Article 29 Working Party. It has now been adopted by the European Data Protection Board, so there is guidance on personal data breach reporting, and even more recently the EU also has some guidance on particular examples and whether those would be reportable to the supervisory authority and/or individuals, so all of that is potentially helpful. The caution around that at the moment is that because it is EU guidance the ICO are not strictly bound to apply it, it is not their guidance, but you may well find it useful, particularly while we have a consistent regime. If you have still got a difficult decision obviously it may be prudent to take some advice, but the key thing ultimately is to document the decision that you have reached in your breach log, so that if there are any questions about the decisions you made and whether you should have reported it or not, then at least you can explain your decision making after the event. So I hope that answers that one. Over to you Jocelyn.

Jocelyn: Thanks Helen. So there are a couple that had similar questions so I might group a few together. There were some asking, given that there is the IDTA under consultation and there are new EU SCCs, if you are in the UK looking to transfer data out to a third country, what documentation should you be using right now?

So right now, we should still be using the old EU SCCs, because the new EU SCCs are from the European Commission and they were post-Brexit. They have no effect in this country unless the ICO says that is what we should be using. The ICO though does have guidance on the website saying right now continue to use the old EU SCCs, and the ICO does have a version on their website, which we can include with the notes that come out after this, where they have taken the old EU SCCs and just tweaked the legislative references so it makes sense in a UK context, referring back to the UK GDPR not the EU GDPR. So that is what you should be using right now. I would not recommend using the IDTA while that is still under consultation. It could change in the final version. I think, given what we have seen with previous ICO consultations, I would be surprised if there were dramatic changes in the structures being set out, but there could well be changes within the drafting of some of the clauses which could still be quite significant, so that is what I would do for now.

Another question around the complexities of lining up what is happening contractually under your services agreement with the data processing side. So it is quite possible that you might have a services agreement between customer and supplier, but then the supplier is actually using an affiliate to fulfil at least part of the scope of the services, and it is that affiliate that is based outside of the EU or the UK, or not in a country that has an adequacy decision. In that circumstance, yes, you would have a contract between customer and supplier, let's say it is the supplier's headquarters, but then you would have your data transfer agreement between the customer and the relevant supplier affiliate that is based outside of the UK or the EU. That would be with different legal entities, and that is why often you cannot just append or add standard contractual clauses to the back of your main services agreement and just say, oh, by signing this agreement we are signing the standard contractual clauses as well. You actually need a different signatory to those standard contractual clauses, because it needs to be the supplier's affiliate who is outside of the jurisdiction, as they are the data importer. So you are right to look at those two things separately: you have to follow the actual line of the data transfer and the data processing rather than the contractual services agreement to which it relates.

Read the original article on GowlingWLG.com