DWF Data Protection Insights November 2020

This month's highlights include the European Commission and the EDPB's response to the Schrems II decision, in the publication of consultation versions of new and updated standard contractual clauses, supplementary measures and recommendations on essential guarantees for surveillance measures.

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)

EDPB/European Commission Guidance
This month's top data protection news is the publication of consultation drafts of:

• updated standard contractual clauses for the transfer of data from the EEA to countries outside the EEA (third countries);
• new standard contractual clauses between EEA controllers and processors;
• recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal; and
• recommendations on the European Essential Guarantees for surveillance measures.

Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
Given the importance of these recommendations, we've focused on them to provide details of the key points, but feel free to scroll down for an overview of the other items published by the EDPB and European Commssion, as well as other news.

These were published in response to the recent Schrems II decision, in which the CJEU invalidated the Privacy Shield as a lawful basis for transferring personal data from the EEA to the USA, but stated that data exporters could continue to rely on the Standard Contractual Clauses (SCCs) provided that, in some circumstances, "additional measures" were put in place.  The EDPB's recommended measures include a six-step approach to compliance:

• Know your transfers – map all your transfers of personal data to third countries.
  
• Verify the transfer tool your transfer relies on – is the transferee's country/sector covered by an adequacy decision?  If not, if the transfers are regular and repetitive, you need to rely on a transfer tool listed under Article 46 (usually standard contractual clauses or binding corporate rules).  You can only rely on a derogation under Article 49 for occasional and non-repetitive transfers.
  
• Assess whether there is anything in the law or practice of the third country that may affect the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should focus on the transfer tool you are relying on, the legislation in the country to which the data is being transferred and whether it may undermine the level of protection the safeguard provides.  To help you to conduct this assessment, you should refer to the EDPB European Essential Guarantees recommendations (see below).
  
• Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence - This step is only necessary if your assessment reveals that the third country legislation affects the effectiveness of the transfer tool you are relying on or you intend to rely on to make the transfer. Annex 2 of the recommendations contains examples of supplementary measures with some of the conditions they would require to be effective.  Importantly, it also contains examples of scenarios where no effective measures could be found, in which cases the transfer could not go ahead.
  The categories of supplementary measure covered are:

• Technical measures, including strong encryption, pseudonymisation and split processing, where the personal data is split so that the data subject(s) cannot be identified;
  
• Additional contractual measures, such as:

• Requiring the recipient to: implement specific technical measures; provide information about public authorities' access to personal data in its country; or certify that it has not created back doors or similar programming or changed its business processes in a way that could be used to access the data and that national law does not require it to do so. 
• Including the right to conduct audits on short notice.
  
• Requiring the recipient to inform the exporter promptly if the recipient is unable to comply with its commitments.
  
• Where permitted by national law, provide for a "warrant canary" method, where the recipient commits to publish regular cryptographically signed messages confirming that it has not been ordered to disclose personal data.
  
• Requiring the recipient to review the legality of any order to disclose data, and challenge such orders where appropriate.

• Organisational measures, such as putting in place internal policies for governance of transfers, particularly with groups of enterprises; and developing specific training for personnel in charge of managing public authority requests to access personal data.
  
• Transparency and accountability measures, such as:

• Recording the requests for access received from public authorities and the response provided, alongside the legal reasoning and personnel involved.  The importer should provide these to the exporter, who can then provide them to data subjects where required.
  
• Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, where local law allows this.

• Organisation methods and data minimisation measures – implementing a strict "need-to-know" principle, and considering whether the processing needs the full database, or only the transfer of a limited dataset.
  
• Adoption of standards and best practices - strict data security and data privacy policies, based on EU certification or codes of conducts or on international standards (e.g. ISO norms) and best practices (e.g. ENISA) with due regard to the state of the art, in accordance with the risk of the categories of data processed and the likelihood of attempts from public authorities to access it. 
  
• Take any formal procedural steps the adoption of your supplementary measure may require, depending on the transfer tool you are relying on - You may need to consult your competent supervisory authorities on some of them.
  
• Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and monitor if there have been or there will be any developments that may affect it – The accountability principle requires continuous review of the level of protection of personal data.

New standard contractual clauses between controllers and processors
These are for use where both the controller and the processor are based in the EEA.  While it will not be compulsory to use them, they provide a standard data processing agreement that meets the requirements of the GDPR and indicate the level of detail that the EDPB expects to see in a controller-processor contract.

Updated standard contractual clauses for the transfer of personal data to third countries
These will replace the existing standard contractual clauses (SCCs or "model clauses") for the transfer of data from the EEA to countries outside the EEA.  They include updated versions of the existing controller to controller and controller to processor clauses, and add new clauses for transfers from processors to sub-processors, and from EEA processors to non-EEA controllers (which will be particularly useful following the expiry of the Brexit transition period).

The European Commission states that the clauses are a modernisation of the previous clauses, designed to better reflect the use of multiple parties, complex processing chains and evolving relationships. They are designed to be flexible and allow for a number of parties, including for parties to accede to the clauses later ("docking clause"). They are drafted in a modular approach with general clauses followed by options for different processing circumstances.  The EDPB has emphasised that they are not a 'catch-all' solution, but must be used in conjunction with the supplementary measures outlined above.

Once the updated SCCs have been finalised and adopted, the previous version of the SCCs will be repealed with a one-year transitional period for contracts entered into before the new clauses come into force, provided the contract remains unchanged. This is likely to create a large burden for organisations in updating contracts within the course of a year, or earlier if contracts are amended.  The process for finalising the SCCs will not be complete until early 2021, by which time the post-Brexit implementation period will have expired.  This means that they will not form part of retained EU law, but it is likely that the UK will adopt similar clauses.

While the updated SCCs have not yet been finalised, we recommend planning how to manage your organisation's transition to the new version.  Please contact one of our data protection specialists if you want to discuss your organisation's plans.  We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest. 

ICO statement on the EDPB's recommendations and the new SCCs
The ICO has published a statement on the EDPB's recommendations and the new SCCs.  This includes the following points:

• The ICO is reviewing the recommendations and the draft SCCs and will consider whether it needs to publish its own guidance in due course.
• The ICO reiterates its advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available.
• The ICO continues to apply a risk-based and proportionate approach to its oversight of international transfers in accordance with our Regulatory Action Policy.

Recommendations on the European Essential Guarantees for surveillance measures
On 10 November the EDPB published these recommendations, which state that aim of the updated European Essential Guarantees is to provide data exporters with guidance on how to assess whether surveillance measures allowing access to personal data by public authorities (national security agencies or law enforcement authorities in a third country) can be regarded as a justifiable interference. There are four European Essential Guarantees: 

1. Processing should be based on clear, precise and accessible rules.
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
3. An independent oversight mechanism should exist.
4. Effective remedies need to be available to the individual.

The recommendations set out details of how to assess whether a third country's surveillance measures are compatible with these essential guarantees.

ICO Guidance
Two more reports published from the Regulatory Sandbox In the July 2020 issue of DWF data protection insights, we reported on the ICO's publication of the first two reports from the regulatory sandbox.  On 5 November, the ICO published two further reports, which both cover measures to combat financial crime:

• ensuring that use of biometric identity verification technology is fair and inclusive, identifying and mitigating any bias; and
• sharing pseudonymised data to detect and tackle financial crime.

Organisations who are considering developing tools and services in data sharing and children’s privacy online can register their interest with the ICO to take part in the next phase of the sandbox. In the meantime, if your organisation is considering any innovative use of personal data, please contact one of our specialists, so that we can advise on whether a DPIA (data protection impact assessment) is required and, if so, support you with this.

---

Enforcement action

ICO enforcement

The ICO has reported that the Insolvency Service has banned the director of a marketing company from becoming involved in the promotion, formation or management of a company for six years, for causing the company to make multiple unsolicited marketing calls, in breach of the Privacy and Electronic Communications Regulations (PECR).  While in several recent issues of DWF data protection insights we've reported on the ICO imposing fines for PECR breaches, this case provides a reminder that the ICO also works with other agencies, which can result in personal consequences for the directors responsible.

If you would like DWF's support to ensure that your direct marketing activities comply with data protection law, including PECR, please contact one of our data protection specialists.

---

Industry news

European Commission proposed European data governance regulation
On 25 November the European Commission published a proposal for a new regulation on data governance.  The proposal's stated aim is to increase trust in providers of data sharing services (data intermediaries) and strengthen data-sharing mechanisms across the EU. It will seek to encourage the sharing of data (both personal and non-personal) generated by public authorities, private sector organisations and individual citizens (data holders) by providing for:

• Data governance standards consistent with protections established in EU laws, including GDPR and the ePrivacy Directive (on which PECR is based).  Data holders will be encouraged to share data in the knowledge that it will be protected under the data sharing mechanisms and rules being introduced.
• Data intermediaries to function as trustworthy recipients and distributors of data. To establish trust and maintain neutrality, a data-sharing intermediary cannot exchange the data for its own interest (e.g. by selling it or using it to develop their own product based on the data) and will have to comply with strict requirements.
• Common European data spaces in nine strategic domains, covering data use in health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills, to facilitate the exchange of data sharing across these sectors. 

The consultation on the proposal is open until 21 January, so we will monitor developments and report in a future issue of DWF data protection insights on the impact of the new regulation on UK businesses.

ePrivacy Regulation – progress report
In the July 2020 issue of DWF data protection insights, we reported that the German Presidency of the Council of the EU had published a discussion paper on the draft ePrivacy Regulation (draft ePR).  On 4 November it published a revised draft of the ePR, but it has been reported that the draft has been widely criticised, and on 20 November the EDPB published a statement expressing its concerns, so it appears unlikely to break the long-running deadlock.  On that basis, we will not report further on the draft at this time, but we will continue to monitor developments and report on any proposals which are likely to shape the new Regulation, and how these will affect UK businesses.

In the meantime, UK organisations need to continue to comply with the Privacy and Electronic Communications Regulations (PECR), which implement the existing EU Directive into UK law and will continue to apply following expiry of the post-Brexit transition period.

FCA warns firms to be responsible when handling client data
The FCA has published a warning to FCA-regulated firms to remind them of the importance of processing and transferring client data in accordance with data protection law.  In particular, it reminds them that they must:

• provide clients with clear information about the purposes for which they are collecting or processing their data, and the clients' legal rights;
• maintain a record of how and why they process, share and retain personal data; and
• record the lawful basis for processing data.

The warning is brief, but provides a useful reminder to FCA-regulated firms that, if they breach data protection law, they risk action by both the ICO and the FCA.

---

Brexit preparation

Updating your privacy notice for the expiry of the post-Brexit transition period
The ICO has reminded businesses to review their privacy notices to prepare them for the expiry of the transition period to:

• reflect changes to international transfers;
• review references to lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR; and 
• identify their EU representative (if required).

DCMS Guidance on using personal data in your business or other organisation from 1 January 2021
DCMS has updated its guidance to emphasise that 'with only weeks to go, the EU has yet to make a decision as to whether they accept that the UK’s data protection regime is still adequate'.  The guidance has added a new warning in bold: 'Given time is running out before the end of the transition period, you need to act now in order to keep personal data flowing lawfully.'

While we have reported in previous issues of DWF data protection insights that UK government representatives had been expressing confidence that the UK would receive an adequacy decision, we have been advising organisations to prepare for the possibility that this will not be given before the expiry of the transition period.

Please contact one of our data protection specialists if you want to discuss your organisation's preparations, for example putting in place appropriate safeguards for the transfer of personal data between the UK and the EU and vice versa, or appointing an EU representative.  We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest. 

Please get in touch with your usual DWF contact, or one of the contacts below, if you have any questions.