On the date of the judgment, Stewart Room wrote this reaction piece for Forbes.
The following week, we held a DWF Tech & Data Leaders' Forum webinar on Schrems II: Impacts of the CJEU decision on international data transfers. The recording is now available.
If you need advice on data transfers to the US, or to other countries using the standard contractual clauses in the light of the judgment, please contact one of our data protection specialists.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
ICO Guidance: data protection and coronavirus hub
- The key data protection principles;
- What to tell customers/visitors;
- Compliance with government guidelines;
- Identifying a lawful basis, including guidance on whether you can rely on consent;
- How much data to collect;
- How long to keep the data;
- How to ensure that the data is accurate;
- Dealing with data subject rights;
- Sharing the data with contact tracing schemes;
- Using the data for other purposes; and
- Collecting data from children and teenagers.
DWF's data protection specialists are working with our clients to help them manage the reopening of their businesses, including advising on DPIAs and updated privacy notices and policies. Don't forget our DWF Rapid module on Virus Control in the Workplace – ask your usual team contact for more details of this free-to-use insightful data analysis platform.
Information Commissioner updates on the ICO’s regulatory approach during COVID-19 and beyond
On 13 July the ICO published a revised statement on its approach during the pandemic, which has been updated to reflect its ability to conduct audits remotely. The statement adds: 'We will have more to say soon on FOI and our expectations as public authorities return to greater capacity'.
ICO launches FOI toolkit
On 17 July the ICO launched the first phase of an FOI toolkit, which is designed to help public authorities self-assess their performance in responding to FOI requests. It generates a bespoke report which helps to identify areas for improvement and where action needs to be taken. The first phase of the toolkit focuses on timeliness, a fundamental requirement of the FOI Act. It is split into five modules covering response rates, handling requests, training and awareness, compliance and assurance, and governance structure. The ICO has stated that further toolkit developments will see other issues addressed, such as where the cost of compliance exceeds the appropriate limit.
CDEI publishes its first report on public sector data sharing
Also relevant to public authorities, the Centre for Data Ethics and Innovation (CDEI), which is part of DCMS, has published its first report on public sector data sharing. The report analyses projects where data has been shared between government departments and with commercial organisations, identifying recurring barriers and the steps that were taken to address them. It focuses on citizen trust, which the report argues needs to be addressed to maximise the value of data held, and includes a new framework to drive forward trustworthy data sharing in the public interest.
The report's key findings are:
- Common barriers to data sharing tend to fit into three broad categories: legal, technical and cultural. These include inconsistent security requirements, legal confusion and risk aversion.
- These barriers are reinforced by low public awareness of data sharing and an absence of a developed understanding of public acceptability, both of which give rise to an environment of ‘tenuous trust’. This uncertainty hinders the progression of projects that could be of huge societal benefit.
- Trust is also undermined by the inconsistent interpretation and application of legal mechanisms for data sharing, as well as the adoption of different security and technical standards. This creates a complex and confusing environment which hinders transparency.
- Data held by the public sector could be used to support areas of innovation that may bring significant public benefits. More work is needed to address public trust.
CDEI is working with other organisations to apply, test, and revise the framework in different contexts.
Age Appropriate Design Code
In the January 2020 issue of DWF data insights, we reported that the ICO had finalised its Age Appropriate Design Code, and in the June 2020 issue, we reported that the code had been laid before Parliament and was expected to come into force in autumn 2021.
The ICO has now published its impact assessment, which it will use to inform its plans about where to focus its support. It has also confirmed that it will review the code in August 2022, to understand whether it is working in line with the ICO's expectations.
The full code is 146 pages, so if your organisation provides online services which children are likely to access and you would like advice on how to comply with the code, please contact one of our specialists, who will be able to provide specific advice tailored to the service you provide and to the age range of children likely to access it.
First reports published from the Regulatory Sandbox
The ICO has published the first two reports from participants in the beta phase of its regulatory sandbox, which is intended to support organisations who are developing products and services that use personal data in innovative ways.
The first report is from a not-for-profit organisation which works with universities and colleges to investigate the use of student activity data to improve their provision of student support services.
The second report is from an airport which is seeking to streamline the passenger journey through the airport using facial recognition.
The ICO has stated that it considers that the beta phase has been successful and has given it the opportunity to introduce improvements ahead of the full launch. It will be publishing details about this, the new themes it will be focusing on and how organisations can register their interest in the near future.
In the meantime, if your organisation is considering any innovative use of personal data, please contact one of our specialists, so that we can advise on whether a DPIA (data protection impact assessment) is required and, if so, support you with this.
Track and trace programme launched without DPIA
On the subject of DPIAs, the BBC has reported that the Department of Health launched its COVID-19 track and trace programme without conducting a DPIA, meaning that it was unlawful. This provides a useful reminder that before going ahead with an innovative use of personal data, you need to consider whether a DPIA is required. The rules are complex, based on a combination of the GDPR and guidance from the EDPB and the ICO, but we have developed a process which enables us to assess relatively quickly whether a DPIA is required or recommended as a matter of best practice, and then to guide you through the process of risk assessment and ongoing management.
ICO, CMA and Ofcom set up Digital Regulation Cooperation Forum
The ICO has announced that, together with the Competition and Markets Authority (CMA) and Ofcom, it has set up a Digital Regulation Cooperation Forum, which is intended to help ensure online services work well for consumers and businesses in the UK. It aims to harness their collective expertise when data, privacy, competition, communications and content interact to support effective and efficient regulation across the digital landscape, while exploring emerging regulatory policy challenges and encouraging innovation.
Video teleconferencing and privacy
In the light of the sharp increase in the use of video teleconferencing (VTC) software since the onset of COVID-19, the ICO and other data protection authorities have written an open letter to remind VTC providers of their responsibilities under data protection law. While the letter is addressed to VTC providers, the issues raised are also relevant to organisations which use VTC software:
- Security: do you have appropriate measures in place? Do you allow files to be shared via the software? Do you need to restrict the sort of files which can be shared?
- Are you aware of the different privacy settings? Have you selected the most appropriate settings?
- Have you been transparent with your workers and clients about how their personal data will be used and shared? Do you have a lawful basis for this processing and sharing?
ICO guidance on AI and data protection
On 30 July the ICO published guidance on AI (Artificial Intelligence) and data protection. This comprises four parts:
- Accountability and governance in AI, including data protection impact assessments (DPIAs)
The ICO's executive summary emphasises the importance of the accountability principle, which requires organisations to:
• be responsible for the compliance of their system;
• assess and mitigate its risks; and
• document and demonstrate how their system is compliant and justify the choices they have made.
It also flags that, in the majority of cases, you are legally required to complete a DPIA if you use AI systems that process personal data.
We have developed a tool which streamlines the DPIA process (do ask for a demo!) and we are developing a tool which helps you to assess and demonstrate compliance with the accountability principle.
- Fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination
We can support you with identifying the appropriate lawful basis(es) and drafting/updating your privacy notices to ensure that you comply with the rules on fairness and transparency.
- Data minimisation and security; and
- Compliance with individual rights, including rights related to automated decision-making.
Note that this guidance complements the 'Explaining decisions made with AI' guidance, published with the Alan Turing Institute, which we reported on in the May 2020 issue of DWF data protection insights.
The ICO has not published details of any enforcement action, reflecting its changed priorities at this time.
ePrivacy Regulation – progress report
In the June 2020 issue of DWF data protection insights we reported that the Croatian presidency had published a progress report and would continue to work closely with the incoming German presidency to ensure smooth progress.
On 6 July the German Presidency of the Council of the EU published a discussion paper on the draft ePrivacy Regulation (draft ePR). This states that the starting point will be the Croatian Presidency's compromise proposal.
Member states will be asked to give their opinions on a number of options in relation to the following:
- Vital interests: whether, in the light of the COVID-19 pandemic, they still support the provisions on the permission to process electronic communications metadata for the protection of vital interests.
- Legitimate interests: whether they support the processing of electronic communications metadata on the basis of legitimate interests subject to specific conditions and safeguards.
- Protection of and requirements for access to terminal devices: whether they support access to terminal devices based on legitimate interests, subject to specific conditions and safeguards and, if so, how security can be ensured.
Certain provisions relating to the detection of child abuse imagery remain highly controversial and the Presidency wants a separate discussion on these at a later date. The Presidency gave member states until 24 July to submit their written comments to assist in drafting a new compromise text. We will await publication of this new text and report in future issues of DWF data protection insights.
The ePR will not become directly applicable in EU member states until after the end of the transition period, at which point the UK will have to decide whether and how far it wants to mirror the ePR. Due to its territorial scope, it will probably still be relevant in the UK. In the meantime, if you need advice on cookie notices, policies or ensuring that your direct marketing campaigns comply with the GDPR and PECR (the UK Regulations based on the existing ePrivacy Directive), please contact one of our data protection specialists.
On 22 July the EDPB published an information note on binding corporate rules (BCRs) for groups of companies which have the ICO as the BCR lead supervisory authority. This provides that:
- From the end of the transition period the ICO will no longer be able to act as the lead supervisory authority for BCRs.
- Any BCRs that have been approved by the ICO under the GDPR must be approved by a new lead supervisory authority in the EEA before the end of the transition period to remain valid.
- The information note contains a checklist of elements which groups must include in their BCRs in order to get them approved by an EEA supervisory authority.
On 9 July the European Commission published a communication on readiness at the end of the transition period between the European Union and the United Kingdom. This states that the EU will use its best endeavours to conclude the assessment of the UK regime by the end of 2020 with a view to possibly adopting an adequacy decision if the United Kingdom meets the applicable conditions. The Commission is currently conducting this assessment and has held a number of technical meetings with the United Kingdom to gather information in order to inform the process.
However, please note that this communication was published before the CJEU decision in the Schrems II case, which most commentators agree is likely to have an adverse impact on the UK's chance of getting an adequacy decision before the end of the transition period, due in part to the UK-US agreement on exchanging personal data for the prevention of serious crime, and in part to political reasons.
We will continue to monitor developments and report further in future issues of DWF data protection insights. In the meantime, please contact one of our data protection specialists if you want to discuss how to prepare for the expiry of the transition period, for example by putting in place appropriate safeguards for the transfer of personal data between the UK and the EU and vice versa, or by appointing an EU representative. We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest.