DWF Data Protection Insights March 2022

This month's top story: UK IDTA and SCCs Addendum come into force

As of 21 March 2022 the approved International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU SCCs (together the "UK IDTA") can be used for the purposes of international data transfers from the UK to third countries. From 21 September 2022, the old EU SCCs can no longer be used for such transfers and organisations have until March 2024 to repaper existing old transfer documents to use the new UK approach.  In practice if reliance is to be made on the new EU SCCs plus the UK Addendum this drives forward the repapering timescale to this September. 

The New Approach

As mentioned above, the new approach enables organisations to choose between two key options.

The IDTA is a full-form standalone data transfer agreement and is mostly appropriate for transfers to third countries only including UK personal data. However, the UK Addendum is a shorter document and is a useful mechanism when transfers are subject to both the UK and EU GDPR. This is a practical option for clients and means organisations have the option of not having two sets of transfer terms namely the EU SCCs and the (similar but different) UK IDTA - instead the Addendum enables reliance on the EU SCCs for both UK and EU transfers to third countries.

It is important to note that whether you use the IDTA or the UK Addendum as your transfer mechanism under the UK GDPR, you must carry out a Transfer Risk Assessment before any transfer is made. This is a similar exercise as required when using the new EU SCCs, where it is called a Transfer Impact Assessment.

What Next?

The new IDTA has a significant number of differences both structurally and from a risk and obligations point of view when compared to the new EU SCCs, which requires analysis and a tailored approach for organisations transferring personal data to third countries.

The ICO has stated that it will be publishing additional guidance on the new approach including the following:

• clause by clause guidance on the IDTA and UK Addendum
• how to use the IDTA
• guidance on the Transfer Risk Assessment
• general clarification around the IDTA

We anticipate the guidance will provide much needed clarification on the implementation of the new approach which we will publish more information on in due course.

Detailed Analysis of the UK IDTA

A detailed analysis of the new UK IDTA covering when to use which option, how organisations can think about implementing the UK IDTA, the risk and obligations implications of the new UK SCCs and how to carry our Transfer Risk Assessments can be found in our webinar – see the link below.

Webinar: The UK International Data Transfer Agreement and Addendum

On 28 March our international data transfer specialists ran this webinar, in which they explain the practical and organisational steps you will need to take when using the UK International Data Transfer Agreement and Addendum.

You can watch the recording and view the accompanying slides here: Webinar recording: Personal Data Transfers | DWF Group

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)

ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance chapter 4 (Accountability and governance)

In the February 2022 issue of DWF Data Protection Insights we reported on the publication of chapter 3 (Pseudonymisation) of this draft guidance.  The ICO has now published chapter 4, which focuses on accountability and governance. Click here to read our summary of the key points.

ICO surveillance guidance

The ICO has published new guidance to help organisations in the public and private sector who use video surveillance systems to collect and process personal data. Click here to read our summary of the key points.

EDPB investigate the use of cloud-based services by the public sector

The 15^th of February saw the launch of the first coordinated enforcement action initiative via the coordinated enforcement framework (CEF) by the European Data Protection Board (EDPB).

The European Data Protection Supervisor (EDPS) is participating in the 2022 coordinated action of the EDPB by focusing on the EU institutions’, bodies’, offices’ and agencies’ compliance withRegulation (EU) 2018/1725 when using cloud-based services with a particular focus on controller-processor relationship and international transfers when public sector bodies use cloud-based services.

According to the EDPB, the COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules.

The supervisory authorities will investigate the use of cloud-based services by the public sector, which has kicked off with a series of actions that will be taken by the 22 participating supervisory authorities competent at national and EU level. The authorities will implement the CEF at their level in one or several of the following ways:

1. Fact-finding exercise;
2. Questionnaire to identify if a formal investigation is warranted;
3. Commencement of a formal investigation; and
4. Follow-up to ongoing formal investigations.

The investigations by the Supervisory Authorities will examine the challenges that public bodies face regarding GDPR compliance when using cloud-based services, including:

1. the safeguards and processes implemented when acquiring the cloud services; 
2. international transfer aspects; and 
3. the contractual provisions governing the controller-processor relationship. 

The EDPB states that more than 80 institutions will be part of the investigation throughout the EEA, including EU bodies, and across a wide range of sectors (naming specifically, health, finance, tax, education, central procurement and providers of IT services). 

The findings of this enforcement action will be analysed in a coordinated manner and national supervisory authorities will decide on possible further national supervision and enforcement actions.

A report on the general outcomes of this enforcement action is anticipated before the end of 2022. We will of course keep you updated in future issues of DWF Data Protection Insights.

Enforcement action

ICO fines solicitors £98,000 for failing to ensure security of personal data

The ICO has fined a law firm £98,000 for failing to process personal data, including special category data, in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The firm experienced a ransomware attack which resulted in the unavailability of personal data (via encryption) and a loss of confidentiality (via access to, and exfiltration of, the personal data). The ICO decided that its failure to implement appropriate technical and organisation measures rendered it vulnerable to the attack, identifying the following failures:

• Lack of Multi-Factor Authentication (MFA);
• Failure to install patches promptly;
• Failure to encrypt personal data; and
• Continuing to store personal data after the end of end of its retention period.

The ICO's penalty notice provides a useful reminder of the following requirements of the GDPR/UK GDPR:

• implement appropriate technical and organisational measures to ensure that processing of personal data is secure, and this can be demonstrated;
• integrate the necessary safeguards into the processing (data protection by design and by default); and
• keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

ICO issues enforcement notice to IFA for failure to respond to subject access requests

The ICO has issued an enforcement notice to an IFA company for failing to respond to subject access requests in accordance with the GDPR/UK GDPR. If the company does not comply with the notice, the ICO may issue a fine.

While the above two fines show that the ICO has started to undertake more enforcement action in relation to breaches of GDPR, the following fines indicate that the ICO is continuing to enforce breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) more frequently.

ICO fines Royal Mail £20,000 for sending marketing emails without consent

The ICO has fined the Royal Mail £20,000 for sending marketing emails to people without their consent, in breach of PECR. An incorrect customer group was added to a marketing campaign, meaning that 213,191 emails were received by users without their consent.  These users were previous customers who had either opted out of direct marketing or had checked out as guests and not been presented with the Royal Mail's privacy notice.

ICO fines five companies for marketing calls to people registered with TPS

The ICO has fined five companies a total of £405,000 for unwanted marketing calls to people registered with the Telephone Preference Service (TPS). The calls targeted older people, and some were made using lists bought in from a third party.

These fines show that you must exercise caution when conducting telephone marketing campaigns, including screening your list of numbers against the TPS. The ICO's direct marketing guidance  states that organisations buying or renting marketing lists must undertake rigorous checks to ensure that they can lawfully be used for their intended purpose.

If you would like guidance on how to conduct direct marketing in accordance with the law, please contact one of our privacy specialists.

ICO publishes Home Office data protection audit report

The ICO has published its report on its data protection audit of the Home Office.  The report is useful, as it can help organisations to assess their own areas for improvement.  While some of the areas for improvement are specific to public bodies, many of them are relevant to all organisations.

• The Record of Processing Activity (RoPA) was not sufficiently detailed;
• Data mapping was incomplete;
• The Information Asset Register (IAR) did not contain all the necessary information;
• No proof of appropriate logs of the use of automated processing systems;
• The DPO did not have sufficient resources and was not the only point of contact for IG/data protection queries;
• The information security policy framework was fragmented;.
• The organisational framework for records management was not sufficient or consistently applied;
• There were a large amount of unrecorded and unstructured data and assets;
• Retention of data was not being managed consistently or in line with legal requirements;
• Inconsistent Privacy notices: some lacked detail on data subject rights or were not sufficiently accessible;
• Heavy reliance on the lawful basis of public task, but a lack of supporting documentation;
• Where consent is the lawful basis for processing, insufficient assurances that it complied with the UK GDPR;
• Special category data and criminal offence data processed with no properly documented lawful basis;
• No sufficiently granular review of proposed data sharing to ensure that the correct lawful basis is identified;
• Fragmented governance of data sharing activities, risking a lack of oversight;
• No staff guidance on the requirements of international data sharing; and
• No requirement for the appropriate team to be informed of all international data sharing activity.

If you would like DWF's data protection team to audit your organisation to identify the areas in which you need to improve your data governance, please contact one of our specialists.

EU enforcement action

Italian SA fines Clearview AI €20 million

The Italian supervisory authority (the Garante) fined Clearview AI €20 million and imposed related orders for a number of GDPR breaches in connection with facial recognition products:

• processing personal data, including biometric and geolocation information, without an appropriate legal basis;
• infringing several fundamental principles of the GDPR, including transparency, purpose limitation, and storage limitation;
• failing to provide the information set out by Articles 13 and 14 of the GDPR;
• failing to deal with a subject access request within the due timeframe; and
• failing to designate a representative in the EU.

The Garante also imposed a ban on any further collection and processing of certain categories of personal data, ordered erasure of certain data and ordered Clearview to appoint an EU representative.

In November 2021 the ICO announced its provisional intent to impose a potential fine of just over £17 million on Clearview. It will be interesting to see whether the ICO proceeds to impose a fine of this level.

Polish DPA fines Pactum Poland Sp. z o.o. for lack of cooperation

The Polish DPA has fined a company approximately €4,000 for failing to cooperate with the DPA's investigation into complaints made about the company.

Industry news

The EU Commission and US reach agreement in principle on Trans-Atlantic Data Privacy Framework

The EU Commission and the US have announced that they have reached agreement in principle on a Trans-Atlantic Data Privacy Framework to replace the Privacy Shield, which was invalidated by the Court of Justice of the EU in 2020. While this is a positive development, the announcement contains only very high-level principles, which need to be translated into legal documents.  Once the Framework is in place, it will be possible to transfer the personal data of individuals in the EEA to participating US companies without an additional safeguard. Privacy activist Max Schrems, who brought the legal claims which led to the invalidation of the Privacy Shield and its predecessor Safe Harbor, has issued a statement in which he says that his organisation or another group will probably challenge the Framework if it is not in line with EU law.

While the Framework will not affect the transfer of the personal data of individuals in the UK, the UK government has stated that it is working on a 'data adequacy partnership' with a number of countries, including the US.

UK and Singapore sign Digital Economy Agreement ("UKSDEA")

On 25 February 2022, the UK signed its Digital Economy Agreement ("DEA") with Singapore.

The Agreement seeks to modernise digital trading rules for the benefit of goods and services exporters in both countries. It will help facilitate an ever-increasing digital environment, enable trusted data flows and support end-to-end digital trade through the use of electronic documents. The DEA also aims to strengthen and increase the UK's trading relationship with Singapore, which in 2020 was worth £20 billion.

The deal covers data rules, artificial intelligence (AI), financial technology (fintech), regulation technology (regtech), digital identities and legal technology.

The UK is the fourth country to sign a DEA with Singapore following Australia, New Zealand and Chile. The UKSDEA is deemed the world's most comprehensive digital trade deal with Singapore, which aims to capitalise on our strength as the world's second largest services exporter and leading digital hub. A third of our exports to Singapore are already digitally delivered including in finance, advertising and engineering. This deal will create new opportunities to expand digital trade and boost a sector that adds £151 billion to the economy.

Authors: Sam Morrow, Najiba Sultana, Niall O'Brien