Welcome to the February 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, do let us know if you have any feedback or suggestions for future editions.
Coverage this month includes details of the new EU/US agreement to replace Safe Harbor (the so-called "EU-US Privacy Shield"), the recent steps taken by the UK and France towards implementing the General Data Protection Regulation and a review of the European Data Protection Supervisor's opinion on the EU/US Umbrella Agreement. In our cybersecurity section, we consider the cost of last year's cyber-attack on Talk Talk. We also include an overview of the latest actions taken by the ICO.
A new deal
On 2 February 2016, the EU Commission announced that it had come to a political agreement with the United States on transfers of personal data from the EU to the US, dubbed the "EU-US Privacy Shield". The framework itself will take the form of an adequacy decision, a draft of which is expected soon, and seeks to provide stronger obligations for US entities to protect the personal data of Europeans.
The US Government has given written assurances that access to personal data by public authorities for national security or law enforcement purposes will be subject to clear limitations, safeguards and oversight. Any such access must be necessary and proportionate. It has also ruled out indiscriminate mass surveillance of personal data transferred under the new arrangement.
US companies importing personal data from the EU will be required to commit to obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor such commitments.
A multi-tiered redress mechanism will include an obligation for companies to reply to complaints within specified deadlines and offer a free alternative dispute resolution procedure. In addition, a US Ombudsman will be appointed to deal with complaints of access by national intelligence authorities. EU data protection authorities will also be able to refer complaints to the Department of Commerce and FTC.
Concerns have already been raised over the similarity of the framework with Safe Harbor and that the basis for the adequacy decision will be an "exchange of letters" setting out the US Government's assurances over access by intelligence agencies to personal data. Given the CJEU's views in Schrems, discussed in our previous alert, it is possible that another legal challenge may be launched.
Article 29 Working Party Statement
On 3 February, the Article 29 Working Party of European data protection authorities issued a statement on the consequences of the Schrems decision in light of the agreement over the EU-US Privacy Shield. The Working Party set out four fundamental guarantees in respect of intelligence gathering: (i) processing should be based on clear, precise and accessible rules; (ii) processing should be necessary and proportionate with regard to a legitimate objective; (iii) an independent oversight mechanism should exist that is both effective and impartial; and (iv) effective remedies need to be available to individuals.
The Working Party stated that it still has concerns that the legal framework in the US and the practices of US intelligence agencies do not fully protect those guarantees. It also stated that EU data protection authorities may deal with cases related to transfers under Safe Harbor on a case-by-case basis.
The Working Party called on the Commission to publish the proposed text of the Privacy Shield framework by the end of February, following which it will complete an assessment and provide an opinion by the last two weeks of April. The group will also consider whether other transfer mechanisms, such as binding corporate rules and standard contractual clauses, can still be used for transfers to the US.
Current estimates are that the adoption of the new framework will not be complete until the Summer at the earliest.
EDPS opinion on the EU-US Umbrella Agreement
On 12 February, the European Data Protection Supervisor ("EDPS") expressed support for the EU-US "Umbrella Agreement". This agreement covers all personal data exchanged between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. This Umbrella Agreement is separate from, but will need to be considered in conjunction with, the EU-US Privacy Shield. It is anticipated that further consideration may be necessary to establish the interaction between the EU-US Privacy Shield, the Umbrella Agreement and the reform of the EU's data protection framework.
Whilst supporting the agreement, the EDPS recommended three essential improvements that should be made (in addition to encouraging several other changes):
- clarification that the safeguards apply to all individuals, not only to EU nationals;
- ensuring judicial redress provisions are effective within the meaning of the Charter of Fundamental Rights of the European Union; and
- clarification that transfers of sensitive data in bulk are not authorised.
Federal Privacy Council
On 9 February, President Obama signed an Executive Order creating the Federal Privacy Council (the "FPC"). The FPC will serve as the primary interagency forum to improve the privacy practices of US Government agencies and entities acting on their behalf, to build on existing interagency efforts to protect privacy and to provide expertise and assistance to agencies. The FPC aims to expand the skill and career development opportunities of agency privacy professionals, improve the management of agency privacy programs, and promote collaboration between and among agency privacy professionals.
Judicial Redress Act
On 24 February, the amended Judicial Redress Act was signed into law by President Obama. The Act, which provides non-US citizens with certain rights, including a right of action for privacy violations in the US and other rights that are granted to US citizens under the US Privacy Act 1974, is an important element in both the US's commitments under the new Privacy Shield and the Umbrella Agreement.
Russian Data Localisation Law inspections
Russia's data protection authority, Roskomnadzor, has issued its 2016 inspection plan to ensure compliance with the Russian Data Localisation Law. The Data Localisation Law came into force in September 2015 and requires, amongst other provisions, that when collecting personal data a data operator must process the personal data of Russian citizens within Russia.
The inspection plan indicates that numerous large non-Russian organisations which have online presences in Russia will be subject to inspections. These companies include Microsoft, Samsung and Volkswagen.
German consumer group enforcement of data protection law
On 24 February, Germany's Act to Improve the Civil Enforcement of Consumer Protection Provisions of Data Protection Law (the "Act") entered into force. The Act amends the German Act on Injunctive Relief and enables consumer groups to seek injunctive relief to enforce an expanded set of data protection rights of individuals against businesses. No damages are available to the consumer groups. In addition, the new provisions are subject to a grace period until 30 September 2016 for companies that previously relied on the recently invalidated Safe Harbor framework.
Previously, registered consumer groups were only able to enforce orders against businesses whose general terms were in breach of data protection law. The Act extends the power of consumer groups to enforce provisions of certain consumer laws in the context of the processing or collection of personal data for the purpose of, amongst others, advertising and marketing, opinion research, certain profiling and the sale of addresses.
European Council adopts political agreement
On 12 February, the European Council adopted a political agreement on the texts of (i) the General Data Protection Regulation ("GDPR") and (ii) the Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (the "Directive"). This means that the final texts have been agreed.
After a further review, the GDPR and the Directive will be submitted for adoption by the Council and the Parliament. Both are likely to enter into force this Spring, and shall apply two years thereafter, in Spring 2018.
UK implementation of Article 43(a)
On 4 February, the UK Government announced that it would not be opting in to Article 43(a) of the proposed text of the GDPR. Article 43(a) provides that "any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."
As the Article deals with the recognition and enforcement of judgments, it triggers the UK's Justice and Home Affairs opt-in right, under which it may choose whether to opt in to certain European provisions. On the basis that the text restricts a Member State from enforcing a judgment requiring the transfer or disclosure of personal data where there is no international agreement or treaty, which could have an impact on the integrity of the UK legal system, the UK Government has decided it will not exercise its right to opt in.
French early implementation of provisions aligned to the GDPR
In late January, the French National Assembly adopted the Digital Republic Bill. The Bill, which is expected to become law later this year, contains various provisions which are aligned to the GDPR. These include an amendment to the current and relatively limited right to erasure of data, a right to data portability, additional obligations to provide information to data subjects and vastly increased fines of up to the higher of €20,000,000 or 4% of an organisation's global turnover.
Article 29 Working Party Action Plan
In anticipation of the implementation of the GDPR later this year, the Article 29 Working Party has issued a statement on its 2016 Action Plan.
The Action Plan is based on four priorities, namely (i) the setting up of the administrative functions of the European Data Protection Board, including its HR function, budget and in particular its IT systems, which will be essential to the functioning of the "one stop shop"; (ii) preparing the one stop shop and the consistency mechanism, including the designation of a lead data protection authority; (iii) issuing guidance for data controllers, including in relation to the right of data portability, the notion of "high risk", data protection impact assessments and data protection officers; and (iv) general communication around the GDPR and the European Data Protection Board.
Talk Talk releases details of the cost of its cyber-attack
Talk Talk has announced that the total cost of the cyber-attack it suffered in October 2015 was in the region of £60 million. In a trading statement, the company announced that there had been a trading impact of around £15 million and exceptional costs (including restoring online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades) of £40-45 million.
ICO actions
We outline below a selection of recent ICO actions.
Direct Security Marketing Limited
On 15 February, the ICO fined Direct Security Marketing Limited £70,000 for a breach of regulations 19(1) and 19(2) of The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The ICO found that the company made 39,214 automated calls on 24 August last year to sell burglar alarms. 9,775 of these calls were made between 1am and 6am. The calls were made without the consent of the recipients.
A copy of the Monetary Penalty Notice can be found here.
MyIML Ltd
On 15 February, the ICO fined MyIML Ltd £80,000 for a breach of PECR. The ICO found that the company had made 1,048 unsolicited calls for direct marketing purposes to recipients who were TPS subscribers and who had not given prior consent to receive calls. The ICO also considered the fact that the company had been aware of its obligations under PECR since December 2013, when the ICO first raised concerns with it. The TPS had also contacted the company 779 times regarding complaints.
A copy of the Monetary Penalty Notice can be found here.