Natalie Barton-Howes: Morning everyone, welcome to our webinar this morning. Hot topics in data protection. This is the third in the series of webinars that we are running this autumn in place of our usual in person ThinkHouse Foundations events. My name is Natalie Barton-Howes and I am one of the co-chairs of ThinkHouse Foundations. I am a principal associate in the commercial litigation team here at Gowling WLG.
As you have joined us here today, you probably know that ThinkHouse Foundations is our programme aimed at in-house lawyers at the more junior end ranging from trainees and paralegals up to lawyers around five years PQE but we do still welcome you if this area is new to you or if you are looking for a refresher.
You might already have dialled in to the two webinars that we have had already this week. The first one a litigation survival guide webinar on Tuesday, that was delivered by my teammate Ana Lelliott from the commercial litigation team and then yesterday we had a webinar delivered by my colleague Jasmine Coyne from the employment team and that was on the topic of returning to the office. If you were not able to catch those webinars live, then do not worry, as we will be sending out recordings in the near future hopefully next week.
So on to the topic for today's webinar, hot topics in data protection. I am joined by Claire Van Ristell, a senior associate in our commercial IT and outsourcing team. Claire is going to take you through the basics, highlight some of the recent changes in the data protection and offer you some practical tips and takeaways from today's session. As many of you will know, data protection is constantly evolving and as in-house counsel, you have to stay up to date. The webinar is going to cover recent developments in data protection including international transfers and updated guidance from the ICO. Claire is going to speak for around 25 to 30 minutes and then we will have time for questions at the end and will draw the webinar to a close at around 11.15am.
Claire Van Ristell Thank you Natalie and thank you to you all for attending this morning's ThinkHouse Foundations webinar on data protection hot topics.
So today, I thought we would have a look at some hot topics in the world of data protection but, first of all, I thought it would be useful to start by having a quick look at the data protection regimes currently in place and some key terminology by way of a refresher. We will then have a look at international data transfers from the UK and the EU and finally, we are going to finish up by having a quick look at some other hot topics and things to keep an eye on.
So the data protection regime currently in place in respect of the use of personal data is the GDPR in the EU which you will all be very familiar with and the UK Data Protection Act and the UK GDPR here in the UK. In terms of e-privacy, the Privacy in Electronic Communications Regulations Act 2003 or PECR is currently in force but will be replaced with new e-privacy regulations which I will touch upon later.
While we go through the session this morning, you will hear me using some key words that you will be able to see on the slide in front of you. When we talk about personal data, this is any information related to a data subject. Anything that can identify you, such as your name, age, address, ID number, national insurance number, customer reference number et cetera. Special categories of personal data, this is personal data relating to health, ethnicity, religion, sexual orientation, medical opinion, genetics, biometrics or trade union data, and since an unauthorised disclosure of these types of data can cause much more damage to individuals than regular personal data, the rules around the use of them are strict.
If you employ staff, you will most definitely be processing special category personal data such as health data for the purpose of recording sickness or absence or health insurance purposes and you may also have other data for the purposes of monitoring equal opportunities such as religion, ethnicity and sexual orientation.
When we talk about data subjects, a data subject is an identified or identifiable living individual. This could be your customers, your employees, your contractors, although it does not included deceased people or a person who cannot be identified or distinguished from others.
What is a data controller? So a controller of data will determine the purpose for which and the manner in which personal data is processed. You can also have a joint controller scenario whereby two or more controllers jointly determine the purpose and means of processing and coming back to the employment scenario, your employer will be the data controller of the personal data it collects from you as part of the employment process. It will collect your name, your address, your data of birth, your national insurance number and your bank details for example.
A data processor processes personal data on behalf of the controller. So if your employer collects your bank details from you, it will most likely pass these on to a third party service supplier of payroll services. This payroll provider will be a data processor processing your personal data on the instructions of your employer the controller. When we talk about processing, this is a really wide definition that includes any operation that can be performed in personal data including collecting, storing, analysing or deleting. So as we have just talked about your employer will process your data by collecting it and storing it and transferring it to the payroll provider who in turn will then process your personal data for the purpose of ensuring you get paid.
Now especially when we come to talk about international transfers, I am going to speak about third countries. So these are states that fall outside of the GDPR zone EU member states plus Norway, Lichtenstein and Iceland. The GDPR restricts transfers of personal data to third countries unless personal data is protected in another way or an exception applies to that transfer.
Again when we come to talk about international transfers, I will be referring to adequacy. So this is a term that the EU uses to describe other countries' territories, sectors or international organisations that it deems to provide and essentially equivalent level data protection to that which exists within the EU.
So moving on, one of the hottest topics this year was the update to the EU standard contractual clauses (SCCs) and the international transfer regime in the EU.
So starting off with data transfers from the EU to the UK. After Brexit the UK became a third country under a different data protection regime. A decision was made on 28 June this year to grant the UK adequacy so the EU have decided that the UK has an essentially equivalent level of data protection to the EU and that data can continue to flow freely from the EU to the UK without the need for any further safeguarding mechanisms. However, this is not permanent and could be withdrawn in the future depending on the developments of the UK data protection law and how far this diverges from the EU regime. At the minute, it aligns with GDPR but this was going to be a constant one to watch. Interestingly there is also an automatic sunset clause for UK adequacy to expire in four years' time so keep your internal documentation detailing your data flows which I will refer to as data maps, up to date so you know where your data is going and what additional safeguarding mechanisms you may need to implement in the future if the adequacy decision were to change.
Moving on to EU to third country data transfers, you may be aware that a new set of updated EU SCCs, that is Standard Contractual Clauses as having published. Now just in case you are not familiar with SCCs, they are one method by which data can be transferred outside of the EU to those states which have not been granted adequacy, for example the USA, and the added level of protection.
On 4th June of this year, a new set of updated EU SCCs were approved by the EU Commission which addressed deficiencies in the old SCCs which pre-dated the GDPR and which were out of date with the current data protection regime. As of a few weeks ago, on 27 September, these new SCCs are mandatory and organisations will have until December 2022 to repaper the old style SCCs on to the new EU SCCs.
Just to tell you a bit about the new style SCCs. These SCCs have in built Schrems II clauses, which means that they have provisions to cover potential requests by third countries' governments or authorities to access personal data transfers. For anyone not familiar with the Schrems II case, I am going to talk a little bit more about it in a few minutes. They also have in-built attempted controller to processor clauses. You might know these as article 28 GDPR clauses which, once completed by the parties, should negate the need for separate data processing agreements to be put in place between a controller exporter and a processor importer of the data.
There is also four varieties or modules available so you can tailor your SCCs. There are controller to controller module, controller to processor, processor to processor and processor to controller. There is an optional docking clause at clause 5 which means that other parties can be become a party the SCCs either as a data importer or data exporter simply by signing annex 1a. So even if you do not have an additional party to add at the point at which you are agreeing your SCCs with your processor or controller organisation, we do recommend leaving this clause 5 in, in case it is needed for the future. For example, you may be a processor organisation and just to simplify things I will use the payroll provider example we talked about earlier, you may want to appoint a sub-processor to carry out some of your processing activities. You could use a docking clause to make your processor a party to the SCCs. So those new EU SCCs will only apply to international data transfers from the EU so it is really important to understand how the landscape is changing here in the UK too.
Where are we now? Just by way of background of some recent developments that have taken us up to where we are now with the transfers from the UK, in July 2020 with the Schrems II Judgment which I referred to earlier, so this was really high profile and this is a case in which the UK Justice of the European Union invalidated the EU US privacy shield and for anyone not familiar with what that was, it was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US.
The Court confirmed that the validity of the EU SCCs but it required exploring entities to carry out a risk assessment on case by case basis to verify whether the SCCs provided an adequate level of protection for the personal data transferred and to implement additional safeguards where that was not the case and of course we had Brexit.
So the transition period ended on 31 December last year meaning that on 1 January 2021 the UK became a third country with its own data protection laws, that being the Data Protection Act 2018 and the UK GDPR so this is the retained domestic law which sits along the DPA. The key principles, rights and obligations remain closely aligned with GDPR.
In June 2021, as I mentioned, we have the updated substantial contractual clauses from the EU. These were updated in light of GDPR and Schrems II and address a wider range of scenarios.
However, as a result of Brexit, the revised SCCs do not apply here in the UK and the UK must implement its own SCC but at the minute we do not have any. So, as a temporary measure, at the moment UK organisations are permitted to use old style SCCs as a transfer mechanism and to make changes to them so they make sense in a UK context. So provided you do not change the legal meaning of the SCCs we can make common sense changes like changing references from the old EU data protection to the UK GDPR, changing references to the EU or member states to the UK and changing references from a superior authority to the ICO. But we do not even need to do this at the minute because the ICO has helpfully created a UK version of the SCCs with guidance and the UK has suggested changes already made so if you do need to do any restrictive transfers we recommend you watch the ICO website for that information you need to carry out the transfer.
Using the old SCCs in this way is only going to be a temporary measure and the ICO must publish its own set of SCCs under the UK GDPR so as part of that process, on 11th August this year, the ICO lodged its consultation on its draft International Data Transfer Agreement which I will refer to throughout as an IDTA and also guidance for organisations on international transfers which then replace the EU SCCs.
The consultation closed on 11 October and once the IDTA is finalised it is that which is going to replace the EU SCCs here in the UK. I will chat through that in a few more details in a minute but I thought it would just be useful to mention this point the influence of the UK Government in the development of the new transfer regime here in the UK. So there is most definitely a political angle in the changes to the UK data law and the Department for Digital Culture, Media and Sport, that is DCMS, is looking to make existing rules governing data transfers of personal data to the UK from the UK to third countries more proportionate, flexible and interoperable.
You will see from the slides there, there is a lot of talk about building trust, delivering growth and firing up innovation when it comes to the IDTA. The proposed changes conclude, amongst other things, in pardoning organisations to develop and self-approve their own transfer mechanisms as opposed to relying on existing standards and align non-UK bodies to develop accredited international certification schemes which can be relied upon by UK companies to facilitate the free flow of the data.
The Secretary of State may also be granted pardon to introduce or approve new transfer mechanisms from time to time. So all in all it is a bit more flexible and less rigid than the UK position. It is also worth remembering that all of these reforms will only apply and govern the transfer of personal data which is subject to UK GDPR and the EU GDPR regime will continue to run separately and parallel and this is really important to remember. For example, your organisation is transferring personal data along to your employers to a service provider who may be in the US and you have UK employee and EU employee data to transfer. You will need to ensure you are fine in implementing the UK regime in respect of the UK employer data and then separately the EU regime in respect of the EU employer data so you will have two separate data transfer mechanisms in place and running at the same time.
So just to talk to you a bit further about the ICO consultation on data transfer, what was this all about? Well the ICO split this into three different sections. So they set up their proposal and plans for updates to guidance and international transfers. They also set out a proposed transfer risk assessment tool, a TRA, which need to be carried out and then they published a draft international data transfer agreement which will be the replacement for the SCC.
So just turning to the guidance, the consultation saw input on questions around the transfer of personal data but also included broader questions relating to the scope of the UK GDPR, legal economic and policy considerations and implications. So it looked like the ICO was very much looking at international transfers in the round.
The TRA produced by the ICO is supposed to be used to assist organisations when making routine transfers, although organisations also want to be free to use their own methods to assess risk and we are going to come on to the TRAs in a bit more detail shortly. Finally, the ICO issued a draft of international data transfer agreements, it has got a simple layout, it has got guidance and it looks a bit more user friendly than the EU SCCs.
So what is the TRA that the ICO is proposing? In advance of making any international data transfer from the UK, a risk assessment will need to be carried out so organisations will need to make sure that the IDTA works as they intended to in the country where the receiver of the data is based.
So the ICO's intention is that the TRA will check that the local laws and practices do not provide the protection provided by the IDTA. This is going to be a three-stage process for assessing the risk. First of all you need to decide is the tool suitable for the transfer. You will then need to understand is the IDTA enforceable in the destination country and then you have to do an assessment of the destination country's regime but regulating third party access to personal data including an assessment of surveillance laws. Organisations will really need to show that they have used their best efforts to complete a TRA when relying on the use of the IDTA as their safeguarding mechanism. As I said, it does not have to be the ICO's TRA that is used, you can use your own.
Moving on to IDTA itself. This is an agreement to be entered into between the exporter and importer of the data just like the SCCs but again it does not seem to be as rigid as the EU SCCs. There is an option to include extra data protection clauses. For example, when you complete your TRA, you may decide that the IDTA needs extra steps in order to provide the right level of protection. There is also an option to include commercial clauses agreed between the data exporter and importer provided that they do not contradict the IDTA.
When you transfer data, you will often have another agreement in place for the other party. For example, you may have a service agreement, a data sharing agreement or a data processing agreement in place. Under the IDTA, these are referred to as linked agreements as they link to the transfer you are making. They will often contain a lot of the same information you will need to complete the tables in the IDTA. So you can actually refer to back to the relevant sections of the linked agreements they needed rather than just repeating them verbatim.
The IDTA can also be a multiparty agreement and under a multiparty IDTA someone may be nominated to make decisions on everybody's behalf. Again, this is granting the different level of flexibility to that seen in the SCCs. We are going to have to watch this space to see what the outcome of the consultation will be, what the IDTA will have found and when the new transfer regime will come into force but it is definitely one we are keeping an eye on.
Just a note on adequacy. So now that we have left the European Union, the UK Government is able to dependently determine whether for the purposes of the UK GDPR a third country is adequate and that personal data can be transferred to that jurisdiction question without the need for additional transfer mechanisms.
So why are the Government so excited about this? Well their belief is that by making it easier to transfer personal data it is going to be easier for organisations to do business which will in turn have a positive impact on the economy, great for us all. UK decisions about adequacy will be granted by the Secretary of State. So as well as determining whether a country is adequate, the Secretary of State is also going to be able to designate territories within a country, sectors of an economy or even international organisations to that effect.
The UK Government has identified a number of priority territories that it wishes to strike data partnerships with. So you will see those on the slide, they are Australia, Colombia, Dubai International Finance Centre, the Republic of Korea, Singapore and the USA. The Government estimates that data enabled services for these jurisdictions alone are worth around 80 billion pounds.
There is also going to be a secondary list of long return priorities. So these are Brazil, Kenya, India and Indonesia. I thought it was also worth noting that the UK Government is going to award adequacy to those jurisdictions that the EU Commission deems adequate.
So what does all this mean for your organisation and how you transfer personal data? Whether you are transferring data from the EU or the UK it has all changed. So when transferring data from the EU to a third country, you are going to need to use the new EU SCCs to implement that transfer and you are going to need to make sure that you re-paper any old style SCCs before December 2022. With transfers from the UK there is new IDTA on the cards so we are going to need to watch this space and just use the old style EU SCCs found on the ICO website for now.
We really recommend that organisations understand how their international data flows. We need to carry out your data mapping exercises and for anyone not familiar with this, it is like an audit of your data flows. You need to know where you are collecting data, who from, what categories of data subject, how you are processing it, and how you are transferring it to third parties or out of the jurisdiction and you need to keep this up to date. If you are required to do so you need to put in place public data transfer mechanisms and you also need to remember that there are currently two separate data protection regimes now in place for the UK and the EU following Brexit.
So what about the other hot topics around data protection right now? As I mentioned we have the privacy regulations so this is a success with the PECR. It should have come into force with the GDPR as it has been in negotiation from 2017 but there has been some delays. And just for anyone not familiar with PECR, the regulations give data subjects specific privacy rights in relation to electronic communications so there are specific rules around marketing calls, emails and texts and cookies and some other technologies and on other things like the customer privacy as regards to traffic and location data for example.
E-privacy regulation will update the e-privacy directive to bringing in line the GDPR because at the minute, although PECR sits alongside the DP and UK GDPR it is really out of date. The regulation will also have extra territorial applications. So it is going to apply to business outside of the EU insofar as it relates to end users in the EU but it does not require the EU user to be expressly targeted.
I just have some key highlights about the new regulations to let you know about. It is going to have a broader remit than just cookies and websites. It is going to have application, internet of things (IoT) solutions, machine to machine, and over the top media services. The whole point is to address cookie consent fatigue. So consent is going to be pushed back to browser settings rather than collected at every website but browsers need to be developed to make that happen as currently the functionality is not in place. Users who have given consent will also need to be reminded every 12 months of the right to withdraw that consent. Of course the regulations are going to apply in Europe and it will not automatically apply here in the UK. Whilst cookies are initially getting prominence in the UK and at the G7 Summit in September the ICO did raise cookies as a key topic on which more global co-operation is needed. There has also been an increasing number of complaints about cookies to the ICO. So I think there has been around 2,000 in the past year and we are definitely seeing more claims coming through our door relating to breaches of PECR related cookie policies. It is anticipated that the e-privacy regulation will come into force for 2023 and that there will be a potential transitional period of 24 months meaning that any new regulations would not then come into effect until 2025. So it is a bit of a way off just yet.
The UK not following suit with the EU on this matter has potential to affect our adequacy decision. So I would imagine that PECR will also be updated and go in line with UK GDPR. Also because of the extra territorial application of the privacy regulation it is going to affect that they are applied to all UK businesses as regards to end users in the EU. So it may have implications for your organisation in any event. So it is definitely one that we need to keep an eye on for sure.
And just before we finish up I wanted to let you know about a few more hot topics that we will see that I have set out on the slide there. So we have the ICO data sharing code of practice. This is a statutory code, it came into force in December 2020. It was an update to the ICO's first data sharing code from 2011, so it was well overdue a re-fresh. It covers all different types of sharing from controller to processors, controller to controller, just controller and obviously party sharing. It highlights the importance of documentation for accountability and carrying out DPIS (that is Data Protection Impact Assessments). It sets out some really useful checklists at Annex A and it is really worth reviewing if you have not already and you can find this on the ICO's website.
The ICO have also recently issued the Children's Code or the Age of Appropriate Design Code. So this is another statutory code of practice. And according to the ICO, one in five UK internet users are children. But they are using an internet that was not designed for them. So what the ICO have set out in this code is 15 standards that online services need to follow in order to ensure they are compliant with the obligations under data protection law to protect children's data online. It helps provide built in protection to allow children to explore, learn and play online. Settings must be high privacy by default, only the minimal amount of personal data should be collected and retained. Children's data should not be shared and geo location services should be switched off by default. The online services covered by the code are wide ranging and include apps, games, connected toys and devices and news services but children are likely access your service even if they are not your target audience or user and you do need to consider the Children's Code. It is important to note that the code applies to UK based companies and non-UK companies who process personal data of UK children.
So moving on to the AI toolkit. So artificial intelligence is a continued area of focus in the world of data protection. In July the ICO introduced a new better version of its AI and data protection risk toolkit. So this contains risk statements to help organisations using AI to process personal data and understand the risks to individuals' information rights. It provides suggestions on best practice and organisation on measures that could be used to manage or mitigate the risks and it demonstrates compliance with data protection laws. The ICO's guidance on AI and data protection which they have co-chaired with the Alan Turing Institute so that is the UK national institute for data science and AI. They have spread this into three parts, it is over 200 pages long and it is very, very detailed. So it is some light reading if you are interested in AI.
And finally, I just want to touch upon the AdTech investigation. So you may have heard about this. It is an investigation into the real time bidding in the AdTech industry which is largely driven by cookies some of which are high privacy invasive. So this investigation was suspended during the pandemic but it re-started as of February this year. Just to let you know, real time bidding uses people's special category data to serve adverts and requires people's explicit consent to do so which is not happening in the industry at the minute. So sharing people's personal data without properly assessing or addressing the risks raises questions around the security and retention of that personal data. The ICO have advised all organisations operating in the AdTech space to assess how they use personal data as a matter of urgency. The intrusive nature of the technology makes it a real priority area for regulators and it is likely that the massively complex AdTech industry will have to adapt and provide much higher levels of transparency following the outcome of this investigation.
So I hope that has been a useful little tour through international data transfers and some other hot topics. I think we might now have some time for some questions Natalie.
Natalie: Yes we do. Yes, thank you Clare, that is really interesting and a lot for everyone to be thinking about I think there.
We have had some questions. One that I suspect probably comes up a lot is, does the GDPR still apply in the UK?
Clare Yes, so technically GDPR is an EU regulation but it does apply in the UK by virtue of the UK GDPR which is a retained domestic law that we retained following Brexit. So due to the legislation around Brexit we have retained law and the principles are still the same. Set out as UK GDPR there are some nuances but yes, the principles are still the same, we still refer back to Article 28, clauses, etc, etc, so yes, still applies.
Natalie: Thank you. So when is the UK International Data Transfer Agreement going to come into force and what do we do in the meantime? Do we just continue using the old SCCs?
Clare: Yes, well the ICO have said that they do want to try to have this new data transferred for 2021. As I mentioned the consultation closed just on 11 October so they want to take on board all the feedback on the consultation. They will then have to do what they need to do. If they need to reject their formatting of the IDTA or the transfer risk assessment tool. So I know the intention of the ICO was to put those tools in place at the end of this year but if it does not happen, hopefully it will be shortly into 2022. And yes, in the meantime, you just continue to use the old style EU SCCs. The ICO have amended these on their website, they are available there. There is guidance alongside as to how to fill them in and they are very useful. So that is what we would have been using for our clients with a need to effect international restrictive transfers in advance of that IDTA coming into force.
Natalie: OK. So what happens if a data subject has dual nationality? Which laws will apply?
Clare: Oh that is a very interesting one you know and I think that is something I am going to have to go back and have a think about.
Natalie There is no context there is there in terms of …
Clare I suppose it will depend as well in the context in which their data is being processed. So I will say, a Spanish employee, employed in the UK, with a UK employer, so they are not being targeted in the EU if you know what I mean, but definitely one I would like to have a think about and want to come back and say so properly and know the context.
Natalie Yes, so we can definitely do that, we can follow up with the person who has asked that question if there is context around it and that is something you want see.
Another questions around, if a country has adequacy status, are any contractual clauses still required.
Clare So if you have adequacy, you can freely transfer data, so the EU and as well following Brexit the UK Government have said that any countries that were already adequate for the commission they would now be adequate in terms of the UK data transfers too. So you can continue to transfer data without additional safeguards. Obviously if you do have any concerns about your data processor in that country or anything else, they cannot offer you the safeguarding mechanisms that you expect to see in place, etc, then do your due diligence. But in terms of if they are an adequate country, yes, then they should not need any additional safeguarding mechanisms.
Natalie OK that is really useful to understand.
I have got another question here that says, what would you advise a UK controller puts in place if sending data to a UK processor who then uses a sub-processor in a third country. That is not too technical, is it the responsibility of the processor to have their SUPs in place with the sub-processor and any additional measures?
Clare Yes, so that processor should have in place contractual arrangements and safeguarding mechanisms it needs to be able to transfer that data outside of the UK.
Natalie OK. So a nice short answer to quite a long question.
Clare And if I have not answered the questions appropriately for the requester, please do leave us your details and I can get back to you on that one.
Natalie OK, we have time for one more I think. Does viewing data constitute processing?
Clare I think again I would need to consider the context of how the data is being viewed and come back to that specifically knowing further information about that.
Natalie OK. Alright well I think on that note any further questions that are quite specific, can you please send them through still but I think that would be a follow up situation. There are many questions.
So thank you. I think we have through everything we needed to get through today so I am going to draw the webinar to a close. As I said at the beginning, we do hope that you have enjoyed our Autumn webinar series for the ThinkHouse Foundations programme. Fingers crossed we will be back in person in 2022.
Before I close, as I mentioned before, if you do have time to fill in those feedback questionnaires please do that if you can.
So thank you very much everyone for watching today and have a great day.
Clare: Goodbye, thank you.