Government announces proposals for a new Data Protection Bill

The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK.

The Bill is intended to “bring EU law into domestic law” – referring to both the General Data Protection Regulation (“GDPR”) and the Data Protection Law Enforcement Directive (“DPLED”), which come into force next year. Essentially, the Bill helps the UK to prepare for post-Brexit and facilitate the uninterrupted flow of data between the UK and the EU.

The Bill will repeal the Data Protection Act 1998 (“DPA”). It will remove inconsistencies and avoid any confusion as to which data protection standards apply. The Bill will apply to “all general data”, not just areas of EU competence – this is to ensure that businesses have a single standard which they can operate.

The Proposals

Like the GDPR, the Statement introduces new measures for organisations which process personal data. For example, these include:

  • Tougher rules on consent
  • Enhanced rights for individuals
  • Increased powers for the UK Information Commissioner’s Office (“ICO”)

In relation to the ICO’s powers, the Bill will allow the ICO to issue fines of up to £17 million, or 4% of global turnover, which is in line with the GDPR. The Information Commissioner, Elizabeth Denham, has commented on these proposed increased fines, stating she intends to use these powers “proportionately and judiciously” (see the recent ICO blog). She added that it would be “scaremongering” to make early examples of organisations for minor infringements, or for these maximum fines to become the norm. Businesses might take some comfort from these initial views of the ICO. Continue Reading

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has until 9 May 2018 to implement the NIS Directive into its national laws.) The closing date for responses is 30 September 2017, and the consultation is aimed at industry participants, regulators and other interested parties.

Tackling growing cyber risks

As society becomes increasingly reliant on information technology, the potential impact of failure in those systems is also rising. Recent events point towards an increase in the scale, frequency and gravity of cyber  attacks. The recent WannaCry ransomware attack illustrates only too well the adverse effects that can result from a security breach.

The European Commission’s aim with the NIS Directive is to increase the security of network and information systems within the EU. The government has announced that it supports that overall aim, and recognises the need to improve the security of UK network and information security systems, with a particular focus on “essential services”. The proposal is that (subject to meeting certain thresholds) service providers operating in the following sectors should qualify as an “essential service”: energy, health, digital and transport (air, road and maritime). Among the NIS Directive’s provisions are a duty for operators of essential services to:

  1. Take appropriate and proportionate technical and organisational measures to manage security risk; and
  2. Take appropriate measures to prevent and minimise the impact of any incidents affecting the security of the network and system used to provide the service.

Continue Reading

Europe Explores Data Ownership

Machine-generated data is a hot commodity, but who owns this information? As more and more valuable data are generated, should there be legislation to establish ownership and, potentially, access rights? The European Commission conducted a public consultation, “Building a European Data Economy,” to find out.

The consultation addressed key factors, such as the question to what extent digital non-personal machine-generated data are traded and exchanged. The Commission also wanted to determine whether the changing technological landscape warrants the formation of an ownership-type right to machine-generated data.

The “Building a European Data Economy” consultation ended in April 2017. The European Commission has not yet released a final report with conclusions, but a preliminary summary was made public. The summary indicates that several participating businesses were concerned over the right to data. Continue Reading

Seventh Circuit Affirms Dismissal of FCRA Class Claims Based on Job Application Credit Reports Due to Lack of Standing

In yet another appellate court decision signaling the strength of the United States Supreme Court’s 2016 Spokeo decision, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a pair of putative class actions against Time Warner Cable, Inc. (“TWC”) and Great Lakes Higher Education Corporation (“Great Lakes”) alleging Fair Credit Reporting Act (“FCRA”) violations because plaintiff job applicant failed to plead an injury sufficient to establish Article III federal standing post-Spokeo.

Plaintiff Cory Groshek (“Plaintiff”) filed the pair of suits alleging that TWC and Great Lakes violated the FCRA by requesting consumer credit reports on him as part of the job application process without complying with 15 U.S.C. section 1681b(b)(2)(A).  That provision bars prospective employers such as TWC and Great Lakes from obtaining consumer reports for employment purposes unless (a) a clear and conspicuous disclosure has been made in writing to the job applicant at any time before the report is procured, in a document that consists solely of the disclosure that a consumer report may be obtained for employment purposes (commonly known as the “stand-alone disclosure requirement”); and (b) the job applicant has authorized in writing the procurement of the report.  According to Plaintiff, TWC and Great Lakes did not provide clear and conspicuous disclosures, and as a result, the authorization he provided permitting the companies to obtain consumer reports was invalid.

The trial court agreed with TWC and Great Lakes’ arguments that Plaintiff had not suffered a concrete injury over Plaintiff’s claims that he suffered concrete informational and privacy harms. In light of Spokeo, the Seventh Circuit analyzed whether “the common law permitted suit in analogous circumstances,” and whether the alleged statutory violation presented an “appreciable risk of harm” to the concrete interest Congress sought to protect via statute.  In a concise opinion, the Seventh Circuit found that Plaintiff’s claims did not confer Constitutional standing to bring suit in federal court based on either analysis.

Continue Reading

SEC Increases Focus on Cyber Incident Response

In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction.

The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and Steven Peikin as the new co-directors of the enforcement division. Peikin noted that “[t]he greatest threat to our markets right now is the cyber threat.” What has generally been a focus on urging companies to bolster their cybersecurity prevention efforts may be making a shift toward an expectation that companies respond efficiently and effectively in the wake of a data breach. Such a shift is not surprising, given that many experts believe that security breaches are increasingly inevitable.

Given the growing recognition that, even with robust and mature information security programs, incidents will occur, the SEC and others are looking to frame appropriate regulatory responses. Recent SEC comments place an increased importance on how companies are identifying and responding to cybersecurity incidents.

By increasing regular examination of regulated entities, such as broker dealers and investment advisers, these entities will likely have more direct oversight and scrutiny of their information security programs. In addition, direct regulatory oversight of financial institutions subject to the SEC’s jurisdiction, and broader scrutiny of public companies and their security breach-related disclosures, seems probable.  “In the wake of a breach, we are going to ask questions and look at disclosures before and after an incident,” said Avakian.

The SEC is cognizant of the fact that enforcement in the form of fines on public companies can lead to negative consequences to seemingly innocent parties, such as shareholders. However, the SEC has brought several enforcement actions against registered firms, including a $1 million fine related to allegations of a failure to meet the “safeguards” rule under the Gramm-Leach-Bliley Act. As the SEC’s focus shifts more resources to cybersecurity enforcement, it would not be surprising to see the agency examine disclosures relating to data breaches, or the timing of disclosure of such incidents, more closely. Now more than ever, companies may be held accountable if they fail to invest in data security, or prepare and respond to cyber-attacks adequately. While the companies may view themselves as victims, the market, and those tasked with protecting investors and the market, seemingly do not.

ECPA Reform Legislation on the Horizon (Again)

Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies.

The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act (ECPA), which has been criticized for being woefully outdated, given the rise of the Internet of Things and how people currently share, store, and use information. Accordingly, many have publicly called for Congress to completely overhaul the Reagan-era statute.

Current Framework: The ECPA

Although ECPA has undergone amendment since its passage in 1986, the most scrutinized aspects of the law, such as those related to email retention, remain unchanged from when it was passed more than 30 years ago.

ECPA currently requires law enforcement officials to obtain a warrant in order to access data less than 180 days old. A warrant requirement is a strict legal standard, requiring that any request be supported by probable cause – a reasonable suspicion of criminal activity based on articulable facts.

However, if the data is more than 180 days old, ECPA considers those older communications to be abandoned, and therefore not subject to a reasonable expectation of privacy. Thus, law enforcement officials are entitled to access those emails and other electronic communications without a warrant.  Instead, government officials need only issue a subpoena for the information or obtain a court order. Continue Reading

Fines under GDPR – German DPAs provide guidance

The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently impose fines of up to EUR 300,000. Under the GDPR, fines can amount to up to EUR 20 million or 4% of the worldwide annual turnover.

Levels of fines

The DPAs explain the different levels of fines that can be imposed against a controller or processor, and give examples of the relevant cases.

  • Fines of up to EUR 10 million or, in case of an “undertaking”, 2% of the total worldwide annual turnover of the preceding business year, whichever is higher, can be imposed, e.g., for the failure to implement appropriate technical and organizational security measures.
  • “Particularly serious infringements” can result in fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. Particularly serious infringements include violations of the rights of data subjects or processing without a justification.
  • Non-compliance with an order by the supervisory authority under Art. 58 (2) GDPR may be subject to fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.

Continue Reading

House of Lords publishes report on Brexit and the EU Data Protection Package

The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally.

The Report looks at four elements of the EU’s data protection package: (1) the General Data Protection Regulation (“GDPR”), (2) the Police and Criminal Justice Directive (“PCJ”), (3) the EU-U.S. Privacy Shield, and (4) the EU-U.S. Umbrella Agreement. Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and all four measures of this data protection package will cease to apply to the UK. However, the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK.

The Government says it wants to maintain unhindered and uninterrupted data flows with the UK post-Brexit. According to the Report, the Committee supports this objective, but is concerned by the lack of detail on how the Government plans to achieve this outcome. The Committee is concerned that any arrangement that creates greater friction around data transfers between the UK and EU, post-Brexit, risks (1) hindering police and security cooperation, and (2) presenting a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. In the Committee’s view, the Government should set out clearly, as soon as possible, how it plans to deliver this objective. Continue Reading

CJEU has released Opinion on EU-Canada Passenger Name Record Agreement – What it means for international data transfer mechanisms

In the Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that the agreement violates EU privacy and data protection laws.


The EU and Canada negotiated an agreement on the transfer and processing of PNR data (“PNR Agreement”). The European Parliament, which was asked to approve the PNR Agreement, called upon the CJEU to give a ruling on its compatibility with the EU Charter of Fundamental Rights. It is the first time the European Parliament or any other EU institution obtained the opinion of the CJEU regarding the question whether a draft international agreement is compatible with EU law.

PNR Agreement

The PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada to a Canadian authority. The PNR data includes, for example, the names of air passengers, the dates of intended travel, the travel itinerary, and information relating to payment and baggage. The PNR data may reveal travel habits, relationships between two individuals, information on the financial situation or the dietary habits of individuals. For the purpose of combating terrorism and transnational crime, the PNR Agreement provides that the PNR data can be retained and transferred to other authorities and to other non-member countries. The PNR Agreement stipulates a data storage period of five years. Continue Reading

House of Commons publishes briefing paper on Brexit and data protection

The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”).

The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data Protection Directive (95/45/EC) across EU Member States led to the European Commission proposing a new legislative framework for data protection. In its now finalised form, this has two elements:

  • The General Data Protection Regulation (Reg 2016/679), which came into force 24 May 2016, with a two-year implementation period (“GDPR”); and
  • The Directive on data transfers for policing and judicial purposes (2016/680/EU), which came into force 5 May 2016, and must be transposed into national law by Member States by 6 May 2018

The GDPR will apply in the UK from 25 May 2018, although part of the Data Protection Act 1998 will need to be repealed to avoid any duplications or inconsistencies with the GDPR. Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union earlier this year that the Government “will bring forward legislation in the next session in order to put that into practice”. The Queen’s Speech of 21 June 2017, also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”. (See our recent blog on this for further details.) Continue Reading