The Information Commissioner’s Office (ICO) and the UK Department for Culture, Media and Sport (DCMS) have each issued no-deal Brexit data protection guidance.

EU/UK personal data transfers

The UK government has committed to incorporating the General Data Protection Regulation (GDPR) into domestic UK law when the UK leaves the EU. This means there will not be any substantive changes to the data protection rules that companies in the UK must follow.

However, companies that transfer personal data between the UK and the European Economic Area (EEA), and vice versa, will be affected.

Elizabeth Denham, the UK Information Commissioner, recently published a blog post about the transfer of personal data from the EEA to the UK. The current free flow of personal data from the EEA to the UK will no longer be possible. A withdrawal agreement must therefore specifically provide for the status quo to continue.

Continue Reading ‘No deal’ Brexit: ICO and UK government issue data protection guidance

On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum.

AggregateIQ

The terms of the enforcement notice require AggregateIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”, within 30 days of the date of the notice.

AggregateIQ contracted with UK political organisations to receive personal data of UK individuals during the Brexit campaign. In particular, AggregateIQ contracted with a number of pro-Brexit groups, including Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaign. AggregateIQ processed this personal data to target individuals with political advertising messages on social media.

Continue Reading ICO takes enforcement action against Brexit campaigners

The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event.

While emphasising the fact that a no-deal Brexit is “unlikely”, the guidance notes that it is important to prepare for all eventualities.

The guidance forms part of the government’s series of notices on a no-deal Brexit, aimed at businesses and citizens.

The current position

The UK has a comprehensive data protection framework, consisting of the Data Protection Act 2018, which is a UK-specific law, and the General Data Protection Regulation (GDPR), which applies across the EU Member States.

The GDPR does not restrict transfers of personal data within the EU. Transfers can also be made outside of the EU if there is an appropriate legal basis for doing so.

Continue Reading The impact of a no-deal Brexit on data protection

The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.

Continue Reading ICO issues new guidance on international data transfers under GDPR

In November 2017, the House of Commons Committee on Exiting the European Union (the Committee) published impact assessment reports of Brexit on various UK business sectors. The Report on the Technology (ICT) Sector (the Report) is a mix of qualitative and quantitative analysis. For each business sector, the Report includes: (i) a description of the sector; (ii) the current EU regulatory regime in which the sector operates; and (iii) an explanation of the frameworks governing how trade is facilitated between countries in the sector. Information provided by the government to the Committee about specific sector views has been withheld by the Committee.

Sector overview

The UK digital sector is vast. It covers digital goods, digital services and digitally enabled transactions of goods and services. It includes the following services and products: (i) audio-visual; (ii) e-commerce; (iii) telecommunications; (iv) data; (v) emerging industries, such as artificial intelligence; (vi) FinTech (dealt with in a separate report); (vii) the Internet of Things; and (viii) cybersecurity. Though London is a prominent hub, digital companies are spread across the UK. Several other cities have highly ranked digital clusters.

The Report highlights:

  • the extent of the UK’s investment in the digital sector;
  • how tech companies are investing in the UK since the Brexit referendum; and
  • information about the value added by the ICT industry, including its contribution to national economy statistics, employment, national balance of trade and international trade.


Continue Reading Brexit sectoral analysis – ICT report

The House of Lords Library, which provides research and information services to Members of the House of Lords, has published a briefing on the Data Protection Bill (“Bill”) which sets out an overview of and reactions to the Bill (“Briefing”). The Briefing was prepared in advance of the Bill’s second reading in the House of Lords, which took place 10 October.

Some of the key points to note from the Briefing are as follows:

The Bill in the context of Brexit

The Briefing highlights the recommendations of the House of Lords European Union Committee that the government should:

  • Pursue and maintain regulatory equivalence with the EU for data protection to ensure unhindered data flows between the UK and EU post-Brexit
  • Seek an adequacy decision from the European Commission

The Committee noted that “stakes are high” because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage. It could also hinder police and security cooperation.

This is particularly relevant considering the estimate cited in the Department for Exiting the European Union’s government position paper that 75 percent of the UK’s cross-border data flows are with EU countries.
Continue Reading House of Lords publishes briefing on Data Protection Bill

The European Commission has issued a proposal for a new Regulation on the free flow of non-personal data (“the Proposal”).

Background

The Commission adopted a Communication in January 2017 on “Building a European Data Economy”, in which its work on free flow of data was announced in the context of actions to enhance the data economy. The Commission then launched a public consultation and dialogue with stakeholders to gather further evidence on the issues restricting the free flow of data.

The Commission has identified the main obstacles that preclude free flow of data in the Digital Single Market as follows:

  • Unjustified data localisation restrictions by Member States’ public authorities
  • Legal uncertainty about legislation applicable to cross-border data storage and processing
  • A lack of trust in cross-border data storage and processing linked to concerns among Member States’ authorities about the availability of data for regulatory scrutiny purposes
  • Difficulties in switching service providers (such as cloud) because of vendor lock-in practices

In practice, these obstacles mean that a business may not be or feel free to make full use of cloud services, choose the most cost-effective locations for IT resources, switch between service providers, or port its data back to its own IT systems. The Commission considers that with the principle of free flow of non-personal data, businesses can avoid duplication of data at several locations, may feel more confident to enter new markets, and scale up their activities more easily.

The Proposal is intended to address these obstacles and remove barriers to data mobility. This is important for the data economy because removing data localisation restrictions is expected to generate additional growth of up to 4% GDP by 2020 (as estimated by Deloitte in one of the support studies). It will also drive down the cost of data services, providing customers greater flexibility in organising their data management and data analytics, while expanding their use and choice of providers.
Continue Reading Proposal for a Regulation on the free flow of non-personal data in the EU

The UK Government has published a position paper (“the Paper”), which will form part of a series of papers setting out key issues forming the Government’s vision for its partnership with the EU post-Brexit. The Paper explains how the Government intends to resolve the much-debated issue of UK-EU data transfers post-Brexit. This issue is a real concern for businesses that currently enjoy the ability to transfer data freely within the EEA, as well as with third countries that are recognised by the European Commission as providing an ‘adequate’ level of protection under EU law.

Some of the key points to note are as follows:

The Government wants to explore a UK-EU model which allows free flows of data to continue after the UK leaves the EU.

It proposes that this could build on the adequacy model that is currently provided under the EU Data Protection Directive (95/46/EC) (“Directive”), and is set out in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). Both the Directive and the GDPR allow the European Commission to formally recognise that a third country – i.e., a country outside the EEA – provides an ‘adequate’ level of data protection under EU law. To date, the Commission has adopted 12 adequacy decisions under the Directive. Two of these decisions are partial: in Canada, the decision applies only to transfers of data to Canadian recipients who are subject to the PIPED Act; and the EU-US Privacy Shield applies only to transfers to those companies in the United States that have self-certified to the standards set out in the Privacy Shield framework.
Continue Reading UK Government publishes its position on UK-EU data transfers post-Brexit

The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally.

The Report looks at four elements of the EU’s data protection package: (1) the General Data Protection Regulation (“GDPR”), (2) the Police and Criminal Justice Directive (“PCJ”), (3) the EU-U.S. Privacy Shield, and (4) the EU-U.S. Umbrella Agreement. Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and all four measures of this data protection package will cease to apply to the UK. However, the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK.

The Government says it wants to maintain unhindered and uninterrupted data flows with the UK post-Brexit. According to the Report, the Committee supports this objective, but is concerned by the lack of detail on how the Government plans to achieve this outcome. The Committee is concerned that any arrangement that creates greater friction around data transfers between the UK and EU, post-Brexit, risks (1) hindering police and security cooperation, and (2) presenting a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. In the Committee’s view, the Government should set out clearly, as soon as possible, how it plans to deliver this objective.
Continue Reading House of Lords publishes report on Brexit and the EU Data Protection Package

The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”).

The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data Protection Directive (95/46/EC) across EU Member States led to the European Commission proposing a new legislative framework for data protection. In its now finalised form, this has two elements:

  • The General Data Protection Regulation (Reg 2016/679), which came into force 24 May 2016, with a two-year implementation period (“GDPR”); and
  • The Directive on data transfers for policing and judicial purposes (2016/680/EU), which came into force 5 May 2016, and must be transposed into national law by Member States by 6 May 2018

The GDPR will apply in the UK from 25 May 2018, although part of the Data Protection Act 1998 will need to be repealed to avoid any duplications or inconsistencies with the GDPR. Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union earlier this year that the Government “will bring forward legislation in the next session in order to put that into practice”. The Queen’s Speech of 21 June 2017 also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”. (See our recent blog on this for further details.)
Continue Reading House of Commons publishes briefing paper on Brexit and data protection