With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear.

As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is an “adequacy decision” granted by the European Commission. If a third country is deemed adequate by the European Commission, the personal data can be transferred to that country without any additional safeguards being required.

Continue Reading The UK is preparing its adequacy decisions post Brexit

Earlier this year, the Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online services (Code). The consultation closed on 31 May 2019 but the ICO has recently released an update on its progress in producing the Code.

The finalised Code will be informed

The UK Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online products and services provided by information society services (ISS). The consultation closes on 31 May 2019. The draft code sets out principles for any online service accessed by children under the age of 18.

Best interests of the child at the core

This code of practice is based on the key principle in the United Nations Convention on the Rights of the Child that the best interests of the child should be a primary consideration in all actions concerning children. In the context of today’s myriad of online services, it has become increasingly difficult for both parents and children to make informed choices or exercise control over the way services use children’s personal data. The code aims to respect the rights and duties of the parents but also the children’s evolving capacity to make their own choices.

16 headline ‘standards of age-appropriate design’

The code requires ISS providers to abide by 16 cumulative standards when processing personal data of children through their services:
Continue Reading Protection of children’s online space: ICO issues code of practice on age-appropriate design

Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects’ GDPR rights and organisations’ GDPR obligations.

The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.

The Guidelines’ purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects’ rights and organisations’ obligations.

GDPR Article 23

Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:

Continue Reading Ireland: New guidelines on restrictions on data subject rights

On 7 June 2018, the UK government published a technical note detailing options for future UK-EU cooperation on data protection, post-Brexit. The technical note is part of a series of papers produced by the UK Brexit negotiation team for discussion with the EU, in order to assist with the development of future EU-UK relations.

The UK government suggests that a new data protection agreement should be executed between the UK and the EU. The agreement would build on the current concept of the “adequacy” of data-sharing laws between the EU and UK after Brexit and enable the Information Commissioner’s Office (ICO) to continue to play an important role in the EU’s data protection decisions. A failure to maintain the flow of information between the UK and the EU is one of many concerns facing multinational companies as the UK prepares to leave the EU.

This blog will look at the key themes put forward in the technical note.

Continue Reading UK Government publishes technical note on data protection

On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog post setting out the key elements of both sets of guidelines.

In simple terms, BCRs are a business-specific framework that allows intra-organisational cross-border transfers of personal data from organisations within the European Union to their affiliates outside the EU. BCRs underpin shared data processing standards compatible with the General Data Protection Regulation (GDPR) and wider EU data protection law. The GDPR incorporates BCRs into legislation and sets out, in Article 47, the conditions that must be met when businesses rely on them.

The revised guidelines (WP256 for Controllers and WP257 for Processors) address the principles and elements businesses should incorporate in their BCRs. The guidelines have revised the original guidance, although they remain largely similar to what was published in draft last year.

Continue Reading Binding corporate rules – Article 29 Working Party issues revised guidelines

On 20 February 2018, The Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed data protection fees that the Regulations will levy.

The Regulations replace the previous system of notification under the Data Protection Act 1998. They will come into effect simultaneously with the General Data Protection Regulation on 25 May 2018.

Under the Regulations, data controllers who have a current registration or notification with the ICO will not need to pay the new fees until their existing registration expires. Registration does not automatically expire on 25 May 2018.

1. How the fees are calculated

The Regulations set out three tiers of organisations with accompanying fee levels for each tier. The tier an organisation falls into depends on: (i) how many staff members it has; (ii) its annual turnover; (iii) whether it is a public authority; (iv) whether it is a charity; and (v) whether it is a small occupational pension scheme.

These tiers are clarified below:

Tier 1 – Micro Organisations

  • Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.
  • Tier 1 fee = £40.

Tier 2 – Small and Medium Organisations

  • Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.
  • Tier 2 fee = £60.

Tier 3 – Large Organisations

  • Organisations that exceed the caps of the Tier 1 or Tier 2 criteria.
  • Tier 3 fee = £2,900.

Importantly, all data controllers are to be regarded as Tier 3 unless they tell the ICO otherwise.

Continue Reading New data protection fees for UK businesses – Draft Data Protection (Charges and Information) Regulations 2018 and ICO guide published

The UK’s Information Commissioner’s Office (ICO) has published what appears to be its first public enforcement notice based upon “the right to be forgotten” against Google Inc. The “right to be forgotten” was established by the ECJ last year when it held that data subjects have a right to compel search engines to remove results linking to websites containing their personal information, where those results are outdated or irrelevant.

In the current case, Google originally agreed with the data subject’s initial right-to-be-forgotten request, namely that the data subject’s historic criminal conviction was no longer relevant, and removed the link. Unfortunately for the data subject, the removal drew more attention to the story, prompting new articles to be written, and Google refused to remove the subsequent links on the basis that they were relevant and in the public interest.
Continue Reading UK first: right-to-be-forgotten notice issued against Google Inc.

On 23 June, the UK government introduced a new online cyber security training course designed to assist the procurement profession to stay safe online.

After a recent government survey found that half of the worst breaches were caused by human error, the government aims to increase awareness and help organisations reduce risk. The course, freely available online, has been designed to help persons in the procurement industry protect themselves, their businesses and their suppliers from cyber attack.
Continue Reading UK offers improved cyber security training to boost procurement profession