Data Protection New Year's Resolutions 2021
Happy New Year! Here are our suggested resolutions to help you to meet the continuing data governance challenges in 2021.
- Deal with EEA to UK data transfers - While the 'bridging mechanism' announced in the EU-UK Trade and Cooperation Agreement (TCA) has removed the immediate requirement to put in place a safeguard for EEA to UK personal data transfers, we recommend that you continue to prepare for the risk that the mechanism may expire before the UK receives an adequacy decision, or an adequacy finding is granted and then declared invalid. See The EU-UK Trade and Cooperation Agreement below for more details about the TCA and our recommended approach.
- Appoint EU Representatives if needed - Remember that, while the bridging mechanism has (for now) removed the need to put in place a safeguard for EEA to UK data transfers, the other post-Brexit requirements still apply, including the need to appoint an EU representative (if your organisation falls within the scope of Article 27 of GDPR) and to update your privacy notice to identify your EU representative (if you have one) and to ensure that legal references are correct.
If you updated your privacy notice when GDPR became applicable in May 2018, but you have not reviewed it since, you should now update it in the light of Brexit and to reflect guidance given by the ICO and the EDPB during the intervening period. Our data protection specialists would be happy to review your existing privacy notice(s) and work with you to update them to reflect your business operations and the relevant law.
- Resolve US data transfers still relying on Privacy Shield - While the decision of the Court of Justice of the EU (CJEU) in the Schrems II case, which invalidated the EU-US Privacy Shield, was in August 2020, some organisations have not yet fully addressed this, due to Brexit preparations and dealing with the ongoing pandemic. Now that the bridging mechanism has relieved the urgent need to put in place safeguards for EEA-UK transfers, we recommend that you address your UK-USA transfers. If you are still relying on the Privacy Shield for such transfers, please remember that it was invalidated with immediate effect last year, so you need to take action to review whether those transfers can continue and, if so, put in place a valid mechanism, such as standard contractual clauses (SCCs).
Remember that the CJEU in the Schrems II case introduced new requirements for the SCCs, so you will need to comply with the EDPB's recommendations on supplemental measures and recommendations on the European Essential Guarantees for surveillance measures, noting that at the time of publication both of these are awaiting finalisation. See the November 2020 issue of DWF Data Protection Insights for details of the draft recommendations.
- Undertake a Data Sharing Review - As well as reviewing your cross-border transfers, you should review and consider updating your data sharing arrangements to reflect the ICO's new Data Sharing Code of Practice, which it published on 17 December 2020. See ICO Guidance below for an overview of the Code.
If you would like our support in mapping your data transfers, identifying legal relationships and updating your contractual and practical arrangements, please contact one of our data protection specialists.
- Ensure COVID-19 data processing is lawful - If you have started collecting or processing additional personal data in response to the pandemic, or processing personal data for additional purposes, ensure (if you have not already done so) that you have identified an appropriate lawful basis for this collection or processing and complied with the transparency principle. Consider whether you need to update your privacy notice(s) and whether you need to communicate the changes to the data subjects affected. The ICO is continuing to update its data protection and coronavirus information hub to help organisations navigate their data protection obligations during the pandemic.
- Check your DPIAs - Before undertaking any new project involving personal data, consider whether you need to undertake a data protection impact assessment (DPIA) to identify and minimise any data protection risks. We can help you to identify when a DPIA is required and, if necessary, to conduct and document a DPIA. We have developed an online tool to streamline this process, so please feel free to contact one of our data protection specialists for a demonstration!
- Ensure direct marketing is compliant - Make sure that any direct marketing your organisation carries out complies with all relevant data protection law, including the Privacy and Electronic Communications Regulations (PECR). In recent issues of DWF Data Protection Insights (and see ICO enforcement below), we've reported on the ICO's continued focus on enforcing breaches of PECR.
- Prepare for changes to online services likely to be accessed by children - If your business includes online services which are likely to be accessed by children, you need to achieve compliance with the Age Appropriate Design Code by 2 September 2021. The Code came into force on 2 September 2020, with a 12-month transition period. Please note that the scope of the code is not limited to services specifically targeted at children, but applies to all 'information society services likely to be accessed by children'. The code provides specific rules which apply to different services and age groups, so we would be happy to provide advice tailored to your business and services. The ICO has launched a Children's Code hub, which includes a link to a survey about how the ICO can support your organisation to achieve compliance.
Critical Privacy Issues From 2020 That Will Impact New Year
Stewart Room, our Global Head of Data Protection and Cyber Security, has written this article, in which he discusses his top five data protection, privacy and security issues in 2020 that will have a lasting impact in 2021 and beyond:
- Legal flexibility for the Pandemic
- Globalisation - the rubber didn't actually hit the road
- UK is odds-on for a DP adequacy decision
- Financial penalty regime getting into its rhythm
- Automated Facial Recognition not a dead duck, but algorithm awareness increase
The EU-UK Trade and Cooperation Agreement
As referred to above, the EU-UK Trade and Cooperation Agreement (TCA) provides that personal data flows from the EEA to the UK can continue until adequacy decisions have been adopted. This 'bridging mechanism' will operate for four months from the TCA entering into force, extended by two months unless one of the parties objects, or (if earlier) until there is an adequacy finding for the UK. While the ICO has welcomed this announcement, it still recommends that organisations put in place alternative transfer mechanisms, to 'safeguard against any interruption to the free flow of EU to UK personal data'.
The transfer mechanism most likely to be appropriate is the standard contractual clauses (SCCs). As we reported in the November 2020 issue of DWF Data Protection Insights, the European Commission has published and consulted on an updated version of the SCCs, which is expected to be finalised and adopted early in 2021. Once the updated SCCs have been adopted, the previous version will be repealed with a one-year transitional period for contracts entered into before the new clauses come into force, provided the contract remains unchanged.
Note that the new version of the SCCs will only be valid for transfers from the EEA, not from the UK. The ICO has issued guidance which states that:
- it intends to consult on and publish UK SCCs during 2021, and UK organisations should continue to use the EU SCCs (amended as necessary – the ICO has published a suggested version);
- the ICO and the Secretary of State will keep the transitional arrangements for SCCs under review;
- the EU SCCs may cease to be valid for new and/or existing restricted transfers from the UK, in which case the ICO will provide more information.
If you are considering whether to put SCCs in place now for transfers from the EEA to the UK or wait until the new version of the EU SCCs is finalised, you may want to consider the volume of contracts that require SCCs:
- If you have a large volume of such contracts, we recommend that you start now, using the existing SCCs, but including a clause in the contract agreeing to update them to the new SCCs when they are finalised. We would also recommend an "only comes into effect" clause, so that the SCCs only come into effect when they are needed, i.e. if the bridging mechanism expires before the UK receives an adequacy decision.
- If you only have a few contracts that would be affected, you may decide to wait and see what progress is made during the initial four-month period, and if by March the UK has not received an adequacy decision and the new SCCs have not been adopted, start putting in place the existing SCCs.
Remember that the bridging mechanism only applies to EEA-UK data transfers and does not delay the other post-Brexit requirements, such as the need to appoint an EU representative (if your organisation falls within the scope of Article 27), and to update your privacy notice to identify your EU representative (if you have one) and to ensure that legal references are correct.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
Binding Corporate Rules (BCRs) at the end of the transition period
The ICO has published guidance on BCRs following the expiry of the transition period, setting out the action that holders of EU Binding Corporate Rules (EU BCRs) need to take now to continue relying on them as an appropriate safeguard for international data transfers with the European Economic Area (EEA) following the expiry of the transition period.
If your organisation transfers personal data from the UK to non-EEA countries in reliance on EU BCRs, you need to take action following Brexit, as outlined in the ICO guidance and the EDPB's information note. If the EU BCRs were authorised by the ICO (whether or not as lead supervisory authority), you need to produce a UK version (incorporating the changes required by the DPA 2018) immediately and submit it to the ICO on or before the next annual update due date. The ICO guidance states that the ICO will contact you to check that you have made the necessary changes.
If the EU BCRs were not authorised by the ICO, to be eligible for UK BCRs you need to produce a UK version and meet certain conditions as soon as possible, and in any event before 30 June 2021. Please contact one of our data protection specialists if you need advice on this point.
Data Sharing Code of Practice
The ICO published a new Data Sharing Code of Practice on 17 December 2020. The Code is organised according to 'what you need to do or consider':
- Identify your objective in sharing the data
- Be clear as to what data you are sharing
- Understand the position following UK exit from the EU
- Consider the risks and benefits of sharing and not sharing
- Carry out a Data Protection Impact Assessment (DPIA)
- Put in place a data sharing agreement
- Ensure you follow the data protection principles
- Check your data sharing is fair and transparent
- Identify at least one lawful basis for sharing the data before you start sharing it
- Put in place policies and procedures that allow data subjects to exercise their individual rights easily
- Be clear about sharing data under the law enforcement processing provisions of Part 3 DPA 2018, and sharing between the GDPR/Part 2 DPA 2018 and Part 3 DPA 2018
- Demonstrate a compelling reason if you are planning to share children’s data, taking account of the best interests of the child
- Share data in an emergency as is necessary and proportionate. Plan ahead as far as possible
- Document your decisions about the data sharing, evidencing your compliance with data protection law
- Put in place quality checks on the data
- Arrange regular reviews of the data sharing arrangement
- Agree retention periods and make arrangements for secure deletion
Alongside the code, the ICO has launched a data sharing information hub which includes FAQs, case studies and checklists. As above, please feel free to contact one of our data protection specialists if you would like us to review and advise on your data sharing arrangements.
Six things to consider when using algorithms for employment decisions
On 18 December 2020 the ICO published guidance called 'Six things to consider when using algorithms for employment decisions', which highlights the following points:
- Bias and discrimination are a problem in human decision making, so they are also a problem in AI decision making, because of the influence of training data. You must carry out a data protection impact assessment (DPIA) before using AI if the processing is likely to result in a high risk to individuals’ rights and freedoms. This DPIA must include an assessment of whether AI is a necessary and proportionate solution.
- It is hard to build fairness, which is one of the data protection principles, into an algorithm. You need to address this in your DPIA, documenting how you will mitigate bias and discrimination, and ensuring that you comply with the Equality Act 2010.
- The advancement of big data and machine learning algorithms is making it harder to detect bias and discrimination. The ICO states that this is an area where best practice and technical approaches continue to develop. You should monitor changes and invest time and resources to ensure you continue to follow best practice and your staff remain appropriately trained.
- You must consider data protection law AND equalities law when developing AI systems.
- Using solely automated decisions for private sector hiring purposes is likely to be illegal under the GDPR. Solely automated decision making that has a legal or similarly significant effect is illegal under the GDPR. There are three possible exceptions, but these are unlikely to apply to private sector recruitment. The ICO states that organisations should consider how they can bring a human element into AI-assisted decision making.
- Algorithms and automation can be used to address bias and discrimination, for example by detecting these problems at an early stage of a system's lifecycle.
If you are considering the use of AI, whether for employment decisions or any other type of decision, we recommend that you contact one of our data protection specialists, who can identify whether a DPIA is required, support you to conduct any DPIA required and address its findings, and work with you to achieve the principle of privacy by design while creating an AI solution.
The EDPB has published:
- Its strategy for 2021-2023, which is grouped around four main pillars: advancing harmonisation and facilitating compliance, supporting effective enforcement and efficient cooperation between supervisory authorities, a fundamental rights approach to new technologies and the global dimension.
- A statement on the end of the Brexit transition period. This describes the main implications for controllers and processors and covers data transfers to a third country as well as the consequences for the one-stop-shop mechanism. (Note that the information about EEA-UK transfers has been superseded by the EU-UK Trade and Cooperation Agreement.)
- Guidelines on restrictions of data subject rights under Article 23 of the GDPR. These provide an analysis of the criteria to apply restrictions, assessments that need to be observed, how data subjects can exercise their rights after restrictions are lifted, and the consequences of infringements. The guidelines are open for public consultation until 12 February 2021.
- Final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR. These have been adopted after a public consultation and provide further guidance on the data protection aspects of the PSD2. The EDPB has added a section on fraud prevention to address comments received during the public consultation.
ICO enforcement
The ICO has continued to fine organisations for breaches of the Privacy and Electronic Communications Regulations (PECR), including making unsolicited calls and sending nuisance marketing texts to recipients who had not been given the opportunity to opt out of such texts. As we referred to above in our data protection new year's resolutions, these fines demonstrate the ICO's continuing focus on enforcing PECR, serving as a reminder to ensure that your direct marketing campaigns comply with all applicable data protection law. Please contact us if you would like our advice on how to conduct direct marketing legally.
Belgian DPA signs cooperation protocol with DNS Belgium
The Belgian DPA (Belgium's supervisory authority) has signed a cooperation protocol with DNS Belgium, the organisation that manages the '.be' top-level domain name. The protocol creates a process to enable DNS Belgium to suspend websites that are used for serious breaches of the GDPR. It will be interesting to see how this process works in practice and whether other supervisory authorities follow Belgium's example. We will report on any news in future issues of DWF Data Protection Insights.
ICO and Global Cyber Alliance sign Memorandum of Understanding
The ICO has announced that it has signed a Memorandum of Understanding (MoU) with the Global Cyber Alliance, an international non-profit organisation dedicated to reducing cyber risk. The MoU sets out the intention of both organisations to work together to help protect personal data from cyberattacks through:
- sharing technical information from cyber incident investigations (but no personal data), where appropriate, and where it is related to cybercrime and fraud;
- sharing and exchange of information and intelligence which enhances the ability to identify cyber threats, risks and trends; and
- joint research or studies to improve each party's understanding of the cyber landscape, including its size, the actors operating therein and the business models they are adopting.
EU-US: A new transatlantic agenda for global change
The European Commission has announced a new transatlantic agenda for global change. Under the heading 'Working together on technology, trade and standards' the Commission states that the EU wants to work closely with the US to:
- establish a new EU-US Trade and Technology Council;
- create a specific dialogue with the US on the responsibility of online platforms and Big Tech;
- work together on fair taxation and market distortions, and develop a common approach to protecting critical technologies;
- work together on Artificial Intelligence and data flows; and
- cooperate on regulation and standards.