This month's top story
This month's big story is the government's response to its consultation on post-Brexit data protection law reform. Click here to read our article about the key points.
We've been following this development closely – and continue to do so - and the 3 key questions we ask (and answer) at the end of the article are well worth looking at for your organisation now.
Our Global Head of Data Protection and Cyber Security, Stewart Room, also published this article in Forbes that the significant reduction in scope of data subject access requests in the UK which is likely to result from the new regime once it is brought in. This will significantly reduce the burden on many businesses who receive these as a weapon in other matters – be it Employment Tribunal proceedings, director disputes or consumer complaints. However it does start to undermine individual rights – so may put into question the EU's adequacy decision for the UK.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)
European Commission Q&A on SCCs
The European Commission has published a set of 44 questions and answers on use of the EU Standard Contractual Clauses (SCCs) which provide a safeguard for exporting personal data relating to EEA individuals to countries outside the EEA which have not received an adequacy decision. They can also be used to transfer data relating to UK individuals in conjunction with the UK International Data Transfer Addendum issued by the ICO. Some of the key points covered are:
- an explanation of how the EU SCCs can be incorporated into commercial contracts, including signature and modification (our big takeaway being that incorporation by reference is now risky for EU law compliance purposes, and so we now advise clients to avoid it);
- requirements around local law and government access, aimed at clarifying the requirement to conduct a transfer impact assessment in accordance with the Schrems II decision;
- the purpose of the "docking clause", which is an optional clause by which the parties can agree that additional parties may join the contract in the future;
- choosing the right module (i.e. the section of terms used depending on the data protection relationship(s) involved;
- procedures in relation to sub-processors; and
- liability under the SCCs and related commercial contracts.
If you require advice on transferring personal data outside the UK/EEA including intra-group arrangements, please speak to one of our privacy specialists.
ICO enforcement action
ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted
In December 2021 the ICO announced its intention to fine Clearview AI Inc £17 million for breach of data protection laws. Clearview, a US company provided a facial recognition search tool which allowed users (including overseas law enforcement agencies) to search faces against a database of over 10 billion images. The ICO noted that the database was likely "to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms." Amongst other alleged breaches, the ICO considered that Clearview may have failed to meet the higher standard required for biometric data ('special category data' under GDPR and UK GDPR).
The ICO has now fined Clearview £7,552,800. While this is significantly lower than the proposed fine initially announced, it is still a substantial fine.
You can read the ICO press release here.
EU enforcement action
The challenges to businesses using cookies in the EU continues, with the French Council of State declaring that the CNIL (France's data protection regulator) has competence to issue fines for cookies compliance even outside the GDPR's "One Stop Shop" single regulatory lead regime. This increases the attack vector of regulators in France above the GDPR. Will we see other countries following suit? One thing isn't in doubt – the cookies enforcement issue isn't going away in the EU.
EU-US data transfer agreement may be in place by the end of March 2023 – so will there be "Schrems 3"?
It has been reported that Didier Reynders, the EU Justice Commissioner leading the negotiations for the EU, has stated that the EU-US data transfer agreement should be in place by the end of March 2023. This agreement is the planned replacement for the EU-US Privacy Shield, which was invalidated by the Court of Justice of the EU in 2020, which in turn replaced the Safe Harbor in 2015. However, privacy activist Max Schrems has published an open letter to Reynders and other policymakers, warning them that the announced framework risks sharing the same fate as its two predecessors in front of the CJEU unless substantive (legislative) reforms are conducted in the United States and calling on them to continue working for a long-standing, privacy-preserving solution for trans-Atlantic flows to avoid a “Schrems III” decision. We are monitoring the developments and will update you in future issues of DWF Data Protection Insights.
If you need advice on transferring personal data from the UK/EEA to the United States or any other jurisdiction, please contact one of our privacy specialists, who can support you with the appropriate documentation and risk assessment, and also seek to future-proof your contracts as far as possible.
Government publishes guidance on Data Sharing Governance Framework
The Central Digital and Data Office has published guidance on the Data Sharing Governance Framework which lays out the UK’s ambitions to improve data usage in government and highlights the importance of sharing data to deliver better services and outcomes for individuals and businesses. The Framework:
- supports the commitments of the National Data Strategy;
- provides principles and measures to remove or decrease common non-technical barriers to data sharing; and
- shows the relationship between technical data standards and wider data governance.
The Framework is aimed at data requesters, data management specialists, data sharing practitioners and senior leaders responsible for setting relevant strategies. It applies to Government departments and agencies, but excludes councils. It sets out the following principles, plus actions to take to achieve compliance with each principle:
- Commit to leadership and accountability for data sharing.
- Make it easy to start data sharing.
- Maximise the value of the data you hold.
- Support responsible data sharing.
- Make your data findable, accessible, interoperable and reusable.
For advice on these issues, please contact one of the authors or our data protection specialists.