The GDPR turned 3 years old on 25th May 2021. The 2018 regulation has caused a paradigm shift in how organisations and nations around the world control and process personal data, and has made clear to Europeans their right to have their data protected and only used in a manner for which they approve. With Brexit implemented, a major hurdle for regulators is to finalise rules for UK-EU data transfers.
Please find below the most recent and important Data Protection updates.
New Standard Contractual Clauses for International Data Transfers under the GDPR
The Information Commissioner’s Office (ICO) is in consultation over the Summer to create new UK-Specific Standard Contractual Clauses (UK SCCs) to facilitate transfers of personal data outside the UK as a key part of new international transfer mechanisms for restricted transfers outside the UK. The new UK SCCs are unlikely to be substantially different from the EU SCCs, but will be specific to the UK. Data Controllers will need to have UK SCC agreements in place to continue making restricted transfers from the UK.
The ICO intends to publish draft UK SCCs for public consultation in summer 2021. In the meantime, organisations can continue to rely on the current SCCs for restricted transfers outside the UK. Once agreed upon, it is expected that the ICO will give organisations around 18 months to implement the new UK SCCs into their data import/export arrangements.
New EU standard contractual clauses adopted: 18-month deadline to reassess international transfers of personal data from Europe
On 4th June 2021, the European Commission has formally adopted new standard contractual clauses for international personal data transfers from the European Union to third countries (“New EU SCCs”). These New EU SCCs take into account both the Schrems II decision and the requirements of the EU GDPR and enable businesses to account for a variety of complex data transfers.
The New EU SCCs bring in new rules for restricted data transfers, but are also somewhat more flexible than the existing SCCs. The New EU SCCs take a modular approach to implementation and cover a broad range of transfer scenarios including controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. The New EU SCCs include form provisions for granting specific or general authorization for processors to engage sub-processors in the context of controller-to-processor and processor-to-processor transfers and prohibit onward transfers to additional recipients in third countries unless the onward transfer recipient agrees to be bound by the SCCs, or another specified exemption applies.
The new standard contractual clauses will come into effect June 27, 2021. The old SCCs will be repealed three months following publication of the implementation decision, after which they may no longer be used for new data transfers. Businesses will have 18 months to update their existing data export/import arrangements with the New EU SCCs. It is important that businesses take the next 18 months to analyse the new SCCs to determine whether the new terms affect operational processes and update their existing data-transfer agreements.
Adequacy Decision
The UK is awaiting an adequacy decision from the European Commission for free transfers of personal data from the EU/EEA to the UK. The draft adequacy decision from the European Commission does not allow the UK to deviate from the protections guaranteed by the EU GDPR. Despite the transfer tools being broadly the same, organisations are facing a prospect of having separate SCCs for transfers to third countries from the EU/EEA and from the UK.
While the draft adequacy decision from the European Commission was broadly positive, MEPs recently voted to re-evaluate the draft decision; reviews are ongoing a final decision is expected in the coming months. In the meantime, it is key that appropriate safeguards (e.g. SCCs) are in place in order to ensure data transfers remain possible if an adequacy decision cannot be made by July 2021 and no extension is agreed.
Data Sharing Code of Practice is laid before Parliament
On 18 May 2021, the ICO’s Data Sharing Code of Practice was laid before Parliament.
The new Code is a statutory code of practice, which the ICO is required to publish under the Data Protection Act 2018. The ICO is also required to take the new Code into account when considering whether an organisation has complied with data protection law when sharing personal data.
The Code aims to address misconceptions regarding data sharing, such as misconceptions surrounding consent, and that the GDPR and Data Protection Act 2018 prevent data sharing.
The ICO issued a statement on 18 May 2021, stating ““The new data sharing code aims to give businesses and organisations the confidence to share data in a fair, safe and transparent way, and it dispels many of the remaining myths about data sharing. The code will guide organisations through the practical steps they need to take to share data while protecting people’s privacy.”
The new Code will now lay before Parliament for 40 sitting days before coming into force.
In addition to the Code, the ICO has published additional resources on its data sharing information hub. Organisations should familiarise themselves with the Data Sharing Code of Practise so as to avoid confusion surrounding their rights and obligations under UK GDPR and the DPA 2018.
News, Fines and Breaches
Latest enforcement action by the UK’s Information Commissioner’s Office (“ICO”):
The ICO had handed down several fines in the past month. Most of these related to the sending of unsolicited marketing materials by email and text. It may be helpful to review some of these fines and the reasons behind them to ensure your organisation doesn’t fall into the same situation:
Solarwave Of Grays, Essex, Has Been Fined £100,000 For Making 73,217 Unsolicited Marketing Calls
Solarwave of Grays, Essex, has been fined £100,000 for making 73,217 unsolicited marketing calls about solar panel maintenance between January and October 2020. These were made to people who were registered with the Telephone Preference Service (TPS) list and who should not have received them The company was also issued with an enforcement notice ordering it to stop marketing until consent had been obtained.
The ICO has fined Tested.me Ltd (TML) of St Albans for sending direct marketing emails to people who provided their personal data for contact tracing purposes.
Tested.me Ltd (TML), provides digital contact tracing services which work by offering people a QR code to scan when arriving at businesses’ premises. The company sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to meet the government’s contact tracing rules.
Conservative Party Fined £10,000 For Sending Unlawful Emails
The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them. It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party.
The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law, and concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants.
Amex Fined For Sending Four Million Unlawful Emails
The ICO has fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to customers who did not want to receive them. During the investigation the ICO found that Amex had sent over 50 million, of what it classed as ‘servicing emails’ to its customers. The ICO revealed that 4,098,841 of those emails were actually ‘marketing emails’, designed to encourage customers to make purchases on their cards which were sent illegally without explicit consent of the customer. Amex also did not review its marketing model following customer complaints.
Data Protection and Cyber in the News:
Below is a selection of Data Protection and cyber security stories from the past month:
The organizing committee of the Tokyo Olympics is the latest victim of a breach of a government contractor’s data-sharing tool.
Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover.
Colonial Pipeline’s CEO addressed a Senate committee on the Russia-based ransomware attack that crippled fuel deliveries up and down the East Coast.
India’s national airline Air India has said a cyber-attack on its data servers affected about 4.5 million customers around the world.
A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients,
On May 31 2021, privacy group NOYB led by Max Schrems filed over 500 draft complaints to websites in the EU for using unlawful cookie banners.
As always, if you require any assistance with data protection related issues, please contact us.
Follow TenIntelligence
For further information, visit Corporate Security, where you can find out how we support clients with Corporate Security and digital forensics support. Email us at info@tenintel.com and follow us on LinkedIn and Twitter @TenIntelligence for all updates.
