Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Lara WhiteMarcus Evans (UK)Miranda Byrne Hill (UK)By Lara White, Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.

Had the UK Parliament approved the Withdrawal Agreement, it would have become a legally binding international treaty. However, following yesterday’s Parliamentary vote, approval of the Withdrawal Agreement has not been given by the UK Parliament and the UK therefore faces continued uncertainty with regard to its future relations with the EU. The imminent withdrawal date of 29 March 2019 (Withdrawal Date), presents two principal scenarios in the context of data protection:

 1. “No-deal” Brexit: no agreement is reached before the Withdrawal Date

Whilst the UK Government may continue to seek further concessions from the EU over the period to the Withdrawal Date in order to obtain Parliamentary approval (and we set out in the second section of this post, below, what should happen if the current Withdrawal Agreement (or one with similar data protection provisions) is ratified). However, if no alternative proposals can be agreed (including any alternative models, such as the so called “Norway” or “Canada plus” options), the UK will cease to be a member of the EU on the Withdrawal Date and, from that date, the UK’s European Union (Withdrawal) Act 2018 (Withdrawal Act) will apply to transpose directly applicable EU laws into UK law.

This means that the obligations and provisions of the GDPR as they exist at the Withdrawal Date would continue to apply in the UK (alongside the UK’s Data Protection Act 2018). The UK would become a “third country” for the purposes of EU data protection regulation.

The impact on the data protection landscape would be as follows:

  • No UK “adequacy” – EEA to UK transfers: to continue to enable personal data to move from the EU to the UK without additional formalities, the UK would need to be subject to an “adequacy” decision from the EU. This would not be agreed before the Withdrawal Date, and it is entirely uncertain as to how long it will take for one to be given. The lack of an “adequacy” decision would mean that EU Model Clauses would need to be put in place in circumstances where there are transfers of personal data from the EU to UK (either intra-group or between organisations), in order to legitimise the export of personal data from the EU to the UK (unless Binding Corporate Rules or another export mechanism can be put in place);
  • UK to non-EEA/ white list transfers: the UK Government intends to recognise data transfers from the UK to the EEA and to EU Commission-approved adequate countries as being possible without further formalities. It also intends to recognise data transfers under EU Model Clauses and EU-approved Binding Corporate Rules without further formalities.  In order for the EU / US Privacy Shield to apply to data transfers from the UK, all US organisations relying on the Privacy Shield in respect of personal data transfers to the US would need to update their public commitment to comply with the Privacy Shield to include the UK. The US Department of Commerce’s International Trade Administration provides template language for making this public statement. UK data exporters would need to check these changes have been made;
  • Consider location of processing activities: because of the EU’s antipathy to certain processing operations being undertaken outside the EEA in countries without an adequacy finding, pan-European organisations / groups should consider whether heavy/sensitive data processing activities (such as e-disclosure, HR processing or anti-financial crime activities) should be moved into EU-based entities;
  • Additional EU and/or UK representatives for non-EU controllers: non-EU controllers that offer goods or services to data subjects in the EU and the UK would need to consider whether they need to have both EU and UK representatives. UK controllers with no presence in the EU, but which offer goods and services to data subject in the EU, would also need to appoint an EU representative;
  • Multiple Data Protection Authorities: organisations that operate across Europe would no longer be able to use the “one stop shop” and have a lead Data Protection Authority in the UK in relation to cross-EU border activities. Such groups will have to prepare to liaise with both an EU and a UK Data Protection Authority, for example, when reporting personal data breaches that concern/affect individuals in the UK and EU member states; and
  • Two data protection regimes: as the UK would be a “third country”, in theory personal data may be subject to two parallel data protection regimes, where processing is caught under the UK domestic data protection regime (consisting of the GDPR implemented into national law, and the Data Protection Act 2018) and the GDPR as an EU Regulation. Although generally aligned at present, these regimes may diverge over time, giving rise to potential conflicts. The UK would also have no vote or presence on the European Data Protection Board.

 2. A transition period: agreeing a withdrawal agreement before the Withdrawal Date

Following the voting down of the Withdrawal Agreement, the Prime Minister will need to come back to Parliament within three days with a statement on what she proposes to do next. No doubt this will include her continuing to seek further concessions from the EU over the coming weeks and / or softening the UK’s own “red lines” in order to reach an agreement with the EU that the UK Parliament could ratify.

If the Withdrawal Agreement (with or without any revisions) is subsequently ratified by the UK Parliament, the UK will cease to be a member of the EU on the Withdrawal Date but a transition period expected to last until the end of December 2020 (the Transition Period) would commence. During the Transition Period, the parties would attempt to agree the terms of the future relationship between the UK and the EU.

The Withdrawal Agreement provides that, during this Transition Period, EU law continues to apply to the UK, and references to “Member State” in EU law shall be construed as including the UK. This means that transfers from the EEA to the UK could continue for the time being without any further measures being put in place, and gives the UK some time to try and obtain an “adequacy” decision from the European Commission (so that EEA to UK transfers can continue unaffected after the Transition Period too).[1] It also appears to mean that transfers from the UK to non-EEA jurisdictions would remain unaffected, and the expectation from the UK data protection authority and the US Department of Commerce’s International Trade Administration seems to be that the Model Clauses and the Privacy Shield could apply un-amended until the end of the Transition Period.

As to the UK’s participation in the European Data Protection Board, the Withdrawal Agreement provides that the UK would cease to participate in the EU’s decision-making bodies. Therefore, unless a special provision were to be made for the UK’s data protection authority (the ICO), it appears that the ICO would not participate in the European Data Protection Board from the Withdrawal Date. The Withdrawal Agreement also provides that the UK will no longer participate in the “one stop shop” and consistency mechanisms. Instead, as with a no-deal Brexit, organisations would have to prepare to liaise with both a European and UK data protection authority, and revisit assessments they have made about their main establishment and lead authority.

Response priorities

Some UK businesses have worked through the consequences of both a no-deal Brexit and the main establishment / one stop shop impact of the Withdrawal Agreement being ratified before the Withdrawal Date. Many have not, having regard to the difficulty in calling the likelihood of no-deal, Withdrawal Agreement or remain outcomes.

Businesses which are starting contingency planning now should focus, first, on the consequences of the loss of the “one stop shop”, as this will apply in both the no-deal and Withdrawal Agreement scenarios. They should then move on to focus on identifying affected data transfers and suitable export mechanisms, particularly if they think their EU customers will refuse to transfer personal data to them without such a mechanism.

Those businesses either in the UK and outside the EU, or outside both the UK and the EU, should review if they need a new UK or EU representative.

Finally, we would not expect non-compliance enforcement by data protection authorities to be particularly quick following a no-deal Brexit; we would expect most of the pressure to come from EEA counterparties.

[1] The political declaration in the Withdrawal Agreement provides that, during the Transition Period the EU will work towards granting the UK an adequacy decision and to find ways for the UK and EU data protection authorities to cooperate. So ideally the UK will be given an adequacy finding, and some form of cooperation (not likely to be anyway near as extensive as the “one stop shop”) will be implemented before the Transition Period expires. If not, at the end of the Transition Period the position will be much the same as at no-deal Brexit.

 

Client Alert: CA Attorney General’s Office begins rulemaking process with first public hearing while Congress debates new federal privacy law

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will host six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations. Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Kathleen Scott (US)Susan Ross (US)*Tristan Coughlin (US)By Kathleen Scott (US), Susan Ross (US) and *Tristan Coughlin (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions
Data Protection Report - Norton Rose Fulbright

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.

Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018). Continue reading

EDPB clarifies territorial scope of the GDPR

Marcus Evans (UK)Anna Rudawski (US)By Marcus Evans (UK) and Anna Rudawski (US) on Posted in Compliance and risk management, Data breach, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU. Continue reading

New China Guideline for Internet Personal Information Security Protection

Barbara Li (CN)Bohua Yao (CN)By Barbara Li (CN) and Bohua Yao (CN) on Posted in Compliance and risk management, Data breach, Regulatory response

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments. Continue reading

Browsewrap agreements: Are you covered?

Spencer Persson (US)Shirley Kim (US)By Spencer Persson (US) and Shirley Kim (US) on Posted in Dispute resolution and litigation, General
Norton Rose Fulbright - Data Protection Report blog

In a recent decision, a California federal court held that an arbitration provision contained in Viacom, Inc.’s browsewrap agreement was unenforceable and denied Viacom’s request to stay the case pending arbitration.[1] The court’s decision in Rushing v. Viacom, Inc. is consistent with “courts’ traditional reluctance to enforce browsewrap agreements against individual consumers.”[2] Continue reading

Cybersecurity and the SEC

Susan Ross (US)Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, cybercrime
Data Protection Report - Norton Rose Fulbright

The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud. Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

Steven Hadwin (UK)Mya Joel (UK)Marcus Evans (UK)Catrina Smith (UK)Amanda Sanders (UK)By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on Posted in Data breach
Data Protection Report - Norton Rose Fulbright

The Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive. Continue reading

If you don’t know why November 1 is a big day in Canada, read this!

Ryan Berger (CA)By Ryan Berger (CA) on Posted in Compliance and risk management, Data breach

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018.

Here are three measures your organization ought to take in preparation for mandatory breach reporting:

1. Implement internal breach reporting and response protocols.

Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.

It is likely few employees in an organization will know about this requirement, or understand what sort of breach must be reported. Due diligence requires organizations to have a breach reporting procedure in place, and training on it, to ensure information concerning a breach can be handled appropriately. Studies on breaches demonstrate that employees can be the weakest link. Let your employees help you. Also, prompt recognition and escalation of a real issue, and notifying people affected by a breach that their information may have been compromised can be matters of good customer service.

2. Review and update third-party vendor and service provider agreements.

Your organization will be responsible for personal information under its control, which includes information held by your vendors and service providers. Most third-party services agreements do not contemplate the type of breach reporting up the chain from the service provider required to satisfy the lead organization’s breach reporting and record-keeping requirements.

Most organizations rely on their service providers to safeguard and manage sensitive information. Do not let gaps in your agreements result in a breach of notification or record-keeping requirements, or leave any potential for embarrassing reputational risks.

3. Develop a plan for record retention: do not create evidence or waive privilege.

The new regulations require an organization to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred. This requirement is daunting and you may be asking yourself, “What is the extent of the records required?” and, “Are we just preserving evidence for a class action claim?”

The regulations say the records must contain any information that enables the Commissioner to verify compliance with the reporting requirements, particularly referencing the legal issue of whether it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to an individual. The Commissioner’s guidance on this point calls for a general description of the circumstances of the breach and, if a breach is not reported, a brief explanation as to why not.

Keeping the right records can be tricky. As demonstrated in Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, it may be too easy to waive privilege over investigation and forensics reports. You need a plan in place that will address the record-keeping requirements and help maintain privilege over records. Involve your legal counsel in the development of your incident response plans and breach response to ensure you get this right.

If you have questions about whether your organization is subject to PIPEDA and a particular data breach needs to be reported, you can ask Parker, our privacy chatbot.

LexBlog