On January 21, 2019 the French data protection authority (the CNIL) imposed a major fine on the US Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.
On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.
Had the UK Parliament approved the Withdrawal Agreement, it would have become a legally binding international treaty. However, following yesterday’s Parliamentary vote, approval of the Withdrawal Agreement has not been given by the UK Parliament and the UK therefore faces continued uncertainty with regard to its future relations with the EU. The imminent withdrawal date of 29 March 2019 (Withdrawal Date), presents two principal scenarios in the context of data protection:
1. “No-deal” Brexit: no agreement is reached before the Withdrawal Date
Whilst the UK Government may continue to seek further concessions from the EU over the period to the Withdrawal Date in order to obtain Parliamentary approval (and we set out in the second section of this post, below, what should happen if the current Withdrawal Agreement (or one with similar data protection provisions) is ratified). However, if no alternative proposals can be agreed (including any alternative models, such as the so called “Norway” or “Canada plus” options), the UK will cease to be a member of the EU on the Withdrawal Date and, from that date, the UK’s European Union (Withdrawal) Act 2018 (Withdrawal Act) will apply to transpose directly applicable EU laws into UK law.
This means that the obligations and provisions of the GDPR as they exist at the Withdrawal Date would continue to apply in the UK (alongside the UK’s Data Protection Act 2018). The UK would become a “third country” for the purposes of EU data protection regulation.
The impact on the data protection landscape would be as follows:
- No UK “adequacy” – EEA to UK transfers: to continue to enable personal data to move from the EU to the UK without additional formalities, the UK would need to be subject to an “adequacy” decision from the EU. This would not be agreed before the Withdrawal Date, and it is entirely uncertain as to how long it will take for one to be given. The lack of an “adequacy” decision would mean that EU Model Clauses would need to be put in place in circumstances where there are transfers of personal data from the EU to UK (either intra-group or between organisations), in order to legitimise the export of personal data from the EU to the UK (unless Binding Corporate Rules or another export mechanism can be put in place);
- UK to non-EEA/ white list transfers: the UK Government intends to recognise data transfers from the UK to the EEA and to EU Commission-approved adequate countries as being possible without further formalities. It also intends to recognise data transfers under EU Model Clauses and EU-approved Binding Corporate Rules without further formalities. In order for the EU / US Privacy Shield to apply to data transfers from the UK, all US organisations relying on the Privacy Shield in respect of personal data transfers to the US would need to update their public commitment to comply with the Privacy Shield to include the UK. The US Department of Commerce’s International Trade Administration provides template language for making this public statement. UK data exporters would need to check these changes have been made;
- Consider location of processing activities: because of the EU’s antipathy to certain processing operations being undertaken outside the EEA in countries without an adequacy finding, pan-European organisations / groups should consider whether heavy/sensitive data processing activities (such as e-disclosure, HR processing or anti-financial crime activities) should be moved into EU-based entities;
- Additional EU and/or UK representatives for non-EU controllers: non-EU controllers that offer goods or services to data subjects in the EU and the UK would need to consider whether they need to have both EU and UK representatives. UK controllers with no presence in the EU, but which offer goods and services to data subject in the EU, would also need to appoint an EU representative;
- Multiple Data Protection Authorities: organisations that operate across Europe would no longer be able to use the “one stop shop” and have a lead Data Protection Authority in the UK in relation to cross-EU border activities. Such groups will have to prepare to liaise with both an EU and a UK Data Protection Authority, for example, when reporting personal data breaches that concern/affect individuals in the UK and EU member states; and
- Two data protection regimes: as the UK would be a “third country”, in theory personal data may be subject to two parallel data protection regimes, where processing is caught under the UK domestic data protection regime (consisting of the GDPR implemented into national law, and the Data Protection Act 2018) and the GDPR as an EU Regulation. Although generally aligned at present, these regimes may diverge over time, giving rise to potential conflicts. The UK would also have no vote or presence on the European Data Protection Board.
2. A transition period: agreeing a withdrawal agreement before the Withdrawal Date
Following the voting down of the Withdrawal Agreement, the Prime Minister will need to come back to Parliament within three days with a statement on what she proposes to do next. No doubt this will include her continuing to seek further concessions from the EU over the coming weeks and / or softening the UK’s own “red lines” in order to reach an agreement with the EU that the UK Parliament could ratify.
If the Withdrawal Agreement (with or without any revisions) is subsequently ratified by the UK Parliament, the UK will cease to be a member of the EU on the Withdrawal Date but a transition period expected to last until the end of December 2020 (the Transition Period) would commence. During the Transition Period, the parties would attempt to agree the terms of the future relationship between the UK and the EU.
The Withdrawal Agreement provides that, during this Transition Period, EU law continues to apply to the UK, and references to “Member State” in EU law shall be construed as including the UK. This means that transfers from the EEA to the UK could continue for the time being without any further measures being put in place, and gives the UK some time to try and obtain an “adequacy” decision from the European Commission (so that EEA to UK transfers can continue unaffected after the Transition Period too). It also appears to mean that transfers from the UK to non-EEA jurisdictions would remain unaffected, and the expectation from the UK data protection authority and the US Department of Commerce’s International Trade Administration seems to be that the Model Clauses and the Privacy Shield could apply un-amended until the end of the Transition Period.
As to the UK’s participation in the European Data Protection Board, the Withdrawal Agreement provides that the UK would cease to participate in the EU’s decision-making bodies. Therefore, unless a special provision were to be made for the UK’s data protection authority (the ICO), it appears that the ICO would not participate in the European Data Protection Board from the Withdrawal Date. The Withdrawal Agreement also provides that the UK will no longer participate in the “one stop shop” and consistency mechanisms. Instead, as with a no-deal Brexit, organisations would have to prepare to liaise with both a European and UK data protection authority, and revisit assessments they have made about their main establishment and lead authority.
Some UK businesses have worked through the consequences of both a no-deal Brexit and the main establishment / one stop shop impact of the Withdrawal Agreement being ratified before the Withdrawal Date. Many have not, having regard to the difficulty in calling the likelihood of no-deal, Withdrawal Agreement or remain outcomes.
Businesses which are starting contingency planning now should focus, first, on the consequences of the loss of the “one stop shop”, as this will apply in both the no-deal and Withdrawal Agreement scenarios. They should then move on to focus on identifying affected data transfers and suitable export mechanisms, particularly if they think their EU customers will refuse to transfer personal data to them without such a mechanism.
Those businesses either in the UK and outside the EU, or outside both the UK and the EU, should review if they need a new UK or EU representative.
Finally, we would not expect non-compliance enforcement by data protection authorities to be particularly quick following a no-deal Brexit; we would expect most of the pressure to come from EEA counterparties.
 The political declaration in the Withdrawal Agreement provides that, during the Transition Period the EU will work towards granting the UK an adequacy decision and to find ways for the UK and EU data protection authorities to cooperate. So ideally the UK will be given an adequacy finding, and some form of cooperation (not likely to be anyway near as extensive as the “one stop shop”) will be implemented before the Transition Period expires. If not, at the end of the Transition Period the position will be much the same as at no-deal Brexit.
The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will host six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations. Continue reading
The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018). Continue reading
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU. Continue reading
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments. Continue reading
In a recent decision, a California federal court held that an arbitration provision contained in Viacom, Inc.’s browsewrap agreement was unenforceable and denied Viacom’s request to stay the case pending arbitration. The court’s decision in Rushing v. Viacom, Inc. is consistent with “courts’ traditional reluctance to enforce browsewrap agreements against individual consumers.” Continue reading
The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud. Continue reading
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive. Continue reading