UK Government guidance on continued EU-UK data flows upon a no deal Brexit

Data Protection Report - Norton Rose Fulbright

On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the UK leaves the EU in March 2019 with no exit agreement in place. If this happens, there would be no immediate change in the UK’s own data protection laws because the Data Protection Act 2018 would remain in place and – more importantly – the UK’s European Union (Withdrawal) Act 2018 would incorporate the GDPR into UK domestic law.

Under the GDPR, organisations are only permitted to transfer personal data outside the EEA if certain conditions are met. The least onerous route for the exporting entity is where the third country to which the proposed transfer is to be made has an adequate data protection regime in place, as assessed by the EU Commission in making an “adequacy decision”.

Once the UK becomes a third country by virtue of Brexit, EU organisations wishing to continue to send personal data to the UK will typically want to rely on such an adequacy decision. Conversely, under UK data protection law (as it currently stands), personal data could continue to flow from the UK to the EEA on the legal basis that EU data protection law is already adequate (in terms of the requirements of UK legislation). The Notice clarifies that this is how the UK government will interpret the export requirements under UK law (although it notes that it will keep this under review).

The European Commission has stated that, if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision, allowing the transfer of personal data to the UK without restrictions.

However, if the European Commission has not made an adequacy decision regarding the UK at the point of Brexit (which is certainly possible in the event of a no-deal Brexit), the Notice suggests that UK businesses wishing to receive personal data from organisations established in the EEA should consider assisting their EEA counterparts in identifying an alternative legal basis for the EEA to UK transfers.

For the majority of UK businesses, the Notice suggests that the most relevant alternative legal basis for transfer to the UK would be the EU standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when included in a contract. The clauses contain contractual obligations on both the recipient of personal data (in this context, a UK business) and the EEA counterpart, and provide for directly enforceable rights for the individuals whose personal data is transferred in certain circumstances.

Our take

Given the inflexible nature of the EU data protection export regime and the time and effort it can take to re-paper data processing or sharing agreements, UK businesses should start to review client, business partner and intra-group agreements with EEA counterparties and consider incorporating EU standard contractual clauses covering data flows from the EEA counterparties to the UK now. These standard contractual clauses should bite should there be a “no deal Brexit” and the UK becomes a third country without an adequacy finding.

Businesses should also consider their contingency positions if personal data is unable to flow as freely from EEA subsidiaries to parent companies or European HQs established in the UK as it does today. For example, initial reviews for e-discovery for US litigation or regulatory disclosure might need to be undertaken in an EEA country rather than in the UK in these circumstances.

The work that businesses have undertaken to understand and map their processing to comply with the GDPR will make identifying impacted personal data operations more straightforward.

For more information on the Notice and the UK government’s guidance, see DCMS advises regarding continued UK-EU data flow upon a no deal Brexit.

California Consumer Privacy Act: Disclosure requirements

This is the Data Protection Report’s fourth blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and/or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Singapore’s new Cybersecurity Act comes into force: Here’s what you need to know

The much-discussed Cybersecurity Act 2018 (Act 9 of 2018) (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018 [1]. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

Norton Rose Fulbright – cyber law firm of the year nomination

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.

California Consumer Privacy Act: GDPR-like definition of personal information

This is the Data Protection Report’s third blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

New law imposes disclosure requirements on software licensors

As a result of the 2019 National Defense Authorization Act, the Secretary of Defense implemented new disclosure obligations on software licensors whose software code has been reviewed or accessed by a foreign government. The Act was signed into law on August 13, 2018 and will significantly impact software licensors who engage with the federal government’s defense agencies relating to “obligations to foreign governments.”

California Consumer Privacy Act blog series: Covered entities

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time.

Overview of Thailand Draft Personal Data Protection Act

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level overview of the recently approved version of the Draft Act.

The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws and in particular the GDPR. We have highlighted some of those key obligations below.

Key definitions

The new law has some key definitions which are similar to data protection laws elsewhere:

  • “Personal data” is broadly defined as information that is able to directly or indirectly identify a living individual.
  • “Data controller” is a person (whether a natural or legal person) who has authority to make decisions on collection, usage or disclosure of Personal Data.
  • “Data processor” is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of the data controller.

Extraterritorial application

The Draft Act regulates both data controllers and data processors, whether or not they are in Thailand, who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens). This means that organizations outside of Thailand may be subject to the Draft Act.

General protections

Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of personal data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction under the law or contract on revoking such consent.

Collection of personal data

Collection of personal data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the data controller. The data controller must inform the data subject of the following, prior to or at the time personal data is collected:

  1. the purpose of the collection;
  2. the personal data to be collected;
  3. to whom the personal data might be disclosed;
  4. contact information of the data controller; and
  5. the rights of the data subject.

This information would usually be provided by way of a collection notice.

Except under limited circumstances prescribed under the Draft Act, personal data must be collected directly from the data subject. Also, the collection of sensitive personal data, such as religious belief, political preference, sexual behaviour or medical records, is prohibited except under limited circumstances prescribed under the Draft Act or ministerial regulation. Examples of the permitted circumstances for collection of sensitive data include where sensitive data is collected to protect or prevent harm to a person’s life, body or health, or to comply with any legal requirement on the data controller.

Cross-border transfer of personal data

Personal data can only be transferred to a country with rigorous data protection measures and in accordance with guidelines to be prescribed by the Personal Data Protection Committee, unless:

  1. the transfer is made pursuant to any applicable law;
  2. consent is obtained from the data subject;
  3. the transfer is in compliance with the contract entered into between the data subject and the data controller;
  4. the transfer is in the interests of a data subject who is incapable of giving consent; or
  5. as otherwise prescribed by ministerial regulation.

Rights of data subject

A data subject is entitled to access his/her own personal data which is held by the data controller, or to request the data controller to disclose the sources of information where such personal data is collected without his/her consent. In the event that the data controller fails to comply with any provision of the Draft Act, a data subject is entitled to request the data controller to delete, destroy, temporarily suspend the use of or anonymize personal data.

Fines and penalties

Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.

Grandfathering provisions

The data controller may continue to use personal data collected prior to the date that the Draft Act comes into force, provided that:

  1. such personal data is only used for the purpose for which it was originally collected; and
  2. a mechanism is made available and publicised by the data controller for the data subject easily to request deletion of his/her personal data.

Next steps

If the Council of State approves the Draft Act, the Draft Act will be forwarded to the Thai Cabinet and subsequently to the National Legislative Assembly for approval before coming into force. No official time frame for this process has been announced, so it is difficult at this stage to anticipate the enactment date of the Draft Act.


The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to reconsider their policies and procedures for handling personal data in accordance with the new law once passed. Fortunately, it seems that the approach taken under the Draft Act is not inconsistent with many major data protection laws around the world, so companies with a robust data protection regime in place may not have to make too many changes to accommodate the new law.

The European Parliament asks for the suspension of the privacy shield

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.

The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.

Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it. However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield, which is due in September.

Further discussions on whether to renegotiate the Privacy Shield are also on the table, since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.
