United Kingdom (UK)

On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”).  The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.”  One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.

Data privacy standards in the UK to remain the same

In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today.  This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law.  The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data).
Continue Reading UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows

As we summarized last fall, the EU Commission published a new Cybersecurity Communication in September that, among other things, sets out proposals for an EU cybersecurity certification framework as part of ‎an EU “Cybersecurity Act” (see our post here and a more detailed summary here).  Just before the
Continue Reading UK Government Consults on EU Cybersecurity Plans

On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data.

The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate from basic rules in the new EU General Data Protection Regulation 2016/679 (the “GDPR”).  For instance, the GDPR allows countries in the EU to modify its rules or introduce additional sanctions where necessary to protect freedom of expression, research, or other public interest objectives.

The Bill would also apply “GDPR-like” rules to data that is not covered by the GDPR (such as data in unstructured paper-based files), implement of the new EU Police and Criminal Justice Data Protection Directive (the “PCJ DPD”), and set down privacy and data security rules for its intelligence agencies.

The Bill will now undergo further debate and amendment, and should hopefully clear both Houses of Parliament in advance of May 25, 2018, when the GDPR will become law in the UK subject to any modifications implemented by the Bill.

This post discusses some of the Bill’s salient points for commercial organizations.
Continue Reading UK Government Publishes New Data Protection Bill

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records.  And in February, A French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision.  The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten.  And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
Continue Reading Developments in the Right to Be Forgotten

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”
Continue Reading UK Starts 3-Week Consultation on GDPR Implementation

On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018.

The public consultation on what is described as “initial thoughts on some key issues” which require “further debate” expires on April 28, 2017.  Stakeholders and the public can review the paper and provide their views on the ICO’s website.  The ICO will then publish a summary of the feedback it receives.  Guidance on profiling is anticipated from the Article 29 Working Party, which has prioritized it for release in 2017.

Profiling under the GDPR is the automated processing of personal data  to evaluate personal aspects of an individual, in particular to analyze or predict professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.  In interpreting this definition, the ICO has asked for feedback on whether stakeholders agree that there must be “a predictive element, or some degree of inference for the processing to be considered profiling.” 
Continue Reading The Information Commissioner’s Office Publishes a Consultation Paper on Profiling and Automated Decision-Making under the GDPR

The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.
Continue Reading UK Company Fined For Buying And Selling Non-Compliant Marketing Databases

On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018.

The ICO is currently engaging in a public consultation on the
Continue Reading UK Information Commissioner’s Office Publishes Draft Guidance on Consent under the GDPR