August 8, 2016

Global Data & Privacy Update - August 2016

Welcome to the August Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

EU-US data transfers – Privacy Shield adopted

On 12 July 2016, the European Commission adopted the replacement to the Safe Harbor scheme, known as the EU-US Privacy Shield. US organisations will be able to self-certify from 1 August 2016. To be eligible to sign up, an organisation needs to be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT). This means most financial institutions (including insurers) and telecommunication service providers are ineligible.

An organisation wishing to self-certify is required to make certain privacy information publicly available, including a privacy policy, contact details for handling complaints and subject access requests and details of the independent redress mechanism. The US Department of Commerce has launched a website dedicated to providing individuals and organisations with information regarding the EU-US Privacy Shield.

The Article 29 Working Party (WP29), the independent advisory body made up of representatives from all the EU data protection authorities, has welcomed the improvements made to the final version of the EU-US Privacy Shield, but has also highlighted a number of concerns that remain with the final version. Such concerns relate to the commercial aspects of the EU-US Privacy Shield and the lack of commitment from US authorities that the practice of massive and indiscriminate bulk collection of data does not take place. Isabelle Falque-Pierrotin, the Chairwoman of WP29, announced that the WP29 will not challenge the adequacy of the EU-US Privacy Shield until the first annual joint review of the EU-US Privacy Shield by the European Commission and the US Department of Commerce has been completed. Max Schrems, the instigator behind the fall of the Safe Harbor scheme, suggested that the lack of challenge by the WP29 was disappointing and commented that it was "sad to see how the [WP29] is about diplomacy politics [rather] than precise legal analysis and enforcement".

The adoption of the EU-US Privacy Shield should be welcomed by organisations as it restores a self-certification EU-US data transfer mechanism. However, the validity of the EU-US Privacy Shield is likely to be challenged in the courts, perhaps even by Max Schrems, since many observers do not feel it has gone far enough in addressing the issues that led to the invalidation of the Safe Harbor scheme.

Whilst organisations may wish to use alternative transfer mechanisms, these are not without disadvantages. For example, model contract clauses are a heavy administrative burden and are currently subject to challenge by Max Schrems on grounds similar to those which resulted in the Safe Harbor scheme being held to be invalid.

Google v Vidal-Hall – opening the floodgates for class actions and payments for distress

We understand that Google, Inc. has withdrawn its appeal to the UK Supreme Court in the case of Google v Vidal-Hall, which may have wide implications in respect of class actions and nominal sums being awarded against organisations that are found to be in breach of data protection law.

The facts of the case relate to Google's use of cookies in the Safari web browser to track the claimants' privacy information without their knowledge and consent. The claimants argued that Google's actions amounted to a misuse of their privacy information and Google had therefore breached its statutory duties under the Data Protection Act 1998 (DPA), which had caused them distress (although no financial loss) for which they should be compensated. In July 2015, the Court of Appeal upheld the judgment of the High Court, which classified the cause of action as a tort. The Court of Appeal also concluded that section 13(2) DPA is incompatible with human rights laws and should be struck out.

With Google not pursuing its appeal, the Court of Appeal's judgment remains authoritative, which means claimants are no longer required to demonstrate financial loss in order to claim compensation for an organisation's breach of data protection law. This may result in class actions for nominal sums for distress caused by a privacy intrusion becoming the norm.

Cybersecurity reforms in force from 9 May 2018

Following the European Parliament's approval and its publication in the Official Journal, EU member states must implement the Network Information and Security Directive (NIS Directive) into national legislation by 9 May 2018.

The new rules will place cybersecurity obligations on the following organisations:

  • Operators of essential services – this includes critical sectors such as energy, transport, health and finance; and
  • Digital service providers – this includes online marketplaces, search engines and cloud services.


FCA guidance on outsourcing to cloud and IT service providers

On 7 July 2016, the Financial Conduct Authority (FCA) published its finalised guidance on outsourcing to the cloud and other third party IT services. Organisations regulated by the FCA should consider the guidance as part of planning their IT strategy.

Outsourcing to the cloud encompasses a wide range of services including private, public and hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The non-binding guidance applies to the entire lifecycle of the outsourcing arrangement, including the decision to outsource, choosing a service provider and monitoring that provider. Some of the key requirements include:

  • having a clear and documented business case or rationale if using a service provider(s) for critical or important operational functions or material outsourcing;
  • carrying out a risk assessment to identify risks and steps to mitigate them;
  • providing oversight by defining clear responsibility and accountability between the organisation and the service provider(s);
  • agreeing a 'data residency policy' with the service provider(s) that sets out the jurisdictions where the organisation's data can be stored, processed and managed; and
  • understanding the service provider(s)' data security processes, including data loss and breach notification.

In addition to the guidance, organisations regulated by the FCA should take account of the general outsourcing requirements outlined in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) and other specific requirements that may apply to them based on the nature of their business.

Separately, the ICO is responsible for data protection enforcement in respect of outsourcing to the cloud. Any UK organisation, whether or not it is regulated by the FCA, should consider the ICO's cloud guidance, which was published in 2012.
