Contributed By Sidley Austin LLP
The EU General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018 and regulates the collection and processing of the personal data of individuals in the EU. It does so by imposing obligations on controllers (ie, organisations that determine the means and purposes of processing) and on processors (which process personal data on behalf of a controller) whenever they process the personal data of EU individuals.
As a directly applicable Regulation, the legal obligations contained in the GDPR have direct effect in the UK without any national implementing measures. However, the GDPR contains a number of provisions that give EU Member States discretion to introduce specific derogations in Member State law governing how certain provisions of the GDPR will apply.
The UK has introduced specific derogations in UK law through the UK Data Protection Act 2018 (‘DPA 2018’). The DPA 2018 repealed the UK Data Protection Act 1998, which had implemented the EU Data Protection Directive 95/46/EC into UK law. The DPA 2018 supplements the adoption of the GDPR into UK law by dealing with UK derogations and the transposition of the Law Enforcement Directive 2016/680, as well as implementing national security provisions and setting out the powers and duties of the national data supervisory authority, the UK’s Information Commissioner’s Office (ICO).
In light of the UK’s scheduled departure from the EU on 29 March 2019 (‘Brexit’), the UK government has introduced the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (‘Draft Regulations’), which make amendments to the DPA 2018 to ensure UK data protection law functions effectively post-Brexit. For example, the Draft Regulations replace references to EU Member States and EU institutions, practices and procedures that will no longer be directly relevant to UK data protection law post-Brexit, with UK equivalents. In addition, references to the GDPR have been amended to refer to the UK GDPR and references to the ICO’s obligations to co-operate with other Member State data supervisory authorities have been revoked under the Draft Regulations.
The Draft Regulations also maintain the extra-territorial application of the GDPR for the UK. As such, controllers and processors established outside of the UK who are processing the personal data of individuals in the UK for the purposes of providing goods or services to, or monitoring the behaviour of, individuals in the UK will be subject to the UK GDPR.
The Draft Regulations also require organisations outside the UK that are subject to the UK GDPR by virtue of its extra-territorial application to appoint a data protection representative in the UK (ie, in line with Article 27 of the GDPR). In the event of a ‘no deal’ Brexit (see Section 1.3 for further information), the requirement to appoint a UK data protection representative would extend to companies in the EU.
The European Commission, European Council and European Parliament are currently in negotiations on the replacement of the e-Privacy Directive with the e-Privacy Regulation. The e-Privacy Regulation, which will complement the GDPR and have direct effect in Member States, aims to reinforce trust and security in the digital single market by updating the legal framework on e-Privacy and provides additional sector-specific rules including in relation to online marketing and the use of website cookies. However, the e-Privacy Regulation is not expected to come into force until late 2021 at the earliest, by which point the UK will no longer be an EU Member State, should Brexit occur.
The UK’s Freedom of Information Act 2000 (FOIA) creates a public ‘right of access’ to information held by public authorities. The full provisions of the FOIA came into force on 1 January 2005 alongside the Environmental Information Regulations 2004, a UK statutory instrument (SI 2004 No 3391) that provides a statutory right of access to environmental information held by UK public authorities.
The UK’s national data supervisory authority is the ICO, headed by the Information Commissioner. The ICO is a non-governmental public body that reports directly to the UK Parliament and is sponsored by the UK government’s Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office dealing with the DPA 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the FOIA and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.
The ICO has several enforcement powers under the DPA 2018 in the UK, including, inter alia, the power to issue the following:
As the DPA 2018 came into effect on 23 May 2018, any information notices issued by the ICO to commence possible investigations, and any assessment or enforcement notices, served before 23 May 2018 (and therefore under the Data Protection Act 1998) continue to have effect under the DPA 2018.
In a speech at the data protection practitioners’ conference on 9 April 2018, the Information Commissioner, Elizabeth Denham, stated that “enforcement is a last resort” and that she has “no intention of changing the ICO’s proportionate and pragmatic approach after the 25th of May.” She added: “Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law,” and that “those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.” See 1.4 Key Developments for further information on the fines issued by the ICO.
In addition, the ICO is responsible for promoting public awareness and in particular raising awareness amongst controllers and processors of their obligations under the GDPR and DPA 2018. The ICO has published extensive guidance on complying with the GDPR, and an overview of the DPA 2018.
On 23 June 2016, the UK voted in a referendum to leave the European Union by 51.9% to 48.1%. On 29 March 2017, the UK Government invoked Article 50 of the Treaty on European Union (TEU), which triggered a two-year withdrawal process from the EU, with the UK scheduled to depart the EU on 29 March 2019.
On 26 June 2018, the European Union (Withdrawal) Act 2018 was given royal assent and officially became law, repealing the European Communities Act 1972, the Act that provided the legal basis for the UK’s accession to the then European Community.
On 15 January 2019, the UK Parliament rejected the draft Withdrawal Agreement, negotiated by Britain’s Prime Minister Theresa May and the EU, by 432 votes to 202. Under the terms of the Withdrawal Agreement, the UK would have remained a member of the EU until 31 December 2020 (ie, the transitional period).
As it currently stands, the UK Government is in negotiations with the EU to try to secure further amendments to the Withdrawal Agreement, in order to gain approval from the UK Parliament in a second vote.
In the event of a ‘no deal,’ a valid international data transfer solution will need to be put in place in order to legitimise transfers of personal data from the EU to the UK (eg, European Commission approved standard contractual clauses or ‘model contracts’). In the long term, the UK is hoping for an adequacy decision from the European Commission to permit the free flow of personal data from the EU to the UK, post-Brexit. However, the UK is unlikely to be prioritised in this regard in the event of a no deal. Importantly, the UK Government has confirmed that no restrictions will be put in place for the transfer of personal data from the UK to the EU.
As of February 2019, the ICO had published one enforcement action under the DPA 2018, which was against a global data services company. The ICO imposed a total ban on its processing of personal data due to its failure to comply with the data protection principles under the DPA 2018.
The ICO has also continued to take other enforcement action under the previous Data Protection Act 1998, due to the timing of the relevant breach and the legislation in place at the time, including, inter alia:
On 11 April 2018, the UK government passed the UK Data Protection (Charges and Information) Regulations 2018, which require controllers to pay a fee to the ICO, subject to tiered criteria. Importantly, the ICO, in November 2018, started issuing fines against organisations in the finance, business, construction, health, childcare and manufacturing sectors for failing to pay the fee.
The ICO, in its draft regulatory action policy, has set out the practical and policy approach it will take towards discharging its role as the UK’s data supervisory authority. In the draft policy, the Information Commissioner states that the approach her office adopts is to “always try to select the most suitable regulatory tool by assessing the nature and seriousness of a failure, the sensitivity of the subject matter, whether and how individuals are affected, the novelty and duration of the concerns, the public interest, and whether other regulatory authorities are already taking action on the matter.” The draft policy is currently subject to consultation with the UK Parliament and is not expected to be approved before spring 2019.
The ICO recognises that “privacy and innovation go hand in hand” and has established a ‘regulatory sandbox’ that will enable organisations to beta-test new initiatives, support innovative digital products and services, whilst ensuring the appropriate safeguards continue to remain in place. The ICO intends to open applications in April 2019.
Data Protection Officers
The appointment of a data protection officer (DPO) in the private sector is required where an organisation’s core activities (ie, the primary business activities of an organisation) involve:
The ICO states in its guidance on the appointment of DPOs that, regardless of whether the GDPR requires an organisation to appoint a DPO, the organisation must ensure that it has sufficient staff and resources to discharge its obligations under the GDPR, and that a DPO can be seen to play a key role in an organisation’s data protection governance structure and help improve accountability. The guidance further advises that, should an organisation decide that it does not need to appoint a DPO, it is recommended that this decision be recorded in order to help demonstrate compliance with the accountability principle.
The GDPR requires an organisation to publish the contact details of the DPO and to communicate such details to the ICO. To notify the ICO, organisations should send an email to email@example.com, with the subject line ‘Add a DPO.’ The email should include:
Application of “Privacy by Design” or “by Default”
Data protection by design and by default requires controllers to put appropriate technical and organisational measures in place to implement the data protection principles and safeguard individual rights. Although not a new concept, it was historically viewed as ‘good practice’ under the previous Data Protection Act 1998. The GDPR has now made this a legal requirement, essentially requiring controllers to consider data protection and privacy issues at the outset, and by default process the minimum amount of personal data necessary to achieve the specific purpose (ie, data minimisation).
Data Protection by Design
In its guidance on data protection by design and by default, the ICO states that data protection by design is about adopting an organisation-wide approach to data protection, and ‘baking in’ privacy considerations into any processing activity undertaken. Indeed, in considering whether or not to impose a penalty, the ICO has advised that it will take into account the technical and organisational measures a controller has put in place in respect of data protection by design.
Data Protection by Default
Practically, the ICO recognises in its guidance that controllers will need to process personal data in order to achieve their purposes. However, ‘privacy by default’ requires the controller to inform individuals appropriately prior to processing and only process the personal data needed for the specified purposes. The ICO acknowledges that what actions are required to be taken will depend on the circumstances of the processing and the risks posed to individuals.
In its guidance, the ICO encourages controllers to develop a set of practical, actionable guidelines for use within their organisation, framed by the controller’s assessment of the risks posed and the measures available to it. The ICO suggests that these guidelines could be based on the seven foundational principles of privacy by design, as developed by the Information Commissioner of Ontario.
Data Protection Impact Assessments (DPIAs)
Controllers are under an obligation to carry out a DPIA where the processing is likely to result in a high risk to individuals. Processors are required under Article 28 of the GDPR to provide assistance to the controller in carrying out a DPIA. Whilst the GDPR provides three specific examples where a DPIA should be carried out, the ICO in its updated guidance on DPIAs states that it is also good practice to perform a DPIA for any other major project that requires the processing of personal data. The ICO has also published a DPIA screening checklist, which sets out instances where a DPIA should always be carried out (eg, processing special categories of personal data or criminal offence data on a large scale, or processing personal data without providing a privacy notice directly to the individual) and instances where a DPIA should be considered (eg, processing on a large scale, or using innovative technological or organisational solutions). The updated guidance also recommends that, where a controller decides not to carry out a DPIA, the reasons for this decision are documented.
Privacy Policies and Notices
The implementation of internal privacy policies may assist organisations in meeting the principle of accountability as required under Article 5(2) of the GDPR, as well as the requirement under Article 24(2) of the GDPR to implement appropriate data protection policies where this is proportionate in relation to the processing activities.
Individuals have a right to be informed about the collection and use of their personal data. The information to be provided is set out in Articles 13 and 14 of the GDPR. Where personal data is collected directly from the individual, this transparency information must be provided at the time the personal data is collected. Where personal data is collected from another source, the transparency information must be provided within a reasonable period of time, no longer than one month. The ICO has published detailed guidance on the right to be informed, which requires the transparency information to be reviewed regularly and, where necessary, updated.
The DPA 2018 includes a number of exemptions from the requirement to provide information as required under Articles 13 and 14 of the GDPR, in addition to those provided for in the GDPR. These exemptions are set out in Schedule 2 of the DPA 2018 and include:
Data Subject Rights
The GDPR affords individuals certain rights under the GDPR, in relation to their personal data, which include:
(i) the right to be informed (see above);
(ii) the right of access;
(iii) the right to rectification;
(iv) the right to erasure;
(v) the right to restrict processing;
(vi) the right to data portability;
(vii) the right to object; and
(viii) rights in relation to automated decision-making and profiling.
The ICO has published guidance on each of the rights.
Right of Access
Individuals have a right to receive confirmation of whether the controller is processing personal data concerning them, receive a copy of the personal data, and receive certain supplemental information.
Right to Rectification
Individuals have a right to obtain rectification of inaccurate personal data concerning themselves. An individual also has the right to have incomplete personal data completed, including by means of providing a supplementary statement. The DPA 2018 defines ‘inaccurate’ as “incorrect or misleading as to any manner of fact.”
Right of Erasure
Individuals have a right to have their personal data erased without undue delay in certain circumstances (eg, where the personal data is no longer needed for the purpose for which it was collected or processed).
Right of Restriction
Individuals have the right to restrict the processing of their personal data in certain circumstances (eg, where the business no longer needs the personal data for the purposes of the processing but the individual requires it for the establishment, exercise or defence of legal claims).
Right to Data Portability
Where an individual has provided their personal data to the controller, the right to data portability allows the individual to receive that personal data in a structured, commonly used and machine-readable format, and to have the controller transmit it to another controller. The right applies only where the controller processes the personal data on the basis of consent, or because the processing is necessary for the performance of a contract with the individual, and where the processing is carried out by automated means (ie, performed by a computer).
Right to Object
Individuals have the right to object to:
Although the DPA 2018 does not afford individuals additional rights over and above those in the GDPR, it does include a number of exemptions that disapply the data subject rights identified in (i) to (vii) above, in certain circumstances. These include, for example:
The DPA 2018 includes a further exemption from the requirement to comply with a subject access request (ie, Article 15 of the GDPR) where doing so would involve disclosing information relating to another individual who can be identified from that information. However, this exemption does not apply where the other party has consented to the disclosure, or if it is reasonable to disclose the personal data without the consent, having regard to all the relevant circumstances.
A controller is also exempt from requirements to comply with a subject access request in, for example:
The DPA 2018 makes it a criminal offence – in certain circumstances and in relation to certain information – to require an individual to make a subject access request.
The GDPR requires a controller to respond to a request without undue delay, and within one month. This time-period can be extended by a further two months if the request is complex or if the controller has received a number of requests from the individual. However, guidance published by the ICO states that, in its view, it is unlikely to be reasonable to extend the time-limit if the request is manifestly unfounded or excessive, if an exemption applies, or if the controller is requesting proof of ID.
Anonymisation, De-Identification, Pseudonymisation
The DPA 2018 does not apply to anonymous data (ie, information that does not relate to an identified or identifiable individual). When assessing whether an individual is identifiable, guidance published by the ICO states that the information processed together with all the means reasonably likely to be used by either the controller or any other person to identify that individual should be considered. The ICO also acknowledges that it is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
The DPA 2018 does apply to pseudonymised data (ie, data from which direct identifiers have been separated so that the individual cannot be identified without the use of additional information). The ICO acknowledges that pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals.
The GDPR distinguishes between personal data and a narrower special category of personal data (or sensitive data). Special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning an individual’s sex life or sexual orientation.
In order to process special categories of personal data lawfully, controllers must identify a legal ground under Article 6 of the GDPR and a condition under Article 9 of the GDPR. The DPA 2018 includes certain conditions in relation to employment, health and research, which are:
Part 2 of Schedule 1 of the DPA 2018 includes 23 conditions in relation to processing that are necessary for reasons of substantial public interest, including inter alia:
Criminal records and offences data is not included within the scope of special categories of personal data. The DPA 2018 states that references in the GDPR to criminal records and offences data include personal data relating to the alleged commission of offences by the individual, or proceedings for an offence committed or alleged to have been committed by the individual.
In order to process criminal records and offences data lawfully, controllers must identify a legal ground under Article 6 of the GDPR, and carry out the processing under the control of the official authority or have legal authority for the processing under Article 10 of the GDPR. Where the processing of criminal records and offences data is not carried out under the control of the official authority, such processing is authorised by UK law for the purposes of Article 10 only if the processing meets a condition in Part 1, 2 or 3 of Schedule 1 of the DPA 2018.
Part 3 of Schedule 1 of the DPA 2018 sets out a number of conditions for the processing of criminal records and offences data, including, inter alia, those that relate to:
Part 3 also permits a controller to rely on a Part 2 condition, and the requirement that the processing be in the substantial public interest can be disapplied.
Where processing sensitive data in reliance on a condition under the DPA 2018, the controller will need to have an ‘appropriate policy document’ in place that explains the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR, and explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the DPA 2018 condition.
Data concerning health falls within the scope of sensitive data under Article 9 of the GDPR. The GDPR defines ‘data concerning health’ as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
Article 9(2)(j) of the GDPR sets out the legal ground where the processing is necessary for scientific research purposes. To rely on this legal ground, the processing must comply with Article 89(1) of the GDPR, which requires the processing be subject to appropriate safeguards, in particular to comply with the principle of data minimisation. The DPA 2018 states that the processing will not meet these requirements where it is likely to cause substantial damage or distress to an individual, or where the processing is carried out to support measures or decisions relating to a particular individual, unless this includes the purposes of approved medical research.
The DPA 2018 includes exemptions from data subject rights for data concerning health where:
The DPA 2018 also includes an exemption from the subject access right to health data where the disclosure would likely cause serious harm to the physical or mental health of the individual or another person.
The DPA 2018 states that where a controller is relying on consent as the legal ground for processing personal data when offering an information society service directly to a child, only children aged 13 years or over are able to provide their own consent. Where a child is under 13 years, the processing will only be lawful where consent is given or authorised by a parent or guardian, unless the information society service is an online preventive or counselling service.
The DPA 2018 requires the ICO to prepare an age-appropriate design code for information society services that are likely to be accessed by children. The ICO has also published detailed guidance on children and the GDPR, which includes guidance on direct marketing to children, the profiling of children and the sharing of children’s data.
The DPA 2018 defines direct marketing as the communication (by whatever means) of advertising or marketing material directed to particular individuals. Where direct marketing involves the processing of personal data – for example, where the organisation knows the name of the individual it is contacting – the sender must comply with the GDPR and the DPA 2018 in its treatment of that personal data.
Individuals are given a right to object to their personal data being processed for direct marketing purposes. This is an absolute right and an individual can request an organisation to stop processing their personal data at any time. In its guidance on direct marketing, updated in March 2018 in the context of the GDPR, the ICO recommends that it is good practice to acknowledge the request and confirm that the marketing will stop. The ICO guidance expects that any communications should stop within 28 days of receiving the objection (with two months allowed for postal communications). However, if an organisation can reasonably stop direct marketing communications sooner, then it should do so.
The ICO has also created a direct marketing checklist that enables organisations to check if their marketing messages comply with the law, and is currently developing a Direct Marketing Code of Practice as mandated by the DPA 2018, which will replace and update the current guidance.
In addition to compliance with the GDPR and the DPA 2018, organisations that conduct electronic direct marketing will also need to comply with the PECR. Although the PECR has not yet been updated following the coming into force of the GDPR, organisations will still be required, for example, to use the new standard of GDPR consent when complying with the PECR. Under the GDPR, consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes, in order to be valid.
Special Categories of Personal Data
The processing of special categories of personal data for employment law purposes is permitted under the DPA 2018 where the controller meets the condition as set out in Part 1 of Schedule 1 of the DPA 2018, which requires that:
The DPA 2018 does not specifically address employee monitoring. However, the ICO’s guidance on DPIAs states that a controller should carefully consider carrying out a DPIA for processing that involves the monitoring of vulnerable individuals, which includes employee monitoring.
The ICO has also published its Employment Practices Code and Supplementary Guidance (the ‘Code’), which addresses monitoring at work and covers employers’ monitoring of employees’ use of telephones, internet, email systems and vehicles. However, the Code was prepared under the previous Data Protection Act 1998 and has not yet been updated to reflect the position under the GDPR and DPA 2018.
Whistle-blower Hotlines and Anonymous Reporting
The DPA 2018 does not specifically address the use of whistle-blowing hotlines (ie, where employees and other individuals can report misconduct or wrongdoing via a hotline), nor does it offer specific legislative protection for whistle-blowing. However, controllers using whistle-blower hotlines in the UK will need to comply with the data protection principles under the GDPR and the DPA 2018.
The ICO has not published any general guidance on the use of whistle-blowing hotlines but has published guidance on protection for whistle-blowers who disclose information to the ICO about concerns that their employer may be contravening requirements of legislation relating to data protection and freedom of information.
Anonymous reporting is not strictly prohibited in the UK and there is no specific obligation under the DPA 2018 to keep the identity of the accused confidential.
As referred to above, the DPA 2018 provides the ICO with various enforcement powers, including the ability to issue, in sequence, information notices, assessment notices, a notice of intent, enforcement notices and penalty notices to controllers or processors that it considers to have breached the data protection legislation.
As under the GDPR, the DPA 2018 provides two levels of financial penalties. The higher maximum amount is EUR20 million or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher, and the standard maximum amount is EUR10 million or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher. The level of penalty imposed will depend on the context of the breach, and the DPA 2018 provides a number of factors that must be taken into account by the ICO when determining the penalty level within the two bands.
The ICO is required to produce guidance on its enforcement powers under the DPA 2018.
The GDPR and the DPA 2018 also provide individuals with the right to lodge a complaint with the ICO if they consider that there has been an infringement of the GDPR, in connection with personal data relating to them.
Where the ICO receives a complaint, the DPA 2018 requires that the ICO:
A number of laws relating to law enforcement access to data are applicable in the UK, but the following focuses on the application of the Law Enforcement Directive 2016/680.
Law Enforcement Directive and DPA 2018: Key Principles
The transposition of the Law Enforcement Directive into UK law, via the DPA 2018, introduced further requirements to comply with the data protection principles when processing personal data for law enforcement purposes.
Under the DPA 2018, processing for law enforcement purposes in the UK is only lawful if it is based on law and if either the data subject has given consent to the processing of his or her personal data for that purpose, or the processing of the personal data is necessary for the performance of a task carried out for law enforcement purposes by a competent authority. Competent authorities include the UK government, a UK police authority, the UK’s Revenue and Customs, the Director General of the National Crime Agency, the Director of the Serious Fraud Office, the Financial Conduct Authority, a court or tribunal, and the ICO.
Additionally, the DPA 2018 requires controllers to comply with the principle of collecting personal data for specified, explicit and legitimate purposes when processing personal data for law enforcement purposes.
In accordance with the accuracy data protection principle, where personal data is being processed for law enforcement purposes in the UK, the controller must take every reasonable step to ensure that inaccurate personal data is erased or rectified without delay, having regard to the law enforcement purposes for which it is processed. When processing personal data for UK law enforcement purposes, controllers must also ensure:
Moreover, controllers must take all reasonable steps to ensure that personal data that is inaccurate, incomplete or no longer up to date is not transmitted or made available for any law enforcement purpose.
The DPA 2018 also imposes a requirement for appropriate time-limits to be established for the periodic review of the need for the continued storage of personal data for law enforcement purposes.
Law Enforcement Directive and DPA 2018: Transfers of Data Outside of the EEA
The DPA 2018 also introduces further derogations for the transfer of personal data from the UK to a country outside of the EEA, where the transfer:
The GDPR prohibits the transfer of personal data outside of the EEA to third countries, unless:
Such safeguards and derogations are not considered in detail here, but a salient point from a UK perspective is that under the Data Protection Act 1998, controllers were allowed to determine for themselves that their transfers of personal data outside of the EEA were adequately protected. The DPA 2018 does not contain such a provision. However, the GDPR contains a more limited version of the Data Protection Act 1998 self-determination provision, and allows transfers:
The DPA 2018 also introduces a derogation where the transfer is a necessary and proportionate measure for the purposes of the controller’s statutory function.
In addition, see 1.3 Multilateral and Subnational Issues regarding the UK’s proposals in relation to data transfers following Brexit.
In general, controllers may provide personal data in relation to non-EEA civil discovery requests, if:
Article 48 of the GDPR
Article 48 allows the transfer of personal data from the EU to a third country on the basis of a judgment of a court or tribunal or any decision of an administrative authority of the third country, where the transfer is based on (for example) a mutual legal assistance treaty (MLAT) between the requesting third country and the EU member state concerned. Importantly, Article 48 acknowledges that a transfer is also permissible if a safeguard or a derogation applies. As MLATs between EU Member States and third countries are not widespread, controllers can rely on the exemptions referred to above or the specific derogations below, as Article 48’s applicability is without prejudice to other grounds of transfer.
Interestingly, the UK has sought an opt-out from the restrictions contained in Article 48 – that is, the UK does not want to be restricted in terms of foreign law data access rights by the restrictions contained in Article 48. In particular, the UK has sought to rely on Article 3 of Protocol 21 to the Treaty on the Functioning of the European Union to attempt to secure this opt-out. However, it is not clear whether the UK has successfully opted out of this protocol. In addition, it is not clear how this opt-out would work in practice; for example, could an organisation in Germany circumvent the requirements in Article 48 by first transferring the data to the UK before transferring it outside the EEA? In any event, as noted above, Article 48 itself acknowledges that transfers (that do not satisfy the requirements of Article 48) may nonetheless occur if another legal safeguard or derogation set out in the GDPR applies.
Data Protection Safeguards
The most commonly used safeguard is the set of European Commission-approved model contracts for data transfers, as these may be entered into with (for example) e-discovery vendors and document review providers.
The most relevant derogations are that the transfer is:
• necessary for important reasons of public interest – for example, the transfer is needed to prevent money laundering or for purposes of public health;
Big Data analytics
The ICO issued guidance regarding Big Data in July 2014, and revised this in 2017. This guidance covers a broad range of topics including anonymisation, privacy impact assessments, repurposing data, data minimisation, transparency and subject access.
Key points raised in the ICO’s guidance include:
• the ICO recommends performing data protection impact assessments (DPIAs). If particular issues are identified through such an assessment, the controller is then able to identify and implement measures to address them and protect individuals’ privacy;
• the ICO identified quality and reliability of data as a potential issue for Big Data analytics. These issues arise in particular because the frequency of data processing increases the risk of inaccuracies where the data has been partially de-identified or anonymised and cannot be easily reconnected with the original data subject. As a result of such inaccuracies, data subjects may be subjected to inaccurate profiling, discrimination, or other forms of prejudice;
• the ICO recommends conducting a compatibility analysis in order to determine whether the purpose limitation principle has been satisfied. In particular, the purpose limitation principle may be a barrier to the development of Big Data analytics, as many secondary uses may not have been considered when the data was first collected. Controllers may also wish to consider whether the ‘research’ exemption is available;
The key data security obligations under UK law are provided in:
Only the NIS Regulations are considered here, as they represent the most significant recent change in UK data security laws (outside of the GDPR and the DPA 2018).
Organisations Subject to the NIS Regulations
The UK government implemented the Network and Information Systems Directive (NIS Directive) into national law in the form of the NIS Regulations, which came into force on 10 May 2018. The NIS Regulations (like the NIS Directive) impose security and incident obligations on operators of essential services (OESs) – ie, energy, transport, digital infrastructure, the health sector and drinking water supply and distribution services. While the UK was permitted (under the NIS Directive) to designate organisations as OESs within the banking and financial markets infrastructure sectors, the UK elected (in the NIS Regulations) not to do so. In order to be considered an OES, an organisation must provide an essential service of a kind identified in Schedule 2 of the NIS Regulations, that service must rely on network and information systems, and the organisation must meet specific threshold requirements.
The NIS Regulations also impose security obligations on relevant digital service providers (DSPs) – ie, online marketplace providers, online search engines and cloud computing service providers. An organisation may be a DSP if:
Key Features of the NIS Regulations
The NIS Regulations:
i) preparing and publishing guidance for OESs and DSPs;
ii) receiving incident reports;
iii) conducting incident investigations; and
iv) enforcing the NIS Regulations.
The NIS Regulations also impose a tiered system of fines in proportion to the impact of the security incident, with a maximum fine of GBP 17 million, imposed where a competent authority decides the incident has caused or could cause an immediate threat to life or a significantly adverse impact on the UK economy. Competent authorities (CAs) are also vested with a number of enforcement-related powers under the NIS Regulations.
In general, OESs and DSPs must take appropriate and proportionate technical and organisational measures to:
Data-breach notification obligations under the GDPR, the DPA 2018 and the NIS Regulations are considered below; there may be additional sector-specific data-breach notification obligations such as for organisations that are regulated by the UK Financial Conduct Authority (FCA).
GDPR and DPA
Controllers have an obligation to report personal data breaches to the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Controllers are also required to inform the data subject where such a breach is likely to result in a high risk to their rights and freedoms.
When a personal data breach is reported to the ICO, the GDPR requires the following information to be provided:
Where controllers do not have all of the required information, the ICO requires them to notify the breach as soon as they become aware of it and to state that further information will be submitted as soon as possible. If full details cannot be provided within 72 hours, the controller should explain the reasons for the delay to the ICO and indicate when the further information is expected.
The ICO provides an online form for reporting personal data breaches and has also published guidance on reporting a personal data breach.
An OES must notify its designated CA about any incident that has a significant impact on the continuity of the essential service provided by the OES. The NIS Regulations set thresholds in relation to determining whether notice must be provided by OESs. If such a notice must be given, it should be given ‘without undue delay’ and in any event within 72 hours.
A DSP must notify the ICO (its CA) about any security incident that has a substantial impact on the provision of specified digital services. The NIS Regulations set out thresholds in relation to determining whether notice must be provided by DSPs. If such a notice must be given, it should be given ‘without undue delay’ and in any event within 72 hours.
In certain circumstances, the relevant CA is required to share information regarding the incident with the computer security incident response team (CSIRT). The CA may also notify the public itself, or direct the relevant OES or DSP to do so.