We previously reported on Brexit's impact on data protection here and here.
Shortly before Christmas, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 ("Exit Regulations", available here) were laid before Parliament. In this blog, we outline the changes under the Exit Regulations and consider what impact they will have if Brexit leaves the UK in a no-deal scenario.
Preparing for a no-deal Brexit
As a brief reminder of the current legislative landscape in the UK, so long as the UK is in the EU the GDPR has direct effect. The Data Protection Act 2018 ("DPA") must be read alongside the GDPR and has multiple functions. Firstly, it supplements the GDPR and contains derogations that are permitted by the GDPR (such as providing for additional conditions around the processing of special categories of personal data and exemptions in respect of data subject rights). The DPA also applies a broadly equivalent regime to certain data processing activities which fall outside the scope of the GDPR. These relate to, for example, the processing of personal data for immigration purposes and manual unstructured data held by a public authority covered by the Freedom of Information Act 2000. Finally, the DPA covers processing by law enforcement bodies and UK intelligence services.
In the event that the UK leaves the EU without a withdrawal agreement, the GDPR will form part of UK domestic law as 'retained EU law' ("UK GDPR") by virtue of section 3 of the EU (Withdrawal) Act 2018 ("EUWA"). However, in its current form the UK GDPR will not function effectively on the day that the UK leaves the EU ("exit day", currently scheduled for 29 March 2019) due to the numerous references to EU laws and institutions and the fact that the UK will cease to be a Member State of the EU. The Exit Regulations, made under powers conferred in the EUWA, will be required to ensure that the UK's legal framework for data protection continues to function.
If there is a withdrawal agreement, then the Exit Regulations will not come into force and the UK will instead enter the "transition period" where EU law will continue to apply as if the UK were still an EU Member State (subject to certain exceptions).
1. Territorial scope and UK representative
By virtue of the Exit Regulations, the UK GDPR will apply to any controllers and processors based in the UK as well as those outside the UK but which offer goods and services in the UK or monitor the behaviour of UK individuals. The UK GDPR will therefore continue to have extra-territorial effect in the same way as the GDPR currently does.
Many controllers and processors, whether based outside of the EEA or in one of the remaining EEA countries, will have already considered whether they are subject to UK data protection law. However, they will now also need to consider the requirement to appoint a representative in the UK. This will impact both non-EEA controllers and processors who may have already appointed a representative in a non-UK Member State as well as EEA controllers and processors who don't have a UK presence (and for whom this will represent an entirely new obligation).
Equally, the ICO has also indicated that a UK-based controller or processor that does not have any offices or establishments in the EEA but offers goods or services to or monitors the behaviour of EEA individuals will need to consider appointing a European representative.
2. The merger of the GDPR and "applied GDPR"
As previously mentioned, the DPA currently provides for two separate regimes for general processing: one for processing that falls within the scope of the GDPR and a separate, broadly equivalent regime for processing that falls outside the scope of the GDPR (the so-called "applied GDPR"). Given that EU law will not apply in the UK after Brexit, there will no longer be a need to distinguish between processing within the competence of EU law and that which is governed solely by UK law. The Exit Regulations will therefore merge these two regimes on exit day to create a single, unified regime for all general processing activities.
However, it is worth mentioning that this will not be a complete merger. Under s6 of the EUWA, any question around the interpretation of retained EU law (including the GDPR) must be decided in accordance with EU case law and general principles of EU law as they apply immediately before the UK leaves the EU. However, the Exit Regulations indicate that may not be the case for processing under the applied GDPR, which governs the processing of personal data in areas where the EU has no competence.
3. Data transfers outside the UK
Currently, any transfer of personal data from the UK to a country outside the EEA may only be made if that country has been granted adequacy status by the EU Commission or by using one of the "appropriate safeguards" described under Article 46 of the GDPR (i.e., the EU Commission's standard contractual clauses or approved BCR).
The Exit Regulations maintain the same restrictions for data transfers outside the UK (whether to a non-EEA country or a remaining member of the EEA) but ensure that data flows are not disrupted on exit day. They specify that certain countries and bodies are considered to have adequate status: these include all of the remaining EEA countries as well as Gibraltar, non-EEA countries which have already been granted adequacy status by the EU Commission or granted adequacy status prior to exit day, and the EU institutions and bodies. The Exit Regulations also provide that the EU's authorised standard contractual clause and approved BCR may continue as potential mechanisms for transfers outside the UK, whether in their original form or as modified for a UK-specific context. Finally, the existing derogations under Article 49 of the GDPR will continue to be available.
Once the UK has left the EU, the Secretary of State will have sole authority to grant adequacy status (by way of regulations) in respect of transfers outside the UK and will be required to publish a list of those countries and territories it has deemed adequate. The ICO will continue to authorise BCR and will also be able to issue new UK-only standard clauses.
4. Co-operation and consistency
From exit day, the ICO will no longer be able to take part in the existing co-operation mechanism between EU supervisory authorities. Equally, the European Commission and European Data Protection Board will not have competence over the regulation of personal data in the UK. Unsurprisingly, therefore, Chapter VII - which lays the foundations of the co-operation and consistency mechanism - will be redundant and is removed entirely from the UK GDPR. Article 50, which addresses broader aims of international co-operation and mutual assistance in the area of data protection, will be retained.
Another expected amendment is the removal of provisions addressing the co-operation of Member State courts. Currently, under Article 81 of the GDPR, where proceedings are issued in a UK court against the same controller or processor and in relation to the same subject matter as a case already pending in another EU Member State, the UK court may either decline jurisdiction or suspend those proceedings until the other court has made its determination. Arguably, the removal of these provisions increases the possibility of concurrent claims in the UK and the EU.
5. ICO fines
The Exit Regulations confirm that the ICO will continue be able to issue the same level of fines as provided under the GDPR. In particular, they state that from exit day the ICO will be able to administer fines of up of £8.7m or 2% of the total worldwide annual turnover (whichever is higher) for less serious breaches and £17.5m or 4% (whichever is higher) for more serious breaches.
What will the new year bring in privacy and data protection legislation? Well, to name just a few highlights, we've got a handful of EU member states still needing to pass laws addressing the General Data Protection Regulation, India is in the midst of debate over a new law, Brazil's law will get the enforcement body it has been lacking, and there are talks of a U.S. federal privacy law. But that's just the tip of the iceberg. This week's Privacy Tracker roundup consists of contributions from IAPP members across the globe outlining their expectations (and occasionally their hopes) for privacy legislation in the coming year. With more than 30 contributions, this year's global legislative predictions issue is our most comprehensive yet.
By Pablo Palazzi
The year 2019 will see Argentina with an important landmark in its history of data protection law. In September 2018 the government sent to congress the data protection bill, based on the EU General Data Protection Regulation. Now it is up to Congress (first the Senate, then the House of Representantes) to openly debate the bill and approve it. Argentina was the first country in Latin America to adopt a full fledged EU data protection law and the first country to be considered adequate by the EU. Now, nearly 20 years later Argentina has again the chance to follow EU law again.
By Tim Van Canneyt, CIPP/E
2019 will be another important year for data protection in Belgium. First, we should finally see the appointment of the directors of the new data protection authority. At the moment, Belgium has an interim supervisory authority which is pretty much forced to act on a day-to-day management basis. When the directors of the DPA are appointed in 2019, the authority will be able to adopt its strategic vision, publish more guidelines to help companies and offer better protection to citizens. In addition, we should hopefully see the implementation of the NIS Directive into national law. Furthermore, the Belgian Supreme Court will have to assess the lawfulness of the recent government decision obliging every Belgian resident to provide their fingerprints for inclusion on the ID card's chip. Finally, it will be interesting to follow the class action brought against Facebook by consumer protection body TestAankoop.
By Renato Leite Monteiro, CIPP/E, CIPM
2019: The year of compliance and the Brazilian Data Protection Authority!
What a year! Nobody could guess in the beginning of 2018 that Brazil would finally have its own General Data Protection Law, known as LGPD (I myself have written this column for the last three years and I always thought my predictions were only in a wild guess!). And then, out of the blue, it was approved in August. However, the president vetoed one of its pillars: the creation of the national data protection authority. Even though some provisions would only have an effect if the authority was created. This lack of DPA made the LGPD weak.
Then, on the dawn of the year, Dec. 28, 2018, the Executive Order n° 869/18 promoted several alterations to the law. One of the most important was the creation of the Brazilian National Data Protection Authority. It is also altered the vacatio legis period for the LGPD to 24 months, changing the enforcement date from February 2020 to August 2020. During this period, the ANPD must exercise collaborative and consultative functions, aiming to provide assistance in the process of compliance to the new law. With the creation of the DPA, business will know to whom and what to look for. They will have a straight channel to communicate. The ANPD will provide for a much more stable application of the law, and, for instance, more legal certainty, what will probably spur technological and economic development.
Nonetheless, despite the DPA, enforcement actions might continue. The Distrito Federal and Territories Public Prosecution Office has been heavily conducting investigations on data breaches and other issues regarding personal data. Recently, the Minas Gerais Public Prosecution Office fined a drugstore chain for exchanging customers’ personal Taxpayer Id numbers for discounts in products, which in fact is a common practice in Brazil. The total amount of the fine was R$ 7,930.801.72 (BRL), the largest related to data protection yet. This condemnation was vastly reported in mainstream media, national and international. Such actions are likely to continue.
Also, since LGPD will enter into force in August 2020, 2019 will be year companies will rush to become compliant, a practice that has already become a new niche market. Consulting companies and law firms are heavily investing in personnel and privacy software to take advantage of the escalating demand. Proof is that the IAPP has partnered with the first official training center of Brazil. Data Privacy Brasil will provide training courses for both CIPP/E and CIPM certifications.
Therefore, we can say that 2019 will be an interesting year for the data protection scenario in Brazil!
The balance of this article requires membership to IAPP. If you are interested in a specific country/region, please email us and we will provide details.
UK software company Syrenis is delighted to announce the recent appointment of their new Canadian reseller, Newport Thomson.
UK software company Syrenis is delighted to announce the recent appointment of their new Canadian reseller, Newport Thomson. Newport Thomson serve the US, Canada and the EU, helping businesses to manage risk within their businesses by operationalising data and privacy best practices.
Syrenis is renowned for its Preference Centre, which has recently been expanded and rebranded to accommodate changes to the personal data and privacy landscape. Now known as Cassie, the personal information platform currently handles almost a billion marketing preferences for 118 million customer contacts worldwide, and securing knowledgeable new partners such as Newport Thomson brings the platform to more businesses with currently unmet personal data needs.
‘The level of expertise within Newport Thomson became clear from our very first conversations with them,’ says Glenn Jackson, CEO of Syrenis. ‘Naturally we’re delighted to have them on board and we look forward to a long partnership with them.’
‘Record keeping is the biggest compliance issue for any of these new laws being implemented globally, from GDPR to CCPA, including PIPEDA and CASL,’ states Derek Lackey, Managing Partner, Newport Thomson. ‘Our client’s data and privacy infrastructure was never designed to prove consent claims or any of the other details required by these new laws. In order to be compliant an organization must re-think the way they manage data, privacy, consent and data subject rights and Syrenis is an exceptional solution at the right price.’
The system has been engineered to be flexible and intuitive for users, allowing for better brand consistency and a positive preference management experience. It now offers improved support functions: previously hidden features have been made more accessible, such as a bank of FAQs for reference, and users can also submit and manage support requests from within their portal interface.
‘The changing privacy landscape on the North American continent is something that we have been watching with great interest,’ Glenn continues. ‘Having a partner with such strong bases in both the US and Canada allows us to work together to deliver the best possible personal data solutions for those markets.’
More information about Newport Thomson can be found at www.newportthomson.com.
With only days to go before Vermont’s data broker regulation law takes effect, the Vermont Attorney General has finally issued guidance that explains how businesses can comply with the law and the nature of the obligations it imposes on them.
The Vermont Statute
This past May, the Vermont legislature passed the first law in the United States specifically regulating data brokers, effective January 1, 2019. Data brokers must register with the state by January 31, 2019, and annually thereafter, and must provide specified information to the state when they register.
The law also imposes certain minimum data security standards on data brokers, and prohibits data brokers – and everyone else – from acquiring certain personal information of consumers through fraudulent means or with the intent to commit wrongful acts.
What Is a Data Broker?
As we discussed in a previous Alert, the Vermont law defines “data broker” as a business that knowingly collects and sells or licenses to third parties “brokered personal information” of a consumer with whom the business does not have a direct relationship. The new guidance from the Vermont Attorney General amplifies the definition by listing four questions that can determine if a particular business is a data broker for purposes of the law. If a business answers “yes” to these questions, and if its activities do not fall within certain very limited exceptions, the business is a data broker.
The questions are:
1. Does the business handle the data of consumers with whom it does not have a direct relationship?
Data brokers collect and sell or license the data of consumers with whom they do not have a direct relationship. For example, a retailer that sells information about its own customers is not a data broker because it has a relationship with its customers.
2. Does the business both collect and sell or license the data?
A business that collects data for its own use or analysis is not a data broker. As an example, an insurance company that buys data about individuals to set rates and develop new products but that does not resell or license the data, is not a data broker.
The guidance makes clear that “collection” is a broad term, and can include the purchase or license of data from someone else, or the collection from original sources such as court records, surveys, or internet search histories.
According to the guidance, sale or license does not include a one-time or occasional sale of the assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business. It also does not include a sale or license that is “merely incidental to the business.”
3. Is the data about individuals residing in Vermont?
Vermont’s data broker regulation does not apply to a company that has no data on Vermont residents or who is not otherwise subject to jurisdiction in Vermont. Importantly, the guidance suggests that a national data broker has a “non-trivial chance” of possessing Vermonters’ data. It states that if a data broker does not maintain the state of residence of individuals whose data it collects, it might presume that there may be at least one Vermonter in its data set.
4. Is the data brokered personal information (BPI)?
BPI is defined broadly. It must be computerized as well as categorized or organized for dissemination to third parties. According to the guidance, data is BPI if it contains one or more of a person’s name, address, date of birth, place of birth, mother’s maiden name, biometric information, name or address of a member of the consumer’s immediate family or household, or Social Security number or other government-issued identification number.
The guidance also provides that BPI includes “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
By contrast, BPI does not include publicly available information to the extent that it is related to a business or profession. For example, a doctor’s office address or phone number is not BPI, but a doctor’s home phone number (assuming it is not used for business) is BPI.