MAY 2014 ISSUE 01
Data Protection
Selected legal and regulatory developments in data protection

If you require advice on a data protection and privacy matter, please contact your usual Slaughter and May adviser or:
Rob Sumroy, T: +44 (0)20 7090 4032, E: rob.sumroy@slaughterandmay.com
Rebecca Cousin, T: +44 (0)20 7090 3049, E: rebecca.cousin@slaughterandmay.com
Cindy Knott, T: +44 (0)20 7090 5168, E: cindy.knott@slaughterandmay.com

In this Issue
EU REFORM
The latest on the reform of data protection legislation
REGULATORY GUIDANCE
New guidance on privacy impact assessments
The ICO looking to the future
ARTICLE 29 WORKING PARTY GUIDANCE
Processing data for your legitimate interests
A solution for data transfers from EU processors to non-EU processors?

EU reform
THE LATEST ON THE REFORM OF DATA PROTECTION LEGISLATION
It is now over two years since the EU Commission published its proposal for a reform of the EU data protection regime. The proposal comprised two draft instruments: a general data protection regulation (the Regulation) and a directive relating to police and criminal justice processing. The Regulation is relevant to all private sector organisations and to a large part of the work undertaken by the public sector. To become law, the Regulation has to go through the EU ordinary legislative procedure, which gives equal weight to the EU Parliament and the Council of the EU in terms of decision-making.

What stage is the Regulation at now?
The EU Parliament voted on the Regulation on 12 March 2014, confirming the position adopted in October 2013 by the Civil Liberties, Justice and Home Affairs parliamentary committee [1]. This means that Parliament has fixed its position on the Regulation and will not be able to deviate from it following the parliamentary elections in May this year.
The Council’s progress has been significantly slower, but there is evidence of continuing work. The Irish Presidency (January-June 2013) published draft amendments [2] to chapters I-IV of the Regulation, which it submitted to the Council on 31 May 2013 with a view to securing broad support among the Council for its approach. In February, the current Greek Presidency (January-June 2014) published a progress report revising those chapters on specific points and adding some further amendments to chapter V. It is still not clear whether the final instrument will be in the form of a regulation or whether the Council will successfully push for a directive instead (allowing Member States greater flexibility in how the regime is implemented at a national level). The Council has to date refused to adopt a view on this until other points have been addressed. It also appears to be struggling to reach agreement amongst its members on items such as the “one-stop shop” mechanism (i.e. whether one EU regulator can act on behalf of others or whether a ‘lead authority’ should be responsible for co-ordinating a common position between relevant regulators on matters such as enforcement action).

What does this mean for the timing more generally?
Although it is still possible that agreement will be reached on a final text before the end of the year, many now think that is not realistic. Speaking at the ICO’s Data Protection Practitioners’ conference in Manchester on 3 March, the Deputy Commissioner, David Smith, was of the view that a final text is unlikely to be agreed in 2014 and that 2015, or even later, is more likely. This would mean the Regulation would not apply in Member States before 2017 at the earliest. In the meantime, reviewing current processes and complying with best practice continue to be good strategies to prepare for whatever the future may hold.
Regulator guidance
NEW GUIDANCE ON PRIVACY IMPACT ASSESSMENTS
On 25 February, the Information Commissioner’s Office (ICO) published a new code of practice on privacy impact assessments (the Code) to replace its previous Handbook. Privacy impact assessments (PIAs) enable organisations to identify and reduce the privacy risks of a project. As the ways in which we transfer, store and share data continue to evolve, and the financial and reputational risks posed by data protection issues continue to increase, tools such as PIAs are becoming essential for organisations of all sizes. Further, although there is currently no requirement in the UK to carry out PIAs, this is likely to change under the European reform proposals discussed earlier.

The Code is particularly useful as it can be used by non-data protection experts and includes template reports and questions. It also explains how PIAs can be integrated into common project management frameworks such as PRINCE2 and Agile methodologies. For further information on PIAs and the Code published by the ICO, please see our Client Briefing (March 2014).

[1] For further details on the consolidated version of the Regulation voted on by the Civil Liberties, Justice and Home Affairs parliamentary committee, please see our Client Briefing (November 2013).
[2] See Note from Presidency to Council and Addendum, 31 May 2013.

THE ICO LOOKING TO THE FUTURE
The ICO faces some of its most daunting challenges in the next five to ten years. As a result of the changing nature of the global information rights society, the increased exploitation of ‘big data’ and ‘open data’ as business tools and the growing awareness of and concern for privacy among citizens and consumers, the ICO is witnessing record levels of business.
Combine this with legislative proposals that would alter the role of the ICO, potentially adding a number of responsibilities and creating an almost crushing lack of funding [3], and it is clear the ICO has some serious thinking to do. To address these concerns, the ICO held two public consultations:
• “Our new approach to data protection concerns”, which closed on 31 January 2014 (the ‘First Consultation’); and
• “Looking ahead, staying ahead: Towards a 2020 vision for information rights” (the ‘Second Consultation’), which closed on 7 February.

The ICO published its responses to those consultations, along with its corporate plan for the years 2014-2017 (the ‘Plan’) and a new guide for data controllers on ‘How we deal with complaints and concerns’. The Plan took effect on 1 April.

Has the ICO changed its approach and strategy?
The Plan has not changed significantly from its previous version (published in February 2013), but there is evidence of progress on some issues. For example, in relation to the ICO’s potential funding crisis, the ICO now appears to be working with the Ministry of Justice on proposals that will form part of draft legislation for the next Parliament; last year’s plan referred only to funding options to be agreed for 2014/2015. The Plan also illustrates the progress made in relation to the ICO’s powers to carry out compulsory audits of the NHS (with draft legislation to be laid before Parliament in May this year) and provides evidence of increased international co-operation with other regulators. The need for better management of cross-border issues (including consistency of approach between different regulators and co-operation in enforcement action) was highlighted by respondents to the Second Consultation as an area of concern.
New elements in the Plan include:
• an acknowledgement of the growing awareness of and concern for privacy among individuals, including as a result of the Snowden surveillance revelations;
• mention of ‘Big Data’ (as a development that “raises the stakes still higher”);
• a framework for an ICO-sponsored pathfinder scheme, to be in place by March 2015, in relation to accreditation, trust marks and seals for organisations; and
• planned engagement by the ICO with various parliamentary committees in relation to the growth in surveillance.

[3] Currently, the ICO’s data protection work is funded by the notification fees it receives from data controllers. However, draft EU legislation to reform the data protection regime proposes to remove the notification system. For further detail on the reform, please see our website.

In addition, the Plan no longer appears to consider the issuing of civil monetary penalties by the ICO for serious breaches of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) as one of the ways to improve compliance by organisations. Following some successful appeals by organisations against ICO fines this year, the ICO’s approach to PECR compliance is now only to seek to enforce it “in a proportionate and effective way”. However, speaking at the ICO’s Data Protection Practitioners’ conference in Manchester on 4 March, Simon Hughes MP, Minister of State for Justice and Civil Liberties, outlined plans to lower the threshold at which the ICO can issue civil monetary penalties for breaches of PECR.

What about the handling of customer complaints?
A number of respondents to the First Consultation were concerned that the ICO’s new approach would mean it would no longer be willing to accept concerns reported by the public or to carry out assessments of an organisation’s compliance following a complaint. This would clearly mark the end of the ICO’s role as an ombudsman.
In addition, concerns have been raised that declining to intervene because a matter only has personal and individual consequences, rather than revealing systemic problems, may be unlawful as it would not reflect proper implementation of the Data Protection Directive.

The ICO’s response to the above is to clarify that it will only refer an individual back to the organisation where that individual was not provided with a clear explanation of the processing by the organisation. The ICO also plans to make greater use of its discretion to carry out assessments following a complaint, so that the depth of the ICO’s investigation is proportionate to the potential severity of the matters involved. In practice, this means that if an organisation breaches data protection legislation and a complaint is made to the ICO, the ICO is unlikely to investigate the matter further provided:
• the organisation has given the individual a clear explanation of the processing;
• the breach is minor [4]; and
• the breach does not provide a realistic opportunity for the organisation to improve its information rights practice.

However, the ICO would always inform the organisation of the breach and keep the details on file to inform future regulatory decisions or to help the ICO spot systemic problems.

Finally, the ICO’s response to the First Consultation also provided further details about its plans to publish reports naming the organisations responsible for generating the most data protection concerns and complaints (irrespective of whether the concern or complaint resulted in enforcement action being taken). The ICO attempts to soothe respondents by stating that it will allow organisations to add a narrative to their entry and will always include a statement explaining that organisations processing high volumes of personal information are likely to generate a proportionate number of concerns to the regulator.
This is unlikely to be sufficient to alleviate the concerns of those ‘named and shamed’.

[4] ‘How we deal with complaints and concerns’ (April 2014). The ICO’s response to the First Consultation refers to where an issue is not serious (rather than where the breach is minor).

What does this all mean for the future?
The ICO is clearly starting to prepare for various legislative outcomes (including new EU data protection legislation, potential changes to the freedom of information regime and the possible incorporation of some of the Leveson recommendations into UK data protection law) whilst also grappling with fast-paced technological developments. However, given the current level of uncertainty about the progress of these legal developments and the amount of everyday work the ICO has to deal with, it is perhaps not too surprising that much of what is in the ICO’s responses and Plan builds on previous plans and strategies without yet committing to any major changes.

Article 29 Working Party Guidance
PROCESSING DATA FOR YOUR LEGITIMATE INTERESTS
A substantial amount of the data processing that takes place today in the EU, and particularly in the UK, relies on the ‘legitimate interests’ ground. This is one of six legal grounds on which organisations can rely to justify their data processing activities under EU data protection legislation. It requires a balancing of the legitimate interests of the organisation, or of any third parties to whom the data are disclosed, against the interests or fundamental rights of the individual(s) whose data the organisation is processing. To address the lack of harmonised interpretation of the legitimate interests ground across EU Member States, the Article 29 Working Party (WP) has recently published an opinion (the ‘Opinion’). The Opinion sets out the factors to be taken into account when carrying out the balancing test, supported by a number of practical examples.
In the context of the European reform proposals discussed above, proposals had been put forward to narrow the scope of this ground and only allow organisations to rely on it in exceptional cases [5]. Thankfully, subsequent legislative developments indicate that such a limiting approach is unlikely to form part of any final text [6]. The WP supports this view by explicitly recognising the significance and usefulness of the legitimate interests ground. However, the Opinion also clarifies that the legitimate interests ground should not be chosen automatically, or its use unduly extended, on the basis of a perception that it is less constraining than the other grounds set out in the current legislation. It remains to be seen whether the recommendations the Opinion puts forward (including a requirement that organisations document and communicate their assessment of the application of the legitimate interests ground) will be taken on board by policy makers as they consider the EU reform proposals. Further details on the Opinion will be included in our next Client Briefing.

A SOLUTION FOR DATA TRANSFERS FROM EU PROCESSORS TO NON-EU PROCESSORS?
The Article 29 Working Party (WP) has published draft clauses for the transfer of personal data from an EU processor to a non-EU sub-processor (the ‘Clauses’). The Clauses aim to fill a gap in the current set of model clauses approved by the EU Commission for transfers of data out of the EEA. Those clauses cover transfers from an EEA controller to a non-EEA controller and transfers from an EEA controller to a non-EEA processor. EU processors wishing, for example, to off-shore their services to a foreign sub-processor or to use non-EEA cloud services were therefore deprived of the blanket protection afforded by such model clauses. The WP had published FAQs to address this issue, offering possible solutions (such as direct contracts between EEA-based controllers and non-EEA-based processors; a clear mandate from EEA-based controllers to EEA-based processors to use the relevant approved model clauses in their name and on their behalf; or ad hoc contracts). The Clauses have yet to be approved by the EU Commission and are likely to require some work before then, but they are a welcome first step.

[5] Draft Report of the Civil Liberties, Justice and Home Affairs Committee on the proposal for a General Data Protection Regulation (17 December 2012).
[6] Please see our Client Briefing (November 2013).

London T +44 (0)20 7600 1200 F +44 (0)20 7090 5000
Brussels T +32 (0)2 737 94 00 F +32 (0)2 737 94 01
Hong Kong T +852 2521 0551 F +852 2845 2125
Beijing T +86 10 5965 0600 F +86 10 5965 0650
Published to provide general information and not as legal advice. © Slaughter and May, 2014. For further information, please speak to your usual Slaughter and May contact. www.slaughterandmay.com