If the UK leaves the EU and EEA, will it be "adequate" for data transfers from the EU? Evidence suggests not, especially following the passing of the IP Act and the Tele2/Watson CJEU decision.
1. DP, IP, the UK and Brexit
The Great Data Protection Law Reform Saga of 2012-8 (?)
Lilian Edwards
Professor of E-Governance
University of Strathclyde
Lilian.edwards@strath.ac.uk
@lilianedwards
2. A. From the DPD to the GDPR
• Directive 95/46/EC of the EU on the protection of individuals with regard
to the processing of personal data and on the free movement of such
data. Human rights based. Much case law now draws on the EU Charter of
Fundamental Rights and ECtHR jurisprudence as well as the CJEU.
• Intended to address computerisation/databases but NOT the Internet
• Implemented in UK by DPA 1998 and many SIs
• DPD extended to deal with technological challenges eg spam, cookies,
location data, by the Privacy and Electronic Communications Directive
2002/58/EC, revised 2009 (Directive 2009/136/EC), in force May 2011 (the “cookie” or E-Privacy
Directive) (UK: PECD Regs)
• Reform by General DP Regulation (GDPR), plus Directive on policing –
1st draft, Jan 25 2012; political agreement on the compromise text, Dec 2015/Jan 2016; official text
published in the OJ, May 2016
• Applies from 25 May 2018 after a 2-year lead-in for member states (MSs) – DIRECT
EFFECT OF A REG, so no transposing law is needed for the core text – ICO says UK preparation is on track
• ? Would a post Brexit UK implement GDPR?
3. Key Definitions in the DPD – art 2
• “Data” (the wording below is the UK DPA 1998, s 1 transposition; the DPD
itself defines “personal data” and “processing”) means information which is being processed
by means of equipment operating automatically, or is
recorded with the intent that it should be processed
by this equipment, or is recorded as a part of a
relevant manual filing system. (see ECJ case,
Lindqvist, on what counts as processing personal data online)
• “Data controller”: a person or company who
determines the purpose and means of the data
processing.
• “Data processor” is the person who processes the
data on behalf of the data controller.
• “Data subject” is defined in art 2 as part of the concept
of personal data.
4. Personal data
• Scope of DPD restricted to “processing” of
“personal data” =
• “information relating to an identified or
identifiable natural person ('data subject'); an
identifiable person is one who can be identified,
directly or indirectly, in particular by reference to
an identification number or to one or more
factors specific to his physical, physiological,
mental, economic, cultural or social identity”
• + see recital 26: account should be taken of “all the means likely reasonably to be used” to identify the person
• “Processing” – very widely defined (art 2(b): any operation performed on personal data,
incl. collection, storage, disclosure, erasure)
5. DPD Principles (primarily art 6; the wording below is the UK DPA 1998, Sch 1 transposition)
1. Personal data shall be processed fairly and lawfully
(“collection limitation”) (-> needs a lawful ground, including consent)
2. Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be further
processed in a manner incompatible with those purposes
(“purpose/use limitation”).
3. Personal data shall be adequate, relevant and not excessive
in relation to the purpose for which it is processed.
4. Personal data shall be accurate and, where necessary, kept up to date
(“data quality”).
5. Personal data shall not be kept for longer than is
necessary for the purpose of processing (“retention”).
6. Personal data shall be processed in accordance with the
rights of data subjects (“openness”) (eg subject access requests, SARs)
7. Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing, and against
accidental loss, destruction or damage (“security”).
8. Data export principle – EU personal data only to be transferred
outside the EEA to countries with an “adequate” level of protection
6. (not) Key reforms under the GDPR
• Principles – added principle of minimisation of
data processed; and accountability principle for
DCs (notification dropped)
• (?)Personal data – not much change to definition
in arts, but cf recital 26 and “singling out” ;
however new category of pseudonymous data
introduced (still personal) (UK – more restrictive definition?)
• (?)Data controller/data processor – some
changes to increase control over cloud provider
by DC
7. Key reforms under GDPR
1. Consent
DPD, art 2(h): “any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal
data relating to him being processed.”
No explicit definition in UK DPA
GDPR art 4(11) adds “unambiguous”
And revocability as a key aspect of valid consent (GDPR art 7(3): withdrawal must be as easy as giving consent).
And “a clear affirmative action” (art 4(11)) ie silence or pre-ticked boxes are not acceptance (recital 32)
Arguably new(er) requirements in GDPR (art 7(2) and (4))
– written consent to processing should not be “bundled” ie one consent
to everything at once
- consent not free if tied to providing a service but the processing not
necessary for that service(cf FB etc)
BUT
NOT required that all consent be “explicit” – sensitive (special category) PD only (art 9)
NOT explicit in the articles that consent is void if “significant imbalance of power” (only recital 43, eg public authorities)
Privacy icons NOT required for policies but are encouraged
8. New user rights
2. Right to be forgotten (RTBF) – GDPR, art 17. Right of DS to “obtain from
the DC the erasure of personal data” if
– data no longer necessary for original purpose
– DS withdraws consent
– DS objects to their PD being used for profiling
– They have been “unlawfully processed”
• Aimed at hosts/publishers, inc social networks, cloud hosts. NOT JUST
SEARCH ENGINES – see Google Spain v Costeja.
• Exceptions – see art 17(3).
– Freedom of expression
– Archives, historical, statistical and scientific research? (cf Wikipedia
on criminal convictions)
– For proof in legal claims
• Not liked in UK HL EU Committee report, 2014 (re G Spain)
9. 3. Right to data portability
• Right to data portability, ie, for DS to get a copy of their data to
take elsewhere (GDPR art 20) - “in a structured, commonly used
and machine-readable format”
• Also right to have such data transmitted directly from co A to B
“where technically feasible”
– Aimed at breaking “lock in” to sites like Facebook – network
effects
– Some see as additional burden for service providers
– But UK has promoted as new market opportunity for
infomediaries
– UK MiData initiative – mainly re energy cos, also banks, mobile
phone cos – see Enterprise & Regulatory Reform Act 2013 – powers
in reserve, not yet implemented
10. Increased enforcement - 1
4. Mandatory security breach notification (GDPR arts
33-34).
• Already introduced for telcos/ISPs by the E-Privacy Directive, art 4(3) (as amended 2009)
• Devil in the details:
– what triggers (all PD breaches “unless the personal data breach
is unlikely to result in a risk to the rights and freedoms of natural
persons” – does that cover data that was encrypted or pseudonymised? cf art 34(3)(a): no communication
to DSs needed if measures such as encryption render the data unintelligible to whoever got it);
– Tell the DPA – for the UK, the ICO
– communication to individual DSs only if “high risk” to the above
– how long before notifying (without undue delay and, where feasible, within 72 hours of becoming aware; reasons for any delay must be given)
– Parallel notification under the EU Network and Information Security
Directive (NIS) likely (affects non-PD incidents as well)
• How effective? US, Japanese experience found SBN
not that helpful. Lack of US style class action rules
tho Vidal-Hall v Google may help
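The breach-notification trigger above turns partly on whether the leaked data was encrypted or pseudonymised, and slide 6 notes that pseudonymous data is still personal data. The following Python is an added example, not from these slides, illustrating why on a handful of constructed records: a keyed pseudonym (HMAC under a controller-held secret) keeps rows linkable, so a person can still be singled out and profiled, and whoever holds the key can re-identify; an unkeyed hash of a guessable identifier gives no protection at all, since anyone can recompute it. The records, the key and the candidate identifier lists are all made up for the example.

```python
import hashlib
import hmac

# Constructed sample records for the example; not real people.
RECORDS = [
    {"email": "alice@example.org", "purchase": "insulin"},
    {"email": "bob@example.org", "purchase": "novel"},
    {"email": "alice@example.org", "purchase": "test strips"},
]

# Assumed secret held by the data controller, kept separately from the
# pseudonymised records (the "additional information" of GDPR art 4(5)).
CONTROLLER_KEY = b"controller-held-secret-key"


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under the controller's key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier with a pseudonym; keep the payload."""
    return [{"pid": pseudonymise(r["email"], key), "purchase": r["purchase"]}
            for r in records]


def link_by_pseudonym(pseudonymised):
    """Group rows by pseudonym. The same person always gets the same pid, so the
    dataset can still be profiled ("singled out") without knowing who it is."""
    groups = {}
    for row in pseudonymised:
        groups.setdefault(row["pid"], []).append(row["purchase"])
    return groups


def reidentify(pid: str, candidates, key: bytes):
    """Anyone holding the key reverses a pseudonym by recomputing it over a
    candidate list (e.g. the controller's own customer table)."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, key), pid):
            return candidate
    return None


def unkeyed_hash(identifier: str) -> str:
    """A common but weak 'pseudonymisation': plain SHA-256 with no secret."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def brute_force_unkeyed(digest: str, candidates):
    """Without a key, any attacker with a list of plausible identifiers
    (emails, phone numbers, ID numbers) reverses the hash offline."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    out = pseudonymise_records(RECORDS, CONTROLLER_KEY)
    print("linkable groups:", link_by_pseudonym(out))
    print("controller re-identifies:",
          reidentify(out[0]["pid"], [r["email"] for r in RECORDS], CONTROLLER_KEY))
    print("attacker re-identifies unkeyed hash:",
          brute_force_unkeyed(unkeyed_hash("alice@example.org"),
                              ["bob@example.org", "alice@example.org"]))
```

The practical reading for art 34(3)(a): a breach of HMAC pseudonyms whose key stays uncompromised is a reasonable candidate for “unlikely to result in a risk”, but the dataset is still personal data in the controller's hands, and a breach of unkeyed hashes of low-entropy identifiers should be treated like a breach of the identifiers themselves.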
11. Increased enforcement - 2
5. Penalties
• GDPR originally suggested penalties of up to €1
million or up to 2% of the global annual turnover of a
company. EU Parl suggested 5% turnover, up to 100
mn Euros.
• Final GDPR – two levels
– Up to 10 mn Euros or 2% annual global turnover
– Up to 20 mn Euros or 4% global turnover for more severe
infringements
• Cf USA –big privacy breach cases, FTC large fines –
2012, Google fined $22.5m (but < 1 day’s profit) ; FB,
2012, no fine but $16,000/day per violation of
agreed privacy settlements & 20 years audit
12. New approaches?
• 6. “Privacy by design and default” etc
• Mandatory! “the controller shall.. taking into account the state of
the art, the cost of implementation and the nature, scope, context and purposes of processing” (art 25)
– Implement “technical and organisational” measures to
implement DP principles
– Art 35; DP impact assessments – if “high risk” processing,
esp using “new technologies”, DPIA to be carried out
before processing
– Esp likely for automated profiling systems, or “systematic
monitoring of public areas”
– Little enthusiasm from private sector
– BUT - UK ICO has led the EU on PIAs (code of practice since 2007)?
13. Effect of non implementation GDPR?
• Adequacy
• GDPR art 45 – EU personal data can only be transferred to third
countries where the Commission has decided they ensure an “adequate level of
protection”
• US avoided this with the Safe Harbor agreement but..
• Hard line on this from the EU since Schrems (CJEU, Oct 2015, C-362/14), which struck Safe Harbor down
– DP has the status of a fundamental right, therefore review has to be
strict
– “adequate” does not mean identical to EU law but “essentially equivalent”
– Vital for state authorities to be bound as much by guarantees as
private actors
– Derogations on ground state security possible but must not be vague,
pass necessity & proportionality test and give redress rights to EU
subjects
• Concerns continue into Privacy Shield (EDPS, A29 etc)
• Tweaks to GDPR unlikely to violate “adequacy” but Investigatory
Powers Act 2016?
14. Investigatory Powers Act 2016
• Likely issues in the IP Act? “one of the most
extreme surveillance laws ever passed in a
democracy”
– Collection of bulk personal data sets
– Internet Connection Records
– Bulk retention of meta data (eg web traffic for a year
of all users) (cf DRI Ireland, CJEU, 2014 vs Davis/
Tele2, CJEU, Opinion July 2016 – judgment due
December 21)
• Opinion laid down 5 stringent conditions for general
retention to be legal
– “Equipment interference” (legalised covert state
hacking)
15. Alternatives to “adequacy”?
• Explicit consent of DS (art 49(1)(a))
– But (recital 111) only where the transfer is “occasional” and
“necessary”; and where other grounds aren’t usable (rec
113)
• Standard contractual clauses (SCCs)(art 46)
• Binding corporate rules (BCRs)(art 47)
• Special adequacy decision eg Privacy Shield
• However
• All but BCRs under challenge & BCRs of limited application
(intra company transfers)
– DRI v Commission challenging Privacy Shield (General Court, lodged Sept 2016)
– Irish DPC has sought a reference of SCCs to the CJEU (Irish High Court, May 2016) – Ustaran -
“The prospect of the standard contractual clauses being
declared invalid is the Armageddon of lawful global data
flows.”
Speaker notes
What effect if the UK doesn’t implement the GDPR? What parts might be tweaked or left out? Discretion – c 50 provisions leave MSs discretion