I OVERVIEW

Like other countries in Europe, the United Kingdom has adopted an omnibus data protection regime implementing the EU Data Protection Directive 95/46/EC (the Data Protection Directive),2 which regulates the collection and processing of personal data across all sectors of the economy. From 25 May 2018, the EU General Data Protection Regulation (the Regulation)3 will have direct effect in the United Kingdom and will repeal the Data Protection Directive. The government of the United Kingdom is also proposing a Data Protection Bill to implement the Regulation before it takes effect on 25 May 2018.

II THE YEAR IN REVIEW

On 21 June 2017 the Queen’s Speech outlined the UK government’s legislative priorities for the next two years. This speech confirmed not only that the United Kingdom will still be an EU Member State when the Regulation takes effect, but also that the government intends to introduce legislation implementing the Regulation so that after Brexit, the United Kingdom will have a law on its books that implements the Regulation. A draft of this new Data Protection Bill was expected to be published in September 2017 and consultation documents, including the official Statement of Intent suggest that it will faithfully implement the Regulation.4 After Brexit, the UK government could of course amend this data protection law so that it diverges from the Regulation. However, were the government to do this, the wide extraterritorial scope of the Regulation means that many UK companies would still need to comply with the new requirements under the Regulation.

In the past months, the Information Commissioner’s Office (ICO) has begun to publish guidance in respect of the Regulation. In March 2017, the ICO published draft consent guidance for public consultation,5 and in April the ICO published a feedback request in relation to the profiling requirements under the Regulation. The ICO expects to publish additional Regulation guidance before May 2018 and is currently considering whether to issue entirely new guidance documents or to adapt its existing guidance for the Regulation. On 29 November 2016, the Investigatory Powers Bill received royal assent and became know as the Investigatory Powers Act 2016 (IPA).6 The IPA, once brought fully into force, will reform the regime under which UK law enforcement bodies, intelligence agencies and the government can intercept communications, interfere with equipment and acquire and intercept bulk communications data.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards
Privacy and data protection laws and regulations

Until May 2018 (or until the date on which the proposed Data Protection Bill takes effect, if before 25 May 2018), data protection in the United Kingdom is mainly governed by the Data Protection Act 1998 (DPA), which implemented the Data Protection Directive into national law and entered into force on 1 March 2000.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendments) Regulations 2011) (PECR) regulate direct marketing, but also the processing of location and traffic data and the use of cookies and similar technologies. The PECR have implemented Directive 2002/58/EC7 (as amended by Directive 2009/136/EC) (the ePrivacy Directive). On 10 January 2017, the European Commission issued a draft of the proposed Regulation on Privacy and Electronic Communications (the ePrivacy Regulation) to replace the existing ePrivacy Directive.8 The ePrivacy Regulation will complement the Regulation, have direct effect in Member States including the United Kingdom (unless the United Kingdom exits the European Union before the ePrivacy Regulation takes effect) and provide additional sector-specific rules including in relation to marketing and the use of website cookies.

The key changes in the proposed ePrivacy Regulation will:

  • a require a clear affirmative action to consent to cookies;
  • b attempt to encourage the shifting of the burden of obtaining consent for use of cookies to website browsers; and
  • c make consent for direct marketing harder to obtain and require it to meet the standard set out in the Regulation; however, existing exceptions (such as the exemption that applies where there is an existing relationship and similar products and services are being marketed) are likely to be retained.

The European Commission’s original timetable for the ePrivacy Regulation was for it to apply from 25 May 2018 and coincide with the Regulation. However, it is increasingly unlikely that this deadline will be met, both because the ePrivacy Regulation is tied to a wider reform of EU telecommunications regulation and also because of the number of issues with the proposal that have been identified.

In April 2017, the Article 29 Working Party issued an opinion on the proposed ePrivacy Regulation, which welcomed some elements of the proposal but also identified areas of ‘grave concern’, including with regard to cookie tracking walls.9 It is currently uncertain when the ePrivacy Regulation will be finalised and when it will take effect.

Key definitions under the DPA
  • a Data controller: a person who (either alone, or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;10
  • b data processor: any person (other than the employee of a data controller) who processes the data on behalf of the data controller;11
  • c data subject: an individual who is the subject of personal data;12
  • d personal data: data that relate to a living individual who can be identified from that data, or from that data and other information that is in the possession of, or is likely to come into the possession of, the data controller;13
  • e processing (in relation to information): obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

• organisation, adaptation or alteration of the information or data;

• retrieval, consultation or use of the information or data;

• disclosure of the information or data by transmission, dissemination or otherwise making available; or

• alignment, combination, blocking, erasure or destruction of the information or data;14 and

  • f sensitive personal data: personal data consisting of information as to the racial or ethnic origin of the data subject, his or her political opinions, his or her religious beliefs, or information of a similar nature, whether the subject is a member of a trade union, his or her physical or mental health or condition, sexual life, the commission or alleged commission by him or her of any offence, or any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings or the sentence of any court in such proceedings.15
Data protection authority

The DPA and PECR are enforced by the ICO and from 25 May 2017, the ICO will enforce the Regulation in the United Kingdom and any UK legislation implementing the Regulation. Once the ePrivacy Regulation is finalised and takes effect, the ICO will also enforce the ePrivacy Regulation and any UK implementing legislation in the United Kingdom. The ICO also enforces and oversees the Freedom of Information Act 2000, which provides public access to information held by public authorities. The ICO has independent status and is responsible for:

  • a maintaining the public register of data controllers;
  • b promoting good practice by giving advice and guidance on data protection and working with organisations to improve the way they process data through audits, arranging advisory visits and data protection workshops;
  • c ruling on complaints; and
  • d taking regulatory actions.
ii General obligations for data handlers

Under the DPA, data controllers must comply with the eight data protection principles16 and ensuing obligations.

First principle: fair and lawful processing

Personal data must be processed fairly and lawfully. This essentially means that the data controller must:

  • a have a legitimate ground for processing the personal data;
  • b not use data in ways that have an unjustified adverse effect on the individuals concerned;
  • c be transparent about how the data controller intends to use the personal data, and give the data subject appropriate privacy notices when collecting their personal data;
  • d handle a data subject’s personal data only in ways they would reasonably expect and consistent with the purposes identified to the data subject; and
  • e make sure that nothing unlawful is done with the data.

Legal basis to process personal data

As part of fair and lawful processing, the processing must be justified by at least one of six specified grounds listed in Schedule 2 to the DPA.

The DPA applies a stricter regime in the case of sensitive personal data,17 which may only be processed on the basis of certain limited grounds, including where the data controller has obtained the explicit consent of the data subject.18

Registration with the ICO

Under the DPA, a data controller processing personal data must make a notification to the ICO19 unless certain limited exemptions apply. A data controller who is not established in the United Kingdom, or any other European Economic Area (EEA) state, but is using equipment in the United Kingdom for processing personal data other than merely for the purposes of transit in the United Kingdom, has to appoint a representative in the United Kingdom and provide the contact name and details of the representative to the ICO in the registration form. Notification of the ICO consists of filling in a form and the payment of a fee, which must be paid when the data controller registers for the first time and then every year when the registration is renewed.

Data protection officer

There is no current legal requirement to appoint a data protection officer.

Information notices

Data controllers must provide data subjects with information on how their personal data is being processed. In general terms, an information notice should, according to the ICO,20 state the data controller’s identity and, if the data controller is not based in the United Kingdom, the identity of its nominated UK representative; the purposes for which the processing of personal data is intended; and any additional information the data controller needs to give individuals in the circumstances to be able to process the data fairly.21

Second principle: processing for specified and lawful purposes

Personal data can only be obtained for one or more specified and lawful purposes, and must not be processed in a way that is incompatible with those purposes.

Third principle: personal data must be adequate, relevant and not excessive

A data controller must ensure that it holds sufficient personal data to fulfil its intended lawful purposes, but that personal data must be relevant and not excessive to those purposes.

Fourth principle: personal data must be accurate and kept up to date

Data controllers must ensure that personal data is accurate and, where necessary, kept up to date. The ICO recommends22 data controllers take reasonable steps to ensure the accuracy of any personal data obtained, ensure that the source of any personal data is clear, and carefully consider any challenges to the accuracy of information and whether it is necessary to update the information.

Fifth principle: personal data must not be kept for longer than necessary

Personal data processed for particular purposes should not be kept for longer than is necessary for those purposes. In practice, this means that the data controller must review the length of time it keeps personal data and consider the purpose or purposes it holds the information for in deciding whether (and for how long) to retain this information. Data controllers must also securely delete personal data that is no longer needed for this purpose or these purposes, and update, archive or securely delete information if it goes out of date.

It is good practice to establish standard retention periods for different categories of information (e.g., employee data and customer data). To determine the retention period for each category of information, data controllers should take into account and consider any legal or regulatory requirements or professional rules that would apply.23

Sixth principle: personal data must be processed in accordance with the rights of data subjects

Personal data should be processed in accordance with the rights of data subjects under the DPA. In particular, the data controller must:

  • a provide information in response to a data subject’s access request;24
  • b comply with a justified request to prevent processing that is causing or will be likely to cause unwarranted damage or distress to the data subject or another person;
  • c comply with a notice to prevent processing for the purposes of direct marketing; and
  • d comply with a notice objecting to the taking of automated decisions.
Seventh principle: measures must be taken against unauthorised or unlawful processing of personal data

Appropriate technical and organisational measures must be taken by the data controller against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the personal data. Where a data controller uses a data processor to process personal data on its behalf, then the data controller must ensure that it has entered into a written contract that obliges the data processor to process only the personal data on the instructions of the data controller and to comply with obligations equivalent to those imposed on the data controller by the seventh principle.

Eighth principle: transfers of personal data to a country or territory outside the European Economic Area

See Section IV.

iii General obligations of data controllers and processors

For a summary of the general obligations of data controllers and processors under the Regulation, see Section III of the European Union Overview chapter.

iv Technological innovation and privacy law
Anonymisation

Neither the DPA nor the Regulation applies to anonymous data. However, there has been a lot of discussion over when data is anonymous and the methods that could be applied to anonymise data.

The ICO in its guidance on anonymisation25 recommends organisations using anonymisation to have in place an effective and comprehensive governance structure that should include:

  • a a senior information risk owner with the technical and legal understanding to manage the process;
  • b staff trained to have a clear understanding of anonymisation techniques, the risks involved and the means to mitigate them;
  • c procedures for identifying cases where anonymisation may be problematic or difficult to achieve in practice;
  • d knowledge management regarding any new guidance or case law that clarifies the legal framework surrounding anonymisation;
  • e a joint approach with other organisations in the same sector or those doing similar work;
  • f use of a privacy impact assessment;
  • g clear information on the organisation’s approach to anonymisation, including how personal data is anonymised and the purpose of the anonymisation, the techniques used and whether the individual has a choice over the anonymisation of his or her personal data;
  • h a review of the consequences of the anonymisation programme; and
  • i a disaster-recovery procedure should re-identification take place and the individual’s privacy is compromised.
Big data

The DPA does not prohibit the use of big data and analytics. However, because it raises various data protection issues, the ICO issued guidance in July 2014 and revised it in August 201726 considering data protection issues raised by big data. The ICO suggests how data controllers can comply with the DPA and, from May 2018, the Regulation while using big data, covering a broad range of topics including anonymisation, privacy impact assessments, repurposing data, data minimisation, transparency and subject access. The guidance included three questions on which the ICO invited feedback. A summary of feedback on big data and data protection and the ICO position was published in April 2015.27

In addition, the Financial Conduct Authority (FCA) published in March 2017 a feedback statement following its Call for Inputs on Big Data on retail general insurance.28 The FCA’s key findings were that that although big data is producing a range of benefits for consumers in motor and home insurance, there are also concerns about its impact on data protection. To address some of these concerns the FCA proposed to co-host a roundtable with the ICO and various stakeholders to discuss data protection and the use of personal data in retail general insurance.

‘Bring your own device’ (BYOD)

The ICO has published guidance for companies on implementing BYOD29 programmes allowing employees to connect their own devices to company IT systems. Organisations using BYOD should have a clear BYOD policy so that employees connecting their devices to the company IT systems clearly understand their responsibilities.

To address the data protection and security breach risks linked to BYOD, the ICO recommends that companies take various measures, including:

  • a considering which type of corporate data can be processed on personal devices;
  • b how to encrypt and secure access to the corporate data;
  • c how the corporate data should be stored on the personal devices;

d how and when the corporate data should be deleted from the personal devices; and

  • e how the data should be transferred from the personal device to the company servers.

Organisations should also install antivirus software on personal devices, provide technical support to the employees on their personal devices when they are used for business purposes, and have in place a ‘BYOD acceptable-use policy’ providing guidance to users on how they can use their own devices to process corporate data and personal data.

Cloud computing

The use of cloud computing and how it complies with EU data protection requirements has been a subject of much discussion recently. The ICO, like many other data protection authorities in the EU, has published guidance on cloud computing.30

Cloud customers should choose their cloud provider based on economic, legal and technical considerations. According to the ICO, it is important that, at the very least, such contracts allow cloud customers to retain sufficient control over the data to fulfil their data protection obligations.

The ICO proposes a checklist that organisations can follow prior to entering into an agreement with a cloud provider, with questions on confidentiality, integrity, availability, and other legal and data protection issues.31

Cookies and similar technologies

In 2009, the e-Privacy Directive 2002/58/EC was amended.32 This included a change to Article 5(3) of the e-Privacy Directive requiring consent for the use of cookies and similar technologies. This new requirement was implemented in the United Kingdom through the PECR. As a result, organisations now have an obligation to obtain consent of website users to place cookies or similar technologies on their computers and mobile devices.33 The consent obligation does not apply where the cookie is used ‘for the sole purpose of carrying out the transmission of a communication over an electronic communication network’ or is ‘strictly necessary’ to provide the service explicitly requested by the user. This exemption is applied restrictively and so could not be used when using analytical cookies. Organisations must also provide users with clear and comprehensive information about the purposes for which the information, such as that collected through cookies, is used.

The ICO has published guidance on the use of cookies, and provides recommendations on how to comply with the requirements and how to obtain consent. The ICO considers that implied opt-in consent is a valid form of consent if the consenting individual has taken some action from which the consent can be inferred, such as visiting the website and going from one page to another by clicking on a particular button.34

On 10 January 2017, the European Commission issued a draft of the proposed Regulation on Privacy and Electronic Communications (the ePrivacy Regulation) to replace the existing ePrivacy Directive.35 The ePrivacy Regulation will complement the Regulation and provide additional sector-specific rules, including in relation to the use of website cookies.36

v Specific regulatory areas
Employee data

There is no specific law regulating the processing of employee data. However, the ICO has published an employment practices code and supplementary guidance to help organisations comply with the DPA and to adopt good practice.37

The code contains four parts covering:

  • a recruitment and selection, providing recommendations with regard to the recruitment process and pre-employment vetting;
  • b employment records, which is about collecting, storing, disclosing and deleting employees’ records;
  • c monitoring at work, which covers employers’ monitoring of employees’ use of telephones, internet, email systems and vehicles; and
  • d workers’ health, covering occupational health, medical testing and drug screening.
Employee monitoring38

The DPA does not prevent employers monitoring their employees. However, monitoring employees will usually be intrusive, and workers have legitimate expectations that they can keep their personal lives private. Workers are also entitled to a degree of privacy in their work environment.

Organisations should carry out a privacy impact assessment before starting to monitor their employees to clearly identify the purposes of monitoring, the benefit it is likely to deliver, the potential adverse impact of the monitoring arrangement, and to judge if monitoring is justified, as well as take into account the obligation that arises from monitoring. Organisations should also inform workers who are subject to the monitoring of the nature, extent and reasons for monitoring unless covert monitoring is justified.

Employers should also establish a policy on use by employees of electronic communications, explaining acceptable use of internet, phones and mobile devices, and the purpose and extent of electronic monitoring. It should also be outlined how the policy is enforced and the penalties for a breach of the policy.

Opening personal emails should be avoided where possible and should only occur where the reason is sufficient to justify the degree of intrusion involved.

On 8 June 2017, the Article 29 Working Party adopted an opinion on data processing at work that also addressed employee monitoring.39 This opinion is unlikely to fundamentally change the ICO’s approach to employee monitoring in the United Kingdom. However, it does include a number of new recommendations, including that where it is possible to block websites rather than continually monitoring internet usage, employers should prefer prevention to detection.

Whistle-blowing hotlines

Under the DPA, the use of whistle-blowing hotlines (where employees and other individuals can report misconduct or wrongdoing) is permitted and their use is not restricted by the ICO. There is no specific UK guidance on the use of whistle-blowing hotlines. However, organisations using them in the United Kingdom will have to comply with the data-protection principles under the DPA and, from 25 May 2018, the Regulation.40

Electronic marketing41

Under the PECR, unsolicited electronic communication to individuals should only be sent with the recipient’s consent.42 The only exemption to this rule is known as ‘soft opt-in’, which will apply if the sender has obtained the individual’s details in the course of a sale or negotiations for a sale of a product or service; the messages are only marketing for similar products; and the person is given a simple opportunity to refuse marketing when his or her details are collected, and if he or she does not opt out, he or she is given a simple way to do so in future messages. These UK rules on consent do not apply to marketing emails sent to companies and other corporate bodies.43

Senders of electronic marketing messages must provide the recipients with the sender’s name and a valid contact address.44

The ICO has created a direct-marketing checklist, which enables organisations to check if their marketing messages comply with the law and which also proposes a guide to the different rules on marketing calls, texts, emails, faxes and mail. The ICO has also published guidance on direct marketing, which it updated in March 2016.45

The proposed ePrivacy Regulation, which will have direct effect in the United Kingdom if it takes effect before the United Kingdom exits the European Union, will supersede the PECR. The current draft of the ePrivacy Regulation would require a higher standard of consent for direct marketing, equivalent to the consent standard in the Regulation. However, it is possible that existing exemptions such as the soft opt-in may be retained.46

Financial services

Financial services organisations, in addition to data protection requirements under the DPA, also have legal and regulatory responsibilities to safeguard consumer data under the rules of the FCA, which include having adequate systems and controls in place to discharge their responsibilities.

This includes financial services firms taking reasonable care to establish and maintain effective systems and controls for countering the risk that the firm might be used to further financial crime, such as by misuse of customer data.47

Failure to comply with these security requirements may lead to the imposition of significant financial penalties by the FCA.

IV INTERNATIONAL DATA TRANSFER

Under the eighth principle of the DPA, and under Article 45 of the Regulation, personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data.48 The DPA and the Regulation provide various exemptions to permit transfers of personal data from the EEA to countries outside the EEA that do not provide an adequate level of protection, including:

  • a Consent: with the consent of the data subject, although as the ICO comments, valid consent means the data subject must have a real opportunity to withhold consent without incurring a penalty, or to subsequently withdraw consent. As a result, consent is unlikely to provide an adequate long-term framework in cases of repeated or structured transfer.
  • b EU–US Privacy Shield: US companies that self-certify under the Privacy Shield will be able to receive personal data from the EU in compliance with EU data protection requirements. The Privacy Shield was adopted on 12 July 2016 and replaces the US–EU Safe Harbor framework, which was invalidated by the CJEU in October 2015, in the iconic Schrems decision.49 US companies have been able to self-certify their compliance to the Privacy Shield Principles since 1 August 2016.
  • c EU Model Contract Clauses: where the EU’s standard contractual clauses (model contracts) for the transfer of personal data from a data exporter in the EEA to a data importer outside the EEA are entered into.
  • d Binding corporate rules: where the data controller has entered into binding corporate rules. As the lead data protection authority, the ICO has approved the binding corporate rules of 31 organisations so far.50
  • e Adequacy assessment: where in the view of the data controller there is an adequate level of protection for the personal data to be transferred. This requires an assessment of the circumstances of the transfer (such as the nature of the data, the purposes of the transfer, security measures taken, etc.) and an assessment of the law in force in the country where the data is to be transferred.
  • f Other exceptions under the DPA and the Regulation are:

• where it is necessary for carrying out certain types of contract or if the transfer is necessary to set up the contract;

• where it is necessary for reasons of substantial public interest (e.g., preventing and detecting crime, national security and collecting tax);

• where it is necessary for the protection of the vital interests of the individual (e.g., matters of life and death);

• where the personal data is part of a public register, as long as the person to whom the data is transferred complies with any restrictions on access to, or use of, the information in the register; and

• where it is necessary in connection with legal proceedings (including future proceedings not yet under way), to get legal advice or where exercising or defending legal rights.

V DISCOVERY AND DISCLOSURE

The ICO has not published any specific guidance on this topic.51 E-discovery procedures and the disclosure of information to foreign enforcement agencies will, most of the time, involve the processing of personal data. As a result, organisations will have to comply with the data protection principles under the DPA in relation to e-discovery and from 25 May 2018 must comply with the requirements of the Regulation.

In practice, this will mean informing data subjects about the processing of their personal data for this purpose. Organisations will also have to have a legal basis for processing the data. In the United Kingdom, companies may be able to rely on the legitimate-interest basis to disclose personal data unless the data contain sensitive data, in which case consent of the data subject will have to be obtained, or where the processing is necessary for the purposes of establishing, exercising or defending legal rights.52

A data transfer solution will also have to be implemented if the data is sent to a country outside the EEA that is not deemed to provide an adequate level of protection as discussed in Section IV.

VI PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The ICO is responsible for enforcing the DPA. In the event of a breach the ICO may:

  • a issue information notices requiring organisations to provide the ICO with specified information within a certain period;
  • b issue undertakings committing an organisation to a particular course of action to improve its compliance;
  • c issue enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps to ensure they comply with the law;
  • d conduct consensual assessments (audits) to check organisations are complying. In the past, the ICO’s audit activities have been limited to assessments carried out with the consent of the organisations concerned. Now, however, the ICO may also issue an ‘assessment notice’, which enables it to inspect a government department or an organisation of a designated description to see whether it is complying with the data protection principles. The ICO does not need the organisation’s consent to do this if it has issued the notice;
  • e issue assessment notices to conduct compulsory audits53 to assess whether organisations processing personal data follow good practice (data protection only);
  • f issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the DPA occurring on or after 6 April 2010, or serious breaches of the PECR occurring on or after 26 May 2011;
  • g prosecute those who commit criminal offences under the DPA. The ICO liaises with the Crown Prosecution Service to bring criminal prosecutions against organisations and individuals for breaches of the DPA; and
  • h report to Parliament on data protection issues of concern.

The FCA also has enforcement powers and can impose financial penalties on financial services organisations for failure to comply with their obligations to protect customer data.

From 25 May 2018, the ICO will be responsible for enforcing the Regulation in the United Kingdom. In the event of a breach of the Regulation, the ICO may take the same actions as are available to it under the DPA, with the exception that the ICO will be able to issue monetary penalty notices of up to €20 million (or £17 million as proposed in the Data Protection Bill) or 4 per cent of annual worldwide turnover, whichever is greater.

ii Recent ICO-led enforcement cases

In May 2016, an NHS trust was issued with a £185,000 monetary penalty notice for publishing an equality and diversity spreadsheet on its website that contained confidential and sensitive personal data relating to a large number of employees and that was available to and accessible by the public for a number of months.

In August 2016, a GP surgery was issued with a £40,000 monetary penalty notice for releasing confidential information about a woman and her family to her estranged ex-partner.

In August 2016, a county council was issued with a £100,000 monetary penalty notice for leaving in an unlocked cupboard files containing confidential and sensitive personal data about 100 of its social care clients.

In October 2016, a telecom company was fined a record amount of £400,000 by the ICO for security failings that allowed an attacker to access large volumes of customers’ personal data.

In January 2017, the ICO fined an insurance company £150,000 following the loss of the personal data of nearly 60,000 customers.

In July 2017, an NHS trust was issued with a request to sign an undertaking in respect of its failure to comply with the DPA when sharing patient details with an AI system.

In August 2017, the ICO issued a telecom company with a monetary penalty notice of £100,000 after it failed to protect the personal data of up to 21,000 customers.

vii CONSIDERATIONS FOR FOREIGN ORGANISATIONS

The DPA applies to a data controller established in the United Kingdom and processing personal data in the context of that establishment. It also applies to foreign organisations not established in the United Kingdom, or in any other EEA state, that use equipment located in the United Kingdom (e.g., a service provider processing personal data in the United Kingdom) for processing personal data otherwise than for the purposes of transit through the United Kingdom. Data controllers not established in the United Kingdom or any other EEA country and processing personal data through equipment located in the United Kingdom must nominate a representative established in the United Kingdom and comply with the data principles and requirements under the DPA.

The Regulation will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EEA, regardless of whether or not the processing takes place in the EEA. The Regulation will also apply to controllers or processors not established in the EEA that process the personal data of data subjects in the EEA in relation to the offering of goods and services to those data subjects in the EEA and to the monitoring of the behaviour of those data subjects in the EEA. Data controllers not established in the EEA but still subject to the Regulation nominate a representative established in one of Member States of the EEA.

VIII CYBERSECURITY AND DATA BREACHES

i Cybersecurity
Investigatory Powers Act 2016 (the Investigatory Powers Act)

The Investigatory Powers Act received Royal Assent on 29 November 2016. The Act prohibits the interception of communications without lawful authority and sets out the situations in which there is lawful authority. Various law enforcement and intelligence authorities can, under the Investigatory Powers Act, make targeted demands on telecommunications operators.

Under the Investigatory Powers Act, the Secretary of State may by giving notice require a public telecommunications operator to retain communications data for a period that must not exceed 12 months if he or she considers that this is necessary and proportionate for one or more of the purposes for which communications may be obtained under the Investigatory Powers Act. The Investigatory Powers Act also expands the data retention requirements in the DRIP Act that it replaces (see below) to a broader range of communications data, such as site browsing histories.

The Investigatory Powers Act is controversial and like its predecessor, the DRIP Act, it has been criticised for lacking basic safeguards and for granting overly expansive powers for the bulk collection of data. The legality of the Investigatory Powers Act has already been called into question following a ruling of the CJEU on the data retention provisions in the DRIP Act. One year after receiving Royal Assent, the English High Court issued a landmark judgment declaring the DRIP Act unlawful. The High Court ruled that a number of the provisions in the DRIP Act were incompatible with EU human rights law. However, the ruling was suspended until 31 March 2016 to give UK legislators time to implement appropriate safeguards. Preliminary questions were referred to the CJEU by the English Court of Appeal. On 21 December 2016, the CJEU issued a landmark ruling that effectively upheld an original decision of the High Court in relation to the validity of the provisions of the DRIP Act.54 Although the ruling concerned the DRIP Act, the Investigatory Powers Act does little to address the criticisms of the DRIP Act in the CJEU’s judgment and in some cases provides for even more extensive powers than under the DRIP Act. The case has now been returned to the Court of Appeal, which initially referred questions to the CJEU for a preliminary ruling. As of August 2017, the Court of Appeal had not issued its judgment, but it is possible that one potential consequence of the judgment, once eventually received, is that the Investigatory Powers Act will need to be amended, either by further primary legislation or a statutory instrument.

The Regulation of Investigatory Powers Act 2000 (RIPA)

The interception powers in Part 1, Chapter 1 of RIPA have been repealed and replaced by a new targeted interception power under the Investigatory Powers Act.

The DRIP Act

The DRIP Act has now been repealed and replaced by the Investigatory Powers Act. The DRIP Act was an emergency piece of legislation, and was due to expire on 31 December 2016.

UK cybersecurity strategy

In November 2011, the Cabinet Office published the UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, with four objectives for the government to achieve by 2015:

  • a tackling cybercrime and making the United Kingdom one of the most secure places in the world to do business;
  • b to be more resilient to cyberattacks and better able to protect our interests in cyberspace;
  • c to create an open, stable and vibrant cyberspace that the UK public can use safely and that supports open societies; and
  • d to have the cross-cutting knowledge, skills and capability it needs to underpin all our cybersecurity objectives.

In March 2013, the government launched the Cyber-security Information Sharing Partnership to facilitate the sharing of intelligence and information on cybersecurity threats between the government and industry.

The government has also recently developed the Cyber Essentials scheme, which aims to provide clarity on good cybersecurity practice.

Along with the Cyber Essentials scheme, the government has published the Assurance Framework, which enables organisations to obtain certifications to reassure customers, investors, insurers and others that they have taken the appropriate cybersecurity precautions. The voluntary scheme is currently open and available to all types of organisation.

In June 2015, the government launched a new online cybersecurity training course to help the procurement profession stay safe online.

In July 2015, the government announced the launch of a new voucher scheme to protect small businesses from cyberattacks, which will offer micro, small and medium-sized businesses up to £5,000 for specialist advice to boost their cybersecurity and protect new business ideas and intellectual property.

In January 2016, the government announced plans to assist start-ups offering cybersecurity solutions. Such start-ups will be given help, advice and support through the Early State Accelerator Programme, a £250,000 programme designed to assist start-ups in developing their products and bringing them to market. The programme is run by Cyber London and the Centre for Secure Information Technologies, and is funded by the government’s National Cyber Security Strategy programme.

In March 2016, the government announced that the United Kingdom’s new national cyber centre (announced in November 2015) would be called the National Cyber Security Centre (NCSC). The NCSC, which is based in London, opened in October 2016 and is intended to help tackle cybercrime.

Data breaches

Under the DPA, there is no requirement to report security breaches to the ICO and the individuals involved. Although there is no legal obligation on data controllers to report security breaches, the ICO believes that serious breaches should be brought to its attention. According to the ICO, there should be a presumption to report a breach to the ICO if a significant volume of personal data is concerned and also where smaller amounts of personal data are involved but there is still a significant risk of individuals suffering substantial harm.55 The ICO has issued varied guidance on how to manage security breaches and how to make a security-breach notification.56

In addition, under the PECR57 and the Notification Regulation,58 internet and telecommunication service providers must report breaches to the ICO no later than 24 hours after the detection of a personal data breach where feasible.59 The ICO has published guidance on this specific obligation to report breaches.60

From 25 May 2018, under the Regulation there will be a requirement for data controllers to report personal data breaches to the ICO without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach.61 If a controller does not report the data breach within 72 hours, it must provide a reasoned justification for the delay in notifying the ICO. The controller is also subject to a concurrent obligation to notify affected data subjects without undue delay when the notification is likely to result in a high risk to the rights and freedoms of natural persons.62 Under the Regulation, data processors also have an obligation to notify the data controller of personal data breaches without undue delay after becoming aware of a personal data breach.63 According to its programme of work for 2017, the Article 29 Working Party is expected to produce guidelines on the notification of personal data breaches later in 2017.

IX OUTLOOK

The Regulation will apply in Member States from 25 May 2018. How long it will remain directly applicable in the United Kingdom will depend on how quickly the United Kingdom exits the European Union, and on the nature and content of any transitional agreement. The Queen’s Speech in June 2017 confirmed that the United Kingdom will still be an EU Member State when the Regulation takes effect and that the government intends to introduce legislation implementing the Regulation. After Brexit, it is therefore likely that the United Kingdom will have passed a law, the proposed Data Protection Bill, that implements the Regulation. A draft of this new Data Protection Bill was expected to be published in September 2017. After Brexit, the UK government would be free to amend this data protection law so that it diverges from the Regulation; however, the government has not indicated an intention to do so. Instead, the UK government has published a position paper that proposes a close and ambitious model for UK–EU data protection cooperation after Brexit that will provide for ‘continued regulatory cooperation between the UK and EU data protection regulators and promote certainty for business, public authorities and citizens’.64

The ICO has indicated that it intends to develop its Overview of the General Data Protection Regulation into a more detailed Guide to the General Data Protection Regulation, which will form the core of its guidance in respect of the Regulation. In addition, the ICO is scheduled to finalise its guidance on consent under the Regulation before the end of 2017 and to produce draft guidance on contracts and liability under the Regulation.

In the coming months, it is also likely to become clearer how the United Kingdom will implement the Network and Information Systems Directive (the NIS Directive).65 The NIS Directive was adopted in June 2016 by the European Parliament and, among other things, introduces stringent new information security requirements for ‘operators of essential services’ and ‘digital service providers’. Member States have until 9 May 2018 to implement the NIS Directive. The UK government confirmed that the NIS Directive would be implemented in the United Kingdom in a report published in December 2016.66 In August 2017, the government published a consultation on its plans to transpose the NIS Directive.67 The consultation closed on 30 September 2017 and, importantly, it considered the essential services that the NIS Directive should cover.

1 William RM Long is a partner, Géraldine Scali is a counsel and Francesca Blythe is an associate at Sidley Austin LLP.

2 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

4 Department for Digital, Culture, Media and Sport, A new Data Protection Bill: Our Planned Reforms.

5 Information Commissioner’s Office, Draft Consultation: GDPR Consent Guidance, 2 March 2017.

6 Investigatory Power Act 2016.

7 Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

8 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

9 Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC).

10 Section 1 DPA.

11 Ibid.

12 Ibid.

13 Ibid.

14 Ibid.

15 Section 2 DPA.

16 Schedule 1 to the DPA.

17 See definition at Section III.i.

18 Schedule 3 to the DPA.

19 Section 18 DPA.

20 ICO, Privacy Notices Code of Practice, December 2010.

21 ICO, Guide to Data Protection, Part B1, Paragraph 25.

22 ICO, Guide to Data Protection.

23 Ibid.

24 ICO, Subject Access Code of Practice, V.1.1, February 2014.

25 In November 2012, the ICO published a code of practice on managing data protection risks related to anonymisation. This code provides a framework for organisations considering using anonymisation and explains what it expects from organisations using such processes.

26 ICO, Guidelines on Big Data and Data Protection, 28 July 2014 and revised 18 August 2017.

27 ICO, Summary of Feedback on Big Data and Data Protection and ICO Response, 10 April 2015.

28 FCA, FS16/5, Call for Inputs on Big Data in retail general insurance.

29 ICO, Guidelines on Bring Your Own Device (BYOD), 2013.

30 ICO, Guidance on the Use of Cloud Computing, 2012.

31 See the European Union Overview chapter for more details on cloud computing.

32 Directive 2009/136/EC.

33 PECR Regulation 6.

34 ICO, Guidance on the Rules on Use of Cookies and Similar Technologies, May 2012.

35 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

36 See the European Union Overview chapter for more details on the proposed ePrivacy Regulation.

37 ICO, The Employment Practices Code: Supplementary Guidance, November 2011.

38 Ibid.

39 WP 249: Opinion 2/2017 on data processing at work, adopted 8 June 2017.

40 For guidance on how to comply with data protection principles under the DPA see WP 117: Opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, and the fight against bribery, banking and financial crime adopted on 1 February 2006.

41 ICO, Guide to the Privacy and Electronic Communications Regulations, 2013, and Direct Marketing Guidance, V.2.2.

42 PECR Regulation 22(2).

43 ICO, Direct Marketing Guidance, V.2.2.

44 PECR Regulation 23.

45 ICO, Direct Marketing Guidance, V.2.2.

46 See the European Union overview chapter for more details on the proposed ePrivacy Regulation.

47 SYSC 3.

48 Schedule 1 to the DPA, and Article 45 of the Regulation.

49 Case C-362/14 Schrems v. Data Protection Commissioner [2014].

50 To find the list of authorised binding corporate rules by the ICO see http://ec.europa.eu/justice/data
-protection/document/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.

51 The Article 29 Working Party has, however, published a working document on this topic. See the European Union Overview chapter for more details.

52 Schedule 3(6)(c) to the DPA.

53 For central government organisations.

54 Case C-698/15 Secretary of State for the Home Department v. Tom Watson, Peter Brice and Geoffrey Lewis.

55 ICO, Guidance on Notification of Data Security Breaches to the Information Commissioner’s Office, 27 July 2012.

56 ICO, Guidance on Data Security Breach Management, 12 December 2012, and Guidance on Notification of Data Security Breaches to the Information Commissioner’s Office, 27 July 2012, and the previous version published on 27 March 2008.

57 PECR Regulation 5A(2).

58 Commission Regulation No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (the Notification Regulation), which entered into force on 25 August 2013.

59 Article 2 of the Notification Regulation. The content of the notification is detailed in Annex 1 to the Notification Regulation.

60 ICO, Guidance on Notification of PECR Security Breaches, 26 September 2013.

61 Article 33(1) of the Regulation.

62 Article 34 of the Regulation.

63 Article 33(2) of the Regulation.

64 ‘The exchange and protection of personal data: a future partnership paper’, August 2017.

65 Directive (EU) 2016/1148 of the European Parliament and the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

66 Cyber Security Regulation and Incentives Review, December 2016.

67 Consultation on the Security of Network and Information Systems Directive, August 2017.