So we have a Brexit Trade Deal. What now for GDPR and international transfers?

blur cartography close up concept
Photo by slon_dot_pics on Pexels.com

So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

The Brexit Trade Deal: Implications for Data Protection and International Transfers

cytonn-photography-n95VMLxqM2I-unsplash

December 2020 Update: This post was originally titled “Brexit, Trade Deals and GDPR: What happens next?’ and published in September 2020. It was updated on 26th December 2020.


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

Boris, Brexit and GDPR: What next?

 

Big BenBig Ben and Westminster abbey in London, England

Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.

What are the implications for the UK’s data protection regime in the form of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018). Can we bin them on the 31st January with our red EU passports? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (now 31st January 2020 unless something, akin to Elvis returning from the moon, happens in the next few weeks!).

With Boris’s deal likely to be approved by Parliament, the implications of the above regulations will not be felt until the end of the transition period (currently 31stDecember 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so) a revision of GDPR, to be known as the “UK GDPR”, will come into force on 1stJanuary 2021. A brief summary of the key changes follows.

The EU version of GDPR, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.

The regulations also deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR so that the UK will

  • Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
  • Give powers to the Secretary of State to determine or revoke adequacy
  • Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
  • Recognise all Binding Corporate Rules authorised before Exit Day
  • Introduce an extraterritoriality into the UK data protection regime

Of course from Exit Day, the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transitional period, the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021 which means that Data Controllers and Processors have to start putting in additional safeguards now to maintain the free flow of data.

The new regulations also amend the DPA 2018 which must be alongside GDPR.
Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.

More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.

Ibrahim Hasan is presenting a webinar in January on this topic. These and other GDPR developments will be discussed in detail in our GDPR update workshop.

GDPR and Brexit: What next?

canstockphoto15551787-1

We are heading for a No Deal Brexit it seems (at least today!). What are the implications for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018)?  Can we bin them on the 31st October with our red EU passports? The answer is no. GDPR and the DPA are here to stay albeit there will be immediate amendments coming into force if Boris does not “pull a rabbit out of the hat.”

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29thMarch 2019, with the rest coming into force on exit day (currently 31stOctober unless something happens in the next few weeks like a General Election!).

The new regulations will only apply if we crash out of the EU without a deal. If Boris gets a deal then GDPR will apply “as is” until the end of the transitional period (currently December 2020). But no deal will mean no transitional period and changes to GDPR as we know it.

The current (EU) version of GDPR, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The new regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

In a no deal scenario, the UK will immediately become a third country under GDPR and so EU Data Controllers will not be able to transfer data to the UK unless additional safeguards are in place. The regulations deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly. However the UK government has acknowledged that there would be no prospect of a positive adequacy decision in the foreseeable future.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context.Amongst other things, the new regulations merge this part into the UK GDPR.

All Data Controllers and Processors need to assess their EU/UK data flows and think what measures they can put into place to ensure continuity post No Deal Brexit.

The uncertainty around Brexit means that it is an interesting time for Data Protection Officers and advisers. Watch this space!

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

The Data Protection Act 2018 – Pre and Post Brexit

adobestock_85090086.jpeg

The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.

DPA Image for Blog

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

Making GDPR British: New Regulations set out the UK’s post Brexit DP landscape

On 19thDecember 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29thMarch 2019, with only one page of explanatory notes. And you though Theresa May had problems!

robert-tudor-704838-unsplash

On 19th December 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29th March 2019, with only one page of explanatory notes. And you thought Theresa May had problems!

Before you start reaching for the highlighters, marker pens and sticky notes (and maybe even smelling salts) it is important to bear in mind that the primary aim of the new regulations is “to make GDPR British” (my phrase). Yes dear readers, we will soon have our own (red, white and blue) version of GDPR. All the pain and cost of Brexit will have been worth it!

To understand the new regulations, we have to go “back to basics” (not my phrase). The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Despite the UK leaving the EU on 29th March (or later – you never know! – or never, in which case ignore everything and wait for more blog posts!!!!), all EU laws, including GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.

The EU version of GDPR, which the UK is bound by until exit day, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend GDPR to remove these references and replace them with British equivalents where applicable. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. (Read our summary and blog post busting some of the myths).

Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context. Amongst other things, the new regulations merge this part into the UK GDPR.

Other provisions to note include:

  • Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.
  • Regulation 6 introduces Schedule 3, which makes consequential amendments to other legislation.
  • Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in light of provision made by the GDPR relating to the meaning of “consent”.

Part 3 of the DPA 2018 regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. This part will continue to apply, even after exit day, to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc. Some minor amendments will be made to reflect the UK GDPR. Similarly Part 4 of the Act (processing of personal data by the Intelligence Services) and Parts 5 and 6 (Information Commissioner Powers and Enforcement) will remain in force.

The new regulations also deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. These regulations attempt to make the UK version of GDPR as robust as the EU version. We will have to wait and see if the EU agrees.

The new regulations are currently in draft (you can follow their progress here). If approved they come into force on exit day, which is currently scheduled to be 29th March 2019, although it could be later. With all the uncertainties over the Brexit deal, I would not get the markers out just yet nor tear up your Act Now GDPR handbook!

STOP PRESS – The Regulations were made on 28th February 2018 and will come into force as set out in Regulation 1.

If you want to know more about the new regulations, Ibrahim Hasan is presenting a webinar soon.

Make 2019 the year you achieve a GDPR qualification. Our next few GDPR Practitioner Certificate courses are almost fully booked!

European Parliament approves text of forthcoming EU Regulation on the Free Flow of Non-Personal Data within the European Union

EP-054128A_TEST_PANO

On 4th October 2018 the European Parliament (by 520 to 81 votes) agreed the text of the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The draft Regulation was proposed by the European Commission in 2017, as part of its Digital Single Market Strategy. The European Parliament, Council of Ministers and the European Commission reached a political consensus on it in June 2018. This adoption by the Parliament brings the regulation one step closer to becoming law. All that remains now is for the Council of Ministers to agree it on 6th November. It will then enter into force by the end of the year, although Member States will have 6 months to apply the new rules. This mean that it will enter into force before the UK exits the European Union in March 2019.

Background to the proposal

The European Commission proposed this regulation as part of its Digital Single Market Strategy.

According to the EU Commission the value of the EU data market in 2016 was estimated to be almost 60 billion Euros, with one study suggesting it could increase to more than 106 billion Euros by 2020.  The new regulation is designed to unlock this potential by improving the mobility of non-personal data across borders. According to the EU Commission, the free flow of non-personal data is hampered by:

  • National rules and administrative practices that restrict where data can be processed and stored. The regulation refers to such rules as data localisation requirements;
  • Uncertainty for organisations and the public sector about the legitimacy of national restrictions on data storage and processing;
  • Private restrictions (legal and contractual and technical) that hinder or prevent users of data storage or other processing services from porting their data from one service provider to another or back to their own IT systems (so called vendor lock-ins).

The aims and outline of the regulation

The regulation only apples to the processing of non-personal electronic data. However, like the GDPR, its territorial scope is wide and includes the processing of electronic data which is:

  • provided as a service to users residing or having an establishment in the EU, regardless of whether the service provider is established in the EU; or
  • is carried out by a natural or legal person (an individual, business, organisation or a public authority) residing or having an establishment in the EU for its own needs.

Processing is also defined in very similar terms to the GDPR – as meaning any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Unlike the GDPR, it only relates to data in electronic format. Its application is wide and encompasses outsourced data storage, processing of data on platforms, or in applications.

The regulation does not apply to personal data (see below).

National rules on data storage (data localisation requirements)

The regulation aims to ensure the free movement of non-personal data within the European Union by laying down a set of rules relating to national data processing localisation rules.   These are essentially any rules, laws or administrative practices that restrict, prohibit, limit or impose conditions on where data can be processed. The regulation states that such data localisation requirements are prohibited. Member States have 24 months to repeal any such laws.

However, Member States can retain or introduce data localisation rules provided they are justified on the grounds of public security and that the rules are proportionate. In the original proposal Member States would have only had 12 months, but this was extended to 24 months by the European Parliament. Although the main body of the regulation doesn’t define public security, the recitals refer to the fact that the term has been interpreted widely to include both internal and external public security, as well as issues of public safety.

Data Availability for Competent Authorities

The regulation does not affect the powers of ‘competent’ authorities to request or obtain access to data for the performance of their official duties. The definition of competent authority is wide and includes any authority of a Member State, or any other entity authorised by national law to perform a public function or to exercise official authority, that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by Union or national law. It therefore includes central and local government but can also include other organisations that fulfil statutory functions.

This is important, particularly if data is going to be processed in another Member State. The aim is to ensure that the powers of competent authorities to request and receive data, to enable them to fulfil their functions and regulatory powers, remain unaffected by the free movement of data. Consequently, the regulation including a procedure for cooperation between national authorities and the possibility of Member States imposing penalties for failure to comply with an obligation to provide data.

The regulation also establishes a single point of contact for each Member State, to liaise with the contacts in other Member States, and the Commission. The aim is to ensure the effective application of the new rules.

Data Portability

The Regulation also seeks to encourage and facilitate data portability via the use of self-regulatory codes of conduct and certification schemes. The European Commission’s role is to encourage, for example, cloud service providers to develop self-regulatory codes of conduct for easier switching of service provider and porting back data to in house servers. These must be implemented by

Reference is also made to certification schemes that facilitate comparison of data processing products and services for professional users. Such certification schemes may relate to quality management, information security management or environmental management.

Actions to encourage cloud service providers to develop self-regulatory codes of conduct for easier switching of provider and porting data back to in-house servers, which must be implemented within 18 months of the regulation coming into force (mid 2020).

The European Commission is tasked with monitoring development and implementation of these codes of conduct.

The new regulation does not apply to personal data

The regulation concerns non -personal data and does not cover personal data. Data Protection practitioners will no doubt be relieved to know that this means it will have no impact on the GDPR.  According to the European Commission, the two regulations will operate together to enable the free flow of any data-both personal and non-personal “creating a single European space for data”.

In the case of a data set composed of both personal and non-personal data, this new Regulation applies to the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.

The difficulty that this raise will inevitably be a practical one; applying two different regulations to a single data set that contains both person and non-personal data. The regulation rests on the assumption of a clear personal/non-personal data dichotomy, which is practice may be difficult to distinguish.

The impact of Brexit

If the new Regulation enters into force at the end of the year it will apply directly in the UK as per any other Member State. It will remain in force after the date of exit because of the provisions of the EU Withdrawal Act 2018.

After the date of exit, the UK will no longer be a Member State. The regulation effectively allows for any non personal data to be stored and processed anywhere in the EU. It does not extend this ‘right; to storage and processing in third countries. There is of course concern that data localisation rules could be applied against data processors outside the EU, which in turn could have significant adverse business implications for UK data processors.

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

The role of the Court of Justice of the European Union ( CJUE) post Brexit

canstockphoto15724171

By Susan Wolf

In our previous Blog, we examined the European Union (Withdrawal) Act 2018 and explained that the GDPR, EIR and PECR will remain on the domestic statute book post Brexit. In other words they will continue to be legally binding after the date that the UK leaves the European Union in March 2019.

In this blog we briefly examine the role of the Court of Justice of the EU (or CJEU) post Brexit. We explain how, despite leaving the EU, the interpretive rulings of the CJEU in relation to the following legislation, will continue to have relevance for UK organisations and practitioners:

  • The GDPR 2016
  • The Law Enforcement Directive 2016/680
  • The Directive on Public Access to Environmental Information 2003/4
  • The Privacy and Electronic Communications Directive 2002/58

Preliminary Rulings of the CJEU

Any national court or tribunal of a Member State has the right to request a ‘preliminary ruling’ from the CJEU, where it considers that a ruling is ‘necessary’ to enable it to give judgment in a case involving the interpretation of EU law.  The CJEU has jurisdiction to interpret EU Law, but it does not rule on the outcome of a case. This task falls to the national court that has requested the ruling. However, the national court is bound to follow the interpretive ruling, which is binding. The ruling is also authoritative and must be followed by the courts and tribunals of all the Member States.

For example in East Sussex County Council v the ICO (2013), the First Tier  (Information Rights) Tribunal requested a ruling from the CJEU on the meaning of the ‘reasonable charges’ for the supply of environmental information.  Quite clearly, the CJEU’s interpretation has had major implications for public authorities subject to the EIR 2004, particularly those providing property search information. But the interpretation given by the CJEU is also binding on public authorities throughout the EU.

The purpose of the procedure is to ensure that EU Law is interpreted ‘uniformly.’ This is particularly important given that the EU currently comprises 28 Member States and has 24 official languages and each country has a different and unique legal tradition and culture.

A Red Line not to be crossed

The role of the Court of Justice, post Brexit, has been one of the controversial aspects of the Brexit negotiations, with the Prime Minister Teresa May suggesting that its continued jurisdiction was a ‘red line’ not to be crossed.  In fact the position is more complex and nuanced.

Under the terms of the EU Withdrawal Act 2018, the UK national courts and tribunals, including the First Tier (Information Rights) Tribunal, will no longer be allowed to refer questions about the interpretation of EU law to the Court of Justice. However, in the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.  Therefore, anyquestions as to the meaning of EU retained law will be determined by the UK courts by reference to the CJEU’s case law as it exists on the day the UK leaves the EU.  For example, the CJEUs ruling on the interpretation of the Privacy and Electronic Communications Directive in a German case  (Deutsche Telekom AG v Bundesrepublik Deutschland (2011) continues to be binding on the UK courts.

The Supreme Court

The position is different for the Supreme Court  (or High Court of Justiciary in Scotland). Under the EU (Withdrawal) Act both the English and Scottish highest courts can depart from any retained EU case law if it appears ‘right to do so’. In deciding whether to do this the court must apply the same test as it would apply in deciding whether to depart from its own case law. In practice, this power is exercised rarely and there is no reason to suggest that the Supreme Court will seek to depart from any existing CJEU rulings, at least in the immediate future.

What about future CJEU rulings?

There can be no doubt that the GDPR and the Law Enforcement Directive 2016 will raise significant questions of interpretation in the future.  Inevitably the  CJEU will soon be faced with preliminary ruling requests on key questions, such as the interpretation of the ‘right to be forgotten’in the GDPR.  However, given the time it takes to obtain a preliminary ruling (often over a year), it will be some time before the Court is able to cast some light on these new provisions.

As one might expect, the EU Withdrawal Act makes it clear that the domestic national courts and tribunals are no longer bound by any principles laid down, or any decisions made by the CJEU on or after the date of exiting the EU. This comes as no surprise. However, what is perhaps less well known is that the national courts and tribunals may have regardto post Brexit rulings if the national court ‘considers it appropriate to do so’.  Of course, it remains to be seen how willing the national courts will be to ‘follow’any future rulings. However, it would be prudent to suggest that information rights /data protection practitioners and lawyers should still play close attention to future CJEU rulings on the interpretation of EU information rights and data protection laws, post March 2019.

(Future CJEU preliminary rulings will be posted on the Act Now Blog).

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

 

 

Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”; where Members states are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5 size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural readying of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Myanmar’s (Burma) Rakhine state. They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.

The GDPR, the Data Protection Bill and Complaints

canstockphoto16242260.jpg

By Scott Sammons

The General Data Protection Regulation (GDPR) and the recently announced Data Protection Bill (DP Bill) are bigger pieces of legislation than the old Data Protection Act 1998. We already know that remedies and complaints under the Regulation are more wide ranging and entities, in effect, are now to be seen as guilty until proven innocent (reference the need to be able to ‘demonstrate compliance’ in Article 5(2)).

Both the GDPR and the DP Bill give the Data Subject the right to lodge a complaint with the Information Commissioner if the Data Subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR (GDPR Article 57 and DP Bill Section 156).

In Article 38 (4) of the GDPR, it implies that Data Subjects can raise matters (complaints) with the Data Protection Officer but doesn’t explicitly state that Data Subjects can ‘lodge a complaint with the controller or processor’. The GDPR outlines that they can exercise their rights on the controller/processor (some of which, like the right to object to automated decision making, are often only really used if the Data Subject is unhappy about something). Therefore, as with today, you will want to encourage Data Subjects (should they have a concern) to bring it to you directly rather than go to the Information Commissioner. It is likely that the ICO will continue their stance of referring complainants back to the organisation concerned first if they have just gone straight to the ICO, but I wouldn’t rely on this if I was you. The world is changing, and in order to truly embed the transparency and accountability requirements of GDPR it is far better to have a visible complaints process for Data Subjects up front.

Also, neither the GDPR nor the DP Bill explicitly states that the Data Protection Officer should be the one to investigate and resolve GDPR related complaints. They do however, in Article 39 (1)(b) and Section 69 (1)-(3) respectively, state that the DPO should ‘monitor compliance’ with the GDPR and DP Bill. Therefore the DPO should definitely be part of the complaints process, especially for ‘high risk’ complaints, but as for investigating every single complaint, I can’t see an explicit requirement for that. Therefore if you’re the DPO for your organisation reading this or the IG/DP team member that will investigate DP complaints from data subjects then this may be of use to you.

Due to the above, however, this does mean that when investigating complaints and/or accusations of non-compliance with the GDPR (or the DP Bill), you will need to be more thorough and more specific in determining exactly where a ‘breach’ may or may not lie.

For many of you this will be old news and you are most probably already doing this, but to many people formal training in ‘complaint handling’ and investigation is something new. Hopefully you’ll find this useful, and it should follow the same sort of process and standards many organisations (especially those that are regulated) will have in place.

Firstly, many people will accuse you / your organisation of wrong doing and often provide a list of areas where they believe you have gone wrong. Some will be genuine and some will be utter nonsense. But you will need to be thorough to ensure that you can genuinely separate out what is a valid complaint and what is someone’s misunderstandings/ventings/vendettas. Always start from a position of an ‘accusation is not a fact’, regardless of the ICO position of ‘guilty until proven innocent’, any failing in your compliance controls will need evidencing and a thorough complaint investigation will determine that. Each accusation should be taken seriously but it will need to be investigated and evidenced to determine whether or not it is a valid complaint and there is a ‘case’ to be answered.

When investigating the matter at hand start at the very beginning. What started this person down this path to lodge a complaint? What were the interactions with your service? Were things done correctly? Can you evidence that a particular action (either good or bad) was actually carried out or is it a case of a staff member’s word vs the complainants? As you would with a legal case look for evidence to establish facts, the less evidence you have the more likely you are to have a weak case to defend. The more evidence you have the more you can prove one way or another what occurred and if the complaint has merit.

It is likely that during your investigation you’ll determine that x process was not followed or y system failed resulting in the errors causing the complaint. If you are able to come to the conclusion that processes, systems or any controls have indeed failed it may also be worth logging an ‘adverse incident’ on the controls that have failed.

For those that have seen any of my previous post on Information Risk, when you put things in place to prevent your risks from materialising these are referred to as “controls”. These controls can range from policies, procedures, training, technical solutions, and system design to anything really that helps you control that risk. When a control or controls fails this should be recorded as an ‘incident’ so that  you can monitor the effectiveness of your controls and ensure whatever remedy you put in place to stop it re-occurring, actually helps that control (and isn’t just a default response of punish or train the staff member).

But I digress; let us go back to the complaint. Once your investigation is complete and for each aspect of the complaint you can conclude what has and what has not occurred you can start to draft a response and determine what parts of the complaint are ‘upheld’, ‘not upheld’ or ‘partially upheld’. If you imagine the ‘shopping list’ of accusations I referenced above, for each item on that list you should have a position of upheld, not upheld or partially upheld. If at any point:

Upheld is where you agree with the complainant and there is a case to be answered for. It is then up to you how you want to proceed with that complaint based on what standards and approach your organisation takes to resolving complaints. Where a complaint does look like it is to be upheld (and indeed with any ‘high risk’ complaints) you will also need to agree the outcome and actions with the Data Protection Officer.

Partially upheld are, as it says on the tin, areas where there is some merit to their complaint but it didn’t occur as they outline and/or the impacts they describe are heavily inflated / incorrect. This may still be a ‘high risk’ area even though it may only be partially upheld, therefore you may still need to ensure you have DPO sign off before issuing the response.

Not upheld are simply where you cannot evidence that what the complainant says occurs actually occurred or you have evidence to the contrary therefore their complaint is unfounded and can be, for want of a better word, rejected.

When responding back to the complainant you will need to run through each aspect of their complaint and outline your findings and why you have upheld or not upheld that aspect of their complaint. There could, for large complaints, be a mixture of upheld, partially upheld, and not upheld for the various different areas they are claiming you have not complied with the law.

If you can record all of the above, with the supporting evidence, should the complainant indeed then take their complaint to the ICO the majority of your investigative work should be complete. It can then be quickly investigated or even ‘reviewed’ by another party if that’s what your organisation prefers. In any event, if you’re the DPO or the person supporting the DPO in their tasks, this should make it easier to log, track, resolve and learn from complaints if and when you get them. Of course the ideal would be to not get any complaints, but in this world however that is never going to happen.

Life is far too imperfect, but a ‘close to perfect’ complaints and incidents process should help you manage your GDPR compliance and give you useful insight into what is going right and wrong in your organisation.

 

Scott Sammons FIIM, CIPP/E, AMIRMS is Chair of the Information and Records Management Society (IRMS) and sits on the Exam Board for our GDPR Practitioner Certificate courses (3 out of the next 5 are fully booked).

 

We have added a new course on the Data Protection Bill to our programme.

%d bloggers like this: