Data Protection Updates… What’s new?
As Autumn is swiftly approaching and the restrictions around coronavirus are gradually lifting normality resumes, there may be some data protection updates that have taken place that you have missed which could affect your business.
We have provided a round up of some of the changes that we think could be of use to you.
Transferring Personal Data To The US
The General Data Protection Regulation (“GDPR”) is a regulation in EU law that governs the lawful use of personal data in Europe, the regulations of which are incorporated into the Data Protection Act 2018 enforced in the UK. Personal data is restricted from being transferred outside of the European Economic Area, if you need to make such a transfer, you should consider whether the destination you are transferring to has an “adequacy decision”.
What is an “Adequacy Decision” we hear you ask? It is “a finding by the Information Commissioner’s Office that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data,” i.e. these are safe countries to be receiving personal data.
Data transferred to the US was considered to be adequate so long as the business receiving the personal data was part of the EU-US Privacy Shield (which is a certification scheme where US companies are required to show they meet particular privacy standards in accordance with GDPR).
Recently, a user of Facebook Ireland complained about the transfer of their personal data from Ireland to the US. The case reviewed the Privacy Shield and found that the standards were not compliant with GDPR and, US laws were incompatible with EU data protection laws. The fundamental right to privacy could be superseded, with priority given to national security, law enforcement and public interest. The adequacy decision for the US has therefore been reversed and the Privacy Shield is now considered invalid.
If you are a business that makes transfers of personal data to the US and/or previously relied on the Privacy Shield, you should carefully consider whether any binding corporate rules should be used for internal transfers to any part of your business that may reside in the US. We suggest you, ensure that Standard Contract Clauses governing personal data approved by the Commission (known as “SCC”) are included in any contracts you have with US based businesses. Also bear in mind, that simply using SCC in your contract is not enough, you will need to also consider whether the country you are transferring data to, and the organisation itself, are able to meet the obligations of the standard data protection clauses.
The European Data Protection Board is currently working on its guidance in relation to International Transfers, which will be published by the ICO in their updated guide. Watch this space.
Protection Of Personal Data During Covid-19
There has been concern regarding the data protection challenges that have arisen due to the coronavirus pandemic.
A recent report of an employee misusing a customer’s personal data in New Zealand has gone viral and is a cautionary tale of the pitfalls of companies having inadequate data protection training and processes in place.
A customer had allegedly visited a Subway branch in Auckland, and provided the required track and trace information (name, address, phone number etc), to then receive “pestering” messages on a variety of social media platforms from the fast food chain’s employee, who collected the personal information. The employee is reported to have since been suspended.
Since the re-opening of hospitality venues such as bars, restaurants, pubs and hotels the collection of personal data ranging from temperatures to contact data has been necessary for safeguards such as, track and trace. The ICO have now provided a coronavirus hub which gives guidance to organisations required to collect such data and the key principles are:
- Ask for only what’s needed;
- Be transparent with customers;
- Carefully store the data;
- Don’t use it for other purposes; and
- Erase it in line with government guidance.
Similar concerns have been raised over businesses’ abilities to moderate the protection of personal data whilst employees have been working from home. As employees are starting to return to the office, the ICO has provided a “Coronavirus Recovery – six data protection steps for organisations” guidance note which essentially mimics the above listed principles, but also adds emphasis on ensuring that “staff must be able to exercise their information rights.” Dealing with data subject access requests from staff can be burdensome when also juggling the commercial impacts of coronavirus. The ICO has stated that they understand that resources may be stretched and are committed to an “empathetic and pragmatic” regulatory approach during this time.