Freeths Data Protection Update: Spring 2022

Welcome to the Spring edition of the Freeths Data Protection Update.

In this edition we discuss the current crisis in Ukraine, and its implications on cybersecurity risk to organisations and companies operating internationally. We will also consider how the UK's new data transfer agreements apply to your international data transfers, the crackdown on cookie notices by French regulator CNIL, and the maiden speech from the incoming Information Commissioner, John Edwards.

• Ukraine Crisis - Data and Cybersecurity
• Data Protection and Brexit - How will the UK's new data transfer agreements apply to your international data transfers?
• CNIL imposes 150 and 60 million euro fines on Google and Facebook
• Freeths in attendance for new Information Commissioner's maiden speech

---

Ukraine Crisis - Data and Cybersecurity (Luke Dixon)

The ongoing crisis in Ukraine has caused an increased cybersecurity risk to organisations outside that country, including in the UK. The UK's National Cyber Security Centre (NCSC) has issued guidance advising UK businesses to act in the wake of the crisis.  It has advised businesses that they should act on improving their cyber resilience in response to the increased threat of cyber-attacks from Russia. The NCSC is a UK governmental organisation that provides advice and support for the public and private sector in how to avoid computer security threats. Most organisations cannot influence the level of cyber threat risk and so they should concentrate on reducing their vulnerability to cyber threats instead. The NCSC recommends that UK businesses take the following actionable steps to reduce their exposure to the threat of cyber-attacks:

• Balance Cyber Risk and Defence - UK organisations should strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation.
• Incident Response Plan. Do you have one? Is it up to date, with clear lines of escalation and contact points? Is it clear on who has authority to make certain decisions?
• Check your system patching. Ensure that user devices, firmware and internet-facing services are patched.
• Verify access controls. Ensure that staff passwords are strong and unique and carefully review old or unused accounts.
• Ensure defences are working. Check your firewalls and ensure that antivirus software is installed.
• Log and monitor. Understand your logging and monitor key logs (especially antivirus logs).
• Review back-ups. Check that back-ups are working properly and that you have offline back-up; also check that machine state and critical external credentials are backed-up.
• Check your internet footprint. Are your organisation's records of your external internet-facing footprint correct and up to date? Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched.
• Third party access. If third parties have access to your IT systems, ensure that you understand what privileges they have. Remove access that is no longer needed and understand the security practices of your third parties.

UK organisations should also raise awareness amongst their staff of the heightened threat and its potential implications, training them on how to recognise and report phishing attacks. If you are a large organisation, you should consider further action in addition to the above, including the accelerating measures to limit cyber risk; delaying significant system changes that are not security-focused; and applying software patches aggressively and at scale.

 Freeths Comment

Whilst the NCSC is not currently aware of any specific threats to UK organisations, it notes that there has been a history of cyber-attacks on Ukraine that have had international consequences.  For example, we note from media reports that a “wiper” malware has been discovered in Ukraine that deletes data from infected computers. There is concern that this type of malware could spread to other countries.The ongoing crisis has heightened cybersecurity risk such that UK organisations cannot proceed on a “business as usual” basis. That risk may increase, should the crisis escalate further. UK businesses should therefore benchmark their cyber threat response against the NCSC's guidance and keep an active watching brief as the situation develops.

Data Protection and Brexit - How will the UK's new data transfer agreements apply to your international data transfers? (Luke Dixon)

The UK Government has laid before Parliament its new proposed International Data Transfer Agreement (IDTA) and international data transfer addendum to the European Commission's standard contractual clauses for international data transfers (the Addendum), plus transitional provisions.  This follows a consultation period on these documents that the UK Information Commissioner's Office (ICO) conducted during 2021.This is an important step into a post-Brexit world for organisations that transfer data from the UK internationally.

Why are the IDTA and Addendum important?

The UK has incorporated GDPR into its national law as “UK GDPR” post-Brexit.  The UK GDPR restricts organisations from transferring personal data to “non-adequate” third countries, unless they have put in place mechanisms permitted under UK GDPR to safeguard the data transferred.Whilst the EU is “adequate” for these purposes, countries such as USA, India and China (amongst many others) are not.The IDTA and the Addendum are suitable mechanisms under UK GDPR for safeguarding the international transfer of personal data from the UK to non-adequate third countries going forward.  We expect UK businesses to regard them as a popular solution for legitimising such data transfers going forward.

How do they Work?

Firstly, businesses will be relieved to hear that both documents have been drafted with plain English in mind!The IDTA and the Addendum replace the previous EU-approved standard contractual clauses (EU SCCs) that organisations have become used to applying to their data transfers over the years, and which the EU has recently updated. Importantly, they also account for the seismic “Schrems II” judgment of the European Court of Justice in July 2020, which required the “old” EU SCCs to be supported by supplementary measures and transfer risk assessments going forward.The IDTA is structured in a slightly different way to the EU SCCs. It contains sections that cover the details of the transfer, including the parties involved; data transferred; purposes of the transfer and security measures to be applied to the transfer. It also contains some “mandatory clauses” that set out the obligations of the exporter and the importer in relation to the transferred data.The Addendum is a more straightforward document. It simply incorporates and replace references to EU law with UK law references. It allows an organisation to apply the EU SCCs to its international data transfers from the UK as well the EEA.

Which should we use?

It is perhaps too early to say, pending more detailed guidance from the ICO. We expect that many businesses will find it easier to use the Addendum in arrangements where they also transfer data from the EU.  The IDTA is more likely to find favour with businesses that only transfer data from the UK (or that have not put in place EU SCCs).When should we start using the IDTA and Addendum?The transitional provisions allow organisations to use the current EU SCCs until 21 September 2022.  However, many businesses will be thinking about using the new documents before then.The IDTA and the Addendum came into force on 22 March 2022. Under the transitional provisions, the backstop date for re-papering transfers is 21 March 2024.

Freeths Comments

Whilst is seems that businesses may start using the IDTA and Addendum, they will have to wait a little longer for detailed guidance from the ICO on how best to use them. The ICO has promised a clause by clause walk-though of both documents, in addition to further commentary on how to use the IDTA.Businesses should note that legitimising data transfers does not stop with the IDTA or the Addendum. They also need to do a transfer risk assessment before proceeding to transfer their data internationally. We await the ICO's further guidance on how to conduct such assessments with interest.

CNIL imposes 150 and 60 million euro fines on Google and Facebook (Mona Schroedel)

The crackdown on cookie notices continues on the continent. The French regulator CNIL investigated Google and Facebook for breaches in relation to cookie notices in France and found them lacking. The fines imposed were a substantial 150 million euros for Google and 60 million euros for Facebook. Additionally, CNIL has ordered Google and Facebook to provide better cookie notice solutions within 3 months or face ongoing daily penalties of 100,000 euros. The basis of the decision is that all but essential cookies can only be placed with user consent. For that consent to be meaningful, refusing cookies should be as simple as accepting them. This means there should not just be a button to allow for easy acceptance of cookies but an alternative button which just as easily allows the user to reject the placement of cookies. We have all been faced with cookie notices which make it much more tempting to press the accept button instead of going through various layers of the notice in order to find the hidden option to reject all cookies. It is exactly this biased choice that regulators are trying to stamp out. While the decisions are by CNIL, we have no doubt that the wind of change in relation to tolerating big companies circumventing the requirement that refusing cookies should be just as easy as accepting them will be felt all over Europe. The big question, for our clients, is going to be the extent to which the UK regulator feels obliged to follow the same course. As always, if you have any questions in relation to your own cookie notice/banner compliance, we are more than happy to help.

Freeths in attendance for new Information Commissioner's maiden speech (Will Richmond-Coggan)

Will Richmond-Coggan and Luke Dixon attended this year's IAPP London Intensive Conference in March 2022. Having drawn straws, Will was fortunate enough to attend the maiden speech of the incoming Information Commissioner, John Edwards, newly arrived from his post heading the equivalent to the UK's ICO in New Zealand. In a speech that was full of encouraging signs for data controllers and processors about the new attitude likely to prevail at the ICO's Wilmslow HQ, he opened by saying that his first task has been to embark on a major nationwide listening exercise, having felt it presumptuous to arrive with plans before knowing what really matters to the stakeholders in the UK's data protection system. Having completed that exercise, one of the key points that he had noted (which echoes our own experience in discussions with clients) is a wide-spread concern about further mooted changes to the UK data protection regime. After the significant change during the 2017-9 period brought about by GDPR coming into force, there is scant enthusiasm for the cost to businesses of another round of compliance-led adaptations. But in this instance, there is also a broader concern about the impact that such reforms might have on the UK's adequacy decision from the EU, and the consequential free movement of data across the UK/EU borders. Responding to those concerns, the new commissioner said that he came to the conference with a message of reassurance. He spoke about the British “obsession” with privacy, and asserted that long before European legislation, notions of privacy informed much of what it meant to be British. He illustrated this with a reference to the 1765 case of Entick v Carrington (where bailiffs entered a house without a warrant, searching for seditious material) and a reference to William Pitt's famous comment of a couple of years earlier: “The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storm may enter; the rain may enter; but the King of England cannot enter.” But Mr Edwards made clear that he was not only looking to the past. He reminded the audience that the stated goal of the DCMS reform consultation is not simply change for its own sake. Instead, there is an objective to encourage innovation and create a digital dividend (while acknowledging, politically, that it may be the objective of a Brexit dividend that is also driving the timing of the proposed reforms). But his view was that innovation was not antithetical to a robust data protection regime; indeed, his view is that a good data protection model is essential to protect the biggest asset that most companies have, which doesn't appear on their balance sheet. Finally, the Commissioner gave an insight into the priorities for the ICO's enforcement arm, and again there was much to encourage those listening from the side of corporate controllers and processors. More consistent enforcement decision-making is the aim, both in terms of the types and levels of sanctions imposed, but also in terms of where the ICO focuses its enforcement resources. These will, according to Mr Edwards, be directed to the areas of greatest risk, making it increasingly important that controllers (and particularly those who intend to innovate around personal data) are able to demonstrate that they have considered the security of that data from the outset by following privacy by design standards, and have undertaken robust and diligent data protection impact assessments. Perhaps most encouragingly of all, he referred to an ambition to move the ICO into a position where it can start to advise, and give clearances, pro-actively in connection with planned activities involving data - rather than exercising retrospective control after harm has already occurred through the blunt tools of fines and decision letters. It is early days, and it remains to be seen how much of this ambitious programme the newly arrived Commissioner can manage to deliver, but for the time being there is much to be encouraged by. Freeths will of course be continuing to engage with the ICO in all of its consultations and on behalf of individual clients, and we will continue to share what we learn from those exercises through these newsletters. But for any client who is interested in learning more about the direction of travel in this area and how it might specifically impact their business, we are always happy to arrange one-to-one strategic discussions on this topic.