logo text

Friday, 17 July 2020

Court Decision Affects How Businesses Transfer Data to the USA

The European Court of Justice (ECJ) has today delivered its verdict on a long-running case between Facebook Ireland and Max Schrems, an Austrian lawyer and privacy activist. For many businesses that transfer personal data from the EU to the USA, and indeed to many other jurisdictions outside the EU, this decision has fundamental impact.

Validity of Privacy Shield

The court decided that the EU–US Privacy Shield (Privacy Shield) was no longer valid, on the basis that the US regulatory regime does not adequately protect EU citizens’ data rights. US legislation allows US government agencies to have access to EU personal data, for example, when running surveillance programs. The court found that the USA offered inadequate protection of EU citizens’ rights, and no effective rights or legal remedy in the USA. Crikey! Any businesses relying on the Privacy Shield should look at their situation urgently, and decide how best to manage transfers from the UK/EU to the USA.

Validity of SCCs

The court also considered the validity of the EU’s standard contractual clauses (SCCs) for transfers of EU personal data outside the EU and made the following findings:

  • The SCCs were valid, but it was for the parties transferring the personal data to assess the adequacy of the regulatory regime in the non-EU jurisdiction (in particular, the recipient organisation must tell the data exporter whether the local laws allow it to comply with the SCCs!).
  • If the guarantees contained within the SCCs were not upheld, data protection regulators like the UK’s Information Commissioner’s Office (ICO) should suspend the data transfers that rely on them. 
Gulp! Businesses using the SCCs need to conduct a review of the local regulatory regime wherever they (or indeed their sub-contractors or their sub-contractor’s sub-contractors…) are processing their personal data.

This, of course, is not an easy task: European regulators take years to assess whether a country’s data protection regime is adequate!


If the court saw fit to invalidate the Privacy Shield on the grounds that the US regulatory regime offered inadequate protection, does that mean that any analysis of the US regime for the purposes of using the SCCs fails, too?

The Irish Data Protection Commission is certainly looking to explore that question. In its reaction to the court’s decision, it stated, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg Data Protection Commissioner has also offered many helpful observations.

However, it may take time to get a definitive answer: so far, we haven’t seen any guidance from the European Data Protection Board, and the ICO has only issued a preliminary holding statement.

The court kindly pointed out that there are other mechanisms for international transfers (such as where they are necessary for a contract, or based on the consent of each individual, etc.), but that is little help to businesses conducting large-scale, ongoing or regular transfers of personal data, or where consent simply isn’t practical (especially given that obtaining consent that complies with the General Data Protection Regulation (
GDPR) is itself a tricky task).

Our thoughts

The ECJ’s verdict is not unexpected, especially given ongoing criticism of the Privacy Shield by various EU bodies in recent months.

However, it is, of course, disappointing for the European Commission, who have to start again to find a new solution; for the affected US companies themselves; and for all those organisations who rely on services or business involving the USA.

So, what next? Well, before panic sets in, remember that we have been here before. Back in 2015, Max Schrems’ earlier legal challenge against Facebook Ireland led to the invalidation of the previous EUUS Safe Harbor Framework (the predecessor to the Privacy Shield). It wasn’t the end of the world then, and it is unlikely to be now.

In 2015, EU regulators were sympathetic in the aftermath of the decision, and gave organisations some time to put in place other compliance measures (mostly the SCCs). Almost immediately, work also began to craft a new EUUS-compliant mechanism, which evolved into the Privacy Shield. It is likely that similar approaches will follow over the coming months.

What is clear is that a better mechanism will be needed this time around, to avoid more legal challenge and uncertainty for businesses. It is likely that most organisations will now turn to SCCs for, at the very least, an interim solution.

However, those SCCs are not in great shape: they have yet to be updated for the GDPR and there are countless other issues with them, given how dated they are. New versions have been worked on for some time, so what next? Wait for new SCCs to be published (but risk non-compliance in the meantime) or scrabble around to put new terms in place ASAP, knowing they will need to be changed again before long? It’s not an easy decision to make!

Alternatives to SCCs

Organisations must bear in mind that they will now be expected to consider whether the data protection regime adequately protects the data rights of EU individuals in the USA, or any other jurisdiction outside the European Economic Area (EEA) with no adequacy decision, for that matter.

And lets remember: the UK comes out of the Brexit transition period on 1 January 2021. Businesses need to keep an eye on whether the EU will decide if the UK is an adequate jurisdiction and therefore whether the EU will enable free flows of personal data to the UK. As part of those developments, we will all need to monitor how UK data protection law evolves, once the UK has worked out how to take back control and retain a data protection regime that is sufficiently similar to the EU to enable businesses to continue free flows of personal data!

Now could be a good time to consider some alternatives to SCCs:
  • We’ve already received approaches in relation to whether binding corporate rules (BCRs) are the new golden ticket and need serious consideration now. We wonder whether BCRs will be worth the effort, though, if the USA can’t offer adequate protection to EU citizens without some serious changes to their regime.
  • What extra safeguards can you put in place in addition to the SCCs? Are there ways to bolster the SCCs themselves by adding clauses that go above and beyond the base set of provisions? Is there a way to limit the personal data being processed in the USA? Suppliers will make offers as quickly as the day of the ECJ’s verdict even – to offer fully contained EU data solutions that don’t depend on transfer to the USA at all.
  • Remember that there are other ways to transfer data internationally – particularly if you only send personal data occasionally or it’s for a specific contract with the individual (like a foreign hotel booking).

Next steps

Sadly, it’s time to pull the contracts out of the drawer – again.

We understand that there will be a lot of uncertainty in light of the judgment, so if you need any advice about your organisation’s approach to transferring personal data to and from the USA, or indeed other jurisdictions outside the EU, please don’t hesitate to contact us at Pritchetts for advice on next steps.

Wednesday, 22 April 2020

Coronavirus and data protection in the workplace: your questions answered

As the coronavirus pandemic has swept the globe, news reports have understandably tended to focus on the potential impact on the population both at home and at work, as well as the government’s response. However, as organisations grapple with how best to maintain their business operations while protecting their workforce, questions related to data protection continue to arise.

The UK data protection regulator, the Information Commissioner’s Office (“ICO”), is issuing guidance via its data protection and coronavirus information hub. It has also updated its regulatory strategy to reflect the changed environment, saying, “We recognise that the current reduction in organisations’ resources could impact their ability to comply with aspects of the law. We are committed to an empathetic and pragmatic approach, and will demonstrate this through our actions.” So, if you find that you need to redirect your usual efforts due to the current working constraints, this is a great time to get your house in order and tick off some of those data protection compliance jobs you’ve been saving for a rainy day.

As data protection experts, we thought it might be helpful to share our expertise and answer some common questions that we’ve encountered from our clients.

Q: We want to follow the government guidance for minimising the spread of coronavirus by enabling our staff to work from home. What data protection issues should we be aware of?

The security principle of the General Data Protection Regulation (“GDPR”) requires you to establish and maintain appropriate security measures to protect the personal data you hold. With information moving off-site, away from the security established at the workplace, these measures need careful review. 

If you don’t already have a policy to cover remote working, some items to consider are:
  • Is the device that will be used remotely and/or the data encrypted? If so, this is good news because the data should not be accessible without the encryption code. 
  • If encryption isn’t an option, is the data pseudonymised, i.e. has information been replaced/removed so that it no longer identifies an individual? 
  • Has access to personal email been blocked from work devices? 
  • Will the worker be using a secure private network rather than a public network on the remote device? 
  • Will the remote device and any accessories be stored securely when not in use, e.g. in a locked room or in a locked bag?
For more information, see the guidance from the National Cyber Security Centre and the ICO’s advice on working from home.

We have worked with many clients on creating various data protection policies including home-working, so please contact us if you would like our help with this.

Q: A major part of my job is responding to subject access requests and other individual rights requests. However, coronavirus has really disrupted our business, so I’ll struggle to meet the response times set out in the GDPR. Will my organisation get fined for non-compliance?

The ICO is the data protection body with the power to issue fines. It has reassured people that it won’t penalise organisations that need to prioritise other areas during these unprecedented times.

The timescales set out in the GDPR are enshrined in law, so they cannot be extended, but the ICO has committed to warning people that they may experience “understandable delays” in the progress of any information rights requests during the pandemic. Its updated regulatory strategy states, “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.

Q: Some of our employees have informed us that they will be self-isolating because they are experiencing some symptoms of coronavirus. Are we allowed to pass on this info to other staff? How can we do this in a GDPR-compliant way?

Yes, as part of your duty of care to your staff, you should keep them informed about cases (whether possible or confirmed) of coronavirus in the organisation.

To do so in a GDPR-compliant way, there are three main elements of the GDPR to bear in mind:

  • The purpose limitation principle requires you to have specified the purposes that the data would be put to when you collected it and not process the data further in a way that is incompatible with those purposes. 
  • The data minimisation principle requires you to identify the minimum amount of personal data that you need to fulfil your purpose. In this example, think hard about whether you need to name the affected individuals and make sure that you don’t provide more information than is strictly necessary.
  • Health data is one of the special categories of personal data, which means that there are more stringent conditions in place for processing it. As with standard data, you must identify a lawful basis for processing under Article 6 of the GDPR, but you must also identify a separate condition for processing under Article 9.
Think carefully. Do you need to name the affected individuals? It’s unlikely. How much information do you need to provide? It’s probably less than you think. Be sensitive to the fact that, even if you do not name the person, it might be obvious who the individual is, given their role and/or the size of your organisation.

Q: We want to tell our customers how coronavirus will affect our business and their dealings with us. Are we allowed to do this, or will we be breaching marketing laws?

It depends on the thrust of your message. If you confine your communication to routine information about service interruptions, delivery arrangements, etc. brought on by the impact of the coronavirus pandemic on your business, this is unlikely to count as direct marketing and you could rely on legitimate interests as your basis for communicating.

However, if you include promotional material that, for example, is aimed at getting customers to buy extra products or services, the message would be classed as direct marketing and other rules would apply, in particular where you are sending emails or other electronic direct marketing messages. The ICO states, “You can still rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.” (The Privacy and Electronic Communications Regulations (“PECR”) sit alongside the GDPR and give people specific privacy rights in relation to electronic communications.) For more information, see the ICO’s Guide to PECR.

To be fully GDPR-compliant, don’t forget to document your decisions on legitimate interests. You still need to do this to meet the requirements of the GDPR’s accountability principle in terms of demonstrating compliance.

Q: Data protection is just one of our many worries, how on earth should I prioritise everything?

Here at Pritchetts, we’ve created a whizzy spreadsheet that helps organisations to track risks, prioritise them and document next steps. If you’d like a copy, please get in touch.

And finally…

Q: With schools closed, I’m trying to work from home at the same time as looking after my kids. Any tips?!

You’ll be needing a tip-top Internet connection, buckets of patience and coffee. Lots of coffee! Also, a space to retreat to when you just need a few minutes to yourself. Fortunately, there’s a wealth of online resources out there to help those of us in this brave new world:
Plus, dance, drawing, Minecraft and a whole lot more – all available for free! Best of luck!

If you have a question that you’d like us to include here, please get in touch and we’ll update the blog as soon as possible.

Monday, 21 October 2019

Pritchetts Law LLP: a leading UK law firm

Here at Pritchetts, we are celebrating our success after being ranked in the UK’s leading legal directories for the fourth year running.

The Legal 500 UK and Chambers and Partners, the UKs foremost independent legal directories, carry out extensive research to arrive at their annual list of the best law firms and individual solicitors, including conducting thousands of interviews with clients and legal peers. Both directories have recently published their research findings for the period from late 2018 into 2019 and have once again recognised our firm’s solid reputation for outstanding legal advice, practical approach and friendly attitude.

In The Legal 500 UK 2020: South West, Pritchetts has been recognised and ranked as a Leading Firm in the IT and Telecoms practice area, highlighting our “particular specialism in data protection” and diverse range of clients, from international companies to local SMEs and charities. Stephanie Pritchett, Ben Wootton and Al Goodwin of Pritchetts have all been singled out as recommended lawyers for IT, Telecoms and Data Protection.

Stephanie Pritchett has also maintained her ranking as a Recognised Practitioner in the recently published Chambers and Partners 2020 guide. In addition, Ben Woottons huge contribution to the firm has been acknowledged through his first-time ranking as a Recognised Practitioner in the same publication.

We are very grateful to all of our clients who gave their valuable time to provide incredible feedback and testimonials – we know that you have other priorities, but as a niche player in an extremely competitive market, the benefit to us is huge. It continues to help us in punching considerably above our weight! Thank you.

Information about the services that Pritchetts offers is available on our website, including many reviews from satisfied clients. Were delighted to be planning a relaunch of our website soon, with a fresh new site to celebrate the firms tenth anniversary.

To get in touch and find out more about us, you can also email us at info@pritchettslaw.com.

Tuesday, 9 July 2019

ICO issues two notices in two days of its intention to levy multimillion pound fines under GDPR

You know how you can be standing at a bus stop for ages, only to have two buses come along at once? Well, it’s been over a year since the General Data Protection Regulation (“GDPR”) came into force and data protection professionals across the UK have been watching and waiting for the first GDPR fine to be issued by the Information Commissioner’s Office (“ICO”). That wait looks like it will soon be over because in the last two days, the ICO has announced its intention to levy huge fines for data breaches under the GDPR on not one, but two organisations.

Back in October 2018, there had been some false hope around the case of Facebooks involvement in the Cambridge Analytica data scandal, where the penalty levied was trumpeted as the largest ever awarded by the ICO. However, the case began under pre-GDPR data protection rules, so £500 million was the maximum fine that could be levied.

Instead, according to the ICOs latest statements, British Airways (“BA”) and Marriott International (Marriott) could end up being the first organisations in the UK to feel the impact of the GDPRs penalty system, where maximum fines can reach €20 million or 4% of annual global turnover, whichever is greater.

What happened?

At BA, the case began when it notified the ICO in September 2018 of a cyber incident whereby users of its website had been diverted to a fraudulent site. Hackers used this false site to harvest customer details, compromising the personal data of about 500,000 customers, according to the ICOs investigation. The ICO believes that the breach began in June 2018 and that data relating to logins, payment cards, travel booking details, names and addresses was compromised by poor security arrangements at the company”. It intends to fine the airline £183.39 million.

In the case of Marriott, it notified the ICO in November 2018 of a cyber incident involving the exposure of personal data contained in approximately 339 million guest records. Of these, 30 million related to residents in the European Economic Area (EEA), of which 7 million related to UK residents. The vulnerability is believed to have begun in 2014, in the computer systems of the Starwood hotels group. Marriott acquired Starwood in 2016, but it was two more years before the exposure of personal data was discovered. The ICOs investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. It intends to fine the US hotel group more than £99 million.

Can the organisations appeal?

The two fines (BAs amounts to about 1.5% of its £11.6 billion global turnover last year) arent a done deal. Both organisations can now make representations to the ICO about its findings and the proposed sanction. 

Willie Walsh, the chief executive of BAs parent company, International Airlines Group (IAG), has declared his intention to do so, saying, We intend to take all appropriate steps to defend the airlines position vigorously, including making any necessary appeals.” 

Marriotts president, Arne Sorenson, confirmed that it would be taking the same approach, saying, We are disappointed with this notice of intent from the ICO, which we will contest.

After reviewing the representations, the ICO will decide whether to proceed as intended with the monetary penalty notice, or indeed apply a different penalty. If the ICO issues a penalty notice, BA and Marriott would have 28 days to pay the fine or lodge an appeal at the Tribunal. If they pay on time, they get a 20% discount!

Does anyone else get a say?

The ICO has been conducting its investigations into BA and Marriott as the lead supervisory authority acting on behalf of data protection authorities (DPAs) in other EU member states. Therefore, in accordance with the GDPRs one-stop-shop mechanism, the ICO will be inviting comment on its findings from those EU DPAs whose residents have been affected. It has announced that it will consider carefully representations from the two organisations and other DPAs before making its final decision.

It will be fascinating to see how the one-stop-shop mechanism will work across the EU. Interestingly, if the UK was outside the EU, BA and Marriott would be dealing with the UKs ICO and a lead supervisory authority for the EU.

Where does the money go?

Whatever sum the ICO arrives at, the penalty will be split among the EU DPAs, with the ICOs share going directly to the UK Treasury. Individuals who are affected by the data breach and seeking compensation will need to claim money from BA or Marriott direct – the ICO does not have the power to award compensation directly to individuals.

As yet, the ICO has not released any further details about the reasoning behind its intentions to fine BA and Marriott, so we will comment further when more information comes to light.

At Pritchetts Law, we can help you with all aspects of data protection compliance, including preparing for or handling personal data breaches when they happen as well as taking preventative steps such as carrying out audits and implementing policies and procedures. Please get in touch to find out more.