9 March 2022

Data Blast: Privacy in the spotlight as Home Office criticises encryption for online messaging and much more…

See below for the latest Data Blast from our legal team: Privacy in the spotlight as Home Office criticises encryption for online messaging; Organisations are advised to establish an internal data breach handbook to meet compliance obligations; French regulator issues guidance on the reuse of personal data for new purposes; UK establishes expert panel on data transfers; Austrian regulator prohibits transfer of website analytics data to the US…

Information Commissioner diverges from the Home Office over end-to-end encryption

When it comes to child safety online, everyone agrees that something must be done – but there is often no agreement on what that something should be. Facebook’s parent company, Meta, is planning to add end-to-end encryption for messages sent via its Facebook Messenger and Instagram apps, which would bring those apps in line with other messaging apps, such as WhatsApp, iMessage, and Signal.

The Home Office has backed a campaign, ‘No Place to Hide’, which says that Facebook should abandon its plans, as end-to-end encryption makes it more difficult to detect possible child abuse online. The ICO disagrees, and said that such encryption strengthens the safety of children online. Stephen Bonner, ICO executive director for innovation and technology, said that end-to-end encryption did not allow ‘criminals and abusers to send [children] harmful content or access their pictures or location’.

The Home Office said: ‘Our view is that online privacy and cyber-security must be protected, but that these are compatible with safety measures that can ensure the detection of child sexual exploitation and abuse,’ but declined to respond to the remarks made by the ICO.

The Online Safety Bill, piloted by the Department of Communications, Media and Sport (DCMS), is currently making its way through Parliament; one of its key aims is said to be the prevention of online child abuse. Critics of the Bill have noted that the increased onus on service providers such as Meta to detect and remove potentially harmful material, including material aimed at or involving children, is likely to mean that end-to-end encryption would be either weakened or withdrawn. The Bill was considered by the Parliamentary Joint Committee in December 2021, and DCMS has since proposed amendments to expand certain aspects of the legislation; we shall report further as the Bill progresses through Parliament.

EDPB recommends handbook to manage data breaches

The European Data Protection Board (EDPB) has published guidelines (here), providing examples of how to handle data breaches and suggesting that data controllers and processors should create and maintain a handbook of processes for personal data breaches. The handbook should ‘establish facts for each facet of the processing at each major stage of the operation’:

‘Such a handbook prepared in advance would provide a much quicker source of information to allow data controllers and data processors to mitigate the risks and meet the obligations [for controller and processors, in the event of a personal data breach] without undue delay. This would ensure that if a personal data breach was to occur, people in the organisation would know what to do, and the incident would more than likely be handled quicker than if there were no mitigations or plan in place.’

Whilst EDPB Recommendations do not directly apply to controllers and processors subject only to UK law, similar considerations apply and the guidelines will be useful reading for those charged with compliance for UK-based organisations. In particular, UK controllers and processors should be mindful of the obligation to report certain breaches within 72 hours, and should maintain up-to-date policies and procedures, together with conducting appropriate staff training, in order to be prepared in the event of a breach.

French regulator publishes guidance on the reuse of personal data by data processors

In a decision which may well be followed by other regulators around Europe, the CNIL (the French equivalent of the ICO) has published guidelines (here) on the reuse of personal data by a data processor for the processor’s own purposes. The guidelines apply to circumstances where a data processor receives personal data from a controller and processes it in accordance with the contract between the parties; in addition, the processor uses the personal data for another purpose such as improving its own services (a common secondary use for AI-based services, which often rely upon large volumes of training data to refine the algorithm).

The issues arising from secondary use of personal data by a processor include the obligation to provide transparent information to the data subject (e.g. has the controller notified individuals that a processor may also use personal data to improve the processor’s own services?), and whether there is a legal basis for that secondary processing (if the legal basis is consent, has the individual consented to the secondary data use by the processor?).

The CNIL guidance concludes that reuse of personal data by a processor must meet two conditions: (i) the controller grants explicit permission for the further processing (on a case-by-case basis), and (ii) the further processing is compatible with the original purpose communicated to individuals. Importantly, the test may not allow further processing to take place where the legal basis of consent is relied upon, as a ‘compatibility analysis’ under the GDPR can only be carried out where the legal basis is not consent; in such a case, it would be necessary to notify the individual of the intent to process data for a further purpose, and to obtain the individual’s consent. A further consideration for a processor seeking to use personal data for its own purposes is that the reuse of that personal data means the processor becomes a data controller in its own right, with all the attendant obligations of data controllers under the GDPR.

UK Government announces creation of an expert panel on international data transfers

The UK government has announced the creation of a new ‘International Data Transfer Expert Council’ which will advise the government on its plans to ‘unlock benefits of free and secure data flows after leaving the EU.’ The panel comprises representatives from leading technology companies, industry groups, academics and data protection lawyers; also notable is a representative from the NHS. We have previously reported on the UK government’s ambitions to achieve new data transfer arrangements as part of its National Data Strategy, together with plans to diverge from some requirements of the EU GDPR which are seen to be particularly onerous and costly for SMEs. This can be found here.

The first meeting of the expert panel was set for January 2022, and an immediate focus will be how the UK ‘can be a global leader in removing barriers to cross-border data flows.’ The government also aims to develop a new international data transfer mechanism to sit alongside the existing options of standard contractual clauses and binding corporate rules; those contractual mechanisms must be implemented as additional safeguards in most cases where personal data is transferred from the UK to a jurisdiction that does not benefit from an adequacy finding. Following its departure from the EU, the UK adopted the existing adequacy decisions for data transfers from the EU, and mutual adequacy between the UK and the EU was also adopted to ensure continued data transfers post-Brexit.

The UK government also intends to prioritize ‘adequacy partnerships’ to facilitate personal data flows with a number of ‘priority’ countries: the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia. The United States has previously benefited from personal data transfer regimes with the EU – the Safe Harbour, and later the Privacy Shield – both of which were invalidated by the European Court; whilst negotiations continue, the EU and the US have not to date agreed a replacement for Privacy Shield.

In entering new ‘adequacy partnerships’ the UK will need to consider the present arrangements permitting the free flow of personal data from the EU, as such data could then be freely transferred out of the UK; this could cause concern within the EU that personal data transferred to the UK would not be subject to sufficient safeguards. Of the priority countries identified by the UK for future data transfer arrangements, only the Republic of Korea is deemed by the EU to provide ‘adequate’ protection for personal data.

The government announcement on the Data Transfer Expert Council is here.

Austrian DPA finds analytics data processed in the US non-compliant with the GDPR

The Austrian Data Protection Authority (ADPA) has recently published its decision in a case brought by None of Your Business (NOYB) against an Austrian website provider in relation to its website analytics tool, Google. The ADPA ruled that the use of cookies on the website for analytics purposes violated the international data transfer requirements of the GDPR.

The ADPA found that the analytics cookies collected and transferred personal data to the United States, including the unique user ID number, IP address and browser parameters for each user. The ADPA also found that the Standard Contractual Clauses (SCCs) which applied to the personal data transferred to the US did not – without additional safeguards – provide sufficient protection for that data, as the SCCs did not act as a sufficient guard against potential surveillance by US intelligence services. The ADPA rejected the argument that the data at issue was not personal data, and found that IP addresses and online identifiers count as personal data because they allow individuals to be identified. An important feature of the case is that the Austrian website had not configured the analytics tool to collect only a partial IP address for users, which could see the ADPA’s decision distinguished on the facts from other implementations of website analytics services.

The export of personal data to the US remains a highly contentious matter at present, with other data protection authorities having recently proposed that all such exports to the US are incompatible with the GDPR. The Irish Data Protection Commission (DPC) has provisionally ordered Facebook Ireland to cease transferring personal data to its US parent, a decision which is expected to be challenged.

The European Commission and the US Department of Commerce are reportedly working diligently on a replacement data transfer mechanism following the invalidation of the Privacy Shield framework in 2020, also resulting from a complaint by NOYB.

The decision of the ADPA can be read here (in German) and a machine translation can be found here.

For more information please contact Partners, James Tumbridge at or Robert Peake at