19 January 2021

Data Blast: UK and EU agree to post-Brexit ‘grace period’ for data flows and much more…

See below for the latest Data Blast from our Legal team: UK and EU agree to post-Brexit ‘grace period’ for data flows; Facebook moves UK user data responsibility to its California parent; Irish regulator issues €450K data breach fine against Twitter; UK ICO pursues marketing company director personally to recover unpaid fines…

EU-UK Trade Agreement includes ‘bridging mechanism’ to maintain data flows until adequacy decision is reached

On 24 December 2020, the United Kingdom and European Union concluded the EU-UK Trade and Cooperation Agreement (Trade Agreement), formalising a number of key post-Brexit aspects of the relationship.

Notably, on data protection, the Trade Agreement provides for data flows between the EU and the UK for business and law enforcement purposes to continue uninterrupted for a period of up to 6 months, in order to allow the European Commission (EC) to conclude its decision making process on the adequacy of the UK data protection regime. The interim measures agreed include commitments by the UK and EU to refrain from introducing measures that would restrict EU-UK data flows, or which could otherwise operate as data localisation requirements. Further, the UK has agreed to refrain from exercising certain powers during the period of EC deliberation on the question of adequacy, including approving any new Binding Corporate Rules.

The interim agreement to maintain data flows is sensible and welcome, and should provide the time required for the EC to conclude its adequacy determination in relation to the UK’s data protection regime. We have previously reported on the concerns raised that the UK’s approach to some national security data uses may pose an impediment to an adequacy finding by the EC (here). The UK has adopted the GDPR into domestic law via the Data Protection Act 2018, and has a data protection approach which approximates the EU’s level of protection more than any other third country; it has been observed that an EC refusal to accept the UK’s protection as ‘adequate’ would necessarily imperil the existing adequacy decisions for third countries including Canada, New Zealand, and Israel. We shall report further as the process unfolds.

Facebook to shift responsibility putting UK user data under California purview post-Brexit

On 15 December 2020, it was announced that Facebook will shift responsibility for UK user data from Facebook Ireland to California-based Facebook Inc. The change follows Google’s decision in February to migrate responsibility for its UK user data to its California-headquartered parent company starting in 2021.

In a statement explaining the decision, Facebook announced that ‘like many other companies, [it] had to make changes to respond to Brexit and that the changes would come into effect in 2021.’ UK users will be notified by updated terms of service at some point in the first half of this year.

The change of corporate entity responsible for Facebook users in the UK means that only the UK Information Commissioner’s Office (ICO) will be competent to handle data protection complaints, whereas the Irish Data Protection Commission has jurisdiction over Facebook Ireland. Much public reporting on Facebook’s announcement has mischaracterised the change of approach as an attempt to diminish users’ rights; as noted by the ICO, the ‘UK GDPR’ forms part of the UK’s domestic law and sits alongside the UK Data Protection Act 2018, mirroring the user protections afforded under the EU GDPR. Facebook users in the UK will be able to enforce their rights against Facebook via the ICO, rather than the Irish Data Protection Commission.

Irish Data Protection Commission fines Twitter for 2019 data breach

On 15 December 2020, the Irish Data Protection Commission (DPC) fined Twitter Inc. (Twitter) €450,000 for GDPR violations related to a 2019 data breach. The fine marks the first time the DPC has issued a GDPR fine against a multinational company, and also the first to be subjected to the GDPR’s Article 65 dispute resolution mechanism involving other EU regulators.

In a statement, the DPC explained that an ‘inquiry was opened following the receipt of a breach notification from Twitter in January 2019, and it was specifically focused on Twitter’s compliance with Articles 33(1) and 33(5) of the GDPR.’ Article 33(1) requires a data controller that suffers a serious breach to notify a supervising authority without undue delay (and not later than 72 hours after having become aware of it), while Article 33(5) requires the data controller to document all facts, effects and remedial action taken in respect of that breach.

The DPC’s enforcement decision focussed on the fact that Twitter had not provided notification to the DPC within the mandated 72-hour window, which was the key issue raised by other EU supervisory authorities during the review of the DPC’s draft decision under the Article 65 dispute-resolution mechanism. Other EU supervisory authorities were concerned that the DPC had not proposed to take enforcement action against Twitter for failing to have in place appropriate security measures, which resulted in the data breach. It has been suggested that the DPC may still in future issue a finding in respect of Twitter’s data security arrangements.

In a statement, Twitter Chief Privacy Officer Damien Kieran explained that the company had worked closely with the DPC on the matter, and that it would respect the decision, stating ‘we appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements.’ The relatively small fine is likely to be viewed with some relief by other large technology companies, as the DPC is expected to conclude numerous ongoing ‘big tech’ investigations this year, including those against Facebook and WhatsApp. In its most recent company accounts, Facebook Ireland set aside €302M to cover potential regulatory fines; WhatsApp reported that it had set aside €77.5M.

UK ICO initiates recovery proceedings against Manchester firm

On 16 December 2020, the Financial Recovery Unit (FRU) of the UK ICO announced that it would initiate proceedings for the recovery of £250,000 against Pownall Marketing Limited (PML), a Manchester claims management firm recently fined by the ICO for making over 350,000 nuisance calls.

The ICO began investigating PML after receiving complaints concerning nuisance marketing calls made by the company. The investigation found that, between 1 January and 28 May 2019, PML made over 365,000 nuisance calls to people who had not consented to receive them, in violation of the Privacy and Electronic Communications Regulations (PECR).

The PECR prohibits direct marketing to consumers by companies that transmit or instigate the transmission of unsolicited e-communications, unless the recipient of such communications has given prior consent or the sender can demonstrate an existing commercial relationship with the recipient. A 2018 amendment to the PECR banned nuisance calls by claims management services, and introduced director liability for serious breaches of PECR rules.

PML has attempted to strike itself off the Companies House register three times; the FRU has blocked each attempt in order to allow the ICO’s regulatory action to continue. If PML fails to pay the penalty, the FRU may petition for the winding up of the company and exercise the ICO’s rights as a creditor in any resultant insolvency proceedings.

In a statement, the ICO’s Head of Investigations stated that ‘[d]espite this company’s attempt to formally cease trading, we continue with our enforcement action due to the seriousness of the contraventions, and because we can take further action against the director.’

For more information please contact Partner, James Tumbridge at