Some DP Updates

Time for a few data protection-related updates which don’t merit a full post of their own (or at least, not one I can be bothered to write) but which readers may or may not have missed.

First, the Irish High Court has referred a series of questions to the CJEU in Data Protection Commissioner v Facebook Ltd & Schrems [2016 No.4809 P] concerning the compatibility of standard contractual clauses – as approved by European Commission Decisions – with the legal rights of data subjects under the Directive and the Charter. This is the latest in the endless legal battles of Mr Schrems against Facebook (directly) and the level of protection for European data subjects in the USA (indirectly). Nothing about the reference invalidates standard clauses for the moment; that must await a CJEU judgment. But with continuing concerns about the Privacy Shield, and the availability of binding corporate rules realistically limited to corporate groups, a successful impeachment of standard clauses would be practically very significant to transfers of data out of the EU. The approach taken by the CJEU will also, of course, have real interest to everyone waiting to see how the UK’s position is to be addressed after Brexit. The Irish Court judgment is extremely long, and a helpful summary is here.

Second, the second reading of the Data Protection Bill in the House of Lords will take place this afternoon, with various Lords Spiritual and Temporal listed to speak (including a Lord Knight of Weymouth who is, regrettably, no relation). Doubtless all of our readers will be glued to the Parliament channel, as we get a sense of the degree to which there will be detailed work done by the Lords during the Committee stage which follows.

Third, all that excitement about how the GDPR didn’t seem to make any provision for the ICO to make all data controllers register and pay a fee may subside a little now as the ICO has reminded people that although the registration requirement will disappear, the Digital Economy Act 2017 (section 108) makes provision for regulations to be made imposing a fee system on data controllers. The ICO confirms that that is going to happen and the details are being developed, with more details likely before the end of the year. Given the massive black hole in ICO funding which would have occurred otherwise (and an unsurprising lack of desire from Government to stump up the money), the re-introduction of a new fee system is probably just as well. Sections 108-110 do not make provision for a criminal offence to be created if the fee is not paid.

Fourth, the build-up to the GDPR continues in Brussels as the Article 29 Working Party has now published three sets of finalised guidelines on: Data Portability, Data Protection Officers and Lead Supervisory Authorities. It has also announced the adoption of guidelines on Impact Assessments and High Risk Processing. All of these can be found on the A29WP page here.

Christopher Knight