Data beyond Brexit
In this roundup we discuss (1) the recent memorandum of understanding between the Department for Digital, Culture, Media & Sport (“DCMS”) and the Information Commissioner’s Office, which sets out the ICO’s role in future UK adequacy assessments; (2) the ICO’s announcement that it will update its guidance on anonymisation; (3) the practical implications of the Schrems II judgment on organisations wishing to use standard contractual clauses (“SCCs”) to transfer data outside the UK; and (4) the ICO’s ongoing investigation into the adtech industry, which was temporarily paused due to the COVID-19 pandemic.
1. ICO role in adequacy assessments
Prior to 1 January 2021 (and the end of the Brexit transition period), the European Commission had the power to make “adequacy decisions” in favour of non-EU countries that were deemed to have a level of data protection that was equivalent to that in the EU under the GDPR. UK organisations could freely transfer personal data to these “adequate” countries without the need to implement an international transfer safeguard under GDPR (which for most organisations usually meant entering into Commission-approved SCCs with the non-EU data recipient).
Post-Brexit, the Data Protection Act 2018 now empowers the Secretary of State for the DCMS to make UK “adequacy regulations” in favour of non-UK countries that are considered to have a level of data protection equivalent to that in the UK. Before making these regulations, the Secretary of State must consult with the ICO. While the UK has already adopted the European Commission’s existing list of adequacy decisions for the purposes of post-Brexit data transfers out of the UK, the Secretary of State will be responsible for expanding this list in future. The ICO and DCMS have now agreed a memorandum of understanding (“MoU”) that sets out the ICO’s roles and responsibilities in relation to future UK adequacy assessments by the Secretary of State.
The MoU breaks down the DCMS’s adequacy assessment process into four key stages, and sets out the ICO’s role in relation to each:
Part 1, gatekeeping, involves deciding whether or not to start an adequacy assessment in respect of a third country: the ICO’s role is to provide advice to DCMS on the third country’s data protection laws and practices.
Part 2, assessment, is the process of assessing the level of data protection in the third country: again, the ICO’s role is to provide advice to DCMS on the third country’s data protection laws and practices (e.g. the role and effectiveness of the country’s regulator).
Part 3, recommendation, involves the DCMS team making a recommendation to the Secretary of State, who decides whether to make a finding of adequacy in respect of that third country: the ICO will provide a response on the draft conclusions of the DCMS’s assessment of the third country, so this can be factored in to the recommendation to the Secretary of State and ultimately into their decision making.
Part 4, procedural, is the final phase, during which the relevant UK adequacy regulations are created, laid before Parliament and the ICO’s opinion is published: the ICO will provide advice and/or an opinion to Parliament.
Whilst the MoU defines the scope and extent of the ICO’s involvement in the adequacy assessment process, the Secretary of State is not bound by the ICO’s opinions and recommendations.
2. ICO guidance on anonymisation
The UK GDPR only applies to personal data (i.e. information relating to an identified or identifiable living individual). The practical consequence is that if data is anonymised – so that an individual can no longer be identified from it – the UK GDPR no longer applies to that data (although the act of anonymising is itself processing of personal data, and so still needs a lawful basis).
From a data protection perspective, anonymising data raises a number of difficult issues. Chief amongst these is the question of what level of “de-identification” has to be achieved in order for information to be considered anonymised under data protection law. This can be a complex assessment, and often involves making a judgment call on the likelihood or possibility of an individual still being identified – which creates the risk of subjective and divergent approaches from one organisation to the next.
The ICO’s current guidance on anonymisation was published under the Data Protection Act 1998, now replaced by the 2018 Act. Some data protection practitioners have expressed dissatisfaction that the guidance does not provide enough clarity on how to assess the degree of “de-identification” necessary to achieve anonymisation. This is not helped by the fact that, per the guidance, the assessment must take into account “other information” that is available (e.g. in public), or that may become available in future – an unpredictable and sometimes unfeasible task.
However, help may be on the way. In a recent statement on its blog (19 March 2021), the ICO announced that it will be updating its guidance. This will include the spectrum of identifiability to be considered, and managing re-identification risk (covering concepts such as the “reasonably likely” and “motivated intruder” tests). Given the passage of time since the current guidance was published, and advancements in technology and data management practices, the updated guidance will also include guidance on privacy enhancing technologies and technological solutions for anonymisation. This is a welcome announcement from the ICO, and one that will hopefully bring more clarity to this often complex issue.
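The “motivated intruder” and “other information” points above are easiest to see on data. The following is an added example written for this roundup (it is not code from the ICO or from its guidance) using constructed records: a small “de-identified” health extract whose quasi-identifiers (postcode sector, year of birth, sex) are linked against a constructed public register, first as released and then after the quasi-identifiers are generalised. The field names, sample rows and generalisation rules are assumptions made for the illustration.

```python
"""Re-identification risk check over a constructed 'de-identified' dataset.

Quasi-identifiers that look harmless on their own (postcode sector, year of
birth, sex) can single a person out in combination, and a motivated intruder
holding *other information* (here, a constructed public register) can link
the two. The functions below measure that risk (k-anonymity), run the linkage
an intruder would run, and show how generalising the quasi-identifiers
reduces the risk.
"""
from collections import Counter, defaultdict

# Constructed sample data, not real people (assumption for the illustration).
DEIDENTIFIED = [
    {"postcode": "SW1A 1", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 1", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2", "birth_year": 1991, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "SW1A 2", "birth_year": 1991, "sex": "F", "diagnosis": "eczema"},
    {"postcode": "EC1A 1", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "EC1A 2", "birth_year": 1971, "sex": "F", "diagnosis": "anaemia"},
]

# The "other information" a motivated intruder might hold (constructed).
PUBLIC_REGISTER = [
    {"name": "Alice Example", "postcode": "SW1A 1", "birth_year": 1984, "sex": "F"},
    {"name": "Bob Example", "postcode": "SW1A 1", "birth_year": 1984, "sex": "M"},
    {"name": "Carol Example", "postcode": "SW1A 2", "birth_year": 1991, "sex": "F"},
    {"name": "Dana Example", "postcode": "SW1A 2", "birth_year": 1991, "sex": "F"},
    {"name": "Evan Example", "postcode": "EC1A 1", "birth_year": 1975, "sex": "M"},
    {"name": "Fay Example", "postcode": "EC1A 2", "birth_year": 1971, "sex": "F"},
]

QUASI_IDS = ("postcode", "birth_year", "sex")
GENERALISED_QUASI_IDS = ("postcode", "birth_year")


def key(row, quasi_ids):
    """The combination of quasi-identifier values that defines a record's class."""
    return tuple(row[q] for q in quasi_ids)


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    counts = Counter(key(r, quasi_ids) for r in rows)
    return min(counts.values())


def link(deid_rows, register, quasi_ids=QUASI_IDS):
    """Motivated-intruder linkage: {name: diagnosis} for every released record
    whose quasi-identifier combination matches exactly one register entry."""
    index = defaultdict(list)
    for person in register:
        index[key(person, quasi_ids)].append(person["name"])
    hits = {}
    for r in deid_rows:
        candidates = index.get(key(r, quasi_ids), [])
        if len(candidates) == 1:  # unique match -> re-identified
            hits[candidates[0]] = r["diagnosis"]
    return hits


def postcode_area(postcode):
    """'SW1A 1' -> 'SW': keep only the leading letters of the outward code."""
    area = ""
    for ch in postcode:
        if ch.isdigit():
            break
        area += ch
    return area


def generalise(row):
    """Coarsen the quasi-identifiers: postcode area, decade of birth, no sex."""
    g = dict(row)
    g["postcode"] = postcode_area(row["postcode"])
    g["birth_year"] = row["birth_year"] // 10 * 10
    g.pop("sex", None)
    return g


if __name__ == "__main__":
    print("k as released:", k_anonymity(DEIDENTIFIED))
    print("re-identified as released:", link(DEIDENTIFIED, PUBLIC_REGISTER))
    gen_rows = [generalise(r) for r in DEIDENTIFIED]
    gen_reg = [generalise(r) for r in PUBLIC_REGISTER]
    print("k after generalisation:", k_anonymity(gen_rows, GENERALISED_QUASI_IDS))
    print("re-identified after generalisation:", link(gen_rows, gen_reg, GENERALISED_QUASI_IDS))
```

Run as released, four of the six records have a unique quasi-identifier combination and the register names them; after generalisation every class holds two people and the same intruder learns nothing from linkage alone. The check is only as good as the register you test against, which is exactly the “other information” problem the current guidance describes; and k ≥ 2 does not protect a class whose members all share the same diagnosis, so the sensitive attribute also has to be examined.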
3. Standard contractual clauses
On 16 July 2020, the Court of Justice of the European Union handed down its eagerly anticipated judgment in the Schrems II case, which invalidated the EU-US Privacy Shield and set out additional requirements that must be satisfied when using SCCs to make international transfers of personal data outside the EU. The judgment requires that companies undertake additional diligence when relying on SCCs, to ensure that there is nothing under local laws in the receiving country that undermines the protections afforded in the SCCs. This is most relevant where there is potential for access to the personal data by public authorities (e.g. law enforcement and intelligence agencies). Where this is the case, the judgment requires that “supplementary measures” are put in place to provide additional safeguards.
The European Data Protection Board (EDPB) has published draft guidance on the necessary supplementary measures. While the UK is no longer part of the EU, this guidance remains relevant because the Schrems II judgment, strictly speaking, still applies in the UK as retained EU case law. The ICO has stated on its website, however, that it will publish UK guidance on supplementary measures in due course.
Given the complexity and divergence in data protection laws from country to country, the assessment to be carried out when using SCCs will likely be a complicated exercise for the majority of organisations – and one that will likely require specialist input. However, the EDPB guidance sets out a number of useful steps that organisations can take to assess what supplementary measures should be adopted when using SCCs to transfer data abroad.
- Know your transfers: You should map out the data that you are transferring to a third country, and ensure the data transferred are limited to what is necessary to achieve the purposes of the transfer.
- Assess the effectiveness of SCCs: You should assess whether there is anything in the law or practice of the third country that would make the protection afforded in the SCCs ineffective. This assessment should primarily be focused on legislation in the third country that impacts on the data being transferred under the SCCs (e.g. local laws that allow access to personal data or surveillance by law enforcement authorities and public bodies).
- Identify and adopt supplementary measures: Where your assessment reveals that the effectiveness of the SCCs will be impinged on by the laws and practices of the third country, you must identify and adopt appropriate supplementary measures to address this risk. The measures adopted should be in the context of your specific transfer, and the risks you have identified in the third country’s laws and practices.
A non-exhaustive list of supplementary measures is included in the EDPB guidance. These include technical measures (e.g. encrypting the data at rest and in transit, or using pseudonymisation), additional contractual measures (e.g. contractually obliging the data recipient to use specific technical measures, or to challenge any request or order for access to data by a public authority or law enforcement agency), and organisational measures (e.g. requiring the data recipient to implement internal policies for the management and transfer of personal data, or to adopt strict and granular restrictions on data access and confidentiality within its organisation on a need-to-know basis).
It is important to note that there may be circumstances where no supplementary measures will ensure an appropriate level of data protection. In these circumstances the transfer should not be made, or, where it is already being made, it should be suspended or terminated (and any data already transferred should be returned or destroyed).
- Procedural steps for adopting supplementary measures: You should take any formal procedural steps that are necessary to adopt the supplementary measures. In particular, the supplementary measures must not reduce the protection afforded by the SCCs, and where they modify or contradict the terms of the SCCs they must be approved by the competent supervisory authority (the ICO in the UK).
- Re-evaluate at appropriate intervals: You should re-evaluate at appropriate intervals the level of data protection afforded to the data you have transferred, including monitoring developments in the third country to identify any changes that might impact on your initial risk assessment.
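As an added illustration of the technical measures in the list above (example code written for this roundup, not taken from the EDPB guidance or from the ICO), the block below pseudonymises direct identifiers with a keyed hash before the data is transferred, keeps the key and the re-identification table with the exporter, and contrasts this with an unkeyed hash that a recipient, or a public authority compelling the recipient, can reverse from a list of candidate identifiers. The record layout, field names and sample values are constructed assumptions.

```python
"""Pseudonymisation as a supplementary measure for an SCC transfer.

Direct identifiers are replaced with keyed pseudonyms (HMAC-SHA256) before the
records leave the exporter. The key, and therefore the ability to
re-identify, never travels with the data. dictionary_attack() shows why an
unkeyed hash is not a safeguard: anyone with a candidate list of identifiers
can rebuild the mapping without any secret.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, not real people (assumption for the illustration).
RECORDS = [
    {"email": "alice@example.org", "patient_id": "P-0001", "reading": 41},
    {"email": "bob@example.org", "patient_id": "P-0002", "reading": 57},
]
DIRECT_IDENTIFIERS = ("email", "patient_id")


class Exporter:
    """Holds the pseudonymisation key and the lookup table; neither is exported."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> original value, stays with the exporter

    def pseudonym(self, field, value):
        # Field name in the message gives domain separation: the same string
        # appearing in two different fields yields two different tokens.
        msg = f"{field}\x00{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, records):
        """Return copies of the records with direct identifiers replaced."""
        out = []
        for r in records:
            p = dict(r)  # do not mutate the exporter's own copy
            for field in DIRECT_IDENTIFIERS:
                if field in p:
                    token = self.pseudonym(field, p[field])
                    self.lookup[token] = p[field]
                    p[field] = token
            out.append(p)
        return out

    def reidentify(self, token):
        """Only the exporter can map a token back to the original value."""
        return self.lookup.get(token)


def unkeyed_hash(value):
    """The weak variant: a plain SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(value.encode()).hexdigest()


def dictionary_attack(pseudonymised, candidates, field="email", hash_fn=unkeyed_hash):
    """What an intruder with a candidate list can do: hash every candidate and
    look the results up in the transferred data. Returns {token: identifier}
    for every token recovered."""
    table = {hash_fn(c): c for c in candidates}
    return {r[field]: table[r[field]] for r in pseudonymised if r[field] in table}


if __name__ == "__main__":
    exporter = Exporter()
    transferred = exporter.pseudonymise(RECORDS)
    print("sent to importer:", transferred)
    print("exporter resolves:", exporter.reidentify(transferred[0]["email"]))
    candidates = [r["email"] for r in RECORDS]
    print("attack on keyed tokens:", dictionary_attack(transferred, candidates))
    weak = [{**r, "email": unkeyed_hash(r["email"])} for r in RECORDS]
    print("attack on unkeyed hashes:", dictionary_attack(weak, candidates))
```

The keyed tokens are stable, so the importer can still join and analyse the records, but the dictionary attack that fully recovers the unkeyed variant returns nothing against them. Two caveats a practitioner would add: the remaining fields must themselves be checked for identifiability (the same assessment as for anonymisation), and the key must be managed as a secret in the exporter’s jurisdiction, since whoever holds it holds the personal data.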
4. Adtech: ICO’s investigation
On 22 January 2021, the ICO issued a statement confirming the resumption of its investigation into real time bidding (“RTB”) and the adtech industry, which was paused in May 2020 to allow the ICO to prioritise activities responding to the COVID-19 pandemic. RTB is the process through which a website publisher auctions off advertising space on its website to advertisers that want to target the particular audience who will visit that site. This allows the ads that people are shown on a website to be specifically selected for them. The process often involves hundreds of companies, and is completed in a matter of milliseconds.
In June 2019, the ICO issued a report on its investigation into adtech and RTB, which outlined its concerns in relation to the industry’s compliance with data protection and e-privacy laws. In particular, the ICO was of the view that the creation and sharing of personal data profiles about people, and the scale on which this was happening, was “disproportionate, intrusive and unfair, particularly when people are often unaware it is happening”. The ICO also found that sensitive data (e.g. about a person’s health) were being used without people’s consent.
The ICO’s continuing investigation will include a series of audits on data management platforms (for which assessment notices will be issued to specific companies in the coming months), and will also review the role of data broking, which plays an important part in the RTB process.
The ICO has advised that organisations operating in the adtech industry should assess how they process personal data “as a matter of urgency” – a possible early indication that heavier regulatory oversight and enforcement action in this area are likely to follow.