Radar - December 2016: Data Protection

Data protection

2016 was another busy year for data protection so we are just highlighting some of the main events in 2016. You can see our full data protection and cybersecurity news archive on our Global Data Hub.

General Data Protection Regulation

A lot happened in 2016 so the fact that after four years of negotiation, the General Data Protection Regulation (GDPR) was finally passed, may not be top of everyone's list of important events this year. It is, however, big news for any organisation processing EU personal data, whether as a data controller or a data processor, and whether inside or outside the EU.

The GDPR is a major overhaul of EU data protection law which gives new rights to individuals and brings an enhanced compliance burden for organisations processing personal data. The GDPR will apply across all Member States (including the UK) from 25 May 2018, and organisations should begin preparing for it if they haven't already started.

Our Global Data Hub features a wealth of information on all aspects of the GDPR and we will continue to focus on moving towards compliance in 2017. We can also expect to see guidance from regulators, some of which may be published before the end of the year.

ePrivacy Directive

Having completed the GDPR, the Commission is now reviewing the e-Privacy Directive. In response to the EC's consultation, the UK's ICO called for an overhaul to bring the Directive in line with the GDPR, introduce a harmonised opt-in approach for electronic marketing communications and bring consistency to enforcement. This approach was echoed by the Article 29 Working Party and the European Data Protection Supervisor. Both called for an extension of the scope of the legislation to include OTT services and went further than the ICO in arguing that consent requirements for the processing of traffic and location data should apply to all companies and not just telecoms operators.

The EC published a summary report on the response to the consultation on the review of the e-Privacy Directive in August.

Key findings included:

- while the majority of individuals are in favour of OTT services coming within the e-Privacy regime, industry responders were divided on the issue;
- a similar division can be seen in responses concerning cookies, with individuals largely of the view that providers should not be able to prevent access to services if users refuse cookies, and industry largely taking the opposite stance;
- while there was general agreement that marketing rules should be harmonised, individuals mostly preferred opt-in, with industry largely advocating an opt-out approach;
- while 83% of individuals were in favour of rules to ensure confidentiality of communications, only 31% of industry responders agreed;
- there was more consistency on the overall review of the e-Privacy Directive: 76% of all participants believed it was not fit for purpose.

Investigatory Powers Act

The controversial Investigatory Powers Act 2016 (IPA) has been given Royal Assent. While more than 1700 amendments were debated, it passed more easily than originally anticipated due, it is thought, to the diversion of the Referendum result. A petition to debate the legislation in the House of Commons has passed and it is thought the IPA will be the subject of legal challenges. It also has a bearing down the line on whether or not the UK gets a decision of adequacy for the purposes of data exports once it leaves the EU.

Background

Investigatory powers to intercept communications, acquire communications data and interfere with equipment have been dealt with under a patchwork of laws. These include the Regulation of Investigatory Powers Act (RIPA) and had included the Data Retention Directive until that legislation was declared invalid by the Court of Justice of the European Union in 2014 in the wake of the mass surveillance scandal. Attempts to introduce further powers under the so-called 'snoopers' charter', even before the demise of the Data Retention Directive, failed after Nick Clegg withdrew his support in April 2013. The government introduced stop-gap legislation in the form of the Data Retention and Investigatory Powers Act 2014 (DRIPA) but needed to bring in more permanent legislation before the powers under DRIPA expired at the end of 2016.

When does it come into force?

The data retention provisions which replace those in DRIPA have been brought into force in time to replace them. Other provisions will not be in place "for some time" according to the government and existing provisions under RIPA will remain in force until expressly repealed. The government has said some of the provisions require extensive testing and there will be consultation with industry to help develop Codes of Practice and other secondary legislation required to bring the rest of the IPA into effect. The government plans to set out a timetable for this process "in due course".

What does the IPA do?

The IPA overhauls RIPA and, in many cases, extends its scope. In particular, it provides for:

- Warrant powers to conduct interception, equipment interference (i.e. hacking in order to monitor) and the obtaining of bulk communications data. The most intrusive warrants and notices, which are issued by the Secretary of State, must be approved by a senior judge or Judicial Commissioner. A range of public authorities have powers to issue different types of warrants. Various matters, including privacy and human rights, must be taken into account before warrants are issued, renewed or cancelled. Interception and equipment interference warrants can be targeted, thematic or bulk.
- A prohibition on unlawful interception of communications. The offence is similar to that under RIPA but extends to cover all communications stored by the telecommunications system before as well as after transmission.
- A new Investigatory Powers Commissioner who will oversee use of powers under the IPA.
- A power for the Secretary of State to issue "technical capability notices". These will require telecommunications operators to institute semi-permanent interception capabilities. The notices can deal with interception, equipment interference, or bulk data sets.
- A power for the Secretary of State to serve "data retention notices". These can require telecommunications operators to generate, obtain and retain "communications data" about users for up to twelve months. The classes of communications data which may need to be retained can be very wide - up to "all data". The data can then be requested by a range of authorities for a range of purposes (largely to do with prevention of crime and terrorism and to protect...
