We begin this year with a new EU-UK trade agreement, providing the data protection world with some comfort around data transfer flows from the EU/EEA to the UK. As the Covid-19 pandemic continues, HewardMills has highlighted data privacy trends and practical steps which organisations should take note of to ensure their data protection programmes are robust and refined.
WhatsApp privacy policy changes
WhatsApp, which was acquired by Facebook in 2014 and currently has over 2 billion active users worldwide, introduced its new Terms and updated Privacy Policy this month. It sent a push notification to users informing them about the changes. It outlined the mandatory updates, which users had to accept by February 8 2021 or risk losing their account if opting out. Part of the changes included that it was making it compulsory for all users outside of the “European Region” (EAA/UK/Switzerland, and Territories) to share their data with the “Facebook Companies”. Before this, users had the chance to opt-out of these services. With the new updates, it also announced the collection of usage and log information, phone number, mobile operator, Internet Service Provider (ISP) data, operating system information, browser information, cookies, hardware model, battery level, location information and transactions and payments data. WhatsApp, however, added that user messages once delivered are deleted from its servers. WhatsApp messages are encrypted meaning Facebook will not be able to see the contents of users’ messages but will be able to see who users message and the frequency of the messaging.
Since the original communication from the messaging app received controversial backlash, it has published a blog clarifying the upcoming changes. It states the changes are only in relation to a user messaging a business on WhatsApp. Due to the concerns, the app has decided to push back the deadline for users to agree by three months. The WhatsApp team is now scrambling to clear up the misinformation around its data-sharing policies and balance privacy as a priority alongside its ambitions to add commerce services to the WhatsApp messaging platform.
We believe that the right to privacy depends on people having a meaningful choice as to whether, when and with whom they share their personal data. Before WhatsApp’s U-turn, for the billions of WhatsApp users around the world who have already built up large networks around the platform, the decision to accept the company’s new terms was less of a real choice. It has already seen users shift to other platforms such as Telegram and Signal as a result. Although WhatsApp has changed and clarified its new T&Cs, what can companies take away from this? Trust and transparency are the most valuable characteristics needed in 2021.
As a global DPO, HewardMills supports the right to privacy of all people, regardless of jurisdiction. As global privacy laws evolve to support technological innovation, companies must engender trust by consistently prioritising transparency and dignity.
Brexit and data transfers
What’s happening:
EEA to UK
The UK officially left the EU with an EU-UK Trade and Cooperation Agreement (Cooperation Agreement) in place as of 1 January 2021. In the world of data protection under the GDPR, the UK has become a “third country”. To temporarily maintain the free flow of personal data from the EEA to the UK, the Cooperation Agreement contains a bridging mechanism, by which any transfer of personal data is not treated as made to a third country.
The bridging mechanism will last until an adequacy decision is granted, or until 1 July 2021, whichever comes first. An adequacy decision is where the Commission determines that a third country has an adequate level of protection for personal data and that any additional safeguards or use of derogations are not needed. It is envisaged (though not with certainty) that the UK will receive an adequacy decision given its robust data protection framework.
As a precaution, the ICO recommends that UK organisations working with EU and EEA organisations put in place alternative transfer mechanisms to safeguard against interruptions to the flow of personal data from the EU to the UK, or in the event an adequacy decision is not reached.
UK to EEA
Data transfers from the UK to the EEA will remain unchanged as the UK government recognises that EU laws offer adequate protections.
What actions you can take:
Organisations should ensure documents, such as privacy notices and Records of Processing Activities, reflect the UK’s new status as a third country. This includes removing references to “EU law” where no longer applicable.
Article 27 Representatives
What’s happening:
Notwithstanding the bridging mechanism under the Cooperation Agreement, UK entities without an EU establishment will still need to appoint an Article 27 Representative as required by the GDPR. Likewise, EU entities without an establishment in the UK will be required to appoint a representative in the UK under the UK GDPR.
What actions you can take:
Organisations should assess whether they are required to appoint a representative in the UK or the EU based on the relevant requirements. This analysis should be documented and approved by a senior decision maker or the DPO.
AdTech industry converges with data protection laws
What’s happening:
The past year has seen a steep increase in online shopping as a percentage of total retail sales in the UK.
More people shopping online means more personal data is being gathered and processed in the complex, opaque, multi-layered world of the adtech industry. So-called “invisible processing” has previously been a hot topic with the ICO.
It may be that the recent pause on regulatory enforcement in this area is lifted in 2021 and we will see regulators begin to pursue the bigger adtech players for breaches of data protection and/or competition law. Indeed, these two regulatory areas appear to be converging more and more as the terms on which market-dominant controllers allow (or don’t!) the reuse of their vast treasure troves of personal data come into sharper focus.
What actions you can take:
All commerce practices should be reviewed to ensure compliance with PECR (Privacy and Electronic Communications Regulations) and the GDPR, particularly those related to marketing and cookies.
Messaging services – innocent intermediary defence
What’s happening:
The EU has determined that the US is not an adequate third country in terms of data protection. One reason is the EU Court of Justice (CJEU) finding that its surveillance laws permit the national intelligence services to disproportionately and indiscriminately collect personal data.
These broad and deep legal powers have led some private sector providers of messaging services to offer their customers end-to-end encryption of their messages. This protects the content of the communications not only from intelligence services but also from the providers themselves. Because end-to-end encryption effectively blocks anyone but the sender and recipient from reading the messages, national intelligence services perceive it as an unconscionable boon to criminal organisations. Indeed, a lacuna in existing laws that allows providers to raise an “innocent intermediary” defence to government demands for assistance with state-sponsored surveillance activities is increasingly under challenge in the EU and the US.
In contrast, the UK government has “no current plans to change the UK’s intermediary liability regime or its approach to prohibition on general monitoring requirements.” This would indicate that the UK’s intermediary liability rules will diverge over time from those in the EU as the latter embarks upon its reform package. However, not to be left out of the zeal for reform, the UK plans to enact legislation in 2021 creating a new regulatory regime for online messaging platforms; responsibility will be shared among the new Digital Markets Unit of the Competition and Markets Authority, the ICO and Ofcom.
What actions you can take:
Organisations that engage in the provision of messaging services should monitor fast developments in the space; in particular, any regional or jurisdictional divergencies.
International data transfers – HewardMills methodology
What’s happening:
Although we have all had our eyes firmly fixed on the data protection implications for the UK of the Cooperation Agreement, let us not forget the wider issue of third countries which the EU Commission deems do not offer levels of data protection to those guaranteed by the EU. The fallout of the CJEU’s judgement in the Schrems II litigation will continue to be felt unless and until the US and EU reach a third deal with the Commission on an improved replacement for the now-defunct Privacy Shield. If the Commission can agree on such a replacement, it is likely that the UK’s ICO will similarly approve the transfer mechanism.
However, one quirk of the Cooperation Agreement is that the ICO’s hands are tied during the bridging period so it may not issue its own adequacy decisions or approve any new standard contractual clauses under the UK GDPR.
What actions you can take:
The consultation period for the draft EU Standard Contractual Clauses (SCCs) ended on 10 December 2020. In the meantime, businesses can continue to use the existing SCCs, keeping in mind the recently issued European guidance on supplementary measures for the transfer of personal data to third countries.
Organisations should carry out a data transfer analysis to understand the current safeguards that are in place and whether supplementary measures are needed for transferring data to third countries. HewardMills has developed a data transfer methodology to help you identify data transfer requirements, please let us know if you need our support.
Your global DPO partner
HewardMills continues to monitor developments in the UK and globally and provide updates. We look forward to engaging with clients and practitioners to champion data protection and diversity by design. As we navigate the start to a new year, we would love to hear your comments and what’s on your agenda in the first quarter of 2021.
