At a time when we have seen a broadening range of cyber headaches, attacks and regulatory change, and with new IT techniques and loopholes emerging constantly, those dealing with data handling in the UK now face a further range of uncertainties caused by Brexit. Penalties in civil and criminal cases have escalated.
GDPR and other European data and privacy regulations have created a regulatory minefield in the UK and across potentially multiple jurisdictions. We believe we can help you find a path through the obstacles.
Data breaches can arise from a range of vulnerabilities in company systems: harmful agents introduced by innocent mistake, identity fraud and forced attacks. On top of these headaches for management, firms now have to worry about the laws in the UK diverging from those in the rest of the EU.
Le Figaro in France recently reported that over 95,000 data breaches had been reported to the respective European regulators across EU jurisdictions since the introduction of GDPR last May, and this is probably just the tip of the iceberg in terms of firms’ exposures.
The current UK Withdrawal Agreement and the accompanying draft Political Declaration of Cooperation certainly do not make it clear which path data regulation and cooperation will follow once the UK leaves the EU. For financial firms, the problems are compounded by the absence of detail in many areas of services provided on a cross-border basis.
Post Brexit, many firms will need both a Data Protection Officer (DPO) and an EU Representative, and the two will need to work together within the firm. If a UK company has a data processor that monitors EU data subjects, it will require an EU Representative. The EU Representative will need to be located in the Member State in which the monitoring is occurring, and must also be available to the local Data Protection Authority (DPA) (e.g. the ICO in the UK and CNIL in France).
EU regulators are becoming more active, as we have seen from the recent Uber and other court decisions, particularly those of France’s CNIL. This comes against a background of increasing data breach reports to regulators, a proliferation of cyber-attacks and the growing sophistication of attack methodologies.
The CNIL took the view that both Uber Technologies Inc. and Uber BV were data controllers, and that the Dutch affiliate of Uber (Uber BV) was not the sole data controller. The CNIL successfully demonstrated that the US company, Uber Technologies Inc., played a key role in determining the purposes and means of the data processing. In reaching its decision, the CNIL referred to the 2014 decision of the European Court of Justice (“ECJ”) in Google v. Costeja which, in the case of a Spanish national, established the principle that internet search engines are also subject to Spain’s data protection laws, should be seen as data controllers and must properly protect personal data.
The CNIL considered the processing of Uber riders’ and drivers’ personal data to be carried out in the context of the activity of the French establishment of the two data controllers, Uber BV and Uber Technologies Inc. The CNIL made it clear, in a related action, that liability rests with both the Controller and the Processor.
Clients will need to give more attention to Standard Data Contract Clauses (SCCs), which have been developed to provide adequate safeguards for the protection of individual privacy and fundamental rights and freedoms. Similarly, a review will be needed of Binding Corporate Rules (BCRs), which ensure that all data transfers within a corporate group are safe. They must contain privacy principles, such as transparency and data quality, and effective security tools (such as audit, training or complaint-handling systems).
At present, under GDPR, personal data can only be transferred out of the EU/EEA if the transfer complies with the conditions set out in Chapter V of the GDPR. The significant amount of data that will pass between the UK and the EU member states post-Brexit means that it will be vital for UK controllers and processors, including cloud operators, and for their counterparts in the EU, to have a clear understanding of where such data transfers are permitted.
Linked to these developments are the debates raging over proper controls on the content of social media, particularly content affecting young and vulnerable users, as well as cases in which the hacking of mobile phones and the data recorded on them is central to crimes.
It is becoming clearer that the assassinated Saudi journalist, Jamal Khashoggi, had, prior to his death, been sending messages to a fellow Saudi dissident believing that, by using WhatsApp, the messages were cloaked in security. In fact, it has been reported that all his messages were compromised, together with the rest of his phone’s content, because the phone had been infected by malware called Pegasus, designed to spy on its users. This software was developed for law enforcement and military security purposes, but its use has now spread more widely. It employs an apparently innocent message which asks the recipient to update their phone settings. Once the phone is infected, the attacker can gain complete access to its microphone, camera, keyboard and data. The developer of the software, a company based in Israel, is now facing legal action by the recipient of Khashoggi’s messages, who contends that the company was in breach of international law by selling the software to oppressive regimes.
These recent cases and data breaches, along with the host of other misuses of software, devices and data and the burgeoning laws on data controls, mean that every firm needs expert IT and legal advice to navigate the treacherous waters of data handling.