ICO Adding 200 New Staff Solely for Enforcement Efforts

The UK’s Information Commissioner’s Office (ICO) will soon expand its staff of 300 by adding 200 more lawyers, policy advisors, analysts, and investigators dedicated solely to enforcement. They will be strictly enforcing new data protection laws aimed at curtailing the mishandling of consumers’ personal information. The ICO will have the ability to impose large fines for data breaches, up to 4 percent of global turnover, which could have serious implications for clients doing business in the UK. The ICO will also work with international data protection offices with the aim of eventually lobbying for and crafting an international treaty on standards.

Privacy Shield is Safe, for Now

On January 25, 2017, U.S. President Donald J. Trump issued an Executive Order titled “Enhancing Public Safety in the Interior of the United States.” One specific provision in the order has caused some concern among privacy professionals: the provision, titled “Privacy Act,” reads as follows:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information. 

Technology journalists have been scrambling to understand what this section means for the recently negotiated EU-U.S. Privacy Shield, a framework which enables the transfer of EU citizens’ personal data to the U.S. for processing. Because Privacy Shield was negotiated to ensure that the privacy rights of EU citizens are adequately protected in the U.S., any weakening of privacy protections for non-U.S. citizens threatens the vitality of the framework: if the U.S. can no longer ensure that EU citizens receive adequate privacy protection, EU lawmakers could be prompted to suspend Privacy Shield.

In spite of the initial hubbub, a spokesperson for the European Commission has confirmed that Privacy Shield does not rely on the Privacy Act protections limited by the President’s Executive Order. Nonetheless, the episode is a valuable reminder that businesses engaging in cross-border data processing face a frequently shifting legal landscape. The best way for businesses to guard against this uncertainty is to ensure that they have made contractual arrangements with their European partners that provide for specific privacy-related measures. Because participation in Privacy Shield is voluntary, working out the legal logistics of data protection by direct contractual arrangements can help businesses avoid the headache of Privacy Shield altogether—including the effects of any further executive action that might disrupt Privacy Shield.

Cyber Insurance Applications and Claims on the Rise in the UK

Cyber insurance applications and claims have soared in the wake of attacks and fears about fines under the General Data Protection Regulation, with Lloyd’s offering over 15 different types of cyber insurance policies. A 78 percent increase in claims on cyber policies between 2015 and 2016 indicates a growing exposure of UK firms to cyber threats.

Identifying Your Independent Recourse Mechanism for Privacy Shield Certification

A U.S.-based organization that is subject to the enforcement authority of either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) may join Privacy Shield by self-certifying its commitment to comply with the seven Privacy Shield Principles. The seventh Privacy Shield Principle—recourse, enforcement, and liability—requires that an organization seeking Privacy Shield self-certification identify an “independent recourse mechanism” through which EU individuals may have privacy-related complaints investigated and resolved at no cost to the individual.

The available choices for an independent recourse mechanism will depend in part on the type of data for which self-certification is sought. Organizations seeking Privacy Shield self-certification that will cover employees’ personal information are required to cooperate and comply with EU Data Protection Authorities (DPAs) as their independent recourse mechanism with respect to that data. Organizations seeking Privacy Shield self-certification for data transfers unrelated to employee data may either cooperate and comply with EU DPAs or name a private sector dispute resolution service as their independent recourse mechanism. An organization relying on the DPAs must pay an annual fee of $50. The fees charged by private sector programs vary. Some providers, such as the Council of Better Business Bureaus and the Direct Marketing Association, charge flat annual fees based on the participating organization’s annual revenues. Other providers, such as the International Centre for Dispute Resolution and JAMS, charge on a pay-per-dispute basis without any upfront fees. Finally, a number of providers, such as PrivacyTrust, VeraSafe, and TRUSTe, offer dispute resolution services in addition to assisting with Privacy Shield self-certification. Specific pricing information for these services may depend on the scope and nature of the services provided.

Privacy Shield contains six additional principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, and Access. By participating in Privacy Shield, an organization commits to adhere to these principles in its treatment of the personal information of individuals living in the European Union.