6 minute update on the latest developments in cyber law

31 Oct 2016 | 6 min read

Among the many challenges facing legal advisors, compliance officers and, indeed, boards of directors in the coming months and years, will be the requirement to review and, in most cases, substantially overhaul, their data protection and management practices.

Dean Armstrong QC gives us an overview of the latest developments in cyber law in the light of the latest political developments in the UK.

Why?

In May 2018, the General Data Protection Regulation (GDPR) comes into direct effect in the United Kingdom.

What is it?

This Regulation is the European Union's first directly applicable, EU-wide instrument governing personal data. It is an acknowledgement of what is becoming a reality of life: the protection and care of an individual's personal data is sacrosanct.

It’s an EU Regulation. What happens post Brexit?

It is almost certain that the UK will still be subject to EU law in May 2018. Post-Brexit, in order to exchange data with EU corporates and EU data subjects, the UK will have to adopt data protection regulation that is at least as rigorous as the GDPR.

There are currently three broad paths open to the UK post-Brexit:

  1. Joining the European Economic Area ('EEA'). This is the route adopted by Norway. Membership of the EEA will require the UK to implement rules and procedures that are equivalent to those of the European Union.
  2. UK signs bilateral trade deals with the EU. This is likely to result in the UK having to agree to a duty to apply laws that are at least as demanding as European Union legislation. This is the option that has been adopted by Switzerland.
  3. The other possibility is that the UK signs one or more independent trade deals without taking on the burden of accepting equivalent EU obligations.

The government’s recent announcements make it likely that the third option will be followed, but, significantly, it has also been indicated that the initial stance will be to retain all EU regulations until they are repealed.

Under the first two options, it is clear that the UK would need to adopt data protection regulation that is at least as strict as the GDPR. Under the third option, the UK would still need to offer 'adequate' protection in order for the EU to allow personal data to be transferred from its Member States to the UK. In other words, the UK would still need to regulate to at least the standard of the GDPR.

To what does it apply?

The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Further, the Regulation applies to the processing of personal data of data subjects who are in the Union by controllers or processors not established in the Union, where the processing activities are related either to the offering of goods or services to such data subjects in the Union, or to the monitoring of their behaviour in so far as their behaviour takes place within the Union. The latter point is highly significant: many corporates monitor the online behaviour of individuals in the EU, and that alone brings them within the scope of the GDPR, wherever they are established.

Here, personal data means any information relating to an identified or identifiable natural person ('data subject'). Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The Regulation is built on six principles. Personal data must be:

  1. Processed fairly, lawfully and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency').
  2. Collected for specified, explicit and legitimate purposes and not processed in a manner which is incompatible with those purposes ('purpose limitation').
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation').
  4. Accurate and, where necessary, kept up to date ('accuracy').
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

What happens if you don’t comply?

Before dealing with the draconian penalties envisaged by the Regulation, it should be noted that the Regulation also creates a direct right of action for individuals.

Article 82 gives a right to compensation to any person who has suffered material or non-material damage as a result of an infringement of the Regulation. This underlines the real significance of the Regulation: it does not take a major security breach to attract sanction.

Within the Regulation are contained penalties of a magnitude not seen before. Infringements of articles 8, 11, 25-39, 42 and 43 shall be subject to fines of up to 10 million euros or, in the case of an undertaking, up to 2% of worldwide annual turnover for the preceding year; whichever is higher. These include failures in compliance in the areas of: processing of children’s data; notification of a data breach; data protection impact assessment; implementation of data protection by design or default.

Infringements of articles 5, 6, 7 and 9, 12-22 and 44-49 shall be subject to fines of up to 20 million euros or, in the case of an undertaking, up to 4% of worldwide annual turnover for the preceding year; whichever is higher.

This higher tier of sanctions covers breach of any of the six principles; of the rules on lawfulness of processing and the conditions for consent; of the duty to provide the required information where data are collected from the data subject; of the data subject's rights of access, rectification, erasure (the 'right to be forgotten'), data portability and objection; and of the restrictions on international data transfers.

It is illustrative to note one example of where organisations affected by the Regulation will need to change their practices.

Article 7 sets out the conditions for consent. It states that, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time.

So now consent has to be active and demonstrable. You can’t assume consent simply because you have not heard to the contrary. This will have a profound effect on how long, and for what purpose, an organisation can keep personal data (both subject to specific articles in the Regulation), and on the importance of continuing review. There will have to be an audit trail showing that consent was given and is still active. If not, sanctions of up to 4% of worldwide turnover could be visited on an undertaking.

The prospective penalties for breach of compliance with the Regulation are so large that preparation for compliance cannot simply be put off. Organisations need to act now to ensure that they are not the ones making the headlines for all of the wrong reasons.

Filed Under: Practice of Law