Archive for the ‘Data sharing’ Category

EU Parliament’s LIBE Committee Issues Report on State Surveillance

Posted on February 19th, 2014 by

Last week, the European Parliament’s Civil Liberties Committee (“LIBE“) issued a report into the US National Security Agency (“NSA“) and EU member states’ surveillance of EU citizens (the “Report“). The Report was passed by 33 votes to 7 with 17 abstentions questioning whether data protection rules should be included in the trade negotiations with the US. The release of the report comes at a crucial time for both Europe and the US but what does this announcement really tell us about the future of international data flows in the eyes of the EU and the EU’s relationship with the US?

Background to the Report

The Report follows the US Federal Trade Commission (“FTC“)’s recent response to criticisms from the European Commission and European Parliament following the NSA scandal and subsequent concerns regarding Safe Harbor (for more information on the FTC – see this previous article). The Report calls into question recent revelations by whistleblowers and journalists about the extent of mass surveillance activities by governments. In addition, the LIBE Committee argues that the extent of the blanket data collection, highlighted by the NSA allegations, goes far beyond what would be reasonably expected to counter terrorism and other major security threats. The Report also criticises the international arrangements between the EU and the US, and states that these mechanisms “have failed to provide for the necessary checks and balances and for democratic accountability“.

LIBE Committee’s Recommendations

In order to address the deficiencies highlighted in the Report and to restore trust between the EU and the US, the LIBE Committee proposes several recommendations with a view to preserving the right to privacy and the integrity of EU citizens’ data, including:

  • US authorities and EU Member States should prohibit blanket mass surveillance activities and bulk processing of      personal data;
  • The Safe Harbor framework should be suspended, and all transfers currently operating under this mechanism should stop immediately;
  • The status of New Zealand and Canada as ‘adequate’ jurisdictions for the purposes of data transfers should be reassessed;
  • The adoption of the draft EU Data Protection Regulation should be accelerated;
  • The establishment of the European Cloud Partnership must be fast-tracked;
  • A framework for the protection of whistle-blowers must be established;
  • An autonomous EU IT capability must be developed by September 2014, including ENISA minimum security and privacy standards for IT networks;
  • The EU Commission must present an European strategy for democratic governance of the Internet by January 2015; and
  • EU Member States should develop a coherent strategy with the UN, including support of the UN resolution on ‘the right to privacy in the digital age‘.

Restoring trust

The LIBE Committee’s recommendations were widely criticised by politicians for being disproportionate and unrealistic. EU politicians also commented that the Report sets unachievable deadlines and appears to be a step backwards in the debate and, more importantly, in achieving a solution. One of the most controversial proposals in the Report consists of effectively ‘shutting off‘ all data transfers to the US. This could have the counterproductive effect of isolating Europe and would not serve the purpose of achieving an international free flow of data in a truly digital society as is anticipated by the EU data protection reform.

Consequences for Safe Harbor?

The Report serves to communicate further public criticism about the NSA’s alleged intelligence overreaching.  Whatever the LIBE Committee’s position, it is highly unlikely that as a result Safe Harbor will be suspended or repealed – far too many US-led businesses are dependent upon it for their data flows from the EU, meaning a suspension of Safe Harbor would have a very serious impact on transatlantic trade. Nevertheless, as a consequence of these latest criticisms, it is now more likely than ever that the EU/US Safe Harbor framework will undergo some changes in the near future.  As to what, precisely, these will be, only time will tell – though more active FTC enforcement of Safe Harbor breaches now seems inevitable.


ICO’s draft code on Privacy Impact Assessments

Posted on August 8th, 2013 by

This week the Information Commissioner’s Office (‘ICO’) announced a consultation on its draft Conducting Privacy Impact Assessments Code of Practice (the ‘draft code’). The draft code and the consultation document are available at  and the deadline for responding is 5 November 2013.

When it comes into force, the new code of practice will set out ICO’s expectations on the conduct of Privacy Impact Assessments (‘PIAs’) and will replace ICO’s current PIA Handbook. So why is the draft code important and how does it differ from the PIA Handbook?

  • PIAs are a valuable risk management instrument that can function as an early warning system while, at the same time, promoting better privacy and substantive accountability. Although there is at present no statutory requirement to carry out PIAs, ICO expects them.
  • For instance, in the context of carrying out audits, ICO has criticised controllers who had not rolled out a framework for carrying out PIAs. More importantly, the absence or presence of a risk assessment is a determinative factor in ICO’s decision making to take enforcement action or not. When ICO talks about the absence or presence of a risk assessment, it means the conduct of some form of PIA.
  • Impact assessments are likely to soon become a mandatory statutory requirement across the EU, as the current version of the draft EU Data Protection Regulation requires ‘Data Protection Impact Assessments’. Note, however, that the DPIAs mandated by article 33 of the Draft Regulation have a narrower scope than PIAs.  The former focus on ‘data protection risks’ as opposed to ‘privacy risks’, which is a broader concept that in addition to data protection encompasses broader notions of privacy such as privacy of personal behaviour or privacy of personal communications.
  • The fact that ICO’s guidance on PIAs will now take the form of a statutory Code of Practice (as opposed to a ‘Handbook’) means that it will have increased evidentiary significance in legal proceedings before courts and tribunals on questions relevant to the conduct of PIAs.

The PIA Handbook is generally too cumbersome and convoluted. The aim of the draft code is to simplify the current guidance and promote practical PIAs that are less time consuming and complex, and as flexible as possible in order to be adapted to an organisation’s existing project and risk management processes.  However, on an initial review of the draft code I am not convinced that it achieves the optimum results in this regard.  Consider for example the following expectations set out in the draft code which did not appear in the PIA Handbook:

  • In addition to internal stakeholders, organisations should work with partner organisations and with the public. In other words, ICO encourages controllers to test their PIA analysis with the individuals who will be affected by the project that is being assessed.
  • Conducting and publicising the PIA will help build trust with the individuals using the organisation’s services. In other words, ICO expects that PIAs will be published in certain circumstances.
  • PIAs should incorporate 7 distinct steps and the draft code provides templates for questionnaires and reports, as well as guidance on how to integrate the PIA with project and risk management processes.

Overall, although the draft code is certainly an improvement compared to the PIA Handbook, it remains cumbersome and prescriptive.  It also places a lot of emphasis on documentation, recording decisions and record keeping.  In addition, the guidance and some of the templates include privacy jargon that is unlikely to be understood by staff who are not privacy experts, such as project managers or work-stream leads who are most likely to be asked to populate the PIA documentation in practice.

Many organisations are likely to want a simpler, more streamlined and more efficient PIA process with fewer steps, simpler tools / documents and clearer guidance, and which incorporates legal requirements and ICO’s essential expectations without undully delaying the launch of new processing operations. Such orgaisations are also likely to want to make their voice heard in the context of ICO’s consultation on the draft code.

How PRISM will affect the EU Data Protection Regulation

Posted on June 10th, 2013 by

Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform. Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have direct access to the content and traffic data available in the servers of all of the leading Internet communications companies. Whether those reports are entirely accurate will now hardly matter from an EU public policy perspective. You can count on the PRISM story being used as a strong argument in favour of a tough stand on the future EU privacy framework.

Apart from the obvious ‘I told you so’ justifications for a strict and wide reaching data protection regime in Europe that will populate much of the political rhetoric from now on, there are specific provisions in the draft Data Protection Regulation that may end up being the perfect recipe for a conflict of international laws. In particular, the PRISM revelations will increase the reluctance of the EU Parliament to allow disclosures of personal data in response to a legal obligation or public interest duties which do not specifically emanate from EU law. Therefore, any hopes of widening the current references in the draft Regulation to “European Union law or the law of the EU Member State to which a controller is subject” as a basis for either justifying data processing operations which are necessary for compliance with a legal obligation or the performance of a task carried out in the public interest are now substantially smaller. What this means in practice is that global organisations operating in the European Union may be left facing a conflict between complying with legally binding non-EU duties or avoiding a breach of EU data protection law.

The other aspect of EU data protection law directly affected by the PRISM story is the restriction on international data transfers. This is indisputably one of the greatest compliance challenges for EU organisations and one that many of us were hoping would be more pragmatically addressed in the new law. What are the chances of that now?? My guess is that this sort of story is the perfect ammunition for those who seek to maintain the pureness of ‘adequacy findings’ and therefore, it will make it more difficult for any country – not least the USA – that wishes to be regarded as providing an adequate level of data protection. In addition to that, all of the other mechanisms and exemptions to overcome the restrictions on international data transfers – Safe Harbor, contractual arrangements, BCR, transfers made on the grounds of public interest – will be much more closely scrutinised, so global data flows will remain a focus of regulatory attention.

At times like this, it becomes more essential than ever to keep a clear head and get the facts right, because achieving a realistic and balanced legislative outcome with the appropriate safeguards and a degree of pragmatism is as important as respecting our privacy.

Smart Meters – new data access and privacy rules for the energy sector

Posted on February 21st, 2013 by

The Department of Energy and Climate Change (DECC) carried out numerous studies and soundings in preparation for the rollout of smart energy meters to over 30 million UK homes between 2014 and 2019, but the most polemical press coverage was elicited by the consultation in Spring 2012 on the data access and privacy issues raised by the valuable energy consumption data (Consumption Data) generated by these new metering devices. Some newspapers cited warnings of “cyber attacks by foreign hackers” and “a spy in every home”, and there was much interest in the concerns highlighted in a report published in June by the European Data Protection Supervisor that the most granular real-time Consumption Data could reveal details such as the daily habits of household members or even tell burglars when a house was unoccupied.

The UK government’s response to this consultation, published on 12th December 2012, sheds considerable light on the data protection compliance measures that must be put in place by energy companies, network operators and others who access Consumption Data such as ‘switching’ websites and energy services suppliers. These requirements will apply alongside (and in addition to) those already set out in the Data Protection Act 1998. The measures will be implemented via amendments to the licence conditions adhered to by energy suppliers (enforced by Ofgem) and a new Smart Energy Code overseen by a dedicated Smart Energy Code Panel. A central information hub controlled by a body known as the Data and Communications Company (DCC) will enable remote access to Consumption Data for suppliers and third parties that have agreed to be bound by the Code.

Background: The aim of the UK government’s smart meters programme is to give consumers real-time information about their energy consumption in the hope that this will help to control costs and eliminate estimated energy bills, on top of the environmental and cost-saving side effects of the behavioural changes such information may encourage. In the long term, it is hoped that smart energy data will lead to fluctuating, real-time energy pricing, enabling consumers to see how expensive it will be to use gas or electricity at any given time of day.

Key rules: There are some key elements to the new framework which apply differently to energy suppliers (such as British Gas and EDF Energy), network operators (companies that own and lease the infrastructure for delivering gas and electricity to premises) and “third parties” such as switching websites and energy companies when they are not acting in the capacity as a supplier to the relevant household.

A crucial aspect of the rules that applies to all parties is the requirement to obtain explicit, opt-in consent before using Consumption Data for any marketing purposes. For other uses, third parties will always need opt-in consent to remotely access Consumption Data of any level of granularity, whereas in order to remotely access the most detailed level of Consumption Data (relating to a period of less than one day), energy suppliers will also be required to obtain opt-in consent.

From a consumer protection perspective, perhaps the most important safeguards introduced by the Stage 1 draft of the Smart Energy Code published in November 2012 are the requirements on third parties requesting Consumption Data from the DCC to:

(a)  take measures to verify that the relevant household member has solicited the services connected with the third party’s data request;

(b)  self certify that the necessary consent has been obtained; and

(c)   provide reminders to consumers about the Consumption Data being collected at appropriate, regular intervals.

Privacy Impact Assessments: In line with Privacy by Design principles promoted by data protection authorities globally, the UK government has developed its own Privacy Impact Assessment to assess and anticipate the potential privacy risks of the smart metering programme as a whole. The idea is that the government’s PIA will be an “umbrella document” and every data controller wishing to access Consumption Data is expected to carry out its own PIA before the new framework comes into force (likely to be this summer). The European Commission is also developing a template PIA for this purpose.

Apart from helping to identify risks to customers and potential company liabilities, PIAs are lauded by the UK Information Commissioner as the best way to protect brand reputation, shape communication strategies and avoid expensive “bolt-on” solutions.

Conclusions: Research carried out as part of the UK government’s Data Access and Privacy consultation showed that the overwhelming concern of consumers questioned was that smart meter data would lead to an increase in direct marketing communications. Many participants did not identify the potential for misuse of Consumption Data until it was explained to them. The less obvious nature of the potential for privacy intrusion of this new data underlines the fact that consent is not a panacea in the case of smart meters (despite the considerable focus on this in the consultation responses).

So, clear and comprehensive information is key. As part of preparing for compliance, companies planning to access Consumption Data should build clear messaging into all customer-facing procedures, including those in respect of all in-person, online and call centre interaction. And whilst some of the finer details of the new rules are yet to be ironed out, it’s clear that every organisation concerned will be expected to digest the details of the new framework now and be fully prepared – including by completing Privacy Impact Assessments – in time for when the regulatory framework comes into force, expected to be June 2013.

A longer version of this article was first published in Data Protection Law & Policy in February 2013.


Proportionality – the key to compliant anti-bribery due diligence

Posted on July 20th, 2011 by

On 1 July, the long anticipated Bribery Act 2010 came into force.   The Act attracted significant debate during its passage into law, largely due to concerns about how the newly-created s.7 offence of “failure by a commercial organisation to prevent bribery” would apply in practice. 

At an overview level, any organisation carrying on business in the UK can potentially be liable under s.7 for a bribe paid by its “associated persons” (including employees, contractors and subsidiaries), whether or not it knew of the bribe.  There is no requirement that the bribe must take place in the UK – organisations can attract liability for bribes paid by “associated persons” in overseas jurisdictions.  Criminal penalties apply for breach, including unlimited fines and even the prospect of personal liability (including jail time) for directors.  These onerous liabilities, coupled with the wide jurisdictional reach of s.7, are enough to give any senior executive sleepless nights.

“Adequate procedures” to guard against bribery risk

Organisations charged under s.7 have a defence if they can show that they had implemented “adequate procedures” to protect against bribery risk.  With a view to clarifying the anti-bribery measures it expects organisations to adopt, the Government published guidance on implementing “adequate procedures” in March this year (available here:  This explained that implementation of “adequate procedures” by an organisation to guard against bribery risk should be informed by six principles: (i) Proportionate procedures; (ii) Top-level commitment; (iii) Risk assessment; (iv) Due diligence; (v) Communication (including training); and (vi) Monitoring and review of anti-bribery policies and procedures.  

FFW has separately published detailed overviews (including FAQs) of the Bribery Act and the Government’s “adequate procedures” guidance at

Due diligence and data protection

With the excitement surrounding s.7 and the need to mitigate bribery risk by implementing “adequate procedures”, it’s all too easy for organisations to overlook their privacy compliance responsibilities.  However, organisations that do not take proper account of the privacy consequences of implementing “adequate procedures” risk jumping out of the frying pan and into the fire – on the one hand, mitigating risk under the Bribery Act while on the other hand exposing themselves to a raft of potential liabilities under UK and European data protection legislation.

This is particularly the case with counterparty due diligence.  Undertaking appropriate due diligence will be a compliance cornerstone in guarding against risk under the Bribery Act.  Of critical importance – for both data privacy and Bribery Act purposes – is that any due diligence conducted must be proportionate to its aims. The level of due diligence appropriate in any given situation will necessarily depend on a variety of factors, including the nature of the role and the organisation concerned, the services to be provided, and any other readily identifiable business or bribery risks. 

In the course of conducting due diligence, businesses will undoubtedly handle sensitive personal data relating to prospective clients, employees and contractors – such as information relating to criminal convictions and proceedings, political affiliations (e.g. if the data subject is a ‘politically exposed person’), trade union membership or otherwise.  This raises a number of issues, not least in terms of the need to make (or update) suitable data processing registrations with the Information Commissioner’s Office in order to reflect any sensitive data processed – bearing in mind that failing to make and maintain accurate and up-to-date registrations is, itself, a criminal offence. 

In particular, sensitive data benefits from enhanced protection under data protection law, and organisations must establish a lawful basis to legitimise their sensitive data processing in the first place.  In this context, it is important to note that the Bribery Act does not create a legal obligation to conduct due diligence or to process sensitive data.  It says only that “adequate procedures”, where implemented, are a defence to liability under the Bribery Act.  For this reason, simply assuming that the Bribery Act itself legitimises due diligence processing of sensitive data is misguided.  Businesses must instead consider the sensitive data processing grounds set out in the Data Protection Act 1998 and identify those that permit the specific due diligence processing in question.  Whilst various grounds potentially exist, it is important to identify the specific grounds that will be relied on in any given case, and to ensure that the sensitive data processing keeps within the scope of those grounds.  In many cases, it may be necessary to obtain explicit, informed consent directly from the due diligence subject to enable processing of his or her sensitive data.

The jurisdictional reach of the Bribery Act also has the potential to strain data privacy compliance.  Given their potential liability for acts of bribery conducted by overseas employees, subsidiaries and contractors, a natural response for UK organisations would be to conduct due diligence on any overseas counterparty they engage, either directly or through a subsidiary.  However, overseas data protection regimes may not readily permit processing of sensitive data for due diligence activities designed to mitigate risk under UK law (Spanish and Belgian data protection regimes, for example, impose strict requirements for sensitive data processing).  As a consequence, overseas subsidiaries and contractors that want to process and share due diligence data with UK businesses for Bribery Act compliance purposes may find themselves hindered by their national data protection regimes.  Likewise, overseas organisations that carry on business in the UK may want to implement due diligence procedures to guard against Bribery Act risk, but find themselves constrained by their local data protection laws.   Organisations therefore need to consider carefully how to implement “adequate procedures” in a way that fully addresses the requirements of wider European (and other) data protection regimes where these apply.

Why this matters

Any organisation implementing “adequate procedures” to mitigate Bribery Act risk must consider carefully its responsibilities under data protection law.  Without doing this, it runs the risk of implementing procedures that, while carefully designed to protect against bribery risk, attract liabilities under data protection law.  Due diligence is just one example, but organisations also need to consider other data privacy liabilities arising when, for example, implementing ‘speak up’ or whistleblowing procedures, or when conducting internal investigations into allegations of bribery by staff.

At first glance, the Bribery Act and data protection law might appear to impose conflicting demands on organisations that are difficult to resolve.  However, proportionality is at the heart of both regimes: whatever the “adequate procedures” implemented, they must be proportionate in light of the actual risks to the organisation.   For this reason, rather than considering data protection as a barrier to Bribery Act compliance, it should be viewed as an enabler to implementing effective and proportionate Bribery Act compliance mechanisms.  By considering and identifying potential privacy risks at the outset and rolling out “adequate procedures” that take account of these risks, a happy – and compliant – compromise can be achieved.

If you would like more information, please contact Phil Lee, Senior Associate, at