There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.
Story #1: Time runs out on the old EU SCCs
Time moves slowly, but passes quickly.
It really does seem like yesterday that I was talking to clients about the introduction of the UK’s (then) new international data transfer contracts — the International Data Transfer Agreement and the UK Addendum to the EU SCCs. In fact, it was March 2022.
If you remember, there were a series of permutations regarding the date(s) by which organisations had to move from the existing (“old”, i.e., pre-2021) EU SCCs to the IDTA or Addendum + new EU SCCs, depending on whether their transfers were made in the context of existing or new contracts.
The final of those deadlines is now rapidly approaching. From 21 March 2024, organisations making international transfers of personal data that are subject to the UK GDPR will no longer be able to rely on the old EU SCCs to safeguard those transfers. That requirement applies to existing and new contracts.
In other words, you have around three weeks to review your current contracts and identify (and, ideally, update) those that rely on the old SCCs — or at least to put that process in motion.
You should also ensure that your privacy notices and contractual templates (DPAs, controller agreements, Terms of Business/Terms of Service, and so on) no longer cite or rely on the old SCCs, but rather use the IDTA and/or the Addendum + “new” (i.e., 2021) SCCs.
For what it’s worth, I now only see a small number of documents that were drafted post-2022 still containing the old SCCs, so your review and uplift exercise is likely to be light. But it’s still worth looking in the nooks and crannies of your systems to ensure that you’ve caught all of the stragglers.
*****
What happens if you don’t manage to get there by 21 March 2024?
The ICO doesn’t currently appear to be particularly focused on enforcing international transfers — at least in isolation. However, if those transfers are made in the context of processing that *does* relate to the ICO’s stated enforcement priorities (AI, children’s data, cookies), the risk of using outdated transfer safeguards is heightened.
As always, non-compliance can also be revealed in a targeted or general regulatory or contractual audit, or indeed a data subject rights request or complaint.
And the contractual risk of relying on the old SCCs is ever-present — even if disputes tend to arise relatively infrequently in practice. But if you’re working for a business that has (or is targeting) outside investment, it’s a compliance gap that will be picked up in the diligence process.
Story #2: FCA clampdown on “off channel” messaging
If you work at a financial services firm in the UK, particularly an institution with a U.S. footprint, you will be familiar with the regulatory focus on communications monitoring.
Across the pond, the Securities and Exchange Commission's enforcement sweep of "off channel" business communications has resulted in settlements with 40-plus organisations for not retaining business communications made through messaging apps that are more commonly used for personal communications.
To date, the UK's financial watchdog — the Financial Conduct Authority (FCA) — has taken a more hands-off approach.
But a recent article in Financial News suggests that might change, with the FCA meeting firms to reiterate that they must have communications and recordkeeping policies in place — and adhere to them. The article is here.
Besides the regulatory issues discussed in the story, there are important data protection considerations involved in monitoring employees’ communications. Those considerations are particularly acute where employees use their own devices to conduct company business — whether on a "bring your own" device or a purely personal phone.
In the UK and EU, monitoring those devices can be challenging, both legally and practically.
For example, how do employers collect these communications? Typically, it's done via software downloaded onto employees' devices. But will that software collect and retain all communications made via those apps, i.e., business-related and personal? If yes, is there a process to remove non-work chats from the retention pool?
Next, an employee may be comfortable with an employer retaining their personal messages. But what about those on the other side of the conversation? Do they need to receive an Article 13/14 privacy notice? In the corporate context, the provision of transparency information in this way may become normalised. But it's likely to be incongruous for personal communications.
Financial News says the FCA will be taking a more proportionate and risk-based approach than its U.S. counterparts. But even if that's the case, an issue facing European outposts of U.S. companies is that the European records may need to be retained for compliance with U.S. laws.
Where that's the case, the European entity will (among other things) need to establish an EU/UK GDPR lawful basis for processing and sharing of personal data contained in the records.
The Art. 6(1)(c) compliance with legal obligation basis applies to EU/UK laws, and not those of the U.S. So, absent a local law imposing the same obligation, it may be a hard circle to square.
The employer's legitimate interests in meeting regulatory obligations may be appropriate, but this is highly context-dependent. Conducting a balancing test (and DPIA) is vital.
These are tricky issues — and that's only a (brief) look at legal bases. If you’d like help thinking them through, do get in touch.
Story #3: UK cookie enforcement to begin
“This is the last chance to change. Our next announcement in this space will be about enforcement action.”
As sign offs to regulatory press releases go, this week's statement from the UK ICO packs a punch.
The statement was made in the context of the ICO announcing a consultation to inform its approach to regulating “consent or pay” mechanisms — currently one of the hot button issues in European data protection.
I’ll be writing separately about that topic, but in a nutshell, a consent or pay model gives users of online services a choice between (1) using the service for free if they consent to their personal data being used for personalised advertising, and (2) paying for ad-free access to the service. As a central pillar of the online advertising ecosystem, it makes sense that the regulation of cookies (and similar technologies) has come sharply into focus.
For now, the ICO is focused on the more ostensibly straightforward issue of cookie banner compliance — i.e., whether users are given the choice to accept or reject some or all of the non-essential cookies that will, if they consent, be placed on their device.
In November 2023, the ICO wrote to 53 of the UK’s 100 biggest websites to warn them of enforcement action if they didn’t bring their cookie practices into compliance. At a conference last month, John Edwards reported that 38 of those organisations had changed their cookie banners, and four had committed to doing so by the end of March.
The eagle-eyed among you may have spotted that, in its November announcement, the ICO said that it would “provide an update on this work in January, including details of companies that have not addressed our concerns”.
That didn’t happen. But assuming this really is the ICO’s last warning, there are three things I’ll be looking out for.
- Why, after having been contacted by the ICO, did the remaining websites choose not to comply? Do they believe that they’re already compliant? Or is it something more benign?
- “Enforcement” is not a synonym for “fine”. Indeed, the ICO typically issues reprimands and enforcement notices rather than monetary penalties. That said, and given the circumstances (the big lead up, recalcitrant controllers, wanting to make a statement), it’s not unreasonable to think that the ICO will issue a series of fines. But I wouldn’t put my mortgage on it.
- Presumably, the ICO will tie a penalty amount to the UK GDPR rather than PECR, whose ceiling is £500,000. But in any event, it seems unlikely that the amounts will get near the CNIL’s cookie-related fines (ranging between €5 million and €60 million).
If you’re not among the UK’s largest websites, you may conclude that you’re not in the ICO’s sights — and that’s probably right, if for no other reason than the law of averages. But that’s unlikely to always be the case. So if you’ve been putting off addressing your cookie practices, now is a good time to start.
And lastly…
I co-wrote a piece for Law360 on the Digital Operational Resilience Act, aka DORA, a broad-ranging EU law that takes effect in less than a year (on 17 January 2025). If you're a financial services firm with an EU nexus, or provide important ICT services to those firms, you're likely to be in scope. In the article I look at what DORA requires — and some suggested next steps for meeting those requirements. The non-paywalled link is here.