Data in the News – January 2020
According to the Financial Times, the UK is at the “end of the queue” for a deal to allow data to continue to flow freely with the EU after Brexit, according to a senior European official.
Talks over the future trade relationship between the UK and the EU will begin early next year, but officials in Brussels have warned that with only 11 months until a Brexit transition period ends in December 2020, the window may be too tight for an agreement on data.
Wojciech Wiewiorowski, the EU’s new data protection supervisor, said the UK was “13th in the row” of countries that are negotiating data deals with Brussels. Allowing the UK to skip the queue “would be a little bit unfair towards those who have already prepared themselves for this process,” he added.
The government has apologised "to all those affected" after it accidentally published addresses of more than 1,000 New Year Honour recipients online. The file, which included details of senior police officers and politicians, was uploaded to an official website on Friday evening and removed on Saturday. The Cabinet Office told the BBC it was "looking into how this happened".
Among the addresses were those of Sir Elton John and former director of public prosecutions Alison Saunders. Also on the list of 1,097 honours recipients were high-profile names such as cricketer Ben Stokes, former Conservative Party leader Iain Duncan Smith, TV cook Nadiya Hussain, and former Ofcom boss Sharon White.
The data breach was described as "farcical and inexcusable" by privacy campaign group Big Brother Watch.
As the UK struggles to chart out its post-Brexit response to GDPR, other geographies are going ahead with their own privacy initiatives inspired by the European Union’s regulation. California joined the list on 1 January, bringing the California Consumer Privacy Act (CCPA) into effect.
The implications of the Act will be felt in the UK too, privacy regulation experts told SC Media UK.
Cleared unanimously in June 2018, the legislation -- the first US legislation to have a comprehensive group of regulations around consumer data -- came to effect after braving strong dilution attempts from the powerful tech lobby in the country.
Stripped to the bones, the law allows residents of California to see the data about them collected by companies, know whether the data was sold and which companies bought it, direct businesses to stop selling that data to third parties and even demand deleting the entire dataset.
Companies, from tech giants Apple, Google and Facebook to public service websites that accesses user information, come under the ambit of the law.
The transfer of personal data lies at the heart of much of online activity. Since many of the leading online companies were founded and have their headquarters in the US, that typically means that huge quantities of personal data cross the Atlantic every day. If information concerns EU citizens, those data flows are governed by a variety of privacy laws, most notably the GDPR. Under EU law, for data transfers outside the region to be legal, they must be to locations that offer “adequate” privacy protection. “Adequacy” is decided by the European Commission, which tends to take a fairly lenient view of things in order to facilitate international data transfers.
Privacy activists naturally take a more stringent approach and have turned to the courts in order to challenge the Commission’s adequacy decisions. This happened most famously to the Safe Harbor framework, which had been agreed between the US and EU in order to provide what the European Commission considered to be adequate protection. In 2015, the EU’s top court, the Court of Justice of the European Union (CJEU) ruled that the “adequacy” ruling was “invalid”. To prevent most transatlantic data transfers becoming illegal as a result, the US and EU hurriedly drew up a replacement scheme, Privacy Shield, which was designed to address the concerns of the CJEU.