Data Blast: US-UK data agreement; Facebook settles with UK ICO; California update; German fining model; and China’s children policy….

UK and US enter into Bilateral Data Access Agreement

On October 3rd, the UK and United States entered into the first ever CLOUD Act Agreement, the US-UK Bilateral Data Access Agreement, under which UK and American law enforcement agencies may request electronic data pertaining to serious crime and terrorism with fewer legal barriers.

Currently, such requests are dealt with under law established in the 1980s, and may take up as long as two years to effect. The Agreement seeks to reduce this time frame considerably, while (according to the US Justice Department) protecting privacy and enhancing civil liberties.

The agreement lifts restrictions on several investigation classes, and seeks to assure data providers that any disclosures under the agreement will comply with relevant data protection law. Both nations have also committed to obtain the other's permission before using data gained under the agreement in prosecutions relating to essential interests, namely freedom of speech cases in the UK and death penalty prosecutions in the US.

Key to the agreement is that, after appropriate court authorisation, law enforcement may access data directly from tech companies in the other country, rather than having to go through their corresponding branch of government. All data access requests will require independent judicial authorisation and oversight.

Effectively, the agreement provides UK authorities the right to issue a data request that is equivalent to that of a US court, while US authorities have a corresponding right in the UK.

While concerns abound that law enforcement will later seek to interpret the agreement to grant greater access than was initially envisioned, it helps deal with the problem faced by investigators who seek vital evidence from communication services companies based in different jurisdictions.

ICO and Facebook reach settlement agreement

The ICO reached an agreement with Facebook in relation to a monetary penalty notice of £500,000 issued on October 24th 2018.

Issued under the Data Protection Act (DPA) 1998, the notice was made in relation to an investigation launched in 2017 by the ICO regarding the misuse of personal data in political campaigns. Specifically, the notice identified failings related to compliance with UK data protection principles, including lawful processing.

Facebook appealed the notice in November 2018, and in June the First Tier Tribunal issued an interim decision stating that allegations of bias on the part of the ICO and procedural fairness issues should form part of the appeal, a decision which the ICO then appealed.

Under the agreement, Facebook will pay the £500,000 fine but make no admission of liability, and each party will pay its own legal costs. Furthermore, Facebook will be allowed to retain documents disclosed by the ICO relating to its investigation into Cambridge Analytica.

California breach notification law updated

In early October, California Governor Gavin Newsom signed into law AB1130, broadening personal data types that fall under California’s data breach notification law, effective January 1st 2020.

When included with a person’s name, this data will now include additional government identifiers such as passport numbers, military ID numbers and other government ID used to verify a person’s identity. Also included is biometric data generated from the analysis or measurement of the human body, such as retinal or fingerprint images, used to identify individuals.

These additions do not include digital or physical photographs, save when they are stored or used for the purposes of facial recognition.

Importantly, AB1130 requires reporting entities, when reporting biometric data breaches, to instruct ‘on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on that data for authentication purposes.’

The German data protection authority publishes new GDPR fining model

The German Datenschutzkonferenz (DSK) has published details of a model which it intends to use to calculate fines under Article 83 of the GDPR.

Since the introduction of the GDPR last year there have been surprisingly few large fines imposed by the German authorities. This is in contrast to the large fines imposed by other national data authorities. It is understood that one of the main drivers for the new model is that the German authorities have lacked a systematic, transparent and comprehensive approach to the calculation of fines.

The proposed model incorporates 5 steps, as outlined below:

  1. The violator is assigned to a group based on its total global turnover in the previous year;
  2. The DSK determines the average annual turnover of the undertaking based on the specific group;
  3. The DSK calculates the daily rate;
  4. The DSK undertakes a severity assessment of the offence to establish the ‘fine corridor’; and
  5. The DSK modifies the fine to take into account the nature of the offence and the effect on the data subject.

It is predicted that the application of the new model will lead to significantly higher fines than those imposed by the German authorities since the GDPR came into force. It will be interesting to see if other countries adopt a similar formulaic mechanism for the calculation of fines in the future.

China’s first regulation on children’s online privacy

China’s Regulation on Cyber Protection of Children’s Personal Information (the ‘Regulation’) finally became effective on October 1st 2019. We first reported on the draft Regulation proposed by the Cyberspace Administration of China (CAC) in an earlier Blast here.

Children are defined in the Regulation as minors under 14 years old. The Regulation applies to the collection, storage, use, transfer and disclosure of children’s personal information through online networks. The Regulation requires data controllers to treat the personal information of children as sensitive personal information and to obtain express consent from the children’s guardians for processing of personal information.

The Regulation marks an important milestone in the development of China’s data protection laws, as it contains the first rules focused on the protection of children’s personal information in China. The Regulation does not apply to activities conducted outside China or to activities conducted offline.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.