Privacy in the time of a Pandemic
While many have pressed pause on ‘business as usual’ as a result of Covid-19, the importance of privacy and compliance with data protection law has found itself in the spotlight. Regulators over the past five months have shown that the integrity of data protection is more important than ever in a time where businesses and services have moved online and data is at the forefront of communication, connection and the government’s test and trace. In this article we set out the recent developments in data protection law and how they have impacted businesses during this Covid-19 pandemic.
Restaurants and pubs have reopened and been asked by the UK government to support the NHS Test and Trace response by collecting contact details of their customers. As a result, businesses which may not previously have collected personal data must now comply with the applicable data protection laws in order to comply with the Test and Trace.
As offices reopen businesses are implementing measure to keep their workers safe including following government guidance on returning to work. Safety measures may include tracking who is in the office and when, routine temperature checks and/or surveys on symptoms, all of which include the collection of employee or visitor personal data.
This increase in the collection and processing of personal data must be done in compliance with applicable data protection law. Businesses must consider their lawful basis for processing the personal data and consider whether their collection of such personal data is necessary and proportionate for the purpose of protecting customers, employees and/or visitors against the Covid-19 virus. In addition, the personal data collected should only be processed for as long as is necessary for the purpose for which it was collected and must be stored security.
Schrems II – International data transfers
On 16th July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism by which to transfer personal data from the EU to the United States. Businesses can take some comfort as the judgement did state that the Standard Contractual Clauses (“SCCs”) remain valid, although it reinforced the obligation on businesses to verify the level of data protection offered by the importer prior to implementing the SCCs. For further background on this case, please see here.
This judgment reinforces the European Commission’s view that the protection of personal data is paramount and that the high standards of protection set by the GDPR should not be compromised. As such, all businesses relying on the Privacy Shield to transfer personal data to the US should review their data flows and consider what alternative transfer mechanisms are required.
Age Appropriate Design Code
The Information Commissioner’s Officer’s Age Appropriate Design Code (the “Code”) will come into force on 2nd September 2020 with a 12 month transition period. The purpose of the Code is to ensure that online service providers implement appropriate safeguards to protect children’s personal data. The Code introduces 15 standards, which the UK government’s explanatory memorandum has stated are not technical standards but are ‘a set of technology-neutral design principles and practical privacy features’ to put the protection of children’s personal data as a ‘default setting’.
The Code further entrenches the principles of ‘privacy by design’ implemented by the GDPR and the Data Protection Act 2018. Any business providing online products or services that process personal data and are likely to be accessed by children must implement the strict requirements of the Code in order to comply.
Interpol released a report on 4th August 2020 showing the increase in cyberattacks during Covid-19 and a shift in focus of cyber criminals from individuals and small businesses to major corporations, governments and critical infrastructure. The report found that cybercriminals are targeting their attacks in order to exploit the uncertainty caused by Covid-19 at a time of increased online dependency. The exploitation of Covid-19 in online scams and phishing attempts has seen cybercriminals entice victims into providing their personal data by impersonating government and health authorities.
Businesses need to be aware of this increased risk and should take this opportunity to ensure their cyber defences are up to date. This is particularly important considering the obligation to protect personal data from any unauthorised access under data protection law alongside businesses’ possible increase in processing of personal data, including sensitive personal data, in connection with measures implemented by businesses during Covid-19.
While the Schrems II judgement and the Age Appropriate Design Code have been in the pipeline for a number of years, their impact on them being handed down and implemented during Covid-19 cannot be underestimated. Both the judgment and the Code show a momentum towards, and a re-enforcement of, the high standards of privacy required to comply with the GDPR and Data Protection Act 2018. This reiteration of the primacy of data protection has come at a time where businesses have gone online, the collection of personal data has increased and the risk of cybercrime is on the rise. As such, businesses should review their internal practices and ensuring that they are compliant with data protection law as it is evolving in the context of our new working world.
Sponsor Licence Compliance: Key considerations & how to be audit ready
Join us for the third in our series of mini webinars on post Brexit immigration about sponsor licence compliance.
The Future of Property Careers
Join to our panel discussion and Q&A with industry leaders on the range of opportunities within the property and construction sector.
New tax on property developers - consultation paper published
The government published a consultation paper on the design of the new residential property developers tax.
Procuring modular housing: Is MMC becoming mainstream?
Is Modern Methods of Construction becoming mainstream? Read what it means for Development and Procurement here.
Dual class share structures: how do they work and what are the pros and cons?
Dual class share structures allow a shareholder, for example the founder, to retain voting control over a company.
Q&A: Talking the telecoms talk
Georgina Muskett and Jonathan Wills answer queries on Electronic Communications Code agreement.
Property Patter: Navigating the complexities of Pharmacy Property
Pharmacy property is a specialist area which contains many traps for the unwary.
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Music to our ears? Well, perhaps not for Apple.
A feud first began when the music streaming giant, Spotify, filed a complaint against music streaming provide rand competitor, Apple Inc.
Linking ESG and Executive Pay
How does a business go about embedding a focus on strong ESG performance into the structures and culture of its organisation?
National Security and Investment Act granted Royal Assent
The Act establishes a new regime for the review of mergers, acquisitions and other transactions that could threaten national security.
Recent Trends In Firewall Legislation: BVI, Bermuda And Gibraltar
Charles Russell Speechlys advises Waverton on acquisition of Cornerstone Asset Management
Established in July 2010 and with offices in Edinburgh and Glasgow, Cornerstone offers wealth management and financial planning advice.
What do the new Debt Respite Scheme Regulations mean for Landlords and Tenants?
This will provide legal protection from creditors in the form of either a breathing space or a mental health crisis moratorium.
Charles Russell Speechlys promotes five to Partner
The promotions are effective 1 May 2021 and are accompanied by one Legal Director and 15 Senior Associate promotions.
Risk allocation in commercial leases: the High Court considers rent suspension, insurance and frustration arguments
Read our summary of the full judgement on the latest Covid arrears case.
Charles Russell Speechlys boosts private wealth offering with the hire of an international tax team
Robert Reymond will be joined at the firm by Leigh Nicoll, Emma Tyrrell and Oliver Cooper.
Proposed Takeover Code Amendments – Key Changes
The Consultation Paper has now been followed by a corresponding response paper which made certain modifications to the initial proposals.
Competition and Markets Authority announces review of the EU vertical agreements block exemption
The UK Competition and Markets Authority is reviewing the future application of the EU vertical agreements block exemption in the UK.
Playing Copycat – Why have M&S begun legal action against Aldi over Colin the Caterpillar?
M&S’s chocolate caterpillar was the first of its kind to land on our supermarket shelves, over 30 years ago.