Data Protection Update - January 2018

Author:Mr Jonathan Kirsop and Alison Llewellyn
Profession:Stephenson Harwood

Happy New Year and welcome to the latest edition of our Data Protection update, our review of key developments in Data Protection law covering December 2017 and January 2018.


EU Commission: "UK will be a 'third country' for personal data transfers from the point of Brexit"

The European Commission has confirmed that, subject to any transitional arrangement that may be agreed following Brexit, the UK will be considered a "third country" for data transfers as such transfer of personal data would constitute a transfer out of the EEA.

Unless EU and UK officials agree on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 in the comfort that such transfers will be compliant with EU data protection legislation, namely the General Data Protection Regulation (GDPR).

One way in which data could continue to be transferred between the EU and the UK, post Brexit, is if the Commission passes a decision that the UK's data protection legislative framework provides adequate protection of personal data (a so called "Adequacy Decision"). Examples of such countries which have been deemed adequate are Switzerland, Israel, Jersey and Argentina.

In the absence of an Adequacy Decision, the GDPR permits a data transfer to a third country if a controller or processor has an alternative appropriate safeguard (e.g. a compliant data transfer agreement/binding corporate rules) in place.

We will keep you updated of any developments as to UK to EU data transfers following Brexit. In the meantime if you have any questions with regards to transferring data to "third countries", do let us know.

To read the Commission's notice to stakeholders, please click here.

Article 29 Working Party releases draft guidelines on "Transparency" and "Consent under the GDPR"

The Article 29 Working Party (WP29) has published draft guidelines on consent and transparency under the GDPR.

As the guidelines are still in draft form, we have set out a high level overview of each below and will issue with more detailed summaries when the WP29 publish the finalised guidelines.


The transparency obligations contained in the GDPR require controllers to provide certain prescribed information to data subjects regarding the processing of their personal data. A common approach adopted by businesses looking to meet their transparency obligations is to provide such information in a privacy policy or 'fair processing notice'. Key takeaways from the draft guidelines include:

Controllers should present information efficiently. The WP29 recommends layered notices to avoid information fatigue. The first layer of these should provide a clear overview of intended processing (including information that will have the most impact on the data subject and processing activities which could surprise the data subject) and set out where further, more detailed, information can be found (e.g. via a hyperlink). Provide 'intelligible' notices. An 'intelligible' notice is one that can be understood by an average member of the intended audience. Controllers should regularly check notices are tailored to the actual audience. For complex, technical or unexpected processing, in addition to giving notice, it is best practice to also spell out the consequences of the specific processing to the individual. The individual should not have to work to find the information. Information should be clearly flagged to the data subject. For example: a website privacy notice should be clearly visible on each page of a website under a commonly used term ('Privacy', 'Privacy Policy' etc.); and for apps, notice should be made available from the online store prior to download. Once the app is installed, the WP29 state the privacy notice should never be "more than two taps away". Information should be provided in a simple manner. It should not be phrased in vague or abstract terms or leave room for different interpretations. Qualifications such as 'may', 'might', 'some', 'often' and 'possible' should ideally be avoided. Consent

The WP29's draft guidelines provide a thorough analysis of the notion of consent under the GDPR, including providing commentary on each of the required elements for obtaining valid consent. By way of reminder consent must be (i) freely given, (ii) specific...

To continue reading