Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.

Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).

The requirement that there be a contract between data controllers and their data processors is not itself new.  Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring processor to process the personal data solely in accordance with the instructions of the controller.

But the contract requirements under the GDPR are much more expansive. Continue Reading Have you started auditing your contracts with your service providers that handle EU personal data?  UK Information Commissioner’s Office issues draft guidance for compliance with the GDPR’s contracting requirements.  

When small and mid-size companies start expanding their apps or web presence into Europe, they need to start thinking about EU data protection laws.  It’s tempting to take a look at what one or two of the “big guys” do about EU data protection compliance and think that whatever  the big guys do in Europe must be good enough.  But the ongoing saga between Google and the EU’s data protection authorities shows that this approach shouldn’t be adopted uncritically.

In the latest Google EU privacy development, Google has signed an undertaking (binding commitment) with the UK’s data protection office (the ICO) to make a number of changes to its privacy policy.  Google has been in dialogue with EU data protection offices both at the country level and through the Article 29 Working Party since Google adopted a unified privacy policy across its products and businesses in 2012.  While the ICO has recognized that Google has made progress since 2012, the ICO has recently determined that “further improvements” are needed.  Google has agreed to a number of specific requirements, including:

  • Making it easier for users to find information about Google’s privacy policy.
  • Describing its data processing activities more clearly in its privacy policy, including clarifying the types of information that it processes, the purposes, and how users can exercise their rights.
  • Providing “clear, unambiguous and comprehensive information” regarding its data processing,” including an “exhaustive list of the types of data . . . and purposes.”
  • Providing more information about its use of anonymous identifiers (a next-generation tracking/behavioral profiling technology that’s being developed and may eventually replace cookies).
  • Educating its employees better concerning notice and consent requirements.
  • Making sure that users are equally protected regardless of what device they are using (mobile phones, tablets, desktops, and any new devices that are invented).

Google has committed to putting these changes into effect by June 30, 2015.  In the meantime, Google’s undertaking provides a useful spotlight on the areas of EU data protection compliance that the ICO (and other data protection offices) think require significant attention.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) The UK’s Information Commissioner’s Office (ICO) is accepting comments from the public on a proposed UK privacy seal program.  The deadline for comments is October 3, 2014.

The ICO intends to endorse at least one privacy seal program in 2015.   Privacy seal programs are voluntary privacy frameworks (such as TRUSTe, BBBOnLine and WebTrust) that are run by third party organizations.   The ICO is seeking UK-specific programs and has articulated various requirements for such programs.  The draft criteria and consultation document are available on the ICO website.


Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The UK ICO has come through yet again with some clear guidance as to how to apply the UK’s data protection laws in connection with requests by individuals for access to their personal data.  While we are waiting with bated breath for a final version of the new Data Protection Regulation (earlier posts here and here), it’s worth remembering that compliance with the existing regime is still vital – and any guidance from the ICO regarding the current statutory requirements is certainly worth noting.

The Data Protection Act 1998 (Section 7) gives individuals the right to request disclosure of the information that an organization holds about them.  (Other EU countries have similar access rights, as required by the current Data Protection Directive.) The latest guidance from the ICO addresses the potentially daunting question of how to respond to such “subject access requests.”

In a nutshell, individuals have the right to know what personal information is held by an organization, the source of the information, whether their personal information is being processed and for what reasons, and whether it will be shared with third parties.  Individuals are entitled to receive a copy of their personal information.  Individuals can also request information about the reasoning behind any automated decisions (such as assessments of creditworthiness).

Answering subject access requests may involve significant resources, but organizations are allowed to charge no more than £10 (around $15) for responding.  As individuals become more aware of their access rights, it is becoming more critical for organizations to hold and process personal data in highly traceable ways that will allow a streamlined, low-cost response to such requests.  Organizations should also be aware that subject access requests are likely to crop up if there is a brewing dispute with a consumer.

If you are faced with a subject access request, you can get quick, high-level guidance via the ICO’s online checklist.   The checklist provides a useful first cut, but it is likely that most organizations will want more guidance.  For that, see the new fifty-eight page Subject Access Code of Practice – and consider contacting a member of your Mintz Levin privacy team to help you respond appropriately within the permitted 40 day response period.  A quick and appropriate response is not only a legal requirement – it’s also a good way to avoid negative publicity! 

Written by Susan Foster, Solicitor England & Wales/Admitted in California


EC Cloud Partnership

The European Commission recently announced a €10 million campaign aimed at establishing standards and voluntary certification programs to make cloud computing services better aligned with European data protection laws.  The EC intends to leverage the purchasing power of national and local governments throughout Europe to persuade cloud providers to adapt their services to meet European levels of data security and portability, as well as improving transparency to end users concerning how and where their data are processed.  Although the EC stresses that compliance will be voluntary, it’s clear that there will be significant commercial pressure on cloud providers to meet the EC standards, which are to be defined by the end of 2013.

In a nutshell, the EC wants to ensure that individuals, governmental entities, companies and other organizations that want to use cloud services will not need to be concerned that cloud service providers will fail to meet the relatively stringent European data protection requirements.  The EC sees this concern as an obstacle to wider adoption of cost-saving cloud services in Europe.  The EC solution will include both technical (standard setting) and legal elements.  The EC has already signaled that it intends to develop model contract terms covering data preservation after a cloud service contract ends, data disclosure and integrity, data location, data transfer, ownership of data and liability.

EU Press Release:  Digital Agenda: New strategy to drive European business and government productivity via cloud computing

EU Memo: Unleashing the Potential of Cloud Computing in Europe – What is it and what does it mean for me? 

ICO Guidance on Personal Data and Cloud Computing

The recent announcements from the EC concerning cloud computing are complemented by useful guidance published by the United Kingdom’s Information Commissioner’s Office on personal data and cloud computing.  None of the recommendations in the UK’s new guidance are startling – the basic proposition is that data controllers remain responsible for the processing of personal data whether done via the cloud or more traditional means.  However, there are examples that could be useful in determining how the UK’s data protection laws can be satisfied in the context of cloud services.  The ICO has also provided a helpful checklist of things to consider when using cloud services – this list could be particularly useful when reviewing a new contract for cloud services, or doing a contract audit to check whether current arrangements are adequate.  And to its credit, the ICO managed to fit the checklist on a single, user-friendly page.

ICO Guidance on the Use of Cloud Computing (see page 23 for the useful checklist)