Risk and Compliance Update - 10th June


In this issue:

Data protection

Financial crime

UK/EU divergence—have your say


Data protection

The new EU GDPR standard contractual clauses for international transfers

Information Law analysis: On 4 June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses (SCCs) for the transfer of personal data to third countries. This follows the draft implementing decision and clauses issued by the Commission for consultation on 12 November 2020. The Implementing Decision is effective on the 20th day following its publication in the Official Journal of the EU (OJEU), which occurred on 7 June 2021, meaning that the clauses can be used from 27 June 2021. Ariane Mole, Ruth Boardman and Gabriel Voisin, partners at Bird & Bird, explain.

See News Analysis: The new EU GDPR standard contractual clauses for international transfers, LNB News 04/06/2021 47 and LNB News 07/06/2021 21.

Commission publishes SCCs for arrangements between controllers and processors in the EEA

The European Commission has published a decision and associated SCCs to fulfil the requirements for contracts between controllers and processors in Article 28(3) and (4) of Regulation (EU) 2016/679, the EU’s General Data Protection Regulation (the EU GDPR) (and of equivalent requirements of Article 29(3) and (4) of Regulation (EU) 2018/1725 which governs the processing of personal data by EU institutions).

See: LNB News 07/06/2021 15.

Commission Implementing Decision on standard contractual clauses between controllers and processors published in Official Journal

Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on SCCs between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, has been published in the Official Journal.

See: LNB News 07/06/2021 20.

Liability of an EU representative appointed under Article 27 of the GDPR (Rondon v LexisNexis Risk Solutions)

The High Court has ruled that an EU representative appointed under Article 27 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), is not directly liable for the non-compliance of the entity it represents. The representative’s liability is instead limited to its compliance with its own statutory obligations (in its capacity as such). The ruling is a pragmatic and welcome interpretation of some ambiguity within Article 27 and Recital 80 of the GDPR, which had previously caused some uncertainty. It is worth noting that, following Brexit, businesses which are based outside the EU and UK and which process personal data of EU or UK data subjects now need to consider the appointment of not only an EU representative but also a UK representative. The analysis and decision of the High Court in this case applied in the context of the EU GDPR, but it should logically apply in the same way to the liability of a UK representative under the UK GDPR. Written by Hamish Corner, partner at Shoosmiths LLP.

See News Analysis: Liability of an EU representative appointed under Article 27 of the GDPR (Rondon v LexisNexis Risk Solutions).

ICO fines the Conservative Party £10,000 for sending unlawful emails

The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them. The fine has been issued following an ICO investigation relating to emails sent from the Conservative Party in the name of the Prime Minister Boris Johnson after he was elected Prime Minister in 2019. The emails promoting the party’s political priorities were directly addressed to the people they were sent to by name and included a link directing them to a website for joining the Conservative Party.

See: LNB News 03/06/2021 10.

ICO fines three companies for nuisance marketing

The ICO has fined Colour Car Sales Ltd (CCSL), Solarwave Ltd and LTH Holdings a total of £415,000 for sending nuisance marketing to people about car finance, solar panels and funeral plans. None of the three companies had the valid consent required to send direct marketing, in breach of the Privacy and Electronic Communications Regulations 2003, SI 2003/2426.

See: LNB News 08/06/2021 72.

NOYB to launch plan to end deceptive cookie banners

NOYB, a non-profit organisation whose name is a play on ‘none of your business’, has announced that it has developed software to automatically detect websites that use deceptive practices to frustrate the public into consenting to cookies. The non-profit has said that 90% of users agree to cookies, when statistics show that only 3% actually want to agree. In an opening salvo, NOYB has sent draft GDPR complaints to 500 companies, and plans to send another 10,000 over the next year. NOYB has said that it will give companies a one-month grace period before filing official complaints.

See: LNB News 07/06/2021 50.

Financial crime

CPS updates money laundering offences guidance to encourage disclosure of suspicious activity

The Crown Prosecution Service (CPS) has updated its guidance on money laundering offences, particularly in relation to the prosecution of standalone ‘failure to disclose’ cases under section 330 of the Proceeds of Crime Act 2002 (POCA 2002). The guidance now clarifies that a POCA 2002, s 330 offence can be prosecuted after 2 June 2021 irrespective of whether an offence of money laundering has been substantiated. The updated guidance aims to encourage people to come forward to disclose any suspicion of money laundering to law enforcement.

See: LNB News 04/06/2021 40.

Law Commission launches consultation on corporate criminal liability reform

The Law Commission has opened a consultation on whether the law regarding corporate criminal liability can be improved to adequately punish offences committed by corporations, and if so, in which ways. Potential improvements suggested by the Law Commission include reforming the identification principle to encompass companies with complex decision-making structures, and extending the scope of ‘failure to prevent’ offences to cover fraud and other offences an employee may commit which benefit the company. Responses should be sent in by 31 August 2021.

See: LNB News 09/06/2021 86.

Warnings and guideposts from EU sanctions blocking case

Law360: International companies and their lawyers have long struggled to satisfy competing imperatives contained in US and EU legislation across myriad regulatory regimes.

See News Analysis: Warnings and guideposts from EU sanctions blocking case.

UK/EU divergence—have your say

Please click here to participate in our Customer Survey—UK/EU Divergence. The aim of the survey is to gather insight into customer needs and preferences for PSL coverage of how UK law diverges from EU law arising from the UK’s departure from the EU. The survey also covers potential for divergence within the devolved administrations of the UK (in areas where EU previously had competence), as well as needs around EU materials going forward. It should take around 20 minutes to complete.


About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.