Welcome to this month's data protection newsletter where we have highlighted recent developments over the summer months. It's been a busy period for cases and new guidance!
• Draft ICO data sharing code (for sharing between data controllers)
• ICO updates guidance on timings for responding to a DSAR
• Changes to Civil Procedure Rules regarding how data protection claims should be brought before the English Courts (in effect from 1 October)
• EDPB draft guidelines on video surveillance
• ECJ Fashion ID case confirms that the operators of websites can be joint controllers with Facebook in respect of the collection and transmission to Facebook of visitor data (but not in respect of subsequent processing)
ICO guidance on cookies
In July, the ICO published its cookie guide, accompanied by a short myth-busting article on the topic. The ICO's cookie consent banners have also been changed, to reflect the new guidance.
Data sharing: ICO publishes new draft code on data sharing
On 16 July 2019, the ICO published an updated draft data sharing code of practice, which explains and advises on changes to data protection legislation relevant to data sharing.
The ICO has selected its first 10 participants (out of 64 applications) for the initial beta phase of its data protection Sandbox.
Research issued by the ICO in July shows top concerns from respondents.
ICO published Annual Report 2018-19
The ICO has reported that last year's trends have continued, with members of the public increasingly aware of their privacy rights and an increase in complaints as a consequence of this.
Update on Progress of the Children’s Code
Since its publication in April, the ICO has received over 450 written responses and met with more than 40 key stakeholders. In her latest blog post, the Commissioner expressed optimism that the consultation has helped ensure the final Code is effective, proportionate and achievable.
ICO changes guidance on meaning of a 'month' on data request responses
The ICO has updated its guidance on the meaning of a month.Click here to read more >
C v Chief Constable of the Police Service of Scotland  CSOH 48;  6 WLUK 447 (OH)
In the course of a police investigation into a sexual offence, an officer seized a suspect’s phone and discovered offensive Whatsapp messages between other officers unrelated to the investigation. The 10 police officers involved were seeking an order to prevent the Whatsapp conversations being used in relation to misconduct charges against them, on the basis that it would be an infringement of their common law right of privacy and incompatible with their right to respect for their private and family life under Article 8 of the ECHR.
Mircom International Content Management & Consulting Ltd, Golden Eye & Ors v Virgin Media Ltd & persons unknown  EWHC 1827 (Ch)
In this case, the High Court considered the correct legal approach to granting a Norwich Pharmacal order requiring an internet service provider (Virgin Media) to disclose the names and addresses of tens of thousands of residential broadband subscribers accused of unlawfully downloading pornographic films to the Claimants.
Liberal Democrats v ICO: Information Rights Decision Notice, EA/2019/0161
This case related to an appeal against an Assessment Notice issued against the Liberal Democrats on 27 February 2019 which required the organization to give access to its premises and records during the period 10-14 June 2019 to enable the ICO to examine the processing of personal data. The main purpose of this audit was to "demonstrate to the Commissioner that the Liberal Democrats are complying with the data protection legislation, to highlight to the Liberal Democrats areas of risk to their compliance, and to make recommendations in areas that require improvement".Click here to read more >
‘Immigration exemption’ under scrutiny
The High Court in London began hearing an application for judicial review brought in respect of the ‘immigration control’ exemption in Schedule 2, Part 1, paragraph 4 of the Data Protection Act 2018. The exemption dis-applies a number of data subject rights, including the right to erasure, the right to access and the right to transparent information about the use of personal data to extent that complying with these rights would prejudice the maintenance of effective immigration control, or investigation or detection of activities that would undermine the maintenance of effective immigration control.
UK Government publishes its approach to regulating non-UK Digital Service Providers under the NIS Regulations after Brexit
The EU Security of Network and Information Systems Directive ("NIS Directive") aims to improve the security of network and information systems across Europe by introducing a legal framework with which Operators of Essential Services and Digital Service Providers ("DSPs") which offer services in the EU must comply. In the UK, this was implemented into national law via the Network and Information Systems Regulations 2018 ("NIS Regulations"), which will continue to apply after the UK exits the EU.
Changes in Civil Procedure Rules re DP Claims
The latest round of updates to the Civil Procedure Rules come into force on 1 October 2019 and contain significant developments in how data protection claims should be brought before the English Courts.
Click here to read more >
The Data Protection Act 2018 (Commencement No. 2) Regulations 2019 – (in force September 16)
The Data Protection Act 2018 (Commencement No. 2) Regulations 2019 have been passed bringing provisions of Part 4 of the Data Protection Act 2018 (intelligence services processing), so far as not already in force.Click here to read more >
EDPB holds 12th plenary session; adopts new guidance
On July 9th and 10th 2019, the European Data Protection Board (EDPB) held its most recent plenary meeting, adopting a raft of new guidance and opinions.
EDPB and EDPS: European Commission is a processor of patient data in the eHealth Digital Service Infrastructure
On 12th July 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Services Infrastructure (eHDSI).
EDPB’s review of the Austrian requirements for code of conduct monitoring bodies
On 9th July 2019, the European Data Protection Board (“EDPB”) adopted Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR following the submission by the Austrian data protection authority of its draft decision containing the accreditation requirements for a code of conduct monitoring body (the “Draft Decision”). The Opinion was adopted in furtherance of the GDPR’s consistency mechanism enshrined for present purposes in the EDPB’s Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”).
Schrems II: International Transfer Methods under the magnifying glass
On 9th July, the ECJ heard arguments on whether the Standard Contractual Clauses (SCCs) are effective to provide adequate protection for personal data, both as regards transfers to the US and in general (the so-called “Schrems II” case).
This ECJ decision deals mainly with the issue of “joint controllership” between Facebook and website operators using Facebook's 'Like' button on their website.
Gorlov and Other v Russia [ECtHR: 27057/06]
The ECtHR unanimously concluded that the right to respect for private life of detainees in prisons had been violated by a lack of safeguards in the national law regarding the use of CCTV in penal facilities. In the applicant's specific situation they were subject to constant CCTV monitoring in their cells that was not based on an individual decision and no process was in place to allow for regular review of whether such surveillance was appropriate.
On 10 July 2019 the Grand Chamber of the European Court of Human Rights ('ECtHR') held a hearing in the case of Big Brother Watch and others v the United Kingdom (58170/13). The hearing concerns three joined applications brought against the UK government by a total of 16 organisations and individuals who are journalists or actively campaign on civil liberties issues, relating to three different surveillance regimes: (i) bulk interception of communications; (ii) intelligence sharing with foreign governments; and (ii) obtaining communications data from communications service providers.
European Data Protection Supervisor: Guidelines for European Institutions on International Data Transfers after Brexit
The European Data Protection Supervisor ("EDPS") has issued guidelines for European Institutions on transfers to the UK following a 'hard/ no-deal Brexit' on 1 November 2019 i.e. if no withdrawal agreement is signed before this date. A withdrawal agreement would ensure the continued application of the GDPR, ePrivacy Directive and the Law Enforcement Directive in the UK until 31 December 2020 (with the possibility of a further extension, to 31 December 2022), such that, the UK would not constitute a third country before that date.
On 24 July the European Parliament published a study regarding blockchain and the General Data Protection Regulation ("GDPR").
To mark the one year anniversary of the GDPR coming into force (May 2018), the European Commission has published a 'reflective' report on progress made since that date.
The European Commission has referred Greece and Spain to the ECJ for failing to implement Directive (EU) 2016/680 (i.e. the Law Enforcement Directive) into national law by the 6 May 2018 deadline; recommending that prescribed administrative fines (lump sum penalties and daily penalty payments) should be imposed pursuant to Article 260 (3) of the Treaty on the Functioning of the EU ("TFEU").
Romanian DPA imposes its first GDPR fine to Unicredit Bank SA for breach of Article 25 of the GDPR (Privacy by Design) and failure to implement appropriate technical and organizational measures
For payments made via Unicredit Bank's online system as well as on bank statements, the payers' addresses and sometimes their national ID number was made accessible to the payment recipients. 337,042 individuals were affected by this breach.
In reaction to the announcement of a major Dutch bank that that it will use payment information to send targeted offers (direct marketing) to its customers and to a several complaints, the Dutch DPA sent a letter to Dutch banks asking them to review and reconsider their marketing practices.
The Danish DPA upheld the decision and confirmed the company's arguments.
The DPA of Hesse published a statement on July 9 addressing the legality of using Office 365 in German schools. The DPA argued that the use of Office 365 was not compliant with data protection regulations. It found data was stored in a datacentre to which US authorities have access to and that telemetry information (the extent of which is unclear) was sent back to the US.
In response to a complaint, the Greek DPA conducted an investigation on the lawfulness of processing of the personal data of PWC employees. PWC gave the impression that it relied on its employees' consent to process their personal data whereas, in reality, it relied on another legal basis.
The Swedish DPA has fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school.
This month we have seen a number of monetary penalties for data breaches and unsolicited marketing calls and an enforcement notice for failing to respond to a subject access request.