UK & EU Data Protection Bulletin: Summer 2019 Highlights

Welcome to this month's data protection newsletter where we have highlighted recent developments over the summer months. It's been a busy period for cases and new guidance!

Particular highlights include:

• Draft ICO data sharing code (for sharing between data controllers)

• ICO updates guidance on timings for responding to a DSAR

• Changes to Civil Procedure Rules regarding how data protection claims should be brought before the English Courts (in effect from 1 October)

• EDPB draft guidelines on video surveillance

• ECJ Fashion ID case confirms that the operators of websites can be joint controllers with Facebook in respect of the collection and transmission to Facebook of visitor data (but not in respect of subsequent processing) 

View the full bulletin >

UK and EU Data protection podcast

To listen to our podcast, click here >>


ICO guidance on cookies

In July, the ICO published its cookie guide, accompanied by a short myth-busting article on the topic. The ICO's cookie consent banners have also been changed, to reflect the new guidance.

Click here to read more >

Data sharing: ICO publishes new draft code on data sharing

On 16 July 2019, the ICO published an updated draft data sharing code of practice, which explains and advises on changes to data protection legislation relevant to data sharing.

Click here to read more >

ICO's Sandbox

The ICO has selected its first 10 participants (out of 64 applications) for the initial beta phase of its data protection Sandbox.

Click here to read more >

ICO's Information Rights Strategic Plan: Trust and Confidence

Research issued by the ICO in July shows top concerns from respondents.

Click here to read more >

ICO published Annual Report 2018-19

The ICO has reported that last year's trends have continued, with members of the public increasingly aware of their privacy rights and an increase in complaints as a consequence of this.

Click here to read more >

Update on Progress of the Children’s Code

Since its publication in April, the ICO has received over 450 written responses and met with more than 40 key stakeholders. In her latest blog post, the Commissioner expressed optimism that the consultation has helped ensure the final Code is effective, proportionate and achievable.

Click here to read more >

ICO changes guidance on meaning of a 'month' on data request responses

The ICO has updated its guidance on the meaning of a month.

Click here to read more >

UK cases

C v Chief Constable of the Police Service of Scotland [2019] CSOH 48; [2019] 6 WLUK 447 (OH)

In the course of a police investigation into a sexual offence, an officer seized a suspect’s phone and discovered offensive Whatsapp messages between other officers unrelated to the investigation. The 10 police officers involved were seeking an order to prevent the Whatsapp conversations being used in relation to misconduct charges against them, on the basis that it would be an infringement of their common law right of privacy and incompatible with their right to respect for their private and family life under Article 8 of the ECHR.

Click here to read more >

Mircom International Content Management & Consulting Ltd, Golden Eye & Ors v Virgin Media Ltd & persons unknown [2019] EWHC 1827 (Ch)

In this case, the High Court considered the correct legal approach to granting a Norwich Pharmacal order requiring an internet service provider (Virgin Media) to disclose the names and addresses of tens of thousands of residential broadband subscribers accused of unlawfully downloading pornographic films to the Claimants.

Click here to read more >

Liberal Democrats v ICO: Information Rights Decision Notice, EA/2019/0161

This case related to an appeal against an Assessment Notice issued against the Liberal Democrats on 27 February 2019 which required the organization to give access to its premises and records during the period 10-14 June 2019 to enable the ICO to examine the processing of personal data. The main purpose of this audit was to "demonstrate to the Commissioner that the Liberal Democrats are complying with the data protection legislation, to highlight to the Liberal Democrats areas of risk to their compliance, and to make recommendations in areas that require improvement".

Click here to read more >

Other UK News

‘Immigration exemption’ under scrutiny

The High Court in London began hearing an application for judicial review brought in respect of the ‘immigration control’ exemption in Schedule 2, Part 1, paragraph 4 of the Data Protection Act 2018. The exemption dis-applies a number of data subject rights, including the right to erasure, the right to access and the right to transparent information about the use of personal data to extent that complying with these rights would prejudice the maintenance of effective immigration control, or investigation or detection of activities that would undermine the maintenance of effective immigration control.

Click here to read more >

UK Government publishes its approach to regulating non-UK Digital Service Providers under the NIS Regulations after Brexit

The EU Security of Network and Information Systems Directive ("NIS Directive") aims to improve the security of network and information systems across Europe by introducing a legal framework with which Operators of Essential Services and Digital Service Providers ("DSPs") which offer services in the EU must comply. In the UK, this was implemented into national law via the Network and Information Systems Regulations 2018 ("NIS Regulations"), which will continue to apply after the UK exits the EU.

Click here to read more >

Changes in Civil Procedure Rules re DP Claims

The latest round of updates to the Civil Procedure Rules come into force on 1 October 2019 and contain significant developments in how data protection claims should be brought before the English Courts.

Click here to read more >

UK Legislation

The Data Protection Act 2018 (Commencement No. 2) Regulations 2019 – (in force September 16)

The Data Protection Act 2018 (Commencement No. 2) Regulations 2019 have been passed bringing provisions of Part 4 of the Data Protection Act 2018 (intelligence services processing), so far as not already in force.

Click here to read more >


EDPB holds 12th plenary session; adopts new guidance

On July 9th and 10th 2019, the European Data Protection Board (EDPB) held its most recent plenary meeting, adopting a raft of new guidance and opinions.

Click here to read more >

EDPB and EDPS: European Commission is a processor of patient data in the eHealth Digital Service Infrastructure

On 12th July 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Services Infrastructure (eHDSI).

Click here to read more >

EDPB’s review of the Austrian requirements for code of conduct monitoring bodies

On 9th July 2019, the European Data Protection Board (“EDPB”) adopted Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR following the submission by the Austrian data protection authority of its draft decision containing the accreditation requirements for a code of conduct monitoring body (the “Draft Decision”). The Opinion was adopted in furtherance of the GDPR’s consistency mechanism enshrined for present purposes in the EDPB’s Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”).

Click here to read more >

ECJ cases

Schrems II: International Transfer Methods under the magnifying glass

On 9th July, the ECJ heard arguments on whether the Standard Contractual Clauses (SCCs) are effective to provide adequate protection for personal data, both as regards transfers to the US and in general (the so-called “Schrems II” case).

Click here to read more >

Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW C-40/17

This ECJ decision deals mainly with the issue of “joint controllership” between Facebook and website operators using Facebook's 'Like' button on their website.

Click here to read more >

CoE cases

Gorlov and Other v Russia [ECtHR: 27057/06]

The ECtHR unanimously concluded that the right to respect for private life of detainees in prisons had been violated by a lack of safeguards in the national law regarding the use of CCTV in penal facilities. In the applicant's specific situation they were subject to constant CCTV monitoring in their cells that was not based on an individual decision and no process was in place to allow for regular review of whether such surveillance was appropriate.

Click here to read more >

European Court of Human Rights Grand Chamber Hearing on UK surveillance regimes

On 10 July 2019 the Grand Chamber of the European Court of Human Rights ('ECtHR') held a hearing in the case of Big Brother Watch and others v the United Kingdom (58170/13). The hearing concerns three joined applications brought against the UK government by a total of 16 organisations and individuals who are journalists or actively campaign on civil liberties issues, relating to three different surveillance regimes: (i) bulk interception of communications; (ii) intelligence sharing with foreign governments; and (ii) obtaining communications data from communications service providers.

Click here to read more >

Other EU news

European Data Protection Supervisor: Guidelines for European Institutions on International Data Transfers after Brexit

The European Data Protection Supervisor ("EDPS") has issued guidelines for European Institutions on transfers to the UK following a 'hard/ no-deal Brexit' on 1 November 2019 i.e. if no withdrawal agreement is signed before this date. A withdrawal agreement would ensure the continued application of the GDPR, ePrivacy Directive and the Law Enforcement Directive in the UK until 31 December 2020 (with the possibility of a further extension, to 31 December 2022), such that, the UK would not constitute a third country before that date.

Click here to read more >

Blockchain and the General Data Protection Regulation – can distributed ledgers be squared with European data protection law?

On 24 July the European Parliament published a study regarding blockchain and the General Data Protection Regulation ("GDPR").

Click here to read more >

EU Commission report on impact of GDPR and how implementation can be improved

To mark the one year anniversary of the GDPR coming into force (May 2018), the European Commission has published a 'reflective' report on progress made since that date.

Click here to read more >

EU Commission is asking the ECJ to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the 6 May 2018, deadline

The European Commission has referred Greece and Spain to the ECJ for failing to implement Directive (EU) 2016/680 (i.e. the Law Enforcement Directive) into national law by the 6 May 2018 deadline; recommending that prescribed administrative fines (lump sum penalties and daily penalty payments) should be imposed pursuant to Article 260 (3) of the Treaty on the Functioning of the EU ("TFEU").

Click here to read more >

EU Enforcement

Romanian DPA imposes its first GDPR fine to Unicredit Bank SA for breach of Article 25 of the GDPR (Privacy by Design) and failure to implement appropriate technical and organizational measures

For payments made via Unicredit Bank's online system as well as on bank statements, the payers' addresses and sometimes their national ID number was made accessible to the payment recipients. 337,042 individuals were affected by this breach.

Click here to read more >

Dutch DPA announces that Banks cannot use payment data for marketing purposes as both purposes of processing are not compatible

In reaction to the announcement of a major Dutch bank that that it will use payment information to send targeted offers (direct marketing) to its customers and to a several complaints, the Dutch DPA sent a letter to Dutch banks asking them to review and reconsider their marketing practices.

Click here to read more >

Danish DPA confirms a decision of the Metro Service not to provide access to CCTV data of an individual

The Danish DPA upheld the decision and confirmed the company's arguments.

Click here to read more >

German DPA of Hesse banns Office 365 (and others) from German public schools

The DPA of Hesse published a statement on July 9 addressing the legality of using Office 365 in German schools. The DPA argued that the use of Office 365 was not compliant with data protection regulations. It found data was stored in a datacentre to which US authorities have access to and that telemetry information (the extent of which is unclear) was sent back to the US.

Click here to read more >

Greek DPA fined PWC €150,000 for using the wrong legal basis to process employee personal data

In response to a complaint, the Greek DPA conducted an investigation on the lawfulness of processing of the personal data of PWC employees. PWC gave the impression that it relied on its employees' consent to process their personal data whereas, in reality, it relied on another legal basis.

Click here to read more >

Swedish DPA issues a fine for facial recognition technology

The Swedish DPA has fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school.

Click here to read more >

UK Enforcement


This month we have seen a number of monetary penalties for data breaches and unsolicited marketing calls and an enforcement notice for failing to respond to a subject access request.

Click here to read more >


Latest insights

More Insights