Welcome to this month's data protection newsletter where we focus on developments between November and January.
• Updates on ICO consultations on draft guidance on special category data, subject access rights, AI and direct marketing;
• Advocate General’s Opinion on Standard Contractual Clauses;
• Changes to Civil Procedure Rules regarding how data protection claims should be brought before the English Courts (in effect from 1 October)
• CJEU case on relying on legitimate interests to justify the use of CCTV;
• ICO GDPR fine for breach of security.
Updated ICO Guidance on Special Category Data
In November, the ICO announced that it had updated its Guidance on the processing of Special Category Data. This includes data revealing a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and biometric data (where used to uniquely identify someone) and data concerning health, sex life or sexual orientation.
Draft ICO Guidance on AI-assisted decisions
On 2 December 2019, the ICO and the Alan Turing Institute issued guidance on the explainability of AI-assisted decisions. The guidance, which forms part of ongoing efforts to address the implications of transparency and fairness in AI decisions, provides good practice guidance on AI explainability, but is not a statutory code of practice.
The UK Information Commissioner has issued a consultation on new, draft, guidance on dealing with subject access request. The call for comments closes on Wednesday, 12th February 2020.
On 08 January 2020 the UK Information Commissioner published its draft Code of Practice on Direct Marketing (the ‘Code’). The Code will be open for public consultation until 4th March 2020.
Information Commissioner publishes Age Appropriate Design Code
On 22nd January 2020, the UK Information Commissioner published her Age Appropriate Design Code. The code applies to organisations in the UK. It also applies on a worldwide basis to organisations that monitor kids in the UK, or where it's apparent that they intend to offer online services or goods to kids in the UK. The code is not limited to child-directed sites: it applies whenever it's more likely than not that under 18s will use the site. The code is expected to be fully effective from Autumn 2021.
Dr Kaleem Siddiqui v Information Commissioner (EA/2019/0289)
The First Tier Tribunal (Information Rights) (the FTT) has held that the maximum penalty which can be imposed by the Information Commissioner under the Data Protection Act 2018 ('DPA 2018') on an organisation which fails to pay the annual data protection fee is 150% of the highest data protection fee (i.e. the tier 3 fee), rather than 150% of the data protection fee payable by the organisation in question (based, primarily, on its size and turnover).
Hall And Hanley Ltd v Financial Conduct Authority (Rev 1)  UKFTT CMS-2019-0001 (GRC) - due diligence recommendations for electronic marketing when relying on indirect consent
Hall & Hanley ('H&H') is a claims management service that manages PPI claims on behalf of its customers. The Claims Management Regulator ('CMR', the regulator which has now been replaced by the FCA) determined that H&H had failed to conduct sufficient due diligence on various companies sending electronic marketing on its behalf to consumers over a number of years, and subsequently electronic messages were sent to consumers without the proper consents in place, in breach of regulation 22 of the Privacy and Electronic Communications Regulations ('PECR'). As a result, in March 2019, the CMR issued a fine of £91,000 which H&H subsequently appealed.
EDPB Publishes Finalised Guidelines on Territorial Scope
On 15th November 2019, the European Data Protection Board ('EDPB') published its finalized Guidelines on the Territorial Scope of the GDPR.
EDPB Publishes Guidelines on Data Protection by Design and by Default
On 20th November 2019, the European Data Protection Board (“EDPB”) published its draft guidelines on the principles of Data Protection by Design and Default (the “Guidelines”) under Article 25 of the EU General Data Protection Regulation (“GDPR”).
EDPB 16th Plenary Session
On 2nd and 3rd December 2019, the EDPB held its 16th Plenary Session.
Click here to read more >
How legitimate is your CCTV?
On 11th December 2019, the Court of Justice of the European Union ("CJEU") rendered its decision in Case C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA on conditions under which the processing of personal data by way of CCTV may be based on legitimate interests.
Opinion of Advocate General upholds standard contractual clauses in Schrems 2
On 19th December 2019, Advocate General Saugmandsgaard OE gave his Opinion in Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems and interveners (C-311/18) (Schrems 2).
This month we have seen a GDPR monetary penalty of £275,000 and an enforcement against Doorstep Dispensaree Ltd and a £500,000 fine against DSG Retail Limited (under the old DPA), both of which related to security breaches.