UK & EU Data Protection Bulletin: May 2020
Written By
Welcome to the May edition of our UK & EU Data Protection update focused on recent developments in March and April.
Highlights include:
• Updated ICO and EDPB Guidance on COVID-19; and
• Coverage of the Supreme Court decision in Morrisons on vicarious liability and the Court of Appeal in Dawson-Damer examining the definition of a "relevant filing system".
Use the links below to navigate through our newsletter:
ICO
UK Legislation
EDPB
CJEU cases
Other EU news
UK ICO Enforcement
ICO
New CCTV Guidance and Templates
The Surveillance Camera Commissioner and the ICO updated their CCTV DPIA guidance and template on 1 April 2020 to fully reflect the requirements under GPDPR and the Data Protection Act 2018. It has been designed for entities that have to comply with the Surveillance Camera Code of Practice under Section 33(5) of the Protection of Freedoms Act 2012 such as local authorities and police forces etc. However, it can also be used by private companies that deploy surveillance cameras in the UK.
How the ICO will regulate during the Coronavirus
The ICO has issued a short paper about how it will regulate during the Covid-19 pandemic in order to take account of the fact that organisations are facing staff and operating capacity shortages as well as acute financial pressures and many public bodies are facing severe front-line pressures and are redeploying resources to meet those demands.On the 5 May, the ICO also updated its priorities for data protection during Covid-19 and beyond.
Videoconferencing: ICO Tips
The ICO's Director of Assurance has released a short blog advising organisations about how to safely roll out the latest video conferencing technology to ensure that staff can communicate securely.
Using new technologies and tracking to combat the pandemic: Key Data Protection Questions to consider
Elizabeth Denham released a new blog examining some of the relevant privacy issues that organisations exploring the possibility of using contact tracing and location tracking technologies to combat the Covid-19 will need to think about. The ICO states that it is here to offer advice and guidance to organisations ahead of such projects and can provide assurance via audit once a project is up and running.
UK Legislation
Leighton v Information Commissioner (No.2) [2020] UKUT 23(AAC)
In this case, Mr Leighton had made a subject access request to the police under s45 DPA 2018 which he did not think that the police had dealt with properly so he complained to the ICO. The ICO concluded that the police had complied with their obligations but Mr Leighton appealed that conclusion to the FTT using section 166 DPA 2018 which entitles a data subject to order the ICO to progress a complaints that has been made to it under section 165 DPA 2018. This case examines the scope of the FTT powers under this provision in more detail.
Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB)
In this judgment, Saini J in the High Court struck out claims for breach of the Data Protection Act 1998 (DPA), the law of confidence and the Human Rights Act 1998 (HRA) which stemmed from an allegedly non-consensual, verbal disclosure of information about the claimant by a charity to the claimant's GP.
Hands down – no representative action for Equifax
Counsel for Equifax blogged on 1 April 2020 that the representative action brought by Richard Atkinson in the High Court of England and Wales had been withdrawn.
Atkinson's claim, brought under the Data Protection Act 1998, stemmed from a large scale personal data breach at Equifax in 2017 which was the resulted from a malicious cyber-attack. One of the interesting points in the claim was Atkinson's attempt to claim damages in this scenario under the novel "loss of control" head (i.e., without proving pecuniary loss or distress). Many data elements collected by Equifax were (as expected, for a credit reference agency) not collected from data subjects directly, but from third party data controllers.
In a unanimous decision on 1 April 2020, the Supreme Court reversed the Court of Appeal’s decision that found Morrisons vicariously liable for a data breach committed by a rogue employee. The Supreme Court held that the Court of Appeal “misunderstood the principles governing vicarious liability in a number of relevant respects”.
Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10
In its judgment on the Elgizouli case, the Supreme Court unanimously held that the Secretary of State breached the Data Protection Act 2018 by transferring personal data to the US law enforcement authorities for use in capital criminal proceedings.
Dawson-Damer Court of Appeal [2020] EWCA Civ 352
On 12 March the Court of Appeal handed down its second judgment in the long running case of Dawson Damer v. Taylor Wessing
Readers may recall the appellants were beneficiaries under a Bahamian Trust. The trustees had appointed the majority of the trust fund to new trustees to hold for the beneficiaries, excluding the appellants. The appellants challenged this arrangement. As part of this, they made a subject access request to Taylor Wessing LLP which acted for the trustees of one of the trusts.
EDPB
Data processing and Covid-19 – EDPB statement
Like many national authorities around the EU, the European Data Protection Board released a statement about data processing in the context of the current pandemic. The EDPB underlines that data protection is not a barrier to combatting the Coronavirus, but that personal data must continue to be protected despite the unprecedented situation.
Click here to read more >
Following its remote plenary meeting on 3 April 2020, the EDPB has adopted further Guidance on data protection issues arising in the context of the COVID-19 crisis.
EDPB published updated guidance on consent
On the 04 May the European Data Protection Board (EDPB) adopted a slightly updated version of its guidelines on consent under the GDPR to address implied consent and cookie walls.
CJEU cases
Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Cases C-61/19) Advocate General's Opinion: Examining the definition of "consent"
On 5 March 2020, the CJEU's Advocate General (AG Szpunar) handed down his Opinion in Case C 61/19 Orange România SA, a case which could impact how companies across a wide range of sectors obtain GDPR consents, offline or online.
When signing up for Orange Romania's mobile telecoms services, Orange Romania's practice was to take a copy of customers' identity documents, which it would then store as an attachment to the signed customer contracts. The contract wording included, inter alia, a relatively lengthy passage about this practice, including a statement that the customer had been fully informed of, and had freely and expressly consented to, the collection and storage of those copies. This consent was further demonstrated by the customer ticking boxes on the contract itself.
Other EU news
EDPS Publishes its 2019 Annual Report
The EDPS has published its Annual Report which provides an insight into all its activities over the past year.
EDPS Guidance to use of Photo Booths
On a lighter note, the EDPA has just published some new guidance on the use of photo booths by EU institutions recognising that these are a great way for such institutions to reach out to the public and they are frequently used during events. Given that photo booths are used publicly, with the aim of generating a positive customer experience, it would be counterproductive for EU institutions to use them in a way that could violate anyone’s fundamental right to data protection. Once we are all back to work again, this guidance could be of more general interest to other organisations who hire out or use such booths at their events.
Using Telecoms Data for Covid-19 tracking – comments from the EDPS
The European Commission announced plans to monitor the spread of coronavirus using telecommunications data. The European Data Protection Supervisor (EDPS) was consulted and provided their comments in an open letter to the Commission.
UK ICO Enforcement
Highlights
This month we include details of a prosecution for the deletion of a record of a council meeting under FOIA and a £171,000 monetary penalty under PECR for unsolicited direct marketing calls.
Latest insights
More Insights
Balancing the candid disclosure of information to regulators, with the desire to maintain privilege: Recent developments regarding voluntary disclosure agreements
Apr 19 2024
Navigating the legal landscape of plastics – balancing utility with environmental responsibility
Apr 19 2024