UK & EU Data Protection Bulletin: November 2020
Written By
Welcome to this month’s EU & UK Data Protection Bulletin covering developments from September and October.
We have had a flurry of important enforcement decisions, guidance and cases in the last few weeks which we have covered in a number of separate news alerts. For your convenience, this edition summarises and provides links to these updates in one place.
In this edition, we also cover:
- the ICO draft statutory guidance on regulatory action and finalised guidance on Rights of Access;
- highlights of the National Data Strategy;
- an overview of the CJEU judgments in C-623/17 Privacy International and C-511-512/18 La Quadrature du Net (the latter joined with C-520/18 Ordre des barreax francophones et Germanophone) which could impact the UK’s adequacy assessment for data transfer purposes; and
- recent ICO monetary penalties and enforcement activities in addition to those imposed upon BA and Marriott.
Use the links below to navigate through our newsletter:
ICO
ICO
ICO consults on draft statutory guidance on regulatory action
The ICO has launched a public consultation on its draft statutory guidance on regulatory action. The guidance sets out how the ICO will regulate and enforce data protection legislation in the UK following the end of the transition period.
New Guidance on Subject Access Rights
The ICO has now issued the finalised version of its detailed Rights of Access Guidance which updates the draft Guidance that went out for consultation back in December 2019.
UK cases
Lees v Lloyds Bank plc [2020] EWHC 2249 (Ch)
The claimant had sent Lloyds three data subject access requests (DSARs) to which Lloyds had replied. These were made alongside the claimant’s ongoing litigation against Lloyds in relation to claims for possession it was pursuing in respect of the three properties with buy-to-let mortgages granted to the claimant.
In this claim, the claimant asserted that Lloyds had failed to provide his personal data contrary to the Data Protection Act 2018 and the GDPR. The Court noted that given the dates of the three DSARs, the Data Protection Act 1998 was the applicable law. The Court dismissed the claim on the basis that Lloyds had provided the claimant with an adequate response to each of the DSARs.
Kathryn Hopkins v Revenue & Customs Commissioners [2020] 8 WLUK 232
The court struck out a claim by an HMRC employee who argued that the use of her criminal record information by her employer in disciplinary proceedings was unlawful under the GDPR and the DPA 2018.
The court contended that it was clear that the HMRC was the controller of the Claimant’s personal data when instituting the disciplinary proceedings, suspending the Claimant, handling her grievances and responding to her complaint to the ICO and this claim as it has processed the data on its own behalf rather than Merseyside Police or anyone else.
R (on the application of MAHA ELGIZOULI) v SoS for the Home Department & DPP EWHC 2516 (Admin)
The Divisional Court refused an urgent application from Maha Elgizouli for a judicial review of the Home Secretary’s 24 August 2020 decision to accede to a request for mutual legal assistance (“MLA”) from the United States’ Government under the US-US MLA Treaty, which would involve the transfer of personal data relating to Ms Elgizouli’s son (Mr El Sheikh) to the United States for the purpose of his possible prosecution there for alleged terrorist activities (the “August 2020 Decision”).
Other UK News
UK National Data Strategy published for consultation
On 9 September 2020 the Department for Digital, Culture, Media & Sport (“DCMS”) published a consultation on its Policy Paper on the UK National Data Strategy (“NDS”). According to the DCMS, the intention behind the NDS is to produce a forward-looking strategy that “takes into account public opinion and delivers real change in the way that data is used and shared in the United Kingdom” in order to unlock the value such data can bring. The focus is very clearly placed on freeing up the use of all data and is not just focused on personal data.
Government publishes latest draft Brexit Statutory Instrument
The Government has laid its latest statutory instrument related to the UK’s data protection framework following Brexit. Once in force, it will revise the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which can be found here. It will also repeal the previous statutory instrument, The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019.
EDPB
EDPB publishes draft guidelines on controllers and processors
The EDPB has released its draft guidelines on the concepts of controllers and processors, an area that the body has not reviewed in detail since the Article 29 Working Party produced its longstanding 2010 opinion, WP 169. The draft guidance, which was subject to public consultation until 19 October 2020, includes detailed assessment of the principled differences between controllers and processors, whilst also addressing the concept of joint controllership, as notably explored in a series of CJEU judgments in recent years. Our full article on these guidelines can be found here.
Click here to read more >
EDPB publishes draft guidelines on the targeting of social media users
Alongside it draft guidance on controllers and processors, the EDPB has also released draft guidance on the targeting of social media users. This guidance examines the various methods used by advertisers and social media platforms to collaborate and market products to social media users, and sets out the EDPB’s position on legal basis, joint controllership and other necessary compliance steps required to carry out certain types of marketing activity on such platforms. Our full article on these draft guidelines can be found here.
Draft Guidelines on “relevant and reasoned objection” under the cooperation mechanism (Art 60 GDPR)
On 13th October, the EDPB issued its draft Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679. These Guidelines look at certain aspects of the cooperation mechanism between the lead supervisory authority (LSA) and other competent supervisory authorities (CSAs) in connection with Article 60 GDPR. Under this process, the LSA shall cooperate with the CSAs concerned in an endeavour to reach a consensus. The LSA is required to submit a draft decision to the CSAs to which they can raise a “relevant and reasoned objection” within a specified timeframe.
Data Protection by Design and by Default
On 20th October, the EDPB issued its final Guidelines on Data Protection by Design and by Default. These Guidelines were first issued in draft in November 2019 (a summary of which is contained here) and give general guidance and examples on the interpretation of the obligations of data protection by design and by default. In addition to covering these principles, the Guidelines also cover certification mechanisms for demonstrating compliance with Article 25 GDPR and enforcement by supervisory authorities.
CJEU cases
C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others
EU e-privacy laws apply to state communications surveillance
Hard on the heels of Schrems 2 came the 6 October 2020 CJEU judgments in C-623/17 Privacy International and C-511-512/18 La Quadrature du Net (the latter joined with C-520/18 Ordre des barreax francophones et Germanophone).
The judgments address a variety of bulk communications surveillance activities that one or other of the referring countries (UK, France and Belgium) had imposed on service providers: data retention, computerised analysis of retained data, and transmission to the authorities. The outcomes are more nuanced than the previous judgments, but reiterate that for most kinds of data, in most situations, general and indiscriminate data retention cannot be required. A requirement for general and indiscriminate data transmission to the authorities is never permissible.
The outcome of these judgments will have important implications for the UK adequacy talks.
Other EU News
EDPS: Strategy Document for Compliance with Schrems II
The EDPS has published its strategy for compliance of EU Institutions (EUIs) with the Schrems II judgment. The strategy contains short- and medium-term compliance actions, including carrying out Transfer Impact Assessments.
UK ICO Enforcement
Highlights
This month we include details of a number of monetary penalty notices for data breaches, unsolicited marketing calls, text messages and emails and an enforcement notice for direct marketing in the data broking sector.
