Welcome to this month’s edition of our UK & EU Data Protection Bulletin.
In this edition, we discuss several interesting UK cases including a case touching on whether the implication of criminality is sufficient to amount to sensitive personal data (under the old Data Protection Act 1998) as well as the Court of Appeal decision in Bridges which overturned the High Court decision and held that the use of facial recognition technology by South Wales Police was in fact unlawful.
We also include updates from the EDPB in respect of its Guidelines on the interplay between PSD2 and the GDPR and a BCR Information Note for organisations which have the UK ICO as their BCR Lead Authority and which need to switch to an EEA Supervisory Authority before the end of the Brexit transition period. We also reference our previous news alerts on the CJEU Schrems II decision. Further news alerts will be issued shortly on the EDPB’s latest guidelines on controllers and processors and on targeting social media users.
Finally, on enforcement, we cover some recent PECR fines which highlight some due diligence measures which organisations relying on third party lists should take into consideration.
Regulatory approach continues to evolve for COVID-19 and beyond – page 4
On 14 July 2020, the ICO released a (slightly) updated version of its document outlining its regulatory approach during the coronavirus public health emergency. In an accompanying blog, the Commissioner explained just a few additions had been made to policy, e.g. to reflect that the ICO may now carry out audits remotely, given contact and travel restrictions.
Guidance for teachers and schools on students’ access to information about their exam results – page 4
The ICO has published guidance for teachers and schools on students' access to information about their exam results during the coronavirus pandemic.
Finalised Guidance to AI and Data Protection – page 5
As previewed in our March newsletter, the ICO has now finalised and issued its guidance on Artificial Intelligence – a comprehensive document exploring how to ensure that the design and use of artificial intelligence complies with EU and UK data protection law.
ICO's Children's Code in force – page 6
The ICO's Age Appropriate Design Code (the “Children's Code”) has completed the parliamentary process and came into force on 2 September, with a 12-month transition period to give affected organisations the chance to conform. This applies to organisations providing online services and products likely to be accessed by children up to the age of 18.
ST (A Child) v L Primary School (2020) EWHC 1046 (QB) – page 7
In this case, the High Court examined a claim brought by a child and her mother against the child’s primary school, inter alia for breach of the Data Protection Act 1998 and for misuse of private information. The claim related to the school sending out, without the mother’s consent, a letter to 60 parents with information about the child’s condition (Down Syndrome) and her disruptive behaviour, with a view to reassuring them that the school’s staff could handle the situation.
(1) Petr Aven (2) Mikhail Fridman (3) German Khan V Orbis Business Intelligence Ltd (2020) – page 7
Orbis, an intelligence consultancy, was commissioned by a law firm to provide intelligence relating to the investigation into the links between Donald Trump and Russia. The law firm had been instructed to do this by its client, the US Democratic Party. The Orbis report was disclosed to the US consultancy Fusion and to UK politicians, as well as to the Democratic Party which had commissioned it. The claimants stated that the report contained inaccurate information about them, which had been processed unfairly or unlawfully in the report. The claimants requested that Orbis rectify the data. The case was brought under the old Data Protection Act 1998, as the claim was brought prior to the new Act coming into force.
Johnson v Secretary of State for the Home Department EWCA Civ 1032 – page 8
This Court of Appeal case concerned the lawfulness under GDPR of the transfer of personal data to the British High Commission in Kingston, Jamaica for the purposes of an out of country appeal. The appellant (the data subject) argued that such a transfer was not permissible absent his consent and, as a consequence, the only way to ensure that he could exercise his rights was to permit him to exercise a right of appeal in the UK.
The Court of Appeal dismissed the appellant’s appeal.
On 11 August 2020, the Court of Appeal (“CA”) ruled that the use of facial recognition technology (“FRT”) by the South Wales Police (“SWP”) was unlawful due to the lack of a sufficient legal framework that would regulate the deployment of FRT by the law enforcement bodies in public places.
The CA overturned the Divisional Court’s judgment, which had determined that the lack of a sufficiently defined legal framework could be excused by the fact that FRT was a novel technology and that the existing primary and secondary legislation cumulatively provided a general legal framework sufficient to make the processing lawful.
New EDPB Guidelines on the interplay between PSD2 and GDPR – page 12
On 17th July 2020, the European Data Protection Board (“EDPB”) adopted the long-awaited Guidelines 06/2020 on the interplay between the Second Payment Services Directive and the GDPR (the “Guidelines”) for public consultation. The Guidelines largely confirm the EDPB’s previous views on the two laws. For example, the EDPB states that consent under PSD2 is ‘contractual consent’, which corresponds to processing necessary for the performance of a contract under Article 6(1)(b) of the GDPR.
Information note on BCRs for Groups of undertakings / enterprises which have ICO as BCR Lead SA – page 12
The EDPB has adopted an information note outlining the steps that organisations which have the ICO as their BCR Lead Supervisory Authority will need to take in preparation for the end of the Brexit transition period (31 December 2020) to ensure they have identified a new BCR Lead in the EEA.
EDPB FAQs on the Schrems II decision – page 13
On 24th July, the EDPB provided further "guidance" on the CJEU Schrems II decision. It was hoped that this would provide more clarity on how the judgment now needs to be implemented by companies that transfer personal data to countries outside the EEA. However, whilst the EDPB addresses important questions, it still appears to struggle with the consequences of the Court’s judgment. It is still in the process of analysing the kind of supplementary measures that may be provided in addition to SCCs or BCRs to provide a sufficient level of guarantees.
Schrems II judgment: Privacy Shield invalid, SCCs survive, but... what happens now? – page 14
Of course, one of the most significant developments over the summer months was the CJEU Schrems II decision on 16th July which invalidated the EU-US Privacy Shield Framework but also made important statements concerning the continued use of Standard Contractual Clauses for data transfers. We have republished a link to our earlier news alert on this important case.
Highlights – page 16
This month we include details of a number of fines under PECR for unsolicited direct marketing emails and calls.