Welcome to this month’s EU & UK Data Protection Bulletin covering recent developments from the last couple of months. Links to our recent news alerts on the new EU Standard Contractual Clauses for data transfers and data processors are also included.
In this edition, recent highlights include:
Use the links below to navigate through our newsletter:ICO
Data Sharing Code of Practice – laid before Parliament on 18 May
The new Data Sharing Code of Practice published by the UK Information Commissioner’s Office (“ICO”) was laid before Parliament on 18 May 2021 and will come into force after 40 sitting days of Parliament. It replaces the ICO’s first Data Sharing Code which was published in 2011 and required updating to reflect the requirements of the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”), as well as the enormous changes in the types and amounts of personal data collected by organisations and in the technology used to store and share such data in the intervening period.
ICO seeking views on the first chapter of its Anonymisation Guidance
The ICO has published the first draft chapter of its Anonymisation, Pseudonymisation and Privacy enhancing technologies draft guidance for consultation. This chapter examines the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law. A copy of the chapter can be found here. The consultation closes on 28 November
Mohammed Belal Uddin v The Information Commissioner (EA/2020/0353/GDPR)
The First-tier Tribunal (General Regulatory Chamber) (“Tribunal”) struck out Mr Uddin’s application under sections 166(2) and 166(3) Data Protection Act 2018 (“DPA 2018”), because the DPA 2018 does not provide a right of appeal against the substantive outcome of a complaint investigation.
Ticketmaster UK Ltd v Information Commissioner (EA/2020/0359/FP)
This case relates to an appeal made by Ticketmaster against a penalty notice of £1.5million issued by the ICO in November 2020 relating to a data breach linked to a chatbot used on its website and provided to Ticketmaster by a third party, Inbenta Technologies Limited. The grounds of appeal include arguments that Ticketmaster did not breach its obligations under Articles 5(1)(f) and 32 of the GDPR, that the security incident resulted from an unforeseen and criminal attack on Inbenta and Inbenta’s failure to maintain appropriate security or alternatively that the penalty imposed was excessive.
Read more here >
Representative Action being brought against TikTok for breach of GPDR
A class action has been filed in the UK High Court against TikTok, alleging breaches of UK and EU data protection law in respect of the way in which the video-sharing app collects and uses personal data of children. The claim has been brought as a “representative action” under Civil Procedure Rule 19.6, the same mechanism used by Richard Lloyd in his well-publicised claim against Google. To bring such an action, a claimant must show that all those represented have the “same interest” in the claim.
Read more here >
R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others  EWCA Civ 800
On May 26, 2021, the Court of Appeal handed down its judgment in the case of R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others. Finding in favour of the claimant, the Court of Appeal held that the “immigration exemption” in Schedule 2 paragraph 4 UK 2018 Data Protection Act’s (“DPA 2018”) is non-compliant with GDPR (which was integrated into UK law by virtue of the European Union (Withdrawal) Act 2018).
Read more here >
Mr Baldo Sanso Rondon and LexisNexis Risk Solutions UK Limited  EWHC 1427 (QB)
This recent High Court judgment confirms the limited role played by data protection representatives appointed in accordance with Article 27 GDPR and finds that such representatives cannot be held liable for the action of their foreign data controllers. In this case, the claimant, an Italian based businessman, argued that the UK based representative (Lexis Nexis Risk Solutions UK Limited) was responsible for alleged breaches of GDPR by World Compliance Inc, the US based data controller it represents in respect of the profiles it maintained about the claimant in its financial screening database.
Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe
On 20 May 2021, the Belgian Data Protection Authority (“BDPA”) approved the first transnational code of conduct for cloud services (“EU Cloud CoC”) to be adopted within the EU since the entry into force of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The EU Cloud CoC aims to establish good data protection practices for cloud service providers and intends to contribute to a better protection of personal data processed in the cloud. Several large industry players have endorsed the EU Cloud CoC.
Recommendations issued by EDPB on storage of credit card data after payment made for goods and/or services online
On 19 May 2021, the EDPB adopted its Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions On the question of whether online retailers are allowed to keep a customer’s credit card details after a purchase has been made (in case the customer wants to make another purchase in the future and to save them having to re-enter their card details, which might facilitate further purchases), the EDPB has concluded that consent under Article 6(1)(a) of the UK GDPR “appears to be the sole appropriate legal basis” for the storage of these details.
ECtHR rules UK surveillance violated ECHR
The European Court of Human Rights Grand Chamber has now delivered its twin bulk surveillance judgments in Big Brother Watch and Centrum för Rättvisa.
The Grand Chamber held that neither the former UK regime (under the Regulation of Investigatory Powers Act 2000) nor the Swedish regime considered in Rättvisa complied with the European Convention on Human Rights. However, it reached that conclusion on relatively narrow grounds. For the UK, the practical issue now is whether the decisions cast any doubt on the current Investigatory Powers Act 2016.
The high level takeaway is that the judgments lay down a revised set of criteria by which to assess bulk surveillance regimes against the requirements of the Convention, but do not forbid them as such.
The Court concluded that a decision to operate a bulk interception regime continues to be one that a Contracting State can make. A State’s freedom of choice in how to operate such a regime is, however, more constrained.
The ICO has been less active over the last couple of months with just three relatively small monetary penalties and no enforcement notices being issued against different organisations for breaching the PECR by sending unsolicited marketing emails.