UK & EU Data Protection Bulletin: February 2021

Welcome to this month’s EU & UK Data Protection Bulletin covering developments from November to January.


In this edition we cover:

  • The ICO’s new Data Sharing Code of Practice;
  • A High Court Judgment accepting new arguments regarding the limits of the GDPR’s territorial reach in a case concerning online articles written about a UK resident together with a Court of Appeal decision looking at data sharing for law enforcement purposes;
  • EDPB Guidelines on data breach notification examples, Article 23 restrictions to data subject rights and its joint opinion on the data transfer clauses;
  • Updates on enforcement from the ICO, the CNIL and the Irish DPC.

We have also included our earlier article reminding readers about the impact of Brexit on the UK data protection landscape.


ICO

On 17th December, the ICO submitted its Data Sharing Code of Practice, which was prepared under section 121 of the Data Protection Act 2018 (“DPA 2018”), to the Secretary of State, who will lay the Code before Parliament for its approval as soon as reasonably practicable. Once the Code has been laid, it will remain before Parliament for 40 sitting days. If there are no objections, it will come into force 21 days after that.



UK Cases

Soriano v Forensic News LLC & Ors [2021] EWHC 56 (QB)

The English High Court has accepted new arguments regarding the limits of the GDPR’s territorial reach, in a case concerning online articles written about a UK resident.

Noting that each of the defendants was a US resident, and not “established” in the UK for GDPR purposes (some UK-directed online activity being insufficient to qualify for those purposes), the High Court judge held that their publication of these articles could not be caught by GDPR Article 3(1) - the GDPR’s “establishment” test. The judge focused instead on the GDPR’s alternative territoriality tests: data processing is caught by the GDPR when it is related to the offer of goods or services to the data subject (Article 3(2)(a)), or to the monitoring of their behaviour (Article 3(2)(b)).


R (on the application of M) v Chief Constable of Sussex & Brighton & Hove Business Crime Reduction Partnership [2021] EWCA Civ 42

This recent Court of Appeal decision looks at data sharing for law enforcement purposes (under Part 3 of the DPA 2018 rather than under the GDPR). It involves M, a vulnerable teenager with previous criminal convictions who had been assessed as being at risk of child sexual exploitation; the police; and a local crime reduction partnership (CRP) made up of more than 500 local businesses, retailers, bars and nightclubs.



UK Law

Data Protection Act 2018 and UK GDPR amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020

As a result of the UK exiting the transition period of the UK-EU Withdrawal Agreement, and the marking of ‘IP Completion Day’, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by the 2020 Regulations we reported on in November) came into force.



EDPB

Guidelines 10/2020 on restrictions under Article 23 GDPR (currently under public consultation)

In December, the EDPB issued draft guidelines for consultation which aim to provide guidance as to the application of the Article 23 restrictions to data subject rights. Considering that the term “restrictions” is not defined in the GDPR, the guidelines include a definition of “restrictions” and provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights once the restriction is lifted and the consequences for infringements of Article 23.


 

EDPB and EDPS issue joint opinions on the Standard Contractual Clauses for data transfers and for data processors

The EDPB and EDPS recently issued their joint opinions on the recent draft Standard Contractual Clauses put forward by the Commission in November 2020 to address data transfers to third countries and Article 28 provisions between controllers and processors.


 

New guidelines on examples regarding data breach notification

On 18 January, the EDPB adopted guidelines to complement the WP 29 guidance on data breach notification by providing practical examples of data breaches. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.



CJEU

Orange România SA v Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) C-61/19

In November 2020, the CJEU issued its decision on the Orange Romania case (C-61/19), which examines the concept of consent. Earlier this year we looked into the Advocate General’s opinion on the same case.

The referral was made in the context of a dispute between Orange Romania and the Romanian Data Protection Authority, the ANSPDCP, in which Orange Romania challenged the ANSPDCP’s decision to issue a fine against it for storing copies of customers’ identity documents without demonstrating that those customers had provided valid consent and the ANSPDCP’s order to Orange Romania to destroy the relevant data.



Other EU News

Cookies: CNIL issues fines to Google and Amazon for a total of €135 million

On 10th December, the French Data Protection Authority (the CNIL) released details of two financial penalties issued against Google (€100 million in total – €60 million for GOOGLE LLC and €40 million for GOOGLE IRELAND LTD) and Amazon Europe Core (€35 million). These sanctions have been issued on the basis of rules that were in place in the CNIL’s 2013 cookie guidance (rather than the revised guidelines issued in October 2020, to which a 6-month grace period applies).


Conclusion of investigation into Twitter

On 15th December, the Irish Data Protection Commission (DPC) announced the conclusion of a GDPR investigation it conducted into Twitter International Company. The DPC’s investigation commenced in January 2019 following receipt of a breach notification from Twitter. The DPC found that Twitter infringed Article 33(1) and 33(5) of the GDPR by failing to notify the breach to the DPC on time and by failing to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter for these breaches.



UK ICO Enforcement

This month, we include details of a monetary penalty against Ticketmaster for data breaches together with various enforcement actions relating to nuisance calls.
