UK & EU Data Protection Bulletin: March 2023

Particular Highlights include:

• EDPB Report on the work undertaken by the Cookie Banner Task Force
• CJEU cases looking at what constitutes personal data, erasure requests and the right to know the identity of recipients with whom data may have been shared
• UK proposals to update the NIS Regulations
• Criminal sanction brought against an employee for wrongfully accessing and disclosing data
  
  

EDPB

EDPB adopted a report on the work undertaken by the Cookie Banner Task Force

On the 18th January, the EDPB’s Cookie Banner taskforce on cookie banners released its report. This taskforce was set up in response to the ongoing project by the campaign group, NOYB, which has written to a variety of companies to allege their cookie banners breach of either the ePrivacy Directive, or the GDPR.

Read more here 

EDPB adopts a work programme for 2023/2024

This is a continuation of existing activities (guidance; consistency and co-ordination; opinions to EU bodies). There is a list of planned guidance – many of the entries in this are carried forward from the previous period, where the EDPB has not been able to conclude the guidance in the time planned.

Read more here 

EDPB adopts guidelines on deceptive design patterns, certification as a tool for transfers and the interplay between Art. 3 and Chapter V

On the guidance on the interplay between Art.3 and Chapter V it's worth noting that the EDPB has added in new content addressing the appointment of processors within the EU, but which could be subject to laws with extra-territorial effect, obliging them to disclose personal data to public authorities in third countries.

Read more here 

CJEU

AG limits the expansive interpretation of what constitutes personal data

The Advocate General’s (“AG”) opinion, published on 16.12.2022, considers whether an individual is entitled to learn which natural person has accessed that person’s personal data. In other words: When a person in an organization views your personal data, is the identity of the person viewing your data actually your personal data?

Read more here

TU and RE v Google LLC Case C-460/20: impact of inaccuracy on erasure requests to search engines; and CJEU confirms the adage that a picture is worth a thousand words

TU and RE made de-listing requests to Google relating to three articles published about them, on the basis that the articles contained inaccurate claims and defamatory opinions. They also made requests for the images to be removed from the thumbnails in the search results.

Read more here

C154/21 Österreichische Post): Information about the recipients or categories of recipient to whom the personal data has been or will be disclosed

In its decision from 12th January 2023, the CJEU ruled on certain aspects of the data subjects’ right of access pursuant to Art. 15 GDPR. Art. 15 (1)(c) GDPR implies that where personal data have been or will be disclosed to recipients, the controller is obligated – upon their request – to provide data subjects with the actual identity of those recipients.

Read more here

X-FAB Dresden GmbH & Co. KG Case C-453/21: DPOs can't take decisions about personal data processing without breaching independence duties

FC had been the DPO of X-Fab since 1993. He was also the chair of the group’s Works Council. In 2017, the group dismissed FC as DPO, on the basis that his role as chair of the works council was incompatible with his role as DPO.

Read more here

ICO

Tech Horizons Report

In mid-December, the ICO released its first annual Tech Horizons Report to establish its views on key emerging technologies, foster trust for personal data processing, and support innovation. The Report provides an in-depth analysis of four emerging technologies and outlines key privacy considerations and challenges for each of them.

Read more here

Other UK News

Proposals to update the UK NIS Regulations

Following a consultation in 2022, the Department for Digital, Culture, Media and Sport has announced its intention to update the NIS regulations to improve the UK’s cyber resilience. The changes come as part of a £2.6 billion National Cyber Strategy aimed at making the UK digital economy more secure and prosperous, whilst encouraging at-risk businesses to improve their cyber resilience.

Read more here

UK issues Adequacy Regulations in respect of South Korea

The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 came into effect on 19 December 2022. This is the UK’s first decision to recognise a priority country as adequate post-Brexit. The decision demonstrates that each country is comfortable with the level of protection of personal data provided by the other and enables the transfer of data between countries without the need for contractual protections.

Read more here

UK ICO Enforcement

Highlights

This month we include details of a £5,000 fine issued by the ICO against Mr Khan, for a breach of s170 of the DPA 2018.

We also cover details of a £200,000 fine and enforcement notice issued by the ICO against It’s OK Limited for a “sustained and exploitative” campaign of nuisance calls potentially targeting many elderly people and a fine of £630 issued against an NHS 111 call advisor for unlawfully accessing medical records.

Read more here

First-tier Tribunal Appeal Cases

Highlights

This month we include details of Lloyd v Information Commissioner which concerned the First Tier Tribunal’s handling of the definition of “Personal Data”, in particular considering the test of whether a person was identifiable from the data.

We also cover Bartosik v Information Commissioner which concerned Police Scotland’s handling of an erasure request for information submitted by the Applicant and Experian v Information Commissioner where the First-tier Tribunal overturned an Enforcement Notice served by the Information Commissioner on Experian.

Read more here

Other News

OECD Countries to limit government access to personal data

In December, Ministers and high level representatives of OECD Members and the European Union adopted the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes.

Read more here

Other recent articles

• Meta – DPC & EDPB Decisions on lawful basis of processing and transparency - 30th January 2023
• Third parties can now appeal Belgian DPA decisions before the Market Court - 19th January 2023
• France: Publication of CNIL standards on health data processing implemented in the context of early access and compassionate use authorisations - 16 January 2023
• NIS 2 Directive, RCE Directive and DORA – Important EU cybersecurity-related legislative acts come into force - 13th January 2023
• Practical assistance from the Courts in relation to ransomware attacks: XXX v Persons Unknown (2022) - 19th December 2022
• An Overview of the Implementation of the Whistleblowing Directive in the Nordics - 19th December 2022
• How would the European Commission's new directive change AI-related liabilities - 9th December 2022
• Latest Updates to EU BCRs – what you need to know - 1st December 2022

Previous and upcoming events

• How to prepare for the Swiss Data Protection Act - 11th January 2023