Welcome to our European Data Protection Bulletin covering recent developments from the last few months.
Particular Highlights include:
EDPB adopted a report on the work undertaken by the Cookie Banner Task Force
On the 18th January, the EDPB’s Cookie Banner Task Force released its report. This task force was set up in response to the ongoing project by the campaign group NOYB, which has written to a variety of companies alleging that their cookie banners breach either the ePrivacy Directive or the GDPR.
EDPB adopts a work programme for 2023/2024
This is a continuation of existing activities (guidance; consistency and co-ordination; opinions to EU bodies). There is a list of planned guidance – many of the entries in this are carried forward from the previous period, where the EDPB has not been able to conclude the guidance in the time planned.
EDPB adopts guidelines on deceptive design patterns, certification as a tool for transfers and the interplay between Art. 3 and Chapter V
On the guidance on the interplay between Art. 3 and Chapter V, it is worth noting that the EDPB has added new content addressing the appointment of processors that are within the EU but could be subject to laws with extra-territorial effect, obliging them to disclose personal data to public authorities in third countries.
AG limits the expansive interpretation of what constitutes personal data
The Advocate General’s (“AG”) opinion, published on 16.12.2022, considers whether an individual is entitled to learn which natural person has accessed that individual’s personal data. In other words: when a person in an organization views your personal data, is the identity of the person viewing your data actually your personal data?
TU and RE v Google LLC Case C-460/20: impact of inaccuracy on erasure requests to search engines; and CJEU confirms the adage that a picture is worth a thousand words
TU and RE made de-listing requests to Google relating to three articles published about them, on the basis that the articles contained inaccurate claims and defamatory opinions. They also made requests for the images to be removed from the thumbnails in the search results.
C154/21 (Österreichische Post): Information about the recipients or categories of recipient to whom the personal data has been or will be disclosed
In its decision from 12th January 2023, the CJEU ruled on certain aspects of the data subjects’ right of access pursuant to Art. 15 GDPR. Art. 15 (1)(c) GDPR implies that where personal data have been or will be disclosed to recipients, the controller is obligated – upon their request – to provide data subjects with the actual identity of those recipients.
X-FAB Dresden GmbH & Co. KG Case C-453/21: DPOs can't take decisions about personal data processing without breaching independence duties
FC had been the DPO of X-FAB since 1993. He was also the chair of the group’s works council. In 2017, the group dismissed FC as DPO, on the basis that his role as chair of the works council was incompatible with his role as DPO.
Tech Horizons Report
In mid-December, the ICO released its first annual Tech Horizons Report to establish its views on key emerging technologies, foster trust for personal data processing, and support innovation. The Report provides an in-depth analysis of four emerging technologies and outlines key privacy considerations and challenges for each of them.
Proposals to update the UK NIS Regulations
Following a consultation in 2022, the Department for Digital, Culture, Media and Sport has announced its intention to update the NIS regulations to improve the UK’s cyber resilience. The changes come as part of a £2.6 billion National Cyber Strategy aimed at making the UK digital economy more secure and prosperous, whilst encouraging at-risk businesses to improve their cyber resilience.
UK issues Adequacy Regulations in respect of South Korea
The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 came into effect on 19 December 2022. This is the UK’s first decision to recognise a priority country as adequate post-Brexit. The decision demonstrates that each country is comfortable with the level of protection of personal data provided by the other and enables the transfer of data between countries without the need for contractual protections.
This month we include details of a £5,000 fine issued by the ICO against Mr Khan, for a breach of s170 of the DPA 2018.
We also cover details of a £200,000 fine and enforcement notice issued by the ICO against It’s OK Limited for a “sustained and exploitative” campaign of nuisance calls potentially targeting many elderly people and a fine of £630 issued against an NHS 111 call advisor for unlawfully accessing medical records.
This month we include details of Lloyd v Information Commissioner which concerned the First Tier Tribunal’s handling of the definition of “Personal Data”, in particular considering the test of whether a person was identifiable from the data.
We also cover Bartosik v Information Commissioner which concerned Police Scotland’s handling of an erasure request for information submitted by the Applicant and Experian v Information Commissioner where the First-tier Tribunal overturned an Enforcement Notice served by the Information Commissioner on Experian.
OECD Countries to limit government access to personal data
In December, Ministers and high-level representatives of OECD Members and the European Union adopted the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes.