Welcome to the latest edition of our newsletter covering developments from June.
To listen to our podcast, click here >>
ICO
GDPR one year on
On 20 May the ICO published its paper to share reflections and learnings of the first year of GDPR implementation.
Project explAIn interim report
The ICO and the Alan Turing released their interim report on Project explAIn. This collaboration aims at creating practical guidance to assist organisations with explaining artificial intelligence decisions to affected individuals.
ICO Update Report on Adtech and Real Time Bidding
On 20 June the ICO published an update report on her office’s review of adtech and real time binding which is a form of auctioned online advertising.
Green v Group Ltd & others [2019] EWHC 954 (Ch)
This case relates to a claim arising from the processing of data by the group of companies informally known as 'Cambridge Analytica'. The High Court considered whether the administrators of the company were data controllers and personally responsible for compliance with the DPA 1998 in respect of processing by the company which had been put into administration including but not limited to compliance with subject access requests.
Dawson Damer v Taylor Wessing [2019] EWHC 1258
This High Court decision provides important clarifications on the definition of relevant filing system, the legal professional privilege exemption and reasonable and proportionate searches.
Advertising Standards Authority Limited v Robert Neil Whyte Mitchell [2019] EWHC 1469
This case relates to an application by the ASA for an injunction to prevent an unintended recipient of an email from using, publishing, communicating or disclosing any part of the email or its attachments on the grounds that the contents were confidential and in part legally privileged. As Mr Justice Warby puts it “just about everyone who uses email will have had an experience similar to the one that led to this application”.
DMCS consultation about public concerns around data protection (deadline 14 July):
On 10 June 2019, the Department for Digital, Culture, Media and Sport (DCMS) announced an open call for evidence for the government's intended National Data Strategy (NDS). The stated aims of the NDS are that it will empower government and the economy through the use of data, and ensure public trust in its use.
BEIS consultation about going beyond GDPR data portability (deadline 6 August 2019):
On 11 June 2019, the Department for Business, Energy and Industrial Strategy (BEIS) published a consultation on proposals following its Smart Data Review. The Smart Data Review has explored how government can accelerate the development and use of new data-driven technologies and services to improve consumer outcomes. In particular, it considered how such technologies can foster innovation and facilitate switching and data portability in regulated and digital markets.
On 4th June 2019, the European Data Protection Board (EDPB) held its most recent plenary meeting, adopting new guidance that will be of interest to organisations looking to benefit from the GDPR’s provisions on Codes of Conduct and Certification schemes.
New EU Regulation on non-personal data.
EU Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union (the “Non-personal Data Regulation" or "FFD") became directly applicable in all EU Member States on 29 May 2019. The main purpose of the FFD Regulation is to allow mobility of non-personal data across borders and ensure the freedom to provide data processing services within the EU, which are sometimes restricted by national legal requirements to locate data in a specific territory.
CNIL fine to real estate company amounts to 1% of its annual turnover
Sergic, a real estate company allowing individuals to upload any supporting documentation through their website was fined €400,000 by the CNIL (the French data protection authority) on 28 May for (i) failure to implement appropriate security measures and (ii) retention of personal data for longer than is necessary.
Tunisia becomes the 30th signatory to the Council of Europe's Protocol amending Convention 1081 ("Convention 108+").
Convention 108+ aims to modernise and improve Convention 108. Many of the changes correspond to changes to the EU's data protection regime brought in by the GDPR.
Morrocco is the sixth country in the African region and 55th State party to accede to Convention 108.
Morocco also signed-up to the Council of Europe's Additional Protocol to Convention 108. The Additional Protocol sets out requirements relating to supervisory authorities and transborder flows of personal data to recipients which are not party to Convention 108 (the "Additional Protocol").
Highlights This month we have seen a number of prosecutions for unlawfully obtaining data under the DPA 1998 as well as monetary penalties under PECR and an enforcement notice for failing to respond to a large number of subject access requests.