UK & EU Data Protection Bulletin: November 2019

By Ruth Boardman, Ariane Mole, Elizabeth Upton

11-2019

Welcome to the November edition of our UK & EU Data Protection Bulletin.

Particular highlights this month include:

  • Court of Appeal decision in LLoyd V Google paving the way for representative actions

  • UK-US data sharing agreement

  • Update on ePrivacy Regulation

View the full bulletin >


ICO

ICO – DSARs for the Public

The ICO has published new guidance on subject access requests but this time from the point of view of the data subject. The guidance explains briefly what a SAR is, how to make a SAR (including a template), what companies have to do and how a data subject can complain if they're not satisfied with the outcome. 

Click here to read more >


Agreement reached between ICO and Facebook

The ICO and Facebook have reached an agreement over the ICO’s investigation into Facebook over Cambridge Analytica. 

Click here to read more >


UK cases

R (Bridges) v Chief Constable of South Wales Police and Others [2019] EWHC 2341

The Divisional Court has dismissed a challenge against use of Automated Facial Recognition technology ('AFR') by South Wales police ('SWP’) which was brought on the basis of interference with the right to privacy and breaches of data protection and equality laws.

Click here to read more >


(1) Al-Ko Kober Ltd (2) Paul Jones v Balvinder Sambhui [2019] 9 WLUK 139

This case examined a claim for unlawful processing of personal data alongside defamation and malicious falsehood claims made in relation to publishing videos with derogatory content on YouTube. 

Click here to read more >


Automotive Software Solutions Ltd v The Information Commissioner [EA/2019/0083]

In a recent case on the Freedom of Information Act and the disclosure of personal data, the first tier Tribunal held that a local authority could withhold disclosing Vehicle Registration Marks (VRMs) where such disclosure would prejudice the prevention or detection of crime. The case also confirmed that vehicle registration numbers would be personal data, on the basis that they could indirectly identify an individual by querying the owner through the Driver and Vehicle Licensing Agency. 

Click here to read more >

Lloyd v Google LLC [2019] EWCA Civ 1599

On 2 October, the Court of Appeal allowed an appeal in Lloyd v Google permitting the use of the representative action procedure and also decided that damages are in principle capable of being awarded for loss of control even if there is no pecuniary loss or distress.    

Click here to read more >

R (on the application of (1) Open Rights Group (2) The3Million ) (Claimants) v (1) Secretary of State for the Home Department (2) Secretary of State for Digital, Culture, Media & Sport (Defendants) & (1) Liberty (2) Information Commissioner (Interveners) [2019] EWHC 2562 (Admin)

Mr Justice Supperstone found against The3Million and Open Rights Group (the "Claimants") in his judgment on 3 October 2019 concerning the Claimants' judicial review of the "Immigration Exemption" in Schedule 2, Part 1, paragraph 4 of the Data Protection Act 2018 ("DPA 2018").      

Click here to read more >

Mustard v Flower and Others [2019] EWHC 2623 (QB)

This case related to Ms Mustard who was injured in a traffic accident and wanted to claim compensation. She was examined by medical experts appointed by the insurer and was advised by her solicitor to record the examinations. She covertly recorded two of the examinations and wished to use those recordings in evidence in support of her claim. The insurer objected, arguing that the recordings constituted unlawful processing contrary to the GDPR and the DPA 2018.

Click here to read more >


Other UK News

UK-US agreement facilitates reciprocal gathering of overseas evidence for criminal investigations

On 4th October 2019, the UK and US governments announced the signing of an agreement that will facilitate the ability of UK and US authorities to demand certain documents or other data from companies and individuals, if they are based or operating in the US and UK, respectively. 

Click here to read more >


EU: What a difference a Brexit deal makes

The European Commission's ('the Commission') Task Force for the Preparation and Conduct of the Negotiations with the United Kingdom under Article 50 of the Treaty on European Union released, on 17 October 2019, a revised text of the Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators' level ('the Revised Political Declaration').    

Click here to read more >


EDPB

EDPB 14th Plenary Session

On 8 and 9 October, the European Data Protection Board (EDPB) met for its fourteenth plenary session. During the plenary, the following topics were discussed, amongst others:

• The 3rd annual review of the Privacy Shield

• The guidelines on processing necessary for the performance of a contract, in the context of the provision of online services.

Click here to read more > 


CJEU cases

Should search engines implement de-listing requests globally? And do they have to remove sensitive data as a matter of course?

The CJEU has considered two further right to be forgotten cases. The first is on territorial scope of the right to be forgotten. Here, the CJEU concluded that de-listing requests should be implemented across the EU, not just in the member state applicable to the relevant data subject.

Click here to read more >


Planet49: CJEU Rules on Cookie Consent

On 1 October 2019 the Court of Justice of the European Union (the 'CJEU') delivered its judgment in Planet49, a case analysing the standard of transparency and consent for the use of cookies and similar technologies. 

Click here to read more >

Are You Inadvertently Processing European Criminal Conviction Data? The Overlooked Impact of GC v CNIL

Google continues to drive the development in case law of the Court of Justice of the European Union (CJEU) on the right to be forgotten in two recent cases.

Click here to read more >


Other EU news

The Council of European Union has set out its position and findings on the application of the GDPR

The Council of European Union has set out its position and findings on the application of the GDPR from 19 Member States in preparation for its 2020 review of GDPR. See here. 

Click here to read more >


ePrivacy Regulation update

On 17 October, the Council of the European Union (the ‘Council’) published its latest draft of the proposed e-Privacy Regulation. [Note that this since this article was written the Council issued a further draft on 30 October – further updates will follow]. 

Click here to read more >


EU Enforcement

Belgian DPA imposes €10,000 fine on a merchant for its disproportionate use of the Belgian electronic ID card.

The Council of European Union has set out its position and findings on the application of the GDPR from 19 Member States in preparation for its 2020 review of GDPR. See here. 

Click here to read more >

ePrivacy Regulation update

On 17 October, the Council of the European Union (the ‘Council’) published its latest draft of the proposed e-Privacy Regulation. [Note that this since this article was written the Council issued a further draft on 30 October – further updates will follow]. 

Click here to read more >


EU Enforcement

Romanian DPA imposes its first GDPR fine to Unicredit Bank SA for breach of Article 25 of the GDPR (Privacy by Design) and failure to implement appropriate technical and organizational measures 

Click here to read more >


Polish DPA fines morele.net €645,000 (PLN 2.8 million) for insufficient organisational and technical safeguards 

Click here to read more >


Greek DPA fines a Greek telecommunications provider €400,000 for breaches of the accuracy principle and data protection by design and also for a failure to satisfy the right to object 

Click here to read more >


Spanish DPA fines Vueling €30,000 for the cookie policy used on its website
 

Click here to read more >


UK ICO Enforcement

Highlights

Superior Style Home Improvements Ltd was issued with a monetary penalty notice of £150,000 after making unsolicited marketing calls.

Click here to read more >