UK & EU Data Protection Bulletin: March 2020

By Elizabeth Upton, Ruth Boardman, Ariane Mole

03-2020

Welcome to our March Data Protection Newsletter.

Highlights include:

• A Data Protection Bill proposing to grant representative bodies and organisations the power to exercise independent complaint and remedy rights on behalf of data subjects (in particular on behalf of more vulnerable groups)

• New EDPB Guidelines including on Connected Vehicles

• Update on AI developments in the EU



ICO

ICO warns Insolvency Practitioners on data sharing with claims companies

The ICO, the Financial Conduct Authority ("FCA") and the Financial Services Compensation Scheme ("FSCS") warned Insolvency Practitioners ("IPs") against unlawful data sharing with (FCA-regulated) Claims Management Companies ("CMCs") in a joint statement issued on 7 February 2020.


ICO issues draft guidance on the AI Auditing Framework for consultation

The ICO has recently opened for consultation a lengthy set of draft guidelines on how to understand data protection law in relation to AI and suggested best practice recommendations for ensuring data protection compliant AI. It comprises auditing tools and procedures that the ICO will use in audits and investigations and also includes indicative risk and control measures that organisations can deploy when using AI to process personal data and to audit the compliance of their own systems.


The ICO has published guidance for organisations wanting to develop GDPR Codes of Conduct or Certification schemes. Organisations can submit their proposals for such Codes or Schemes to the ICO for approval.



UK Legislation

Data Protection (Independent Complaint) Bill [HL] 2019-20

Baroness Kidron, a keen advocate of the ICO's recently published Age Appropriate Design Code of Practice, introduced a private members' bill in the House of Lords on 29th January. Its purpose is to amend the Data Protection Act 2018 (adding a 's.187A' after s.187) to grant representative bodies and organisations the power to exercise independent complaint and remedy rights on behalf of data subjects.



EDPB

EDPB Plenary Sessions

The EDPB held plenary sessions in January and February. A number of new documents and guidelines have been published.



Council of Europe cases

Breyer v Germany (application no.50001/12)

On 30 January 2020, the European Court of Human Rights ("ECHR") delivered its judgment in Breyer v Germany, stating that the compulsory collection of SIM-card registration data under the German Telecommunications Law (Telekommunikationsgesetz, or "TKG") and the subsequent sharing of it with law enforcement was not a violation of Articles 8 and 10 of the European Human Rights Convention. Although the Court accepted that there was an interference with the applicant's right to privacy, it concluded that the interference was limited and pursued legitimate aims of national security, and therefore there was no human rights violation.


EU Legislation

Croatian Presidency introduces 'legitimate interests' into amended proposal

The Croatian Presidency of the EU has issued an amended proposal for an e-Privacy Regulation, to be discussed during the meeting of the Working Party on Telecommunications and Information Society on March 5 and 12. Negotiations have been ongoing for a number of years and the previous Finnish Presidency had tried unsuccessfully to reach a political agreement last November.



Other EU news

EDPS publishes Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data

The European Data Protection Supervisor adopted Guidelines on assessing proportionality of measures that limit the fundamental rights to privacy and data protection on 19 December 2019. The Guidelines complement the EDPS Toolkit.



AI regulation – robustness and explainability

AI has been a focus of the European Union for a few years. In the hope of becoming a global hub for AI research and applications, it has increased its investment in this area and set out a policy for AI development. At the same time, it is striving to provide a framework to regulate AI, to promote the EU as a thought leader in the ethical, societal and security implications of AI.


NOYB launches GDPRHub

Max Schrems' crowd-funded NOYB has launched a public wiki – GDPRHub – which is divided into a section on GDPR enforcement action and a section on GDPR commentary. The former consists of 100+ decisions by national supervisory authorities and Member State courts regarding GDPR enforcement (the goal being to increase this to 500+ by the end of 2020). The latter consists of "commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions".

In January, the European Data Protection Supervisor (EDPS) issued a "Preliminary Opinion" discussing scientific research under the GDPR, as well as broader issues around society's interest in researchers being granted access to data held by large companies and public bodies.



UK ICO Enforcement

Highlights

This month we include details of a prosecution for the unlawful sharing of personal data with a third party provider, a £500,000 monetary penalty under PECR for automated nuisance calls, and a £500,000 monetary penalty under the former DPA 1998 for a security breach.


First Tier Tribunal Cases

EA/2019/0054-0059: Leave.EU Group Limited and Eldon Insurance Services Limited v ICO

This case concerns appeals by Leave.EU (a political campaign company) and Eldon (an insurance company), both members of the same corporate group, in respect of a number of statutory notices: namely PECR fines (£60k and £45k), enforcement notices and assessment notices, which were issued by the ICO following its large-scale investigation into the use of data analytics for political purposes after the Cambridge Analytica scandal. It contains some interesting points regarding unsolicited direct marketing communications which may be of broader interest.