UK & EU Data Protection Bulletin: May 2020

By Elizabeth Upton, Ruth Boardman, Ariane Mole

05-2020

Welcome to the May edition of our UK & EU Data Protection update focused on recent developments in March and April.

Highlights include:

• Updated ICO and EDPB Guidance on COVID-19; and 
 
• Coverage of the Supreme Court decision in Morrisons on vicarious liability and the Court of Appeal in Dawson-Damer examining the definition of a "relevant filing system". 

View the full bulletin >

Use the links below to navigate through our newsletter:

ICO

UK Legislation

EDPB

CJEU cases

Other EU news

UK ICO Enforcement


ICO

New CCTV Guidance and Templates  

The Surveillance Camera Commissioner and the ICO updated their CCTV DPIA guidance and template on 1 April 2020 to fully reflect the requirements under GPDPR and the Data Protection Act 2018. It has been designed for entities that have to comply with the Surveillance Camera Code of Practice under Section 33(5) of the Protection of Freedoms Act 2012 such as local authorities and police forces etc. However, it can also be used by private companies that deploy surveillance cameras in the UK.

Click here to read more > 

How the ICO will regulate during the Coronavirus 

The ICO has issued a short paper about how it will regulate during the Covid-19 pandemic in order to take account of the fact that organisations are facing staff and operating capacity shortages as well as acute financial pressures and many public bodies are facing severe front-line pressures and are redeploying resources to meet those demands.On the 5 May, the ICO also updated its priorities for data protection during Covid-19 and beyond.

Click here to read more >

Videoconferencing: ICO Tips

The ICO's Director of Assurance has released a short blog advising organisations about how to safely roll out the latest video conferencing technology to ensure that staff can communicate securely.

Click here to read more >

Using new technologies and tracking to combat the pandemic: Key Data Protection Questions to consider 

Elizabeth Denham released a new blog examining some of the relevant privacy issues that organisations exploring the possibility of using contact tracing and location tracking technologies to combat the Covid-19 will need to think about. The ICO states that it is here to offer advice and guidance to organisations ahead of such projects and can provide assurance via audit once a project is up and running. 

Click here to read more >


UK Legislation

Leighton v Information Commissioner (No.2) [2020] UKUT 23(AAC) 

In this case, Mr Leighton had made a subject access request to the police under s45 DPA 2018 which he did not think  that the police had dealt with properly so he complained to the ICO. The ICO concluded that the police had complied with their obligations but Mr Leighton appealed that conclusion to the FTT using section 166 DPA 2018 which entitles a data subject to order the ICO to progress a complaints that has been made to it under section 165 DPA 2018. This case examines the scope of the FTT powers under this provision in more detail.

Click here to read more >

Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB) 

In this judgment, Saini J in the High Court struck out claims for breach of the Data Protection Act 1998 (DPA), the law of confidence and the Human Rights Act 1998 (HRA) which stemmed from an allegedly non-consensual, verbal disclosure of information about the claimant by a charity to the claimant's GP. 

Click here to read more >

Hands down – no representative action for Equifax

Counsel for Equifax blogged on 1 April 2020 that the representative action brought by Richard Atkinson in the High Court of England and Wales had been withdrawn. 

Atkinson's claim, brought under the Data Protection Act 1998, stemmed from a large scale personal data breach at Equifax in 2017 which was the resulted from a malicious cyber-attack. One of the interesting points in the claim was Atkinson's attempt to claim damages in this scenario under the novel "loss of control" head (i.e., without proving pecuniary loss or distress). Many data elements collected by Equifax were (as expected, for a credit reference agency) not collected from data subjects directly, but from third party data controllers.

Click here to read more >

Employers breathe a sigh of relief following the Supreme Court decision in Morrisons

In a unanimous decision on 1 April 2020, the Supreme Court reversed the Court of Appeal’s decision that found Morrisons vicariously liable for a data breach committed by a rogue employee. The Supreme Court held that the Court of Appeal “misunderstood the principles governing vicarious liability in a number of relevant respects”.

Click here to read more >

Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10

In its judgment on the Elgizouli case, the Supreme Court unanimously held that the Secretary of State breached the Data Protection Act 2018 by transferring personal data to the US law enforcement authorities for use in capital criminal proceedings.  

Click here to read more >

Dawson-Damer Court of Appeal [2020] EWCA Civ 352 

On 12 March the Court of Appeal handed down its second judgment in the long running case of Dawson Damer v. Taylor Wessing 

Readers may recall the appellants were beneficiaries under a Bahamian Trust. The trustees had appointed the majority of the trust fund to new trustees to hold for the beneficiaries, excluding the appellants. The appellants challenged this arrangement. As part of this, they made a subject access request to Taylor Wessing LLP which acted for the trustees of one of the trusts.


EDPB

Data processing and Covid-19 – EDPB statement 

Like many national authorities around the EU, the European Data Protection Board released a statement about data processing in the context of the current pandemic. The EDPB underlines that data protection is not a barrier to combatting the Coronavirus, but that personal data must continue to be protected despite the unprecedented situation.

Click here to read more >

Following its remote plenary meeting on 3 April 2020, the EDPB has adopted further Guidance on data protection issues arising in the context of the COVID-19 crisis. 

Click here to read more >

EDPB published updated guidance on consent

On the 04 May the European Data Protection Board (EDPB) adopted a slightly updated version of its guidelines on consent under the GDPR to address implied consent and cookie walls. 

Click here to read more >


CJEU cases

Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Cases C-61/19) Advocate General's Opinion: Examining the definition of "consent" 

On 5 March 2020, the CJEU's Advocate General (AG Szpunar) handed down his Opinion in Case C 61/19 Orange România SA, a case which could impact how companies across a wide range of sectors obtain GDPR consents, offline or online.  

When signing up for Orange Romania's mobile telecoms services, Orange Romania's practice was to take a copy of customers' identity documents, which it would then store as an attachment to the signed customer contracts.  The contract wording included, inter alia, a relatively lengthy passage about this practice, including a statement that the customer had been fully informed of, and had freely and expressly consented to, the collection and storage of those copies. This consent was further demonstrated by the customer ticking boxes on the contract itself.

Click here to read more > 


Other EU news

EDPS Publishes its 2019 Annual Report  

The EDPS has published its Annual Report which provides an insight into all its activities over the past year. 

Click here to read more >

EDPS Guidance to use of Photo Booths

On a lighter note, the EDPA has just published some new guidance on the use of photo booths by EU institutions recognising that these are a great way for such institutions to reach out to the public and they are frequently used during events. Given that photo booths are used publicly, with the aim of generating a positive customer experience, it would be counterproductive for EU institutions to use them in a way that could violate anyone’s fundamental right to data protection. Once we are all back to work again, this guidance could be of more general interest to other organisations who hire out or use such booths at their events.

Click here to read more >

Using Telecoms Data for Covid-19 tracking – comments from the EDPS 

The European Commission announced plans to monitor the spread of coronavirus using telecommunications data. The European Data Protection Supervisor (EDPS) was consulted and provided their comments in an open letter to the Commission. 

Click here to read more >


UK ICO Enforcement

Highlights

This month we include details of a prosecution for the deletion of a record of a council meeting under FOIA and a £171,000 monetary penalty under PECR for unsolicited direct marketing calls.

Click here to read more >

 
Data Protection View all newsletters here