UK & EU Data Protection Bulletin: April 2021
Written By
Welcome to this month’s EU & UK Data Protection Bulletin covering developments from February and March.
In this edition, recent highlights include:
- UK cases which include one which covers the use of exemptions for the processing of personal data for journalistic exemptions and one which confirms that the PECR covers instigation as well as transmission of unsolicited direct marketing messages and that even an email banner or footer containing advertising is enough to make the entire communication constitute a direct marketing communication
- An update on the Government’s review into representative actions under S189 DPA 2018
EDPS/EDPB Joint Opinion on the Data Governance Act
Use the links below to navigate through our newsletter:
ICOUK cases
UK Legislation
EDPB
CJEU cases
UK ICO Enforcement
Download the Bulletin here >
ICO
Data analytics toolkit launched
The toolkit is aimed at those using software to automatically discover patterns in data sets containing personal data – including use of AI (but not limited to this). The toolkit asks a series of questions to give guidance on lawfulness of processing; accountability and governance; data protection principles and data subject rights. The output is in the form of a report with tailored advice. ICO advises that use of the toolkit is anonymous and that ICO cannot view the information submitted to it.
New Guidance on Political Campaigning
ICO has published its final guidance on this, following a public consultation launched in October 2019. The Guidance summarises the impact of existing laws on political campaigning: it does not change the law.
Read more here >
Digital Regulation Co-operation Forum publishes first annual plan of work
The Forum consists of the Competition and Markets Authority, ICO and Ofcom. As from April 2021, the Financial Conduct Authority will join the Forum.
Read more here >
ICO announces plan to update anonymisation guidance
Ali Shah, the ICO’s Head of Technology Policy, has blogged about the ICO’s plan to update its anonymisation guidance. ICO is interested in engaging with experts ahead of public consultation
UK cases
True Vision Productions v Information Commissioner [2021] UKFTT 2019 EA 0170
The case is useful in showing how exemptions in data protection legislation relating to processing of personal data for journalistic purposes should be applied. The First Tier Tribunal found that filming of mothers – at the moment they received a diagnosis that their unborn child had died – breached data protection legislation because the filming was carried out without notice, whereas notice could have been provided.
Koypo Laboratories Limited v Information Commissioner [2021] UKFTT EA/2020/0263P
This case relates to an appeal against a monetary penalty issued by the ICO in August 2020 relating to a breach of Regulation 22 of PECR.
Read more here >
Weaver and others v British Airways plc [2021] EWHC 217 (QB)
Data protection claims are one of the driving forces behind the ongoing debate concerning the way group actions are conducted in the UK. This recent High Court decision was made after a costs and case management conference in the group litigation which follows the high-profile British Airways data breach.
Read more here >
Phones 4U LTD (In Administration) v EE Ltd & 7 ORS
After going into administration in 2014, Phones 4U brought a competition claim against a number of mobile phone companies alleging anti-competitive behaviour. It claimed that the defendants forced it into administration by colluding to terminate their contracts. It submitted that current and former employees of the defendants had used their personal devices to collude.
Read more here >
Leave.EU Group Ltd (2) Eldon Insurance Services Ltd v Information Commissioner
The Upper Tribunal rejected all arguments by Leave.EU and Eldon Insurance Services against enforcement action taken against them in relation to newsletters about Brexit which also contained advertising material about GoSkippy insurance products.
Read more here >
HRH Duchess of Sussex v Associated Newspapers [2021] EWHC 273 (Ch)
This High Court judgment relates to a letter sent by the Duchess of Sussex to her father which was reproduced in large parts in articles published by the Associated Newspapers in the Mail on Sunday and MailOnline.
Read more here >
Collette Lloyd v Information Commissioner
Collette Lloyd made a Freedom of Information request to Airedale NHS Foundation Trust i.a. for the numbers of live births per year of children with Down Syndrome. The Trust explained that it was a small NHS Trust and that numbers would be below 5 per year. Accordingly, it concluded that release of the data would amount to disclosure of personal data and that this meant that it should not provide the information. The Information Commissioner agreed with the Trust. Ms Lloyd appealed against this decision.
UK Legislation
Update on S189 DPA: Representative ActionsThe UK Government recently undertook a review of the representative action provisions of the DPA 2018. Currently, the UK DPA 2018 (section 187) provides that data subjects can authorise a representative body to, on their behalf, (1) lodge a complaint with the ICO (2) obtain an effective judicial remedy in respect of a decision made by the ICO which impacts that data subject; (3) obtain an effective judicial remedy (non-financial) against a data controller or processor for an infringement; and (4) receive compensation for damage suffered by the data subject as a result of an infringement.
EDPB
On 10th of March, the EDPS and the EDPB published a joint opinion on the EU Commission Proposal for a Data Governance Act (DGA) here. (Link to PDF page 16)CJEU cases
CJEU clarifies limits on public authority access to retained traffic and location dataH.K. v Prokuratuur Case C-746/18 (Grand Chamber, 2 March 2021)
Prokuratuur is the latest in a series of CJEU judgments on the ability of public authorities to access communications data retained by communications service providers. In October 2020, in its Privacy International/La Quadrature judgments, the Court reinforced its generally strict approach. However, it also identified some limited permissible exceptions to the prohibition on mandatory generalised retention. This new judgment considers the constraints on targeted access to retained traffic and location data.
UK ICO Enforcement
HighlightsThe ICO has been active over the last couple of months with 11 monetary penalties and some enforcement notices being issued against a variety of organisations for breaching the PECR in respect of marketing emails, phone calls and text messages.
