UK & EU Data Protection Bulletin: December 2021
Written By
Welcome to this month’s EU & UK Data Protection Bulletin covering recent developments from the Autumn.
Particular highlights this month include:
- updates from the ICO including its response to the UK Government’s Consultation on Data Protection Reform, its draft Journalism Code of Practice and its Opinion on data protection and privacy expectations for online advertising proposals;
- a number of UK cases including a neighbour’s use of home security devices which was found to be in breach of data protection laws and 3 cases attempting to bring damages claims for small accidental data disclosures;
- EDPB draft guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR and in particular considering the meaning of a “transfer"
- a CJEU case which held that an online display advert that was made to look like an ordinary email in a webmail user’s inbox, fell within the scope of the ePrivacy rules requiring prior consent; and
- recent ICO enforcement activity with a number of monetary penalties for direct marketing breaches. The cases touch on the meaning of solicited emails, indirect consents, the soft opt in exemption, unsolicited calls and the disclosure email addresses of vulnerable individuals as part of a communication from an HIV Charity.
Use the links below to navigate through our newsletter:
ICOUK cases
EDPB
EU cases
ICO Enforcement
ICO
ICO launches consultation on the Draft Journalism Code of Practice
On 13 October 2021, the Information Commissioner’s Office (“ICO”) opened a consultation seeking feedback on the Draft Journalism Code of Practice (the “Code”). The Code provides practical guidance for organisations processing personal data for the purposes of journalism, and is aimed at individuals with data protection responsibilities within controller journalistic roles.
ICO publishes draft second chapter of its Anonymisation Guidance
The ICO has published the second draft chapter of its Anonymisation, Pseudonymisation and Privacy enhancing technologies guidance for consultation. This chapter looks at “how do we ensure anonymisation is effective” and has two parts: the first broadly follows the WP29 opinion on anonymisation techniques, and the second part provides detailed examples on how to anonymise in practice.
ICO responds to UK Government consultation on data protection reform
In September, the UK’s Department for Digital, Culture, Media & Sport (DCMS) released a consultation document about the future of data protection law in the UK. The proposals were wide ranging, addressing both uncertainties and clarifications in data protection law as well as significant changes to the way the law operates in the UK.
ICO’s Opinion on Age Assurance for the Children’s Code
On 14 October 2021, the ICO issued an opinion on Age Assurance for the Children’s Code (the ‘Opinion’). The Children’s Code (or ‘Age Appropriate Design Code’), which applies to online services likely to be accessed by children, requires online services to take a risk-based approach in recognising the age of their users, so as to ensure that they effectively apply the Code’s standards to child users.
ICO’s Opinion on “Data Protection and Privacy expectations for online advertising proposals”
On Thursday 25 November 2021, the Information Commissioner published an Opinion entitled “Data protection and privacy expectations for online advertising proposals”. This is part of the Information Commissioner’s Office’s (‘ICO’) broader adtech and real-time bidding (‘RTB’) investigation (here), which had been put on pause during the COVID-19 pandemic.
UK cases
Fairhurst v Woodard (Case No: G00MK161)
Fairhurst v Woodard involved a dispute between two neighbours over the use of home security devices. The Court found that the use of such devices in this instance went beyond what was necessary and proportionate to achieve the aim of preventing crime and was therefore in breach of data protection laws.
R (Open Rights Group & the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 1573
On 29 October the Court of Appeal handed down its judgment on a suspension of relief, following an earlier judgment in May 2021 which found that the immigration exemption under Schedule 2 Paragraph 4 of the Data Protection Act 2018 is incompatible with Article 23(2) of UK GDPR. GDPR allows jurisdictions to incorporate exemptions to derogate from provisions in specific and limited circumstances according to criteria set out in Article 23(2).
Read more here >
Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB),
Ashley v Amplifon Limited [2021] EWHC 2921 (QB), [Judgement not yet on BAILII]
Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB)
These cases all concern a single, accidental disclosure of small amounts of personal data to a third party, which were quickly rectified. All three were then brought before the High Court, with the data subject claiming damages under (at least) breach of UK GDPR, misuse of private information (MPI) and breach of confidence, with the defendant requesting summary judgement or striking out.
EDPB
EDPB adopts guidelines on restrictions on data subject rights under GDPR
Following public consultation, the European Data Protection Board has adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation. Article 23 of the GDPR allows Member States to put restrictions on data subject rights (those set out in Articles 5, 12-22 and 34), to the extent such restrictions “respect the essence of the fundamental rights and freedoms and [are] a necessary and proportionate measure in a democratic society to safeguard” e.g. national security, defence or public security.
EDPB adopts draft guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The EDPB has adopted draft Guidelines 05/2021 with the intent to clarify what constitutes an international data transfer in accordance with the GDPR (the “Guidelines”). The Guidelines are open to public consultation until the end of January. Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizations. However, the GDPR does not contain a definition of "transfer." In these Guidelines the EDPB outlines three cumulative conditions for what it considers a transfer to be.
EU cases
Case C-102/20
In a ruling dated 25 November 2021, the CJEU broadened the typically-understood scope of EU/EEA anti-spam rules to include, for the first time at EU level, certain forms of web or in-app display ads. In this new ruling, dubbed Pegnitz, the CJEU held that an online display advert that was made to look somewhat like an ordinary email in a webmail user’s inbox, fell within the scope of those anti-spam rules.
ICO Enforcement
Highlights
There have been a number of monetary penalties and enforcement notices for direct marketing breaches. These include cases touching on the meaning of solicited emails, indirect consents, the soft opt in exemption, unsolicited calls and the disclosure email addresses of vulnerable individuals as part of a communication from an HIV Charity. We also cover a number of Information Tribunal cases appealing monetary penalty notices (re direct marketing and data protection fees) and orders to progress a complaint (under S166 DPA 2018).
