14 December 2020
Radar - December 2020 – 3 of 8 Insights
It's been another busy year for data privacy. While 2019 ended with the Advocate General's Opinion suggesting the EU-US Privacy Shield would see off challenges, the Schrems II CJEU decision dramatically changed the landscape for data exports from the UK and EEA. In the UK, the introduction of the Children's Code was one of the more significant events. Here are some of this year's highlights. For full details and a raft of articles on all aspects of data privacy, see our Global Data Hub.
ICO Draft Code of Practice on direct marketing
NCSC draft guidance on security of voice, video and messaging communications
The National Cyber Security Centre (NSCS) published draft guidance for consultation to help organisations assess the security of voice, video and messaging communication services. The guidance is aimed at risk managers and security professionals who need to balance functionality and security when selecting telecommunications systems and is particularly relevant to those working in the government and public sector.
NCSC guidance on selecting mobile devices
The NCSC published guidance to help organisations, in particular business users, choose and secure mobile devices. The guidance is aimed at businesses buying equipment but can also be used by lawyers and risk managers to help draft appropriate policies and risk management procedures.
NCSC design guidelines for high assurance products
In February, the NCSC published design guidelines for high assurance products. They contain a set of principles which can be used to set high level security objectives which in turn can be used to guide design decisions and development processes. The guidelines are written for organisations that are at risk from elevated threats, or those seeking to develop products capable of resisting the threats.
Proposals for GDPR Codes of Conduct
The ICO began taking submissions for proposals for GDPR Codes of Conduct and Certification scheme criteria in March. It published guidance for organisations wanting to develop them.
Template DPIA for surveillance cameras
In March, the ICO and the Surveillance Camera Commissioner jointly published an updated version of the template DPIA which the SCC recommends organisations use to carry out a DPIA when introducing new or updated surveillance cameras or changing what they are doing with them.
The ICO's Children's Code
The ICO Children's Code (also known as the Age Appropriate Design Code) came into force in September. We expect this to be a major focus of activity for those businesses within scope next year. It will come into effect on 2 September 2021. Read more.
Guidance on obtaining a national security certificate
In September the Home Office and DCMS published guidance on obtaining a national security certificate under the Data Protection Act 2018 (DPA18). The guidance is non-binding but is intended to provide controllers with a common and consistent approach to application.
National data strategy
The DCMS launched a consultation on its National Data Strategy. The Strategy is intended to help the UK achieve a thriving digital sector and covers non-personal as well as personal data. Plans include:
BEIS response to Smart Data review
BEIS also published its response to its Smart Data review in September. In addition to introducing primary legislation as mentioned above, it intends to set up a cross-sector working group to accelerate existing Smart Data initiatives and support development and delivery of Smart Data infrastructure.
ICO draft statutory guidance
In October, the ICO published its draft Statutory guidance for consultation. It sets out the ICO's approach to the use of its regulatory and enforcement powers. The guidance covers the use of the full range of the ICO's powers from information notices to penalty notices, and the use of privileged communications during these processes. A nine-step plan sets out the process the ICO will use to assess the amount of any penalty and the factors it will take into consideration.
ICO detailed guidance on subject access
Also in October, the ICO published new detailed guidance on the right of access. There have been a number of changes as a result of consultation on the draft. In particular, clarity has been added stopping the clock for clarification and what can be included when charging a fee for excessive, unfounded or repeat requests.
ICO guidance on criminal offence data
In November, the ICO published detailed guidance for organisations processing criminal offence data The guidance looks at GDPR requirements for processing this data and at the additional protections it attracts.
Much of the ICO's resource this year was re-directed to dealing with personal data issues raised by the pandemic. We reported on developments in May and June and the ICO created a dedicated hub for guidance and information.
EDPS Preliminary Opinion on data protection and scientific research
The EDPS published a Preliminary Opinion on data protection and scientific research at the end of 2019. The EDPS says the Opinion is intended to build on work done by the EDPB and WP29, but stresses that it is not comprehensive.
Final guidelines on processing personal data through video devices
These guidelines aim to clarify how the GDPR applies to the processing of personal data when using traditional and smart video devices. They look at lawfulness of processing, processing of special category data, disclosure of footage, and the application of the household exemption.
EDPB draft guidelines on data protection and connected vehicles
The EDPB published draft guidelines on data protection and connected vehicles for consultation. The guidelines make a number of recommendations including in relation to data protection by design and default, data minimisation, information requirements, security and data subject rights.
ENISA studies on standardisation and cybersecurity certification
ENISA published a number of studies on standardisation and cybersecurity certification in February. The UK is no longer represented on the ENISA board and the government intends to repeal the Cybersecurity Act at the end of transition. The studies may, however, influence future UK policy.
EC European Strategy for Data
In February, the European Commission published a package of proposals on the EU's digital future to create a "Europe fit for the Digital Age", including a Communication on a European Strategy for Data.
Key proposals include:
See more on the draft Data Governance Act below.
EDPB republished guidance on consent
In May, the EDPB republished the Article 29 Working Party guidelines on consent and made clarifications on two issues reflecting the CJEU's decision in the Planet49 case: the validity of consent provided by the data subject when interacting with so-called "cookie walls", and the example on scrolling and consent. As a result, amendments have been made to paragraphs 38-41 (Conditionality) and 86 (Unambiguous indication of wishes).
EDPB guidelines on processing health data for COVID-19 scientific research
The EDPB published these guidelines in the context of the COVID-19 outbreak. While some of the guidance is highly specific to the situation, discussions about lawful basis, consent, anonymisation, the data protection principles and the use of health data, have wider application and are worth considering even if your data processing operations are unchanged during the pandemic.
EDPS Opinion on the European Data Strategy
In June, the European Data Protection Supervisor published Opinion 3/2020 on the European strategy for data. The EDPS stresses that one of the objectives should be to provide an example of transparency, effective accountability and a proper balance between the interests of the individual data subjects and the shared interest of society as a whole, moving away from the current model characterised by "unprecedented concentration of data in a handful of powerful players as well as pervasive tracking". The Opinion also takes into account the COVID-19 crisis and stresses that data protection is not the problem but part of the solution. The EDPS expects to be consulted on legislative steps.
Review of NIS Directive and creation of Cybersecurity Certification Group
In July, The EC launched a review of the NIS Directive and ENISA announced the creation of the Stakeholders Cybersecurity Certification Group (SCCG). It is made up of representatives from a range of stakeholders who will advise the Commission and ENISA on strategic issues regarding the cybersecurity certification framework.
EDPB draft guidelines on controller and processor
The EDPB adopted these draft guidelines in September. They cover an explanation of the concepts of controller and processor and the extent to which there are changes under the GDPR.
EDPB draft guidelines on targeting individuals through social media
The EDPB adopted guidelines aiming to provide practical guidance to stakeholders on targeting individuals through social media and setting out the roles and responsibilities involved.
EDPB guidelines on meaning of "relevant and reasoned objection" for Article 65 procedures
The EDPB adopted guidelines on the meaning of "relevant and reasoned" objection for the purposes of Article 65 GDPR procedures in October. Under the GDPR cooperation mechanism, supervisory authorities have a duty to exchange information. The Lead SA submits a decision to concerned SAs who can raise a relevant and reasoned objection within a specified timeframe. The guidelines set out what constitutes a relevant and reasoned objection and look at how to assess whether an objection "clearly demonstrates the significance of the risks posed by the draft decision" as required under Article 4(24) GDPR.
EDPB final guidelines on data protection by design and default
The EDPB adopted a final version of its guidelines on Data Protection by Design and Default in October.
ENISA guidelines on security and the IoT
ENISA published guidelines for securing supply chains for products and services used in the Internet of Things in November. They look at threats to the supply chain including deliberate physical attack, intellectual property loss, nefarious activity, unintentional damage or loss of information, and legal issues including contractual and data protection considerations. The guidelines go on to set out good practice security recommendations.
EDPBS preliminary opinion on the European Health Data Space
The EDPS published a preliminary opinion on the European Health Data Space (EHDS), part of the European Strategy for Data announced in February 2020. The EHDS is intended to be a common space in the area of health to help prevent, detect and cure diseases and enhance effectiveness, accessibility and sustainability of the healthcare systems. The EDPS strongly supports the objectives but underlines the necessity of building in data protection safeguards at the outset.
As we reported, the CJEU ruled in July that the EU-US Privacy Shield adequacy decision was invalid because it failed to protect EU personal data from unnecessary and disproportionate access by US intelligence agencies. While it upheld the adequacy decision on Standard Contractual Clauses (SCCs) as a data export mechanism, the same issues regarding access by intelligence authorities in the US apply to transfers made from the EEA to the US under them.
Going forward, the CJEU placed the onus on data exporters and importers to decide whether the data transferred to third countries under SCCs is adequately protected and to use enhanced protections if needed. If they do not, transfers may be open to challenge and to action by supervisory authorities (SAs) which can prohibit the transfers on a case by case basis. This may potentially impact data transfers from the EEA to the UK after Brexit if the UK does not get adequacy (see below). While SCCs can be used in theory, exporters will need to assess whether data transferred to the UK will be adequately protected, introduce supplementary measures if not, and cease transfers if they deem those measures to be insufficient.
In August, the US Department of Commerce issued updated FAQs on the continuing use of the Privacy Shield following its invalidation by the CJEU. While acknowledging that reliance on the Privacy Shield will no longer legitimise data transfers from the EEA, the FAQs suggest that signing up to the Privacy Shield remains a good way to demonstrate a high standard of data protection and security. The US then issued a White Paper, arguing that the CJEU had failed to take account of the full range of US protections available to EU data.
In November, the EDPB adopted recommendations on measures to supplement transfer tools to ensure personal data transferred to third countries is adequately protected. It also adopted recommendations on the European Essential Guarantees for surveillance measures.
The EDPB Chair underlines that responsibility for assessment rests with data exporters who must proceed with "due diligence and document their process thoroughly". Even then the Chair adds that it may not be possible to implement sufficient measures to allow the transfer to proceed and that there are no quick fixes or 'one size fits all' solutions. The recommendations will be submitted to public consultation and are applicable immediately following publication. See our article for more on the EDPB recommendations and listen to our webinars.
Discussions have begun between the US and the EU to "evaluate the potential for an enhanced EU-US Privacy Shield framework", but it's hard to see where they can go in light of the CJEU's ruling. The impact of the Schrems II decision goes far beyond the issue of EEA to US data transfers though and the EDPB recommendations do not resolve the issue of data transfers to third countries. This will be an ongoing issue in 2021.
New draft Standard Contractual Clauses
In November, the European Commission published the long-awaited draft implementing decision on Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries together with draft new SCCs covering four different categories of transfer. The Commission says the new SCCs are intended to be modular so different processing scenarios can be woven into a single document tailored to the individual situation. As a result, more than two parties will be able to sign up to a single set of SCCs.
The SCCs already include some of the EDPB's recommendations on contractual supplementary measures to help provide additional protection for data transferred to a third country where required following the CJEU ruling in Schrems II. However, there does seem to be some slight divergence from the EDPB recommendations. The EDPB says that the assessment of whether supplementary measures are required to help protect data should be objective and focused on the legal regime, rather than on subjective issues like whether or not the data being transferred is likely to be of interest to government agencies. The SCCs suggest that a more risk-based approach might be appropriate.
The SCCs are open for consultation until 10 December 2020 and are expected to be adopted in 2021. Organisations will then have a year in which to replace their existing SCCs with the new versions.
Visit the Global Data Hub for more on the impact of Schrems II on data transfers.
After the end of the Brexit transition period on 31 December 2020, the UK's data protection regime will be governed by the Data Protection Act 2018 and the UK GDPR (the GDPR amended to work in post-Brexit UK), PECR and the NIS Regulations. If there is no EU-UK adequacy agreement by the end of the Brexit transition period on 31 December 2020, the UK will become a third country for the purposes of data transfers from the EEA.
The UK government updated its information about the status of data flows to and from the UK from 1 January 2021.
The last point is interesting as the statement arguably implies (although does not state) that the UK may diverge from the Schrems II judgment after the end of transition. Perhaps the most interesting aspect is the statement that "we are confident that adequacy decisions can be concluded by the end of the transition period". At the time of writing, we are still waiting to hear whether this optimism will be justified.
The draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 amend the 2019 data protection Brexit Regulations to change references to exit date to IP completion day. Other changes:
Both UK and EEA businesses will need to consider more than just data transfers as a result of Brexit including whether they need to appoint a representative, the location of their DPO, their Lead SA, and, possibly their data processing agreements. For more on the impact of Brexit on data transfers, see our articles.
ICO - breaches
Data breaches continue to be part of the privacy landscape. Strangely some of the highest profile breaches in the UK have involved the travel sector. Many of those found responsible for breaches are also facing class actions which could add to the economic fallout.
In March, the ICO fined Cathay Pacific the maximum amount under the Data Protection Act 1998, for security breaches which affected around 9.4m individuals from October 2014 to May 2018.
In May, easyJet informed the ICO that it had suffered a data breach as a result of a "highly sophisticated" cyberattack which it is believed to have become aware of in January 2020. Email addresses and travel details of around 9 million customers were stolen, as well as the credit card details of over 2,000 customers who were informed about this in April. EasyJet is facing a class action issued by a law firm on behalf of easyJet customers impacted by the breach. Estimates suggest that if it is successful, it could cost the firm £18bn and individuals could be awarded up to £2000 each. Given the relative lack of sensitivity of the majority of the data, this would be a considerable amount.
EasyJet is not the only airline to have suffered a major data breach. The ICO issued a notice of intent to fine British Airways £183 million for a 2018 data breach which affected 380,000 customers. In October, the fine was significantly reduced to £20 million but this is still the largest fine handed down by the ICO under the GDPR. The reduction has less to do with an appeal as to the severity of the breach and more to do with the ICO's assessment of the economic impact of COVID-19 on BA's business, which it is required by statute to undertake.
In November, the ICO fined the Marriott Group £18.4 million in relation to a data breach caused by a cyberattack in 2014. The penalty relates to the breach from 25 May 2018 when the GDPR came into effect, and the ICO acted as Lead Supervisory Authority on behalf of other EU regulators. The ICO found that Marriott had failed to put appropriate technical or organisational measures in place to protect the personal data processed on their systems but acknowledged that since the breach was discovered, Marriott had taken steps to mitigate the impact and improve its systems. These factors as well as the economic impact of COVID-19 resulted in the reduction of the fine from the original proposed sum of £99 million. In September, a class action was filed in the High Court under Part 19, CPR, by Martin Bryant of Big Revolution on behalf of English and Welsh residents who stayed in one of the Starwood brand hotels before 10 September 2018 and were impacted by the Marriott data breach. Individuals can opt out of the action.
A few others to note:
PECR enforcement – two examples among many
ICO Investigation into credit reference agencies
The ICO published the results of a two year investigation into credit reference agencies Equifax, Experian and Trans Union. The ICO found the three CRAs were trading, enriching and enhancing people's personal data without their knowledge. This resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify people most likely to be able to afford goods and services, and build profiles. As a result of the investigation, all three CRAs made improvements to their businesses. The ICO found that no further action was required with respect to Equifax and TransUnion. However, it determined that Experian, while having made some progress, had not gone far enough. Experian now has to make the changes if it wants to avoid further enforcement action. It is appealing the notice.
ICO audit of political parties' use of personal data
The ICO completed its audit of seven UK political parties in November and concluded they need to take specific actions to improve their data protection practices. The ICO will be following up with the parties to ensure they have implemented the recommendations. Guidance will be issued over the coming months.
EU – a (very small) selection
The fine is the largest handed down by a data protection authority under the GDPR to date but the Conseil d'Etat said it was appropriate.
ICO investigation into adtech
In January, we discussed the latest on the ICO's investigation into the Adtech industry. The ICO said "given the lack of maturity in some parts of this industry…we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis". When the pandemic took hold, the ICO said it had suspended the investigation in order to focus on more urgent matters and it is unclear when we can expect results.
Google and tracking
Google Chrome published a blog updating progress on its Privacy Sandbox and outlining its plans to stop supporting third party cookies. Once approaches have been developed and Google has developed tools to mitigate workarounds, it will stop supporting third-party cookies in Chrome. The plan is to do this within 2 years. Google has begun limiting insecure cross-site tracking and is also developing techniques to detect and mitigate covert tracking and workarounds by launching new anti-fingerprinting measures. In November, Marketers for an Open Web (MOW), a group of technology and publishing companies, wrote to the CMA asking it to impose a legal block on Google's launch of its Privacy Sandbox technology. MOW alleges the technology will place the digital advertising ecosystem behind the Chrome browser and beyond regulatory scrutiny.
The CMA has said it will consider MOW's request.
CDEI report on online targeting
The Centre for data Ethics and Innovation (CDEI) published its final report on online targeting. The CDEI found that people did not object in principle to online targeting but that there was a lack of transparency and accountability and users wanted meaningful control over how they were targeted. The report makes three sets of recommendations centred around accountability, transparency and user empowerment.
Complaint by Irish Council for Civil Liberties
In September, the Irish Council for Civil Liberties submitted a report by Johnny Ryan to the Irish Data Protection Commission, alleging that two years on from its original complaint, the situation has worsened. Google and a number of leading data brokers are accused of breaching the GDPR and using real time bidding data including special data, to profile individuals. The Irish Data Protection Commissioner opened an investigation into Google nearly two ago but there have been no updates as to its progress. Google denies allegations that it breaches data protection law.
Belgian regulator finds IAB's TCF is not GDPR-compliant
The Belgian data protection regulator (APD) concluded its investigation of IAB Europe's Transparency and Consent Framework (TCF). The TCF is a voluntary standard intended to help adtech businesses comply with GDPR requirements. In a blow to the adtech industry, the initial (non-binding) APD report has apparently found that the TCF does not comply with the GDPR principles of transparency, fairness and accountability, does not provide adequate rules for processing of special data, and, therefore, that adhering to it does not result in lawful processing.
IAB Europe was also criticised for internal failings, including for failure to appoint a Data Protection Officer. IAB Europe published a statement saying it is considering the report but rejecting some of its findings, in particular, that IAB Europe is a data controller in the context of publishers' implementation of the TCF.
Apple changes to tracking practices
Apple announced privacy changes to iOS 14. From 8 December, developers will have had to obtain consent to tracking users across third-party apps and websites. Apps will have to request permission to track via the App Tracking Transparency framework in order to access Apple's identifier for advertising. Users will be provided with a binary option to allow or not to allow tracking and apps will only be able to ask permission once. Each app must include a "do not track" setting and users will be able to select individual permissions or to apply choices to all apps.
Lloyd v Google heads to Supreme Court
The Supreme Court gave Google leave to appeal the ruling of the Court of Appeal in Lloyd v Google on all issues. This is a significant case as if the Supreme Court sides with the Court of Appeal, it could open the floodgates to data breach class actions. It would certainly mean that that representative actions could be used in these situations to secure a compensation pot for an indeterminate number of affected individuals. Class actions are already on the rise in relation to data breaches (as detailed above) and issues around consent, with the latest involving Salesforce, Oracle, Facebook and YouTube.
Morrisons – employer not vicariously liable for actions of rogue employee
In April, the Supreme Court held that Morrisons was not vicariously liable for the data breach of a rogue employee, but as we explain, organisations may be vicariously liable for breaches of data protection law in other circumstances.
High Court awards damages for distress under Data Protection Act 1998
The High Court awarded two claimants damages for distress caused by the defendant's breach of Principle 4 of the Data Protection Act 1998 (DPA98). The damages were not confined to material loss and the claimants were awarded £18,000 each for distress caused by the breach.
Court of Appeal decision on use of facial recognition by South Wales police force
The Court of Appeal partially reversed a ruling by the Divisional Court relating to the use of automated facial recognition technology (AFRT) by the South Wales Police Force. The Surveillance Commissioner had welcomed the judgment and commended South Wales Police for its approach to the use of AFRT and its cooperation. The Commissioner said changes will be made to his guidance issued to police forces to ensure they are aware of the potential bias in systems. The Commissioner was highly critical of the Home Office, saying that the Home Secretary's Surveillance Code of Practice is in urgent need of an update, and that the Home Office and Secretary of State "have been asleep on the watch".
CJEU ruling on access to data by crime and national security agencies
The CJEU ruled in a case from the UK, and joined cases from France and Belgium, that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or safeguarding national security. While the CJEU stopped short of declaring surveillance laws of particular countries unlawful, the judgment suggests that the UK's Investigatory Powers Act is incompatible with EU law. This is significant in that it may prevent the UK getting an EU adequacy agreement for data transfers after the end of the Brexit transition period.
CJEU ruling on consent
The CJEU followed the Advocate General's Opinion in a reference from Romania relating to a fine imposed by the Romanian data protection authority on Orange. The fine was in respect of Orange keeping copies of customer ID documents without their consent. The CJEU said that the onus is on the controller to demonstrate that the data subject has actively consented after having first received relevant information in an intelligible and clearly accessible, easy to understand form.
NIS Regulations review
In June, the government published a review of the NIS Regulations which have now been in place for two years. The review concludes that while it is too early to judge the long term impact of the Regulations, organisations are taking measures to secure networks and information systems as a result of the requirements under the Regulations. This has reduced risks to essential services and important digital services. The review also concluded that the Regulations and their implementation could be improved in a number of areas.
The existing version of the NIS Regulations has been amended to account for Brexit. The amended Regulations will take effect from 1 January 2021.
Telecommunications (Security) Bill
The government published the Telecommunications (Security) Bill in November. It introduces:
The Bill will allow the government to issue specific security requirements in secondary legislation. New codes of practice will demonstrate how providers should comply.
Another year has gone by without so much as an agreed draft of the ePrivacy Regulation. Various EU Council Presidencies have taken over the file and tinkered around with it but have failed to yield results. In March the Croatian Presidency published a revised text of the Regulation. It introduced changes to Article 6 (permitted processing of communications metadata) and Article 8 (protection of end-users' terminal equipment information including cookies rules) and related recitals. It aimed to simplify the text and further align with the GDPR, principally by introducing the possibility of processing based on legitimate interest in both cases, subject to conditions and safeguards.
This would have represented a major change, and meant that cookies would not necessarily require user consent which would have been a big win for adtech but In November, a leaked version of the latest draft suggested that the German Presidency had removed the clause permitting general processing of metadata on the basis of legitimate interests. The draft also suggests processing of metadata in online communications to monitor epidemics and help in natural or manmade disasters will be allowed and clarifies that nothing in the Regulation will prevent Member States carrying out lawful interception of electronic communications and requiring providers to help them.
The EDPB stressed in November, the need to adopt the new ePrivacy Regulation as soon as possible. It is concerned that discussions around enforcement of the Regulation are trending away from consistency which could lead to a fragmented approach.
Proposals to amend the ePrivacy Directive
Given the absence of an ePrivacy Regulation, the EC has proposed a new Regulation which would introduce a limited exemption to the obligations in Articles 5(1) and (6) of the ePrivacy Directive. The intention is to exempt providers of number-independent interpersonal communications services (eg VoIP, IM) from obligations to respect the confidentiality of communications and traffic data where those conflict with their voluntary activities to detect child sexual abuse online. These types of providers will come within the scope of the ePrivacy Directive once the European Electronic communications Code is implemented which must be by 21 December 2020 (in the EU and the UK). The proposed Regulation would apply until December 2025, or until relevant longer-term legislation is adopted if earlier.
Draft Data Governance Regulation
In November, the European Commission published a draft Data Governance Regulation. This is intended to facilitate data sharing across the EU and between sectors, and to "offer an alternative model to the data-handling practices of the big tech platforms". The Regulation provides for neutral and transparent data-sharing intermediaries who will not be able to deal with the data on their own account. It includes:
The Commission also comments that the Regulation supports wider international sharing of data provided it is under conditions that ensure compliance with European public interest and the legitimate interests of the data providers.
The Regulation is the first legislative initiative to come out of the European Data Strategy, published in February 2020 (see above). More dedicated proposals on common EU data spaces are expected in 2021 together with a Data Act to foster data sharing among businesses and between businesses and governments.