Moving on from GDPR

With the end of the Brexit transition period, the GDPR became the UK GDPR in (obviously) the UK. 

In May, the government published its response to the consultation on its National Data Strategy.   As a result of the consultation, the government concluded the framework set out in the Strategy is fit for purpose but identified areas for continued conversation

Soon after EU adequacy decisions had been adopted, the UK published its plans for data protection suggesting a move away from the EU in some areas.  In a package of plans the government announced:

• a focus on agreeing new adequacy arrangements, initially with six priority countries – the USA, Australia, South Korea, Dubai International Finance Centre, and Columbia.  After that it will look at India, Brazil, Kenya and Indonesia
• a mission statement on the UK's approach to international data transfers and a UK Adequacy Manual which will be used to inform the assessment of a territory's commitment to high data protection standards.  This includes an international data transfers toolkit which sets out existing and planned transfer mechanisms (for example, the new International Data Transfer Agreement or IDTA, which will replace Standard Contractual Clauses and is currently the subject of a separate consultation)
• plans for an International Data Transfers Expert Council to support the facilitation of international data flows
• John Edwards as the government's preferred nominee as the new ICO with an enhanced role  
• an upcoming consultation on the future of the UK's data protection regime.

In September came the promised consultation on the government's proposals for an overhaul of the UK GDPR and DPA18 as we discussed here.  Many of the proposals aim to cut 'red tape' around current EU GDPR-derived rules and would certainly involve departures from the letter if not the spirit of the current regime.  The ICO also consulted on amending the incident reporting framework under the NIS Regulations.

As the ICO commented in her response to the government's proposals, the devil will be in the detail. The main message of the response seems to be that more information would be needed about the plans to enable an assessment. 

The ICO, unsurprisingly, emphasises maintaining current privacy standards and, on the issue of data transfers, underlines the importance of maintaining EU adequacy.  At the same time she is supportive, in principle, of measures which would increase flexibility and reduce administrative and regulatory obligations providing that does not result in a fall in standards.

The strongest language is used in response to the government's proposals to reform the ICO.  While the ICO supports a regulatory governance model involving a supervisory board with separate Chair and CEO, she says "there are specific proposals where I have strong concerns because of their risk to regulatory independence".

We should know more this time next year.

Cybersecurity

The government published draft Regulations to be made under the Telecommunications (Security) Bill 2020 in February. The Bill became law at the end of November and it and the related Regulations are intended to strengthen cybersecurity of the UK's communications infrastructure including 5G and full fibre networks. The newly published draft Regulations are made under ss 105B and D of the Communications Act 2003 (as it will be amended by the Bill) and relate to requirements to take specific security measures and take specified steps in relation to any security breaches.

In November, the government has published a response to its call for views on amending the incident reporting framework for digital service providers under the NIS Regulations.  The government is proposing to move incident thresholds out of legislation and into the control of the ICO. 

While some respondents disagreed with this approach, over 70% agreed and therefore the government continues to believe this is the best approach, stating that current reporting thresholds are not fit for purpose and result in too few incidents being reported.  The ICO launched consultations on threshold models in September (see below).

The government  published a response to its call for views on measures to enhance the security of digital supply chains and third-party IT services.  The government's proposals received broad support including around certification of assurance marks and minimum requirements in public procurement.  The majority of respondents agreed that new or updated legislation would be a sensible way to address issues.  The government will set out further policy objectives, probably as part of its upcoming National Cyber Strategy.

Controversial NHS data sharing scheme delayed

The UK government confirmed a delay to controversial proposals to add patient data from GP records to a central NHS digital database in near real time.

As usual the ICO has been busy producing guidance and consultations. The Children's Code came into full force in September and the Data Sharing Code of Practice in October.  Towards the end of the year, the ICO also began consulting on the Journalism Code of Practice.  We're still waiting for the revised Direct Marketing Code of Practice to be finalised, and for the outcome of the ICO's investigation into real time bidding which got delayed by the pandemic.

Elizabeth Denham is being replaced as ICO by John Edwards who takes up his post on 3 January 2022 and it will be interesting to whether there is a noticeable change of approach.  In the meantime, here is some of the key output in terms of guidance and consultations from 2021.

Algorithms for employment decisions

The ICO published a list of six things to consider when using algorithms for employment decisions. These focus on fairness and preventing bias and discrimination. The ICO reminds users that AI systems must be developed based on both data protection and equalities law.

Investigation into real time bidding

The ICO announced the resumption of its investigation into real time bidding (RTB) and the adtech industry in January. Work resumed with a series of audits focusing on digital market platforms. The ICO has been issuing assessment notices to individual companies as well as reviewing the role of data brokers in the adtech ecosystem. The ICO recommends "all organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency" and we expect the results of the investigation next year.

Adtech

The ICO announced the resumption of its investigation into real time bidding (RTB) and the adtech industry in January. Work resumed with a series of audits focusing on digital market platforms. The ICO has been issuing assessment notices to individual companies as well as reviewing the role of data brokers in the adtech ecosystem.

The ICO published an Opinion on Data protection and privacy expectations for online advertising proposals at the end of November.  This comes out of the ICO's study into adtech and addresses developments since that report.  The ICO considers these are not sufficiently mature to assess in detail (for example Google's plan to replace third party cookies).  As such, the ICO considers there is an opportunity to ensure proposals currently in development progress in a privacy compliant way.  The Opinion therefore sets out expectations for proposal developers.  Any proposal should: 

• engineer data protection requirements by default into the design of the initiative
• offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data
• be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
• articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent
• address existing privacy risks and mitigate any new privacy risks that the proposal introduces.

The ICO calls on Google and other participants to demonstrate that their proposals meet the expectations in the Opinion. New initiatives must address the risks that adtech poses and take account of data protection at the outset.  Any proposal which has the effect of maintaining or replicating existing tracking practices (such as those described in the ICO's 2019 report) is not an acceptable response to data protection risks.

Data analytics toolkit

In February, the ICO  launched a data analytics toolkit designed to help ensure data protection by design when using data analytics to process personal data. The toolkit takes organisations through some of the key issues they need to think about under the UK GDPR and/or the Data Protection Act 2018, at the outset of a project. It is intended as a starting point for considering compliance and is part of the ICO's priority work on AI.

ICO guidance on political campaigning

The ICO published updated guidance on the use of personal data in political campaigning in February. The revised guidance takes into account the UK GDPR and the use of personal data in modern campaigning practices, particularly digital ones. It covers the full lifecycle of political campaigning with a focus on complex areas such as the processing of special category data.

Ofcom and ICO joint action plan on nuisance and scam calls

Ofcom and the ICO published an update to their joint action plan for tackling nuisance and scam calls.  They will continue to focus on five key areas outlined in their 2019 update which cover:

• taking action against rule breakers
• raising awareness of COVID-19 nuisance calls and scams
• working with telecoms providers to improve actions to disrupt and prevent nuisance calls
• working with other regulators and enforcement agencies
• sharing intelligence with international and local partners and enforcement agencies.

ICO position paper on UK's proposed digital identity and attributes trust framework

In April, the ICO published a position paper on trusted digital identity systems in response to DCMS's prototype trust framework published in February 2021.  The framework sets out draft rules for organisations wanting to use digital identity verification products and services, to allow individuals to prove who they are without needing paperwork, for example, to buy a house or open a bank account, or to access age-restricted goods.

ICO call for views on anonymisation guidance

The ICO issued a call for views on the first chapter of its anonymisation guidance.  This includes the definitions of anonymisation and pseudonymisation.  A full consultation will follow.

ICO Opinion on use of live facial recognition technology in public places

The ICO published a Commissioner's Opinion on the use of live facial recognition (LFR) in July.  It focuses on the use of LFR in public places by private companies and public organisations.  See here for more.

ICO approval of certification criteria

In August the ICO approved the criteria for three certification schemes under the UK GDPR:

• ADISA has developed a scheme to certify that personal data has been handled lawfully on re-use or disposal of IT equipment
• Age Check Certification Scheme has had two schemes approved around age verification and children's online privacy.

These are the first schemes to gain ICO approval.

ICO call for views on data protection and employment practices guidelines

The ICO issued a call for views to help it develop new data protection and employment practices guidance and products to help employers and staff comply with relevant data protection legislation.  The existing guidance has not been updated since the Data Protection Act 2018 (DPA 18) came into effect.  The revised guidance will cover a range of topics from recruitment and selection, to employment and employer health records. 

ICO direct marketing guidance for the public sector

The ICO published guidance on direct marketing for the public sector.  The guidance is intended to help public sector organisations understand when they are sending direct marketing communications and sets out compliance requirements. 

ICO approval of first qualified trust service provider

The ICO approved GMO GlobalSign as the UK's first qualified trust service provider under the UK eIDAS Regulation.  GlobalSign can now issue qualified certificates for electronic signatures and seals.

ICO Children's Code

The ICO's Age Appropriate Design Code (or Children's Code) came into full force in September.  The ICO said it would be proactive in requiring social media platforms, video and music streaming sites, and the gaming industry, to tell it how their services are designed in line with the code.  In an open letter to campaign group 5Rights in November, the ICO said it had written to 40 organisations, with a further nine to follow.  Based on responses which are expected by the end of the year, the ICO will then decide whether to act formally.  Any formal steps are expected to happen in spring 2022. 

The ICO has also contacted Apple and Google in response to concerns raised about age ratings of apps about the extent to which the risks associated with the processing of personal data are a factor when determining the age rating for an app.

We held a webinar with the ICO's Acting Head of Regulatory Futures to discuss the impact of the Children's Code and how to comply on 14 September and you can read more about the Code here. 

The ICO also published an Opinion on age assurance and issued a call for evidence on its use in the context of the Children's Code.  While detailed guidance on compliance with the Code was not forthcoming, the ICO did publish related blog posts including one dealing with the requirement to complete a Data Protection Impact Assessment. 

Data Sharing Code of Practice

The ICO's new Data Sharing Code of Practice came into force on 5 October 2021.  The Code provides guidance on sharing personal data under the UK GDPR and DPA 18.  It covers issues including transparency, lawful basis and accountability.  The Code and other resources around data sharing can be found on the ICO's data sharing support hub.   As a statutory Code of Practice, the Code is admissible in court as evidence.

ICO consultation on draft Journalism Code of Practice

The ICO published its long-awaited Code of Practice on Journalism in draft for consultation in November.  The Code sets out the manner and extent to which data protection law applies to journalistic content, particularly in terms of the protections for journalism and freedom of expression.  It builds on the 2014 version but under the DPA 18, it will gain statutory force. 

ICO consultation on AI and data protection risk toolkit

The ICO consulted on the beta version of its AI and data protection risk toolkit.  The toolkit was published last July and contains risk statements to help organisations that use AI to process personal data.  It gives examples of organisational and technical measures which can help mitigate risk and demonstrate compliance with data protection law.  The consultation closed on 1 December 2021.

ICO joint statement on video teleconferencing companies

The ICO published a joint statement and observations on global privacy expectations of VTCs.  These set out good practice in relation to security, transparency, privacy by design and end-user control, as well as use of secondary data and data centres.

ePrivacy Regulation – are we nearly there?

There was some real progress on the ePrivacy Regulation this year.  In February, the Council of the EU agreed its negotiating mandate on the ePrivacy Regulation. The Portuguese Presidency can now begin negotiations with the European Parliament on the final text.

The EDPB has welcomed the Council's agreement on the draft ePrivacy Regulation but has made a number of comments relevant to the continuing negotiations including that cookie walls should be expressly prohibited.

Seemingly giving up on seeing a completed ePrivacy Regulation this year, the EC instead adopted a Regulation allowing a temporary derogation to the ePrivacy Directive.  This allows providers of independent interpersonal communications services to use technology and human review and process personal data in order to detect, report and remove child sexual abuse content online.  The Regulation has been published in the Official Journal and will apply for not more than three years.

AI Regulation

As discussed in the section on Disruptive Tech, the EC published a draft AI Regulation in April. 

The EDPS and EDPB adopted an Opinion on it in June.  Most significantly they call for a general ban on the use of AI for automated recognition of human features in publicly accessible spaces.  They also recommend a ban on AI systems using biometrics to categorise individuals into clusters based on ethnicity, gender, political or sexual orientation or other grounds on which discrimination is prohibited under Article 21, Charter of Fundamental Rights, as well as a ban on AI for social scoring.

In addition, the EDPB and EDPS consider that the use of AI to infer emotions of a natural person is highly undesirable and should be prohibited except for very specific cases, such as some health purposes where patient emotion recognition is important.

Data Governance Act

As we discussed in January, the EC published a proposal for a Data Governance Act in December 2020.  The Data Governance aims to facilitate the re-use of public-sector data for research and the benefit of society across sectors and borders. 

By the end of 2021, this had progressed fairly smoothly with political agreement on the final version agreed in December. 

Cybersecurity strategy and legislation

The year began with the EC's new EU Cybersecurity Strategy and the adoption of a proposal for a revised NIS Directive (popularly referred to as NIS2).  By the end of the year, NIS2 had got to the trilogue stage and we can expect it to be finalised in 2022. 

ENISA begain working on a cybersecurity certification scheme for 5G in February and the Regulation establishing the European Cybersecurity Industrial, technology and Research Centre and the Network of National Co-ordination Centres, was published in the Official Journal on 8 June 2021.  The Regulation aims to ensure the EU has appropriate technological and industrial cybersecurity capability to maintain the Digital Single Market.  It sets out rules for the establishment of the Cybersecurity Competence Community and for the nomination of national coordination centres.

In November, The EC proposed a Delegated Regulation under the Radio Equipment Directive to strengthen cybersecurity of connected devices which use radio technology.  The Regulation will cover a wide range of connected devices but some are excluded from scope because they are covered by other legislation, for example, connected vehicles and medical devices. 

The Regulation is expected to come into force in 2024 following a 30-month transition period.  The Commission also plans a Cyber Resilience Act which will cover a wider range of products throughout their lifecycle.

EC consultation on European Health Data Space

The EC began consulting on its plans for a common European Health Data Space (EHDS).  The consultation was directed at a wide range of stakeholders, focusing on:

• access to and use of health data for healthcare provision, research, innovation, policy-making and regulatory decisions
• fostering a genuine single market for digital health services and products including innovative ones (with a section of the questionnaire relating to the use of AI in healthcare).

The consultation closed on 26 July 2021.  We are yet to see action from this but, perhaps sensing the direction of travel, Microsoft announced it would enable commercial and public sector cloud services customers in the EU, to keep their data within EU borders by the end of 2022.  The EU Data Boundary for Microsoft Cloud plan will apply across all Microsoft's core cloud services, Azure, Microsoft 365, and Dynamics 365.  Data centres will operate in 13 EU Member States.

EU Digital Identity Framework

The EC published a proposal to create an EU-wide framework for electronic identities in June.  These will be used across the EU to identify and authenticate individuals to allow them to access public and private sector services and share electronic documents without having to use private identification methods or share personal data unnecessarily.  The proposal will take effect as an amendment to the eIDAS Regulation.  The digital wallets will link to national digital identities which provide proof of identity, like driving licences.

EDPB Guidelines

In January, The EDPB published draft guidelines on Examples regarding data breach notification. They are intended to help controllers respond to breaches and assess risk in order to determine which if any notification procedure to follow.

In February, the EDPB published final guidelines on Connected Vehicles.

At its 48^th plenary, the EDPB adopted final guidelines on targeting of social media users, and draft guidelines on the application of Article 65(1) GDPR.

In July, the EDPB adopted the following guidelines:

• Final guidelines on concepts of Controller and Processor – these have been updated following public consultation on the previous version but do not contain substantive changes.
• Final guidelines on virtual voice assistants – the EDPB confirms these fall within the scope of the GDPR and the ePrivacy Directive and offers recommendations on how to address compliance challenges.
• Guidelines on Codes of Conduct as a tool for data transfers – these clarify the application of Articles 40(3) and 46(3)(e) of the GDPR. 

In October, the EDPB adopted final Guidelines on the restrictions of data subject rights under Article 23 GDPR. 

In November, the EDPB adopted guidelines on the interplay between Article 3 and Chapter V of the GDPR (see section on data transfers for more).

EDPS activity

The EDPS produced a lot of commentary on various EC legislative initiatives, in particular around health data, AI and the draft AI Regulation, the Digital Services and Digital Markets Acts, the ePrivacy Regulation and the Data Governance Act.  In addition, together with the EDPB, he called for a ban on the use of automated facial recognition technology in public places.  He also produced myth busters on anonymisation together with the Spanish DPA.

EC study and actions on adtech

In June The EC opened a formal investigation to assess whether Google is infringing EU competition law by favouring its own online display adtech services to the detriment of competitor service providers, advertisers and online publishers.  The Commission will look at whether Google is distorting competition by restricting third party access to user data while using it itself for advertising purposes on websites and apps.

The EC also launched a study on the impact of recent developments in adtech and their impact on privacy, the publishers and advertisers which closed on 6 September. 

In November, IAB Europe published a press release saying it expects the Belgian DPA to identify that it has infringed the GDPR when it publishes its draft ruling.  The Belgian DPA has been investigating IAB Europe's role in the Transparency and Consent Framework (TCF).  It is expected to find that IAB Europe is a data controller for TC Strings – the digital signals created on websites to capture data subjects' choices about the processing of their personal data for advertising - that TC Strings are personal data, and that IAB Europe is a joint controller for them in the specific context of real time bidding.

While the Belgian ruling can be amended by other regulators under the cooperation and consistency mechanism, this looks to be good news for the adtech industry as the main issue appears to be with the role of IAB Europe in the TCF rather than with the TCF itself.  Those signed up to the framework may be required to make minor changes to their privacy policies as a result of the ruling but should wait until it is finalised.

Data transfers were one of the dominant issues of 2021.  The fallout from the Schrems II decision, new Standard Contractual Clauses, and the issue of whether the EU would grant the UK adequacy for the purposes of data transfers were top of the agenda.  You can see our Global Data Hub focus on this here.

EU-UK adequacy

At the end of the Brexit transition period, the EU agreed that personal data could continue to flow freely to the UK without the need for additional transfer mechanisms for a limited period of up to a maximum of six months.  Towards the end of that period and to audible sighs of relief, the EU adopted adequacy decisions in June as we discussed here.  The sting in the tail is that they can be withdrawn any time the UK steps out of the EU line which may reign in the UK's plans to depart from the GDPR.

Schrems II

In July we looked at the EDPB's has final guidance on supplementary measures for transfer tools to ensure that data transferred to third countries which do not benefit from an EU adequacy decision, is protected in a manner essentially equivalent to that in the EU.  This guidance had been keenly awaited since the Schrems II decision in 2020.

EU/UK-US adequacy

Despite everyone agreeing that a replacement for the EU-US Privacy Shield would be 'a good thing', agreement on what that would look like given the Schrems II judgment, has not been forthcoming.  A LIBE report published in July concluded that it will be difficult if not impossible for the US to enact any broad federal privacy law that can essentially meet the substantive requirements of EU data protection law and impose those standards on US corporations. 

The UK has said it will prioritise facilitating data transfers with third countries, in particular the US, but if it presses ahead, it could put its EU adequacy decisions at risk. 

New Standard Contractual Clauses

The EU updated its Standard Contractual Clauses in July as we discussed, adopting new versions which take a modular approach to cover a wider range of data processing models, and make provision for the Schrems II criteria and data transfer impact assessments. 

The UK is still using the previous iterations which pre-date the GDPR and cover limited transfer situations.  In August, the ICO launched a consultation on its draft International Data Transfer Agreement (IDTA) and guidance.

You can read more here.  For more on the UK's policy on transfers, see the section on proposed revisions to UK data protection law.

South Korea approaches EU adequacy

South Korea has nearly completed the EU adequacy process.  If an EU decision is adopted, it seems likely that the UK will take a similar decision.

EDPB guidelines on the interplay between Article 3 and Chapter V GDPR

The EDPB adopted Guidelines on the interplay between Article 3 (territorial scope) and Chapter V (data transfers) of the GDPR in November.  They aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer and to provide a common understanding of the concept of international transfers.  The Guidelines cite three cumulative criteria that qualify an operation as a transfer:

• The data exporter (a controller or processor) is subject to the GDPR for the given processing.
• The data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor).
• The data importer is in a third country or is an international organisation.

Clearing up some confusion which emerged from the guidelines on supplementary measures for data transfers, the EDPB says that processing will be considered a transfer regardless of whether the importer established in a third country is already subject to the GDPR under Article 3.  However, where the importer is subject to GDPR by virtue of Article 3(2) for the given processing, less protection or fewer additional safeguards will be needed. 

Transfer tools in that situation should take that into account and not duplicate the GDPR provisions but instead address the elements and principles that are missing – ie fill in the gaps relating to conflicting national laws and government access, enforcement and redress.  They should deal with conflict of laws and measures to be taken in the event of third country legally binding requests for disclosure of data.  The EDPB has said it will help develop a transfer tool that deals with these issues.

The guidelines also clarify that the collection of EU data by a third country organisation which is done directly from data subjects is not a Chapter V data transfer because the transfer is not from an EU establishment, and that a data transfer from an EU processor to a non-EU controller is a Chapter V data transfer.

We've picked out some of the highlights across a range of different breaches, jurisdictions and DPA actions. 

UK and EU competition investigations into Facebook

The CMA and the European Commission separately announced investigations into Facebook's collection and use of data in the context of providing online advertising services in the spring.  Attention is focused particularly on the single sign-on function and whether Facebook unfairly uses data from this and its advertising to prioritise its own services.  The Commission is also looking at whether Facebook harms competition in neighbouring markets as a result of its market position in social networking and online advertising, and whether it uses data from competing providers, obtained through their advertising on Facebook, to gain an unlawful competitive advantage.

ICO issues enforcement notice for failure to respond to a SAR

In September, the ICO issued First Choice Selection Services Ltd with an enforcement notice relating to its failure to comply with a Data Subject Access Request.  First choice received the request from a data subject who was also making an employment tribunal claim.  It said it would only release information on instruction from the tribunal at which point the data subject complained to the ICO. 

The ICO found First Choice had misled it by falsely claiming the employment tribunal said it should not release the data until instructed to do so.  First Choice must now respond to the SAR and make changes to its internal systems and procedures to ensure it deals properly with future SARs.

Irish regulator investigates TikTok's data protection practices

The Irish Data Protection Commissioner launched two own-volition inquiries into TikTok's GDPR compliance in September.  The first looks at its compliance with the principle of design and default, particularly in relation to the default settings for users under 18 and age verification measures for under-13s.  It will also look at whether TikTok has complied with transparency requirements in the context of processing children's personal data.  The second inquiry will look at TikTok's data transfer practices to third countries, and, especially to China.

TikTok has said privacy is "our highest priority".  It has made changes to its privacy practices including making all under-16 accounts private by default, deleting accounts of under-13s and suspending push notifications to children's accounts at certain times to protect their sleep patterns. 

EDPB sets up cookie banner taskforce

In September, the EDPB set up a task force to coordinate the responses to a number of complaints about cookie banners which have been filed with various Member State regulators by NOYB.  The taskforce aims to promote cooperation, information sharing and best practices between the SAs. 

CMA investigation into Google's plans to remove third party cookies on browsers           

The CMA is consulting on its notice of intention to accept binding commitments from Google regarding its proposals to remove third party cookies on Chrome and give main functionality to Chrome by offering 'privacy sandbox' tools. The CMA is concerned that Google's proposals would distort competition in the market for the supply of adtech services by restricting tracking functionality for their parties while retaining it for itself. Google is offering a range of commitments to address the CMA's concerns which the CMA is recommending be accepted.

Irish DPC provisionally finds Facebook does not need consent to data processing for targeted advertising

In October, the Irish Data Protection Commissioner provisionally found that Facebook's terms and conditions (rather than its privacy policy) form a contract for the processing of personal data for targeted advertising purposes.  As such, it is, as it claims, entitled to rely on Article 6(1)(b) (processing necessary for a contract) rather than on consent for the processing. 

Facebook had, however, failed to provide the necessary information regarding the lawful basis of processing in its terms and conditions and had not been sufficiently transparent.  As a result, the DPC proposed fining Facebook up to EUR 36m.

NOYB, which brought the complaint, argues that the decision effectively greenlights bypassing consent by allowing businesses "to just write the processing of data into a contract". The draft decision will go through the Article 60 process of approval by other regulators.  It will be interesting to see how they respond. 

EDPB coordinated action on use of cloud-based services by public sector

In October, the EDPB launched a proposal for its first coordinated action to focus on the use of cloud-based services by the public sector.  Assuming the proposal moves forward, national regulators will take up action at a local level but the results will be analysed and addressed together in order to create a plan of follow-up actions, both at Member State and EU level if necessary.

Luxembourg and French DPAs look at role of DPO

DPOs have been in the spotlight towards the end of the year. The Luxembourg DPA issued a number of fines to companies for failures around the appointment and role of DPOs.  There are several points to emerge from the rulings which are helpful given the lack of recent EU-level guidance on the issue. 

The Luxembourg regulator suggested a DPO needs to be a recognised privacy professional with at least three years' experience in data protection.  A DPO role should equate to at least one full time role.  If an external DPO is appointed, there needs to be a formal relationship with a control plan and monitoring procedures in place.  Whether internal or external, the DPO should be allocated sufficient time and resources to enable them to fulfil their functions.  The need for independence from the company was also stressed.

Separately, the CNIL published guidance for DPOs  which outlines the requirements of the role and best practice recommendations. 

Fines and breaches

As ever, each week brought revelations of new data breaches with ransomware attacks particularly prevalent.  One of the most high profile was the Facebook data breach which exposed the data of 533m users.  This is being investigated by the Irish regulator as Lead SA for the EU, and the ICO is also reportedly considering an investigation.

Health data was a particular target with reports of unsecured data and a number of ransomware attacks affecting organisations which process health data.  One of the more recent is the attack suffered by Stor-a-file which impacted at least six healthcare organisations.

There were also some record fines handed down by regulators this year, notably targeted at the tech giants.  Some, but by no means all were for security breaches.

Amazon fights EUR 768m fine

Amazon disclosed a pending fine from the Luxembourg data protection authority, acting as lead regulator, of a record EUR 768m for failure to obtain valid consent to targeted advertising.  The fine has not yet been published.  It is made in response to a complaint originally to the CNIL by privacy campaigners la Quadrature du Net.  The amount of the fine is unprecedented and Amazon is appealing it.  It says "There has been no data breach, and no customer data has been exposed to any third party…These facts are undisputed….We strongly disagree with the CNPD's ruling".

WhatsApp fined Euro 225m

The Irish Data Protection Commission fined WhatsApp EUR225m for breaches of the GDPR. The fine relates to breaches of transparency requirements, particularly relating to the sharing of WhatsApp data with its parent company Facebook. 

The Irish regulator, acting as Lead Supervisory Authority, had originally intended a lower fine of between EUR 30-50m, however, its provisional decision was rejected by other regulators.  The EDPB subsequently issued a binding decision under the Article 65 procedure requiring the fine to be increased.  It also specified that WhatsApp be given a reduced time of three months to take required remedial actions to its privacy practices.

WhatsApp is appealing the decision, arguing that the Irish DPC's decision is unconstitutional as it amounts to a criminal sanction and interferes with its property rights. It also argues the decision is incompatible with the European Convention on Human Rights in that it breaches the right to fair procedure.  WhatsApp also plans to challenge the EDPB instructions to the Irish DPC which caused a huge increase to the planned fine, before the CJEU.  It has, however, announced it is making changes in the meantime.

Grindr fined nearly EUR10m for data breaches

The Norwegian Data Protection Authority notified dating app Grindr of its intention to fine it nearly EUR10m for unlawfully sharing personal data with third parties. The DPA says Grindr failed to obtain valid consent to share the data and did not treat it as special data. Users had no option but to accept the privacy policy in its entirety and there was insufficient transparency around how their data would be shared. This is currently a draft decision and the amount of the fine is approximately 10% of Grindr's annual global turnover. Grindr will now have an opportunity to respond before a final decision is reached.

Italian regulator fines Deliveroo EUR 2.5m

The Garante, the Italian data protection regulator, fined Deliveroo EUR2.5m for its lack of transparency around algorithms it used to manage its workers when assigning orders and booking shifts.  Deliveroo was also held to have breached the purpose limitation principle in its use of geolocation data used to track its riders.  Deliveroo stopped using the shift booking system in 2020.  Deliveroo was given six months to rectify issues and a further 90 days to make any required changes to its algorithms.

TikTok under the spotlight in relation to children's privacy

The Dutch data protection regulator fined TikTok EUR75,000 for failing to provide its privacy policy in Dutch.  As a result, the regulator found that TikTok users, many of whom are children, were not given clear and adequate information about how their personal data would be processed.  TikTok did make changes to its app to make it safer for under-16s following an initial report by the DPA as a result of its initial investigation. 

Former Children's Commissioner Anne Langford is bringing proceedings against TikTok.  The action alleges TikTok has breached UK privacy law and the GDPR, notably by failing to get proper consent and not being transparent about the use and transfer of the data.  This is a representative action and the claim is being brought on behalf of all children who have used TikTok since the GDPR came into effect.

As part of its response, TikTok announced it will be opening a European Transparency and Accountability Centre in Ireland to give EU regulators and policy makers insight into its recommendation algorithm, use of personal data, and moderation of sensitive and harmful content.

Facebook fined EUR 7m over data protection practices

The Italian competition authority fined Facebook EUR 7 million for failing to comply with a 2018 order to change its data protection practices. The regulator said Facebook had failed to stop misleading practices and has not displayed the order on its Italian homepages. Facebook's appeal against the original decision is pending. It says it had already made changes to its terms to explain its use of personal data.

Italian food delivery firm fined for using discriminatory algorithms

Italian food delivery firm Foodinho, was fined EUR2.6m for failing to be transparent about its use of algorithms to rate riders.  The investigation by the Garante, the Italian data protection regulator, found that the rating system produced discriminatory outcomes which could exclude riders from jobs.

Charity fined for GDPR breaches

Transgender charity Mermaids was fined £25,000 by the ICO for breaches of the GDPR. The ICO found that Mermaids had failed to apply appropriate security to an email group which resulted in 780 pages of confidential emails relating to 550 individuals being searchable and viewable online for nearly three years.  Given the nature of the charity, some of this data was special category data and data relating to children. The size of the fine did, however, reflect mitigating factors including Mermaids' prompt reaction when finding out about the breach, its cooperation with the ICO, and the improvements it has made to its data protection practices.

Swedish regulator fines Medhelp EUR 1.1m for health data breaches

The Swedish DPA fined Medhelp EUR1.1m for a data breach which exposed patient data on an unprotected server and other GDPR failings around data transfers, backing up the data, and using a Thai sub-contractor against Swedish healthcare law. Medhelp supplied a medical advice hotline to three regions in Sweden.

IKEA fined EUR 1m in France and former CEO given custodial sentence

The Versailles Criminal Court fined IKEA France EUR1m and handed its former CEO a two year prison sentence after it engaged in covert surveillance.  IKEA France targeted employees, using private detectives and police officers to collect their personal data.  It used surveillance to vet job applicants and employees, gaining illegal access to their criminal records and bank accounts.

Dutch DPA fines Booking.com for failure to notify data breach

The Dutch Data Protection Authority fined Booking.com EUR 475,000 for failure to report a data breach within the prescribed 72 hour time limit.  The data breach occurred in December 2018, when data was obtained from 40 hotels in the UAE through vishing (voice phishing).  While Booking.com found out about the beach on 3 January 2019, it only notified the regulator on 7 February, and affected individuals on 4 February.

ICO to fine Clearview AI Inc £17m for breaches of GDPR and DPA 18

In December, the ICO issued Clearview AI Inc. with a notice of intent to fine it just over £17m following a joint investigation with the Australian regulator.  The ICO's preliminary view is that the scraping of images of individuals from the internet by Clearview to build a facial recognition database, breached UK data protection law in a number of ways.  These included:

• failure to comply with requirements around special data processing
• failure to comply with the principle that personal data be processed fairly, lawfully and in a transparent manner
• failure to comply with data retention and minimisation requirements.
  

Nuisance marketing

Fines continued to be issued for breach of PECR rules on nuisance marketing.  Just by way of example, the ICO fined two firms for sending out nuisance marketing texts and messages during the pandemic. Lead Works Ltd was fined £250,000 for sending 2.6 million texts without valid consent. The ICO found they sought to exploit financial insecurity as a result of lockdown. Similarly, Valca Vehicle Ltd was fined £80,000 for sending 95,000 texts without permission. Again the texts targeted those whose finances had been affected by the pandemic.

The ICO  fined Tested.me Ltd £8,000 after it sent 84,000 unsolicited marketing emails using data collected through a QR code for test and trace purposes.   

American Express was fined £90,000 by the ICO for sending over four million unsolicited marketing emails between 1 June 2019 and 21 May 2019.  Recipients included those who had previously opted out of receiving marketing emails.  American Express argued the emails were service messages, not marketing emails.  The ICO disagreed because the emails included details on rewards for using Amex for online shopping as well as information about how to get the best out of using the card, and encouraged users to download the Amex app.  The ICO found the inclusion of this information was a deliberate action for financial gain by the organisation.  It also criticised American Express for failing to review its marketing model following user complaints.

In progress

Schrems v Facebook

The Irish High Court dismissed an application for judicial review by Facebook seeking to challenge the Irish regulator's preliminary order warning Facebook that it might have to stop sending personal data to the USA.  The court is expected to lift the stay on proceedings.  The Irish DPC will now continue to pursue its own enquiry into Facebook's data flows, during which time it has suspended its investigation into the original Schrems complaint.

Germany refers Facebook competition case to the CJEU

Germany asked the CJEU to consider whether Germany's competition regulator, the Bundeskartellamt, was correct in its assessment that Facebook abused its dominant position as a provider of social networks in Germany, by processing user data in breach of the GDPR. 

In 2019, The Bundeskartellamt ordered Facebook to change its terms and conditions after finding that it infringed competition law by unlawfully collecting data from different sources including third party websites and apps and combining them with personal data from Facebook user accounts.  Facebook could not collect valid consent to the practice because there was no way to use the service without providing the consent which meant there was no genuine choice.  The Bundeskartellamt found that the resulting data dominance gave Facebook an unfair competitive advantage.  The Regional Court of Dusseldorf has now questioned the decision and said that the issue cannot be decided without a reference to the CJEU.

 CJEU decision on proceedings in cross-border processing cases

The CJEU confirmed that under certain circumstances, a national data protection supervisory authority can bring court proceedings for alleged GDPR infringement relating to cross-border processing in its own Member State, even where it is not the lead regulator. The CJEU ruled that the Belgian regulator could take legal action against Facebook despite its lead SA being the Irish Data Protection Commissioner.

The court held that there are limited exceptions to the one stop shop mechanism which could allow another regulator to bring proceedings and provided that the cooperation and consistency mechanism is respected.  This might include the adoption of provisional measures under the urgency procedure (Article 66), where the lead SA has not provided requested information.  A local SA might also be able to proceed where it receives a local complaint which relates only to an establishment in its own Member State or it relates to matters which substantially only affect data subjects in that Member State (Article 56(2).  It is not a requirement that the controller has a main establishment or another establishment there.

Representative action against Google's DeepMind

Mischon de Reya is bringing a representative action against Google's subsidiary DeepMind Technologies on behalf of 1.6m people.  Google's DeepMind Technologies had a data sharing arrangement with the Royal Free NHS Trust.  A data breach resulted in medical records being shared with tech companies without the knowledge or consent of the relevant individuals.  The ICO found a breach had occurred but did not fine the NHS Trust.  This action does not cite the Trust.

Uber faces employment tribunal claims around its use of facial recognition technology

The IWGB and ADCU unions are backing two employment tribunal claims against Uber made by a total of three drivers alleging that Uber's facial recognition system made by Microsoft is racially biased and can lead to drivers being unfairly suspended from the platform.  FRT systems have been shown by some studies to be less effective for non-white people. TFL estimates 94% of PHV drivers are black, Asian and minority ethnic.  In response to the allegations , Uber says "The system includes robust human review to make sure that this algorithm is not making decisions about someone's livelihood in a vacuum without oversight". 

AG Opinion on consumer protection associations bringing GDPR infringement proceedings

AG de la Tour opined in December that the CJEU should rule that the GDPR does not preclude national legislation which allows consumer protection associations to bring representative actions based on alleged breaches of data protection law.  The action may be brought on the basis of the prohibition of unfair commercial practices, infringement of a law relating to consumer protection, or the prohibition of the use of invalid general terms and conditions, provided that the purpose of the action is to ensure observance of the rights derived by the individuals concerned from the GDPR.

The AG relied on the Fashion ID judgment which concerned the Data Protection Directive, saying that the GDPR does not change the effect of the ruling.  His view is that Member States can provide for entities to bring representative actions designed to protect the collective interests of consumers without a mandate from the data subjects and without a need to claim the existence of actual cases affecting named individuals.

The AG went further and suggested that the defence of collective interests of consumers is particularly suited to the objective of the GDPR of establishing a high level of data protection.

Decisions and settlements

Representative actions

The Supreme Court handed down the long-awaited judgment in the data privacy case of Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50. The court reversed the decision of the Court of Appeal, holding that Mr Lloyd could not proceed with a representative action to claim damages from Google regarding the acknowledged fact that, for a period of several months, it tracked the activity of 4 million iPhone users without their knowledge or consent in breach of the Data Protection Act 1998 (DPA98 since replaced by the UK GDPR and the Data Protection Act 2018 (DPA18)). The decision is significant because of the impact it has on the viability of litigation-funded opt-out class actions, in particular for breaches of data protection law.  Read more.

Prior to the Lloyd v Google judgment, British Airways settled the data breach class action against it for an undisclosed amount on confidential terms.  The settlement does not include any admission of liability.  A number of other actions were stayed pending the outcome of Lloyd v Google.

Earlier in the year, the UK government published a review of the provisions on representative actions under the UK GDPR and the Data Protection Act 2018 as required under s189 DPA18.

Under the current framework, individuals can ask relevant non-profit organisations to act on their behalf to complain to the ICO or bring legal proceedings against a data controller for non-compliance with UK data protection legislation. The government concluded there is not a strong enough case to introduce new legislation. This is partly because the ICO can investigate serious breaches of legislation and systemic failings across sectors.

Hight Court ruling sheds light on causes of action for data breaches

The High Court upheld an application to strike out claims for compensation for distress for misuse of private information (MPI), breach of confidence (BoC) and negligence, brought against DSG Retail Ltd in relation to a cyberattack on a point of sale system at Curry's PC World in 2018.  A separate claim for breach of the Data Protection Act was stayed pending the outcome of an appeal by DSG before the First Tier Tribunal against an ICO fine of £500,000.

Saini J said that while data protection legislation imposed a positive duty around data security, BoC and MPI do not.  The wrong was a failure which allowed the cyberattack rather than positive conduct by DSG which would be required for BoC or MPI.

In relation to the negligence claim, the judge said there was no need to impose a duty of care in negligence where statutory duties apply under data protection law.  In addition, no loss had been suffered.  Any distress suffered was not enough to constitute tortious damage, and there was no pecuniary loss.

The decision is significant as it clarifies which and when causes of action apply in relation to cyberattacks.

EctHR Grand Chamber upholds decision that aspects of UK surveillance regime were unlawful

The Grand Chamber of the European Court of Human Rights upheld the Chamber ruling that aspects of the UK's surveillance regime under the now superseded Regulation of Investigatory Powers Act 2000, did not comply with Articles 8 and 10 of the European Convention on Human Rights.  The Court said that a bulk interception regime would not necessarily violate the ECHR, but it must provide end-to-end safeguards including assessment of necessity and proportionality at each stage of the process.  Independent authorisation would be required at the beginning of an operation and the operation should be subject to independent supervision and review.  The bulk interception regime under RIPA did not meet these criteria and neither did the UK's regime for obtaining communications data from communication service providers.

DPA Immigration Exemption unlawful, says Court of Appeal

The Court of Appeal ruled the Immigration Exemption in paragraph 4 of part 1, Schedule 2 of the Data Protection Act 2018, unlawful.  This exempts controllers from needing to comply with specified provisions of the DPA18 and the UK GDPR, where personal data is processed for the maintenance of effective immigration control or the investigation or detection of activities which would undermine effective immigration control, to the extent that compliance would prejudice these measures.  The effect of this decision has been stayed temporarily to allow the government to make changes to the law.

High Court considers reach of the GDPR

The High Court considered whether a US news website was caught by the GDPR in a preliminary hearing.

The US news website Forensic News is based in California and has no employees or representatives in the UK.  It does have some readers in the UK but only a small number of UK donation subscriptions had been solicited.

The judge did not consider that the company had stable arrangements in the UK which meant it did not have a UK establishment in the context of which its activities were processed.  There was nothing to suggest that the company was targeting the UK market in relation to its goods or services, even though both goods (merchandise) and services were accessible in the UK – the news service was aimed at a US audience.  Even if it were considered to be offering goods and services in the UK, the processing complained of was not related to any offering.

Perhaps more controversially, the judge held that the monitoring of website access by European (UK) individuals, for the purpose of targeting advertising, was not part of Forensic News's core business and was therefore not meant to be caught by the 'monitoring of the behaviour of EU (UK) individuals' limb of the territorial scope provisions in Article 2(b) GDPR. This was because the behavioural profiling was not related to the processing activities which were the subject of the complaint.

Consequently, the judge found that the (UK) GDPR did not apply to the processing which was the subject of the complaint.

Berlin Court overturns GDPR fine

The Regional Court of Berlin overturned a fine issued by the Berlin Data Protection Commissioner to Deutsche Wohnen. The EUR 14.5 million fine was issued on the basis that the real estate company had failed to put in place measures to regularly delete tenant data which was no longer needed. The Court found, however, that the decision was invalid because the regulator had not been sufficiently specific about the alleged GDPR breaches. The Deutsche Wohnen fine was the first GDPR fine to be issued in Germany and is now the second to have been overturned.