DWF Data Protection Insights January 2021

The Breach Counsel Forum and other data protection webinars

On 20 January some of our data protection specialists spoke at the inaugural Breach Counsel Forum webinar, covering the following issues:

• What are the regulatory priorities that will play out if there is a breach?
• What are privacy activists, claims farms and law firms up to?
• What does the threat landscape look like?

You can listen to the recording here >

On Thursday 4 February we are running a Trading with Europe and Data Protection seminar, during which we will consider how the end of the transition period impacts your use of personal data for doing business in Europe. Click here to register >

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)

ICO Guidance

ICO updates FAQs on information rights following the end of the Brexit implementation/transition period
The ICO has updates its FAQs on information rights following the end of the Brexit transition period.  This covers a number of post-Brexit issues, including:

• What effect does the trade deal have on data protection?
• Do we need a European representative?
• Does the GDPR still apply?
• What is the UK data protection law now the Brexit transition period has ended?
• Can we still transfer data to and from Europe?
• What about EEA processors sending data back to UK controllers?
• What do I need to do with data collected before the end of the transition period?
• Do we need to appoint a UK representative?
• Does PECR still apply? 
• Does FOIA still apply? 

While the answers to the FAQs provide some useful high-level guidance, if you need more detailed, bespoke advice on any of these questions, or any other data protection issues, please contact one of our specialist lawyers.

ICO resumes adtech investigation
On 22 January the ICO announced that it has resumed its investigation into real time bidding (RTB) and the adtech industry, which it paused in May 2020 to focus on its response to the pandemic.  We wrote about the ICO's Adtech Update Report in the January 2020 issue of DWF Data Protection Insights. The statement says:

• Enabling transparency and protecting vulnerable citizens are priorities for the ICO. RTB can use sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
• The ICO will conduct audits focusing on digital market platforms and issue assessment notices in the coming months.
• The ICO will review the role of data brokers in the adtech ecosystem.
• Because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. The ICO will publish its final findings once the investigation is concluded.
• All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency.  Organisations should ensure that they are complying with all relevant ICO guidance, particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs).

Norwegian DPA announces intention to fine Grindr for sharing user data for marketing without consent
While the ICO has only just resumed its adtech enforcement activities, the Norwegian DPA (the equivalent of the ICO) has announced its intention to fine Grindr 100 000 000 NOV (€10 million, or approximately 10% of its annual worldwide turnover) for sharing user data with third parties for marketing purposes without consent.  This is a draft decision and Grindr has until 15 February to respond, but it indicates that the ICO is not alone in stepping up its enforcement action against data processing for adtech purposes without consent.

If you are using adtech or RTB in your organisation, or working with other organisations which do so, our data protection specialists can provide advice and support to ensure that this use is lawful.

ICO Sandbox update: focus on children and other vulnerable people
The ICO is continuing to emphasise its focus on the privacy of children and other vulnerable people by announcing the latest projects to join its regulatory sandbox.  Two projects are focused on children's privacy: the first aims to offer age appropriate child-centred content moderation, together with privacy information and accessible parental consent options.  The second participant is working with the ICO to enhance its Consent Management Platform, which provides child privacy consent management.  The ICO is working with three other participants in relation to the privacy of other vulnerable people, focusing on online gambling harms, supporting ex-service men and women get the care they need, and a platform to help fight against cyber-criminals.

One of our recommended Data Protection New Year's Resolutions 2021, which we shared in the December 2020 issue of DWF Data Protection Insights, is to ensure that your organisation achieves compliance with the Age Appropriate Design Code (often referred to as "the Children's Code") by 2 September 2021.  If your business includes online services which are likely to be accessed by children, please contact one of our data protection specialists for advice on how to ensure that you comply with the Children's Code.

Updated FAQs in Children's Code hub
The ICO has added new FAQs to its Children's Code hub, which ask the ICO to clarify:

• when a website is likely to be accessed by a child;
• the rules on different control options for the age brackets, when an ISS is not targeted to children but they may access it;
• the standard on "nudge techniques";
• personal data collection from a child who uses a service without being the account holder;
• how global organisations can achieve compliance with the requirements in the UK and other jurisdictions;
• the rules on age verification and the requirement to retrospectively verify the age of existing users;
• the rules on parental/adult consent;
• use of QR codes; cookies and geolocation data; and
• achieving transparency through age-appropriate language.

These FAQs demonstrate some of the complexities in complying with data protection law and the Children's Code, so please contact one of our data protection specialists if you need our support to achieve compliance.

EDPB Guidance

EDPB and EDPS publish joint opinions on draft Standard Contractual Clauses
In the November 2020 issue of DWF Data Protection Insights we reported that the European Commission had published consultation drafts of two sets of Standard Contractual Clauses (SCCs):

• An updated version of the SCCs for transferring personal data from the EEA to third countries ("Third Country SCCs"); and
• New SCCs for use between controllers and processors within the EEA ("Controller-Processor SCCs").

On 15 January 2021 the EDPB published joint opinions of the EDPB and the European Data Protection Supervisor (EDPS), in which they broadly welcome both sets of SCCs, but state that some clarification is needed.

As we reported in the December 2020 issue of DWF Data Protection Insights, while the updated Third Country SCCs will, once finalised, provide a safeguard for the transfer of personal data from the EEA to the UK, they will not provide a valid safeguard for transfers from the UK to third countries. Until they are finalised, you can continue to use the existing version of the Third Country SCCs, or the UK version ("UK SCCs") published by the ICO.  The ICO has stated that it will consult on and publish updated UK SCCs during 2021.

While the Controller-Processor SCCs are intended for use where the controller and processor are both based in the EEA, they provide a useful indication of the level of detail that controller to processor data processing clauses should contain in order to meet the requirements of the GDPR.

Remember that the CJEU in the Schrems II case introduced new requirements for the SCCs, so you will need to comply with the EDPB's recommendations on supplemental measures and recommendations on the European Essential Guarantees for surveillance measures, noting that at the time of publication both of these are awaiting finalisation. See the November 2020 issue of DWF Data Protection Insights for details of the draft recommendations.

EDPB Guidelines on examples regarding data breach notification
On 19 January the EDPB published for consultation draft guidelines on examples regarding data breach notification.  The consultation runs until 2 March 2021.

The EDPB states that the guidelines complement the WP29 (the EDPB's predecessor) guidance on data breach notification by introducing more practice-orientated guidance and recommendations. They aim to help data controllers to decide how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), including:

• ransomware attacks; 
• data exfiltration attacks, including exfiltration of job application data or a hashed password from a website;
• lost or stolen devices and paper documents; and
• misdirected mail (email and "snail mail") containing personal data.

For each category, the guidelines present the most typical good or bad practices, advice on how risks should be identified and assessed, highlight the factors that should be given particular consideration, and identify in which cases the controller should notify the supervisory authority and/or notify the data subjects.

While the UK has now left the EU, the UK has retained the GDPR (with very minor amendments) in national law, so EDPB guidelines are still relevant to help UK organisations achieve compliance with data protection law.

EDPB Strategy 2021-2023
On 4 January the EDPB published its strategy for 2021-2023.  This focuses on four "pillars" and sets out three key actions under each pillar:

Pillar 1: Advancing harmonisation and facilitating compliance:

• focus on providing further guidance on key notions of EU data protection law e.g., on the concept of legitimate interest, on the scope of data subjects’ rights;
• further promote development and implementation of compliance mechanisms for controllers and processors, including training to stimulate the development of tools to promote compliance;
• foster the development of common tools for a wider audience and engage in awareness raising and outreach activities, including tools specifically tailored for non-expert professionals, such as SMEs, and for data subjects, in particular children.

Pillar 2: Supporting effective enforcement and efficient cooperation between national supervisory authorities:

• encourage and facilitate use of the full range of cooperation tools enshrined in data protection law;
• implement a Coordinated Enforcement Framework to facilitate joint actions in a flexible but coordinated manner;
• establish a Support Pool of Experts on the basis of a pilot project, intended to provide expertise to support investigations and enforcement activities of significant common interest;

Pillar 3: A fundamental rights approach to new technologies:

• monitoring, assessing and establishing common positions and guidance as regards new technological applications in areas such as artificial intelligence (AI), biometrics, profiling, adtech and continuous evaluation of existing positions on applications such as cloud services, blockchain etc.;
• reinforcing data protection by design and by default and accountability: provide clear guidance on how to implement data protection principles effectively, what individuals are entitled to expect and what organisations can do to further improve the ability of individuals to exercise control over their personal data and demonstrate compliance with their obligations;
• intensify engagement and cooperation with other regulators (e.g. consumer protection and competition authorities) and policymakers to ensure that individuals receive optimal protection;

Pillar 4: The global dimension:

• promote the use of transfer tools ensuring an essentially equivalent level of protection and increase awareness on their practical implementation;
• engage in dialogue with international organisations and institutional networks to provide leadership in data protection and promote high standards of protection worldwide; and
• facilitate the engagement between EDPB members and the supervisory authorities of third countries with a focus on cooperation in enforcement cases involving controllers/processors located outside the EEA.

Enforcement action

ICO enforcement

Motor industry employee sentenced in ICO Computer Misuse Act prosecution
The ICO has reported that a motor industry employee has been sentenced to eight months' imprisonment, suspended for two years, in a prosecution brought by the ICO.  The employee had transferred personal data to an accident claims management firm without authorisation.

This case serves as a useful reminder that breach of data protection law and related legislation, such as the Computer Misuse Act 1990, can result in criminal prosecution.

PSA (Phone-paid Services Authority) Enforcemen
The PSA has fined a company £885,000 and banned it from the market for three years after it committed eight breaches of the PSA Code of Practice, by sending chargeable texts containing voucher alerts and discount codes without consent.

This case provides a reminder that, while data protection law (including the GDPR and the Privacy and Electronic Communications Regulations) governs the sending of marketing materials such as emails and texts, chargeable texts are also subject to the PSA Code, breach of which can result in large fines.

Industry news

(Another!) ePrivacy Regulation update
In the latest development in this long-running saga, the Council of the EU, which is chaired by Portugal for six months from 1 January, published a revised draft text on 5 January, with the key changes relating to cookies and metadata. We will monitor how the other EU member states respond to the draft and continue to provide updates in future issues of DWF Data Protection Insights.  While the new Regulation, once finalised, will not automatically bind the UK, it appears likely that the UK will adopt similar rules, and UK organisations will need to comply with the Regulation with regard to individuals in the EU.

CMA consultation on Algorithms: How they can reduce competition and harm consumers
In the December 2020 issue of DWF Data Protection Insights we reported on the ICO's guidance on using algorithms for employment decisions.  On 19 January 2021, the CMA (Competition & Markets Authority) published a consultation paper on how algorithms can reduce competition and harm consumers.  The paper starts by recognising the potential benefits of algorithms, including improvements to the quality of products and services and increased efficiency, which can improve innovation and competition, but then focuses on the potential harms, including:

• If personalisation is not transparent, it can be exploitative;
  
• exploiting consumers' limited attention, loss aversion or inertia, leading to susceptibility to default options, causing them to make purchasing decisions that they would not otherwise have made;
• enabling businesses to exclude or marginalise competitors;
• some uses of personalisation can cause discrimination; and
• potential collusion through pricing algorithms.

The paper then goes on to address techniques that can be used to investigate those harms and consider the role of regulators.

While the consultation does not focus on data protection, it considers the relationship between algorithms and data protection law, and stresses the importance of undertaking a data protection impact assessment (DPIA) before starting to process personal data using algorithms.  It also refers to the ICO guidelines on explaining decisions made with AI, developed with the Alan Turing Institute, on which we reported in the May 2020 issue of DWF Data Protection Insights. The paper concludes by stating that the CMA will work with others to identify problematic markets and firms violating consumer or competition law and take cases forward where action is required.

The House of Lords Liaison Committee report: 'AI in the UK: No Room for Complacency'
The House of Lords Liaison Committee has published a report called 'AI in the UK: No Room for Complacency'.  This concludes that:

• the Government needs to better coordinate its artificial intelligence (AI) policy and the use of data and technology by national and local government; and
• ethical AI is the only sustainable way forward, and the time has come for the Government to move from deciding what the ethics are, to how to instill them in the development and deployment of AI systems.

AI Council roadmap and recommendations
On 6 January DCMS (the Department for Digital, Culture, Media and Sport) published a report on artificial intelligence (AI) carried out by the AI Council providing a roadmap and 16 recommendations for the UK National AI Strategy.

These developments relating to algorithms and other forms of AI suggest that these will be subject to an increased government focus in the coming months. Organisations using AI to make decisions about individuals, including personalisation of content or pricing, need to consider compliance with all relevant laws, including consumer protection and competition law, as well as data protection law.  If you need advice on any legal aspect of AI use, feel free to get in touch with your usual DWF contact, who can introduce you to our other specialist lawyers.

Post-Brexit transition

UK adequacy decision
On 11 January John Whittingdale, Secretary of State for Digital, Culture, Media and Sport, made a statement to Parliament: 'Given we have an existing data protection framework that is equivalent to the EU’s, we see no reason why the UK should not be awarded adequacy and we expect the process to be concluded promptly'.  On 14 January Bruno Gencarelli, the European Commission’s head of international data flows and protection, said that the Commission hopes to complete the process before the bridging mechanism for data flows expires at the end of June 2021.

However, commentators continue to express concerns that any adequacy decision that is granted is likely to be challenged in the courts, due to the UK's surveillance laws and the government's expressed intention to start to exercise independence over its data protection laws, including making its own adequacy findings in respect of additional countries.  Privacy activist Max Schrems' "noyb" organisation's newsletter "GDPRtoday" reported Whittingdale's statement quoted above with the comment "Let’s all reserve judgement until we see what happens!".

Due to the ongoing uncertainty, we recommend continuing to map your international data flows, including those from the EEA to the UK (or back to the UK).  Depending on the number of contracts affected, you may wish to start putting safeguards in place, such as the new UK Standard Contractual Clauses published by the ICO, or continue to monitor the position for the next couple of months and then decide what action to take, depending on what progress is made.  We will of course monitor developments closely and report on them in future issues of DWF Data Protection Insights, but please contact one of our data protection specialists if you require tailored advice at any time.

Information Commissioner blogpost: Maintaining data flows for a digital world
On 22 January the Information Commissioner published a blogpost looking at the data protection aspects of the UK-EU trade agreement.  The key points to note are:

• While we wait for an adequacy decision, the UK must notify the EU–UK Partnership Council, as far as reasonably possible, of any new international agreement between public authorities for international transfers. Should any UK public authority be intending to enter into such an agreement, it should notify the Department for Digital, Culture, Media and Sport (DCMS).
• There is no guarantee that the EU will grant the UK an adequacy decision, so businesses should continue to take sensible precautions for any eventuality.