DWF Data Protection Insights September 2020

The European Data Protection Board has had a busy month, so we report on two sets of draft guidelines it has issued during September. The ICO has also been relatively busy, and we report on two enforcement actions, coronavirus updates and top tips for innovators. As we approach the expiry of the transition period, we also include our regular Brexit watching brief.

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)

ICO Guidance: data protection and coronavirus hub
The ICO has continued to update its data protection and coronavirus hub, adding the following items:

• Blogpost: Data protection considerations and the NHS COVID-19 app – the Information Commissioner writes that she is pleased that the Department of Health and Social Care (DHSC) has made changes to the NHS contact tracing app in response to ICO feedback.  She emphasises that the ICO will audit the Track and Trace ecosystem, to ensure that data protection obligations are being met.
• Updated Data protection guidance for collecting customer information - this has been updated to reflect the legal changes made by the UK, Welsh and Scottish governments.  The ICO has also added Case Study 4: Manually collecting customer contact details to provide an illustration of how this should work in practice.

Updated ICO regulatory approach document
On 24 September the ICO published an updated regulatory approach document, accompanied by an open letter from the Information Commissioner. The key points are:

• The ongoing pandemic means that the ICO must continue to focus its resources on issues likely to cause the greatest public harm, including tackling the spread of coronavirus and taking action against those seeking to exploit the emergency through nuisance calls or by misusing personal information.
• The ICO will focus on accelerating and expanding its sandbox and supporting innovation.
• While the ICO accepted that organisations' need to respond to the pandemic impacted their ability to respond to information rights complaints, it now expects them to have robust recovery plans in place to deal with any backlogs.
• Organisations are still subject to the obligation to notify data breaches to the ICO within 72 hours of becoming aware of them.
• The ICO will continue to keep its work on adtech and real time bidding, which it paused in May, under regular review and will publish a separate update in due course. 

ICO Blog: Ten top tips for innovators
The ICO has published ten top tips for innovators. These tips include:

• Take a data protection by design and default approach. Data protection compliance should be built into your product from the start, as this is more efficient than 'retro-fitting' your processes to the law at a later date.
• Carry out a DPIA. If you are looking to process personal data in innovative ways or use a new technology, a Data Protection Impact Assessment might be obligatory.
• Decide what you are doing with data. Identify the purpose for which you need to use personal data and the lawful basis for such use. Ensure that you only collect the personal data which is necessary for that purpose.
• Tell data subjects who you are sharing their personal data with. Use appropriate security to prevent unauthorised sharing.
• Consider using synthetic data for testing purposes. If this is not possible, try to use anonymised or pseudonymised data.  If you decide that this won't achieve your purposes, record your reasons.
• If your product uses AI, know your obligations. These include explaining to data subjects what you're doing with their data and complying with requirements on automated decision-making and profiling

DWF's data protection specialists can assist you to comply with these recommendation, including identifying the most appropriate lawful basis, conducting a DPIA (if required), drafting appropriate privacy notices, complying with the automated decision-making and profiling requirements and keeping the necessary records to ensure compliance with the accountability principle.

EDPB Guidance

Guidelines on the targeting of social media users
The EDPB has published a consultation draft of guidelines on the targeting of social media users.The guidelines state that their main aim is to clarify the roles and responsibilities of the social media provider and the targeter. They seek to address:

• the rights and freedoms of individuals;
• the main actors and their roles - this covers "targeters" (advertisers, political campaigners, etc.) and the adtech ecosystem as well as the user and social media provider;
• the application of key data protection requirements (such as lawfulness and transparency, DPIAs, etc.); and
• key elements of arrangements between social media providers and targeters.

The consultation is open until 19 October.

Guidelines on the concepts of controller and processor in the GDPR
The EDPB has also published a draft for consultation of guidelines on the concepts of controller and processor in the GDPR. These seek to clarify some complex issues relating to:

• The meanings of controller and processor, including examples to illustrate some situations where this is unclear;
• How to identify a joint controller relationship and the consequences of joint controllership;
• The meanings of third party and recipient;
• Guidance on the requirements of GDPR, in particular Article 28, in relation to controller to processor contracts; and
• The guidance includes an annex containing flowcharts to help to correctly identify the parties' relationship.

EDPB Schrems II taskforce
The EDPB has announced that it has set up taskforces to:

• Look into the 101 complaints filed by Max Schrems' NOYB organisation against controllers in the EEA member states; and
• Prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.

We will monitor the work of these taskforces and report on them in future issues of DWF data protection insights.

---

Enforcement action

ICO enforcement

Unsolicited direct marketing calls relation to pension schemes
The ICO has fined an organisation £130,000 for breaching the DPA 1998 and the Privacy and Electronic Communications Regulations 2003 (PECR). The breach was making unsolicited direct marketing calls in relation to occupational and personal pension schemes, contrary to regulation 21B of PECR, which was introduced in 2019.

Nuisance marketing texts to profiteer from coronavirus pandemic
The ICO has fined another organisation £60,000 for breaching PECR by sending nuisance marketing texts promoting a hand sanitiser stated to be effective against coronavirus. The ICO has stated that it will prioritise action against organisations like this, which play upon people's concerns during this time of uncertainty, with a blatant disregard for the law.

These fines demonstrate that the ICO's enforcement action continues to focus on breaches of PECR, so it is essential to ensure that all your direct marketing activity complies with GDPR, the DPA 2018 and PECR. Our data protection specialists can work with you to ensure that your processes and communications comply with all aspects of the law.

High Court enforcement
In the recent case of Hopkins, the claimant made 20 claims for breach of data protection law against her employer.  The High Court dismissed 19 of those claims, because her employer could demonstrate that it had complied with the law in the following ways:

• It had a lawful basis for processing and sharing the claimant's data;
• It had an appropriate policy document in place, as required by the DPA 2018 for processing special category data; and
• The necessary information about the processing of employee data was widely available on the staff intranet and provided to the employee.

This decision provides a useful reminder of the importance of identifying and documenting a lawful basis for each processing activity, making a suitable privacy notice available to the data subjects and putting in place an appropriate policy document for processing special category data. Because this last requirement is contained in the DPA 2018, not the GDPR, it has received less attention than the other requirements, so is often overlooked.

Please contact one of our specialists if you would like our support to ensure that your business can demonstrate that it meets these requirements, including putting in place an appropriate policy document.

---

Industry news

Connected vehicles: European Commission report on the ethics of connected and automated vehicles
The European Commission has published a report on the ethics of connected and automated vehicles (CAV), which contains a number of recommendations in relation to the data protection aspects of CAV:

• Safeguard informational privacy and informed consent – personal data should only be processed on the basis of consent to GDPR standard
  
• Enable user choice, seek informed consent options and develop related best practice industry standards – CAV operators need to explore an ethical alternative to a "take-it-or-leave-it" consent model, bearing in mind that CAV users may sometimes be considered vulnerable.
  
• Develop measures to foster protection of individuals at group level – this identifies that multiple individuals may share a ride in a CAV and may all be identified without their awareness.  This recommendation states that further research and consideration is needed.
  
• Develop transparency strategies to inform road users about data collection and associated rights - Policymakers should work with manufacturers and deployers to develop meaningful, standardised transparency strategies to inform road users, including pedestrians, of data collection in a CAV operating area that may, directly or indirectly, cause risks to their privacy as they travel through such areas.

Contact one of our data protection specialists if you need advice on the privacy law aspects of connected vehicles.

---

Brexit preparation

It has been reported that the Minister of State for Media and Data has told MPs that the UK government 'fully expects' to get an adequacy decision at the end of the transition period. However, it has also been reported that the European Commission has concerns that, following the expiry of the transition period, the UK may adopt less stringent data protection laws. The National Data Strategy, published on 9 September, contains numerous references to the UK having left the EU and become an independent, sovereign nation, indicating an intention to diverge from EU data protection law. The Guardian has reported that EU officials have concerns about this approach, which could impact the UK's chances of an adequacy decision.

Due to the continuing uncertainty, we recommend that you continue to prepare for the expiry of the transition period by identifying all transfers of personal data from the UK or from the EU/EEA to the UK, the relevant purpose and lawful basis, and whether you have a safeguard in place (bearing in mind the Schrems II decision) or can rely on an exemption.

Please contact one of our data protection specialists if you want to discuss your organisation's preparations, for example putting in place appropriate safeguards for the transfer of personal data between the UK and the EU and vice versa, or appointing an EU representative.  We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest.