This month's highlights include:
- the new EU standard contractual clauses for personal data transfers;
- the final version of the EDPB guidance on supplemental measures; and
- the ICO and EDPB/EDPS opinions on facial recognition technology.
This month's top story
This month's top news is the publication of the new EU standard contractual clauses for personal data transfers. Read our summary here >
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)
EDPB guidance and news
EDPB publishes final version of recommendations on supplemental measures
On 21 June the EDPB published the final version of its recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These apply when transferring personal data to a country outside the UK and the EEA which does not have an adequacy decision, and were published in draft in November 2020, following the Schrems II decision. See our overview of the draft recommendations in the November 2020 issue of DWF Data Protection Insights. The key changes in the final version are:
- emphasis on the importance of determining whether the third country's law or public authority practices affect the effectiveness of the chosen transfer tool (which will usually be the standard contractual clauses);
- the exporter may assess the importer's previous experience of dealing with access requests from public authorities in the third country; and
- clarification that if the third country's laws allow its authorities to access the data transferred, this may affect the effectiveness of the transfer tool.
While the UK has left the EU, the ICO has stated that EDPB guidance is still relevant. If you would like our support in ensuring that your personal data transfers to third countries comply with data protection law, please contact one of our specialist lawyers.
ICO guidance and news
ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance
On 28 May the ICO published a consultation draft of the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance. Read our overview here >
ICO blog post: How the digital design community can help shape the ICO’s work on the Children’s Code
The ICO continues to focus on providing guidance on its Children's Code. On 27 it published a blog post in which it stated that it is working with a design studio to develop practical guidance to help designers to understand, implement and embed the Children’s Code into their practices and create a better digital world for children.
Remember that the application of the Children's Code is not limited to services which target children, but also applies to services likely to be accessed by children. If your organisation provides such services, such as apps, online games, and web and social media sites and you want advice on how to comply with the Children's Code, please contact one of our data protection specialists.
Facial recognition update: ICO opinion and EDPB/EDPS joint opinion
The ICO and the EDPB/EDPS have published opinions about facial recognition in public places and the related use of AI. Read our summary here >
Enforcement action
ICO enforcement
ICO fines Conservative party for sending unlawful emails
The ICO has continued to focus its enforcement action on PECR (the Privacy and Electronic Communications Regulations 2003) by fining the Conservative party £10,000 for sending marketing emails to people who did not want to receive them. The ICO concluded that the party did not have the necessary valid consent for the marketing emails received by the 51 complainants. The party failed to ensure that the records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.
ICO fines for companies £415,000 for nuisance marketing
On 8 June the ICO announced that it had fined three companies a total of £415,000 for breaches of PECR and on 15 June it announced an additional fine of £10,000, also for a PECR breach. The breaches included:
- sending spam text messages without consent;
- incorrectly relying on the soft opt-in to send marketing texts without consent, where this did not apply because the individuals had not been provided with a privacy notice or given the option to opt out; and
- making unsolicited marketing calls to people who were registered with the Telephone Preference Sevice (TPS).
This enforcement action demonstrates the importance of:
- ensuring that you have valid consent for sending marketing emails or texts, or that you can rely on the soft opt-in;
- if you rely on the soft opt-in, ensuring that you understand how this works, including telling the data subject how you intend to use their data and giving them the option to opt out; and
- checking the TPS list and not making marketing calls to people registered on it.
EU enforcement
Greek DPA fines organisation for erasure failure due to duplicate records
The Greek DPA has fined an organisation €5000 for failing to carry out a data subject's erasure request correctly, due to technical errors and the duplication of his email address. This decision provides a useful reminder to ensure that your organisation's process for dealing with erasure requests would identify any duplicated records to enable you to deal with them appropriately.
Industry news
European Commission proposes digital identity framework
On 3 May the European Commission announced its plan for a digital identity framework which will be available to all EU citizens, residents and businesses in the EU. The announcement states that:
- EU Member States will offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g. driving licence, diplomas and bank accounts). These wallets may be provided by public authorities or by private entities, provided they are recognised by a Member State.
- The new European Digital Identity Wallets will enable Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data.
In the UK, in September 2020 DCMS (the Department for Digital, Media, Culture and Sport) published its response to its consultation on a UK digital identity system, so it will be interesting to see how the two systems work and whether there will be any crossover. We will monitor developments and report in future issues of DWF Data Protection Insights.
High Court rules that EU representative is not directly liable for non-compliance of entity it represents
On 28 May the High Court ruled that an EU representative appointed under Article 27 of the GDPR is not liable for the non-compliance of the entity it represents. The wording of two paragraphs of Article 27 (which is replicated in the UK GDPR to create the obligation to appoint a UK representative) is somewhat ambiguous, so this provides useful clarification.
For more information about the obligation to appoint an EU or UK representative, watch our recent webinar Data protection & barriers to international trade.