DWF Data Protection Insights May 2020

COVID-19

DWF has launched a new Managing your workplace post-lockdown hub.  Among other useful information, this includes:

• A link to our webinar recorded on 15 May, which provides legal insight on everything from health and safety measures such as risk assessments, temperature checks and social distancing at work to revising contracts of employment and key policies and procedures to adapt to the new working environment.
• A checklist of data protection considerations for returning your workforce to the workplace.

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)

ICO data protection and coronavirus information hub

The ICO has published guidance for employers on testing employees for COVID-19 or its symptoms.  The key points are as follows:

• You must have a lawful basis for testing.  Because this will involve health data, which is special category data, you need a lawful basis under each of Article 6 and Article 9 of GDPR.  Legitimate interests is likely to be the appropriate basis under Article 6, and necessity for the purposes of carrying out the controller's obligations in the field of employment is likely to provide an Article 9 basis.  When processing special category data, remember that Schedule 1 of the Data Protection Act 2018 applies and processing for employment purposes or protecting the public requires an appropriate policy document.
• You need to meet the accountability principle, meaning that you must be able to demonstrate that your testing process complies with data protection law.  Conducting a data protection impact assessment (DPIA) and keeping proper records are key.
• You need to comply with the accuracy and data minimisation principles – ensure that the data you collect is adequate for your purpose, relevant, accurate and limited to what is necessary.
• You can keep lists of employees who either have symptoms or have been tested as positive, but you must comply with the accuracy and data minimisation principles, keep the data secure and consider your duty of confidentiality to your employees.
• You must abide by the transparency principle by being honest and open with you staff about what you're doing in a way that is accessible and easy to understand. You should at least let your staff know what personal data is required, what it will be used for, and who you will share it with.
• You need to give your staff a way to exercise their information rights, e.g. the right of access.
• You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary.  If you want to share the data with a third party organisation, you need to check that you have a lawful basis for doing so.
• When considering the use of technology, e.g. thermal cameras, you need to ensure that this is proportionate and think about whether you can achieve the same results through other, less privacy intrusive, means. If so, then the monitoring may not be considered proportionate.

If you need advice about the data protection aspects of reopening your workplace following the relaxation of the lockdown, please contact one of our specialists.  For example, we can help you to design and conduct a DPIA and we are developing a tool to help you to comply with the accountability principle.

EDPB guidelines

EDPB updated guidelines on consent

On 6 May the EDPB published an updated version of its guidelines on consent.  The preface to the guidelines explains that the updates clarify two points:

• The validity of consent provided by the data subject when interacting with so-called “cookie walls”.  The guidelines now state that, in order for consent to be freely given, access to services and functionalities must not be made conditional on the user consenting to the storage of information, or giving the provider access to information already stored, in the user's terminal equipment (i.e. cookie walls). A new example 6a has been added for illustration. Related updates further clarify that a controller cannot argue that a choice exists between its service that includes consenting to the use of personal data for additional purposes and an equivalent service offered by another controller.
• Example 16 on scrolling and consent. The updates make it clearer that actions such as scrolling or swiping through a webpage or similar user activity will not satisfy the requirements for consent.

EDPB Annual Report

On 18 May the EDPB published its annual report for 2019.  This provides a useful reminder of the guidelines and other publications the EDPB has produced during the year, which include:

• Guidelines on codes of conduct
• Guidelines on the processing of personal data in the context of online services
• Guidelines on the processing of personal data through video devices
• Guidelines on data protection by design and by default
• Guidelines on the right to be forgotten
• Guidelines on certification and identifying certification criteria
• Guidelines on accreditation and certification bodies
• Guidelines on territorial scope
• Consistency opinions on the member states' lists of when a DPIA is required (NB this included the UK)
• Opinion on the interplay between the ePrivacy Directive and the GDPR
• Opinion on the competence of a Supervisory Authority in case of a change in circumstances relating to the main or single establishment
• Report on the second annual review of the EU-US Privacy Shield
• Statement on the future ePrivacy Regulation
• Information note on data transfers under the GDPR in the event of a no-deal Brexit
• Information note on Binding Corporate Rules for companies which have the UK Information Commissioner’s Office as BCR Lead Supervisory Authority

Looking at this (incomplete) list shows that although GDPR has now been in force for two years the guidance on how to comply with it is still developing, and provides a reminder of the complexity of complying with data protection law.  Our data protection specialists can help you to navigate the relevant guidance (at EU and UK level) and ensure that any GDPR compliance programmes you undertook before 25 May 2018 are still fit for purpose.

ICO guidelines on explaining decisions made with AI

The ICO has published guidelines on explaining decisions made with AI.  These were developed with the Alan Turing Institute and are divided into three sections:

1. The basics of explaining AI: This defines the key concepts and outlines a number of different types of explanations. It is is aimed at DPOs and compliance teams, but intended to be relevant for all members of staff involved in the development of AI systems.

2. Explaining AI in practice: This covers the practicalities of explaining these decisions and providing explanations to individuals. While it is aimed at technical teams, the ICO intends that DPOs and compliance teams will also find it useful.  This part sets out 6 tasks that an organisation should undertake:

• Select priority explanations by considering the domain, use case and impact on the individual
• Collect and pre-process your data in an explanation-aware manner
• Build your system to ensure you are able to extract relevant information for a range of explanation types
• Translate the rationale of your system’s results into useable and easily understandable reasons
• Prepare implementers to deploy your AI system
• Consider how to build and present your explanation
  and provides checklists to help organisations identify how to perform those tasks.

3. What explaining AI means for your organisation: this goes into the various roles, policies, procedures and documentation that an organisation can put in place to ensure that it is set up to provide meaningful explanations to affected individuals. This is primarily targeted at senior management, but the ICO intends that DPOs and compliance teams will also find it useful.

European Parliament study on new aspects and challenges in consumer protection:  digital services and AI

The European Parliament has published a study on digital services and artificial intelligence.  While the focus in on consumer protection rather than data protection, the study highlights how these overlap.  The study finds that use of AI, e.g. adtech, can cross the line into manipulation.

If your organisation is using or intends to use AI to make decisions about individuals, our data protection specialists can support you to comply with the law and the relevant guidance, including the ICO guidelines discussed above and the EDPB guidelines on automated individual decision-making and profiling.

Surveillance Camera Commissioner publishes 2020-2023 strategy

The Surveillance Camera Commissioner has published its strategy for 2020-2023.  Its objectives for that period include:

• Consolidate the spectrum of Surveillance Camera Commissioner certification schemes and embed across industry and end users to provide a full system approach to certification
• Make information freely available to the public about the operation of surveillance camera systems
• Develop systems and processes to establish efficient working practices regarding the operation of surveillance cameras in order to protect communities rather than spy on them complying with all relevant legislation
• Those not required to legally adopt the Surveillance Camera Code of Practice are incentivised and enabled to do so voluntarily
• Organisations involved in the manufacture, planning, design, installation, maintenance and monitoring of surveillance camera systems are empowered to do so through good practice and guidance
• Make information freely available about training requirements and provision for all those who operate, or support the operation of, surveillance camera systems and those who use the data for crime prevention/ detection or public safety purposes
• Maintain synergies between regulators and those with audit and oversight responsibilities in connection with surveillance cameras
• Foregrounding human rights and civil liberties standards in the use of surveillance camera technologies for the provision public safety

If you operate surveillance cameras or are considering introducing them, e.g. to monitor social distancing, please contact one of our data protection specialists for advice.  We can help you to design and conduct a data protection impact assessment and draft appropriate policies and notices.

ICO updated priorities

On 5 May the Information Commissioner (IC) published a blog post setting out the ICO's new priorities for UK data protection.  This states that over the coming months the ICO will focus on the following priorities:

1. Protecting vulnerable citizens
The IC states that the ICO is responding to the immediate privacy and information rights risks, issues and opportunities presented by COVID-19 in order to support frontline workers and protect the public. It is identifying and taking action against those seeking to use or obtain personal data unlawfully or inappropriately during COVID-19 so that the public and businesses feel confident that the ICO is protecting them at this time when they may be especially vulnerable to financial or other loss.

2. Supporting economic growth and digitalisation, including for small businesses
By providing access to clear information, support and practical tools for businesses they are able to grow and offer services safely when sharing personal data or developing AI technology, in ways which inspire public trust and confidence and comply with the law.

3. Shaping proportionate surveillance
The IC writes that the ICO is maintaining a high level of awareness and insight of the medium term privacy and information rights impact of COVID-19, which include contact tracing, testing and other emerging surveillance issues.
 
4. Enabling good practice in AI
The blog post states that the ICO is prepared and shaping the ongoing development and use of AI in response to COVID-19, to ensure privacy considerations are engineered into the use of AI across the digital economy, from consumer products to surveillance applications.

5. Enabling transparency
The ICO is supporting organisations to be transparent about decisions taken that affect citizens, including how personal data is used, in order to improve public confidence about and civil participation in those decisions.

6. Maintaining business continuity: developing new ways of working in readiness for recovery
The IC writes that the ICO is effectively managing and coordinating activity during the pandemic, supporting staff and managing its response and recovery so that its infrastructure, planning, resources and people are in place to deliver the right work, at the right time, throughout the pandemic period and it is prepared for the future.

This leaves a key angle of challenge against organisations not from the ICO but from individuals and from data breaches when complaints and Data Subject Access Requests are often used to find out more pre-action.  For direction as to how to mitigate these risks, please contact one of our team who would be happy to help. 

Adtech

ICO statement on adtech work

In the January 2020 issue of DWF data protection insights we wrote about the ICO's adtech campaign, which focused on real-time bidding (RTB).  On 7 May the ICO published a statement that it has paused its work on adtech due to the need to reassess its priorities and resources during the pandemic (as noted above).

DMA/ISBA adtech guide

On 12 May the Direct Marketing Association and International Society of British Advertisers jointly published a guide on how to address the privacy issues raised by Real Time Bidding (RTB), which was produced in consultation with the ICO.

The guide is divided into seven steps:

1. Education and Understanding: introduction to cookies and programmatic advertising plus glossary of terms
2. Special Category Data: how to use special care when handling special category data
3. Understanding the Data Journey: how to complete a Record of Processing Activities as well as introducing the IAB (Interactive Advertising Bureau)'s Transparency and Consent Framework.
4. Conduct a DPIA (Data Protection Impact Assessment): what it is, when to use it and what questions to ask.
5. Audit the Supply Chain: audit checklists and questions you need answered when auditing suppliers.
6. Measure Advertising Effectiveness: links to reference materials for improving insights into advertising
effectiveness to allow for a proportionate approach to using personal data.
7. Alternatives to Third Party Cookies – what does a post third-party cookie world look like? Suggestions about alternative methods of targeting, including the adoption of contextual targeting. It also provides references to some industry initiatives which are exploring different ways of targeting in a less intrusive manner.

While this guide does not have any binding status, it provides useful practical advice for how organisations can seek to comply with UK data protection law.  Despite the ICO's announcement that it has paused its work on adtech, this will presumably resume once the ICO is able to do so.  Accordingly, businesses should continue to review their use of adtech, in particular real-time bidding, to ensure that it is lawful.

Please contact one of our data protection specialists if you need advice on any aspect of adtech.

Enforcement action

The ICO did not publish details of any enforcement action during May, reflecting its changed priorities at this time.

Brexit preparation

Following the third round of negotiations, on 15 May the UK government and the European Commission published statements indicating that little progress had been made on the key issues.  On the same date, Michel Barnier made a speech in which he said that the UK is refusing to commit to guarantees protecting fundamental rights and individual freedoms resulting from the European Convention on Human Rights, as agreed in the Political Declaration, and in particular is insisting on lowering current standards and deviating from agreed mechanisms of data protection.

We will continue to monitor developments and report further in future issues of DWF data protection insights.  In the meantime, please contact one of our data protection specialists if you want to discuss how to prepare for the expiry of the transition period, for example by putting in place appropriate safeguards for the transfer of personal data between the UK and the EU, or appointing an EU representative.  We can help strategically or by delivering mass contract updates through our group business DWF Mindcrest. 

Industry news

A date for your diary: Schrems II decision

It has been widely reported that the European Court of Justice will publish its decision on the validity of standard contractual clauses (also known as model clauses) in the case commonly known as "Schrems II" on 16 July.  The Advocate General delivered his opinion (which the Court is likely, but not bound, to follow) in December 2019, which is that the clauses are valid.  However, he expressed concerns about the EU-US Privacy Shield, which currently provides a safeguard for the transfer of personal data to US organisations which have self-certified under the scheme.

Of course this date is also in our diaries and we will report on the decision and any necessary actions in July.

DWF International insights: focus on Singapore and Ireland

Singapore

On 14 May 2020, the Singapore Ministry of Communications and Information and the Personal Data Protection Commission (PDPC) jointly announced a two week public consultation on proposed amendments to the Personal Data Protection Act 2012. The aim of the amendments is to enable the legislation to keep pace with the evolving technological and business landscape and continue to provide effective protection of personal data. The key proposed amendments are:

• Mandatory data breach notification to the PDPC, where there has been significant harm to data subjects (“significant harm” to be elaborated in separate Regulations) or the breach is of a significant scale (affecting 500 or more individuals). Data subjects themselves must also be notified of the breach where significant harm occurs to them from the breach. There are limited exceptions from the requirement to notify data subjects e.g. data breached was encrypted to a reasonable security standard.
• New offences at a personal level for egregiously mishandling personal data belonging to an organisation e.g. knowing or reckless unauthorised disclosure. Fine not exceeding SG$5,000 or imprisonment not exceeding 2 years, or both.
• New data portability obligation: data subject can request a copy of his/her personal data be transferred to another organisation. Meant as an aid to customers freely switching between service providers. Associated rules, requirements & exceptions to be further elaborated in a set of separate Regulations.
• Expand the definition of “deemed consent” for collection and use of personal data (e.g. where data collection and use is compelled by contractual necessity), and the exceptions where consent for collection & use of personal data is not required e.g. (i) data collection, use or disclosure is in the legitimate interests of the organisation and the benefits to the general public outweigh adverse effects on the data subject e.g. for the detection and prevention of illegal activities; and (ii) lawfully collected personal data may be used without additional consent for “business improvement” e.g. developing or enhancing services; operational improvements, etc. 
• Provisions relating to the “Do Not Call” registers will be updated to reflect new technological advances and methods of marketing not covered by existing legislation.
• Increased financial penalties: Breaches will be fined to a maximum of SG$1 million or 10% or annual gross turnover in Singapore, whichever is higher. Maximum fine is currently SG$ 1 million.

For advice on data protection in Singapore, contact Jonathan Goacher, a partner in DWF's Singapore office.

Ireland

DPC publishes Cookies Report & Guidance 

The Irish Data Protection Commission ("DPC"), on 6 April published a report in relation an investigation it conducted into the websites of 38 organisations and then further published guidance based on the report establishing guidelines for cookies and other tracking technologies. 

The Report 

The report was commissioned between August and December 2019 where the DPC conducted a cookie sweep of 40 data controller websites where the investigation team classified each controller using a simple GREEN, AMBER, and  RED, coding system. Only 38 controllers participated in the investigation.

• GREEN indicated a very good response, substantially compliant, any concerns straightforward and easily remedied.
• AMBER signalled a good response and approach to compliance, but at least one serious concern.
• RED classification was a poor or incomplete response or questions not understood, with several serious concerns.

The Results

Twenty of the controllers examined were given an AMBER grading. Three were given a borderline AMBER to RED grade. Twelve controllers were given a RED grading. Of the remaining three controllers surveyed two were given a GREEN rating and one a borderline GREEN to AMBER rating.

The most common failings were to do with implied consent, labelling cookies as "necessary" where they are not exempt, badly designed cookie banners, bundling of consents and an inability to withdraw consent.

The Cookies Guidance and the 6 October 2020 deadline

Takeaways from the guidance provided are:

• Obtaining valid consents: Websites should not “nudge” users to accept cookies by way of the design of a banner or a pre-ticked box.
• Retention Periods: Data controllers should not retain personal data for any longer than is necessary.
• Consent Administration: Parties using a website should be given a readily identifiable option to change their consent.
• Joint Controllers: As a result of the Fashion ID case controllers should assess third party tracking technologies and social media plugins on their websites as they may be considered joint controllers in respect of that data.

The DPC will allow a period of six months from the publication of this guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.
DWF are currently working with their clients to address the new cookies guidance provided by the DPC amending and updating privacy and cookies policies where needed ahead of the October 2020 deadline. 

For advice on data protection in Ireland, and to help mitigate the challenges of the above, please contact Niall O'Brien.