Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
ICO Guidance: data protection and coronavirus hub
The ICO has continued to expand its data protection and coronavirus hub by publishing the following guidance:
Coronavirus recovery - six data protection steps for organisations
While the ICO guidance on reopening businesses we covered in the May 2020 issue of DWF data protection insights focused on compliance with the data protection principles set out in the GDPR, they have now issued further guidance which focuses on six practical steps for organisations to take:
- Only collect and use what’s necessary – are you confident that you need this personal information to make your workplaces safer? Could you achieve the same goals without collecting the information?
- Keep it to a minimum – don't collect more information than you need and don't keep it for any longer than necessary.
- Be clear, open and honest with staff about their data – tell them what you're collecting, what you're going to use it for, who you're going to share it with and how long you're going to keep it.
- Treat people fairly – think about whether your collection and use of personal information may cause detriment to anyone, and ensure that it does not cause discrimination.
- Keep people’s information secure – as with all personal information you collect, you must ensure that it is held securely and for no longer than necessary in accordance with your retention policy.
- Staff must be able to exercise their information rights – you must inform individuals about their data protection rights and allow them to exercise those rights. You also need to identify a lawful basis for the use of the personal information and consider whether you need to undertake a DPIA (data protection impact assessment).
The ICO has also published a case study (which is apparently intended to be the first in a series) to illustrate the steps an organisation will need to take if it intends to ask its employees for information about their health.
DWF's data protection specialists are working with our clients to help them manage the reopening of their workplaces, including advising on DPIAs and updated workplace privacy notices and policies.
Age Appropriate Design Code
In the January 2020 issue of DWF data insights, we reported that the ICO had finalised its Age Appropriate Design Code. On 11 June, the ICO issued a statement that the code has been laid before Parliament, where it needs to go through a statutory process before it comes into force. There will then be a 12-month transition period before the code comes fully into force, which the ICO expects to be in autumn 2021.
DCMS has issued an explanatory memorandum on the code, which explains that the ICO is developing a package of support for industry over the 12-month transition period to aid compliance with the code. The Government has asked the ICO to produce an economic impact assessment of the code to inform the ICO’s support for businesses during the transition period.
The full code is 146 pages, so if your organisation provides online services which children are likely to access and you would like advice on how to comply with the code, please contact one of our specialists, who will be able to provide specific advice tailored to the service you are providing, and which age range of children are likely to access your service.
European Commission Report on Evaluation of GDPR
On 24 June the European Commission published its first report on the operation of the GDPR. While the report is positive, it acknowledged that more work is needed to improve the handling of cross-border cases and some national data protection authorities (DPAs) do not have sufficient resources. Stewart Room, Global Head of Data Protection & Cyber Security at DWF commented that the lack of empirical evidence to support the Commission's claims stands out. In particular, there isn't a benchmark available to substantiate progress made under the GDPR and there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done and low levels of enforcement activity.
In addition to Stewart's comments, other data protection experts have commented on the need for:
- DPAs to focus on enforcing existing rules instead of creating new rules;
- greater transparency regarding the work of the EDPB (European Data Protection Board);
- better collaboration between the national DPAs to achieve more consistent guidance and enforcement;
- updated mechanisms for transferring personal data outside the EEA (see Brexit preparation below); and
- better guidance on data protection issues around scoring and profiling.
The European Data Protection Supervisor (EDPS) has published a statement that it welcomes the report and agrees with the Commission's positive evaluation. It agrees with the need for better collaboration to improve consistency and proposes setting up a Support Pool of Experts within the EDPB. This initiative could provide support to DPAs on complex and resource-demanding cases in a genuine expression of European solidarity and burden sharing.
The EDPS published its Strategy for 2020-2024 on 30 June. The strategy describes how the EDPS intends to carry out its statutory functions and deploy the resources available to address the challenges it faces. The EDPS explains that there are three pillars to the strategy, each reflecting its values:
- Foresight: commitment to being a smart institution that takes the long-term view of trends in data protection and the legal, societal and technological context.
- Action: proactively develop tools for EU institutions to be world leaders in data protection. To promote coherence in the activities of enforcement bodies in the EU with a stronger expression of genuine European solidarity, burden sharing and common approach. (Note that the European Commission review of the GDPR and data protection experts' response to it focused on the need for greater coherence and commonality of approach.)
- Solidarity: belief that justice requires privacy to be safeguarded for everyone, in all EU policies, while sustainability should be the driver for data processing in the public interest.
We will report on the strategy in more detail in the July 2020 issue of DWF data protection insights.
Belgian DPA fine for DPO conflicting roles
While the UK's ICO has not been actively enforcing data protection law in recent months, focusing instead on COVID-19 guidance, its Belgian equivalent recently imposed a €50,000 fine on an organisation because of the conflicting roles held by its data protection officer (DPO). Article 38 of the GDPR provides that, while a DPO may fulfil other tasks and duties, the organisation must ensure that any such tasks and duties do not result in a conflict of interests.
In the Belgian case, the DPO also acted as Head of Audit, Risk and Compliance, with responsibility for data processing. In addition, they had the power to decide whether employees should be dismissed, which was incompatible with the DPO's role as a confidential advisor for data protection matters.
If you are unsure whether your organisation needs a DPO, what the role involves, or if your DPO requires support, please contact one of our data protection specialists. We hold weekly calls with a number of our clients' DPOs to provide them with regular support, and can also provide an outsourced DPO service. Please contact JP Buckley if you would like to discuss either option.
CDEI paper on facial recognition technology
The Centre for Data Ethics and Innovation (CDEI) has published a snapshot paper on facial recognition technology (FRT). The paper acknowledges that, to date, scrutiny of FRT has focused on its use by the police, but it has seen increasing use in the private sector, for example to identify known shoplifters or people engaged in antisocial behaviour in stores, as well as to anonymously track the movements of customers for marketing purposes.
The paper states that the CDEI will continue to examine the impact of FRT on society, in particular how it is being used in the private sector, and whether the UK’s current arrangement of laws and oversight bodies is equipped to minimise the harms posed by this technology.
ENISA creation of Stakeholders Cybersecurity Certification Group
On 24 June the European Commission and the European Agency for Cybersecurity (ENISA) announced the creation of the Stakeholders Cybersecurity Certification Group (SCCG), which will advise them on strategic issues regarding cybersecurity certification and assist the Commission in the preparation of the EU's rolling work programme.
We will monitor the Group's work and provide updates in future issues of DWF data protection insights.
ePrivacy Regulation – progress report
In the February 2020 issue of DWF data protection insights we reported that the Croatian Presidency of the European Council had published its proposal for the ePrivacy Regulation, the key change being that it permitted service providers to rely on legitimate interests for placing tracking cookies, rather than consent, which is currently required.
On 3 June the Croatian presidency published a progress report, in which they reported that this proposal had received a mixed reaction from the other member states, but they would continue to work closely with the incoming German presidency to ensure smooth progress. Industry commentators have expressed the view that the German presidency is opposed to the proposed amendment, suggesting that it is likely to be dropped. Accordingly, it appears that the ePrivacy Regulation (which was intended to come into force in May 2018, at the same time as the GDPR) is still no closer to being finalised.
The need for the ePrivacy Regulation to be finalised is demonstrated by a recent French case, in which France's highest administrative court declared the cookie guidelines of the CNIL (the French data protection authority) invalid, because the CNIL had exceeded its powers by stating that cookie walls (which make access to a website or service subject to accepting cookies) are not permitted. This has caused confusion in France, despite the EDPB guidelines on consent (discussed in the May 2020 issue of DWF data protection insights) stating that cookie walls are not permitted.
In the meantime, if you need advice on cookie notices, cookie policies or ensuring that your direct marketing campaigns comply with the GDPR and PECR (the UK Regulations based on the existing ePrivacy Directive), please contact one of our data protection specialists listed at the end of this article.
IAB publishes digital advertising guidance on special category data under the GDPR
The Internet Advertising Bureau (IAB), which is the UK industry body for digital marketing, has published guidance on special category data under the GDPR. The stated purpose of the guidance is to help to educate the digital advertising industry about:
- what special category data is, as defined in the GDPR (including how it may arise from the way in which other data is processed); and
- the legal provisions and requirements that apply if you need to process such data, to help companies understand their obligations, and how to comply with them in practice.
While the guidance is high level and therefore not a substitute for reading the ICO and EDPB guidance and/or taking legal advice, it is specifically aimed at the digital marketing industry, so it includes practical advice which is relevant to businesses in that industry.
Brexit preparation
On 15 June the president of the EDPB (European Data Protection Board) wrote to the European Parliament expressing concern that the UK-US agreement on exchanging personal data for the prevention of serious crime does not provide sufficient safeguards, and that this would have to be taken into account when considering whether the UK can receive an adequacy decision.
As things stand, once the post-Brexit transition period expires on 31 December, a safeguard will be needed to transfer personal data from the EEA to the UK, including the transfer back of personal data which had previously been transferred from the UK to the EEA for processing. In the absence of an adequacy decision, this safeguard will usually be standard contractual clauses (often referred to as "model clauses"). The CJEU is due to deliver its decision on the validity of the standard contractual clauses in the case referred to as "Schrems II" on 16 July. It is likely, although not obliged, to follow the Advocate General's opinion, which stated that standard contractual clauses should remain a valid safeguard, subject to being updated for the GDPR, but expressed concerns over the validity of the EU-US Privacy Shield.
We will continue to monitor developments and report further in future issues of DWF data protection insights. In the meantime, please contact one of our data protection specialists below if you want to discuss how to prepare for the expiry of the transition period, for example by putting in place appropriate safeguards for the transfer of personal data between the UK and the EU, or appointing an EU representative. We can help strategically or by delivering mass contract updates through our group business DWF Mindcrest.