The Schrems II decision, which invalidated the EU-US Privacy Shield, continues to dominate data protection news, as everyone affected considers how to address the impact of the decision.
On 10 August 2020, the US Department of Commerce and the European Commission issued a joint press statement on the future of the EU-US Privacy Shield. The statement says that they have initiated discussions to evaluate the potential for an enhanced Privacy Shield framework to comply with the ruling, recognising the vital importance of data protection and the significance of cross-border data transfers to citizens and economies on both sides of the Atlantic.
We will monitor announcements about the progress of these discussions and report on any developments in future issues of DWF data protection insights.
For bespoke advice to suit the international transfers you undertake or are planning to undertake, please get in touch.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
ICO Guidance: data protection and coronavirus hub
The ICO has continued to update its data protection and coronavirus hub. This includes a section on collecting customer and visitor details for contact tracing, which has been updated to reflect the differences between the legal position in England, Scotland and Wales.
Age Appropriate Design Code and Regulatory Sandbox
In the July 2020 issue of DWF data protection insights, we provided updates on the ICO's Age Appropriate Design Code and the beta phase of its regulatory sandbox.
On 12 August the ICO announced that the Age Appropriate Design Code will come into force on 2 September, with a 12-month transition period to enable service providers to achieve compliance.
On 19 August the ICO announced that it is reopening the sandbox and is accepting applications for projects which focus on children's privacy or data sharing. The ICO stated that:
- The projects should be at the cutting edge of innovation and may be operating in particularly challenging areas of data protection, where there is genuine uncertainty about what compliance looks like.
- The ICO is particularly interested in hearing from innovators concentrating on the issues posed by the implementation of the Age Appropriate Design Code or those developing products and services that support complex data sharing in the public interest.
- Protecting children’s privacy online is a high priority for the ICO. The sandbox aims to support innovators to improve confidence amongst children, young people and their parents and carers that their personal information is being properly protected when they are online.
- On data sharing, the aim is to promote and enable confident, responsible and lawful data sharing in the wider public interest. In particular, the regulatory sandbox aims to help demonstrate that data protection legislation is not a barrier to proportionate sharing of personal data.
The ICO currently has only around five vacancies to participate in the sandbox. If you are considering launching any new project where you are uncertain about data protection compliance, one of our specialist privacy lawyers can provide advice and support, including helping you to conduct a DPIA (data protection impact assessment) and evaluate and mitigate any risks identified.
The ICO has fined a performance marketing business £100,000 for sending 21,166,574 unsolicited marketing emails in breach of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").
It has also fined another organisation £80,000 for making 270,774 marketing calls to individuals registered with the Telephone Preference Service (TPS), which was a breach of PECR.
While the GDPR and the anticipated ePrivacy Regulation have received a lot of publicity and attention in the last few years, it's important to remember that cookies and marketing by phone, fax, email or text are currently governed by PECR, which is based on the existing ePrivacy Directive. If you need support on marketing your business using these means, please contact one of our specialist data protection lawyers.
In the case of R (Bridges) v Chief Constable of South Wales Police & Others the Court of Appeal decided that the data protection impact assessment (DPIA) performed by the South Wales Police Force in connection with their deployment of automated facial recognition in a pilot project failed to:
- properly assess the risks to the rights and freedoms of data subjects; and
- address the measures envisaged to mitigate the risks arising from the identified deficiencies,
as required by the Data Protection Act 2018.
The ICO issued a statement on the case, saying that facial recognition relies on sensitive personal data and emphasising the need to balance people’s right to privacy with the purpose for which the technology is used.
While consideration of facial recognition technology has focused on the police, private sector organisations also use it, for example to identify known shoplifters or people engaged in antisocial behaviour in stores, as well as to anonymously track the movements of customers for marketing purposes. If you are considering implementing such technology, it's essential to carry out a DPIA to identify the risks to individuals, balance them against the result that you are seeking to achieve and consider how to mitigate the risks. DWF's data protection specialists can help you to conduct a DPIA and address the risks identified.
Advertising to children
On 26 August the Advertising Standards Authority (ASA) published a report on the results of its latest online monitoring sweep. This was the first phase of a year-long project, which aims to identify and tackle age-restricted ads appearing in children’s media.
The sweep found that 35 advertisers placed age-restricted advertisements on 34 websites and 5 YouTube channels aimed at or attracting a disproportionately large child audience. These advertisements were for alcohol, gambling, e-cigarettes and HFSS (food or drink high in fat, salt or sugar).
Looking at this ASA project alongside the ICO's launch of its Age Appropriate Design Code and the new phase of its regulatory sandbox (see above), it appears that both authorities are currently focusing on protecting children. If your organisation promotes its goods or services to children, or allows children to access them, it's essential to ensure that you comply with both advertising law and data protection law. Contact one of our data protection specialists if you would like our support.
There have been no significant developments to report this month, but we recommend that you continue to prepare for the expiry of the transition period by identifying all transfers of personal data from the UK or from the EU/EEA to the UK, the relevant purpose and lawful basis, and whether you have a safeguard in place (bearing in mind the Schrems II decision) or can rely on an exemption.
Please contact one of our data protection specialists if you want to discuss your organisation's preparations, for example putting in place appropriate safeguards for the transfer of personal data between the UK and the EU and vice versa, or appointing an EU representative. We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest.
If you have any questions, please get in touch with JP Buckley.