Welcome to our March Data Protection Newsletter.
Highlights include:
• A Data Protection Bill proposing to grant representative bodies and organisations the power to exercise independent complaint and remedy rights on behalf of data subjects (in particular on behalf of more vulnerable groups)
• New EDPB Guidelines including on Connected Vehicles
• Update on AI developments in the EU
ICO warns Insolvency Practitioners on data sharing with claims companies
The ICO, the Financial Conduct Authority ("FCA") and the Financial Services Compensation Scheme ("FSCS") warned Insolvency Practitioners ("IPs") against unlawful data sharing with (FCA-regulated) Claims Management Companies ("CMCs") in a joint statement issued on 7 February 2020.
ICO issues draft guidance on the AI Auditing Framework for consultation
The ICO has recently opened for consultation a lengthy set of draft guidelines on how to understand data protection law in relation to AI and suggested best practice recommendations for ensuring data protection compliant AI. It comprises auditing tools and procedures that the ICO will use in audits and investigations and also includes indicative risk and control measures that organisations can deploy when using AI to process personal data and to audit the compliance of their own systems.
The ICO has published guidance for organisations wanting to develop GDPR Codes of Conduct or Certification schemes and organisations can submit their proposals for such Codes or Schemes to the ICO for approval.
Data Protection (Independent Complaint) Bill [HL] 2019-20
Baroness Kidron, a keen advocate of the ICO's recently published Age Appropriate Design Code of Practice, introduced a private members' bill in the House of Lords on 29th January. Its purpose is to amend the Data Protection Act 2018 (adding a 's.187A' after s.187) to grant representative bodies and organisations the power to exercise independent complaint and remedy rights on behalf of data subjects.
EDPB Plenary Sessions
The EDPB held plenary sessions in January and February. A number of new documents and guidelines have been published.
Breyer v Germany (application no.50001/12)
On 30 January 2020, the European Court of Human Rights ("ECHR") delivered its judgement in Breyer v Germany stating that the compulsory collection of SIM card registration data under the German Telecommunications Law (Telekommunikationsgesetz, or "TKG") and the subsequent sharing of it with law enforcement was not a violation of Articles 8 and 10 of the European Human Rights Convention. Although the Court accepted that there was an interference with the applicant's right to privacy, it concluded that the interference was limited and pursued legitimate aims of national security, and therefore there was no human rights violation.
Croatian Presidency introduces 'legitimate interests' into amended proposal
The Croatian Presidency of the EU has issued an amended proposal for an e-Privacy Regulation, to be discussed during the meeting of the Working Party on Telecommunications and Information Society on March 5 and 12. Negotiations have been ongoing for a number of years and the previous Finnish Presidency had tried unsuccessfully to reach a political agreement last November.
The European Data Protection Supervisor adopted Guidelines on assessing proportionality of measures that limit the fundamental rights to privacy and data protection on 19 December 2019. The Guidelines complement the EDPS Toolkit.
AI regulation – robustness and explainability
For a few years, a focus of the European Union has been AI. In the hope of becoming a global hub for AI research and applications, it has increased its investment into this area and set out a policy for AI development. At the same time, it is striving to provide a framework to regulate AI, to promote the EU as a thought leader in the ethical, societal and security implications of AI.
NOYB launches GDPRHub
Max Schrems' crowd-funded NOYB has launched a public wiki – GDPRHub – which is divided into a section on GDPR enforcement action, and a section on GDPR commentary. The former consists of 100+ decisions by national supervisory authorities and Member State courts regarding GDPR enforcement (the goal being to increase this to 500+ by the end of 2020). The latter consists of "commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions".
In January, the European Data Protection Supervisor (EDPS) issued a "Preliminary Opinion" discussing scientific research under the GDPR, as well as broader issues around society's interest in researchers being granted access to data held by large companies and public bodies.
Highlights
This month we include details of a prosecution for the unlawful sharing of personal data with a third party provider, a £500,000 monetary penalty under PECR for automated nuisance calls and a £500,000 monetary penalty under the former DPA 1998 for a security breach.
EA/2019/0054-0059: Leave.EU Group Limited and Eldon Insurance Services Limited v ICO
This case concerns appeals by Leave.EU (a political campaign company) and Eldon (an insurance company), both of which were members of the same corporate group, in respect of a number of statutory notices: namely PECR fines (£60k and £45k), enforcement notices and assessment notices, which were issued by the ICO following its large-scale investigation into the use of data analytics for political purposes following the Cambridge Analytica scandal. It contains some interesting points regarding unsolicited direct marketing communications which may be of broader interest.