European Data Protection Bulletin: May 2022
Written By
Partner
UK
I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.
Of Counsel
France
I am a partner and co-head of our firm's International Data Protection Group. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.
Legal Director
UK
I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.
Welcome to our European Data Protection Bulletin covering recent developments from last few months.
Particular highlights in this edition include:
- Updates on ICO Guidance on video surveillance, anonymisation and research; and
- EDPB Guidelines on Codes of Conduct for Data Transfers and draft Guidelines on the use of Dark Patterns in Social Media.
Use the links below to navigate through our newsletter:
European Union
United Kingdom
UK Enforcement
Information Tribunal Appeal Cases
EDPB
The EDPB has recently issued finalised Guidelines on Codes of Conduct as tools for transfers as well as publishing Draft Guidelines on dark patterns in social media platform user interfaces. These Draft Guidelines examine a number of dark patterns through examples and use cases and provide recommendations to designers and users of social media platforms on how to assess and avoid such practices.
Information Commissioner’s Office (ICO)
The ICO has issued updated Guidance on Video Surveillance which focusses mainly on CCTV but also addresses other technologies such as Facial Recognition Technology, ANPR, machine learning algorithms, dashcams and smart doorbells and contains recommendations for ensuring that their use is aligned with data protection law requirements. The ICO has also released two further chapters of its Anonymisation Guidance for consultation: Chapter 3 (Pseudonymisation) and Chapter 4 (Accountability and governance). Lastly, in April 2022, the ICO closed a consultation into its new proposed guidance on the research provisions in the UK GDPR and the DPA 2018.
UK Cases
In this month's bulletin, we discuss the recent Court of Appeal decision of 'Brake v. Guy [2022] EWCA Civ 235 which found that an employee had no reasonable basis to expect privacy in respect of personal emails sent using a shared work account. This case focuses on the law of misuse of private information and the factors which will undermine a reasonable expectation of privacy.
UK ICO Enforcement
The ICO has been particularly active in the last couple of months with PECR monetary penalties and enforcement notices particularly against organisations making unsolicited marketing calls to vulnerable older individuals. There has also been an Enforcement Notice for failing to respond to a DSAR and a monetary penalty for a security breach caused by a ransomware attack under the GDPR.
Information Tribunal Appeal Cases
The case that we present this month an Information Tribunal appeal against the imposition of a monetary penalty for failure to pay the £60 data protection fee. Click on the link below to discover the outcome.
