Welcome to our European Data Protection Bulletin covering recent developments from the last few months.
Particular Highlights include:
Information Tribunal Appeal Cases
Opinion 28/2022 on the Europrivacy Certification
On 10 October 2022, the EDPB adopted its Opinion on the Europrivacy criteria of certification, approving its certification mechanism as a data protection seal under GDPR Article 42(5).
Updated Guidelines on Personal Data Breach Notification - More Stringent Rules for Non-EEA companies
In October, the EDPB opened a public consultation (now closed) on a specific section (para 73) of its Guidelines on Personal Data Breach Notification creating more onerous data breach reporting requirements for businesses based entirely outside of the EEA.
Guidelines identifying a controller or processor's lead supervisory authority
On 21st October 2022, the EDPB opened a public consultation on specific sections of its guidelines on identifying a controller or processor's lead supervisory authority. The sections subject to consultation relate to the designation of a lead supervisory authority in joint controllership situations.
Latest updates to EU BCRs - what you need to know
On 17 November, the EDPB published its long-awaited draft recommendations to update the Controller Binding Corporate Rules Application Form and Requirements table (now called "Elements and Principles to be found in BCR-C"), which are open to consultation until 10 January 2023.
CJEU Advocate General's opinion on GDPR damages: No punitive damages - no damages without proof - no "de minimis" damages
In an opinion delivered on 6 October, the Advocate General of the European Court of Justice ("AG") delivered his long-awaited view on fundamental questions regarding non-material damages under Art. 82 GDPR.
Updated Guidance on Governance of CCTV, Video Surveillance post deployment
The ICO has updated its existing video surveillance guidance. This guidance provides advice for organisations who operate video surveillance systems that view or record individuals.
Employment practices: Monitoring at Work and Information about Worker's Health Guidance
The ICO is currently producing specific guidance on employment practices and data protection. On 12th October, the ICO released its draft guidance on Monitoring at Work. This guidance is open for consultation until 11 January 2023.
Two New Research Reports published on Biometrics technologies
The ICO has published two new reports to help support businesses who are using new emerging biometrics technologies: Biometrics: Insight and Biometrics: Foresight. The ICO has heavily emphasised why technologies should be curated with privacy and the protection of humans at the forefront from the outset and during the design.
How to use AI and Personal Data
On 11 November, the ICO published a document of top tips that gives a brief introduction to some of the most important considerations for organisations using AI and personal data.
ICO publishes new data transfer impact assessment tool and guidance
The ICO has published its new guidance and tool for completing data transfer impact assessments, which it sets out as an alternative to the EDPB's approach.
ICO publishes updated Detailed Guidance on Direct Marketing
The ICO has published its new detailed direct marketing guidance. This follows on from the ICO's publication, in January 2020, of its draft replacement for its statutory direct marketing code of practice.
Update on UK Data Reform
The Data Protection and Digital Information Bill was laid before Parliament on 18 July 2022 and was scheduled for its second reading on 5 September 2022. The second reading was removed until further notice, following the election of Elizabeth Truss as new Conservative Party leader and the appointment of a new Secretary of State for Digital, Culture, Media and Sport, to allow ministers to consider the legislation further.
Highlights
This month we include details of a £30,000 fine issued by the ICO against Halfords for sending unsolicited marketing emails to individuals without their consent as well as a number of PECR enforcements.
Highlights
This month we include details of Seaview Broker Ltd's ("Appellant") unsuccessful challenge of two notices served by the ICO ("Respondent") for using a public telecoms service for the purpose of making unsolicited direct marketing calls, in violation of PECR.