UK & EU Data Protection Bulletin: March 2022

Written By

Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

Ariane Mole

Of Counsel
France

I am a partner and co-head of our firm's International Data Protection Group. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.

Welcome to this month’s UK & EU Bulletin covering recent developments from the last few months.

Particular highlights this month include:

  • UK Court of Appeal case which considers territorial scope of data protection in allowing service out of jurisdiction;
  • EDPB Guidelines on Examples regarding Personal Data Breach Notification and Guidance on Rights to Access;
  • ICO Enforcement actions for data breaches, failing to respond to DSARs, unsolicited marketing as well as the ICO’s notice of intent to fine Clearview AI over £17 million for scraping images from the internet and offering biometric services to its customers.

We’ve also included links to our recent news alerts on the Supreme Court judgment in Lloyd v Google, new UK Standard Contractual Clauses, EU Data Governance Act and updates from China.



ICO

ICO issued provisional notice to fine Clearview AI over £17 million for scraping images from the internet and offering biometric services to its customers

Following a joint investigation between the ICO and the Office of the Australian Information Commissioner (“OAIC”), on 29 November 2021, the ICO announced its intent to impose a fine of just over £17 million on Clearview AI Inc, as well as issuing a provisional notice to Clearview AI to stop further processing of the personal data of people in the UK and to delete data. This follows alleged serious breaches of the UK's data protection laws.

Read more here

On December 20, 2021, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its regulatory approach

The ICO has launched a consultation looking at three new draft documents addressing its regulatory approach – the ICO’s Regulatory Action Policy (“RAP 2021”), Statutory Guidance on the ICO’s Regulatory Action, and Statutory Guidance on the ICO’s PECR Powers.

Read more here


UK cases

UK Court of Appeal considers territorial scope of data protection in allowing service out of jurisdiction (Soriano v Forensic News 2021 EWCA Civ 1952)

In this recent case, the Court of Appeal overturned the High Court’s decision to refuse permission to serve GDPR claims out of jurisdiction on US website publishers. More information on the High Court’s decision can be found in our February 2021 bulletin here. Warby LJ’s decision considered the potential application of the GDPR to the US websites’ activities, under Articles 3(1) and 3(2).

Read more here


EDPB

EDPB Guidelines on Examples regarding Personal Data Breach Notification

In January, the EDPB published its Guidelines 01/2021 on Examples regarding Personal Data Breach Notification. These Guidelines provide detailed examples of personal data breaches and comment on the actions that controllers should take covering: 1) Internal documentation, 2) Notifications to supervisory authorities, and 3) Communication of the breach to data subjects.

Read more here

EDPB Publishes Guidance on Right of Access

On the 28th January, the EDPB published a draft version of its Guidelines on the Right of Access. This version is subject to a public consultation, concluding on the 11th March 2022.

Read more here


CJEU Cases

C-77/21: Hungarian Data Protection Authority requests a preliminary ruling from the Court of Justice of the European Union (CJEU)

In June 2020, the Hungarian Data Protection Authority (NAIH) imposed a record breaking administrative fine of approx. EUR 290,000 on Digi Távközlési Zrt. (Digi), a major e-communications provider in Hungary, as a result of a website security vulnerability. In summary, the main reason for the record fine was that Digi created a test database to which it had copied the personal data of around 322,000 subscribers.

Read more here


ECtHR Cases

Ekimdzhiev v Bulgaria (Application No. 70078/12) (ECtHR): When surveillance safeguards fail

The 11 January 2022 Chamber judgment of the European Court of Human Rights (ECtHR) in Ekimdzhiev v Bulgaria (Application No. 70078/12) reads like an object lesson in what can go wrong with surveillance powers when safeguards, such as having to apply to court for a warrant, break down.

Read more here


UK ICO Enforcement

Highlights

This edition includes a number of monetary penalties and enforcement notices for data breaches, failing to comply with data subject access requests and unsolicited marketing.

Read more here


Information Tribunal Appeal Cases

Highlights

We have also included a number of Information Tribunal Appeal cases including an unsuccessful appeal against a monetary penalty notice for failing to pay a registration fee.

Read more here
