UK & EU Data Protection Bulletin: March 2023
Written By
Legal Director
UK
I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.
Partner
UK
I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.
Of Counsel
France
I am a partner and co-head of our firm's International Data Protection Group. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.
Related
Practices
Sectors
Regions
Welcome to our European Data Protection Bulletin covering recent developments from the last few months.
Particular Highlights include:
- EDPB Report on the work undertaken by the Cookie Banner Task Force
- CJEU cases looking at what constitutes personal data, erasure requests and the right to know the identity of recipients with whom data may have been shared
- UK proposals to update the NIS Regulations
- Criminal sanction brought against an employee for wrongfully accessing and disclosing data
EDPB
CJEU
ICO
Other UK news
ICO Enforcement
First-tier Tribunal Appeal Cases
Other News
Download the Bulletin
EDPB
EDPB adopted a report on the work undertaken by the Cookie Banner Task Force
On the 18th January, the EDPB’s Cookie Banner taskforce on cookie banners released its report. This taskforce was set up in response to the ongoing project by the campaign group, NOYB, which has written to a variety of companies to allege their cookie banners breach of either the ePrivacy Directive, or the GDPR.
EDPB adopts a work programme for 2023/2024
This is a continuation of existing activities (guidance; consistency and co-ordination; opinions to EU bodies). There is a list of planned guidance – many of the entries in this are carried forward from the previous period, where the EDPB has not been able to conclude the guidance in the time planned.
EDPB adopts guidelines on deceptive design patterns, certification as a tool for transfers and the interplay between Art. 3 and Chapter V
On the guidance on the interplay between Art.3 and Chapter V it's worth noting that the EDPB has added in new content addressing the appointment of processors within the EU, but which could be subject to laws with extra-territorial effect, obliging them to disclose personal data to public authorities in third countries.
CJEU
AG limits the expansive interpretation of what constitutes personal data
The Advocate General’s (“AG”) opinion, published on 16.12.2022, considers whether an individual is entitled to learn which natural person has accessed that person’s personal data. In other words: When a person in an organization views your personal data, is the identity of the person viewing your data actually your personal data?
TU and RE v Google LLC Case C-460/20: impact of inaccuracy on erasure requests to search engines; and CJEU confirms the adage that a picture is worth a thousand words
TU and RE made de-listing requests to Google relating to three articles published about them, on the basis that the articles contained inaccurate claims and defamatory opinions. They also made requests for the images to be removed from the thumbnails in the search results.
C154/21 Österreichische Post): Information about the recipients or categories of recipient to whom the personal data has been or will be disclosed
In its decision from 12th January 2023, the CJEU ruled on certain aspects of the data subjects’ right of access pursuant to Art. 15 GDPR. Art. 15 (1)(c) GDPR implies that where personal data have been or will be disclosed to recipients, the controller is obligated – upon their request – to provide data subjects with the actual identity of those recipients.
X-FAB Dresden GmbH & Co. KG Case C-453/21: DPOs can't take decisions about personal data processing without breaching independence duties
FC had been the DPO of X-Fab since 1993. He was also the chair of the group’s Works Council. In 2017, the group dismissed FC as DPO, on the basis that his role as chair of the works council was incompatible with his role as DPO.
ICO
Tech Horizons Report
In mid-December, the ICO released its first annual Tech Horizons Report to establish its views on key emerging technologies, foster trust for personal data processing, and support innovation. The Report provides an in-depth analysis of four emerging technologies and outlines key privacy considerations and challenges for each of them.
Other UK News
Proposals to update the UK NIS Regulations
Following a consultation in 2022, the Department for Digital, Culture, Media and Sport has announced its intention to update the NIS regulations to improve the UK’s cyber resilience. The changes come as part of a £2.6 billion National Cyber Strategy aimed at making the UK digital economy more secure and prosperous, whilst encouraging at-risk businesses to improve their cyber resilience.
UK issues Adequacy Regulations in respect of South Korea
The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 came into effect on 19 December 2022. This is the UK’s first decision to recognise a priority country as adequate post-Brexit. The decision demonstrates that each country is comfortable with the level of protection of personal data provided by the other and enables the transfer of data between countries without the need for contractual protections.
UK ICO Enforcement
Highlights
This month we include details of a £5,000 fine issued by the ICO against Mr Khan, for a breach of s170 of the DPA 2018.
We also cover details of a £200,000 fine and enforcement notice issued by the ICO against It’s OK Limited for a “sustained and exploitative” campaign of nuisance calls potentially targeting many elderly people and a fine of £630 issued against an NHS 111 call advisor for unlawfully accessing medical records.
First-tier Tribunal Appeal Cases
Highlights
This month we include details of Lloyd v Information Commissioner which concerned the First Tier Tribunal’s handling of the definition of “Personal Data”, in particular considering the test of whether a person was identifiable from the data.
We also cover Bartosik v Information Commissioner which concerned Police Scotland’s handling of an erasure request for information submitted by the Applicant and Experian v Information Commissioner where the First-tier Tribunal overturned an Enforcement Notice served by the Information Commissioner on Experian.
Other News
OECD Countries to limit government access to personal data
In December, Ministers and high level representatives of OECD Members and the European Union adopted the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes.
Other recent articles
- Meta – DPC & EDPB Decisions on lawful basis of processing and transparency - 30th January 2023
- Third parties can now appeal Belgian DPA decisions before the Market Court - 19th January 2023
- France: Publication of CNIL standards on health data processing implemented in the context of early access and compassionate use authorisations - 16 January 2023
- NIS 2 Directive, RCE Directive and DORA – Important EU cybersecurity-related legislative acts come into force - 13th January 2023
- Practical assistance from the Courts in relation to ransomware attacks: XXX v Persons Unknown (2022) - 19th December 2022
- An Overview of the Implementation of the Whistleblowing Directive in the Nordics - 19th December 2022
- How would the European Commission's new directive change AI-related liabilities - 9th December 2022
- Latest Updates to EU BCRs – what you need to know - 1st December 2022
Previous and upcoming events
- How to prepare for the Swiss Data Protection Act - 11th January 2023
