EDPB Opinions on draft UK adequacy decisions

The European Data Protection Board has published two opinions on the European Commission draft implementing decisions on the adequate protection of personal data in the United Kingdom.

Opinion 14/2021 is based on the GDPR and assesses general data protection aspects and government access to personal data transferred from the EEA whereas Opinion 15/2021 is based on the Law Enforcement Directive and provides an assessment of the adequacy of the level of protection given to persons in the United Kingdom.

The EDPB’s Opinion is non-binding but will be persuasive.

The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council.

If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the GDPR such as Standard Contractual Clauses.

The EDPB stated in its press release that there were key areas of strong alignment between the data protection regimes in the EU and UK but warned that this alignment would need to continue in the future if an UK adequacy decision is to be maintained. The EDPB welcomes the European Commission’s ongoing monitoring of the UK data protection regime and proposed review of any adequacy decision within four years.

Supreme Court date listed for Lloyd v Google

On the 28 and 29 April 2021, the Supreme Court will be hearing the appeal by Google LLC against the order of the Court of Appeal in the case of Lloyd v Google LLC ([2019] EWCA Civ 1599) granting Mr. Lloyd, the representative claimant permission to serve a representative claim out of the jurisdiction in the USA.

The action is brought on behalf of an estimated 4.4 million iPhone users against Google’s alleged unlawful gathering and exploitation of browser generated information (“BGI”) on Apple’s Safari browser, in breach of section 4(4) of the UK Data Protection Act 1998. Interpretation of the 1998 Act is nonetheless likely to be relevant to the current legislative regime, i.e. the GDPR and the Data Protection Act 2018.

This is a much awaited decision which may pave the way for new “opt-out” representative actions for data breach claims on the basis that all the claimants have lost control of their data.

The Supreme Court will decide whether the Court of Appeal was correct to decide that:

  • a non-trivial infringement of the DPA which does not cause any material damage or distress can result in “uniform per capita” damages being awarded for “loss of control” of personal data; and
  • it is not necessary for the members of a class to be identified in order to demonstrate the “same interest” when pursuing a representative class action under CPR 19.6(1)

Ticketmaster UK v the Information Commissioner - delay granted

Ticketmaster UK has successfully applied for ia stay of its appeal from the First-Tier Tribunal General Regulatory Chamber. The appeal is against a penalty notice issued by Information Commissioner’s Office for £1.25m for an infringement of Articles 5(1)(f) and 32 of the General Data Protection Regulations. It means the Tribunal decision is now anticipated in December 2022, over five years after the infringement took place. Ticketmaster applied for the stay in view of ongoing related High Court proceedings concerning the incidents that had given rise to the penalty notice.

DPC to investigate Facebook data leak

The Irish Data Protection Commission (DPC) has launched an inquiry into Facebook in relation to a collated dataset of user personal data made available on the internet. The own-volition inquiry has been prompted by media reports highlighting the availability of data relating to 533 million Facebook users from 106 countries.

The DPC's role in this investigation is perceived to be key as Facebook's European headquarters are in Dublin. Having considered responses from Facebook Ireland the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data. Firms found to be in breach of GDPR face fines of up to 4% of their annual global turnover.

Facebook have said that they are 'co-operating fully' stating that the inquiry: "relates to features that make it easier for people to find and connect with friends on our services […] These features are common to many apps and we look forward to explaining them and the protections we have put in place."

Dutch court orders Uber to reinstate 'auto-fired' drivers

The Court of Amsterdam has ordered Uber to reinstate six drivers who the litigants claim were unfairly terminated 'by algorithmic means'; the court also required Uber to pay the drivers compensation. Uber is arguing that the default judgment was not correctly served.

The litigants are being supported by the App Drivers & Couriers Union (ADCU) and Worker Info Exchange (WIE) who are referencing GDPR Article 22 which provides protection for individuals against purely automated decisions with a legal or significant impact.

WIE activists claim that this judgment specifically addresses Uber’s Hybrid Real-Time ID System, which incorporates facial recognition checks, and is the first time a court has ordered the overturning of an automated decision to dismiss workers from employment.

Civil rights organisations lobby EU to protect privacy rights

Amnesty International, Privacy International and 28 other civil and human rights groups have published an open letter to the EU in response to the proposal for a Digital Markets Act (DMA). The signatories argue that the proposals fail to consider the perspective of end users and are too heavily focussed on the relationships between core platforms and their business users.

The letter states: "individual gatekeepers can dictate a quality standard in the market that affects, among other things, the protection of users’ data, their freedom of expression and their right not to be discriminated against." The signatory organisations appear to be particularly concerned that the EU appears to have removed or weakened some clauses that would protect internet users from tracking and monitoring whether by cookies or other technological means or ban tracking or cookie walls from the negotiations.

The letter has been sent to Members of the European Parliament, including Chairs and vice chairs of IMCO and ECON, and Rapporteurs and (so far known) Shadow Rapporteurs for Digital Markets Act (DMA) and Digital Services Acts (DSA) which the signatories also argue should be considered holistically.