Welcome to the November edition of our UK & EU Data Protection Bulletin.
Particular highlights this month include:
- Court of Appeal decision in Lloyd v Google paving the way for representative actions
- UK-US data sharing agreement
- Update on ePrivacy Regulation
ICO
ICO – DSARs for the Public
The ICO has published new guidance on subject access requests but this time from the point of view of the data subject. The guidance explains briefly what a SAR is, how to make a SAR (including a template), what companies have to do and how a data subject can complain if they're not satisfied with the outcome.
Agreement reached between ICO and Facebook
The ICO and Facebook have reached an agreement over the ICO’s investigation into Facebook over Cambridge Analytica.
UK cases
R (Bridges) v Chief Constable of South Wales Police and Others [2019] EWHC 2341
The Divisional Court has dismissed a challenge against use of Automated Facial Recognition technology ('AFR') by South Wales Police ('SWP') which was brought on the basis of interference with the right to privacy and breaches of data protection and equality laws.
(1) Al-Ko Kober Ltd (2) Paul Jones v Balvinder Sambhui [2019] 9 WLUK 139
This case examined a claim for unlawful processing of personal data alongside defamation and malicious falsehood claims made in relation to publishing videos with derogatory content on YouTube.
Automotive Software Solutions Ltd v The Information Commissioner [EA/2019/0083]
In a recent case on the Freedom of Information Act and the disclosure of personal data, the First-tier Tribunal held that a local authority could withhold Vehicle Registration Marks (VRMs) where their disclosure would prejudice the prevention or detection of crime. The case also confirmed that vehicle registration numbers would be personal data, on the basis that they could indirectly identify an individual by querying the owner through the Driver and Vehicle Licensing Agency.
Lloyd v Google LLC [2019] EWCA Civ 1599
On 2 October, the Court of Appeal allowed an appeal in Lloyd v Google permitting the use of the representative action procedure and also decided that damages are in principle capable of being awarded for loss of control even if there is no pecuniary loss or distress.
R (on the application of (1) Open Rights Group (2) The3Million) (Claimants) v (1) Secretary of State for the Home Department (2) Secretary of State for Digital, Culture, Media & Sport (Defendants) & (1) Liberty (2) Information Commissioner (Interveners) [2019] EWHC 2562 (Admin)
Mr Justice Supperstone found against The3Million and Open Rights Group (the "Claimants") in his judgment on 3 October 2019 concerning the Claimants' judicial review of the "Immigration Exemption" in Schedule 2, Part 1, paragraph 4 of the Data Protection Act 2018 ("DPA 2018").
Mustard v Flower and Others [2019] EWHC 2623 (QB)
This case related to Ms Mustard, who was injured in a traffic accident and wanted to claim compensation. She was examined by medical experts appointed by the insurer and was advised by her solicitor to record the examinations. She covertly recorded two of the examinations and wished to use those recordings in evidence in support of her claim. The insurer objected, arguing that the recordings constituted unlawful processing contrary to the GDPR and the DPA 2018.
Other UK News
UK-US agreement facilitates reciprocal gathering of overseas evidence for criminal investigations
On 4th October 2019, the UK and US governments announced the signing of an agreement that will facilitate the ability of UK and US authorities to demand certain documents or other data from companies and individuals, if they are based or operating in the US and UK, respectively.
EU: What a difference a Brexit deal makes
The European Commission's ('the Commission') Task Force for the Preparation and Conduct of the Negotiations with the United Kingdom under Article 50 of the Treaty on European Union released, on 17 October 2019, a revised text of the Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators' level ('the Revised Political Declaration').
EDPB
EDPB 14th Plenary Session
On 8 and 9 October, the European Data Protection Board (EDPB) met for its fourteenth plenary session. During the plenary, the following topics were discussed, amongst others:
• The 3rd annual review of the Privacy Shield
• The guidelines on processing necessary for the performance of a contract, in the context of the provision of online services.
CJEU cases
Should search engines implement de-listing requests globally? And do they have to remove sensitive data as a matter of course?
The CJEU has considered two further right to be forgotten cases. The first is on the territorial scope of the right to be forgotten. Here, the CJEU concluded that de-listing requests should be implemented across the EU, not just in the member state applicable to the relevant data subject.
Planet49: CJEU Rules on Cookie Consent
On 1 October 2019 the Court of Justice of the European Union (the 'CJEU') delivered its judgment in Planet49, a case analysing the standard of transparency and consent for the use of cookies and similar technologies.
Are You Inadvertently Processing European Criminal Conviction Data? The Overlooked Impact of GC v CNIL
Google continues to drive the development in case law of the Court of Justice of the European Union (CJEU) on the right to be forgotten in two recent cases.
Other EU news
The Council of the European Union has set out its position and findings on the application of the GDPR
The Council of the European Union has set out its position and findings on the application of the GDPR from 19 Member States in preparation for its 2020 review of GDPR.
ePrivacy Regulation update
On 17 October, the Council of the European Union (the 'Council') published its latest draft of the proposed e-Privacy Regulation. [Note that since this article was written, the Council issued a further draft on 30 October – further updates will follow].
EU Enforcement
Belgian DPA imposes €10,000 fine on a merchant for its disproportionate use of the Belgian electronic ID card.
Romanian DPA imposes its first GDPR fine on Unicredit Bank SA for breach of Article 25 of the GDPR (Privacy by Design) and failure to implement appropriate technical and organizational measures
Polish DPA fines morele.net €645,000 (PLN 2.8 million) for insufficient organisational and technical safeguards
Greek DPA fines a Greek telecommunications provider €400,000 for breaches of the accuracy principle and data protection by design and also for a failure to satisfy the right to object
Spanish DPA fines Vueling €30,000 for the cookie policy used on its website
UK ICO Enforcement
Highlights
Superior Style Home Improvements Ltd was issued with a monetary penalty notice of £150,000 after making unsolicited marketing calls.