DPAS Data Protection Bulletin – August 2022

Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks.

Categorised into:

  • Key Insights
  • Government Regulatory Activity
  • Enforcement Actions

KEY INSIGHTS

How Responsible are Senior Responsible Individuals?

The position of the Data Protection Officer is due to change, as we covered in our article analysing the Data Protection and Digital Innovation Bill here, but what exactly does that mean for the people who’ll be occupying the new ‘Senior Responsible Individual’ role if the bill is passed into law as is? What changes would come along with the new job title? Read our article here for our analysis: Senior Responsible Individuals Under the Data Protection and Digital Information Bill.

GOVERNMENT AND REGULATORY ACTIVITY

ICO and NCSC Guidance on Ransomware

On July 8, 2022, the UK Information Commissioner’s Office, together with the UK National Cyber Security Centre, published a joint letter addressed to the Law Society of England & Wales, stating that ransomware is the biggest cyber threat facing UK businesses. The letter requested that the Law Society remind its members that they should not default to advising clients to pay ransomware demands should they fall victim to a cyber-attack. The letter clarified the ICO’s stance that paying a ransom is not appropriate means to protect or restore the stolen data, doing so would not be viewed as a proper mitigation step, and would not result in a lower penalty if the ICO choose to exercise its enforcement powers. The key point reinforced throughout the letter was that organisations must take a proactive approach to securing personal data in their custody, through rigorous organisational and technical precautions.

Joint Statement Released by US and UK on Data Access Agreement

The US and the UK have released a joint statement stating that they will be putting a new data access agreement into effect on the 3rd of October, 2022. The goal will be to facilitate information sharing among investigators from both countries in law enforcement operations focused on countering serious crime. Although joint statement established that both countries will be working to maintain civil liberties and democratic standards in the accessing and sharing of personal data, the agreement may still have implications on the UK’s adequacy status with the EU which permits for unrestricted transfers of personal data. This is because of the risk of ‘onward transfers’ occurring, which is when personal data transferred from another country to the UK is then forwarded to non-adequate countries such as the USA.

UK and South Korea Agree Data Adequacy in Principle

The UK and South Korean governments announced that they have reached a data protection adequacy decision in principle. The decision, once it has received final approval on both sides, will facilitate the transfer of personal data between the countries without the need to implement additional mechanisms that would ordinarily be required to secure the rights of the data subjects whose data is being transferred. Although South Korea has been granted adequacy by the EU as well, the agreement would provide further clarity for UK businesses and reflect a strengthening of bilateral economic relations outside of the EEA framework, especially when considered in light of the Memorandum of Understanding for closer cooperation between the countries data protection supervisory authorities, which was also announced at the same time.

CPPA Board Opposes American Data Privacy and Protection Act

The American Data Privacy and Protection Act (ADPPA) is one of the more consequential pieces of legislation being considered globally. Beyond impacting residents of the United States of America, it could also have an effect on how businesses in the UK are able to share data with US-based partners or service providers. The bill is currently before the House of Representatives but has faced stiff opposition on a number of fronts, including from the California Consumer Privacy Agency, which has stated that the ADPPA, as currently drafted, would erode the data subject rights contained in the California Privacy Rights Act (CPRA). Bi-partisan efforts are ongoing to reach a compromise and advance the bill to the next stage.  

India Scraps Personal Data Protection Bill; Plans to Start Over

India’s status as a major emerging economy and a tech hub has long drawn calls for the nation to enact a comprehensive data protection legislation. Those calls have led to the introduction of a bill to regulate personal data processing in the country, in 2019, with the most recent plans being to enact it into law in early 2023. Recently however, that bill was pulled from the legislative docket following a parliamentary review which concluded that there was a need for a more comprehensive legal framework. Reportedly, the focus of the new bill will be on streamlining compliance requirements, with particular focus on cross-border data transfers. For UK businesses intending to transfer data to India, the requirements to conduct a Transfer Impact Assessment will still be in place, and the assessment will need to be based on the other relevant laws applicable to data protection.

ENFORCEMENT ACTIONS

Dutch Data Protection Authority Fines Tiktok Over Privacy

The Netherlands’ Data Protection Authority said Thursday it has fined TikTok 750,000 euros (£630,000) for not offering a privacy statement in Dutch. The basis of this decision was that many children who use the popular video sharing app would be unable to understand the information. This is relevant for businesses in the UK who offer, or intend to offer, their services overseas, but it’s also relevant to the responsibility that businesses have to ensure their privacy notices are tailored to their intended audience. The GDPR makes it clear that communicating to data subjects must not be treated as a one-size fits all activity.

France’s CNIL Fines Amazon 35 Million Euros for Cookies Breaches

In December 2020, France’s data protection supervisory authority (CNIL) issued a fine of €35 million against Amazon for failure to obtain explicit consent to deploy cookies that enable targeted adverts personalised for individual citizens. The basis of the fine was that Amazon had only provided “general and approximate” descriptions of the purposes of all the cookies on its website, instead of the clear and complete information required under the French Data Protection Act, which also required Amazon to provide easily understandable guidance on how to opt out. Amazon’s appeal to the Council of State, France’s highest national Court, was rejected, meaning that the company now has to pay the fine.

TikTok Class Action Settlement

A US federal judge has approved TikTok’s $92 million (£76m) class action settlement of various privacy claims that began in 2019 and that were filed under a combination of state and federal law. The lawsuits claimed that TikTok violated the Illinois Biometric Information Privacy Act and the federal Video Privacy Protection Act by improperly harvesting users’ personal data. As part of the settlement, the company is also committing to refrain from collecting and storing biometric information and also to stop transmitting or storing US user data outside of the country unless this is expressly disclosed in TikTok’s privacy policy and transferred in accordance with all applicable laws.

RECENT POSTS