DPAS Data Protection Bulletin – December 2022

Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks.

Categorised into:

  • Key Insights
  • Government Regulatory Activity
  • Enforcement Actions

KEY INSIGHTS

International Transfers have been on the front burner of governments and organisations globally throughout this year.
In the past couple of months, the UK has announced an adequacy decision covering South Korea, and the European Union has issued a draft adequacy decision for the US, subject to confirmation. 

In the UK, the ICO recently released new guidance on international transfers, to be applied when conducting Transfer Risk Assessments – which we covered in more depth HERE.

For organisations operating internationally, staying on top of these developments, and ensuring that offshore processing and transfers are compliant with the latest rules must be a priority.

GOVERNMENT AND REGULATORY ACTIVITY

European Commission publishes draft adequacy decision on EU-US data flows

The European Commission initiated the formal process for adopting an adequacy decision on the EU-US Data Privacy Framework on Tuesday 13th December. This followed the US government’s release on October 7th of the new EU-U.S. Data Privacy Framework, which sought to remedy the issues that had resulted in the European Court of Justice; nullifying the two previous frameworks for EU – US data transfers (Safe Harbor and Privacy Shield). 

The new DPF includes three components: commercial data protection principles to which U.S. organisations may self-certify, a presidential executive order and Department Of Justice regulations which are intended to provide a means for aggrieved data subjects to seek remedy for abuses of their privacy rights. All those measures are targeted at allaying European concerns over potential American bulk surveillance, but there have already been initiatives seeking to challenge their sufficiency in court. The judgements in those court cases could affect the newly proposed adequacy decision.

OECD Adopts Declaration on Safeguarding Privacy In Law Enforcement And National Security Data Access 

At the OECD’s 2022 Digital Economy Ministerial Meeting, the 38 OECD countries (including the UK) and European Union adopted the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities.

The treaty is targeted at improving trust in cross-border data flows – which are central to the digital transformation of the global economy – by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks. The Declaration is also open for adherence by other countries.

The principles set out how legal frameworks regulate government access; the legal standards applied when access is sought; how access is approved, and how the resulting data is handled, as well as oversight and opportunities for data subjects to seek redress. Although not binding, the Declaration is likely to be hugely influential in how countries craft their local laws, as with the original OECD Privacy Principles of 1980.

CJEU Declares Meta’s Personalised Ads Without User Consent Illegal

In the EU (as with the UK) all organisations processing data must do so on the basis of one of the options listed in the GDPR.

The choice of which one to adopt is one of the most fundamental decisions which we often help clients with at DPAS because getting it wrong can mean that the entirety of an organisational system, product feature or even business model can be deemed illegal down the line.

In Meta’s (parent company of Facebook, Instagram and WhatsApp), they had chosen to process personal data for the purpose of serving advertisements on their platforms using the contract basis, by adding a provision to that effect in the terms and conditions. On 25 May 2018, the digital rights organisation NOYB filed complaints with the relevant Data Protection Authorities (DPAs). Now, 4.5 years later, the European Data Protection Board (EDPB) found Meta’s alleged “bypass” of the GDPR illegal. The EDPB also rejected the view of the Irish Data Protection Commission (DPC) who previously sided with Meta.

ENFORCEMENT ACTIONS

ICO Fines Two Lead Generation Companies £195,000

On the 14th of December, The ICO fined two lead generation companies £195,000 for their involvement in sending unsolicited SMS AND email marketing messages to people without their consent. 

Ryan Hill Partners was fined £70,000, whilst Monetise Media Ltd was fined £125,000. 

The ICO announced that it had received hundreds of complaints about both companies. 

ICO Fines Five Businesses Total Of £435,000 For Unlawful Marketing Calls

The Information Commissioner’s Office (ICO) has fined five companies a total of £435,000 for making nearly half a million unlawful marketing calls to people registered with the Telephone Preference Service (TPS).

It is against the law to make a live marketing call to anyone who is registered with the TPS, unless they have told the specific organisation that they do not object to receiving calls from them.

According to the ICO, the companies collectively made nearly half a million unlawful marketing calls, some of which appeared to be directed at elderly vulnerable people who had taken action to block the calls by registering with the TPS.

The ICO’s investigation concluded that the companies had breached regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by calling people repeatedly without their consent and in some cases despite being registered on the Telephone Preference Service (TPS).

Clubhouse App fined €2 million for Transparency Shortcomings

Italy’s privacy regulator, the Garante, said it had found “numerous violations” of the GDPR by the app, which is owned by U.S. firm Alpha Exploration, and issued a fine of 2 Million Euros (£1.75 Million).

The Garante said the app was not transparent enough about the use of users’ data; that it gave users the ability to store and share audio without others’ consent; that it profiled and shared account information without identifying a proper legal basis; and that it had indefinite retention periods of the recordings made by the social network.

In addition to the fine, the regulator has mandated Clubhouse to introduce several new measures to promote transparency on its platform, including pre-emptively notifying users when recordings are being made, and to specify its data retention periods.

 

To view our last bulletin, for any updates you may have missed, click here.

RECENT POSTS