Data Protection Bulletin - July 27 2023
Welcome to the latest edition of our bi-weekly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks. Visit our website for more news.
ICO Publishes ‘Takeaways’ From Its Q1 Enforcement Activities
In its Q1 2023/24 enforcement insights, the UK Information Commissioner’s Office (ICO) outlined three key lessons for organisations to improve their data protection practices, based on patterns it had spotted in complaints it had received and resultant enforcement actions:
- Data Breaches: The ICO emphasised the necessity of preventing inappropriate disclosure of personal information, highlighting the need for comprehensive policies and rigorous staff training. Five organisations, including the Ministry of Justice, were reprimanded for mishandling personal data because of a lack of appropriate processes, policies and training. The ICO suggested a thorough review of all data protection policies, adequate training for staff responsible for redactions and disclosures, and appropriate measures to secure internal emails containing personal information.
- Information Access Requests: The ICO underscored the importance of timely responses to Subject Access Requests (SARs). Two councils, Plymouth City Council and Norfolk County Council, were reprimanded for failing to respond to SARs within the statutory timeframe of one month, extendable by up to two months for complex requests. All organisations were encouraged to be prepared and proactive when dealing with such requests.
- Privacy by Design: Lastly, the ICO advised adopting a ‘data protection by design and default’ approach. Sussex and Surrey Police received reprimands for unlawfully capturing personal information via an app, highlighting the need for comprehensive planning and employee training before deploying any new app, product, or service that utilises personal data.
The ICO stressed the expectation for improvements in practices following any reprimands, and encouraged other organisations to learn from these incidents to ensure appropriate handling of personal information.
Government Regulatory Activity
European Commission Adopts EU-US Adequacy Decision
The European Commission has adopted an adequacy decision approving the EU-U.S. Data Privacy Framework (DPF). The decision is a significant step towards facilitating personal data transfers between the two regions, with both the EU and US stating that the DPF gives personal data transferred under it a level of protection comparable to that available under the EU’s General Data Protection Regulation (GDPR).
The new framework, which entered into force on 11 July 2023, allows organisations to transfer personal data from the EEA to the US without relying on GDPR Article 46 transfer mechanisms such as standard contractual clauses, provided that the US recipient has self-certified its adherence to a prescribed and extensive set of standards. However, there are indications that the DPF will face legal challenges similar to those that invalidated its predecessors, the Privacy Shield and Safe Harbor frameworks.
For UK organisations, the DPF does not change the current requirements for international personal data transfers. Although US organisations can also self-certify to the UK Extension to the DPF, transfers from the UK will not be covered until the UK-US Data Bridge (covered in more depth below) enters into force.
Court Postpones the Suspension of Meta’s EU-US Data Transfers
Meta, Facebook’s parent company, has been granted an extension until 31 July of the interim stay on the Irish Data Protection Commission (DPC) decision requiring it to suspend transatlantic transfers and storage of EU user data, a decision which could otherwise have seen the social media giant’s services shut down across the EU. At the time the extension was granted, the European Commission had yet to adopt its adequacy decision on the US (since adopted, as noted above), which the DPC indicated could make the suspension unnecessary.
The DPC had previously fined Meta Platforms Ireland Ltd €1.2 billion and ordered it to cease the unlawful processing and storage of personal data of millions of Facebook users from the European Economic Area. This action followed a successful legal challenge by Austrian privacy activist Max Schrems over concerns that EEA users’ data was insufficiently protected from US intelligence agencies during transatlantic transfer. Further proceedings on the full stay application are expected.
Google Forced to Postpone Bard Chatbot’s EU Launch Over Privacy Concerns
Google has had to delay the launch of its artificial intelligence (AI) chatbot, Bard, in the European Union (EU) due to privacy concerns raised by the Irish Data Protection Commission. The regulator stated that Google had not provided sufficient information about how Bard complies with the EU’s General Data Protection Regulation (GDPR). The commission had not received a detailed briefing or a data protection impact assessment for Bard before the intended launch.
The regulator has stated that it is awaiting urgent answers from Google and is continuously examining the matter, planning to share information with other European data agencies as soon as possible. Google has already launched Bard, a competitor to OpenAI’s ChatGPT and Microsoft’s Bing Chat, in 180 countries, but it has so far avoided EU countries.
UK And US Reach Commitment In Principle Over ‘Data Bridge’
The UK and US governments have agreed in principle to create a ‘data bridge’ facilitating the flow of personal data between the two countries, built as a UK extension to the EU-US Data Privacy Framework. Currently, businesses transferring personal data from the UK to the US must put in place a UK GDPR transfer mechanism, such as the International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses, supported by a transfer risk assessment. The ‘data bridge’ aims to remove that burden for transfers to participating US organisations.
However, the proposed framework’s implications remain uncertain. Past frameworks such as the EU-US Privacy Shield were invalidated over concerns about access to and interception of data by US authorities, hinting at potential challenges for the new arrangement. Not all US businesses would be eligible: only those subject to the jurisdiction of specific US regulators (the Federal Trade Commission or the Department of Transportation) can self-certify, which limits its scope. Moreover, since the DPF (sometimes called ‘Privacy Shield 2.0’) and, by extension, the UK-US data bridge are likely to face legal challenge, their final form may differ significantly from the current proposal. So while the data bridge is a potentially promising simplification of transfer procedures, businesses should remain cautious and prepared for a complex and evolving legal landscape in international data transfers.
CNIL Fines Adtech Giant Criteo €40M For User Privacy Violations
French AdTech company, Criteo, has been handed a revised fine of €40 million ($44 million) by France’s data privacy watchdog, Commission nationale de l’informatique et des libertés (CNIL), over its failure to obtain user consent for targeted advertising. This decision comes after Privacy International and Austria-based non-profit None of Your Business (NOYB) filed a complaint in 2018, citing concerns about Criteo’s data processing activities and “behavioural retargeting”. CNIL identified five GDPR breaches, including failure to demonstrate user consent, lack of transparency, and the neglect of data erasure requests.
Criteo, which initially faced a proposed €60 million fine, argued for a reduction on the basis that the breaches were not deliberate and caused no harm. The company also argued that the fine was disproportionately high compared to those issued to tech giants such as Google and Meta. The CNIL reduced the fine by one-third; nevertheless, Criteo has announced plans to appeal the decision, describing it as “vastly disproportionate”. The CNIL maintains that Criteo’s practices were intrusive, affected a very large number of EU users, and allowed the company to profit significantly from its role as an advertising intermediary.
Spotify Fined €5 Million For Data Subject Access Request Failures
Spotify, the music streaming giant, has been fined approximately €5 million ($5.4M) by the Swedish authorities due to alleged violations of European Union users’ data access rights. The penalty comes after a complaint lodged by the privacy rights non-profit, NOYB, which claimed that Spotify did not provide full information about personal data it processes in response to individual requests.
The complaint accused Spotify of not supplying all the personal data requested and of failing to provide information on the purposes of processing, the recipients of the data, and the details of international data transfers. After several years of delay, the Swedish data protection authority, IMY, finally ordered Spotify to provide the complete set of information.
ICO Reprimands Thames Valley Police For Accidentally Revealing Witness’ Address To Suspected Criminals
The Information Commissioner has issued a reprimand to Thames Valley Police (TVP) for breaches of the Data Protection Act 2018 (DPA 2018), particularly S.40 pertaining to security. The investigation revealed that TVP had inappropriately disclosed information, which led to suspected criminals discovering a witness’s address. The disclosure was linked to a lack of appropriate organisational measures to ensure officers understood disclosure and redaction procedures. Despite the existing guidance, the officer who inadvertently revealed the witness’s address had not received redaction training or been made aware of the policies for information sharing.
In response to the incident, TVP has taken remedial steps including information management refresher training for the officer involved, updating operational guidance, and enhancing their policy documents around redactions. While these measures are appreciated, the Commissioner expects more proactive steps to prevent such incidents. The Commissioner’s recommendations for TVP include: providing redaction training to all staff involved in disclosures, ensuring all policy updates are promptly communicated to officers, and regularly reviewing and updating data handling policies, with reminders issued frequently to the staff.
ICO Fines Two Energy Firms A Combined Total Of £250,000 For Making Unlawful Marketing Calls
The Information Commissioner’s Office (ICO) has fined two energy companies a total of £250,000 for bombarding people and businesses on the UK’s ‘do not call’ register with unlawful marketing calls.
Maxen Power Supply Ltd, an energy supplier from Ilford, Essex, was issued a fine of £120,000 and Crown Glazing Ltd, a green energy firm based in Preston, Lancashire, was issued a fine of £130,000. According to the ICO, both made unsolicited marketing calls to people and businesses while falsely claiming to represent other organisations – such as the National Grid, other energy suppliers or the UK Government.
How can we help you?
At DPAS, we provide Data Protection and Information Security Consultancy and Training internationally. We support businesses to achieve their organisational objectives and goals, by transforming data protection compliance from an obstacle into a value-added asset.
Take a look at our website to see what we can do for you.