Privacy & Data Snapshot – Quarterly Edition
Wednesday 13th December 2023
Welcome to Gordons latest Privacy & Data Snapshot
In this edition, we cover:
- The UK-US data bridge,
- Warnings about cookie banners,
- Changes to workplace monitoring,
- Advice on biometric data processing,
- ICO Workshop: A new regulatory approach to complaints?
The UK – US Data Bridge is now open
The US-UK Data Bridge formally opened on 12 October 2023, which allows a free-flow of personal data from the UK to the US where the recipient organisation in the US is self-certified with the UK Extension to the EU US Data Privacy Framework (DPF) Program. Where organisations in the US are self-certified, this should make contracts and risk assessments easier for companies sharing personal data with US-based organisations, and negate the need for additional safeguards such as the International Data Transfer Agreement or the Addendum to the Standard Contractual Clauses. For more information, please see here.
Warnings about cookie banners
The Information Commissioner’s Office (ICO) Deputy Commissioner, Stephen Bonner, has warned companies who fail to include a ‘reject all’ button in their cookie banners that they are risking enforcement action being taken against them. Bonner continued to state that, “The ICO is paying attention in this area and will absolutely issue fines if we see organisations are not taking that seriously”.
Although from historic enforcement data the ICO is keen to work with companies, rather than levy fines immediately, it is always beneficial to remain proactive in making any updates. Bonner suggested that the ICO is confident that their position on this is clear, and their warning is giving organisations an opportunity to ensure that their cookie banners are compliant.
Changes to workplace monitoring
On 3 October, the ICO released guidance covering employee monitoring. Monitoring at work captures a wide range of practices which are subject to the UK GDPR and a myriad of employment laws, therefore should be undertaken carefully and transparently.
In the context of developing technologies and remote working, the guidance provides valuable insight as to what businesses can expect and how best to safeguard. You can read the guidance here.
Explicit consent advised for biometric data processing
The ICO recently published draft guidance on the use of biometric data for public consultation, focusing on biometric recognition technology and outlining key considerations for organisations who have in place, or wish to use biometric recognition systems.
The ICO confirmed in the guidance that in most cases, the only lawful basis available for this type of processing is explicit consent.
The guidance also outlined additional steps if implementing these systems. Firstly, the use of biometric recognition systems, such as fingerprint scanners, are highly likely to result in a high risk to people’s rights and freedoms, which will trigger the requirement to complete a Data Protection Impact Assessment. Other risks associated with these systems should also be considered, such as accuracy, discrimination, and security. If these risks are not dealt with appropriately, an organisation may contravene both data protection laws and equalities legislation. The guidance can be accessed by clicking here.
ICO Workshop: A new regulatory approach to complaints?
The Information Commissioner’s Office recently held a workshop into the lifecycle of an ICO complaint. They vocalised their shifting approach towards dealing with complaints, which includes:
- prioritising cases which have the biggest impact on society and/or the individual involved;
- being more transparent – by sharing case studies and explaining their thinking more;
- upskilling their case officers;
- putting themselves in their customers’ shoes (‘customers’ meaning both organisations and individuals);
- providing regulatory certainty; and
- being more person-centric.
This provides some transparency over how complaints are handled and prioritised which will be welcome to many organisations.
What does the ICO need to do when it receives a complaint?
In ‘R’ (On the Application of Delo) v The Information Commissioner’s Office [2023] EWCA Civ 1141, an individual was unhappy with how an organisation responded to its DSAR, so it made a complaint to the ICO and wanted a definitive answer from the ICO on whether the organisation had breached data protection law.
The Court said the ICO did not need to give a definitive answer in the circumstances. The ICO just needs to handle complaints, and to inform individuals of the progress and outcome of the complaint to the “extent appropriate” – which is for the ICO to determine. “Outcome” does not necessarily mean reaching the view that the organisation (a) has, or (b) has not, breached data protection law, just forming an opinion on “likelihood”.
If the individual wanted a definitive answer, they have the right to bring action before the courts – the ICO isn’t a cost-free alternative to a civil claim.
If you would like to discuss any of these developments or have any data protection queries, please contact one of our experts.
Keep up to date with data protection news and privacy developments, by signing up for our privacy snapshot newsletter.
Our seasonal update provides you with an overview of legislation changes and recent case law, along with a summary of how they can impact you or your business.
> Subscribe here
