Privacy & Data Snapshot: Winter Edition
Thursday 2nd March 2023
Welcome to the winter edition of our quarterly privacy and data protection snapshot, which gives you a high-level summary of current issues and news in relation to privacy and data protection…
ICO Naming & Shaming
The Information Commissioner’s Office (ICO), the UK’s privacy regulator, has taken a significant measure by naming organisations which have been subject to reprimands. Previously, reprimands were private.
The ICO’s new approach to enforcement is intended to deter organisations from processing personal data unlawfully or from failing to handle privacy requests properly. Since November 2022, 28 reprimands have been made public, the majority of which are against public bodies, councils and the police, although private companies are also being named.
Cyber Attacks
The headlines are full of reports that organisations have become subject to cyber incidents, which also often constitute reportable personal data breaches. In January, Royal Mail suffered severe disruption to its overseas deliveries due to a ransomware attack, the effects of which are still ongoing. Sportswear chain JD Sports was also subject to a cyber incident in late January in which the personal data of 10 million of its customers was exposed.
As attacks become more sophisticated and prevalent, organisations need to plan accordingly by shifting focus from pure prevention to ongoing detection and response planning. You can see our expert’s comments in the news here.
The Future of Trans-Atlantic Personal Data Transfers
Since the Court of Justice of the European Union (CJEU) ruled in July 2020 that the US did not offer an adequate level of protection for personal data (the decision often called Schrems II), personal data transfers from the UK and the EU across the pond have relied predominantly on having appropriate contractual safeguards in place.
In the UK these contractual safeguards are now the UK’s International Data Transfer Agreement and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. Organisations must also carry out a risk assessment for any such transfers. However, President Biden signed an Executive Order in October 2022 which was recognised as the first step towards restoring the USA to an “adequate” standard of protection of personal data.
Although this isn’t a done deal by any means, both the UK and EU are reportedly aiming to give the green light by early 2023, potentially resulting in the free movement of data between the US and the UK/EU, which would no doubt ease the burden on organisations with respect to their processing agreements.
A Warning on the Importance of Data Retention
In November 2022, the French Data Protection Authority fined Discord (an instant messaging platform) €800,000 for several breaches of the GDPR. Among these breaches was a failure to define and respect a data retention period for personal data it held about individuals. Discord did not have a written data retention policy and continued to process details of accounts that had not been used for more than five years.
This decision highlights the importance of having a written data retention policy and the risks that keeping data for longer than necessary poses to organisations.
Online Safety Bill
The Online Safety Bill continues to be fiercely contested, with the latest headlines suggesting that amendments now include personal criminal liability for Big Tech directors who fall short of their obligations.
The second reading of the bill in the House of Lords was completed on 1 February, with a date yet to be announced for the bill’s committee stage reading. Please see here for a summary of everything we know about the current draft. Whilst we await details on the updated content, we can be sure that stronger obligations will be placed on tech companies to police their platforms for illegal content when this eventually becomes law.
Processing Child Personal Data & Age Verification
We are seeing more regulation around child data protection, with both TikTok and Instagram being subject to regulatory enforcement measures for failure to protect child personal data in late 2022. This month, US-based virtual friendship app Replika was temporarily restricted from processing any personal data about Italian data subjects by the Italian Data Protection Authority due to child safety concerns – namely a lack of app age verification measures, meaning inappropriate content was shared with minors. This essentially means Replika had to switch off its service in Italy.
It will be interesting to see whether other UK and EU-based regulators will follow suit, but this highlights the wide powers given to supervisory authorities under the GDPR and what can happen to organisations that do not appropriately consider child protection in the development and delivery of their services.
Back to Basics - Data Protection Laws in the UK
If you’re looking to refresh your data protection knowledge, our experts have put together some short and digestible materials on basic data protection concepts and principles.
This includes content on: controllers and processors under data protection laws, direct marketing, the six lawful bases for processing personal data, and data subjects’ rights.