Data Protection – August/September 2019


Latest from the ICO, including no-deal Brexit guidance; developments in use of automated facial recognition technology; cybersecurity; and more.

No-deal Brexit guidance

The Information Commissioner’s Office (ICO) is urging businesses to “prepare for all scenarios” to maintain data flows when the UK leaves the EU. On 11 September 2019, it published dedicated guidance to help small and medium-sized organisations prepare for the possibility that the UK leaves the EU without a deal. There is separate guidance available for large businesses and organisations, and for data protection specialists. Also see our recent ‘Countdown to Brexit’ briefing on data transfers, which explains what you should be doing now.

Change to response time for data subject access requests

On 15 August 2019, the ICO issued updated guidance on the timescales for responding to a data subject access request (DSAR) following a recent ruling of the Court of Justice of the European Union (CJEU). See our briefing for details.

It also added guidance on the meaning of “manifestly unfounded or excessive”.

In related news, a recently published test revealed that some companies are still not prepared for DSARs, over a year since the EU General Data Protection Regulation (GDPR) came into force. See our briefing for details.

Developments in use of automated facial recognition technology

In the recent case of R (on the application of Bridges) v Chief Constable of South Wales Police (Information Commissioner and another intervening) [1], the High Court considered, apparently for the first time in any court in the world, the use of automated facial recognition technology (AFR). The case concerned a pilot project run by South Wales Police (SWP) called ‘AFR Locate’. This involves the deployment of surveillance cameras to capture digital images of members of the public, which are then processed and compared with digital images of persons on watchlists compiled by SWP for the purpose of the deployment. The case was brought in order to seek the court’s early guidance on the legal parameters and framework relating to AFR while it is still in its trial phase. The court was satisfied both that the current legal regime is adequate to ensure the appropriate and non-arbitrary use of AFR Locate, and that SWP’s use to date has been consistent with the requirements of the Human Rights Act and data protection legislation.

AFR is a priority area for the ICO, which has launched an investigation following concerns reported in the media regarding AFR’s use in King’s Cross in London. See the Information Commissioner’s statement here. She says that she remains deeply concerned about the growing use of AFR in public spaces, not only by law enforcement agencies but also increasingly by the private sector. Organisations must have documented how and why they believe their use of AFR is legal, proportionate and justified. The ICO’s statement following the SWP ruling can be found here.

Other news from the ICO – round-up

  • Two firms were separately fined and ordered to stop their illegal marketing activity after making calls to people whose numbers were registered with the Telephone Preference Service.
  • On 5 August 2019, the ICO published a blog post which discusses some of the key safeguards organisations should implement when using solely automated artificial intelligence (AI) systems to make decisions with significant impacts on data subjects. This is one of a number of recent posts forming part of the ICO’s call for input on developing a framework for auditing AI.
  • The Information Commissioner has joined representatives of other data protection and privacy enforcement authorities worldwide in expressing shared concerns over the privacy risks posed by Facebook’s ‘Libra’ digital currency and infrastructure.
  • On 7 August 2019, the Information Commissioner provided an update on the ICO’s proposed code for protecting children online.
  • The ICO has launched a number of resources for local councils addressing the top three GDPR compliance challenges identified through sector feedback: own devices; data audits; and data sharing. See the blog post.
  • The ICO is consulting until 4 October 2019 on a new framework code of practice for the use of personal data in political campaigning.
  • Just after the June/July 2019 edition of the Regulatory round-up went to press, the ICO selected the first participants for its data protection sandbox, which is a new service supporting organisations developing innovative products and services using personal data with a clear public benefit.
  • On 5 September 2019, the ICO issued a warning about historical personal details accessed through work. It says that the Data Protection Act 2018 adds a new element of knowingly or recklessly retaining personal data without the consent of the data controller. It is advising anyone dealing with the personal details of others in the course of their work, whether in a police force, health trust or private business, to take note of this update, especially when employees are retiring or taking on a new job.
  • The ICO’s direct marketing code consultation is expected in the autumn.

Government issues new privacy notice guidance for schools and local authorities

On 21 August 2019, the government published an updated privacy notice user guide and suggested templates for schools and local authorities to issue to staff, parents and pupils about the collection of data. See this link.

Cybersecurity update

On 7 September 2019, the National Cyber Security Centre (NCSC) reminded organisations about its collection of guidance on mitigating denial of service attacks.

On 19 September 2019, the NCSC published new guidance on cyber incident management. See this blog post with a link through to the guidance.

On 11 September 2019, the government issued a call for views on the proposed approach to cybersecurity certification following the UK’s departure from the EU. The document explains that the EU Cyber Security Act, which entered into force on 27 June 2019, provides the EU Cyber Security Agency with a strengthened and permanent mandate and establishes a cybersecurity certification framework under which EU-wide cybersecurity certification schemes will be developed and implemented.

The UK was actively engaged in the development of the Act, and remains committed to enabling improved cybersecurity across Europe and preventing unnecessary market fragmentation. It will seek to cooperate on approaches to cybersecurity certification with the EU and will therefore seek to enter into negotiations with the EU on mutual recognition arrangements. Responses are requested by 15 October 2019.

News from Europe

  • The third annual joint review of the EU-US Privacy Shield framework took place on 12 and 13 September 2019. The European Commission’s report on the functioning of the Privacy Shield is expected in October 2019.
  • The CJEU has ruled that website operators who embed Facebook ‘like’ buttons on their websites can qualify as joint controllers with Facebook in respect of the collection and transmission of personal data [2]. As a result of this judgment, website operators who embed third party features (arguably this includes cookies) will need to ensure that they take the necessary steps to comply with the relevant GDPR requirements.


[1] [2019] EWHC 2341 (Admin)
[2] Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C-40/17 – ECLI:EU:C:2019:629)