Data Protection – January 2019

Binary Code Print publication


Google’s €50 million GDPR fine; latest from the ICO; ‘no deal’ guidance; Privacy Shield update; and Walker Morris risk series stampmore.

Google hit with €50 million GDPR fine – says it will appeal…

France’s national data protection regulator CNIL handed Google LLC a record €50 million fine under the EU General Data Protection Regulation (GDPR) in relation to two complaints filed by non-profit organisations noyb (set up by Austrian privacy campaigner Max Schrems and meaning “None of Your Business”) and La Quadrature du Net over the issue of forced consent. The company was fined for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. See the press release from CNIL . It has been widely reported in the media that Google intends to appeal the fine.

… as more complaints are filed

Google’s fine came shortly after noyb filed complaints with the Austrian Data Protection Authority against eight companies, including Amazon, Netflix, Spotify and YouTube, alleging violations of the right-to-access provisions under GDPR.

Insurers seek clarity over insurability of fines and penalties

In a submission on cyber issues to the Organisation for Economic Co-operation and Development, the Global Federation of Insurance Associations referred to the fact that there is international confusion as to the insurability of fines and penalties, and said that work to clarify this issue would benefit consumer and insurer contract certainty. This is a grey area and it is particularly relevant in the context of the (potentially massive) fines that could be imposed on organisations for violations of GDPR.

Latest from the ICO

  • The UK Information Commissioner’s Office (ICO) published a new Guide to Data Protection, which covers the Data Protection Act 2018 and GDPR as it applies in the UK.
  • In her latest “myth-busting” blog, the Information Commissioner looks at how personal data will continue to flow post-Brexit. The blog links though to the ICO’s various guidance and resources on this topic.
  • The ICO is consulting until 8 March 2019 on its proposed access-to-information strategy for the next three years. A final version will be launched later in 2019. In a blog post introducing the draft strategy, which is called ‘Openness by Design’, the ICO’s Director of Freedom of Information noted that, every year, the ICO receives more and more requests to independently review decisions made by public authorities about information requests under the Freedom of Information Act 2000 (FOIA) or the Environmental Information Regulations 2004 (EIR). Among other things, the draft sets out how the ICO will tackle issues of non-compliance among public authorities, especially around timeliness and quality of responses. Feedback is sought from a wide range of stakeholders.
  • In a related development, the ICO laid a report before Parliament on 28 January 2019 called ‘Outsourcing Oversight? The case for reforming access to information law’, which calls for an update to FOIA and EIR to include organisations providing a public function. See this link.
  • This topic was also discussed in a recent speech delivered by the Information Commissioner titled ‘Data, Transparency and Trust: How information rights can promote a culture of accountability’, in which she noted that two high profile incidents – the Grenfell Tower tragedy and the collapse of Carillion – sharpened her resolve to call for an extension of access-to-information laws.
  • On 9 January 2019, the ICO published a blog post on the recent law changes on pension cold calling.
  • In recent enforcement action, Cambridge Analytica was fined £15,000 for failing to respond to an ICO enforcement notice which ordered it to respond in full to a data subject access request made by an academic in the US.
  • And finally, on 30 January 2019, the ICO published a discussion paper and opened an ‘intention to apply’ survey in relation to its regulatory sandbox. See the blog post for details.

Government ‘no deal’ Brexit guidance

On 28 January 2019, the government published further guidance on data protection and Brexit. As we reported previously, more detailed guidance was published on 13 December 2018. See this link.

Just after the November/December 2018 edition of the Regulatory round-up went to press, the government published guidance for digital service providers under the Network and Information Systems Regulations 2018 on how they can prepare for a no deal scenario.

European Commission adopts Japan adequacy decision for free flow of personal data

On 23 January 2019, the European Commission adopted its adequacy decision on Japan, allowing personal data to flow freely between the two economies. This is the first adequacy decision adopted since GDPR came into force. See the Commission’s press release. The UK will be seeking its own adequacy decision post-Brexit, as part of its future relationship with the EU.

Update on EU-US Privacy Shield

In a press release following its latest plenary session, the European Data Protection Board (EDPB) said that it welcomed efforts made by the US authorities and the European Commission to implement the Privacy Shield (including the announcement of the appointment of a permanent Ombudsperson – one of the key demands of the Commission following the annual joint review conducted in October 2018), but it also set out a series of remaining concerns, including the lack of concrete assurances over indiscriminate collection and access of personal data for national security purposes. Board Members adopted the EDPB’s non-binding report on the second annual joint review. The report sets out the EDPB’s findings on the commercial aspects of the Privacy Shield and on access by public authorities to data transferred to the US under the Privacy Shield.

The official Privacy Shield website has published a set of Privacy Shield and the UK FAQs, explaining the steps that Privacy Shield participants need to take ahead of Brexit.

Decision awaited in Facebook appeal over standard contractual clauses

The Irish Supreme Court recently heard Facebook’s appeal in the Schrems litigation. The appeal concerns the Irish High Court’s referral of questions over the validity of the European Commission’s adequacy decisions on standard contractual clauses to the Court of Justice of the European Union. The Supreme Court will rule on the appeal at a later date. Walker Morris will continue to monitor and report on developments.