The autumn agenda highlighted two key themes that remain at the top of the agenda for in-house lawyers with a data privacy remit. These are: the potential outcomes of the ICO consultation on international data transfers post-Brexit; and the possible repercussions of the DCMS consultation on potentially far-reaching reforms to the UK’s data protection regime. Both of these topics are dealt with in some depth in our blog post, What’s keeping data privacy professionals busy?
International data transfers: a state of flux
We will probably have to wait until at least early 2022 for the finalised UK approach to this key topic. Businesses will remain vexed as to how best to approach transfers in the meantime and how to plan for the future. For more on the ICO data transfers consultation see Article, ICO consultation on international data transfers: what to do now.
DCMS consultation: a watching brief
Details of the DCMS proposed reforms are set out in Data: A new direction. While the consultation has now closed, the potential impacts will be at the front of mind for many in-house lawyers. In October, the ICO published its response to the proposals, which will provide some indication of the direction of travel over the coming months (see Legal update, ICO published its response to the DCMS consultation).
Practical Law has published Article, DCMS data protection reforms: summary of consultation proposals which provides a detailed summary of the proposed reforms.
Lloyd v Google: grounds for relief
The Supreme Court’s November judgment in Lloyd v Google LLC provides the other major talking point over the autumn. The court rejected Mr Lloyd’s representative class action for compensation, brought against Google LLC in respect of its use of “Safari Workaround” technology.
Controllers will be extremely relieved because, had Mr Lloyd been successful in his bid to break new legal ground, this could have opened a wave of compensation claims under the UK GDPR and the Data Protection Act 2018, changing the way in which claims are brought in the UK and broadening their scope. For a detailed summary, see Legal update, Mr Lloyd’s representative class action in connection with Google’s “Safari Workaround” rejected (Supreme Court) (Full update).
Looking back: Autumn 2021
In case you missed them, here are some of the key developments that took place over the autumn:
- On 5 October, the ICO statutory data sharing code of practice, produced under section 121 of the Data Protection Act 2018, came into force.
- On 6 October, the ICO published its response to the DCMS consultation on the future of data protection in the UK, “Data: a new direction”.
- On 12 October, the County Court upheld claims for harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 2018 arising out of the defendant’s use of a video doorbell and security cameras.
- On 2 November, the ICO published a paper setting out a framework for considering the impact of end-to-end encryption (E2EE) on online safety.
- On 10 November, in Lloyd v Google LLC the Supreme Court unanimously rejected Mr Lloyd’s representative class action for compensation, brought against Google LLC in respect of its use of “Safari Workaround” technology.
- On 24 November, DCMS published its National Data Strategy Mission 1 Policy Framework: Unlocking the value of data across the economy.
- On 25 November, the Information Commissioner, Elizabeth Denham, published an opinion (under Article 58(3)(b), UK GDPR) on data protection and privacy expectations for online advertising proposals.
- On 29 November, the ICO announced it has issued a notice of intent to impose a fine of just over £17 million on Clearview AI Inc and a preliminary enforcement notice requiring the company to cease further processing of the personal data of data subjects in the UK and delete the data it holds, due to alleged serious breaches of the UK GDPR and the Data Protection Act 2018.
- On 10 December, the ICO published a paper reflecting on some of the key themes and emerging issues in information rights regulation that it has engaged with since the outbreak of COVID-19.
Key dates: Winter 2021/22
Key forthcoming dates include:
- 10 January 2022. ICO consultation on its draft journalism code and draft economic impact assessment ends.
- 12 January 2022. Updated Surveillance Camera Code of Practice comes into force.
- 31 January 2022. EDPB consultation on Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR ends.
New Practical Law content
Over the course of the autumn, Practical Law has published:
- Practice note, Whistleblower Programs and EU Data Protection Law Compliance: Overview, an overview of issues relating to whistleblowing programs and data protection law compliance in the EU.
- Checklist, Responding to data subject requests (UK), a checklist outlining the key steps controllers should take when responding to data subjects who exercise their rights under the UK GDPR and Data Protection Act 2018.
- Article, The adtech challenge: thriving in an e-commerce world, an article explaining the privacy and other legal challenges that advertisers face in navigating the online advertising industry and, in particular, the use of adtech.
- Article, Lloyd v Google: one door closes but another one opens?, discussing the recent Supreme Court case.
- Article, Facial recognition technology: the risks unfold, discussing the need for regulation in this fast-growing sector.
- Standard document, Data protection audit questionnaire (UK), a high-level data protection audit questionnaire to assess the adequacy of an organisation’s data protection programme and current levels of compliance.
- Standard clauses, Data sub-processing clauses (UK), comprising a set of personal data sub-processing clauses designed to facilitate compliance with the UK GDPR and Data Protection Act 2018.
Practical Law has also published a new suite of standard clauses for personal data transfers from the EU to a third country.
Featured Asks
We have also published the following Asks potentially of interest to in-house lawyers:
- Can you confirm whether in an MSA, it is always the case that there is a controller and a processor (rather than a processor and a subprocessor)?
- Could a supplier of a SaaS product still be a processor for the purposes of data protection laws, even if they do not host the product (that is, the product is hosted on the servers of the supplier’s clients)?
- Is a payment provider or payment-processor who facilitates credit card payments over the internet a processor or controller?
- Is there a document or table of all retention periods for personal data such as financial data, accounting, contracts, etc., with the reference to the relevant legislation?
- Are pop-ups for cookies mandatory to facilitate consent under PECR and the UK GDPR?
- Clients and employees have provided permission to use their personal data including photos for marketing purposes. How long would such a permission last to meet the consent criteria under the UK GDPR?
- What data protection requirements and formalities need to be followed when transferring client data between an incumbent and replacement software provider?
- With regard to Article 28, UK GDPR, where does it set out, either in the legislation or within ICO guidance, the extent of the due diligence a controller must undertake?
- What constitutes personal data in relation to Sequence of Events data files recorded in relation to external calls from service users?
- Can a processor carry out a Data Protection Impact Assessment in relation to processing activities on behalf of a controller?
- Can our Money Laundering Reporting Officer also be appointed as our data protection officer?
- Is there any guidance about the sending of encrypted emails to the Court or the Tribunals?
- What information are you legally required to include in a data sharing agreement (controller to controller) now that the Data Sharing Code has been published?
- Can an international organisation use a single, global privacy notice to cover all data processing undertaken by its companies and subsidiaries, which are located in various jurisdictions including the UK, EEA, USA and Canada?
- Can the terms and conditions, and privacy policy for a sales promotion be included in one document or is it best that the two are separate?
- What are the UK GDPR lawful basis grounds a seller can rely on during the acquisition process?
- What are the main legal issues to consider for live shopping online, for example, via video on social media?
- Can I refuse to comply with an erasure request if personal data is kept to comply with our company’s record and retention policy?
- What options do we have to narrow the scope of a DSAR when there are large volumes of personal data?