Practical Law

At the time I wrote the Spring agenda piece COVID-19 was still a rather a remote and abstract force. It’s no understatement to say the whole world has changed since then as the pandemic has ravaged healthcare systems and economies across the globe. This includes the place in the world occupied by data protection, privacy and cyber security.

Indeed, as governments around the world have scrambled to adopt technological solutions to the track and trace conundrum, privacy concerns have been to the fore (see our blog post). The rapid move to working from home has brought with it substantially greater data privacy and security risks (see this article on key cyber risks and this blog post on avoiding GDPR traps). We have also published a brief overview of the broader data protection issues.

UK and EU authorities (including the UK government, European Data Protection Board and the ICO) have all delivered a raft of guidance for navigating these risks and more generally in relation to COVID-19.

Pandemic aside, the spectre of Brexit remains. The clock is ticking and the prospect of no deal being struck at the end of the transition period now looms large. Our blog post, Data protection: what should companies be doing during the Brexit transition period?, remains a useful starting point for assessing what you may still need to do to prepare.

Roundup for Spring 2020

It would be impossible to cover all of the developments that have taken place over the spring. The COVID-19 pandemic has brought with it a tsunami of legislation and regulatory guidance as well as drastic emergency policy making that has provoked searching privacy- and security-related questions. Here are some key edited highlights:

• On 28 February, the ICO started to allow organisations to submit proposals for GDPR codes of conduct and certification schemes for approval.
• On 4 March, the ICO issued its intention to fine Cathay Pacific Airways Ltd the maximum permitted £500,000 under the Data Protection Act 1998 for a security breach affecting around 9.4 million data subjects.
• On 18 March, the ICO and the Surveillance Camera Commissioner (SCC) published an updated version of the SCC’s surveillance camera specific data protection impact assessment (DPIA) template.
• On 11 March, the Supreme Court granted Google LLC permission to appeal against the Court of Appeal’s order in Richard Lloyd v Google LLC. Mr Lloyd is alleging no financial loss or distress, focusing on infringement of data protection rights, commission of a wrong and loss of control over personal data.
• On 19 March, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak.
• Around the end of March, the ICO provided guidance for community groups charities and other services on handling personal data during the COVID-19 pandemic.
• On 1 April, in Wm Morrison Supermarkets plc v Various Claimants, the Supreme Court overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.
• On 15 April, the ICO blogged on issues for organisations to consider with increased use of video conferencing.
• Also on 15 May, the ICO published a document setting out its regulatory approach during the COVID-19 pandemic.
• On 17 April, the Information Commissioner published a blog setting out data protection considerations to help ensure contact tracing and location data technologies are used fairly and proportionately to overcome COVID-19.
• On 4 May, the ICO published a discussion document setting out its expectations and recommended best practice for the development and deployment of COVID-19 contact tracing apps.
• On 4 May, the EDPB updated its guidelines on consent under the GDPR.
• On 5 May, the ICO blogged about the data protection issues arising from the COVID-19 pandemic that it will be prioritising in the months ahead.
• On 7 May, the ICO announced it had paused its investigation into the Adtech industry in the light of the COVID-19 pandemic.
• On 14 May, the ICO published a set of FAQs on workplace testing for employers in light of the COVID-19 pandemic and the move out of lockdown.
• Around 21 May, the ICO and Alan Turing Institute published guidance on explaining decisions made with AI.

Looking ahead

The summer is of course traditionally a quiet time for practitioners and the COVID-19 crisis has played a part in further sidelining initiatives. There are a couple of key dates to keep an eye on:

• The ICO is expected to publish the associated guidance for organisations on the final AI auditing framework on 29 May 2020. The draft guidance can be found here.
• The judgment of the much-anticipated “Schrems 2” case (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18)) is due out on 16 July 2020. Following his successful invalidation of the Safe Harbor Framework in “Schrems I”, Mr Schrems has challenged data transfers between EEA and non-EEA countries on the basis of the European Commission adopted standard contract clauses. AG Saugmandsgaard Øe gave his opinion that the SCCs are valid in December last year.

New Practical Law content

In addition to the various blog posts and articles referred to above, Practical Law has added the following to its content set in the past three months:

• GDPR key messages: presentation materials, training slides that focus on important areas of GDPR understanding and can be used as an intermittent refresher as part of a more comprehensive training programme.
• GDPR in depth: presentation materials, training slides that provide detailed background of the core principles of the GDPR and focus on important areas of understanding for staff who need a more thorough understanding.
• Article, COVID-19: summary of relevant lawful bases for processing of personal data which provides summary tables showing the potential lawful bases under EU and UK law for the processing of personal data in the context of the COVID-19 pandemic.
• Article, Employee privacy during the COVID-19 pandemic: UK and international approaches which explores the differing approaches of international regulators to employee privacy during the COVID-19 pandemic and provides a recap of the relevant provisions of the GDPR and the UK’s Data Protection Act 2018.
• Article, COVID-19 and contact tracing: putting privacy first which discusses contact tracing apps as a key tool in helping governments to ease the lockdown measures imposed in response to the 2019 novel coronavirus crisis.
• Practice note, Cyber risk roadmap, a roadmap for a cyber risk management program, based on the Cyber Assessment Framework published by the National Cyber Security Centre.
• Practice note, Data subject rights under the GDPR (GDPR and DPA 2018) (UK) which provides an overview of data subject rights and controller’s related obligations under the GDPR and how these have been implemented and modified by the Data Protection Act 2018.
• GDPR and DPA 2018 consent: checklist (UK) which outlines the key issues to consider when relying on consent as a lawful basis for processing data under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
• Article, Latest e-Privacy Regulation proposals: breaking the deadlock? which covers the latest developments in the long-running saga of the e-Privacy Regulation.