Happy Data Privacy Day! And what’s coming up in 2020?

Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?

A lot has happened since then. Data protection and privacy is now a rapidly expanding area of law of ever-increasing importance. As we head towards the second anniversary since the GDPR came into force, we review current developments and look ahead at what to expect in 2020.

Our special Data Privacy Day newsletter covers the following topics:

Accountability – sounds good, but what does it actually mean?
International transfers and Brexit
What’s cooking with cookies?
Whatever happened to the ePrivacy Regulation?
The growing culture of Data Subject Access Requests (DSARs)
Adtech – under regulator scrutiny
Artificial Intelligence (“AI”) and data protection
Data security – what’s appropriate?
Fines – more to come …
Class action compensation claims

Meanwhile, please make a diary note of our annual Data Protection Update seminar, which will be held on 14 May 2020.

Please do contact us if you have any questions or if our data protection team can assist you in any way.


Whatever happened to the ePrivacy Regulation?

The ePrivacy Regulation is due to replace the current ePrivacy Directive, which is the European law behind the Privacy and Electronic Communications Regulations (PECR). These are the rules which govern the use of cookies and similar tracking technologies, as well as digital marketing. The new Regulation is intended to bring the ePrivacy Directive into alignment with the GDPR and to introduce changes to the rules governing electronic marketing.

Originally intended to coincide with the GDPR, the introduction of the ePrivacy Regulation has been highly contentious and has met with considerable delay. Towards the end of 2019, the latest draft was rejected by the Council of Europe leading to further delays in its adoption.

The ePrivacy Regulation promised a simpler set of rules on cookies. It would remove the need for cookie banners and notices and allow browser settings to provide a way for users to indicate whether they accept or refuse cookies and other identifiers. It would clarify that consent is not needed for non-privacy intrusive cookies that improve internet experience (e.g. remembering shopping cart history) or analytics cookies used by a website to count visitors.

The new rules would also ban cookie walls (where a website requires users to accept cookies as a condition of being able to access the website’s content).

The proposal will also continue the ban on unsolicited electronic communications by emails, SMS and automated calling machines. However, it is not yet known if this will extend to B2B communications, or simply apply to B2C marketing as at present.

The draft Regulation also introduces more stringent penalties for non-compliance, and brings the sanctions regime and remedies available broadly into line with the GDPR.

It is uncertain what the final form of the Regulation will be. However, given the latest delay, Brexit has now intervened and so the Regulation will not be directly applicable in the UK. Despite that, it is likely that the UK will adopt the new rules as and when introduced. While the UK may be able to make its own decision on this following Brexit, if the UK does not implement the new Regulation that may stand in the way of the adequacy decision the UK needs in order to allow the free flow of data to and from the EEA. Also, the proposed extra-territorial scope of the new Regulation (like the GDPR) means that it will remain directly applicable to UK businesses targeting the EEA. Who said that after Brexit the UK will take back control of its laws?!

Meanwhile, the ICO has also published a draft direct marketing code of practice for consultation. The consultation closes on 4 March 2020 and the ICO expects to finalise it in 2020. The ICO plans to produce additional practical tools such as checklists to go alongside the code.

Some key points include:

  • The two lawful bases most likely to be applicable to direct marketing are consent and legitimate interests. However, where PECR applies and requires consent, then in practice consent should also be your lawful basis under the GDPR.
  • It is important to keep personal data accurate and up to date. It should not be kept for longer than is necessary. It is harder to rely on consent as a genuine indication of wishes as time passes.
  • If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence.
  • Profiling and enrichment activities must be done in a way that is fair, lawful and transparent.
  • If you are using new technologies for marketing and online advertising, it is highly likely that you will be required to conduct a data protection impact assessment (DPIA).
  • If someone objects you must stop processing for direct marketing purposes. You should add their details to your suppression list so that you can screen any new marketing lists against it.

Once the draft ePrivacy Regulation is finalised and the UK’s position on Brexit is clear, the ICO has indicated that it will update the direct marketing code to take account of the ePrivacy Regulation.


What’s cooking with cookies?

Cookies have become a hot topic for the ICO, with it receiving many complaints about websites’ (often unlawful) use of cookies. This theme looks set to continue into 2020.

This is particularly the case since a huge number of organisations, including some of the largest businesses in the UK, have still not updated their practices to ensure they comply with the rules. This is despite the fact that the ICO published clear guidance concerning the requirements for the lawful use of cookies in summer 2019.

It is likely that the ICO will start taking enforcement action against organisations which do not follow the rules, and this could lead to fines. As such, businesses which are not yet compliant should take steps to ensure compliance now.

At a high level, the following are the main rules when using cookies on websites:

  1. User consent must be obtained (except in relation to “strictly necessary cookies”)

The ICO confirmed that the standard of consent for using cookies is the same high standard as under the GDPR, even for cookies which do not involve the processing of personal data. This means that implied or inferred consent can no longer be relied on for cookies. For consent, a clear affirmative act is needed; pre-ticked boxes or inactivity do not constitute consent.

Websites which use non-essential cookies without specifically requiring users to consent to these when accessing a site (e.g. by specifying that continued use entails consent) are, therefore, not compliant. This also means that all non-essential cookies should be switched off by default. It also means that such cookies should only be served on the user if and when the user consents.

“Strictly necessary cookies”, which do not require consent, are those which are essential to provide a user with the service they have requested or to comply with applicable law. Analytics cookies and advertising cookies do not fall within this exemption.

  2. Provide clear and transparent information to users concerning the cookies you use

The ICO Guidance emphasises the need to provide users with transparent information about cookies. The information must be in accordance with the higher standards of transparency as required by the GDPR; it must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

In relation to cookies, this means that online retailers need to review and update their cookies policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how the different types of cookies are being used on the website. Failure to provide clear information will breach the transparency requirement, and will also undermine any “consent” if the consent cannot be said to be sufficiently informed.
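The two rules above (consent before any non-essential cookie, and plain-language information per cookie type) can be modelled as a small consent gate. This is an added illustration, not code from the newsletter or the ICO; the category names, purposes and cookie list are constructed assumptions.

```javascript
// Cookie categories as described in the ICO guidance: only "strictly necessary"
// is exempt from consent. Purposes are constructed plain-language notice text.
const CATEGORIES = {
  strictly_necessary: { exempt: true,  purpose: "Keeps you logged in and remembers your basket" },
  analytics:          { exempt: false, purpose: "Counts visitors and measures how pages are used" },
  advertising:        { exempt: false, purpose: "Personalises adverts shown on this and other sites" },
};

// Cookies the site would like to set, tagged with their category (constructed sample).
const COOKIES = [
  { name: "session_id", category: "strictly_necessary" },
  { name: "basket",     category: "strictly_necessary" },
  { name: "_ga",        category: "analytics" },
  { name: "ad_id",      category: "advertising" },
];

// State before the user does anything: every non-essential category is off by default.
function defaultConsent() {
  return { analytics: false, advertising: false, recordedBy: null };
}

// Record consent only on a clear affirmative act. Continued browsing, scrolling or
// closing the banner leave the default (all off) untouched, so "implied" consent and
// pre-ticked defaults never switch a category on.
function recordConsent(current, action, choices) {
  const affirmative = new Set(["accept_all", "save_preferences"]);
  if (!affirmative.has(action)) return current;
  const next = defaultConsent();
  for (const cat of Object.keys(CATEGORIES)) {
    if (CATEGORIES[cat].exempt) continue;
    next[cat] = action === "accept_all" ? true : choices[cat] === true;
  }
  next.recordedBy = action;
  return next;
}

// Cookies that may actually be served: exempt ones always, the rest only once consented.
function allowedCookies(consent) {
  return COOKIES
    .filter((c) => CATEGORIES[c.category].exempt || consent[c.category] === true)
    .map((c) => c.name);
}

// One plain-language line per category for the cookie notice (transparency rule).
function cookieNoticeLines() {
  return Object.entries(CATEGORIES).map(([cat, info]) =>
    `${cat.replace("_", " ")}: ${info.purpose}${info.exempt ? " (always on)" : ""}`);
}
```

In a real site the `allowedCookies` check would sit in front of every tag or script that sets a cookie, so nothing non-essential is loaded before `recordConsent` has run on an affirmative action.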

Highlighting the importance of transparency and consent, in January 2019, the French data protection regulator imposed a fine of €50 million on Google for lack of transparency, inadequate information and lack of valid consent regarding ads personalization on mobile devices. For more information on this, see further https://idatalaw.com/2019/01/25/e50m-fine-for-google-in-france/


Artificial Intelligence (“AI”) and data protection

In the past few years, we have seen an increasing number of organisations developing or using AI solutions. Although the business case for the use of AI is compelling, tensions can arise where its use is at odds with data protection laws.

These tensions between AI and data protection include the following:

  • Transparency – the GDPR requires you to provide individuals with notice setting out how you are using their personal data. Where there is an element of automated decision-making which results in legal effects or otherwise has a significant effect on an individual (as there often is with AI), the controller is required to provide affected individuals with “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”. Given the complexities with AI and the fact that some types of AI can develop in an unsupervised environment, without human intervention, it can sometimes be difficult to meet these requirements.
  • Purpose limitation, data minimisation and storage limitation – the GDPR requires that processing of personal data is carried out for specific purposes, no more personal data than is adequate to achieve those purposes is processed and that personal data is only processed for as long as necessary to achieve those purposes. There is often tension between these principles and AI, since the development of an AI system can often result in data being used for unexpected purposes, and often requires vast amounts of data to be inputted into the system in order for it to meaningfully detect patterns and trends.

In respect of the transparency issue, the ICO has developed draft guidance along with the Alan Turing Institute (the UK’s national institute for data science and artificial intelligence) dealing with explaining AI. The guidance provides detailed information on the different ways in which businesses can seek to explain the processing they undertake using AI to the individuals concerned and seeks to address some of the concerns businesses may have in providing such explanations.

In addition to the above, the ICO is also working on finalising its AI auditing framework which will address the following specific issues:

  • Accountability – which will discuss the measures that an organisation must have in place to be compliant with data protection law.
  • AI-specific risk areas – which will discuss the key risk areas the ICO has identified in relation to the use of AI in the field of data protection.

As the use of AI becomes more widespread, it is hoped that the guidance issued by the ICO will help businesses better understand and comply with their data protection obligations whilst still allowing them to develop AI systems which can benefit organisations and individuals alike as our knowledge in this area continues to grow.


Class action compensation claims

The GDPR provides supervisory authorities the power to issue huge administrative fines (and we have seen the ICO demonstrate its intent to levy such fines). It also provides individuals with the right to seek compensation against controllers and processors which fail to comply with its provisions. This is set to provide fertile ground for claimants bringing actions in this area, and we expect the number of claims for data protection violations to increase significantly over the course of 2020.

Of particular interest is the rising number of class actions being brought for data protection related offences.

Towards the end of 2019, in the case of Lloyd v Google LLC, the Court of Appeal overturned an earlier decision of the High Court, allowing proceedings to be served against Google in the US for its allegedly unlawful use of cookies on iPhone users’ devices from a period running from 2011 to 2012. This secret use of cookies (referred to as the “Safari workaround” in the case) allowed Google to gather and subsequently sell certain user data.

The decision of the Court of Appeal was significant since it allowed the case to be brought on behalf of all iPhone users affected by Google’s conduct over the relevant period on an opt-out basis. The Court of Appeal found this to be acceptable since all members of the class had the same “interests” (i.e. they had all suffered the same alleged wrong). This could potentially have broad ramifications in the area of data protection since violations will often impact upon a large number of individuals, rather than being one-off events affecting specific individuals (e.g. where an organisation is sending marketing communications to its entire mailing list unlawfully).

Many commentators have therefore suggested that the decision by the Court of Appeal in Lloyd v Google LLC could result in the floodgates opening for class action claims in relation to data protection violations. To a certain extent, this has already materialised, with a number of data protection class actions currently being fought out in the UK courts. Organisations which have suffered security incidents would appear to be at particular risk, with each of Morrisons, Equifax and British Airways currently litigating class actions in the aftermath of high-profile data breaches.

While the amounts awarded to individuals may be modest, in the event of a class action involving a large number of claimants, the potential total damages could dwarf the fines that could be imposed by the regulator.
