Test and trace: collecting personal data about customers
Much has been made in the press recently of the additional burdens which Government guidance has placed on businesses, particularly in the leisure and hospitality sectors, in terms of the personal data which they will have to collect about their customers and guests as they begin to ease out of lockdown.
For more information on this topic, please refer to the following article:
Test and Trace: collecting personal data about customers
Schrems II/Facebook Ireland: implications for personal data transfers out of the EEA
The big data protection story of the summer was the European Court (CJEU) judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. In a reprise of the CJEU decision a number of years ago in Chapter I of the saga, which resulted in the demise of the US Safe Harbor Regime, the CJEU found that the EU-US Privacy Shield, which replaced the US Safe Harbor regime, could no longer be relied on either for safely transferring personal data from the EU to the US, in part, again, because it did not prevent US surveillance authorities from accessing such data.
The CJEU also examined the use of standard contractual clauses as a valid mechanism for transferring personal data from the EEA, and following much of the Advocate General's opinion from late 2019, found that such clauses were still valid for use by organisations to transfer data to non-whitelisted countries outside the EEA. However, there were important caveats, which are explained in more detail in our full briefing, together with the implications of the judgment for EU-UK data flows in light of Brexit and once the transition period ends.
We are awaiting further guidance from the European Data Protection Board on additional measures which organisations can take to supplement the standard contractual clauses, where appropriate, and ensure the safety of personal data in those countries whose data protection regimes are lacking in comparison to the regime in the EEA.
The European Commission has also announced plans for a new set of standard contractual clauses by the end of the year to address the points raised by the CJEU in Schrems II, along with a number of transfer scenarios which the current set of standard contractual clauses do not cover. Talks are also ongoing between the European Commission and the US to address the concerns raised with the EU-US Privacy Shield.
WM Morrisons Supermarkets v various claimants: data controllers take heed
In April, the Supreme Court finally exonerated Morrisons in the class action lawsuit brought by its own staff in respect of the leak of their personal data. A former employee, in a revenge attack, leaked the personal data of Morrisons staff online, using a USB stick to which he had transferred personal data from a work laptop.
The High Court originally found Morrisons vicariously liable for breach of the Data Protection Act 1998, breach of confidence and misuse of private information. The Supreme Court ultimately decided that Morrisons should be relieved of vicarious liability, as the embittered employee had effectively gone off on a frolic of his own.
However, the Supreme Court judgment made clear that the Data Protection Act did not as a general rule exclude vicarious liability. Therefore, an employer could, where an employee was acting in their capacity as a separate data controller (as in this case), have been liable for the acts of the employee in breaching its obligations as a data controller under data protection law.
The Morrisons case is a timely reminder of the importance of enforcing cybersecurity procedures (all the more important currently given the cybersecurity risks presented by employees working remotely). Even though Morrisons was exonerated, this was at a cost of significant time and resources in defending the claim. For further details please see our briefing.
The ICO is shortly expected to announce the final penalties levied against Marriott International and BA in respect of data breaches committed soon after the implementation of GDPR in May 2018. Since the ICO announcement, last summer, of plans to fine them £99m and £183m respectively, the companies have been busy making representations to the ICO. The impact of COVID on the travel and leisure sectors may influence the ICO's final decision.
Marriott is now the subject of a class action in respect of the same data breach, brought by a journalist on behalf of individuals whose personal data was exposed as a result of the breach, reflecting the new rights under GDPR and the Data Protection Act 2018 for individuals to mandate organisations to bring claims on their behalf. Similar action was taken against BA last autumn.
The Marriott class action is on an "opt-out" basis, meaning that the claim is brought on behalf of every member of the potential class of claimant unless they opt out (as opposed to claimants having to actively opt in). The opt-out basis increases the pool of claims exponentially, thereby increasing the downside litigation risk for the defendant.
Age Appropriate Design Code (and other ICO guidance)
The Age Appropriate Design Code came into force on 2 September and applies to online services (such as apps, websites, search engines, streaming services, and connected devices and toys), which are accessed by or likely to be accessed by children (defined as anyone under the age of 18), potentially a very wide remit.
The code essentially requires relevant providers (based on the target age range and whether the service is directed at children, or likely to be accessed by children) to ensure that their services are designed with the best interests of the child in mind. This will apply to the use of personal data and privacy settings, following 15 standards linked to GDPR core concepts such as privacy by design and default, transparency and accountability. The ICO has provided comprehensive guidance on the code, which can be found here. Organisations which are within scope have 12 months from 2 September 2020 to ensure compliance.
Other guidance released by the ICO in recent months includes:
- a framework for best practice in data protection compliance in designing an AI system or implementing a third party AI system, to ensure that personal data is processed fairly; and
- an accountability framework, aimed at helping organisations to assess their level of compliance with GDPR.