2019 saw the first of the much-anticipated big GDPR fines, with the Information Commissioner's Office (the ICO) announcing, last summer, its intention to fine BA a colossal £183m (equivalent to 1.5% of its annual global turnover) and Marriott £99m in respect of data breaches that took place in the previous year.
Both organisations will have had a period of six months in which to make submissions with regard to matters such as the level of the fine and the degree of their responsibility for the breach. Further news on where the ICO finally lands is expected soon.
We also expect that 2020 will continue to see a steady rise in class actions coming out of data breaches, following news last year that the courts had given permission for class actions against Google and BA in respect of breach of data protection laws.
WM Morrisons Supermarkets v various claimants
We are expecting the Supreme Court judgment in the case of WM Morrisons v various claimants shortly. To recap, in 2018, the Court of Appeal found that Morrisons was vicariously liable for the acts of a vengeful employee who brought about a data breach by posting online the personal data of almost 100,000 Morrisons employees (who then launched an action against their employer). Morrisons appealed that decision to the Supreme Court in early November 2019, and we now await the judgment of the court.
Whilst the issue is essentially one of vicarious liability, there are implications for those responsible for data protection compliance if the Supreme Court agrees with the Court of Appeal's conclusions. They will need to make sure that their policies and procedures for keeping personal data secure and controlling internal access are as tight as possible, given the sanctions which are now available under GDPR for data breaches.
Schrems/Facebook round 2
The saga of Max Schrems' quest against Facebook continues. His initial successful swipe, a number of years ago, resulted in the dismantling of the safe harbour regime as a safeguarding mechanism for transferring personal data from the EEA to the US, and its replacement by the current EU/US Privacy Shield.
The latest round of proceedings has resulted in a number of questions being put before the CJEU, including the validity of the current version of the European Commission's approved standard contractual clauses as a safeguarding mechanism for transferring personal data out of the EEA to the US (and to other countries which are not the subject of an EU adequacy decision).
The Advocate General (AG) released his opinion just before Christmas as an early gift to the many businesses which rely on standard contractual clauses to transfer their personal data outside the EEA. The opinion confirmed that such standard clauses remain a valid safeguarding transfer mechanism, but with a warning that they create obligations to maintain the safety of transferred data – not just to ensure that the data importer puts appropriate measures in place, but to consider the wider context and the privacy and other applicable laws of the destination country, and how this will impact on the data which is transferred.
The AG's opinion is non-binding (though it is often an early indication of where the CJEU will come down), and we therefore await the CJEU's eventual decision, expected soon, with interest.
New ePrivacy regulation - what has happened to it?
2020 had been hotly tipped to be the year in which we would finally see agreement of the much-heralded new version of the EU's Regulation on Privacy and Electronic Communications. However, a stalemate has resulted in the recent announcement that Member States have decided to go back to the drawing board and attempt to come up with a new proposal.
So, it looks like the current legislation, including rules on obtaining opt-in style consent for all but strictly necessary website cookies, is here to stay for at least a little while longer. It is highly unlikely that the new regulation will be in place before the UK leaves the EU, though it will still affect those businesses which market to EU citizens.
Both the European Data Protection Board (EDPB) and the ICO were busy issuing practical guidance on a variety of issues in 2019, including GDPR's extra-territorial scope (in the case of the EDPB), and, currently at consultation stage, the ICO's draft guidance on data access rights under GDPR.
It is also worth looking out for the ICO's accountability toolkit, the consultation for which closed in December 2019, and guidance on the use of AI and the steps which organisations should consider when developing AI decision-making systems.
General Election/Brexit fallout
As far as we know, post-Brexit plans for data protection haven't changed: under the EU Withdrawal Act, GDPR will become part of English law, anglicised where necessary to ensure that it operates effectively.
Data transfers to the EU can continue without the need for additional measures to be put in place, but from the end of December 2020, unless there is an extension to the transition period, personal data moving from the EEA to the UK will need to be transferred using a GDPR safeguarding mechanism such as standard contractual clauses. It is hoped that if/when the EU grants an adequacy decision, this additional hoop will fall away, but such a decision is by no means guaranteed. Much will depend on wider negotiations on a trade deal, and, for example, on how relations with the US develop under the new Government, particularly with US tech companies who may be looking forward to greater access to UK personal data.
California Consumer Privacy Act
And finally, a quick reminder that 1 January 2020 marked the effective date of the much talked-about CCPA, which is relevant to businesses which collect or store personal information about Californian residents and meet certain size threshold tests (those which have annual gross revenues over $25 million, buy or deal with the personal information of 50,000+ consumers, households or devices, or derive 50% or more of annual revenues from selling consumers' personal information).
Briefly, the CCPA imposes transparency obligations on such businesses, and creates enhanced rights for those Californian residents who benefit from it in relation to their data, including the right to refuse the sale of their information by a business.