Data Protection Bulletin - March 16 2023
Welcome to the latest edition of our bi-weekly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
In this issue, we will be diving into the latest developments and trends in data privacy, discussing how businesses and organisations can stay compliant with data protection laws, and exploring the consequences of non-compliance. Whether you’re a data privacy professional or simply interested in staying informed, this bulletin is your go-to source for all things data protection.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
Missed our last update? Check out February’s bulletin.
UK Government Sends Updated Data Protection and Digital Information Bill to Parliament
The UK government has published draft legislation known as the Data Protection and Digital Information (No.2) Bill to amend the UK GDPR. The bill aims to reduce compliance paperwork and save businesses and charities up to £4.7bn over the next ten years while strengthening data protection and privacy. The proposed law includes reducing the compliance burden for businesses, increasing fines for nuisance calls and texts, reducing the number of cookie consent pop-ups, and introducing a new framework for optional digital identity verification.
The government believes that the legislation strikes a balance between protecting citizens’ personal data and allowing businesses to operate more efficiently. However, it is important to consider the potential implications on the UK’s EU adequacy status. The EU conducts a review of adequacy with the UK every four years, and the UK’s reform plans have already faced criticism from members of the European Parliament. The next adequacy decision is due on 27 June 2025.
The bill has now passed the first reading and is due for the second reading on a date to be announced soon.
Government and Regulatory Activity
China Releases the Standard Contract for Cross-Border Transfer of Personal Information
On February 22, 2023, the Cyberspace Administration of China (CAC) released the final version of the standard contractual clauses (SCCs) for the cross-border transfer of personal information stipulated under the Personal Information Protection Law (PIPL), together with the Measures for the Standard Contract for Cross-Border Transfer of Personal Information. Both are scheduled to take effect from June 1, 2023.
The SCCs can only be used by organisations that satisfy a number of conditions; organisations that do not qualify must instead undergo a security assessment by the CAC in order to obtain permission to transfer the data.
The new measures clarify that separate consent is only required when the lawful basis for the processing was originally consent. Further, the PIPL SCCs make clear that no substantive changes may be made to them. Personal information controllers and overseas recipients may agree on matters not covered by the PIPL SCCs, provided that the terms agreed separately by the parties do not conflict with the PIPL SCCs.
European Data Protection Board Adopts Three New Guidelines
Following public consultation, the EDPB has adopted three sets of guidelines in their final version:
- Guidelines on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR: The Guidelines clarify the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V. They aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
- Guidelines on certification as a tool for transfers: The main purpose of these guidelines is to provide further clarification on the practical use of the transfer tool.
- Guidelines on deceptive design patterns in social media platform interfaces: The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe on GDPR requirements. The guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR.
ICO Releases New Video Guidance on Privacy By Design
The ICO recently released the recordings from its online conference held on 23 February – ‘Privacy, Seriously’. The released videos have panels of design and product managers from various sectors speaking about how their organisations implement privacy by design.
US Federal Trade Commission Fines BetterHelp $7.8 Million
Online counselling company BetterHelp has been ordered to pay $7.8 million by the Federal Trade Commission for improperly sharing customers’ sensitive data with companies such as Facebook and Snapchat. The FTC alleges that BetterHelp “used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes,” despite promising not to use or disclose their personal health data except for limited purposes during sign-up. The commission alleges that BetterHelp’s actions brought in “tens of thousands of new paying users and millions of dollars in revenue” by instructing Facebook to target similar consumers with advertisements using their email addresses and the fact that they had previously been in therapy.
The proposed order would require BetterHelp to make some changes to how it handles customer data and ban the same behaviour in the future. The $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020 if the FTC’s order goes through.
ICO Issues Decision Notice Against the Met
On the 13th of March, the ICO issued a decision notice stating that the Metropolitan Police Service (MPS) had breached section 10(1) of the Freedom of Information Act by failing to provide a valid response to a request for information within the statutory time period. The complainant had requested information on the number of critical or major incidents declared relating to the Met’s ‘Connect’ software on 12 January 2023. The request was acknowledged on 16 January 2023, but a substantive response was not issued within the 20-day period. Following the complaint to the ICO, the Commissioner reminded the MPS of its responsibilities and asked for a substantive response within ten working days, but the MPS failed to respond.
The decision notice states that the Commissioner requires the MPS to provide a substantive response to the request within 35 calendar days of the decision notice and that failure to comply may result in written certification to the High Court pursuant to section 54 of FOIA, which could lead to a contempt of court case.