Category: UK

Google launches “Reject All” button on cookie banners

22. April 2022

After being hit with a €150 million fine by France’s data protection agency CNIL earlier in the year for making the process of rejecting cookies unnecessarily confusing and convoluted for users, Google has added a new “Reject All” button to the cookie consent banners that have become ubiquitous on websites in Europe. Users visiting Search and YouTube in Europe while signed out or in incognito mode will soon see an updated cookie dialogue with reject all and accept all buttons.

Previously, users only had two options: “I accept” and “personalize.” While this allowed users to accept all cookies with a single click, they had to navigate through various menus and options if they wanted to reject all cookies. “This update, which began rolling out earlier this month on YouTube, will provide you with equal “Reject All” and “Accept All” buttons on the first screen in your preferred language,” wrote Google product manager Sammit Adhya in a blog post.

According to Google they have kicked off the rollout of the new cookie banner in France and will be extending the change to all Google users in Europe, the U.K., and Switzerland soon.

Google’s plan to include a “Reject All” button on cookie banners after its existing policy violated EU law was also welcomed by Hamburg’s Commissioner for Data Protection and Freedom of Information Thomas Fuchs during a presentation of his 2021 activity report.

But the introduction of the “Reject All” button is likely to be only an interim solution because the US giant already presented far-reaching plans at the end of January to altogether remove Google cookies from third-party providers by 2023.

Instead of cookies, the internet giant wants to rely on in-house tracking technology for the Google Privacy Sandbox project.

UK’s new data protection clauses now in force

31. March 2022

After the British government announced reforms to UK’s data protection system last year, the Secretary of State submitted on February 2nd, 2022, a framework to the Parliament to regulate international data transfers and replace the EU Standard Contractual Clauses (SCC). As no objections were raised and the Parliament approved the documents, they entered into force on March 21st, 2022.

The set of rules consists of the International Data Transfer Agreement (IDTA), the International Data Transfer Addendum to the European Commission’s SCC for international data transfers (Addendum) and a Transitional Provisions document. The transfer rules are issued under Section 119A of the Data Protection Act 2018 and take into account the binding judgement of the European Court of Justice in the case commonly referred to as “Schrems II”.

The documents serve as a new tool for compliance with Art. 46 UK GDPR for data transfers to third countries and broadly mirror the rules of the EU GDPR. The UK government also retained the ability to issue its own adequacy decisions regarding data transfers to other third countries and international organizations.

The transfer rules are of immediate benefit to organizations transferring personal data outside the UK. In addition, the transitional provisions allow organizations to rely on the EU SCC until March 21st, 2024, for contracts entered into up to and including September 21st, 2022. However, this is subject to the condition that the data processing activities remain unchanged and that the clauses ensure adequate safeguards.

ICO releases Guidance on Video Surveillance

7. March 2022

At the end of February 2022, The UK Information Commissioners’ Office (ICO) published a guidance for organizations that capture CCTVs footage in order to provide advice for when they operate video surveillance systems that view or record individuals.

The recommendations aim to focus on best practices for data activities related to “emerging capabilities that can assist human decision making, such as the use of Facial Recognition Technology and machine learning algorithms.” As per the Guidance, surveillance systems specifically include traditional CCTV, Automatic Number Plate Recognition, Body Worn Video, Drones, Facial Recognition Technology, dashcams and smart doorbell cameras.

In their Guidance, the ICO offers checklists with points that controllers can use in order to monitor their use of video surveillance and keep track of their compliance with the applicable law. It further touches on the principles of data protection and how they specifically apply to video surveillance. In addition, it helps companies with the documentation of a Data Processing Impact Assessment.

The Guidance gives in depth advice on video surveillance at the workplace as well as if video feeds should also record audio.

Overall, the Guidance aims to sensibilize controllers regarding the various issues faced with when using video surveillance, and gives them in depth help on what to do to be compliant with the data protection regulations in the UK.

(Update) Processing of COVID-19 immunization data of employees in non-EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. The employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. As LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong-Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable measures to ensure the safety and health of all their employees in the workplace. The vaccination may be considered as part of  COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with infection with the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate the risk. In this case, the employer must comply with the Personal Data Protection Regulation (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and must not be kept longer than is necessary for that purpose. According to the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

Russia: Employers must verify which employees have been vaccinated and record this information if such vaccinations are required by law. If a vaccination is not required by law, the employer may require this information, but employees have the right not to provide it. If the information on vaccinations is provided on a voluntary basis, the employer may keep it in the employee’s file, provided that the employee consents in writing to the processing of the personal data. An employer may impose mandatory vaccination if an employee performs an activity involving a high risk of infection (e.g. employees in educational institutions, organizations working with infected patients, laboratories working with live cultures of pathogens of infectious diseases or with human blood and body fluids, etc.) and a corresponding vaccination is listed in the national calendar of protective vaccinations for epidemic indications. All these cases are listed in the Decree of the Government of the Russian Federation dated July 15, 1999 No 825.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. He must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

In England, mandatory vaccination is in place for staff in care homes, and from April 2022, this will also apply to staff with patient contact in the National Health Service (NHS). Other parts of the UK have not yet introduced such rules.

USA: The Equal Employment Opportunity Commission (EEOC) published a document proposing that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts with a third party to do so, it must demonstrate that the screening questions are “job-related and consistent with business necessity.”

On November 5th, 2021, the U.S. Occupational Safety and Health Administration (OSHA) released a emergency temporary standard (ETS) urging affected employers to take affirmative action on COVID-19 safety, including adopting a policy requiring full COVID-19 vaccination of employees or giving employees the choice of either being vaccinated against COVID-19 or requiring COVID-19 testing and facial coverage. On November 12th, 2021, the court of appeals suspended enforcement of the ETS pending a decision on a permanent injunction. While this suspension is pending, OSHA cannot take any steps to implement or enforce the ETS.

In the US there are a number of different state and federal workplace safety, employment, and privacy laws that provide diverging requirements on processing COVID-19 related information.

ICO opens public consultation on its Regulatory Action Policy

6. January 2022

On December 20th, 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its regulatory approach.

The public consultation is aimed at three separate documents which are the basis of the ICO’s regulatory process. The documents are the Regulatory Action Policy (RAP), the Statutory Guidance on the ICO’s Regulatory Action, and Statutory Guidance on the ICO’s PECR Powers.

The RAP in particular identifies the ICO’s risk-based approach to regulatory action and explains the factors that play a role in the ICO’s consideration before taking regulatory action. It also sets forth how the ICO cooperates with other regulators and enforces the legislation for which it is responsible.

In conjunction, the three documents illustrate how the ICO aims to enforce information rights for data subjects in the UK.

The ICO indicated that the purpose for updating these documents was to provide further explanation about its regulatory powers. It aims to give the public a chance to their views on the approach the Commissioner should take with regards to the regulatory approach of his office.

The public consultation period will conclude on March 24, 2022.

UK Supreme Court opposes billion-dollar privacy class action against Google

15. November 2021

On November 10th, 2021, the UK Supreme Court issued a long-awaited judgment in the Lloyd v Google case and denied the class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users back in 2011 and 2012 to proceed further. The 3 billion GBP lawsuit, which was filed on behalf of 4.4 million residents in England and Wales, had implications for other class-action lawsuits filed in the U.K.

The case was originally filed by Richard Lloyd on behalf of the group “Google You Owe Us.” The group accused Google of bypassing Apple iPhone security by collecting personal information of users on the phone’s Safari web browser between August 2011 and February 2012. A U.K. court dismissed the case in October 2018, but it was later overturned by the UK Court of Appeal.

In a final decision in the case dating from last week, the Supreme Court ruled in favor of Google, deciding that the representative claim against Google under the Data Protection Act 1998 (DPA) should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following points:

  • the statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data and
  • the representative claim by Lloyd on behalf of the 4.4 million affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage because of that violation.

“The claimants seeks damages,” Judge George Leggatt stated the decision, “for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach.” Judge Leggatt also said, “Without proof of these matters, a claim for damages cannot succeed.”

The decision will be welcomed by controllers, as it limits the prospects of representative claims of the nature of that advanced by Lloyd and further provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects do not represent sufficient ground for compensation.

Processing of COVID-19 immunization data of employees in non-EEA countries

27. October 2021

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, if an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data.

The following discusses whether employers in various non-EEA countries are permitted to process COVID-19-related information about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. This is because the employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. Because LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong-Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable steps to ensure the safety and health of all their employees in the workplace. The vaccine may be considered as part of COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with contracting the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate risk. If the employer does so, it must comply with the Personal Data Privacy Ordinance (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and must not be kept longer than is necessary for that purpose. Under the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. He must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

USA: The Equal Employment Opportunity Commission (EEOC) published a document in which it suggests that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts a third party to do so, the employer must demonstrate that the screening questions are “job-related and consistent with business necessity.”

UK Ministry of Defence Data Breaches put more than 300 Afghans in Danger

23. September 2021

On Monday, 20 September 2021 the UK Ministry of Defence launched an investigation into a recent data breach. The breach has affected more than 250 Afghan interpreters who have cooperated with Western forces in Afghanistan and who have applied for relocation to the UK. The Ministry sent an e-mail to these Afghan individuals who are still in Afghanistan and are reportedly eligible for relocation. The e-mail included all e-mail addresses, names, and some associated profile pictures in copy (“cc”) instead of blind copy (“bcc”), thus exposing the personal information to all recipients. It was reported that some Afghans have sent reply e-mails to all recipients in the mailing list, even sharing details about their current personal situation.

The following Tuesday, Britain’s Defence Minister Ben Wallace apologised for the data breach publicly in Parliament. He explained that he is aware of the compromise of safety of the Afghan interpreters and has suspended an official as a result of the breach. Upon discovery, the Ministry sent out another e-mail advising the affected individuals to delete the previous e-mail and to change their e-mail addresses. Additionally, the Ministry of Defence will offer extra support to those affected by the incident. The Minister also stated that correspondence processes have already been changed.

In the meantime, a second data breach by the Ministry of Defence was uncovered on Wednesday. This time, an e-mail was sent to 55 people requesting them to update their details after the UK officials were unable to contact them. At least one of the recipients is a member of the Afghan National Army. Again, the e-mail was sent with all recipients in “cc” and not in “bcc”.

Military experts and politicians have criticised the Ministry for the data breaches which unnecessarily endanger the safety of Afghans, many of whom are hiding from the Taliban. The investigation into data handling by the “Afghan Relocation and Assistance Policy” team within the Ministry of Defence is still ongoing, a spokesperson of the Ministry has said.

UK intents to deliver own Adequacy Decisions for Data Transfers to Third Countries

30. August 2021

On August 26, 2021, the UK Department of Culture, Media and Sport (DCMS) published a document in which it indicated the intent to begin making adequacy decisions for UK data transfers to third countries.

As the UK has left the EU, it has the power under Chapter V of the UK General Data Protection Regulation (UK GDPR) to independently assess the standard of data protection in other jurisdictions, and recognize certain jurisdictions as adequate for the purpose of foreign UK data transfers. This was announced by the DCMS in a Mission Statement including reference to international data transfers, “International data transfers: building trust, delivering growth and firing up innovation“.

“In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity,” writes the UK Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden and Minister for Media and Data John Whittingdale.

The UK has developed and implemented policies and processes for reaching adequacy agreements with its partners. So far it has identified 10 countries as “priority destinations” for these deals. The countries include Australia, Brazil, Columbia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and the USA.

The adequacy of a third country will be determined on the basis of whether the level of protection under the UK GDPR is undermined when UK data is transferred to the respective third country, which requires an assessment of the importing jurisdiction’s data protection laws as well as their implementation, enforcement and supervision. Particularly important for the consideration will be the third country’s respect for rule of law and the fundamental human rights and freedoms.

The Mission Statement specifies four phases in assessing the adequacy of a jurisdiction. In the first phase, the UK Adequacy Assessment team will evaluate if an adequacy assessment will take place. The second phase involves an analysis of the third country’s level of data protection laws, the result of which will influence the third phase, in which the UK Adequacy Assessment team will make a recommendation to the UK Secretary of State. In the fourth and last phase, the relevant regulations will be presented to Parliament to give legal effect to the Secretary of State’s determination.

Adequacy decisions are planned to be reviewed at least once every four years, and may be subject to judicial review.

Case dismissed by UK High Court after DSG data breach

20. August 2021

On 30 July 2021, in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the UK High Court handed down a judgment that the claimant could not (for the time being) recover damages for data protection breaches.

The litigation was based on the following case: In 2018, DSG Retail Limited (“DSG”) was the victim of a cyber-attack. Hackers had gained access to DSG’s systems and installed malware. DSG was fined £500,000 (EUR 530,000) by the UK Data Protection Authority for failing to take adequate technical and organisational security measures. The company is accused of breaching the seventh data protection principle (“DPP7”) of the Data Protection Act 1998 (“DPA”). This fine has been appealed and is currently under legal review.

This cyber attack also affected the data of the plaintiff Darren Lee Warren.

He based the lawsuit on the theories of breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the Data Protection Agreement (DPA) and common law negligence. The data breach affected data such as name, address, phone number, date of birth and email address.

Warren, however, failed to convince the court with any of his arguments. DSG successfully defended itself against the claim by arguing that it had not itself committed an active unlawful act, but that the breach was caused by an external attack. It also argued that negligence claims were not possible if breaches of the DPA were alleged at the same time. In addition, the DSG argued that a negligence claim required the assertion of compensable damages. Warren was not able to assert such damages.

However, the question of whether a claim for breach of DPP7 could be affirmed was stayed pending a final decision on DSG’s appeal of the ICO fine. Nevertheless, the claim was dismissed on all other points.

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8