Privacy and Data Protection Autumn Snapshot
Monday 21st October 2024
In this edition, we cover:
- the new set of standard contractual clauses due in Q2 2025 following a fine against Uber for not adopting correct transfer mechanisms intra-group;
- the ICO’s decision to issue its first provisional notice to fine a data processor in the UK;
- Google’s backtrack on the end of third-party cookies;
- a complaint filed against a Greek supermarket for failure to comply with the GDPR in operating its loyalty scheme; and
- the latest on ‘Consent or Pay’.
New set of standard contractual clauses due in Q2 2025
The European Commission has announced a fifth set of Standard Contractual Clauses (SCCs) to be released in Q2 2025, catering for transfers to data importers who are directly subject to the GDPR.
In August, the Dutch Data Protection Authority fined Uber for transferring personal data of its drivers between the EU and the US during a two-year period without adequate safeguards (transfer tools) in place to protect the data. Uber maintains that the territorial scope of the GDPR means that the GDPR already applied to its processing activities and therefore the safeguards were not necessary.
This is an unusual fine, and Uber intend to appeal. However, for any organisation transferring personal data to restricted territories within its group, this serves as a reminder to ensure there is an intra-group data processing/sharing agreement in place including appropriate transfer mechanisms which meet the requirements of the UK GDPR. The fifth set of SCCs will be helpful to fill the existing gap in the current European transfer mechanisms.
ICO issues first provisional notice to fine a data processor in the UK
On 7 August, the ICO announced its intention to provisionally fine Advanced Computer Software Group circa £6m, relating to a ransomware attack in 2022 which compromised the data of 82,946 data subjects and included NHS patient data alongside other special category data belonging to its customers.
Whilst we’ve seen many fines throughout Europe concerning data breaches against ‘controllers’, interestingly Advanced are a ‘processor’ under data protection laws. This shows the ICO’s willingness to enforce directly against processors if it sees material non-compliance, although the regulatory burden of data protection compliance still largely rests with controllers.
Google backtracks on end to third-party cookies
In July, Google announced that it had abandoned plans to phase out third-party cookies in Chrome, which was anticipated to take place this year or early next year but had been delayed a number of times. As such, it looks like third-party cookies are here to stay and will not be completely phased out, for now.
Google’s proposed new workaround, which it claims enhances privacy rights, is a solution whereby users will be given a one-time prompt in which they can choose and apply their cookie preferences across all Google platforms. The Competition and Markets Authority has announced that it will be working closely with the Information Commissioner’s Office to consider Google’s new approach.
Read our team’s summary, including how third-party cookies work, here
Complaint filed against Greek supermarket for failure to comply with GDPR
None of Your Business (NOYB), a non-profit organisation, filed a complaint with the Greek Data Protection Authority in August, requesting an investigation into the processing operations of Greek supermarket Alfa Beta (AB) and requesting an order requiring AB to comply with a subject access request (SAR).
The basis of the complaint arose when a member of AB’s loyalty card programme made a SAR, and in responding to the request, AB only provided a list of the data subject’s transactions and contact information. However, AB’s terms and conditions stated that AB processed loyalty scheme members’ ‘buying habits, frequency of visit to stores, home address and the total cost of their purchases’. NOYB also emphasised in its complaint that AB does not provide all of their loyalty card members with details on the savings that a member has made, unless they ‘upgrade’ their membership to a certain level, which they alleged is not compliant with data protection laws as it required paying for personal data they should be entitled to.
Whilst this complaint is in its early stages, it is a useful reminder that data controllers should thoroughly respond to SARs with all data held about an individual (subject to exemptions) regardless of any subscription terms.
Consent or Pay
You may have recently visited a website and noticed that you were instead presented with a full-page pop-up asking you to pay to remove adverts, or to consent to the placement of adverts and read on for free. Most people will click ‘read for free’, but what’s the deal?
When you allow a website to place cookies on your device, this in turn helps them to generate revenue by serving you personalised advertisements. When you reject the placement of non-essential cookies, this generates less revenue for the website as they cannot use your personal data to display personalised adverts. To combat this loss of revenue, some businesses are now asking users to either pay to access the content and have no adverts served to them, or to consent to the use of cookies and subsequently, personalised adverts, and be able to view the content free of charge.
Meta’s attempts at implementing this model were provisionally found unlawful by European regulators earlier this year. The ICO invited views on the model in April, confirming that it will issue guidance on this matter later this year.
On 17 September, we hosted a short Data Protection Compliance Back to Basics Webinar as part of Leeds Digital Festival.
It’s free to watch on-demand here and is suitable for anyone wanting a refresher of key GDPR concepts and principles.
If you have any questions or would like to discuss your business’ privacy and data protection compliance, feel free to contact one of our experts here.