Welcome to the October Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news on data breaches and industry developments.

UK draft Data Protection Bill

The draft Data Protection Bill ('Bill') has had its first and second readings in the House of Lords as part of the legislative process.

The Bill sets out the UK's derogations to the General Data Protection Regulation ('GDPR') as well as supplementing the GDPR with rules relating to the processing of personal data in the areas of law enforcement and national security. The Bill aims to ensure adequate and consistent data protection standards in the UK with Europe after Brexit. This is important to the UK in seeking an adequacy decision to facilitate cross-border transfers with Europe after the UK is no longer part of the EU.

The Bill includes new criminal offences such as altering, destroying or concealing information to be provided in a subject access request, and re-identifying de-identified personal data. It also lowers the age of consent for children on the processing of their personal data by information society services to 13.

The House of Lords at the second reading, whilst recognising the importance of updating the existing data protection laws, raised a number of concerns. These include concerns that after the UK is no longer part of the EU it will still struggle to obtain an adequacy decision as the Bill is not fully consistent with the GDPR and the EU may continue to update its policies on data protection without the UK's input. The Lords also expressed concerns that the age of consent for children should be higher.

The Bill is now due to move on to the Committee Stage within the House of Lords.

Click here to read the current text of the Bill.  

Click here (part 1) and here (part 2) to read the official record of the second reading of the Bill.

AEPD fines Facebook for processing sensitive personal data without consent

Facebook was fined €1.2 million by the Spanish Data Protection Agency ('AEPD') for a number of infringements of the Spanish Data Protection Act.

The AEPD investigated Facebook to confirm whether it was complying with Spanish data protection law. It found that Facebook breached domestic law by failing to obtain users' express consent to process sensitive data for advertising purposes and for collecting data without properly informing users how it would be used.

Facebook had been profiling users based on sensitive personal data such as religious and political beliefs, and then offering advertising based on those beliefs. Facebook, however, had not obtained express consent to use the data for those purposes; instead, it had simply provided generic examples of the data it collected and for what purposes.

The AEPD also criticised Facebook for collecting the data of users when browsing third-party sites without making this clear, for allowing users aged 13 to register with Facebook without obtaining the parent or guardian's consent, and for retaining data longer than required for its original purpose.

The fine is one of a number that Facebook has received from European Data Supervisory Authorities this year.

Click here to read the AEPD's press release.

Irish High Court refers validity of model contract clauses to ECJ

The Irish High Court has decided to refer questions relating to the validity of the standard contractual clauses to the Court of Justice of the European Union ('ECJ'). Standard contractual clauses, more commonly known as model contract clauses, are clauses approved by the European Commission for companies to use for the transfer of personal data to countries outside of the EEA.

This follows a complaint to the Irish Data Protection Commissioner ('DPC') about Facebook's transfers of personal data from Ireland to the United States of America. The individual argued that the model clauses Facebook uses to allow for the transfer of personal data do not provide adequate protection for personal data. If these clauses are held not to be valid, Facebook would not be permitted to transfer data between the EU and the United States of America without putting in place alternative permitted safeguards under current data protection legislation.

The DPC has sought a referral to the ECJ from the Irish High Court for a preliminary ruling to determine the legal status of such data transfers. The Irish High Court shared the DPC's concerns, stating that there is an absence of an effective remedy under law in the United States of America for an EU citizen whose data is transferred to the United States of America and that an individual's data may be at risk of being accessed by federal agencies.

The questions to be referred for preliminary ruling will be formulated after further submissions (the date for submissions is yet to be set). In the meantime, the DPC acknowledged that the referral does not invalidate or prohibit the future use of model clauses.  

Click here to read the Irish High Court's judgment.

Former council worker fined for unlawfully obtaining personal data

An ex-employee of Leicester City Council ('Council') has been prosecuted by Nuneaton Magistrates' Court for taking details of users of Leicester City Council's Adult Social Care Department without the consent of the Council.

The Council discovered that shortly before leaving their employment, the individual had emailed a private account 34 times with the personal information of 349 individuals. The information included sensitive personal data such as medical conditions and care needs.

The employee had left the Council's employment before it could take disciplinary action, but the Council referred the matter to the Information Commissioner's Office ('ICO').

He was fined £160 by the Court, ordered to pay £364.08 prosecution costs and a £20 victim surcharge, after pleading guilty to the offence of unlawfully obtaining personal data without the consent of the data controller.

Click here to read the ICO's news update regarding the prosecution.
