10 September 2021

Data Blast: Information Commissioner issues call to action on cookie pop-ups; Table service apps called out for excessive data collection and more…

Information Commissioner issues call to action on cookie pop-ups; Table service apps called out for excessive data collection; WhatsApp hit with €225 million fine for GDPR breaches; China adopts its first comprehensive data protection law; ICO approves three UK GDPR certification schemes for service providers.

UK Information calls on G7 partners to tackle ubiquitous cookie consent ‘pop ups’

The Information Commissioner, Elizabeth Denham, issued a call ahead of a meeting with her G7 counterparts for a new approach to user consent for the use of cookies online. The Information Commissioner echoed recent frustrations expressed by Oliver Dowden, Secretary of State for the Department of Culture, Media and Sport, that the present approach to cookie consent is unsustainable and is viewed as a significant nuisance by most internet users. The Information Commissioner will argue for the adoption of a new approach based on ‘web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website.’

There is currently a move away from the use of third party cookies for tracking users across the web and across devices, and Apple controversially introduced a default ‘opt out’ setting for targeted advertising on its iOS devices (which we reported on here). Whilst many will be encouraged by the Information Commissioner’s proposal to put an end to cookie consent pop-ups, a change of approach to favour the user of browser or device settings to regulate user consent, is likely to meet resistance from others in the ad tech industry who remain reliant on the use of cookies for targeted advertising.

The rules governing the use of cookies derive primarily from the Privacy and Electronic Communications Regulations 2003. The Information Commissioner’s past recognition that significant compliance gaps exist online – in particular in the real-time bidding system which is central to online targeted advertising – has resulted in little regulatory enforcement against those breaching the cookie rules.

ICO urges consumers to be alert to how table service apps are collecting and using personal data

Restaurant and pub table service ordering apps have become commonplace since the start of the Covid-19 pandemic. Due to their popularity, following the lifting of Covid-19 restrictions, many venues have continued to offer the option to place table orders via apps.

Privacy groups and the ICO have expressed concern that some apps are collecting far more personal data than is required. For example, a study by consumer group Uswitch has identified that many ordering apps are collecting a wide array of personal data, including device information, social media profiles and insights, location data, and even marital status.

The ICO has warned that businesses and apps should only require the minimum amount of data to fulfil the purposes of an ordering app. Suzanne Gordon, Director of Data Protection Complaints and Compliance at the ICO, cautioned: ‘If businesses are asking for data, they need to understand why they are asking for it and they need to make sure it is relevant and necessary.’

The ICO urged consumers to be aware of what personal data they are sharing, and to check the privacy notice of the ordering app to find out how their data is to be used and shared with other organisations there.

WhatsApp fined €225 million by Irish regulator

The Irish Data Protection Commission (DPC) has imposed a fine of €225m on WhatsApp Ireland Limited for breaches of the GDPR; the second largest GDPR penalty following the recent €746m fine against Amazon (which we covered here). In particular, the DPC found that WhatsApp, which is owned by Facebook, had not fulfilled transparency obligations both to users and non-users of its services. ‘Non-users’ are those individuals whose phone numbers may be uploaded to WhatsApp if a user of the service agrees to provide the app with access to their contact list, which contains the personal data of other individuals who do not use WhatsApp.

In addition to the fine, the DPC ordered WhatsApp to bring its processing into compliance by taking a range of specified remedial actions to improve the level of transparency it offers to users and non-users.

The DPC concluded that WhatsApp was in breach of Article 14 of the GDPR, which requires notice to individuals about data processing where their personal data has been obtained indirectly. This was the case for non-users of WhatsApp whose details were obtained from the contact lists of users. The DPC confirmed that WhatsApp was required to provide transparency to non-users about how their data may be processed, and that this applied even if WhatsApp sought to rely on an exception under Article 14 for instances where notifying individuals directly would require a ‘disproportionate effort.’ The DPC concluded that even if the Article 14 exception could be relied upon, WhatsApp had a duty to provide information to non-users, for example in its public facing privacy notice.

The DPC’s investigation, and subsequent fine, was limited in scope to the WhatsApp’s transparency obligations. The DPC’s investigations in relation to wider complaints concerning data mining and the legal basis for processing personal data are ongoing. The Irish DPC’s summary and announcement can be read here.

China passes new personal data protection law

China has enacted a comprehensive new data protection law, the Personal Information Protection (PIPL) to be implemented on November 1st 2021, less than a year after the first draft of the law was published. The new law closely resembles the EU’s GDPR, making it one of the most robust data protection laws in the world.

The PIPL will govern processing activities carried out by companies or individuals within China. Similar to the GDPR, the law will also have extra-territorial effect, as it will apply to certain processing activities conducted outside China concerning individuals located in China.

The PIPL sets out various data protection principles, including transparency, fairness, purpose limitation, data minimisation, data retention, accountability and data accuracy. The declared aims of the PIPL are:

  • To protect the rights and interests of individuals;
  • To regulate processing activities;
  • To safeguard the lawful and ‘orderly flow’ of personal information; and
  • To facilitate the reasonable use of personal information.

The new law states that there must be a clear and reasonable purpose for processing personal information and a legal basis for doing so. In addition to consent (which must be informed and freely given), the other legal bases are: (i) when necessary to enter into or perform a contract to which the individual is a party; (ii) to perform legal responsibilities or obligations; (iii) to respond to emergencies including a public health emergency; (iv) for reasonable news reporting and media monitoring; and (v) for processing personal information already disclosed or otherwise lawfully obtained. It is noteworthy that legitimate interests is not a legal basis, in contrast to the GDPR.

Personal information rights under the PIPL are similar to those provided by the GDPR, although processors are only required to respond in a ‘timely’ manner to requests with no strictly prescribed time for a response (e.g. one month under the GDPR). Fines for breaches of the PIPL can reach up to 50 million RMB (roughly £5.6 million), or 5% of annual turnover.

The PIPL sits alongside existing data focussed laws; the Data Security Law and the Cybersecurity Law.

ICO approves the first UK GDPR certification schemes

The UK Information Commissioner’s Office (ICO) has approved the criteria for the first three UK GDPR certification schemes. Certification is a provision under Article 42 of the UK GDPR and enables organisations to demonstrate appropriate technical and organisational measures, and compliance with the UK GDPR by meeting the standards set out in the relevant certification scheme, in accordance with the accountability principle.

Although applying for certification is voluntary, to obtain certification controllers and processors must make binding and enforceable commitments to the approved certification bodies.

The ICO has approved the criteria for three certification schemes; two of these relate to online services directed at children, and one relates to the data retention and data security principles, covering data deletion services:

  • Age Check Certification Scheme (ACCS): This scheme provides data protection criteria for those organisations operating products that estimate or verify a person’s age so that they can purchase or access age-restricted products or services (age assurance products).
  • Age Appropriate Design Certification Scheme (AADCS): This scheme provides criteria for the age appropriate design of information society services and is based on the ICO’s Age Appropriate Design Code (also known as the Children’s Code).
  • ADISA ICT Assay Recovery: This is a standard for the providers of data sanitisation services, and provides criteria to ensure that personal data is permanently removed from IT hardware, such as computer hard drives or photocopiers so that they can either be securely disposed of or reused.

The ICO has stated that it is keen to advise organisations interested in developing further certification schemes, and it has published guidance on how to apply for UK GDPR certification.

The ICO announcement is here, and its guidance on the certification schemes can be found here.

For more information please contact Partner, James Tumbridge at