8 March 2023

Data Blast: UK announces Data Reform Bill, new EU monitoring, German conflict lesson for DPOs, Belgium Necessity lesson, Irish lesson for Police, and Italian marketing fine

UK Government unveils Data Reform bill

The Data Protection and Digital Information Bill was introduced to Parliament on March 8th. The Government describes it as a new, common-sense-led UK version of the EU’s GDPR intended to reduce costs and burdens for British businesses and charities, to remove barriers to international trade, and to cut the number of repetitive data-collection pop-ups online.

The Data Protection and Digital Information Bill is said to be a co-design with business leaders and data experts. Data-driven trade generated 85 per cent of the UK’s total service exports and contributed an estimated £259 billion for the economy in 2021, and the Government claims this bill will:

  • Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws;
  • Ensure the UK maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards;
  • Reduce the amount of administration organisations need to complete to demonstrate compliance;
  • Support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation;
  • Provide organisations with greater confidence about when they can process personal data without consent;
  • Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.

We shall continue to monitor developments and report them in our blasts.

The European Commission commits to new monitoring regime across the EU

Following a complaint lodged with the EU Ombudsman against the European Commission by the Irish Council for Civil Liberties (ICCL), the European Commission has now committed to examining every large-scale GDPR case, everywhere in Europe, six times per year. The ICCL’s action began in September 2021, when the organisation alerted the European Commission to an EU-wide ‘data deficit’; this has led to the Commission’s announcement that it will measure how long each procedural step in a case is taking and what the relevant data protection authorities are doing to progress the case. The Commission will request all national supervisory data protection authorities to share with it, on a bi-monthly and strictly confidential basis, an overview of large-scale cross-border investigations under the GDPR. It will also, in its second report on the application of the GDPR, give an account of its practice of receiving this information from the national supervisory data protection authorities, indicating the specific kinds of data received.

German DPO and Conflict of Interest

A former employee of X-Fab Dresden, a semiconductor foundry company, who had also performed the role of ‘chair of the works council’ within the same organisation, was dismissed from the role of DPO in December 2017. He sought a declaration from the Federal Labour Court of Germany that he retained the position of DPO, with its duties as described under the GDPR once it came into force in 2018. X-Fab argued that the former DPO’s dismissal was justified by ‘a risk of a conflict of interests’ in performing both functions, ‘on the ground that those two posts are incompatible.’

The CJEU ruled, following a request for a preliminary ruling made by the German court, that: “the GDPR does not establish that there is a fundamental incompatibility between, on the one hand, the performance of DPO’s duties and, on the other hand, the performance of other duties within the controller or processor.”

We now know that whether such a conflict of interest exists is for national courts to decide, on a case-by-case basis, taking into account all the circumstances of the case.

A lesson on ‘Necessity’ from Belgium

A Belgian public authority announced on its intranet the termination of an employee’s contract, adding, however, that the termination was ‘with immediate effect.’ The statement also clarified that the termination was at the initiative of the employer. The affected employee made a formal complaint to the Belgian DPA (APD). The APD found that, while communicating the termination of an employee’s employment was legitimate as necessary under Article 6(1)(b) GDPR (performance of a contract), the second part of the message sent by the public authority hinted at the reasons that had led to the dismissal, namely probable serious misconduct by the former employee. This was unacceptable and not necessary to fulfil a public interest need. Consequently, the controller was ordered to withdraw the mention of the termination from the intranet.

Ireland concern on sensitive data in Police’s hands ending up on Social Media

A branch of the Irish national police service, An Garda Síochána, was reprimanded by the Irish Data Protection Commission (DPC) following a leak on social media of sensitive data related to ongoing investigations. The cause was a contractor undertaking repair works at one of the Irish police stations who saw a list of ongoing investigations on a bulletin board and then shared it on social media. The Irish DPC found An Garda Síochána in breach of the GDPR’s principle of integrity and confidentiality, in that it had failed to implement a level of security appropriate to the harm that might result from the information being accessed by someone who was not working for the police and had no need to access the personal data. The problem was compounded because there were no specific policies and procedures in place for data breaches; further, the data in question concerned ongoing investigations and included the data of vulnerable subjects. As part of the remedial actions, An Garda Síochána was reprimanded and ordered to bring its processing procedures and safeguards up to the standard required by the GDPR.

Marketing Campaigns: Italian Energy provider Edison fined €4,900,000.

In Italy, multiple GDPR violations led to the Italian energy provider Edison Energia being fined €4,900,000 (approximately £4,300,000).

The Italian data protection authority (GPDP) investigated following various complaints from users, including: receiving telephone calls without consent; failure to respond to requests to stop receiving unwanted calls; lack of proven free and specific consent for different purposes (promotional, profiling, communication of data to third parties); and the provision of inaccurate information.

The investigation found that Edison was working with another company which provided it with a contact list; the provenance of this data was de facto unclear, and its use without consent was not acceptable. The GPDP found that this constituted a violation, since the controller should have obtained new consent before using the list for promotional activities. Further, the consent sought by Edison when a data subject registers via its website was not specific enough, as it allowed processing for different purposes, namely marketing and profiling by Edison and by a third party that might receive the personal data. The GPDP noted that the controller had also not checked whether the third party from which it received its calling list was GDPR compliant. The Italian authority further found that the controller did not provide an easy way to object to the marketing campaign and took too long to act on objections. Consequently, Edison has been prohibited from any further processing for promotional purposes using contact lists prepared by other companies that have not acquired free, specific, informed and documented consent to the communication of user data.