Data Download webinar on Tuesday 26 May

Join our Data Management Team on Tuesday 26 May at Midday to hear what they have seen since the GDPR came into force on 25 May 2018. They will share their frank views on practice from experience and what could be on the horizon for data protection practice.

A must attend event for anyone with an interest in data protection in their business. Sign up here with Zoom.

Latest ICO updates

The ICO has published guidance for employers on workplace testing for coronavirus, with some sectors returning to work. If you would like advice or an action plan creating from a data protection perspective, please get in touch. 

The ICO are also reviewing the Data Protection Impact Assessment (DPIA's) for the NHSX's trial of its contact tracing app in the Isle of Wight and will provide feedback as soon as possible. DPIAs are used by organisations to identify, address and minimise data protection risks of potential projects. 

ECJ to deliver judgment in Schrems II case on 16 July 2020

The European Court of Justice (ECJ) has announced that it will deliver its judgment in the Schrems II case on 16 July 2020. 

The judgment will determine the validity of model clauses (officially known as standard contractual clauses (SCCs)) as a mechanism for transferring personal data from the EEA to third countries under the GDPR. It is anticipated that further insight will also be given on the validity of the US Privacy Shield regime.

In December 2019, the CJEU's Advocate General released its non-binding opinion, stating that SCCs remain a valid way in which to transfer personal data outside of the EEA. Although the Advocate General's opinion is followed by the CJEU in almost all cases, there is no requirement for the CJEU to do so.  

EDPB guidance states cookie walls do not constitute valid consent

Under new consent guidance adopted by the European Data Protection Board (EDPB), it has been confirmed that cookie walls will not constitute valid consent, as access to the website (and the provision of services) is dependent on accepting the cookies and therefore not freely given. Further, scrolling or swiping through a website will not constitute valid consent. Under this guidance, implied consent to cookies will not meet the unambiguous and affirmative indication requirement of GDPR consent.  

In this guidance, the EDPB has retained the majority of the previous consent guidance issued by the Article 29 Working Party, notably updating the case study example 16 on scrolling and consent. 

Dutch Data Protection Authority to investigate TikTok's use of children's personal data

The Dutch Data Protection Authority (DPA) is investigating social media app TikTok and how it handles the data of its young users. 

The DPA will examine whether the app adequately protects the privacy of Dutch children and whether parental consent is required for the collection, storage and use of children's personal data. 

Preliminary results of the DPA's investigation are expected later in the year.

Key contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile
Dr. Nathalie Moreno

Dr. Nathalie Moreno

Partner, Commercial Services
London

View profile
Beatrice Duke

Beatrice Duke

Managing Associate, Commercial
Leeds

View profile