Included in this edition of data & privacy news: Join our Data Disputes Webinar on Tuesday 20 October; H&M fined for storing employee data in breach of GDPR and more...

Data Disputes: The Field of Play webinar on Tuesday 20 October 

Join our Data Management Team on Tuesday 20 October at Midday as they discuss recent data disputes. Sign up here. 

CJEU hands down preliminary ruling that could be significant for UK Adequacy post-Brexit

A finding of Adequacy for the UK post-Brexit has been further brought into question by a recent ruling of the Court of Justice of the European Union (CJEU).

The CJEU has stated in a Preliminary Ruling that laws providing for the general and indiscriminate interception of communications for national security reasons are incompatible with the Privacy and Electronic Communications Directive.

The question came from the UK's Investigatory Powers Tribunal and reference is made throughout to the UK government's powers under s.94 of the Telecommunications Act 1984.

A key quote from the ruling is as follows: "the transmission of traffic data and location data to persons other than users, such as security and intelligence agencies, derogates from the principle of confidentiality. Where that operation is carried out, as in the present case, in a general and indiscriminate way, it has the effect of making the exception to the obligation of principle to ensure the confidentiality of data the rule, whereas the system established by Directive 2002/58 requires that that exception remain an exception".

H&M fined €35 million for storing employee data in breach of GDPR

The German data protection watchdog has fined H&M €35m (£32.1m), the second largest fine under GDPR rules, for the illegal surveillance of several hundred employees.

The company kept "excessive" records of its workforce, including details of their families, religions and illnesses. To obtain the personal details, staff surveys were carried out and some managers probed for further information during informal chats with employees. 

H&M has accepted full responsibility and is planning to compensate employees.

France's data privacy watchdog boosts cookie consent rights

CNIL, France’s data privacy watchdog, has recommended to companies operating websites in the country, that they should keep a register of Internet users' refusal to accept cookies for at least six months, a timeframe that goes beyond the European-wide data privacy rules.

Data protection lawyers have said that this would cause some companies that exploit the targeting tools for advertising to go out of business. 

Under the CNIL guidance, Internet users have the right to withdraw their consent on cookies at any time, can refuse trackers when they enter a website and should be able to reconsider any initial agreement to cookies via a visible web link or icon on all website pages. 

ICO launches consultation on its draft Statutory guidance

The Information Commissioner's Office is consulting on its draft statutory guidance, which includes details of how it will exercise its regulatory functions and enforce UK data protection legislation.

n the draft guidance, an explanation of the ICO's powers is provided, as well as when it will use them and how it will calculate fines.

The consultation ends on Thursday 12 November 2020.