Included in this edition of Data & Privacy News: GPDPR delay welcomed by ICO, The New EU Standard Contractual Clauses and more...

The New EU Standard Contractual Clauses: Who, What, Where and When?

On Tuesday 22 June Addleshaw Goddard will be hosting the latest edition of our Data Download webinar, focusing on the new EU Standard Contractual Clauses. You can read an overview of the new Standard Contractual Clauses below and on Tuesday our team will be examining everything that you need to know. To register for this webinar, please click here.

EU Standard contractual clauses for international transfers

The European Commission has adopted new EU Standard Contractual Clauses (SCCs) for organisations transferring personal data outside of the EEA. The change will apply to organisations transferring personal data from the EEA to other territories that are not deemed 'adequate' for GDPR purposes. Following Brexit, transfers from the UK are subject to different rules.

The new EEA SCCs will replace the previous controller-to-processor and controller-to-controller SCCs, which were drafted under the old Data Protection Directive 1995 and had become outdated.  They reflect the new requirements under the EU GDPR and also take into account the Schrems II judgement of the Court of Justice in July 2020.

Organisations will be able to continue to use the previous EEA SCCs for new contracts up to 27 September 2021 and all contracts made under the previous EEA SCCs are set to be covered by an 18 month transition period (until December 2022).   

To understand more about these new EEA SCCs, click here to register for our upcoming webinar on the subject.

GPDPR delay welcomed by ICO

The Information Commissioner's Office (ICO) has welcomed the delay in launching the General Practice Data for Planning and Research (GPDPR) data collection scheme from 1 July to 1 September 2021.

In a blog post from 8 June, Information Commissioner Elizabeth Denham stated that while the better sharing of health data could offer "substantial benefits", there is currently "considerable confusion regarding the scope and nature of the GPDPR, among both healthcare practitioners and the general public". Ms Denham further expressed the view that it was sensible for NHS Digital to take more time to engage with its stakeholders, as the project's success will rely on "people trusting and having confidence in how their personal data will be used".

The GPDPR scheme will allow planners and researchers faster access to pseudonymised patient information, however the delay has being implemented following concerns raised by groups including the British Medical Association and the Royal College of GPs that a lack of understanding about the plan would damage trust in the NHS.

The ICO plan to continue engaging with NHS Digital on this project. To read Addleshaw Goddard's analysis of the GPDPR programme, click here.

Amazon Faces Possible $425 Million EU Privacy Fine

Luxembourg's data-protection commission, CNPD, is proposing a fine of more than $425 million against Amazon.com Inc. for alleged violations of Europe’s General Data Protection Regulation (GDPR).

The claims, first reported in The Wall Street Journal, relate to Amazon’s collection and use of personal data, however both Amazon and the CNPD have declined to comment on the story.

As Amazon's EU headquarters are in Luxembourg City, the CNPD is the primary EU privacy regulator for the company, however any decision by the CNPD would need to effectively be agreed by other EU privacy regulators prior to its implementation.

High Court rules in case regarding an EU representative appointed under Article 27 of the GDPR 

In the case of Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB), the High Court ruled that an EU representative appointed under Article 27 of the General Data Protection Regulation (GDPR) is not liable for possible GDPR breaches by the entity that it represents.

In striking out the case, Mrs Justice Collins Rice ruled that the role of a representative was not extended to the day to day considerations of how data was processed and consequently could not be held liable for matters outside of their own specific functions.

Apple announces enhanced privacy features

Apple have announced a series of new features aimed at helping users manage how third-parties control and use their online data. The update, which are set to be implemented later this year, will allow users to see how often each app has used the permission they’ve previously granted to access their location, photos, camera, microphone, and contacts during the past seven days, as well as find information regarding whom their data may be shared by seeing all the third-party domains an app is contacting.

The update will also introduce features including:

• the ability to prevent marketers see if and when an email is opened through Apple’s Mail app;
• the option for premium iCloud users to access the internet through a "Private Relay" that would block network providers from using IP addresses and web usage to create a user profile for tracking; and
• a secure paste option for developers, letting users paste from a different app without the developer having access to what was copied until the user takes action to paste it into their app.

noyb targets "unlawful" website cookie banners

The non-profit data rights campaigner noyb has announced that it has sent 560 draft complaints to companies relating to the use of "unlawful" cookie banners. noyb state that by law website users must be given a clear yes/no option when consenting to cookies, however many companies make it "extremely complicated" to select an option other than accept. The 560 complaints issued by noyb make this the largest wave of complaints since the GDPR came into force, with companies based in 33 countries, including every EU/EEA member state except Malta and Liechtenstein, receiving a draft complaint.

noyb has also developed an automated system that identifies websites with cookie banners that are not deemed to be complaint and automatically generates a GDPR complaint. Companies will then be served with an informal draft complaint via email and will receive a guide on how to change their settings. Should a company not alter their settings, noyb plan to file a complaint with the relevant authority.