Included in this edition of Data & Privacy News: EDPB publishes guidance on credit card data storage, ICO publishes consultation on anonymisation, pseudonymisation and privacy enhancing technologies guidance and more...

Data and the Digital Economy – Spring 2021 Update

On 8 June 2021, Addleshaw Goddard will be hosting the latest in our series of Data Download webinars. You can register for this month's webinar, which will focus on data and the digital economy, here.

ICO publishes consultation on anonymisation, pseudonymisation and privacy enhancing technologies guidance

The Information Commissioner's Office (ICO) has launched a consultation on the first chapter of its draft anonymisation, pseudonymisation and privacy enhancing technologies guidance. The first chapter examines the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law.

Topics covered in this chapter include:

• when personal data can be considered anonymised;
• if it is possible to anonymise data adequately to reduce risks; and
• what the benefits of anonymisation and pseudonymisation might be.

The first chapter of the draft guidance is available here and the consultation will run until 28 November 2021. The ICO intends to consult on the full draft guidance in autumn 2021.

EDPB publishes guidance on credit card data storage

The European Data Protection Board (EDPB) has published recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions.

The EDPB deem that the risks of using credit card data online has increased due to the prevalence of the digital economy and e-commerce throughout the coronavirus pandemic. Consequently controllers must ensure that appropriate safeguards are in place for the data subjects, to maintain control over their personal data.

The recommendations set out in this guidance aim to encourage a harmonised application of data protection rules regarding the processing of credit card data within the European Economic Area (EEA). In particular, they cover situations where a data subject buys a product or pays for a service via a website or an application, and provides their credit card data, generally on a dedicated form, in order to conclude this transaction.

ICO shares gaming sector case study on the application of the Children's Code harms framework

The Information Commissioner's Office (ICO) has published a case study, detailing how international games developer Square Enix has utilised the ICO's Children’s Code harms framework. The framework is designed to help organisations identify data-related risks to children and support online services to place children’s best interests at the heart of their services.

This case study provides a worked example of how online services can map children’s data, identify associated risks and consider their implications for children’s rights and freedoms. The ICO hopes that the study can help bring the frameworkto life for others who are considering using it.

Joint statement issued by the CMA and ICO on competition and data protection law

The Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO) have issued a joint statement setting out their opinion on the relationship between competition and data protection in the digital economy.

The statement details:

• the role of data and personal data within the digital economy;
• the strong synergies that exist between the aims of competition and data protection;
• how the CMA and ICO will collaborate to reduce any perceived tensions between their objectives; and
• examples of how the CMA and ICO are already working together.

EDPS announce commencement of two investigations following the “Schrems II” Judgement

The European Data Protection Supervisor (EDPS) has announced the beginning of two investigations as part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement. 

The investigations follow an order issued to European Union institutions, bodies and agencies (EUIs) by the EDPS in October 2020, requiring them to report on their transfers of personal data to non-EU countries. The resulting disclosures revealed that individuals’ personal data is being transferred outside the EU, in particular to the US. Consequently, information is subject to "disproportionate surveillance activities by the US authorities", due to the “Schrems II” Judgement. The aim of these investigations is to ensure that ongoing and future international transfers are carried out according to EU data protection law.

The two investigations launched involve:

• the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by EUIs; and 
• the use of Microsoft Office 365 by the European Commission.

ECtHR rules that UK surveillance regime is in breach of the Convention on Human Rights

The Registrar of the European Court of Human Rights (ECtHR) has published a press release relating to the case of Big Brother Watch and Others v the United Kingdom (application nos 58170/13, 62322/14 and 24969/15). The case was brought by a collection of journalists and human rights organisations, who challenged the bulk interception of communications, the receipt of intercept material from foreign governments and intelligence agencies, and the obtaining of communications data from communication service providers.

In its judgment, the ECtHR unanimously ruled that an elements of the UK’s surveillance regime contravened Articles 8 and 10 of the European Convention on Human Rights and that there were insufficient domestic safeguards to ensure that measures taken were proportionate.

In addition to its ruling, the ECtHR concluded that the ability to authorise bulk interception should be managed by a body that is independent of the Secretary of State and that there should be an independent ex post facto review into the exercise of the regime.

The full case judgment is available here.