Included in this edition of Data & Privacy News: DCMS and the ICO sign data adequacy Memorandum of Understanding, ICO details plans to update their anonymisation guidance and more...

DCMS and the ICO sign data adequacy Memorandum of Understanding

The Secretary of State for the Department for Digital, Culture Media & Sport (DCMS) and the Information Commissioner have signed a Memorandum of Understanding on data adequacy.

Following the UK's departure from the EU, the DCMS now holds powers to make independent UK data adequacy arrangements with new global partners around the world, whilst the statutory process of assessing the adequacy of countries requires consultation with the Information Commissioner’s Office (ICO).

The Memorandum of Understanding officially recognises the roles and responsibilities of the DCMS and the ICO in carrying out adequacy assessments. This ensures the ICO’s position as an independent regulator is not impacted by its role in adequacy assessments while setting out the key principles for the continuation of its working relationship with the DCMS.

ICO details plans to update their anonymisation guidance

The ICO has outlined its plans to update guidance on anonymisation and pseudonymisation, and to explore how privacy enhancing technologies may aid safe and lawful data sharing. The updated guidance will assist organisations in deciding when data is personal data or anonymous information. It also further details the ICO's views on the spectrum of identifiability, how to assess the appropriate controls that need to be in place, and what practical steps organisations can take.

The key topics the ICO intend to focus on include:

• anonymisation and the legal framework;
• identifiability;
• pseudonymisation techniques and best practices;
• accountability and governance requirements in the context of anonymisation and pseudonymisation;
• anonymisation and research
• privacy enhancing technologies (PETs) and their role in safe data sharing;
• technological solutions; and
• data sharing options and case studies.

Ahead of issuing formal guidance, the ICO will be exploring these topics iteratively, as well as gathering insight and feedback from industry, academia and other key stakeholders.

ICO published data sharing sandbox reports

The ICO has published the final three projects from the beta phase of its data sharing sandbox, which has now entered into its next stage.

The project, first launched in April 2019, was created to support the development of data products and services with a clear public value whilst ensuing compliance with data protection law.

The final reports concern:

• Tonic Analytics: A technology company aiming to reduce the number of fatally and seriously injured road users in the UK and reduce the amount of crime associated with use of the UK’s roads. The program aimed to support more efficient data sharing between public and private sector organisations to ensure the efficient targeting of resources.
• Greater London Authority: Through supporting the development and enhancement of multi-agency data platform SafeStats, which aims to align the work of the London-based Violence Reduction Unit to inform violence-related decision-making processes.
• MHCLG: A planned project to address the low quality of privately rented housing in the Blackpool area through a housing quality pilot.

The ICO are now taking expressions of interest for participation in the sandbox later in 2021.

Spanish Data Protection Agency hands out record breaking fine

The Spanish Data Protection Agency (AEPD) have penalized Vodafone Spain with four separate fines totalling $9.72m. The decision, which included the consideration of 191 complaints about the organisations consent and data-processing practices, is the highest fine ever issued by the regulator. 

In the decision, published on 11 March, AEPD found that Vodafone Spain had approved an international data transfer that didn't meet the requirements of the GDPR, meaning the telecommunications company were unable to ascertain which of its customers had opted out of receiving marketing and third-party communications. 

Of the four fines, two (totalling $7.16m) relate to the EU's General Data Protection Regulation (GDPR) violations, one ($2.39m) relates to Spanish laws on digital rights and telecommunications as well as the GDPR and the final fine ($179k) relates to violations of a Spanish law regarding cookies.

Vodafone are reportedly intending to lodge an appeal against the sanctions.

EDPB releases statement on upcoming ePrivacy Regulation

The European Data Protection Board (EDPB) has welcomed the agreed ePrivacy negotiation mandate adopted by the Council's Committee of Permanent Representatives' (COREPER) but has noted several concerns still to be addressed.

The mandate covers the protection of privacy and confidentiality in the use of electronic communication services and is seen by the EDPB as a positive step towards a new ePrivacy Regulation. The regulation will seek to complement the EU general data protection framework with harmonised rules for electronic communications. 

The EDPB has however reiterated its previous standpoint that the ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive or be used to de facto change the GDPR. The EDPB therefore feel that the updated position raises concerns including for the processing and retention of electronic communication data for law enforcement and safeguarding national security purposes and the effectiveness of ways to obtain consent for websites and mobile applications.

Concerns raised at COVID-19 'digital pass' plan

Several privacy and security experts have raised concerns about the European Commission’s legislative proposal for a pan-EU ‘digital green pass’ that will reflect the holder's verified COVID-19 status.

The European Union’s plan is for the pass to reflect whether the individual has received a COVID-19 vaccine, had a recent negative test or recovered from the disease and developed antibodies. The technological architecture that would underpin such a system has yet to be fully explained. 

Following a statement by Commission president Ursula von der Leyen on the subject, Germany MEP Patrick Breyer issued a statement arguing that the "proposal does not yet meet the requirements of data protection and protection against discrimination” and does not ensure "that the digital variant of the certificate is stored decentrally on devices of the person concerned and not in a central vaccination register.”