EU General Data Protection Regulation (GDPR)

Cyber SecurityThe European Court of Justice this morning issued a significant – and fairly surprising – ruling on international data transfers in the Schrems II case. Standard contractual clauses remain valid, but the Privacy Shield is invalid and cannot be relied on to legitimise transfers of personal data from the EEA to the US.
Continue Reading Privacy Shield Invalid but SCCs Survive… What next for international personal data transfers?

Cyber SecurityIn addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published.
Continue Reading COVID-19 Contact Tracing Apps Essential Requirements and Best Practices

On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
Continue Reading European Guidelines Adopted on Health Data Processed in the Context of the Covid-19 Outbreak

Article29Recognizing the increasing prevalence of data-driven solutions in combatting COVID-19 and the numerous related privacy concerns, on April 21, the EDPB adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines clarify the conditions and principles for proportionate use of location data and contact tracing tools for two particular purposes: (i) the use of location data to support the response to the pandemic by modelling COVID-19’s spread to calculate the overall effectiveness of confinement measures; and (ii) contact tracing, which aims to notify individuals that they have been in close proximity to an infected individual, to break the contamination links quickly and combat the virus’ spread.
Continue Reading European Guidelines Adopted on Contact Tracing Tools and the Use of Location Data in the Context of the COVID-19 Outbreak

Article 29Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus.

The guidance notes that, although data protection law does not stop employers taking measures that are required to protect their staff and the public during the coronavirus pandemic, personal data must be handled carefully.
Continue Reading UK Information Commissioner Issues New Guidance for Employers on Workplace Testing for Coronavirus

lockThe European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.

Updated Guidelines

“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
Continue Reading European Data Protection Board Updates Guidelines on GDPR Consent

GDPRThe COVID-19 pandemic has forced organizations to reconsider their working arrangements and how employees interact with both internal and external clients and stakeholders. In the pursuit of maintaining a “business as usual” approach, many UK employers have questioned whether they can continue to effectively monitor their non-furloughed employees’ performance when all but those in essential roles are working remotely.


Continue Reading Employee Monitoring During the COVID-19 Lockdown GDPR Considerations Revisited

lockA landmark group claim for compensation under data protection laws in the UK between employees and employer has failed. The UK’s Supreme Court has held that a rogue employee’s activities were not sufficiently connected with his employment to make Morrison, his employer, vicariously liable for the data protection breach. If it had been held liable Morrison would have been in line to make compensation payments to nearly 10,000 employees.

The case relates to an incident in 2014 and was brought under the Data Protection Act 1998 (DPA), but it is likely that findings would be the same under the GDPR and the UK Data Protection Act 2018.
Continue Reading UK’s Landmark Group Claim for Compensation Under Data Protection Laws – Morrison’s Found Not Vicariously Liable for Actions of Rogue Employee

The rapid spread of the coronavirus is causing alarm around the world.  This almost unprecedented global event is leading to various unforeseen consequences, including the collection, use and sharing of personal data of affected individuals – and, in some cases, persons connected to them – in ways not envisaged only a few weeks ago.  The processing of personal data of this nature can potentially have serious, albeit sometimes unintended, consequences.

Continue Reading Thoughts on the Use of Personal Data in the Fight Against Coronavirus