The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as giving access to personal data to third parties. It does not, however, apply to data sharing with a processor, nor the disclosure of data within an organisation.

The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the GDPR and the DPA 2018. It also addresses misconceptions regarding data sharing, such as clarifying that data protection laws do not prevent data sharing (as long as the sharing is lawful, fair and proportionate) and that most data sharing does not rely on consent as the lawful basis.

In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation.

Background

The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived interests, preferences and socio-demographic characteristics.

A typical example of this is when a brand (or ‘advertiser’) advertises their products or services on individuals’ social media platforms. Through programmatic advertising (the automated buying and selling of online advertising) and the process of ‘real-time bidding’ (the automated bidding of display advertising inventory in real-time) in particular, advertisers can place personalised adverts on individuals’ social media platforms (e.g. through content feeds or ‘stories’). This process usually involves processing personal data in bid requests, which can include individuals’ web browsing history, age, gender, location and network connections. Advertisers submit bids to have their adverts placed on individuals’ social media pages based on the perceived likelihood that the individual will be interested. Generally, the more detailed the bid request, the higher the bids are likely to be, so there is more incentive for the parties involved to collect as much personal data as possible through the use of tracking technologies or otherwise. Further, parties within the ad tech ecosystem (such as data brokers) may augment the data collected from the bid request with information from other sources (including offline sources), which they might sell to other stakeholders involved in the targeting process.

The Guidelines split the types of actors involved in the targeting process into four different groups, namely: (1) social media providers; (2) social media users; (3) targeters (e.g. advertisers); and (4) ‘other actors’ which may be involved (e.g. supply side platforms (SSPs), demand side platforms (DSPs), data management platforms (DMPs), data brokers, ad networks and ad exchanges).

The Guidelines identify the potential risks of targeting for social media users, such as loss of control over personal data, potential discrimination and potential manipulation of individuals (as targeting mechanisms seek to influence individuals’ behaviour and choices).

The Guidelines also seek to clarify the roles, responsibilities and relationships between social media providers and targeters and explain the key data protection requirements and documentation that should be in place.

Smart contracts and digital assets are becoming increasingly common in a variety of industries. Nevertheless, is the law ready for them? Following the publication of the Legal statement on the status of cryptoassets and smart contracts by the LawTech Delivery Panel, the Law Commission has launched two projects to analyse how English law can be reformed to accommodate these emerging technologies.

Smart contracts

English contract law has developed on the presumption that contracts are written by individuals in ordinary language. Smart contracts, on the other hand, are drafted by computer code, without the need for human intervention. They can either be in natural language generated through computer code, a hybrid of coded terms and natural language or wholly written in code. These developments raise a number of questions and challenges for English contract law, particularly in relation to the circumstances in which a contract written in code would be considered legally binding and how such a contract can be interpreted by courts.

The UK Government asked the Law Commission to undertake a study on smart contracts, which will focus on:

  • Formation and enforceability;
  • Interpretation;
  • Performance of the contract;
  • Remedies; and
  • Vitiating factors


A Dutch court has held that a grandmother was in breach of the General Data Protection Regulation (GDPR) for posting pictures of her grandchildren on social media platforms without their parents’ consent and refusing to delete them after multiple requests.

The GDPR does not apply to the processing of personal data by an individual “in the course of a purely personal or household activity”.

However, the court said that it was not sufficiently established what security settings the grandmother had on her social media accounts, and it was not clear whether the photos could have been found via search engines. As a result, the court was not convinced that posting the photos on social media sites constitutes a “purely personal or household activity”, as this places them in the public domain, and they could then be further distributed and used by third parties.

It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms.

Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.

The guidance covers the following specific activities:

  • Testing employees for symptoms of COVID-19
  • Compiling lists of employees with symptoms or positive diagnoses
  • Disclosing positive cases to other employees
  • Using temperature checks or thermal cameras in the workplace


The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.

The chair of the Council of Europe’s data protection ‘Convention 108’ committee, Alessandra Pierucci, and the Council of Europe Data Protection Commissioner, Jean-Philippe Walter, have recently released a joint statement on digital contact tracing in the fight against coronavirus.

Digital contact tracing is being used in many countries to help control the spread of coronavirus by alerting individuals who may have come into contact with an infected person. The UK government is gearing up to deploy its contact tracing app within the next few weeks (it is currently being tested on the Isle of Wight), which could help lift the lockdown measures further. However, as highlighted by the joint statement, it is crucial to ensure that the necessary data protection safeguards are implemented when adopting extraordinary measures to protect public health.

In a matter of three days, Parliament passed a bill granting emergency powers to the government to deal with the COVID-19 outbreak. The Queen granted Royal Assent on 25 March 2020, bringing into force the Coronavirus Act 2020 (the Act).

The Act, amongst other things, gives the government wide-ranging powers to restrict events and social gatherings, shut down premises and isolate or detain ‘potentially infectious persons’. The Act also provides means for extending time limits for retention of fingerprints and DNA profiles (which would have been taken under various police and terrorism legislation) for up to 12 months if necessary and in the interests of national security. Whilst these measures have been implemented to help curb the spread of COVID-19, the enforcement of such measures could impact individuals’ rights to privacy and data protection.