Included in this edition of Data & Privacy News: CJEU rules in case between Facebook and BE DPA, Data: A New Currency for Consumers and Businesses, European Commission adopts adequacy decisions for the UK and more...

Data: A New Currency for Consumers and Businesses

Data has evolved as a commodity that is bought, sold and even securitised in our new virtual business environment. In the increasingly digitised post COVID-19 world, more data than ever is captured about how we live our lives at home and work. All this is happening at the same time as the ever-increasing legal scrutiny around the use of personal data so consequently the right privacy culture has become a must-have for any successful business.

On Tuesday 6 July Addleshaw Goddard will be hosting a webinar examining the value of personal data as an asset, and some of the issues that need to be balanced when building and dealing with data assets.

We are delighted to be joined for this session by Stephen Robertson, founder of Metis Partners and a leading IP strategist, who along with AG's head of data Helena Brown will share some market insight into handling data assets. To register for this webinar, please click here.

European Commission adopts adequacy decisions for the UK

The European Commission has adopted two adequacy decisions for the United Kingdom, which will allow personal data to be transferred from the European Union to the United Kingdom under a system similar to when the UK was a Member State of the EU.

The two decisions are made under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive respectively. As well as ensuring the transfer of personal data, the decisions aim to facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which includes the exchange of personal information, for example for cooperation on judicial matters.

Both adequacy decisions entered into force on 28 June 2021, however for the first time the decisions include a ‘sunset clause', meaning that the decisions will automatically expire four years after their entry into force. The decisions may be renewed after this four year period, provided the Commission deems that the UK continues to ensure an adequate level of data protection.

TIGRR publishes report proposing reform of UK GDPR and digital health technology

The Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) has published a report on how the UK can reshape its approach to regulation and capitalise on the regulatory freedom available post-Brexit. The report includes recommendations on replacing GDPR with a new UK framework for data protection and the establishment of a clear regulatory pathway for new digital health technology to ensure that the UK is at the forefront of the digitalisation of healthcare.

The key proposals for replacing GDPR with a new UK framework for data protection include:

• Reforming GDPR to give people more meaningful control of their data. The proposed framework would place greater emphasis on the legitimacy of data processing and whether it is in the interests of the data owner and society, rather than a legalistic version of consent where businesses "comply with the letter but not the spirit of the law".
• Removing Article 22 of GDPR and focusing instead on the legitimacy of automated decision making.

The key proposals for digital health include:

• Creating a new digital health regulatory unit within the MHRA, responsible for establishing digital interoperability standards and an integrated regulatory pathway for development of Consumer Healthcare Apps.
• Establishing a digital framework for assessing Disease Cost and Population Health by each local authority area.
• Reforming GDPR to improve the use of healthcare data by establishing federated models of data sharing and creating a joint sandbox between the ICO and the HRA.
• Updating regulations on medical devices to licence and adopt AI and AI software as a diagnostic device.
• Accelerating the integration of business to consumer patient wellness apps with clinical neuroscience research networks and NIHR research databases to create an integrated UK digital health spine for mental health.

EDPB adopts final version of Recommendations on supplementary measures

The European Data Protection Board (EDPB) has adopted a final version of the Recommendations on supplementary measures, which were first introduced in November 2020 following the Court of Justice of the European Union (CJEU) Schrems II ruling. The Recommendations aim to assist controllers and processors acting as data exporters in identifying and implementing measures to ensure an essentially equivalent level of protection to the data they transfer to third countries. 

The final versions of the Recommendations follow a public consultation and contain several changes to the previously published draft Recommendations, including:

• a greater emphasis on the examination of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices impinge on the effectiveness of the Art. 46 GDPR transfer tool;
• the possibility that the exporter considers in its assessment the practical experience of the importer; and
• clarification that the legislation of the third country of destination allowing its authorities to access the data transferred may also impinge on the effectiveness of the transfer tool.

The EDPB also published a letter to EU Institutions on the privacy and data protection aspects of a possible digital euro and designated three EDPB Members to the ETIAS Fundamental Rights Guidance Board.

EDPS Case Law Digest on the transfers of personal data to third countries

The European Data Protection Supervisor has published a case law digest on transfers of personal data to third countries. The case law digest aims to clarify the structure of the analysis carried out by the Court of Justice of the European Union (CJEU) in judgments concerning the transfer of personal data to third countries, in particular by highlighting the steps followed and the jurisprudential acquis in relevant case law.

The publication also includes a list of key questions relating to international transfers of personal data including:

• When does a transfer to a third country within the meaning of Chapter V of the GDPR take place?
• What are the powers available to the national supervisory authorities in respect of the transfers?
• What is meant by the duty to notify to the data subject the transfer of personal data?
• What are the data protection requirements in case of onward transfer of personal data?

CJEU rules in case between Facebook and BE DPA

The Court of Justice of the European Union (CJEU) has handed down its ruling in the case between Facebook and the Belgian Data Protection Authority (BE DPA). In its ruling, the CJEU decided that a national supervisory authority is able to bring an alleged infringement of the GDPR to the attention of the judicial authorities of a Member State, even if this supervisory authority is not the lead authority for that processing. The ruling also sets out a broad interpretation of the powers of national supervisory authorities.

The case, which began in 2015, centred on what the BE DPA deemed to be a serious invasion of the privacy of Belgian citizens through Facebook's use of cookies, which collected information on the surfing behaviour of millions of internet users in Belgium.

The case was being examined by the Court of Appeal of Brussels, however the Court of Appeal referred elements of the case to the CJUE in order to ascertain whether this legal action was possible following the commencement of GDPR and introduction of a new cooperation mechanism between European data protection authorities called the “one-stop shop”.