Data Dispatch - October 2024

Published on 28 October 2024

Welcome to the seventh edition of Data Dispatch from the Data Advisory team at RPC. Our aim is to provide you with a regular, easy-to-digest summary of key developments in data protection law.

Please do feel free to forward on the publication to your colleagues or, better still, recommend that they subscribe to receive the publication directly.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.


Data (Use and Access) Bill

On 23 October 2024, the government introduced the Data (Use and Access) Bill to Parliament. From a data protection perspective, the Bill carries over many of the provisions of the previous Data Protection and Digital Information (DPDI) Bill (e.g. on automated decision-making, legitimate interests and international transfers) but drops the DPDI provisions that were intended to reduce the accountability burden on businesses (e.g. the changes to the DPO, ROPA and DPIA requirements). The Bill also addresses access to customer and business data, digital verification services, and a restructuring of the ICO. The Bill is awaiting its second reading in the House of Lords. (Data Bill Press Release)

ICO Reprimands Sky Betting and Gaming for cookie use

Bonne Terre Limited, trading as Sky Betting and Gaming (Bonne Terre), provides paid-for gambling services to online customers.

In September 2024, the UK's Information Commissioner's Office (ICO) found that, between January 2023 and March 2023, Bonne Terre placed advertising cookies on users' devices as soon as they accessed the Sky Betting and Gaming website, before visitors had any option to accept or decline those cookies.

Following the ICO's investigation, Sky Betting and Gaming changed its website so that visitors can now reject advertising cookies before any such cookie is set and before any personal data is collected.

As part of the reprimand, the ICO recommended that Bonne Terre ensure compliance with Articles 5(1)(a) (lawful, fair and transparent processing), 6(1) (lawful bases for processing) and 7(1) (conditions for consent) of the UK GDPR. The ICO also made clear that, if it finds Bonne Terre in breach of the UK GDPR again, this reprimand may be treated as an aggravating factor in any future investigation.

In its ongoing action on advertising cookies placed without consent, the ICO has reviewed the 100 most visited websites in the UK and contacted 53 of them to request changes to bring them into line with data protection law. It is now preparing to review the next 100 most visited UK websites on the same basis. The ICO recommends that all website operators assess their cookie banners to make sure consent is freely given (and can be refused as easily as it is given), and it plans to publish further guidance on the use of cookies later this year.
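The remediation described above, as an added example that is not part of the original article and not Sky Betting and Gaming's code: a consent gate that queues advertising and analytics tag loaders until the banner decision is made, shown next to the pre-fix pattern in which tags fire on page load, plus a check that lists any non-essential cookies present before the visitor has interacted with the banner (the test the ICO applied). The in-memory cookie jar, tag loaders, category names and strictly-necessary allowlist are constructed assumptions so that the code runs offline under Node.

```javascript
"use strict";

// Stand-in for document.cookie so the example runs outside a browser
// (constructed for this example): cookie name -> value.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  names() { return [...this.cookies.keys()].sort(); }
}

// Consent categories a banner can grant. Anything not granted stays denied,
// so the default state (no interaction yet) sets no non-essential cookies.
const CATEGORIES = ["advertising", "analytics"];

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.decision = null;                       // null until the visitor chooses
    this.pending = new Map(CATEGORIES.map(c => [c, []]));
  }

  // Register a tag loader. Instead of running on page load (the pattern the
  // ICO reprimanded), it is queued until the matching category is granted.
  register(category, loader) {
    if (!this.pending.has(category)) throw new Error(`unknown category: ${category}`);
    if (this.decision && this.decision[category]) {
      loader(this.jar);                         // consent already granted
    } else {
      this.pending.get(category).push(loader);
    }
  }

  // Called by the banner. A category missing from `choices` is treated as
  // refused, so "reject all" is simply decide({}).
  decide(choices) {
    this.decision = Object.fromEntries(CATEGORIES.map(c => [c, choices[c] === true]));
    for (const [category, loaders] of this.pending) {
      if (this.decision[category]) {
        loaders.forEach(loader => loader(this.jar));
        loaders.splice(0);                      // fire once, then clear the queue
      }
    }
  }
}

// Audit check: which cookies are present that are not on the strictly-necessary
// allowlist? Run against the jar at page load, before any banner interaction.
// The allowlist is an illustrative assumption.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token"]);
function nonEssentialCookies(jar) {
  return jar.names().filter(name => !STRICTLY_NECESSARY.has(name));
}

// Constructed tag loaders standing in for third-party advertising/analytics scripts.
function adTag(jar) { jar.set("ad_id", "abc123"); }
function analyticsTag(jar) { jar.set("_ga_like", "GA1.2.1"); }
function sessionCookie(jar) { jar.set("session_id", "s-42"); }

// Before the fix: every tag fires on load, so cookies exist before the
// visitor can accept or decline.
function pageLoadBefore() {
  const jar = new CookieJar();
  sessionCookie(jar);
  adTag(jar);
  analyticsTag(jar);
  return jar;
}

// After the fix: tags sit behind the gate. `choices` is the banner outcome,
// or null if the visitor has not interacted with the banner yet.
function pageLoadAfter(choices) {
  const jar = new CookieJar();
  sessionCookie(jar);
  const gate = new ConsentGate(jar);
  gate.register("advertising", adTag);
  gate.register("analytics", analyticsTag);
  if (choices !== null) gate.decide(choices);
  return jar;
}

console.log("before fix, no interaction:", nonEssentialCookies(pageLoadBefore()));
console.log("after fix, no interaction: ", nonEssentialCookies(pageLoadAfter(null)));
console.log("after fix, reject all:     ", nonEssentialCookies(pageLoadAfter({})));
console.log("after fix, accept ads only:", nonEssentialCookies(pageLoadAfter({ advertising: true })));
```

The point of the audit helper is that the pre-fix page fails it on first load, while the gated page passes both with no interaction and after "reject all"; the same check can be run in a real browser by reading `document.cookie` before touching the banner.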

EU data protection regulators have made cookie consent an enforcement focus too, as seen in similar actions against Mediahuis in Belgium and Yahoo in France.

(ICO Decision)

(ICO News)

ICO Introduces New Data Protection Audit Framework

The ICO has launched a new audit framework designed to help organisations evaluate and improve their compliance with data protection law. The framework is aimed particularly at large businesses and organisations.

The framework serves as an extension to the ICO's current Accountability Framework, by adding specific toolkits covering key privacy areas, such as accountability, information and cyber security, data sharing, requests for data, personal data breach management and the use of artificial intelligence.

Each privacy area comes with a downloadable tracker, to help organisations self-assess their compliance and identify areas for improvement.

However, the ICO advises against relying solely on the framework, emphasising that privacy issues should be addressed on a case-by-case basis rather than through a tick-box exercise.

(ICO News)

EDPB releases guidance on Data Processors and Legitimate Interest

The European Data Protection Board (EDPB) has issued advice to organisations on controllers' responsibilities with multiple processors and sub-processors, alongside opening consultation on legitimate interest requirements.

Answering questions posed by the Danish data protection authority, the EDPB advised on the extent of the checks a controller must carry out to verify that its processors (and their sub-processors) provide "sufficient guarantees" that they will implement appropriate technical and organisational measures, as Article 28 GDPR requires.

Separately, the EDPB is consulting on guidance regarding the legitimate interest lawful basis until 20 November 2024. The guidance contains a number of requirements that must be fulfilled before a controller can rely on this lawful basis, including that legitimate interests must be clearly and precisely articulated, real and present.

When relying on Article 6(1)(f) GDPR (for direct marketing as for any other purpose), controllers must satisfy three cumulative conditions:

  1. a legitimate interest must be pursued;
  2. the processing must be necessary for that interest; and
  3. a balancing test must confirm that the individuals' interests, rights and freedoms do not override that legitimate interest.

The EDPB provides guidance on ensuring compliance, including evaluating if marketing can be achieved without personal data and respecting data minimisation. Extensive data processing or intrusive profiling, such as tracking individuals across multiple platforms, is less likely to pass the balancing test. Less intrusive activities, such as sending the same commercial communication to existing customers who have purchased similar products, are easier to justify under Article 6(1)(f).

In a related development, the Court of Justice of the European Union (CJEU) has confirmed that a purely commercial interest can qualify as a legitimate interest under the GDPR, provided the other conditions of Article 6(1)(f) are met. This ruling further clarifies the scope of lawful processing where legitimate interests are relied upon as the lawful basis.

(EDPB – Opinion of the Board)

(EDPB Guidelines)

(CJEU Judgment)
