Latest news

“Clients say ‘they’re very good at knowledge-sharing’.”

Chambers UK

Data & Privacy eBulletin: (Still) preparing for Brexit

08 October 2019

Welcome to the Autumn edition of our quarterly Data & Privacy eBulletin. With Brexit looming larger than ever, we look at how businesses can ready themselves and their data protection practices.

In this edition, we also reflect on the Information Commissioner’s Office (ICO) guidance on cookies and consider the hot topic of facial recognition. Data protection remains a headline-grabbing area and is very much in the regulatory spotlight – the ICO announced proposed record fines on both British Airways and Marriot earlier this summer.

Please get in touch if you have any concerns or would like to know more.

Preparing for a ‘no-deal Brexit’

With ‘no-deal Brexit’ remaining a distinct possibility, organisations need to start ‘Brexit-proofing’ their data protection operations. For information on how a no-deal Brexit will affect data protection law in the UK, please see our article on the topic published on our website here.

The table below outlines the key steps controller and processors, both in the UK and the EU, might need to take if the UK exits from the EU without a deal on 31 October.

Position post-Brexit  Checklist of key steps
UK based controllers and processors Controllers that process personal data solely in the UK in relation to UK data subjects will be subject to the UK GDPR (a version of the GDPR implemented in the UK by the Data Protection Act 2018). The UK GDPR will also apply to processors located in the UK processing personal data obtained from those UK based controllers.


The GDPR will continue to apply to any processing in relation to data subjects in the EU or which is otherwise subject to the extra territorial provisions of GDPR.


UK law will recognise the EU model clauses, adequacy decisions and binding corporate rules so that international transfers of data out of the UK can continue as now.

·         Do you process personal data about EU data subjects?  If so,

o    Do you need to appoint a representative in the EU?

o    Who will be your lead supervisory authority in the EU?

o    Do you need to update your record of processing, your internal policies and your privacy notice (if you are a controller) to refer to them?

·         Do you receive personal data from the EEA?  If so, have you entered into EU model clauses to allow for the lawful transfer of the personal data to the UK?

·         Do you transfer personal data to the US based on a privacy shield certification?  If so, check that the US importer has updated its privacy notice to specify that it will apply the privacy shield principles to transfers of personal data from the UK.

·         Have you updated your contracts to restrict transfers of personal data outside of the UK?


EU based controllers and processors The UK GDPR will have extra-territorial effect. If an EU based controller or processor processes personal data about UK data subjects, or the processing is otherwise subject to the UK GDPR extra territorial provisions, the UK GDPR will apply.


The UK will be a third country for the purposes of the GDPR and an appropriate transfer mechanism will need to be put in place for transfers of personal data from the EU to the UK. The UK will not benefit from an adequacy decision, at least in the short to medium term so the most appropriate transfer mechanism is likely to be model clauses.

·         Do you process personal data about UK data subjects?  If so,

o    Do you need to appoint a representative in the UK?

o    Is your current lead supervisory authority the UK’s ICO under the current ‘one stop shop’ principle and do you therefore need to appoint a representative in the EU?

o    Do you need to update your record of processing, your internal policies and your privacy notice (if you are a controller) to refer to them?

·         Do you share personal data with a controller or processor in the UK?  If so, have you entered into EU model clauses to allow for the lawful transfer of the personal data to the UK?

ICO guidance on cookies

The ICO issued its long-awaited guidance on cookies in July. The guidance gives practical tips on how to obtain valid ‘GDPR standard’ consent for cookies. It is clear that consent is required for all non-essential cookies, it must be informed and freely given, and the user must take clear and positive action to give consent. This means that:

– Pre-enabled non-essential cookies are not valid and should not be set on landing pages. Users must be told up front about what cookies exist and what they do, before giving consent.

– Implied consent, such as pre-ticked boxes, sliders defaulted to ‘on’ or the user continuing to use the service or otherwise clicking out of the cookie consent mechanism without making a choice are not valid forms of consent. In addition, relying solely on browser settings to obtain consent will not be sufficient and at the very least users need to be prompted to review their settings.

– Consent mechanisms that emphasise that users should ‘agree’ or ‘allow’ cookies over ‘reject’ or ‘block’ cookies are not valid. This is nudge behaviour that influences users towards the ‘accept’ option.

– Cookie walls to restrict access to a service unless users consent are unlikely to represent valid consent. This is because the user does not have a genuine free choice about whether to accept cookies. Users should still be allowed to access a service if they do not consent to non-essential cookies.

Organisations must also consider how best to present information on cookies to users. Factors to consider are as follows:

– Information should be presented up front. Cookie policies should be accessible through a link within the consent mechanism and at the top or bottom of the website.

– Design, such as the positioning of the link, should be considered. For example, a link at the bottom of a concise webpage which has no content “below the fold” will be much more visible than a link in the footer of a dense webpage of 10,000 words. In the latter case, a link in the header would be more appropriate.

– The formatting of the link is also important. The link should be distinguished from the rest of the text e.g. by a different style or size of font.

– The wording of the link should be informative. For example, it should say more than simply ‘privacy policy’. Explanatory text such as ‘Find out more about how our site works and how we put you in control’ would be more appropriate.

– If children are likely to access the service, organisations should consult the ICO’s code of practice on age appropriate design.

Please contact us if you would like assistance with implementing compliant cookie consents and policies.

Spotlight on facial recognition

In recent months we have seen that facial recognition technology is coming under increasing scrutiny from the data protection authorities, the courts and privacy campaigners alike.

News in August of the historic use of facial recognition by property developers in Kings Cross prompted significant media attention and a backlash from privacy campaigners. The ICO has indicated that it is taking facial recognition technology, and its potential for abuse, very seriously and is launching an investigation into its use in Kings Cross.

Furthermore, the European Commission is planning regulations that will target the indiscriminate use of the technology and will implement stricter rules to ensure that individuals have the right to know when they are being monitored.

You can read our Insight article on the topic here.

Huge fines on the horizon

In early July, the ICO released details of its intention to fine British Airways £183.39m for the cyber breach it reported in autumn last year. This is the first major potential fine in the UK under the GDPR and Data Protection Act 2018 and it was followed swiftly the next day by the announcement of a proposed £99,200,936 fine for Marriott International for its own data breach.

British Airways and Marriott now have the opportunity to make representations to the ICO in respect of the level of the penalty and the findings. As the lead supervisory authority for the breach, the ICO also announced that it will be taking representations from other EU supervisory authorities whose residents have been affected by the breach.

Google hits headlines twice in one week

Google has been subject to two court judgements this month.

The first saw the search engine giant win an appeal against a French data protection regulator, which fined Google €100,000 for failing to remove unlawful results across all of its global platforms. Google appealed, arguing that it should only have to delete results from searches carried out within Europe, and from its European platforms (such as and The Court of Justice of the European Union (CJEU) ruled in Google’s favour. You can read more here.

The second saw The Court of Appeal allow a class action against Google, in respect of the search engine’s alleged unlawful monitoring of iPhone users without their consent through the use of third party cookies between 2011-2012. You can read more here.

Other regulatory decisions and activity

Unlawful e-marketing

The following action has been taken by the ICO in the past few months for breach of the Privacy and Electronic Communications Regulations:

  • Home Protection Limited has been fined £90,000 for making nuisance calls to people registered with Telephone Preference Service in order to sell its home security products and services.
  • EE Limited has been fined £100,000 for sending direct marketing messages to its customers when they had opted out of receiving marketing messages from them.
  • Making it Easy Limited has been fined £160,000 for making 297,761 calls to subscribers whose names were registered with the Telephone Preference Service.

Subject Access Request concerns

We have also seen a focus from the ICO on organisations that have failed to respond to subject access requests within the one month period prescribed by the GDPR:

  • The ICO issued the Metropolitan Police with two enforcement notices due to a backlog of subject access requests (one relating to SARs pre 25 May 2018 and one relating to SARs after that date). The Met has until 30 September 2019 to resolve the backlog before fines are imposed.
  • Hudson Bay Finance Ltd was also issued with an enforcement notice for failing to respond to a subject access request. The company was given 30 days to comply with the notice with failure to comply being a criminal offence.

Searches for illegally obtained data

  • The ICO searched two addresses in Liverpool as part of an ongoing investigation into the acquisition and sale of illegally obtained personal data. The ICO worked in partnership with the Insurance Fraud Bureau to investigate a business suspected of carrying out high volumes of data framing activity.

GDPR fines further afield

  • The Greek Data Protection Authority fined PWC €150,000 for unlawfully processing employee data. PWC had, incorrectly, been processing employee personal data on the basis of consent. This is another reminder that employers should not be relying on employee consent as a basis for processing their personal data as the imbalance of power between an employer and an employee effectively makes consent very difficult to obtain.

High commendation for H&L in Legal 500

We’re proud to announce that our legal expertise has been recognised by Legal 500 for our data protection, privacy and cybersecurity work.

Legal 500 cited our: “notable expertise in the technology, media and entertainment sectors acting for a client roster, which includes The Pokémon Company International, Comic Relief, the Harry Potter Theatrical Production and Virgin.

“The team handles contentious and non-contentious mandates and takes a cross-departmental approach utilising the commercial, employment and litigation teams.

“Sacha Wilson also enhances the firm’s strength in the data privacy aspects of marketing, adtech and digital media. Daniel Tozer leads the technology and data practice and focuses on commercial data protection. Senior partner Gerrard Tyrrell leads the group’s contentious work and John Kelly regularly acts for private individuals.”

Back to news

Share this page