Welcome to our Spring 2021 Data & Privacy eBulletin, where we look at the development of international transfer positions in the UK since Brexit, the Age Appropriate Design Code, an update on the Lloyd v Google case, a look into the proposed EU AI regulation and other news in briefs.
MEPs urge the EC to amend draft decisions on UK adequacy echoing concerns raised in EDPB opinions
On 13 April 2021, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s (EC) two draft decisions relating to the transfers of personal data from the EU to the UK, released earlier this year.
Progress on the UK’s adequacy assessment could however be undermined by a recent call from Members of the European Parliament (MEPs) to amend the EC’s draft decisions on UK data protection. The Civil Liberties Committee recently passed a resolution evaluating the EC’s approach on the adequacy of the UK’s data protection regime. Concerns relate to the UK’s exemptions for national security and immigration and position on onward transfers, largely echoing the concerns raised in the EDPB opinions. The draft resolution will be debated and put to the vote during next week’s plenary session, together with a discussion of the ‘Schrems II’ ruling concerning data transfers from the EU to the US.
Read more on what the EDPB opinions say and what happens next in our full article here.
Countdown – age appropriate design code
September 2021 is the fast arriving implementation deadline for the Age Appropriate Design Code.
The Children’s Code is a statutory code of practice that applies to organisations providing online services and products targeted at, or likely to be accessed by, anyone under 18.
Under the Code, organisations are required:
- to switch off privacy-intrusive settings by default (e.g. location) and ensure other settings are ‘high privacy’ by default;
- not to deploy ‘nudge’ techniques or tools which might encourage children to turn off or weaken their privacy settings;
- provide prominent, accessible and user friendly privacy tools to enable children to exercise their rights and report concerns;
- provide concise and prominent privacy information to users which is in clear language and formats suited to the age of the child (including information about any parental controls or monitoring); and
- to collect and retain only the minimum amount of personal data necessary.
If your service is for, or is likely to be accessed by, children you will need to take steps to comply with the Children’s Code before 2 September 2021.
You can see our previous Data & Privacy eBulletin here, where we take a deeper look at the Children’s Code.
GDPR-style AI regulation proposed by the European Commission
The European Commission (EC) proposes ‘the first-ever legal framework on AI’ governing the placement of AI on the market, putting AI into service and general post-market monitoring obligations – the AI Regulation.
Generally, the AI Regulation places obligation on various players in the AI landscape and lays out a structure for governance and enforcement, in a format largely similar to those imposed by the EU GDPR.
Read more on the rules and implications in our full article here.
Supreme Court hears key Data Protection Act ‘representative claims’ appeal by Google
At the end of April, the Supreme Court heard an important appeal by Google in the Lloyd v Google case over whether ‘representative’ claims for breaches of the Data Protection Act (DPA) 1998 can be brought on behalf of other unidentified members of a ‘class,’ and whether damages are available to them under section 13 of the DPA 1998.
You can find out more about the implications here.
News in brief
ICO is working on UK set of Standard Contractual Clauses (SCCs)
New cyber security laws to protect smart devices
The Council of the EU under Portuguese presidency has updated the draft ePrivacy Regulation