EU/UK Privacy & Cybersecurity News Roundup – Week of February 13, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

In brief, there have been two recent case law decisions worth noting within the EU data privacy space. The German Data Protection Conference has published a decision on the data protection assessment of third country public authorities’ access to personal data, and the Court of Justice of the European Union issued a preliminary ruling concerning the position of a data protection officer following a request submitted by the German Labor Court. In the United Kingdom, the House of Lords and Home Office have published statutory reports addressing the Retained EU Law (Revocation and Reform) Bill 2022-23 and Investigatory Powers Act 2016 respectively. Globally, the signatories of the Code of Practice on Disinformation (the ‘Code’), which include all major online platforms, have launched the new ‘Transparency Centre’, which sets out information on the Code and their actions to implement it. Each signatory has also published a baseline report to outline how their commitments will be adhered to in practice.

  1. Case Law Updates
    1. The German Data Protection Conference (‘DSK’) published its decision, dated 31 January 2023, on the data protection assessment of third country public authorities’ access to personal data. In particular, the DSK assessed third country public authorities’ access possibilities to personal data processed by an EU/EEA-based company pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In this regard, the DSK noted that the mere risk that third country public authorities or a third country parent company of an EU/EEA company could instruct it to transfer personal data to a third country is not sufficient to assume a third country transfer of data within the meaning of Article 44 of the GDPR had taken place. Please see the press release here and decision here, only available in German.
    2. The Court of Justice of the European Union (‘CJEU’) issued, on 9 February 2023, a preliminary ruling in Case C‑453/21 X-FAB Dresden GmbH & Co. KG v FC, following a request submitted by the German Federal Labour Court (‘Labour Court’) concerning Articles 38(3) and 38(6) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In particular, the preliminary ruling outlines that the request by the Labour Court was submitted in relation to the dismissal of an employee of X-FAB from the position of data protection officer (‘DPO’). Please see the preliminary ruling here.
  2. Legislation
    1. The House of Lords Delegated Powers and Regulatory Reform Committee published a report on the Retained EU Law (Revocation and Reform) Bill 2022-23. The Bill was brought from the House of Commons to the House of Lords on 19 January 2023. The Committee’s role is to report on inappropriate delegations of legislative power and inappropriate degrees of parliamentary scrutiny.
    2. The Home Office, pursuant to the requirement imposed upon it by section 260(4)(b) of the Investigatory Powers Act 2016 (IPA 2016), published its statutory report on the operation of the IPA 2016.
  3. Guidance & Draft Guidance
    1. The Home Office launched a consultation on the review of the Computer Misuse Act 1980 (CMA).
    2. The FCA published a feedback statement following its call for input on the use of “synthetic data” to support financial services innovation.
    3. The French DPA (CNIL) published two sets of guidelines on health authorisation requests. In particular, CNIL explained that the guidance aims to aid data controllers in submitting their requests for authorisation of processing in the field of healthcare for research and non-research purposes. Please see the press release here and the guidelines here and here, all only available in French.
    4. The Information Commissioner’s Office (‘ICO’) published an update regarding its statement, published on 20 January 2023, on obligations of public electronic communications service providers (‘CSPs’) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (‘PECR’), which it had subsequently removed, following the receipt of feedback on the same.
    5. The Spanish DPA published a blog post on when data controllers should review and update data protection security measures.
  4. Data Protection Authority Updates
    1. The CNIL fined DISCORD INC. 800,000 euros for failing to comply with several obligations under the GDPR.
    2. The Bavarian DPA issued a statement, only available in German, addressing the interplay between its data protection supervision and the general legal and technical supervision of Bavarian municipalities, as it is carried out by the competent district office or governmental entities.
    3. The Office of the Data Protection Authority (“ODPA”) published its Strategic Plan (2023–2026). In particular, the ODPA stated that, in May 2022, it had consulted the public on its future strategy, and the results of this public consultation fed into the strategic plan’s development by the Commissioner and the ODPA’s Board Members. Please see the press release here.
    4. The Spanish DPA fined Vodafone España, S.A.U. €70,000, subsequently reduced to €56,000, following a complaint. Please see the decision, only available in Spanish, here.
  5. Privacy News
    1. Following the publication of the strengthened Code of Practice on Disinformation, the signatories of the Code including all major online platforms (Google, Meta, Microsoft, TikTok, Twitter) launched the new Transparency Centre and published for the first time the baseline reports on how they turn the commitments from the Code into practice.
    2. The European Commission announced that the EU and India had set up a new Trade and Technology Council, to deepen the strategic engagement on trade and technology between both partners. Please see the press release here.
    3. The UK government has launched a call for views on measures on software resilience and security for businesses and organisations. This call for views aims to explore how the government can build on its existing interventions in this field, including the Product Security and Telecommunications Infrastructure Act 2022 and Code of Practice for App Store Operators and App Developers, to best improve software security throughout the breadth of the software lifecycle from development, procurement, use and maintenance through to its eventual end of life.
    4. The UK government has published a press release stating that the Prime Minister has created four new government departments. The departments include a Department for Science, Innovation and Technology (DSIT) and a refocused Department for Culture, Media and Sport (DCMS).