This Week’s Techlaw News Round-up

April 26, 2024

UK law

ICO issues reprimand to housing association for exposing personal information on online portal

The ICO has issued a reprimand to Clyde Valley Housing Association in Lanarkshire after personal information was accessible to other residents on an online customer portal. Residents could access documents related to anti-social behaviour cases and view personal information about other residents, including names, addresses and dates of birth. A resident called a customer service advisor at Clyde Valley Housing Association to flag the breach, but their concerns were not escalated, and the personal information remained accessible for five days. Following a mass email to residents promoting the portal, four more residents reported the same breach, and the new system was suspended. The ICO’s investigation found that the housing association failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach. The ICO recommended that Clyde Valley Housing Association should take steps ensure its compliance with data protection law, including ensuring that rigorous testing is undertaken that focuses on data protection before the rollout of a portal in the future; and conducting a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it.

ICO fines two companies a total of £340,000 for making aggressive and unwanted marketing calls

The ICP has fined Cardiff-based Outsource Strategies Ltd £240,000 and London-based Dr Telemarketing Ltd £100,000 after they made a total of almost 1.43 million calls to people on the Telephone Preference Service. The calls, all made between 11 February 2021 and 22 March 2022, resulted in 76 complaints to the ICO and the TPS. Complainants said the callers were aggressive and used high-pressure sales tactics to persuade them to sign up for products. The ICO investigation also found evidence that both companies were specifically targeting elderly and vulnerable people.

EU law

EDPB adopts strategy for 2024-2027

The European Data Protection Board has adopted its strategy for 2024-2027. It sets out its priorities, grouped around four pillars, as well as key actions per pillar to help achieve these objectives. The four pillars are enhancing harmonisation and promoting compliance, reinforcing a common enforcement culture and effective cooperation, safeguarding data protection in the developing digital and cross-regulatory landscape and contributing to the global dialogue on data protection. In the next four years, the EDPB will continue to promote compliance with data protection law by developing guidance on important topics, and by developing materials for a wider audience. In addition, enforcement cooperation will remain an important priority for the EDPB. The Board will continue building on the vision set out in its so-called Vienna Statement, and further develop EDPB initiatives in this area, such as the coordinated enforcement actions. A new aspect of the strategy is the focus on the interplay with the new regulatory digital framework. New digital laws, such as the DMA or the DSA, have an impact on data protection and privacy. The EDPB will work to enhance cooperation with other regulatory authorities, with a view to embedding the right to data protection in the overall regulatory architecture. Furthermore, the EDPB will consider challenges raised by new technologies, such as AI. It has also published its annual report. The report provides an overview of the work carried out by the EDPB in the previous year and reflects on important milestones. In addition, it includes examples of enforcement by data protection authorities at national level.

IAB Europe issues response to EDPB Opinion on consent or pay models

IAB Europe has responded to the EDPB’s opinion about so-called consent or pay models. It considers that the Opinion is contrary to the case law of the CJEU as well as mischaracterising the consent or pay model and personalised advertising. It believes that the Opinion will increase legal uncertainty for many businesses beyond large online platforms and may ultimately undermine the ability for users to access diverse sets of services and content online for free. The IAB says that the EDPB makes overly abstract assumptions about the underlying functioning of personalised advertising, suggesting that this form of advertising would be inherently irreconcilable with the GDPR principles of data minimisation and fairness. This is not demonstrated or substantiated in any way, yet the assumptions are used to misrepresent the consent or pay model as transforming data protection rights into “a feature that data subjects have to pay to enjoy, or a premium feature reserved for the wealthy or the well-off.” The IAB says that this cannot be followed, as the GDPR stops unlawful data processing irrespective of the legal basis of processing, including consent, and provides data protection regulators with extensive investigative and corrective powers to supervise the correct application of the GDPR. The EDPB also introduces the provision of a third option, a “free alternative without behavioural advertising”, as a quasi-mandatory condition for obtaining valid consent without presenting any empirical research or other evidence to justify why companies should develop another version of their service free of charge and funded by a different form of advertising such as contextual. The IAB stresses that contextual advertising is not always a viable monetisation alternative. Yet, the IAB says that no company can be required to provide their product and services at a loss and it is not required by the GDPR, which is not intended to interfere with the business models chosen by companies. It says that the EDPB has ignored the required balance between the right to data protection and the freedom to conduct business under recital 4. The IAB is also concerned that the EDPB is seeking to impose by soft-law instrument, an unprecedented interpretation that is neither enshrined by the law nor supported by the established position of the CJEU, based on fundamentally flawed assumptions of the digital advertising industry and simply overlooking stakeholders’ commercial realities. The EDPB intends to develop further guidelines on the consent or pay model and the IAB stresses the importance of consulting to help ensure the development of sound policy guidance that takes account of all relevant stakeholders’ concerns and interests.

European Parliament adopts Platform Work Directive

MEPs have approved new rules aiming to improve the working conditions of platform workers. The new Directive aims to ensure that platform workers have their employment status classified correctly and to correct sham self-employment. They also regulate the use of algorithms in the workplace. The new law introduces a presumption of an employment relationship (as opposed to self-employment) that is triggered when facts indicating control and direction are present, according to national law and collective agreements, and taking into account EU case law. The Directive obliges EU countries to establish a rebuttable legal presumption of employment at national level, aiming to correct the imbalance of power between the digital labour platform and the person performing platform work. The burden of proof lies with the platform, meaning that it is up to the platform to prove that there is no employment relationship. The new rules aim to ensure that a person performing platform work cannot be fired or dismissed based on a decision taken by an algorithm or an automated decision-making system. Instead, digital labour platforms must ensure human oversight on important decisions that directly affect the persons performing platform work. The Directive also introduces rules that protect platform workers’ data more robustly. Digital labour platforms will be forbidden from processing certain types of personal data, such as data on someone’s emotional or psychological state and personal beliefs. The agreed text will now have to be formally adopted by the Council. After its publication in the Official Journal of the EU, member states will have two years to incorporate the provisions of the directive into their national legislation.