
The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

Marketing to private individuals: What you need to know

If you or your company send promotional materials to individuals, chances are you rely largely on direct marketing to attract and target clients, allowing you to establish profitable business-to-consumer (B2C) relationships. Curating efficient marketing and sales tactics is critical to reaching your target audience and informing them about your company and why they should engage with you, regardless of industry. However, it is critical to prioritise your customers' privacy and their rights under data protection law. Whether you market Business-to-Business (B2B) or Business-to-Consumer (B2C), if your company operates in the UK or handles the personal data of UK residents, there are regulations you need to follow. Read our full blog here.

MEPs adopt a resolution against granting the USA Adequacy Decision 

On Thursday, May 11, MEPs voted on a resolution regarding the proposed EU-US data flow agreement. In the session, MEPs voted that the Commission should not continue with its adoption of the US Adequacy Decision under the EU-US Data Privacy Framework. MEPs highlighted that although there has been improvement, there are still insufficient safeguards around the protection of personal data regarding bulk collection and the Data Protection Review Courts. MEPs further stressed the need for the framework to be ‘future-proof’ and to withstand legal challenges. The text was adopted with 306 votes in favour, 27 against, and 231 abstentions. You can read the full press release here.

CJEU rules on the right to compensation under the GDPR 

In Case C-300/21, the Austrian Supreme Court had doubts over the extent of the right to compensation under the GDPR, which establishes a right to compensation for material and non-material damage. The Supreme Court questioned whether non-material damage has to reach a certain threshold of ‘seriousness’ before compensation is possible. The CJEU said there is a clear right to compensation, subject to three cumulative conditions (an infringement, material or non-material damage resulting from the infringement, and a causal link between the infringement and the damage), stressing that not every infringement would give rise to damages. The Court further stressed that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. It added that it is for each Member State’s legal system to prescribe the rules for action, including the criteria for determining the extent to which compensation is payable, as long as it is “full and effective…for the damage suffered”.

Save the date: Fireside chat GDPR anniversary

Met accused of using facial recognition at the King's coronation 

The Metropolitan Police (the Met) has been accused of using live facial recognition technology. The Met stated that it intended to use the technology to scan faces at the event, matching them against a list of people wanted by the police. The announcement on the use of the technology came after the police were granted wider powers to crack down on protests, which led many to believe that this technology was going to be used against the protesters. Experts have stated that this was likely the largest number of faces scanned and the largest deployment of live facial recognition. Emmanuelle Andrews, a campaigner for Liberty, said that the use was “extremely worrying” and could limit our rights and liberties.

CJEU decides on case relating to the right to obtain a copy of personal data

In Case C-487/21, the Court of Justice of the European Union (CJEU) held that the right to obtain copies of personal data includes the data subject receiving a “faithful and intelligible reproduction of all [the] data”, including extracts from documents or the full document, or extracts from the databases where it is stored. The case involves a data subject asking for a copy of their data, but receiving a list of the personal data undergoing processing. The case was first heard in the Austrian Federal Administrative Court but was sent to the CJEU for clarification. The CJEU further notes that the term ‘copy’ does not refer to a specific document, but to the personal data which it contains, which must be complete, containing all the personal data undergoing processing. On the point of balancing the data subject’s rights and the rights and freedoms of others, the court stresses it has to be a balancing act, ensuring the communication of personal data does not infringe upon the rights and freedoms of others.

EDPB launches a data protection guide for SMEs 

The European Data Protection Board has launched a data protection guide for small and medium enterprises (SMEs). It aims to give SMEs an overview of the GDPR, how it applies to them, their obligations under the GDPR, and how they can protect personal data. The guide will provide SMEs with information, videos, and practical examples. Some of the topics covered in this guide include the basics, individual rights, how to be compliant, the security of personal data, and data breaches. For the full article click here.


Tennessee and Montana will become the eighth and ninth states to enact privacy laws 

At the end of last month, Montana’s and Tennessee’s state legislatures approved comprehensive data privacy law proposals. In Montana, the state senate passed the amended version of the Montana Consumer Data Privacy Act, and the Tennessee state senate passed the amended version of the Tennessee Information Protection Act. The Tennessee bill, which was signed into law on May 11, will create a 'safe harbour' for businesses implementing a privacy programme that is compliant with the National Institute of Standards and Technology (NIST), and the Montana bill will require businesses to recognise opt-out. The Montana bill will be sent to the state Governor’s desk for final signing. This marks an important step in the US privacy space, and adds to the many new laws introduced this year. These include Washington State, which passed a law aimed at health data and categories of data that are not automatically associated with health data.

Saudi Arabia makes changes to its Personal Data Protection Law 

The Kingdom of Saudi Arabia is set to make changes to its current Personal Data Protection Law (PDPL), with the new amendments promising to bring in new concepts to push the PDPL closer to the standards set by the EU and other international data protection laws. The new PDPL is set to come into force in September 2023, with a one-year grace period for controllers to achieve compliance. One of the key changes in the PDPL is regarding transfers. The amended PDPL will allow for the transfer or disclosure of personal data outside the Kingdom only if it achieves certain purposes and set conditions are met. The amendment also allows controllers to rely on ‘legitimate interests’, and there are expected to be provisions on the role of the DPO and data breaches. 


We want you!

To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking candidates for the following positions:

  • Data Protection Officers (based in the United Kingdom or The Netherlands)
  • Data Protection Officer (German Speaking)
  • Data Protection Support Officer (DPSO) to join our #oneteam 

If you are looking for a new and exciting challenge, apply today!

Keep in touch

Do you have any interesting stories? Are you looking for support with your data protection compliance? We would love to hear from you!

Please email us at news@thedpia.com.


Copyright © 2023 The DPO Centre, All rights reserved. 


The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom
