The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues.
The DPIA newsletter is a round-up of the most interesting and need-to-know privacy issues from the past two weeks. A quick 3-minute read to keep you on top of the news.
Knowledge nuggets for busy privacy professionals
GDPR Representative: Do you need one?
The General Data Protection Regulation (GDPR) requires many organisations located outside the EU and UK to appoint a Representative to act as a local contact point for data subjects and data protection authorities. In our latest blog, we cover frequently asked questions about the criteria for appointing an EU or UK GDPR Representative, including topics such as pseudonymised data, processing both EU and UK personal data, low-volume data processing, and the obligations of data controllers and processors.
Data privacy concerns over US spy tech firm winning NHS contract
The NHS has awarded a controversial £330 million five-year contract to US spy tech company Palantir to set up and operate a new ‘federated data platform’ (FDP). Palantir is known for working with governments and supplying spy technology. In a bid to cut patient waiting times and improve care, the FDP platform will allow NHS Trusts and integrated care systems to digitally ‘communicate’ and share data. Critics, including MPs across all parties, have voiced their data privacy concerns, highlighting the risk of patient data being mishandled. There is also a question of whether patients can opt out of the FDP data sharing process. The British Medical Association (BMA) said Palantir’s winning bid was ‘deeply worrying’.
Commissioner warns UK’s top websites to make cookie changes
The UK’s Information Commissioner’s Office (ICO) has warned some of the UK’s major websites to comply with data protection laws or face enforcement action. In a statement issued on 21 November 2023, the ICO reiterates that websites are required to provide users with fair choices over tracking for personalised advertising. Stephen Almond, ICO Executive Director of Regulatory Risk, said, ‘Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent.’ The ICO has written to the offending companies, giving them 30 days to make the changes to comply with the law. There will be an update on this work in January.
International transfers report by UK’s Data Transfer Expert Council
A report by the UK Government’s International Data Transfer Expert Council on solutions for international data transfers was published this month. With a foreword by The Rt Hon. John Whittingdale, Minister for Data and Digital Infrastructure, the report includes eight recommendations on the goals for sustainable, multilateral, and universal international data transfers. The report highlights how ‘the current fragmented approach to the global data flows system is unsustainable’ and how the recommendations align with the proposed Data Protection and Digital Information Bill (No.2).
On 15 November 2023, the European Data Protection Board (EDPB) submitted guidelines for public consultation on clarifying the technical scope of Article 5(3) of the ePrivacy Directive. The guidelines aim to provide clarity about which technical operations are covered by the Directive, particularly new and emerging tracking techniques. Solutions are discussed, such as tracking links and pixels, local processing, and unique identifiers, to ensure consent obligations are not circumvented. The guidelines do not address how consent should be collected or exemptions. The public consultation is for a period of six weeks.
Privacy activist group noyb files a complaint against EU Commission
On 16 November 2023, the privacy activist group noyb (an acronym for ‘none of your business’) filed a complaint against the European Commission over a targeted chat control ad campaign. The non-profit organisation, which is based in Vienna, Austria, states the EU Commission used unlawful micro-targeting on X (formerly known as Twitter) in September 2023 to promote its controversial chat control regulation. noyb’s data protection lawyers argue that the EU Commission has no legal basis to process sensitive data for targeted advertising, calling it a ‘threat to the EU legislative process’, and suggest that the European Data Protection Supervisor (EDPS) impose a fine.
Companies worried India’s DPDPA is too strict
The Digital Personal Data Protection Act (DPDPA), enacted by the Indian government on 17 Aug 2023, has raised concerns among some financial, healthcare, and telecommunications companies. These companies are reportedly considering legal action, as they believe the Act’s strict requirements around the use and deletion of personal data could negatively impact their operations. The DPDPA has principle-based obligations similar to the GDPR, albeit with subtle differences in areas such as consent, data localisation, and penalties. The full impact of the Act will only be clear when the rules are issued, but this recent objection highlights the need for further clarification and guidelines for the Act’s provisions.
ADGM publishes Addendum to EU SCCs
On 15 November 2023, Abu Dhabi Global Market (ADGM) issued an Addendum (ADGM Addendum) to the EU’s Standard Contractual Clauses (SCCs) for personal data transfers. This is the first Gulf country to adopt and issue this Addendum to EU clauses, which will support businesses operating in the ADGM and EU. Mr Sami Mohammed, ADGM’s Commissioner of Data Protection, said, ‘International data flows are crucial for many businesses in ADGM, as an international financial centre. This Addendum not only facilitates cross-border transfers but also reduces costs, duplication, and effort by ADGM entities.’
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom