See below for the latest Data Blast from our legal team: US takes aim at TikTok and Chinese video game makers; scientific community seeks clarity over clinical data sharing; ICO publishes first code for the design of online services for children; algorithm to standardise A-level results causes panic before government reversal; Marriott faces a UK class action over data breach; Brazilian Data Protection Authority is established and Data Protection Law set to come into force; Dubai hoping for EU adequacy as its Data Protection Law takes effect.

U.S. expands ‘Clean Network’ initiative to include various Chinese operators

The U.S. Secretary of State has announced that the ‘Clean Network’ initiative, implemented in April 2020, will be expanded to include various Chinese telecom carriers, apps and cloud service providers including Alibaba, Tencent and Baidu.

Under the move, affected service providers will be prevented from storing or processing the data of U.S. users, having their apps downloaded from U.S. app stores, or being connected to the U.S. telecommunications system. Furthermore, certain Chinese smartphone manufacturers, including Huawei, will be prevented from pre-installing or offering downloads of some U.S. or foreign apps on their app stores.

When questioned on the topic of the proposed US TikTok ban, Thierry Breton, the European Commissioner for the Internal Market, said that the Commission’s focus was not on banning any particular app, but rather on ensuring that the data of European users is processed and held in Europe and not, for example, in China.

Covid-19 pandemic highlights that confusion persists over the GDPR and clinical data transfers

The leading scientific journal Nature has reported that confusion persists in the scientific community over how researchers may share and transfer clinical data in compliance with the GDPR. The journal reports that at least 40 international clinical and observational studies on risk factors and exposures for cancer have been stalled or delayed since the GDPR came into force, as researchers seek to understand the data-sharing restrictions and the exemptions for scientific research.

The journal is calling for change in two key areas.  First, changes to the Standard Contractual Clauses (SCCs) used by organisations to transfer data from the EU to countries not on the EU’s list of countries providing adequate protection. The researchers argue that the Commission should create a model set of SCCs specifically in relation to the sharing of clinical data by publicly funded and non-profit research organisations.

Second, agreement on when data are considered anonymised and so not within the scope of the GDPR.  The journal argues that EU regulatory authorities have different stances on whether ‘pseudonymised’ data qualify, and that without a consistent approach research institutes may be hesitant about sharing data. The researchers argue that assuming security safeguards are in place, if a data processor does not possess the encryption key, those data should be considered truly anonymised in the hands of the data processor.

In April 2020, the European Data Protection Board announced guidance for data processing in the context of coronavirus, and earlier this year the European Data Protection Supervisor released its Preliminary Opinion on data protection and scientific research, which can be read here.

The Opinion recommends intensifying dialogue between data protection authorities and ethical review boards to reach a common understanding of which activities qualify as genuine research. The Opinion also calls for a better understanding of the EU codes of conduct for scientific research, closer alignment between EU research framework programmes and data protection standards, and the beginning of a debate on the circumstances in which access by researchers to data held by private companies can be based on public interest.

ICO’s Age Appropriate Design Code comes into force

The ICO’s Age Appropriate Design Code (the ‘Code’) came into force on September 2nd 2020, with a 12-month transition period for online services to conform. The Code sets out the standards that online services must meet in order to protect the privacy of children and comes at a time when more children than ever are accessing the internet. The focus of the Code is on the use of personal data to personalise content feeds, rather than on regulating the content itself.

The Code, the final draft of which was published in January 2020, sets out 15 standards of age appropriate design reflecting a risk-based approach.  The focus is on providing default settings that ensure that children have the best possible access to online services whilst minimising data collection and use.

The standards include requirements to take into consideration the best interests of children, to refrain from using children’s personal data in ways that are detrimental to their wellbeing, and to ensure that settings default to ‘high privacy’.

Commenting on the introduction of the Code, the UK Information Commissioner, Elizabeth Denham, has stated that “those companies that do not make the required changes risk regulatory action. A generation from now, I believe we will look back and find it peculiar that online services weren’t always designed with children in mind.”

The ICO is the first regulator to issue such a code, but it is understood that other regulators and organisations in the U.S., EU and globally including the Organisation for Economic Cooperation and Development (OECD), are considering a similar approach.

The Code and related information and resources from the ICO can be viewed here.

A-level results calculation process leads to a surge in Subject Access Requests

As widely reported, due to the ongoing pandemic students have been unable to sit exams this year, and grades were awarded based on teacher assessment, taking into account any mock examination results and other factors. Examination boards attempted to standardise teacher-assessed grades using a model developed with Ofqual, leaving many students disappointed with their awarded grades.

The Information Commissioner’s Office (‘ICO’) expressed its concern with the automated process and has stated that “the GDPR places strict restrictions on organisations making solely automated decisions that have a legal or similarly significant effect on individuals. The law also requires the processing to be fair, even where decisions are not automated.”

The ICO later stated that it understands from Ofqual that automated decision-making does not occur when the standardisation model is applied, as teachers and exam board officers are involved in the process. The ICO’s recent statement can be viewed here. The ICO has also stated that concerned students should raise any issues with exam boards first, before contacting the ICO. This, however, appears to be at odds with the ICO’s obligation to deal with complaints under Article 57 of the General Data Protection Regulation (‘GDPR’).

In light of the reported problems, schools and colleges were anticipating a surge in Subject Access Requests (‘SARs’) from students wishing to challenge the grades they were awarded. Those immediate concerns are likely to have subsided, and we assume this to be the case, in light of the government’s decision to reverse Ofqual’s algorithmic grade allocation, under which many students reported that university offers had been rescinded because they had been ‘downgraded’ in the standardisation process. Under the GDPR, students have the right to request information concerning their marks, comments written by the examiner, and the minutes of any examination appeals panels. A SAR does not, however, give a student the right to copies of answers to any examination questions. The ICO has also published guidance on exam results SARs, which can be accessed here.

Class action claim filed against Marriott following data breach

It is reported that a class action claim has been brought in the UK on behalf of former guests of Marriott International, following one of the largest data breaches in history. The breach occurred between July 2014 and September 2018, and exposed personal data including passport and credit card details, email addresses, and in some cases reservation dates.  The vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016.

The data breach involved the personal data of over 300 million guests, which included approximately seven million UK citizens.  The ICO had already announced that it intended to fine Marriott £99.2 million, though the deadline for the ICO to impose a fine has been extended numerous times, with the current deadline being September 30th 2020.

It is reported that every person who made a reservation at an affected hotel before September 10th 2018 will be included in the claim unless they decide to opt out. The news of this class action claim highlights the importance for companies and organisations to prioritise cybersecurity in order to avoid costly claims for compensation in addition to penalties imposed by the regulator.

Brazil publishes roles and structure of new Data Protection Authority

The Brazilian Presidency has published Decree (10.474/2020) establishing the new Brazilian Data Protection Authority (the ‘ANPD’).  The Decree sets out the roles and responsibilities of the ANPD, which include carrying out public consultations and hearings, and conducting impact analysis before issuing standards and regulations.

The publication of the Decree comes on the same day that it was announced that the Brazilian Senate had rejected the President’s Provisional Measure for a delay until May 2021 of the implementation of the new Brazilian Data Protection Law (the ‘LGPD’). As a result, the LGPD will now come into force when President Bolsonaro signs the bill within 15 days of receiving it from Congress. However, it is noteworthy that under the LGPD sanctions will only apply from August 1st 2021.

The ANPD is to be staffed by approximately 40 people, including its President-Director and four Directors appointed by the Office of the Brazilian Presidency and approved by the Senate. The ANPD’s Council of Directors will be comprised of the President-Director, the four Directors and various project managers. The ANPD’s Council will be responsible for providing guidance, establishing further rules (including in the area of international data transfers) and defining the mechanism for calculating penalties for non-compliance and data breaches.

Dubai data protection law comes into effect

On July 1st 2020, the Dubai International Financial Centre (‘DIFC’) Data Protection Law came into effect. The new law was drafted with international best practice standards in mind, including the GDPR, and it is hoped by U.A.E. authorities that its implementation will lead to an adequacy finding from the European Commission in relation to data transfers. Under Article 45 of the GDPR, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection so that international data transfers may take place.

The new law contains many of the provisions found in the GDPR, including the same legal bases for processing, special requirements for the processing of special category data, and the need to conduct data protection impact assessments and to appoint a Data Protection Officer.

The new law will apply to all companies incorporated in the DIFC, irrespective of where data processing takes place. Due to the ongoing Covid-19 pandemic, businesses have three months to update policies and contracts in light of the new law.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.