It is now three years since the EU General Data Protection Regulation (GDPR) came into force. So much has happened in the world of data protection. Where to start?

International transfers

In April, the European Data Protection Board (EDPB) looked at the EU draft adequacy decisions giving the green light to international data transfers from the EU to the UK in a post-Brexit world. It acknowledged that there is alignment between the EU and UK laws but also expressed concerns. It has, though, issued a non-binding opinion recommending their acceptance. If accepted, the two adequacy decisions will run for an initial four years.

Last month the Information Commissioner’s Office (ICO) held its annual conference online. Deputy information commissioner Steve Wood confirmed that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers which will be published for consultation in the summer.

EU representatives

Article 27 of the GDPR requires organisations based outside the EU, which are caught by the extra-territorial provisions of GDPR, to appoint an EU-based representative. This could be because they are offering goods or services to EU residents, or monitoring their behaviour.

Dutch data protection regulator Autoriteit Persoonsgegevens has fined a Canadian firm,, €525,000 for failure to comply with article 27. The Canadian company, which offers a platform to help people locate former friends, was also ordered to pay an additional €20,000 for each two-week period that passes without the fine being paid. Article 27 of the UK GDPR contains mirroring requirements in relation to organisations based outside the UK which are processing the data of UK residents.

Age Appropriate Design Code

The Age Appropriate Design Code came into force on 2 September 2020, with a 12-month transition period. The deadline for organisations to conform is 2 September 2021. The code sets out 15 standards organisations must meet to ensure children’s data is protected online. It will apply to all major online services used by children in the UK. It includes measures such as providing default settings, which ensure that children have the best possible access to online services while minimising data collection and use. With less than four months to go, the ICO is urging organisations and businesses to make the necessary changes to their online services and products.

AI and automated decision-making

Article 22 of GDPR (and the UK GDPR) provides protection for individuals against purely automated decisions having a legal or significant impact. In February, the Court of Amsterdam ordered Uber, the ride-hailing app, to reinstate six drivers who it was claimed were unfairly dismissed ‘by algorithmic means’. The court also ordered Uber to pay compensation to the drivers.

In April, the EU Commission published a proposal for a harmonised framework on artificial intelligence (AI). The framework seeks to impose obligations on both providers and users of AI. Like the GDPR, the proposal includes fine levels and an extra-territorial effect.

Publicly available information

Organisations should remember that just because information is publicly available they do not have a free pass to use it without consequences. Data protection laws have to be complied with. In November 2020, the ICO ordered credit reference agency Experian Limited to make fundamental changes to how it handles personal data within its direct marketing services. The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. Experian has lodged an appeal against the Enforcement Notice.

The Spanish regulator has fined another credit reference agency, Equifax, €1m for several failures under the GDPR. Individuals complained about Equifax’s use of their personal data which was publicly available. Equifax had also failed to provide the individuals with a privacy notice.

Data Protection by Design

The Irish data protection regulator issued its largest domestic fine recently. Irish Credit Bureau (ICB) was fined €90,000 after a change in the ICB’s computer code in 2018 resulted in 15,000 accounts having incorrect details recorded about their loans before the mistake was noticed. Among other things, the decision found that the ICB infringed article 25(1) of the GDPR (Data Protection by Design), by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner, and to integrate the necessary safeguards into the processing to meet GDPR requirements and protect the rights of data subjects.

Lloyd v Google

The much-anticipated Supreme Court hearing in Lloyd v Google LLC UKSC 2019/0213 took place in April. The case concerns the legality of Google’s collection and use of browser generated data from more than 4 million iPhone users during 2011/12. Following the two-day hearing, the court will now decide, among other things, whether, under the Data Protection Act 1998, damages are recoverable for ‘loss of control’ of data without needing to identify any specific financial loss, and whether a claimant can bring a representative action on behalf of a group on the basis that the group have the ‘same interest’ in the claim and are identifiable. The decision is likely to have wide-ranging implications for representative actions; what damages can be awarded for; and the level of damages in data protection cases. Watch this space.

Ibrahim Hasan is a solicitor and editor of the UK GDPR Handbook.