The Week – In Perspective: European Data Protection Board establishes a cookie banner taskforce

In this week’s round-up of the latest news and developments in Data Protection, we look at the key takeaways from the Irish data protection regulator’s WhatsApp decision, a statement from the British data protection regulator about COVID status check schemes and an announcement from the European Data Protection Board about cookies (not the edible kind however!).
The Information Commissioner’s Office (ICO) issues a statement on mandatory COVID status check schemes
What happened
- To coincide with the introduction of mandatory vaccination and COVID status checks in Scotland and Wales, the data protection regulator in the UK – the ICO, has emphasised the importance of privacy when implementing these schemes.
- This includes making sure that businesses are exhibiting high standards of governance and accountability and to ensure compliance with data protection principles such as transparency and fairness.
Why it matters
- Despite COVID vaccinations being non-mandatory within the UK, the Scottish and Welsh governments have made it a legal requirement for certain venues and settings, such as nightclubs, where their customers will have their COVID vaccination status checked.
- This involves processing personal data and therefore data protection law will apply.
- Examples of methods to achieve compliance includes being clear, open and honest with people about what you are doing with their personal information. This can be through an online privacy notice or posters around the venue’s entrance.
The European Data Protection Board (EDPB) adopts opinion on draft South Korea adequacy decision
What happened
- The EDPB adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea.
- This adequacy decision will allow for the seamless transfers of personal data between the EU and the Republic of Korea including transfers in both the public and the private sector.
- The EDPB noted that there are a few key areas of alignment between the EU and South Korean data protection frameworks including the areas of data retention, security and confidentiality and transparency.
Why it matters
- The European Commission can assess a country’s laws and governance structures to determine whether they are ‘adequate’ i.e. whether they offer essentially the same level of protection of personal data as the EU.
- This process involves receiving an opinion as well as feedback from the EDPB.
- Once achieved, adequacy status will allow organisations in both jurisdictions to transfer personal data without the need for additional measures or safeguards, unless exceptions are specifically stated.
- Earlier this year, the European Commission granted the UK adequacy status.
What can we learn from the Irish data protection regulator’s fine on WhatsApp?
What happened
- Early in September this year, the Irish data protection regulator fined WhatsApp €225 million.
- The issues that were identified included failures to provide the required privacy information to WhatsApp users and non-users and failures to make privacy information available in an easily accessible form.
- The decision of the Irish data protection regulator reveals a lot about how businesses should comply with the transparency requirements of data protection law, particularly when it comes to compiling privacy notices.
Why it matters
- Privacy notices act as one way in which organisations can inform individuals about what they are doing with their personal data.
- The issues identified by the Irish data protection regulator provides some useful insights for businesses to consider with preparing their privacy notices.
- This includes avoiding the use of ‘linked documents’ so that the user is able to access all the information in one place rather then through different webpages.
- As well as this, the lawful basis for processing and the purpose for processing must be provided at a granular level of detail and on each and every processing operation respectively.
The European Data Protection Board (EDPB) establishes a cookie banner taskforce
One more thing…
During the earlier part of this year, the European Center for Digital Rights (better known as NOYB) issued more than 500 complaints to the owners of websites that, according to NOYB, use ‘unlawful’ cookie banners. Many of these complaints were later escalated to various data protection regulators across the EU. In response, the EDPB have recently established a cookie banner taskforce to promote cooperation, information sharing and best practices between data protection regulators.If you are wondering how a cookie banner should look like and what would be considered ‘lawful’, the Information Commissioner’s Office in the UK has produced some easy-to-read guidance that can be found here.