The Week – In Perspective – 30th – 3rd September 2021

What happened

• The Data Protection Commission (DPC) in Ireland fined WhatsApp for breaching the GDPR’s transparency principles.
• The DPC also issued “an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions”.
• This is the second largest fine issued for noncompliance of the GDPR.
• WhatsApp, owned by Facebook, plan to appeal the decision in the Irish court system.

Why it matters

• The DPC claims that insufficient information was provided to individuals about the processing of information between WhatsApp and other Facebook companies.
• Transparency is a key obligation of data protection law.
• Organisations must inform individuals about what they are doing with their data.
• This includes information about why you are processing personal data and who it may be shared with.

What happened

• The UK Department of Digital, Culture, Media and Sport (DCMS) made various announcements about its post-Brexit data strategy.
• This includes the government’s prioritised list of countries for making formal decisions that will enable the free flow of personal data. The US, South Korea and Singapore are just a few of the countries mentioned.
• The UK Government have also confirmed that John Edwards is their preferred candidate for the role of Information Commissioner in the UK. He is currently the Privacy Commissioner in New Zealand.

Why it matters

• Following Brexit, the European Commission recently granted the UK ‘adequacy’ status allowing for the free flow of personal data from the EU to the UK.
• This is with the condition that the UK’s data protection laws do not significantly diverge from that of the EUs.
• The announcement from the DCMS signals that this may not necessarily be the case going forward.
• A number of challenges may arise in the future when it comes to seamless EU-UK data transfers.

What happened

• The German government is investigating whether they can temporarily ease data protection rules to allow companies to identify employees that have been vaccinated against COVID-19.
• This follows an announcement that businesses can consider the vaccination status of their staff when deciding on protective measures in the workplace.
• Germany has very stringent laws in relation to protecting personal data, particularly health information.

Why it matters

• In most EU countries, requesting vaccination data from your employees would be disproportionate and unnecessary, considering that vaccines are not mandatory for most people.
• This makes the collection and processing of such data, in most cases, noncompliant with data protection law – particularly the principle of data minimisation.
• However, exemptions can be allowed if the law of the country allows for it. It is therefore always important to check the latest guidance issued by your local data protection regulator.