The past week in data protection

It’s the start of another week in the world of data protection so it's time for another bite-sized round up of the past seven days or so:

• Firstly, happy Data Protection Day for 28 January! The day marks the anniversary of the signing of Convention 108, the first legally binding international treaty on data protection. 43 years after this landmark there are now over 137 countries with data protection laws, with more being adopted each year!
• The folks at noyb (Max Schrems’ outfit) chose Data Protection Day to issue a new survey on how the GDPR is being enforced. The headline finding of the survey is that over 74% of the 1,000 privacy professionals surveyed agreed that a DPA would find “relevant violations” if they walked through the door of an average company. The report also found that whilst the risk of high fines is a big driver for compliance, “soft law” instruments such as EDPB guidance are much less influential. Whilst the conclusions are fairly unsurprising (not least because of noyb’s objectives), the report nonetheless makes for interesting reading.
• Having warned over half of the UK's top 100 websites of the need for their cookie banners to comply (in particular through the use of a "reject all" button at the top layer), the ICO this week confirmed that it will be writing "to the next 100 - and the 100 after that". Interestingly, the ICO also indicates that it is considering using an AI tool to detect which websites are non-compliant.
• Similarly, the EDPB has this week launched a new, free and open-source, website auditing tool to help analyse whether websites are compliant with data protection laws. This is intended to facilitate both compliance checks by controllers and also enforcement by DPAs. Definitely time to pay some close attention to the external facing aspects of your GDPR compliance programs!
• The Netherlands DPA has fined Uber €10m for infringements of the GDPR in relation to driver data. The fine concerned transparency issues (not communicating retention periods to drivers) as well as a finding that Uber’s process for handling access request was overly complicated. The investigation arose because of complaints made by 170 French drivers to a French human rights group. This serves to demonstrate that: (i) even a small number of complaints can cause problems if a regulator “looks under the hood”; (ii) lead authorities will take action even where complaints arise in other jurisdictions; and (iii) introducing complexity to a rights request process will rarely go down well with regulators.
• Finally, Donald Trump has had his data protection claim against Orbis Business Intelligence thrown out by the High Court. The court found that the claim, which related to the so called “Steele Dossier”, had not been brought within the required six-year limitation period. Big shout out to the Bristows team representing Orbis - you can find out more about Bristows' involvement here.