Brexit: 55 Days to Go, or is it?

It has been a momentous week for UK politics. With Parliament back from the summer recess, MPs moved to seize control of the Order Paper from the Government. There then followed an audacious move to legislate against a “No Deal” Brexit, a move which would hamstring the Government’s Brexit negotiation strategy. The Government’s strenuous attempts to prevent the passage of legislation taking the “No Deal” option out of the equation led to the withdrawal of the whip (in effect the suspension) of 21 Conservative MPs. The legislation that would prevent a No Deal outcome returns to Parliament early next week. It remains to be seen whether it achieves Royal Assent and is written into law.

In the meantime, the plan to prorogue Parliament for five weeks ahead of the Brexit deadline moved on apace despite a number of legal challenges.

Elsewhere 

This week also saw the Prime Minister’s own brother, Jo Johnson, resign as Universities Minister registering his objection to the direction of the Brexit negotiations which he viewed as no longer in the national interest. 

On a happier note Downing Street announced the arrival of a new resident as the Prime Minister and his partner unveiled Dilyn their new puppy.

The Prime Minister is keen to reinforce his Government’s resolve to achieve Brexit, with or without a deal by the 31st October deadline. But despite his vigorous defence of this policy it remains unclear whether this will be achieved.

Implications for businesses

Amongst all this political turmoil it is difficult for businesses to plan ahead especially if the business model includes data transfers to or from EEA companies.

In the case of a No Deal Brexit, on the date of departure the UK becomes a ‘Third Country’ under the EU’s data transfer rules. This means the UK will not have adequacy status, so companies need to take particular steps when processing EEA* personal data, for example the data of your customers, prospects or clients.

What you need to do

The UK will recognise all EEA countries as adequate under UK law.  So there are no issues with you continuing to send personal data to the EEA. 

The reverse, however, is not the case, so there will be major changes when transferring personal data from the EEA to the UK. You need to prepare:

  1. “Know your data”, specifically the data you process about EU individuals. Make sure your data mapping is up to date and identifies those individuals outside the UK but within the EEA.
  2. Take appropriate GDPR safeguards for processing and transfers of EEA data, and update your privacy policy accordingly.
  3. Use Standard Contractual Clauses to enable transfers of personal data from the EEA to the UK (transfers from the UK to the EEA need no additional safeguard, as noted above).
  4. If you are using Binding Corporate Rules, these will need to be adjusted slightly post-Brexit.

*EEA = the 27 remaining EU Member States, plus Iceland, Liechtenstein and Norway.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Stop All the Clocks (with apologies to WH Auden)

The weekend papers informed us that many of the Brexit countdown clocks installed in Number 10 and elsewhere across Whitehall have been turned off. The countdown clocks, initiated by the Prime Minister’s most senior adviser, Dominic Cummings, were designed to underline the Government’s firm resolve to leave the EU by 31st October, deal or no deal.

If the reports are to be taken at face value, Civil Servants were finding the inexorable countdown “stressful”. You can see their point. Much remains to be done to secure a leaving deal, especially on newly negotiated terms, and this will not be a relaxing experience while a clock counts down in the corner of your computer screen. Added to which, all Civil Service leave has been cancelled until after Brexit day.

Last week in this blog we outlined the very limited time available to Parliament to put in place legislation ahead of the 31st October deadline. This week’s announcement of the prorogation of Parliament and a Queen’s Speech, while in line with Parliamentary convention, narrows the timeframe further. With limited time available, the probability of “No Deal” (a major part of the Government’s negotiation strategy) has increased.

New Developments on the Implications of No Deal for Employers & Employees

As the prospect of a “No Deal” Brexit increases, uncertainty for business will inevitably rise. One of the issues that has risen up the business agenda is the status of EU nationals in the workforce. You could say the countdown clocks are running for UK business, especially those employing EU citizens.

Under the Theresa May plan, free movement of EU citizens would have continued during the transition period until 31st December 2020. The new Home Secretary, Priti Patel, has stated that in a ‘No Deal’ Brexit free movement would come to an end on 31st October 2019. Newspaper reports state that the Home Office said: “Freedom of movement as it currently stands will end on October 31”.

Employee “Settled Status” – EU citizens already working in the UK on Brexit day will be able to stay and apply for settled status, provided they have five years’ residency. Those with less than five years’ residency will be given a grace period, with residency on a temporary basis, until they reach the five-year mark and qualify to apply for settled status. Employers should be actively making their EU employees aware of these requirements.

While employers are not currently required to check their EU workers’ settled-status position, this should not be ruled out in the future. As well as assisting employees in negotiating the settled status process, it would be prudent for employers to check the status of their EU workers.

Implications for HR Personal Data Protection

Employers must:

  • demonstrate transparency in their privacy notices about the collection of personal data for verification purposes;
  • ensure that they have appropriate organisational and technical security measures in place, including policies and procedures for processing HR-related personal data and, where applicable, special category data;
  • ensure that they include all categories of employee personal data in their personal data mapping/records of processing.

If you have any questions or concerns about how Brexit will affect your business, in HR or any other area, please call 01787 277742 or email teambrexit@datacompliant.co.uk


Sweden issues first fine under GDPR for the use of facial recognition technology in a school

Previously on this blog, we discussed the UK Information Commissioner’s Office (ICO) investigation into the planned rollout of facial recognition software for a large site around King’s Cross in London. This investigation has renewed scrutiny of the technology among data protection observers, particularly in its relation to privacy rights.

Facial recognition technology for use in schools and on campuses has taken off in the United States and elsewhere, and there are even tech companies dedicated specifically to this section of the security industry. Amid understandable concerns about security at schools in the US, companies offer fairly comprehensive ‘biometric security platforms’ for schools, colleges and universities. Such services claim to identify unauthorised visitors, alert school personnel and secure campus events.

Despite the industry’s seemingly unstoppable uptake, Sweden’s Data Protection Authority (DPA) has issued its first fine to date for the use of this technology in a school. The DPA found a local authority to be in breach of the EU’s General Data Protection Regulation (GDPR), which the Swedish Riksdag supplemented with a national Data Protection Act in April last year.

The local authority, the Skellefteå municipality in the north, was trialling facial recognition on secondary school students for the purpose of tracking attendance. Pupils’ faces would be scanned and registered remotely as they entered the classroom. Consent had been sought from the parents of the twenty-two students who participated in the trial in autumn 2018, but this was not deemed a sufficient basis for collecting special category (biometric) data: the DPA saw no adequate reason for the municipality to process and control this sensitive and potentially risky data. It took into consideration the students’ privacy expectations, as well as the fact that there are many less intrusive means of automating or economising on attendance tracking. As the GDPR’s data minimisation principle (Article 5(1)(c)) puts it, personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’

In February, the local authority had told SVT Nyheter, the state broadcaster, that teachers were spending 17,000 hours a year reporting attendance, which is how facial recognition, as a time- and cost-effective replacement for human labour (as is so often the case with new tech), came to the table.

Countdown to Brexit… 69 days to go

The new Parliamentary session starts on 3rd September. Inevitably the session will be, once again, dominated by Brexit. With so little time between the start of the session and the Brexit deadline of Hallowe’en (31st October) there will be little Parliamentary time given over to any issues other than the terms of the UK’s exit from the EU. Parliamentary time is limited further by the Party Conference season with a further recess between 14th September and 9th October.

The Conservative Party Conference runs from 29th September to 2nd October in Manchester.  Members of Cabinet will be expected to attend and no doubt their speeches from the platform and on the fringe will be scrutinised for new policy initiatives and especially the direction of policy post Brexit. 

Over the summer the political agenda was dominated by the possibility of a “No Deal” Brexit, with MPs from all parties floating a variety of plans for how such an eventuality could be prevented. Prime Minister Johnson has been resolute in his belief that the No Deal option cannot be removed from the table.

Data Protection Implications

The new Prime Minister wasted no time in assembling his new Cabinet, making his intentions very clear by appointing, with few exceptions, long-standing Brexit supporters. Notable among the exceptions were Amber Rudd, who keeps the Work & Pensions brief she has held since November 2018, and Nicky Morgan, who assumes a Cabinet role as Secretary of State for Digital, Culture, Media and Sport. The latter is of particular interest because the brief includes Data Protection regulation and writing the “UK GDPR” into UK law.

When the UK exits the EU, as is planned, the EU GDPR will no longer be directly applicable in the UK (although the Data Protection Act 2018, which references the GDPR, will still apply). The UK government intends to write the GDPR into UK law, with changes to tailor it for the UK. The government has already published the ‘Keeling Schedule’ for the GDPR, which shows the planned amendments. It can be found here: http://bit.ly/2Nsy9sw

The amendments primarily relate to references to the European Parliament, EU Member States, and the EU Commission.

What Next?

Deal or No Deal, on the exit date the UK will become a ‘third country’ (to use the jargon). It has been suggested that there will be a period of at least two years of negotiations to finalise the full terms of the divorce arrangements. During this time the UK Government will continue to allow transfers of personal data to the EU. This will be kept under review by the new Secretary of State. Watch this space!

Gareth Evans 23.08.2019

Facebook’s cryptocurrency Libra under scrutiny amid concerns of ‘data handling practices’

It would be giving the burgeoning cryptocurrency Libra short shrift to call it ambitious. Its aims as stated in the Libra Association’s white paper are lofty even by the rhetorical standards of Silicon Valley. If defining Libra as ‘the internet of money’ isn’t enough to convince you of the level of its aspiration, the paper boasts the currency’s ability to financially enfranchise the world’s 1.7 billion adults without access to traditional banking networks or the global financial system.

Like its crypto predecessors, Libra uses blockchain technology with the stated aim of being decentralised and inclusive, enabling anyone with the ability to pick up a smartphone to participate in global financial networks. Distinguishing itself from existing cryptocurrencies, however, Libra promises stability thanks to the backing of a reserve of ‘real assets,’ held by the Libra Reserve. There is also the hypothetical added benefit of Libra proving more energy efficient than cryptocurrencies such as Bitcoin, because there will be no ‘proof of work’ mechanism such as Bitcoin mining, whose electricity consumption grows with the network’s hash rate.

So far, so Zuckerberg. It may seem unsurprising then, that global data protection regulators have seen the need to release a joint statement raising concerns over the ‘privacy risks posed by the Libra digital currency and infrastructure.’ While risks to financial privacy and related concerns have been raised by Western policymakers and other authorities, this is the first official international statement relating specifically to personal privacy.

The joint statement, published on the UK Information Commissioner’s Office (ICO) website on 5th August, has signatories from Albania, Australia, Canada, Burkina Faso, the European Union, the United Kingdom and the United States. The primary concern is that there is essentially no information from Facebook, or its participating subsidiary Calibra, on how personal information will be handled or protected. The implementation of Libra is rapidly forthcoming: the target launch is in the first half of next year. Its uptake is anticipated to be similarly rapid and wide-scale thanks to Facebook’s goliath global status. It is likely, therefore, that the Libra Association (nominally independent, but of which Facebook, among other tech and communications giants, is a founding member) will become the custodian of millions of people’s data, many of whom will reside in countries that have no data protection laws, in a matter of months.

The statement poses six main questions (a ‘non-exhaustive’ conversation-starter) with a view to getting at least some information on how Libra will actually function, both at user level and across the network; how the Libra Network will ensure compliance with relevant data protection regulations; how privacy protections will be incorporated into the infrastructure; and so on. All of these questions are asked to get some idea of how Facebook, Calibra et al. have approached personal data considerations.

Profiling, Algorithms and ‘Dark Patterns’

The joint statement asks how algorithms and profiling involving personal data will be used, and how this will be made clear to data subjects so as to meet the standards for valid consent. These are important questions relating to the design of user-level access to the currency, about which prospective stakeholders remain ill-informed. The Libra website does state that the Libra blockchain is pseudonymous, allowing users to hold addresses not linked to their real-world identity. How these privacy designs will manifest remains unclear, however, and there is as yet no guarantee that de-identified information cannot be re-identified, whether internally or by third parties.

The regulators also bring up the use of nudges and dark patterns (sometimes known as dark UX), methods of manipulating user behaviour that can rapidly become unethical or illegal. Nudges may be incorporated into a site in order to prompt commercial activity that might not have happened otherwise (they may sometimes be useful, such as a ‘friendly reminder’ that Mother’s Day is coming up on a card website). There is not always a fine line between a reasonable nudge and a dubious one. Consider the example of Facebook asking a user ‘What’s on your mind?’, prompting the expression of a feeling or an attitude. We already know that Facebook has plans to scan information on emotional states, ostensibly for the purposes of identifying suicidal ideation and preventing tragic mistakes. The value of this data to unscrupulous agents, however, could prove, and indeed has proved, incalculable.

The Libra Network envisions a ‘vibrant ecosystem’ (what else?) of app-developers and other pioneers to ‘spur the global use of Libra.’ Questions surrounding the Network’s proposals to limit data protection liabilities in these apps are highly pertinent considering the lightspeed pace with which the currency is being designed and implemented.

Will Libra be able to convince regulators that it can adequately distance itself from these practices, practices which take place constantly and perennially online? Has there been any evidence of Data Protection Impact Assessments (DPIAs), as the European Union’s General Data Protection Regulation (GDPR) unequivocally demands for data sharing of this magnitude?

Hopefully, Facebook or one of its subsidiaries or partners will partake in this conversation started by the joint statement, providing the same level of cooperation and diligence shown to data protection authorities as they have to financial authorities. More updates to come.

Harry Smithson, 9th August 2019

Framework for EU-US data flows under scrutiny as ‘Schrems II’ case takes place at the CJEU

For those unfamiliar with the Schrems saga, a brief catch-up may be required. The original case, now known as ‘Schrems I,’ involved an Austrian activist, Max Schrems, filing a complaint with the Irish Data Protection Commission against Facebook. The complaint was that Facebook had allowed US authorities to access his personal data on social media in violation of EU data protection law. This case ultimately found its way to the Court of Justice of the European Union (CJEU) and resulted in the invalidation of the ‘Safe Harbor Framework,’ which was the framework companies relied on to transfer data from the EU to the US. This was largely because US legislation does not place adequate limits on what data the authorities may access.

With the Safe Harbor Framework invalidated, the Irish DPA asked Max Schrems to reformulate the case. On 9th July, ‘Schrems II’ was heard at the CJEU in Luxembourg. This case took aim at the EU Standard Contractual Clauses (SCCs), which Facebook has been relying on to legitimise its international data flows. Advocates for Schrems also called for invalidation of the EU-US Privacy Shield, arguing that it provides inadequate protection and privacy to data subjects.

The hearing included many supporters of the SCCs, who emphasised the role of DPAs in enforcing them and suspending data flows where necessary and appropriate. The CJEU will likely not reach a decision until early 2020, but with the two remaining frameworks for legitimate EU-US data flows under such heavy scrutiny, data protection practitioners should be preparing for the impact these potential invalidations will have on their clients’ or their companies’ data flows.

Harry Smithson, July 2019

Two high-profile GDPR fines for British Airways and Marriott International, Inc

The Information Commissioner’s Office (ICO) has released two statements this week declaring intention to fine British Airways and Marriott International, Inc £183.39m and £99m respectively for breaches of the General Data Protection Regulation (GDPR). In both cases, which affect data subjects from countries across the world, the ICO was the lead supervisory authority acting on behalf of other EU Member State data protection authorities.

These punitive measures are provided for under the GDPR, and are the largest fines issued by the ICO to date. Both therefore break the former record, the £500,000 fine issued to Facebook last year for the social media giant’s role in the Cambridge Analytica scandal (which was actually the maximum fine possible under the previous, much more lenient legislation, since much of the conduct had taken place prior to the GDPR’s implementation).

These two warning shots are well below the maximum of 4% of global turnover that the GDPR allows (about 1.5% of turnover in BA’s case). This leniency reflects the companies’ willingness to cooperate with the authority and make immediate improvements where possible. Nevertheless, it is expected that both companies will appeal.

Failure to protect their customers’ data through negligent digital security was at the heart of both decisions. The ICO found that from June to September 2018, users of BA’s website were being diverted to a fraudulent site used to harvest data. Roughly 500,000 customers had their personal information compromised in this way. Arguably on an even greater scale, the hotel giant Marriott was found to be presiding over a system that exposed 339 million guest records.

Due diligence is the important aspect of these decisions, associated with the principle of ‘accountability’ defined in the GDPR. In the case of BA, poor security arrangements on the website were responsible for the attackers being able to harvest personal data including log-in details, payment card details, travel bookings, names and addresses. Similarly, Marriott had failed to carry out due diligence when it acquired Starwood (a hotel chain), whose guest reservation database had been compromised since 2014.

Marriott’s CEO has emphasised the fact that its subsidiary was the victim of a cyberattack; indeed, the company itself notified data protection authorities of the breach. But as the Information Commissioner, Elizabeth Denham, has stated, “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

These decisions set a strong precedent, and will hopefully encourage companies to take greater responsibility for the personal data they hold. Being the victim of a cyberattack is not in itself an excuse: companies and organisations must demonstrate that they have taken appropriate and robust security measures. The accountability principle as set out in the GDPR is very clear on this.

Harry Smithson, July 2019

University data protection policies under scrutiny as report finds threats of cyber attacks

A report published by the Higher Education Policy Institute and written by Jisc, the digital infrastructure provider for UK higher education, has emphasised the expanding risk of cyberattacks on UK universities and academic institutions in general. Last year saw a 17% increase in attacks and breaches over the year before, and the trend is likely to continue. The attacks will increase not only in frequency but also in sophistication.

It is common knowledge that the higher education sector is expanding massively as more and more young people at home and abroad become students in the UK. On top of this, universities have become increasingly involved in cyber security research, making these institutions ever more desirable targets for, in the report’s words, “organised criminals and some unscrupulous nation states.” According to separate research conducted by VMware, 36% of universities believe that a successful cyberattack on their research data would pose a risk to national security.

The report (titled “How safe is your data? Cyber-security in higher education”) begins by relating a couple of everyday scenarios in academia in which cyberattacks can easily occur. These scenarios include a Distributed Denial of Service (DDoS) attack on a student using a Virtual Learning Environment (VLE); and a ransomware infection affecting a university’s digital infrastructure after a member of staff visits a website containing malicious code.

Threats such as these compound the sector’s somewhat under-reported history of data protection challenges (to put it lightly). Thousands of records, many containing special category data (prior to the GDPR, ‘sensitive personal data’), were breached across a host of institutions throughout 2017 and 2018. A whistle-stop tour of these incidents might include the University of East Anglia’s email scandal, in which a spreadsheet containing health records connected to essay extensions was sent to hundreds of students; the University of Greenwich receiving a £120,000 fine for holding data on an unsecured server; and Oxford and Cambridge research papers being stolen and sold on Farsi-language websites.

To understand the extent of the vulnerability that the HE sector’s data protection policies and practices have demonstrated, one need only look at Jisc’s penetration tests of an array of institutions’ resilience to ‘spear-phishing,’ an attack in which a specific individual is targeted with requests for information (often an email using the name of a senior member of staff, requesting, for example, gift voucher purchases or the review of an attached document containing malware). 100% of Jisc’s attempts to use spear-phishing to gain access to data or find cyber vulnerabilities were successful.
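The spear-phishing pattern described above (a message carrying the name of a senior member of staff, a request for gift vouchers or the review of an attachment) is mechanical enough to triage automatically. The following Python is an added example, not part of the Jisc report or this blog: it parses a message, flags a display name that matches a known senior staff member but arrives from an outside address, a Reply-To that diverts responses elsewhere, lure phrasing in the body, and macro-capable attachments. The institutional domain, the staff directory and the three sample messages are all constructed for illustration.

```python
"""Spear-phishing triage for inbound mail (added example, not from the Jisc report).

Assumptions, all illustrative: the institution's domain is example.ac.uk,
SENIOR_STAFF is the directory of names attackers tend to impersonate, and the
SAMPLES below are constructed messages rather than real captures.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.ac.uk"  # assumed institutional domain
SENIOR_STAFF = {               # assumed directory: normalised display name -> real address
    "prof. jane doe": "j.doe@example.ac.uk",
    "dr alan smith": "a.smith@example.ac.uk",
}
# Phrasing typical of the gift-voucher / "review the attached" lures the report describes.
LURE_PATTERNS = [
    r"\bgift\s*(?:card|voucher)s?\b",
    r"\bitunes\b|\bamazon\b",
    r"\burgent(?:ly)?\b",
    r"\breview\b.{0,40}\battach",
    r"\bare you (?:available|in the office)\b",
]
RISKY_EXTENSIONS = (".docm", ".xlsm", ".html", ".htm", ".js", ".zip", ".iso")


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> dict:
    """Return a verdict and the list of findings that justify it."""
    findings = []

    # 1. Display-name impersonation: a senior name on a non-directory address.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    expected = SENIOR_STAFF.get(_norm(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' impersonates {expected} from {from_addr}")

    # 2. Reply-To pointing at a different domain diverts the victim's reply.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} diverts replies away from {from_addr}")

    # 3. Lure language: two or more phrases is a much stronger signal than one.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if len(hits) >= 2:
        findings.append(f"{len(hits)} lure phrases in body")

    # 4. Attachments able to carry macros or scripts.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")

    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def _message(from_, subject, body, reply_to=None, attachment=None) -> EmailMessage:
    """Build a constructed sample message (not a real capture)."""
    m = EmailMessage()
    m["From"] = from_
    m["To"] = "finance.team@example.ac.uk"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m


SAMPLES = [
    # Impersonation from a webmail address plus gift-card lure.
    _message("Prof. Jane Doe <jane.doe.vc@gmail.com>", "Quick favour",
             "Are you in the office? I need you to purchase gift cards urgently for a client."),
    # Genuine message from the directory address with a benign attachment.
    _message("Prof. Jane Doe <j.doe@example.ac.uk>", "Committee minutes",
             "Minutes of the committee meeting are attached, thank you.",
             attachment=("minutes.pdf", b"%PDF-1.4 constructed sample")),
    # Directory address (spoofed or compromised) with a diverted Reply-To and a macro document.
    _message("Dr Alan Smith <a.smith@example.ac.uk>", "Invoice for approval",
             "Please review the attached invoice and confirm payment today.",
             reply_to="Dr Alan Smith <a.smith.office@mail-relay.example.net>",
             attachment=("invoice.docm", b"PK\x03\x04 constructed sample")),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(sample["Subject"], "->", result["verdict"], result["findings"])
```

Run stand-alone it prints one line per sample; only the genuine committee-minutes message is delivered. The checks are deliberately independent so that a message which passes the display-name check (because the attacker spoofed or compromised the real address) is still caught by the Reply-To or attachment checks, which is why the third sample is quarantined despite its From address matching the directory.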

Data protection policies go hand in hand with cyber security. Vast amounts of information are stored and used in university research projects, containing data relating not only to students and faculty but to many external individuals and third parties. Robust data protection policy, including appropriate training for staff, regular risk assessments and penetration testing, is vital to reduce exposure to phishing, breaches and hackers.

As the report concludes, “It is imperative that those in higher education continually assess and improve their security capability and for higher education leaders to take the lead in managing cyber risk to protect students, staff and valuable research data from the growing risk of attack.”

Harry Smithson, June 2019

European Commission reports awareness throughout Europe of data rights and data protection

The Special Eurobarometer 487a report on the GDPR, conducted by the survey and data insight consultancy Kantar at the request of the European Commission, was published this month. Where relevant, the report’s findings are compared with those of the Special Eurobarometer 431 on Data Protection conducted in 2015.

The salient finding is that two-thirds of Europeans have heard of the General Data Protection Regulation (GDPR). Moreover, a clear majority are aware of most of the rights guaranteed by GDPR and nearly six out of ten Europeans know of a national authority tasked with protecting their data and responding to breaches.

The level of general awareness of GDPR varies across the EU, ranging from nine in ten respondents in Sweden to just over four in ten in France (44%).

The sixty-eight page report contains detailed comparative data on European attitudes toward the Internet, social media, online purchasing, data security and other GDPR-related phenomena.

Social Media

Despite a general increase in data awareness, the proportion of European social network users who answered yes to the question ‘have you ever tried to change the privacy settings of your personal profile from the default settings on an online social network?’ has fallen by four percentage points (from 60% in 2015 to 56% in 2019), though it remains a majority. Trust in social media giants among Europeans, therefore, seems to remain broadly stable.

Interestingly, while UK internet users are by some way the most likely in Europe to regularly purchase online (64%, followed by the Dutch and Swedish on 50%), they are also among the most likely to ‘never’ use social networks (one in five), behind only the Czech Republic (21%) and France (28%). Might this not place under scrutiny the common assumption of a significantly positive correlation between marketing on social media and online sales? While online purchasing has remained stable since 2015, use of social media has expanded significantly, by 15 points.

Privacy Statements

For anyone working on privacy statements, or considering reworking the ones they have, the report’s findings on this subject may be useful. Only 13% of EU28 internet users say they ‘fully read’ a privacy statement; 47% of respondents said they read them ‘partially,’ while 37% do not read them at all. These figures are fairly consistent across demographics and member states.

Perhaps unsurprisingly, the length of privacy statements is the main reason respondents give for not fully reading them (cited by 66% of respondents, who could choose multiple reasons in the survey). In the UK this is higher than average at 75%, consistent with the finding that heavier internet users are more likely to find statements too long to read.

Length is followed by finding the statements unclear or difficult to understand (31%), the mere existence of a privacy statement on the website being considered sufficient (17%), the belief that the law will protect them in any case (15%), the statement ‘isn’t important’ (11%), distrust that the website will honour the statement (10%, although this has fallen by 5 points since 2015), and finally ‘other’ and ‘not knowing where to find them’ (5% each).

Websites do seem to have improved the clarity or wording of their privacy statements slightly over the last four years, given the mild reduction (7 points) in Europeans saying the statements are difficult to understand. Respondents in the UK are among the least likely in Europe (at 19%) to find privacy statements unclear, on a par with Croatians and just behind Latvians (at 15%).

Concern over control of data

The report shows there is still more that can be done by organisations, and even by data protection authorities, to build confidence among people providing information online. More than six in ten Europeans are concerned about not having complete control over the information they provide online; indeed, 16% responded that they were ‘very concerned’. The British and the Irish are among the most concerned, either ‘very’ or ‘fairly’, at 73% and 75% respectively.

Overall, there has been a mild decrease across Europe in respondents expressing concern over control of their data, with significant decreases of up to 20 points in Eastern Europe. Five countries show minor increases in concern, the highest being France and Cyprus at 5 points.

Conclusions

Respondents are not only broadly aware of the rights guaranteed under the GDPR, but many have begun to exercise them. Nearly a quarter of Europeans (24%) have invoked the right not to receive direct marketing. While awareness of the right to have a say when decisions are automated remains relatively low (41%), this proportion is likely to increase.

As the report states, ‘the GDPR regulation is now more important than ever – almost all respondents use the Internet (84%), with three quarters doing so daily.’ Organisations have the opportunity to pave the way for greater confidence and trust in online activities involving consumers’ data.

Harry Smithson, 28th June 2019

Belgian Data Protection Authority’s first GDPR fine imposed on public official

The Belgian DPA delivered a strong message on 28th May 2019, that data protection is “everyone’s concern” and everyone’s responsibility, by applying the GDPR’s sanctioning provisions for the first time in Belgium with a fine of €2,000 imposed on a mayor (‘bourgmestre’) for the unlawful use of personal data.

Purpose Limitation was Breached 

The mayor in question used personal data obtained for the purposes of mayoral operations in an election campaign, in breach of the GDPR and in particular the purpose limitation principle, which states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Given the fairly moderate fine, the data the mayor obtained probably did not contain special category data (formerly known as sensitive personal data in the UK). The Belgian DPA also looked at other factors when deciding on the severity of the sanction, including the limited number of affected data subjects, the nature and gravity of the infringement, and its duration.

‘Not Compatible with Initial Purpose’ 

The Belgian DPA received a complaint from the affected data subjects themselves, whose consent to the processing of their data was based on the assumption that it would be used appropriately, in this case for administrative mayoral duties. The plaintiffs and the defendant were heard by the DPA’s Litigation Chamber, which concluded along GDPR lines that ‘the purpose for which the personal data was initially collected was not compatible with the purpose for which the data was further used by the mayor.’

The decision was signed off by the relatively new Belgian commissioner, David Stevens, as well as the Director of the Litigation Chamber, a Data Protection Authority chamber independent from the rest of the Belgian judicial system. 

Harry Smithson, 3rd June 2019