It’s been just over three years since the GDPR was enforced in the UK and Europe. There has been a flurry of high-profile cases with record fines being issued (eventually) against British Airways and Marriot hotels.
There has also been much activity to curtail nuisance calls and texts.
Much of the recent news around data protection in the UK has focused on the all-important ‘adequacy decision’ meaning that EU data can continue to flow into the UK as it had while the UK were still members of the EU. The Information Comissioner's Office (ICO) has also been very busy trying to form some guidance around the use of AI and have also issued an age-appropriate design code.
There have been a few other cases that are immensely important, but have not attracted the fanfare of the likes of BA and Marriot. Here are three to look at.
TikTok sued on behalf of millions of children under the age of 13 for alleged data breaches
Anne Longfield, the former Children's Commissioner for England, has filed a lawsuit against TikTok, the video-sharing platform. TikTok is accused of illegally collecting personal information from millions of children who use the app.
According to ITV News, the action was filed on behalf of up to 3.5 million children under the age of 13 in the UK who may have had their data improperly acquired since the General Data Protection Regulation (GDPR) was implemented in May 2018. Compensation in the billions of pounds is demanded in the lawsuit.
“In terms of what they take, there are addresses, names, date of birth information, their likes, their interests, who they follow, their habits – all of these – the profiling stuff, but also the exact geolocation, that is very much outside what would be deemed appropriate,” Ms Longfield said of the case.
A TikTok spokesperson stated that they will "vigorously defend the action" in response to the action.
Immigration exemption in UK Data Protection Act found unlawful
The UK Court of Appeal has overturned a High Court decision from 2019, ruling that the government's 'immigrant exemption' under the Data Protection Act 2018 (DPA 18) is unconstitutional.
The immigration exemption, stated in Schedule 2 of the DPA 18, permits the Home Office and other organisations or enterprises involved in 'immigration control' to withhold access to personal data held about individuals if doing so would 'prejudice the maintenance of effective immigration control'.
In July 2019, the Open Rights Group (ORG) and the 3million, which represents EU citizens in the UK, argued in the High Court that the exemption was too broad and violated the European Union's (EU) General Data Protection Regulation (GDPR) and Charter of Fundamental Rights.
The exception, which is the first of its sort in the UK's 20-year data protection statute, covers not only EU citizens, but everyone who deals with state organisations or businesses involved in 'immigration control'. People seeking asylum in the UK or those affected by the Windrush scandal are among those affected.
While the court rejected the groups' arguments and upheld the exemption, finding that "the purposes for which, and the categories of data to which, it may be applied were… appropriately delineated" a legal appeal was heard on the 23rd and 24th of February 2021 by three judges, who unanimously overturned the decision on the 2nd of June 2021.
Lord Justices Underhill, Singh and Warby ruled it was "clear that the Immigration Exception is non-compliant' with Article 23 of GDPR, adding it 'is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible...For that reason, it is unlawful."
“This is a momentous day. The Court of Appeal has recognised that the Immigration Exemption drives a huge hole through data protection law, allowing the government to restrict access to information that may be being used to deny people their rights,” said Sahdya Darr, immigration policy manager at ORG.
Vulnerable children’s details uploaded to Birmingham City Council website
At Birmingham City Council, a 'serious' data breach occurred when the personal information of 'vulnerable' children was unintentionally uploaded by workers.
The information, which according to Birmingham Mail pertains to minors who are eligible for free bus passes, was theoretically accessible from the outside. In an email sent on March 19, the council raised the alarm about the breach and promptly notified the Information Commissioner's Office.
The ICO did not take any immediate action in response to the breach because it was satisfied with how the council handled the situation and resolved it. The ICO gave the council more data protection advice and advised them to notify them if any new information affecting the case's circumstances became available.