Privacy In Focus | July

July 1, 2022

by Ito Onojeghuo | LLM, FIP, CIPM, CIPP/E

We bring you a round up of articles and updates in the data sphere.



In its Opinion published on the European Commission’s Proposal for a Directive on recovery and confiscation of assets, the EDPS recognises that processing personal data in this context is liable to have a significant impact on the individuals concerned and constitutes an interference with individuals’ rights guaranteed by the EU Charter of Fundamental Rights, including the right to data protection.

Read More


The Department of Health has been formally reprimanded, and the government warned that its use of WhatsApp has “the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled”. The Information Commissioner’s Office (ICO) has called for a review into the way government officials use private messaging channels to conduct official business. The private messaging channels include apps like WhatsApp as well as personal email accounts which have been tied to MoD security breaches, and Russian hackers stealing trade talk papers. It comes as the ICO publishes the results of a year-long investigation into how ministers at the Department of Health behaved during the pandemic which found there was “extensive use of private correspondence channels by ministers, and staff”.

Read More


IAPP reports that Authors of the proposed American Data Privacy and Protection Act released an amended version of the bill ahead of the U.S. House Committee on Energy and Commerce’s July 20 mark up session. Notable updates include changing the private right of action’s effective date from four years to two years post-adoption, enforcement tweaks related to the authority of the U.S. Federal Trade Commission and the California Privacy Protection Agency, and technical changes to the definitions for “covered entity” and “service provider.” Committee members also offered several additional amendments ahead of the mark up.
Find out more on the full Story



26 July 2022 the updated the Meta Privacy Policy and Terms of Service will go into effect which covers Facebook, Instagram, Messenger.

As well as providing more details about how and what types of information is collected, shared and used. It offers users the option to manage their privacy using settings and options if they do not wish to accept the Terms of Service.

They state plainly that ‘We do not sell and will not sell your information’.

The policy is intended to be clearer and easier to understand and provides links to the necessary settings to set preferences.

It also provides more specifics about the types of partners that the information is shared with, and where they receive information from.

Further explaining in more detail how and why the information is shared across products and companies to help people understand how practices apply, including up to date information about the newer products, such as Shops and Facebook View.

Find out more


Following a six month long listening exercise in early 2022 to reach out to businesses, organisations and individuals about their experiences of working with the ICO the new strategic plan – ICO25 was published this month.

Further describes our purpose, objectives and values and the shift in approach we aim to achieve through the life of this plan, the ICO25 gives clarity about the risks and opportunities needing most urgent attention to focus efforts for the long-term in terms of priorities for the next 12 months.

The plan sets out:

  • why the work of the ICO is important;
  • what the ICO want to be known for
  • and how they intend to achieve this by 2025

See the report here


EDPB adopted a set of criteria to assess whether a cross-border case may qualify as a case of “strategic importance” for closer cooperation. The Board also adopted a procedure detailing the steps to be taken following identification of a strategic case.

At a high level meeting in Vienna in May 2022, EDPB members agreed to further enhance cooperation on strategic cases, and to diversify the range of cooperation methods used. In particular, it was decided that EDPB members will collectively identify cross-border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and supported by the EDPB. More information can be found in the EDPB’s Statement on Enforcement Cooperation.

Read More



ICO and NCSC stand together against ransomware payments being made and have released a joint letter, NCSC and the ICO ask the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.

Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.

The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. It will however consider early engagement and co-operation with the NCSC positively when setting its response.

Read More

Spain: In Spain a pilot for a Regulatory Sandbox on Artificial Intelligence is launched. By the end of the year, it will open a call for organizations to participate in the sandbox, focusing on high-risk AI across various verticals. Companies’ solutions will be tested in three-month iterations over the course of one year.

Read More

European Parliament: The Digital Markets Act (DMA) and Digital Services Act (DSA) has been voted in with a broad majority on Tuesday 5th July. The new EU digital rulebook sets out standards on the accountability of online companies, within an open and competitive digital market. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values. Companies will also have to facilitate access to their data and algorithms to authorities and vetted researchers. Gatekeepers cannot now process users’ personal data for targeted advertising, unless consent is explicitly granted.

Read More

Luxembourg: Luxembourg becomes the first country to introduce a certification mechanism according to the GDPR criteria. The National Data Protection Commission (CNPD) has adopted its certification mechanism GDPR-CARPA which is the first certification mechanism to be adopted on a national and international level under the GDPR with a view to allow data controllers and processors to demonstrate compliance of their personal data processing operations with the requirements of the GDPR.

Read More


EU: The European Data Protection Board (EDPB) adopts guidelines on certification as a tool for transfers.

Download Guidelines

US: Roe v. Wade’s overturn: The impact on data protection and law enforcement

Read more

UK: Impact of fines on the public sector to be reduced – An open letter from UK Information Commissioner John Edwards to public authorities

Read more