Data Protection update - April 2019 | Stephenson Harwood

26 April 2019

Welcome to the April 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection

Cyber security

ICO enforcement

Data protection

Cancer doctor wins landmark data protection claim

In Rudd v Bridle [2019] EWHC 893 (QB), Dr Rudd, a leading expert on asbestos-related cancers, brought a claim against John Bridle, an asbestos lobbyist, pursuant to the DPA 2018. Dr Rudd specialised in the connection between exposure to asbestos and the onset of diseases such as lung cancer. He often stood as an expert witness for claimants seeking compensation for asbestos-related diseases. Mr Bridle had made a complaint to the General Medical Council alleging that Dr Rudd had falsified the health risks associated with asbestos exposure in his expert reports to the courts.

Dr Rudd served a subject access request ("SAR") on Mr Bridle to illicit information about Mr Bridle's activities and the persons behind the complaint against him. Mr Bridle failed to comply with the SAR and, as a result, Dr Rudd brought a claim under section 7 of the DPA 2018 demanding that Mr Bridle, or his company (J&S Bridle Limited), comply with the SAR. As part of his defence Mr Bridle argued that J&S Bridle Limited was the data controller of any personal data relevant to Dr Rudd and sought to rely on journalism, regulatory activity and legal professional privilege exemptions.

The court disagreed with Mr Bridle and held that Mr Bridle himself was the data controller and that he had failed to adequately comply with the SAR. Mr Bridle was ordered to provide certain information to Dr Rudd, including descriptions of the recipients of the personal data, the identities of the persons who had been communicating with Mr Bridle about Dr Rudd, and any information as to the sources of the personal data. The court held, however, that any personal data that was covered by legal advice privilege need not be disclosed in the SAR response.

'Cookie walls' are not GDPR-compliant according to Dutch data watchdog

The Dutch data watchdog, Autoriteit Persoonsgegevens ("AP"), has warned that a business asking its internet users to agree to the collection and use of their personal data in return for access to services, 'cookie walls', is in breach of the principles of consent under EU data protection laws. The statement was made after AP received multiple complaints from users unable to access certain websites after they had refused to give their consent to the use of cookies.

Under the GDPR, consent from a data subject to the processing of their personal data must be freely given, unambiguous and informed. The GDPR also demands that companies obtain permission from any users of their websites before tracking those users with cookies, tracking software or any other digital software. 'Cookie walls' force users to consent to the use of tracking cookies if they want to access the online content. Consent in these circumstances (i.e. an inability to access the content) has not been freely given as a refusal to comply results in adverse consequences for the user.

AP has said that it will intensify its monitoring of companies to ensure compliance. Companies should assess how their websites can comply with the consent regime without the use of 'cookie walls'.

Criminal disclosure orders for overseas data

The Crime (Overseas Production Orders) Act 2019 (the "Act") will, when it comes in to force, enable UK law enforcement authorities to obtain orders for the disclosure of electronic data from anywhere in the world. Large technology companies have already been approached by various authorities for their assistance with criminal investigations. The Act will make it much easier and quicker for UK authorities to access electronic data without having to resort to mutual legal assistance processes (which are notoriously slow) and will impose more onerous obligations on the companies or individuals holding that data.

Under the Act, an appropriate officer (for example, the police, the Serious Fraud Office and the Financial Conduct Authority) can apply to a Crown Court judge for an Overseas Production Order ("OPO") to obtain specified electronic data from someone outside the UK if there is a Designated International Cooperation Arrangement ("DICA") in place in that jurisdiction. The application for an OPO can be made without notice.

A DICA is a treaty providing for mutual assistance in connection with criminal investigations. The US implemented the Clarifying Lawful Overseas Use of Data Act in March 2018 allowing the US government to enter into agreements for the cross-border sharing of data. The UK is in the process of negotiating such an agreement with the US (which has been given priority given the prevalence of global technology companies based there), and there are plans for a similar agreement between the US and the EU; however, as at today's date there are no DICAs under which an OPO can be made.

In order to obtain an OPO, a number of tests must be met including an indictable offence having been committed and investigated or prosecuted, and finding that it is in the public interest to grant the OPO in relation to all or part of the electronic data, having regard to: (i) the likely benefit to the investigation or prosecution obtained from the data; and (ii) the circumstances under which P has control of the data.

There are exemptions in place for data protected by legal privilege and confidential personal records. The data will have to be produced within seven days of service of the OPO, unless a different time period is deemed appropriate.

The Act fails to expressly impose any penalties on a person who fails to comply with an OPO; however, this does not mean that non-compliance will go without retribution. The directors of a company that refuses to disclose information could be held in contempt of court, and there is substantial reputational harm that might arise from a failure to disclose.

Inquiry launched into Brexit adverts on Facebook

The ICO is to request information from Facebook relating to a network of pro-Brexit advertising campaigns.

The ICO's involvement comes after a number of Brexit adverts were shown on Facebook. The adverts were ostensibly from different groups but the administrators were all connected to the political consultancy firm, CTF Partners, a company founded by the election strategist, Sir Lynton Crosby. The ICO's investigation is focussed on how data, including email addresses collected to encourage people to email their MP, has been handled.

According to Facebook's rule on political advertising, anyone in the UK placing an advert has to publicly name an individual who is registered to a UK postal address but there is no requirement for transparency as to the individual administrators or an advert's financial backers.

The ICO confirmed that the use of personal information for political campaigning must comply with data protection law.

EDPB adopts guidelines in relation to Article 6(1)(b) of the GDPR

The EDPB has published a set of guidelines to clarify what is meant by lawful processing under Article 6(1)(b) of the GDPR in the context of contracts for online services.

Article 6(1)(b) is one of the legal bases under which personal data can be processed and applies when either one of two conditions are satisfied: (i) the processing in question must be objectively necessary for the performance of a valid contract with a data subject; or (ii) the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject.

The guidelines consider the requirement of 'necessity' under Article 6(1)(b). 'Necessity' is applied strictly and must reflect the objectives of data protection law (including the fairness principle and the right to privacy) and not simply what is set out in the terms of the contract. The controller must be able to show that the main object of the contract with the data subject cannot be performed without the processing of the relevant personal data. If there is an alternative way to perform the contract without the processing of personal data, and the processing is merely 'helpful' to the performance of the contract, then the processing will not be objectively 'necessary'. It is important for a controller to consider whether the processing of personal data is necessary from the data subject's perspective, not solely its own.

An example to demonstrate the application of this 'necessity' requirement is given by the EDPB: "a data subject buys items from an on-line retailer. The data subject wanted to pay by credit card and for the products to be delivered at home. In order to fulfill the contract, the retailer must process the data subject's credit card information and billing address for payment purposes and the data subject's home address for delivery. Thus Article 6(1)(b) is applicable as a legal basis for these processing activities. However, if the data subject had opted for shipment to a pick-up point, the processing of the data subject's home address is no longer necessary for the performance of the purchase contract and therefore a different legal basis to Article 6(1)(b) is required".

The example also demonstrates that where a contract has a number of elements to a service that can be performed independently of one another, the applicability of Article 6(1)(b) should be assessed in the context of each service separately.

If personal data is processed on the basis of Article 6(1)(b) and the contract is terminated then the controller must cease processing as the processing of that data will no longer be necessary for the performance of that contract (unless another legal basis is established for the continued processing of that data).

One of the conditions for the application of Article 6(1)(b) is where "processing is necessary in order to take steps at the request of the data subject prior to entering into a contract". This is relevant to a situation where preliminary processing of personal data may be necessary in order to facilitate the actual agreement of a later contract. An example of this is where a data subject offers their postal code to see if a particular service provider operates in their area. This can be regarded as processing necessary to take steps at the request of the data subject prior to entering into a contract pursuant to Article 6(1)(b).

These guidelines are currently open to consultation until 24 May 2019.

Austrian court rules that Max Schrems can take civil action against Facebook

The Vienna Higher Regional Court has overturned a previous ruling to allow Max Schrems to take civil action against Facebook. Mr Schrems is one of Europe's most high-profile privacy activists and began his claim against Facebook in 2014 claiming that Facebook had violated user rights with its transfers of personal data. He argued that complaints under Article 79 of the GDPR could be reviewed by courts as well as data protection authorities.

Article 79 of the GDPR grants people the right to effective judicial remedy against a controller or processor, as well as the right to lodge a complaint with an agency in their own member state.

Facebook contended that a citizen's only recourse is to submit complaints to a data protection regulator.

The Vienna Regional Court had sided with Facebook twice previously, holding that it was not able to hear the case because the data protection authority had exclusive jurisdiction on the matter. Mr Schrems then challenged this decision in the higher court.

Facebook is expected to appeal the decision.

UK Supreme Court gives Morrisons permission to appeal data breach class action

On 22 October 2018, the UK Court of Appeal found that Morrisons was vicariously liable for a data breach caused by a former employee, despite Morrisons itself being absolved from all wrongdoing (please refer to our October 2018 bulletin for more information).

The Supreme Court has now granted Morrisons permission to appeal the judgment on all grounds. If the appeal is heard, the Supreme Court will consider: (i) whether vicarious liability is available under the DPA 2018 in this context; and (ii) if the Court of Appeal's conclusion that the employee was acting in the course of his employment when he leaked the data was incorrect.

GDPR offers privacy groups new ways to challenge adtech

Privacy International, a British group, says that companies who are collecting and trading the data of their users in order to buy and sell advertising do not have the 'legitimate interest' for doing so, which is required under the GDPR. A 'legitimate interest' might be for example, banks using data to detect fraud, but not for the purpose of that bank's entire business model. The complaint follows a trend of activist and public interest groups challenging businesses on their use of data and GDPR compliance, a pattern which may be accredited to the increased opportunity for scrutiny provided by the GDPR.

Data processor hit with €220,000 GDPR fine

The President of the Personal Data Protection Office ("UODO") has imposed its largest fine to date on a Polish data processor for failing to fulfil its information obligation under the GDPR. The data processor remains unnamed, but Dr Edyta Bielak-Jomaa, President of UODO commented: “The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount”. The processor had used publically available sources to gather information on over six million individuals, going on to utilise the data for commercial services. The processor asked for consent from individuals whose email addresses they had gathered, but not where they had only addresses or phone numbers. This was considered by the UODO as a deliberate and conscious decision to ignore the GDPR.

Cybersecurity

BakerHostetler's 2019 Data Security Incident Response Report

US law firm, BakerHostetler, have produced a report (the "Report") into data incidents in the US.

The Report reviews 750 incidents experienced by US companies in 2018 and found that phishing was the leading cause of data security incidents. According to the Report, 55 per cent. of the incidents had employees involved as the responsible party, through simple mistakes, falling for phishing or being socially engineered. Raising employee awareness of the risks of phishing and employing multifactor authentication will help to mitigate this risk.

A positive finding from the Report was that companies are increasingly detecting data incidents internally. In 2018, 74 per cent. of incidents were detected in-house as opposed to 52 per cent. in 2015.

Forensic investigations are increasingly prevalent in response to data incidents (forensic investigations were conducted in 65 per cent. of incidents in 2018); however, the average cost of such an investigation has markedly decreased ($63,001 in 2018, down from $84,417 in 2017). The Report also noted that companies had experienced an increased level of scrutiny from regulators and other enforcement agencies.

The Report offered a number of recommendations including:

evaluating a target's privacy compliance and security posture before any merger; and
identifying the issues faced by other companies and addressing them before you are facing the same risk.

Ticketmaster data hack

Ticketmaster fell victim to a data breach in June 2018 which affected up to 40,000 customers throughout the UK. The breach was said to be caused by malicious software on a third-party customer support product, Inbenta Technologies. The data stolen is believed to have included personal information, payment and login details. Ticketmaster said at the time of the breach that it had complied with all of its obligations under the GDPR.

Now more than 650 individuals are claiming against the company for damages up to £5,000,000, with a number of claimants asserting that they had suffered "multiple fraudulent transactions" or had endured "significant stress". Kingsley Hayes of Hayes Connor, the law firm representing the claimants, said that some of the claimants had needed medical attention and had been absent from work as a result of the disclosure of their personal data. This is the first multi-party action against Ticketmaster since the data breach.

Student computer hacker is jailed after the UK's most serious cybercrime investigation

Zain Quaiser has been jailed for more than six years for blackmailing the users of porn sites whilst he was a computer sciences student. Quaiser made hundreds of thousands of pounds working with a Russian crime group to target computers with browser-locking software. Although it is not known how many victims were successfully targeted, it is known that Quaiser's victims spanned at least 20 countries.

Using the online name K!NG, Quaiser bought large amounts of advertising space on pornographic websites. When users clicked on the advert their computers were infected with a virus known as Angler software. The exposed computers would then display a message purporting to be from a local enforcement agency telling the user that a crime had been committed and demanding payment of £767.

The National Crime Agency described the case as the most serious cybercrime investigation it had ever undertaken.

All those in favour of McDonald's

Names and home and/or email addresses of those in support of a planning application for a new McDonald's drive through in Bradley Stoke were uploaded to the South Gloucestershire Council planning portal. The information was in the form of a petition which was uploaded to the publically accessible portal as part of the planning application process. After complaints, the petition was removed from the website on the same day. The ICO has said that it does not have enough information to assess whether there had been a GDPR breach.

Huawei's takeover of telecom industry stalled

Huawei's ambitions are being tempered by GCHQ concerns about the resilience of the Chinese tech giant's infrastructure as well as concerns about the company's data sharing with Chinese intelligence agencies. Their vulnerability is perceived to be such that the UK government is expected to reveal in May whether it will restrict or even ban the company's 5G technology. Sensitive locations around the UK, such as around Westminster, can expect Huawei's mobile network equipment to be banned until defects in its cybersecurity processes are fixed.

Facebook stored hundreds of millions of passwords unprotected

It has emerged that Facebook stored its users' passwords in plain text, unprotected by encryption, meaning that this data was kept on Facebook's internal servers and could be found by Facebook employees. Facebook has said that there is no indication that any Facebook employees have abused access to this data.

Facebook's Vice President for Engineering, Security and Privacy assured Facebook's users that the passwords were never visible to anyone outside of Facebook and that affected users would be notified.

The ICO has since provided the following guidance to companies: "Do not store passwords in plaintext – make sure you use a suitable hashing algorithm, or another mechanism that offers an equivalent level of protection against an attacker deriving the original password. You should ensure that the architecture around your password system does not allow for any inadvertent leaking of passwords in plaintext".

The ICO has never issued a fine for solely storing passwords in an insecure fashion, although such an action would be considered an aggravating factor when penalising other data protection breaches.

We need to talk about Alexa

It has emerged that the private requests made of Amazon's Echo devices by unsuspecting users in their own home are being listened to by Amazon employees scattered across the world.

A Bloomberg report has uncovered the reality of Amazon's research and development which involves humans listening to the conversations and interactions of users after the command 'Alexa' is used in the vicinity of Echo devices. The team listen in to selections of audio data to improve Alexa's speech recognition and comprehension of natural language.

According to Bloomberg, Amazon’s privacy policy does not explicitly state that a team is listening to Alexa conversations, although it does give a user the option to disable the use of voice recordings for the development of new features.

Amazon claims that all information is subject to sufficient multi-factor authentication and confidentiality measures, noting that audio data can only be traced to an account number, user's first name, and the device serial number albeit this may be of little comfort to users.

Data becomes gang ammunition

Newham Council has been fined £145,000 after an employee inadvertently forwarded on police database information including an individual's likelihood of gang related violence.

As part of ongoing crime prevention measures, the Metropolitan Police (the "Met") share monthly updates about gang activity with local councils, including ethnicity, home addresses, police national computer ID and whether an individual is a prolific firearms offender or knife carrier. The Met provide the information in both redacted and un-redacted form, but in January 2017 a council employee forwarded both versions (including the un-redacted form containing information on 203 individuals) to 44 people, including external public agencies.

The Met did not escape the ICO's scrutiny; they were slammed for "multiple and serious" breaches, but it was decided that Newham Council had been "grossly negligent". Newham Council was unable to identify any written policy or guidance on the handling, storage or decision-making relating to the data that it received, and had not taken a number of sensible security measures.

Acronis World Backup Day: survey reveals 30 per cent. spike in consumer data loss

The survey, published in advance of World Backup Day, revealed several stark statistics about the state of data protection and cybersecurity. Amongst the most shocking of the revelations was that 65.1 per cent. of the consumers surveyed said either they or a family member had lost data as a result of an accidental deletion, hardware failure or software problem. For businesses, this type of loss could be potentially very harmful.

On a positive note, most respondents to the survey do try to protect their data, with only 7 per cent. revealing they do not bother to backup data. However, despite this finding, more data is being lost than ever before; this was attributed to more sophisticated ransomware, crytojacking and social engineering attacks. More information can be found here.

Interestingly, the DCMS have released the 2019 Cyber Security Breaches Survey, which showed a reduction in the percentage of businesses suffering cyber breaches. The report can be found here. Representatives of DCMS attributed this partly to the GDPR bringing cybersecurity to the forefront of business's agenda and raising awareness of the need for sound policies.

ICO enforcement

ICO fines Kent pensions company for sending nearly two million spam emails

A stark warning for those giving and receiving advice on data protection. Here, a Kent pensions company had instructed a third party marketing agent to send nearly two million direct marketing emails without consent. The company had sought specialist advice to confirm that its approach was compliant with relevant data protection legislation. The ICO disagreed, referring to the advice as 'misleading', and fined the company £40,000.

The ICO announcement states that: "The law says that organisations cannot generally send marketing emails unless the recipient has given them their consent to receive them. This applies equally to organisations using third parties to send direct marketing on their behalf."

ICO invites comment on its AI auditing framework

AI remains one of the ICO's top three strategic priorities, and in March the Executive Director for Technology Policy and Innovation, Simon McDougall, invited comment from organisations on the development of its AI auditing framework.

According to the ICO, its "framework will support the work of our investigation and assurance teams when assessing the compliance of data controllers using AI and help guide organisations on the management of data protection risks arising from AI applications".

Comments can be left on the relevant blog page, or sent direct to the following email: AIAuditingFramework@ico.org.uk

ICO Sandbox beta phase now OPEN

The ICO has now opened the beta phase of its Sandbox. The key aim is to allow and indeed support organisations that use personal data to develop innovative products and services with a demonstrable public benefit.

The Sandbox is open to applications. What this means in practice is that organisations may secure the opportunity to "work through how they use personal data in their projects with the ICO’s specialist staff to help ensure they comply with data protection rules", and receive "some comfort from enforcement action".

ICO and Facebook – intentions vs actions

The ICO has highlighted the apparent contradiction in Facebook's latest reference to the "need for increased regulation across four areas, including privacy", while it simultaneously continues with its "current appeal against the ICO's £500,000 fine – the maximum available under the old rules – for contravening UK privacy laws".

Perhaps Facebook's change in approach now mirrors the much higher level of potential sanction post-implementation of the GDPR which, in Facebook's case, could be far greater than £500,000.

ICO issues £120,000 fine for unlawful filming in maternity clinic

True Visions Productions was handed down the fine on 10 April 2019 for "unfair and unlawful" filming in a maternity clinic at Addenbrooke’s Hospital in Cambridge. The footage was intended for use in a Channel 4 documentary about stillbirths. True Visons Productions set up CCTV-style cameras and microphones to capture the footage and, although they had the hospital trust’s permission to be on site, not enough information was provided to the patients. The sensitivity of the medical information and subject matter was cited as part of the ICO's decision to issue the fine, as was the fact that there was no good reason for permission not to have been secured.

ICO fines Vote Leave £40,000 for sending unlawful text messages

An ICO investigation found that Vote Leave sent 196,154 text messages promoting the aims of the Leave campaign with the majority containing a link to its website. Vote Leave was unable to demonstrate that any consent had been given by those who received the messages, claiming this had been deleted after the conclusion of the referendum campaign. The ICO found this unacceptable, and given it publishes detailed guidance on how to comply with data protection legislation while running a political campaign, a fine was the appropriate sanction.

Bounty pregnancy club fined £400,000 over data handling

A fine of almost half a million pounds was handed down to Bounty, a pregnancy and parenting club, for illegally sharing personal information belonging to more than 14 million people. The information was shared with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.

When collecting information from its users, individuals were told that by providing their information they consented to (i) get information from Bounty; (ii) have information shared with them; and (iii) Bounty would take "great care of the information provided". The ICO's decision demonstrates the importance for companies to obtain fully informed consent.

Moreover, Bounty's privacy policy stated that (i) Bounty collected information for "marketing" and "tailoring"; (ii) Bounty would share with "selected third parties"; and (iii) users might get information not only from Bounty but specified third parties (that were listed). None of the third parties listed were the parties with whom Bounty shared information.

The ICO accused the company of both "careless data sharing" as well as violations of the UK law that pre-dated the GDPR (as the violations occurred prior to the implementation of the GDPR in May 2018). The size of the fine (near the pre-GDPR maximum of £500,000) demonstrates that the ICO will take such behaviour very seriously, although the ICO did take into account Bounty's financial position, the fact that the company had ceased its activities voluntarily and that it had since made significant changes to its data practices.

ICO fines Kensington & Chelsea £120,000 after massive data breach

After the Grenfell Tower fire, Kensington & Chelsea Council received three freedom of information requests ("FOIs") for information on empty properties in the area. The FOI applicants were provided with a response, but information identifying nearly 1000 people owning those empty properties was accidentally included.

The FOIs together with the names of three high-profile property owners were later published.

This incident should serve as a reminder to public bodies of the need to protect personal data when fulfilling FOIs. The unlawful breach of personal data could have been avoided with appropriate redaction.

In the ICO's penalty notice it noted that the contravention of the GDPR was all the more serious due to the number of affected data subjects, the sensitive nature of the data and the potential consequences of the disclosure.

Four projects receive £275,000 from the ICO

Four projects have received a total of over £275,000 from the ICO's Grants Programme. The program supports new and innovative products that will benefit the UK by addressing and minimising privacy and data protection risks. The winning projects include a scheme which supports the privacy of homeless people and an initiative which aims to tackle issues around the use of genomic information in healthcare.

Former NHS Manager fined for sending personal data to her email account

Shamim Sadiq, a former GP practice manager, has been fined for sending personal data to her personal email account. Sadiq was suspended from Hollybrook Medical Centre in November 2017 but was still able to access her NHS email account. Following her suspension, Sadiq forwarded 13 applications to her personal email account; the forms had been submitted previously in response to a vacancy at the surgery and included substantial amounts of personal data about the candidates and their referees.

Sadiq was fined £120, £364 in costs and a victim surcharge of £30 under the Data Protection Act 1998.