Data Protection update - June 2022
Welcome to our data protection bulletin, covering the key developments in data protection law from June 2022.
Data protection
- Government publishes its response to consultation on proposed changes to UK data protection laws and finalises new adequacy decision in principle for Republic of Korea
- Policy paper on the government's UK Digital Strategy published
Cyber security
- Call for views to boost the security of UK data centres and cloud services launched
Enforcement
- ICO to keep money from UK GDPR fines
- ICO may reduce fines on public sector bodies
- Companies to face multimillion fines for nuisance calls
- ICO fails to disclose majority of reprimands issued under GDPR
- Italian DPA launches investigation into Uber
- French supervisory authority: modifications of Google Analytics don’t make it legal
- Highest court in France confirms French regulator is competent to sanction Amazon
- Dutch SA fines company for security flaws in data handling and sharing
Civil litigation
- Group litigation in data breach litigation: Bennett & others v Equifax Ltd [2022] EWHC 1487 (QB)
- Attempts to reframe claims arising from data breaches as claims for misuse of private information flounder: Smith & Ors v Talktalk Telecom Group Plc [2022] EWHC 1311 (QB)
Data protection
DCMS publishes its response to consultation on proposed changes to UK data protection laws and finalises new adequacy decision in principle for Republic of Korea
The Department for Digital, Culture, Media & Sport ("DCMS") has now published a response to its consultation "Data: a new direction", which was launched last year as part of the UK's National Data Strategy. The consultation contained proposals designed to build on the UK's current data protection regime in areas such as data rights for individuals, mechanisms for supervision and enforcement and data processing principles.
The response is arranged across five chapters: reducing barriers to responsible innovation; reducing burdens on businesses and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and reform of the Information Commissioner's Office ("ICO").
Draft legislation is expected to be published by the DCMS shortly, in the form of a Data Reform Bill that will amend the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. Organisations may then lobby for changes while the Bill is debated before Parliament. The consultation response sets out what will be included in the Bill and below we set out the key takeaways for organisations as to how UK data protection law is likely to change.
Accountability
The DCMS intends to remove specific accountability requirements in order to reduce burdens on businesses. This includes:
- Introducing the requirement for every organisation to have in place a "Privacy Management Programme";
- Removing the need to appoint a Data Protection Officer. Instead, at a minimum a "senior individual" must be responsible for the Privacy Management Programme;
- Removing the requirement to carry out data protection impact assessments and allowing organisations to identify and manage risks in a more flexible way; and
- Removing the record of processing activities requirement and instead requiring organisations to keep personal data inventories.
Whilst the intention is to reduce burden on businesses, it is unclear at this stage whether it will have a significant impact. In any event, businesses operating in the EU will most likely keep their EU GDPR compliance arrangements in place, even for UK GDPR purposes.
Data Subject Access Requests
The DCMS is intending to make the following changes in relation to data subject access requests ("DSARs"):
- Changing the threshold for refusing a DSAR from 'manifestly unfounded or excessive' to 'vexatious or excessive'; and
- Confirming that a nominal fee would not be reintroduced for handling DSARs.
Privacy and electronic communications regime
The changes that are intended to be made to the Privacy and Electronic Communications Regulations 2003 ("PECR") include:
- Amending PECR to allow the ICO to levy fines of up to £17.5m or 4% of an organisation's global turnover, to bring cookies and direct marketing fines in line with those that can be levied under the UK GDPR and DPA 2018.
- Allowing businesses to use cookies and similar technologies without consent for a wide range of non-intrusive purposes, such as measuring traffic to their own webpages;
- Ultimately moving to an opt-out model of consent for all cookies, even more intrusive ones, with preference signals instead being set through browsers "when the government assesses these solutions are widely available for use";
- Extending the "soft opt-in" exception for sending direct marketing messages to non-commercial organisations; and
- Introducing a "duty to report" on communications providers in relation to nuisance calls and requiring them to inform the ICO of suspicious levels of traffic on their networks.
Legitimate interests and exemptions
Currently, data controllers must complete a three-part exercise when relying on legitimate interests as a lawful ground for processing personal data under article 6(1)(f) of the UK GDPR. The third limb requires organisations to weigh up whether their interests in processing personal data outweigh the rights of data subjects. The DCMS noted that it is aware that some organisations have been concerned about the time and resources it takes to complete and record these legitimate interests assessments.
To address these issues, the DCMS has proposed to create a "limited, exhaustive list of legitimate interests for which organisations could use personal data without applying the balancing test." This will initially only cover public interest-related processing such as for AML and anti-fraud purposes, rather than commercial interests such as product development and research.
AI and machine learning
The consultation explored how AI systems can be built or deployed by organisations responsibly, while ensuring that risks are managed. A separate white paper on AI Governance is currently being drafted by the government and the DCMS made some proposals under this consultation. A new condition is to be added to Schedule 1 of the DPA 2018 to allow the processing of sensitive personal data in order to monitor and correct biases in AI systems.
Additionally, Article 22 of the UK GDPR which relates to automated decision-making and profiling will be retooled as a "right to specific safeguards, rather than as a general prohibition on solely automated decision-making" in order to remove onerous barriers to AI-powered automated decision-making whilst ensuring appropriate safeguards are in place.
Reform of the ICO
Some of the most significant proposals from the consultation relate to reforms to the ICO. The DCMS intends to transform the ICO into an agile and forward-looking regulator through a series of changes including:
- Introducing a new statutory framework for the ICO and a new overarching objective that relates to upholding data rights and encouraging trustworthy and responsible personal data use;
- Moving away from the current corporation sole structure, whereby one individual sits as Commissioner and introducing a statutory board with a chair and chief executive;
- New powers for the ICO to compel witnesses and commission expert reports;
- Powers for the DCMS to approve codes of practice and complex or novel guidance drafted by the ICO; and
- A more efficient complaints framework, whereby a complainant would need to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO.
International data flows
The government is aiming to design a future regime that will remove unnecessary barriers to cross-border data flows, whilst at the same time maintaining EU adequacy status. More flexibility will be introduced in the government's approach when making its own adequacy decisions, including removing the regular four-year review of live decisions.
For countries not subject to an adequacy decision, reforms will be introduced which ensure that "data exporters can act pragmatically and proportionally when using alternative transfer mechanisms."
In another recent development, the government has reached a data adequacy decision in principle with the Republic of Korea, which indicates the government's intention to prioritise adequacy decisions under the UK GDPR. The Republic of Korea already benefits from an adequacy decision from the European Commission under EU GDPR.
Other proposals
Some other key proposals include a clarification on controllers' ability to rely on compatible purposes and obtain "broad consents" in a research context. Additionally, the DCMS proposes to introduce more provisions on further processing and how personal data may be re-used for new purposes, including by new controllers.
To read the response in full click here.
Policy paper on the government's UK Digital Strategy published
The government has published its 2022 Digital Strategy which sets out the steps being taken to boost growth and innovation and the challenges facing digital businesses. Several key areas of action were identified for sustained digital growth including:
- Ideas and intellectual property (IP) – the government has committed to supporting universities to develop new ideas and technologies through increased funding. Businesses will be incentivised to innovate particularly in areas such as quantum computing technology and artificial intelligence and the NHS will continue to harness digital and data-driven innovation in order to improve treatment and the provision of care in partnership with Life Sciences Vision.
- Enhancing the UK's place in the world – the government will work to ensure that international data flows are enabled and will work to oppose unjustified data localisation. This will be achieved by ensuring that free flow of data and anti-data localisation provisions are included in trade agreements reached with other countries.
- Reforming the UK GDPR with the aim of reducing compliance burdens for businesses whilst also maintaining high standards of data protection.
- Creating a legislative framework for Smart Data which will provide consumers and small businesses with the power to enable trusted third parties to help them access, make sense of and use their data.
- Making digital identities more secure and creating a legal gateway to allow public bodies to share data with organisations that follow the rules of the UK digital identity and attributes trust framework when validating a person's identity.
To read the UK's Digital Strategy in full click here.
Cyber security
Call for views to boost the security of UK data centres and cloud services launched
The government has launched a call for views on how to boost the security and resilience of the UK's data centres and online cloud platforms. The government is seeking views on the tools currently used in the regulated sector to boost security and resilience, which include a) having an incident management plan in place; b) notifying a regulator when services are impacted by an incident; and c) a requirement for a person, board or committee to be held accountable for an organisation's security and resilience. The government is looking to build on existing safeguards for data infrastructure, including the Networks and Information Systems (NIS) Regulations 2018, which cover cloud computing services.
The DCMS will use the evidence collected from the call for views to decide whether the government needs to provide additional support to minimise the risks brought about by data storage and processing infrastructure. The government is particularly interested in hearing from a) organisations who provide third-party data storage and processing infrastructure; b) organisations who directly depend on third-party data storage and processing infrastructure; and c) other organisations with significant involvement in data storage and processing infrastructure. The call for views will run until 23:59 on 24 July 2022. For more information click here.
Enforcement
ICO to keep money from UK GDPR fines
The ICO has announced that, by agreement with the Treasury and DCMS, it will now be allowed to retain a proportion (capped at £7.5 million per year) of funds received in fines. Importantly, the ICO will only be permitted to use these funds to cover their litigation costs, which will include the costs of external experts and counsel.
ICO may reduce fines on public sector bodies
On 30 June 2022, the UK Information Commissioner, John Edwards, published an open letter which sets out "a revised approach to working more effectively with public authorities across the UK." The ICO will aim to raise data protection standards across the public sector and prevent harm from occurring in the first place. Additionally, the government has pledged "to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards."
Mr Edwards also noted that whilst the ICO has a responsibility to enforce the law around compliance issues, he is not convinced that large fines are always the most effective sanctions in the public sector. A public sector fine can often result in reduced budgets for vital services, which in effect punishes victims of a data breach twice. Mr Edwards confirmed that the ICO will be trialling an approach for the next two years under which the impact of fines on the public sector will be reduced, which will in turn mean an increase in public reprimands and the use of other powers such as enforcement notices. Fines will only be issued "in the most egregious cases." To read Mr Edwards' letter in full click here.
Companies to face multimillion fines for nuisance calls
Under the Data Reform Bill, the government has detailed plans to increase the fines for nuisance calls from the current maximum of £500,000 to four per cent of a company’s global turnover or £17.5 million, whichever is the greater.
ICO fails to disclose majority of reprimands issued under GDPR
A Freedom of Information request ("FOI") has shown that the ICO has failed to publicly disclose the majority of "reprimands" it has issued to public sector organisations (including the Government Digital Service (the "GDS")) since November 2021.
The FOI revealed that, despite the ICO's own policy that says its "default position" is to publish all formal regulatory outcomes, in the vast majority of cases, the ICO failed to publicly disclose that it had taken action to reprimand such organisations:
"By ‘formal regulatory outcomes’ we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work," said the ICO in its Regulatory and Enforcement Activity Policy. "Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached."
Specifically on reprimands, the ICO added: "We will publicise these if it will help promote good practice or deter non-compliance." While the ICO has not disclosed details of the specific contraventions that led to these reprimands being issued, its Regulatory Action Policy says that the watchdog will reserve its "most significant powers (i) for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data."
Italian DPA launches investigation into Uber
The Italian DPA ("Garante") found that the Dutch company Uber BV and the US company Uber Technologies were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) against data subjects in Italy. This comes after inspections revealed that the company had committed several violations, including publishing inadequate privacy notices, processing personal data without consent and failing to notify Garante about data breaches. Uber had also processed data of close to 1.5 million data subjects without having obtained valid consent, by profiling them on the basis of so-called 'fraud risk'. Garante fined Uber B.V. (Holland) and Uber Technologies Inc. (USA) €2,120,000 each (a total of €4,240,000) for these violations.
French supervisory authority: modifications of Google Analytics don’t make it legal
Despite guarantees offered by Google, the French data protection watchdog (the "CNIL") has ruled that the use of Google’s web analytics tool does not comply with the GDPR. The CNIL's clarification comes after it sent out formal notices to various companies in February following its decision that data transfers to the US via Google Analytics were unlawful. The decision by the CNIL came one month after its Austrian counterpart issued a similar decision and was followed by a decision of Garante which found that a local web publisher’s use of Google Analytics breached the GDPR and granted the publisher 90 days to rectify the issue.
Highest court in France confirms French regulator is competent to sanction Amazon
On 27 June 2022, France's highest court, the Council of State, confirmed the competence of the CNIL in its decision to impose a fine of 35 million euros on Amazon Europe Core on 7 December 2020. The CNIL found that there had been two violations of Article 82 of the French Data Protection Act (transposing the e-Privacy Directive). The CNIL found that the company had not obtained the consent of Internet users visiting "Amazon.fr" before automatically depositing cookies with an advertising purpose on their computers. Additionally, the CNIL was of the view that the cookie banner on "Amazon.fr" did not clearly inform French users beforehand about the deposit of cookies. The Council of State confirmed the two violations and considered that the fine imposed by the CNIL was not disproportionate to the seriousness of the breach, the financial capacity of the company and the scope of processing.
Dutch SA fines company for security flaws in data handling and sharing
The Dutch SA (the "DDPA") has fined the National Visa Information System ("NVIS") €565,000 after finding flaws in the way data in their system was handled and shared. Specifically, it found that the stricter security requirements necessary for processing 'special personal data' were not in place and that relevant IT systems were vulnerable, with the authorisation procedure for accessing those systems having last been updated in 2015. The DDPA also found that Dutch visa applicants were insufficiently informed about how their data would be processed and who it would be shared with by NVIS. The DDPA's decision emphasises the importance of the transparency principle under the GDPR and in particular the need for full transparency regarding the sharing of personal data with third parties.
Civil litigation
Group litigation in data breach litigation: Bennett & others v Equifax Ltd [2022] EWHC 1487 (QB)
Equifax was issued with a £500,000 monetary penalty notice ("MPN") by the ICO arising out of a significant data security breach in 2017, the maximum available under the Data Protection Act 1998. The ICO understood that approximately 700,000 UK data subjects were affected, of which, by the time of the hearing before the Senior Master, 100,000 had issued claims against Equifax and many more were being processed.
By agreement, the parties had filed Generic Particulars of Claim, a Generic Defence and a Generic Reply, along with Claimant-specific pleadings in nine instances selected by the parties as exemplars of different categories of Claimants.
In the instant application, the Claimants sought a Group Litigation Order (a "GLO"). The Defendant opposed a GLO and argued instead that preliminary issues on causation and loss should be determined, because if the claims (or most of them) were not worth anything, it would be disproportionate to proceed with a GLO and a contested liability hearing.
The Senior Master refused to decide the issue and referred the Claimants' application to be considered by a Judge of the QBD (yet to be appointed) at a CMC. However, the Senior Master did make certain obiter comments which are likely to be of interest to readers.
At [23], the Senior Master held that: "I agree with the Defendant that there are real concerns about the entitlement to compensation under the DPA for a significant proportion of these claims and other potential claims. The Claimants accept that the claims are all small value claims and have put an average range of values on the claims of £750 - £3,000". Similarly, at [28], the Defendant's proposal was described as a "constructive proposal" and at [35] the Court commented that "it may be unlikely that the entirety of the Claimant cohort will be able to establish either financial loss or distress to enable compensation to be awarded".
In doing so, the Senior Master accepted that there could be advantages in the Defendant’s proposal, and that a GLO was not the only way to manage a large number of small value claims, but that a GLO would not be attractive where liability was left undetermined and would then need to be addressed.
Attempts to reframe claims arising from data breaches as claims for misuse of private information flounder: Smith & Ors v Talktalk Telecom Group Plc [2022] EWHC 1311 (QB)
Following Saini J's decision in Warren, which we covered here, it is doubtful whether claims for misuse of private information or negligence can be pursued arising out of a data breach. He has now followed that decision, confirming the principles established in Warren, in Smith, a claim arising from TalkTalk's data breaches in 2014 and 2015, in which he struck out the Claimants' claim for misuse of private information. This was notwithstanding an attempt by the Claimants to recharacterise TalkTalk's failings as positive acts on its part, in an attempt to distinguish Saini J's reasoning in Warren. At [62] Saini J noted:
"In his evidence supporting the application to amend, the Claimants' solicitor sets out the 2014 and 2015 Breaches and then accurately described their repleaded MPI claim as based on an election by the Defendant "…not to take steps to prevent further access, thereby facilitating or enabling third-parties to obtain access to the Claimants' personal data". He also explained that this arose through the existence of what were called "technological gaps" through which third parties could access data. These descriptions demonstrate that the real complaint is not about misuse by the Defendants but about conduct which allowed others to misuse the Claimants' information. That is a matter for data protection law in the form of the DPA (or a claim for some other tort like negligence where protective duties are imposed). It is not within the scope of the tort of MPI."