Data Protection update - September 2018
Welcome to the September 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
Data protection
- UK data protection standards in a 'no deal' scenario
- Big Brother Watch and others v the United Kingdom
- Belgium implements the GDPR
- ICO issues guidance on GDPR's international transfer provisions
- Sabados v Facebook Ireland
- Privacy Shield Program answers FAQs
- City of London Law Society Data Law Committee formed
Cyber security
- British Airways security breach compromises 380,000 customers' personal data
- ICO alerts businesses to "over-reporting" of GDPR breaches
- West Ham data breach
ICO enforcement
- Equifax fined maximum amount under the Data Protection Act 1998
- Everything DM Ltd fined £60,000
- Enforcement notice for London Borough of Lewisham
Data protection
UK data protection standards in a 'no deal' scenario
On 13 September 2018, the Department for Digital, Culture, Media & Sport ("DCMS") released guidance on what will happen to data protection arrangements in the event that the UK leaves the EU without reaching a deal with the other Member States. 'No deal' describes the situation in which the UK fails to conclude a draft withdrawal arrangement with the EU in time for the UK's exit on 29 March 2019. Rather than a negotiated and carefully planned break that would minimise disruption for businesses, a 'no deal' scenario would result in no transition period and a dramatic end to the application of EU rules to the UK.
The European General Data Protection Regulation ("GDPR") allows for unhindered cross-border transfers of personal data between countries within the European Economic Area ("EEA"). For countries outside the EEA, the GDPR provides a mechanism for unimpeded transfers known as the adequacy decision: data transfers can continue to countries whose legal regime the European Commission has deemed to provide an "adequate" level of personal data protection, i.e. a level the Commission has decided is essentially equivalent to that of the EU.
Upon exit from the EU in March 2019, the UK will become a "third country", meaning that, in the absence of a special deal, the UK's level of personal data protection would need to be declared adequate by the European Commission in order for the free flow of personal data from EEA countries to the UK to continue. There is considerable alignment between the GDPR and UK data protection legislation: the GDPR has applied directly in the UK since 25 May 2018 and is supplemented by the Data Protection Act 2018. However, the DCMS has indicated that the European Commission has stated that a decision on adequacy cannot be taken until the UK is a third country.
The DCMS has provided guidance for what to do if the European Commission does not make an adequacy decision in time for the point of exit and UK businesses want to obtain personal data from organisations established within the EU. On exit, a legal basis under the GDPR must be identified by the organisation based within the EU in order for it to send personal data to an organisation based in the UK.
The view of the DCMS is that the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses approved by the European Commission which, if adopted in a contract between the parties, enable the free flow of personal data. The DCMS recommends that organisations with EU partners proactively consider the action that may need to be taken in order to ensure that the cross-border flow of data can continue in the event of a 'no deal' scenario.
In the meantime, the government has expressed its intention to continue engaging with the EU on contingency planning for a 'no deal' situation. This includes seeking to obtain an adequacy assessment on data protection prior to March 2019.
See here for the full DCMS guidance note.
Big Brother Watch and others v the United Kingdom
In this case, the European Court of Human Rights ("ECtHR") found that the UK government's mass interception of communications program violated the rights to privacy and freedom of expression under the European Convention on Human Rights.
The court held that the program provided for insufficient supervision and safeguards on the mass interception of communications.
The ECtHR said that: "While there is no evidence to suggest that the intelligence services are abusing their powers – on the contrary, the interception of communications commissioner observed that the selection procedure was carefully and conscientiously undertaken by analysts – the Court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse. Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications."
Importantly, however, the ECtHR found that it is possible for governments and their intelligence agencies to intercept communications in order to protect national security without infringing human rights. The court held that national states "enjoy a wide margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security". The court stated that the UK's decision to engage in the mass interception of communications to identify threats to national security clearly fell within the country's margin of appreciation, however a lack of oversight and adequate safeguards meant the UK's program was held to have a disproportionate effect on human rights.
This judgment is likely to have implications for the Investigatory Powers Act 2016, although the regime the court examined was the earlier one under the Regulation of Investigatory Powers Act 2000. Provisions that regulate the selection of undersea cables (the "bearers") that the government may tap into will need to be revised, including the provision of more comprehensive supervision. Additionally, the government will need to revise the rules governing how agencies examine metadata related to intercepted communications and provide for significant improvements in safeguards.
See here for the full judgment.
Belgium implements the GDPR
On 5 September 2018, Belgium implemented the GDPR by passing the Belgian Privacy Act ("BPA"), which repealed the Privacy Act of 1992. The BPA came into force immediately.
The BPA also contains a number of additional provisions that depart from or add to the requirements of the GDPR. These include:
- controllers processing genetic, biometric or health data are obliged to comply with some additional measures;
- data subject rights have been restricted where data is being processed by various public bodies; and
- a significant number of GDPR provisions have been declared unenforceable in relation to the processing of data for journalistic purposes and for reasons of academic, artistic and literary expression.
Other legislation under Belgian law has also been amended since the implementation of the GDPR, notably the Camera Act 2007, which now contains GDPR-compliant provisions for the use of CCTV cameras in Belgium.
ICO issues guidance on GDPR's international transfer provisions
The Information Commissioner's Office ("ICO") has published a guidance note (see here) clarifying the rules regarding international transfers under the GDPR. If personal data is transferred to outside of the EEA, individuals are at risk of losing the protection granted by the GDPR. The GDPR therefore restricts such international transfers, unless such personal data can be protected in another way, or one of a number of limited derogations apply.
The ICO's latest guidance states that a transfer will be restricted if data is transferred "to a receiver to which the GDPR does not apply". This will usually be because personal data is being transferred to a receiver located in a country outside of the EEA.
However, this also implies that a transfer will not be restricted if data is transferred to a receiver to which the GDPR does apply. Article 3(2) GDPR extends the territorial scope of the GDPR, stating that it also applies to organisations that are not established in the EEA but process personal data whilst selling goods or services to, or monitoring, data subjects in the EEA.
Therefore, if a non-EEA organisation receives personal data from the EEA for the purpose of selling goods or services to, or monitoring, data subjects in the EEA, the processing of that data will be subject to the GDPR, under its extra-territorial provisions. This means that the transfer of this data to outside of the EEA will not be a restricted transfer. The mechanisms under Chapter V which allow for transfers to third countries therefore do not need to be considered in relation to transfers to non-EEA countries covered by Article 3(2) GDPR.
The guidance will be of interest to any UK organisation needing to make international transfers of data, as it means that if the GDPR applies to the recipient, or the recipient is in the same organisation, safeguards such as standard contractual clauses may no longer be necessary. The guidance note also states that a transfer will only be restricted if the receiver is a separate organisation or individual (i.e. not covering employees of the sender or its company, but including other companies in the same group).
Sabados v Facebook Ireland
The High Court has compelled Facebook to reveal the name of a person who pretended to be a family member in order to secure the deletion of a deceased man's profile. The claimant (Sabados) was the deceased man's partner and the deletion resulted in the loss of personal material including photographs, poems and six years of the couple's private correspondence. The Judge held that some of this amounted to the claimant's own personal data under the Data Protection Act 1998 ("DPA 1998") and that deletion of that data would amount to a breach of the DPA 1998.
The court chose to grant a Norwich Pharmacal order ("NPO"). This order is granted where a claimant is unable to identify an ultimate wrongdoer, but is able to target a third party (Facebook) it knows holds the information and is somehow "mixed up" in the ultimate wrongdoer's misconduct. The claimant must also be able to prove to the court's satisfaction that: (i) they have a good arguable case; and (ii) they cannot proceed with their claim without the NPO.
Here, there was indeed a good arguable case that the deletion constituted a breach of the DPA 1998 and misuse of private information. The court also raised the possibility that the unknown person had committed a breach of confidence if they had been able to access the deceased's profile in order to request deletion. Sabados would not have the required evidence to formulate her claims without the NPO and Facebook was "mixed up" in the unknown person's wrongdoing as the company allowed deletion of a profile from a request of a person who did not have the requisite authority.
The judge found that these criteria were satisfied in this instance stating that "unless the court makes the order sought, the claimant will have no remedy whatever for very hurtful, distressing and on the face of it, very possibly malicious behaviour by the person unknown."
Although this case was heard under the DPA 1998, it highlights the potential consequences of disclosing and deleting personal data without the necessary authority.
See here for the full judgment.
Privacy Shield Program answers FAQs
In our July 2018 Data Protection update (see here) we discussed the European Parliament's passing of a non-binding resolution calling for the suspension of the EU-US Privacy Shield ("Privacy Shield") if the US did not comply with its requirements by 1 September 2018. Although the Privacy Shield has not yet been suspended, the resolution has increased pressure on the Commission and its US counterparts in the run up to the second annual review of the Privacy Shield, taking place in October 2018.
The Privacy Shield Program has recently released answers to frequently asked questions (see here). The guidance addresses some of the concerns raised by the European Parliament and includes the following:
- the US has enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which allows US law enforcement to compel providers to produce data they hold regardless of where it is stored and provides for executive agreements on cross-border access for law enforcement purposes. The FAQs state that the CLOUD Act does not conflict with the Privacy Shield Framework and that the Privacy Shield Framework is unrelated to, and unaffected by, the CLOUD Act;
- information that an organisation will be required to provide to the Department of Commerce in the online self-certification process and how much it will cost to self-certify to the Privacy Shield; and
- that the main Privacy Shield website URL must be included within an organisation's privacy policy in order to meet the framework's requirement to link to the Privacy Shield Website.
It remains to be seen whether the Commission will find these answers to some of the European Parliament's concerns sufficient when undertaking its second review of the Privacy Shield in October 2018.
City of London Law Society Data Law Committee formed
Stephenson Harwood partner Jonathan Kirsop has become one of the 15 founding members of a new data law committee, the formation of which was announced this month by the City of London Law Society. The group of city data law specialists has been set up to discuss pending legislation, law reform and practice issues in data protection and privacy law and one of its first priorities is to seek to assist government and regulators in preserving the free movement of data between the UK and the EU following 'Brexit'.
Further information here.
Cyber security
British Airways security breach compromises 380,000 customers' personal data
British Airways may face a fine of up to around £500 million over a 15-day breach in which the payment card details of 380,000 customers were compromised. This reflects the higher fines available under the GDPR, under which the ICO could impose a penalty of up to 4 per cent of British Airways' global annual turnover. The ICO is investigating the incident and the National Crime Agency has opened a criminal inquiry.
The compromised data included names, addresses and email addresses together with debit and credit card numbers, expiry dates and CVVs. Under PCI DSS the CVV must not be stored once a transaction has been authorised, so its exposure suggests that the data was captured as customers entered it rather than taken from a stored database; anyone assessing a similar incident should therefore examine how card data is handled at the point of entry and in transit, not only at rest. British Airways swiftly notified the ICO and its customers of the breach, and reassured customers that the company would compensate those who had suffered "direct financial losses".
A collective action has been commenced against British Airways by law firm SPG Law. Article 82 of the GDPR grants individuals a right to compensation for material or non-material damage, which includes compensation for inconvenience and distress caused by the data leak. Collective action against British Airways is also being commenced by Hayes Connor Solicitors, which states that it is expecting to claim up to £5,000 per person.
Alex Cruz, British Airways' chairman and chief executive, has apologised to customers affected and reassured individuals that "no itinerary information, no frequent flier data, no passport data has been compromised".
ICO alerts businesses to "over-reporting" of GDPR breaches
James Dipple-Johnstone, the UK's deputy information commissioner, has addressed the problem of controllers "over-reporting" perceived breaches of the GDPR. He highlights that: "Some controllers are 'over-reporting': reporting a breach just to be transparent because they want to manage their perceived risk or because they think that everything needs to be reported".
The ICO's breach reporting phone line has received an average of 500 calls a week. Dipple-Johnstone stated that around one third of calls are from organisations who, after a discussion with ICO officers, decided that their breach doesn't meet the GDPR's reporting threshold.
Organisations are obliged to inform the ICO of specified personal data breaches (Article 33 GDPR) as well as, in some cases, informing the affected individuals (Article 34 GDPR). The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Under the GDPR personal data breaches must be reported to the ICO "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
Dipple-Johnstone highlighted some key trends the ICO is finding from their reporting system including:
- organisations are misunderstanding the requirement to notify the ICO not later than 72 hours after having become aware of the breach. This does not mean 72 hours after the breach has occurred. The 72 hours starts when the organisation becomes aware of the breach;
- some incomplete reports of breaches are being submitted to the ICO. Guidance is clear on what should be included when you first notify the ICO of a breach; and
- "over-reporting": Dipple-Johnstone emphasised that the ICO understands why this is a problem in the initial months after the implementation of the GDPR. He stressed that the ICO will be working with organisations to try and manage this in the future, once the ICO and organisations become more familiar with the new reporting threshold.
It is advisable that organisations take the time to gather the appropriate information and use that to make a decision about whether a report is necessary. It may be useful to refer to ICO guidance with regard to this, particularly about the reporting threshold.
West Ham data breach
West Ham's start to the season appears to be the least of the club's worries, after the club inadvertently shared hundreds of supporters' email addresses when emailing fans to confirm their successful applications for tickets for a future fixture. The club reported the breach to the ICO within 72 hours of becoming aware of it and apologised to those affected.
The club will have had to report the following information to the ICO:
- causes of breach;
- categories of data involved;
- number of affected individuals;
- likely consequences; and
- whether the staff involved in the breach had recently received training on data protection.
The Hammers may face fines of up to the higher of €20 million or 4% of global annual turnover under the GDPR.
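The page does not say how the addresses came to be shared, but the commonest cause of this class of incident is a single bulk message with every recipient listed in the To or Cc header, so that each fan can read everyone else's address. The following Python is an added example, not code from the page, the club or the ICO: it shows that bulk pattern beside the safe per-recipient build, and a pre-send guard that rejects any message exposing more than one address. The function names (build_bulk_broadcast, build_per_recipient, visible_recipients, check_no_cross_recipient_disclosure) and the sample addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example: ticket applicants (not real addresses).
APPLICANTS = [
    "fan1@example.org",
    "fan2@example.org",
    "fan3@example.org",
]
SENDER = "tickets@club.example"  # hypothetical sender address


def build_bulk_broadcast(recipients, subject, body):
    """The pattern behind this class of incident: one message with every
    applicant in the To header, so each recipient sees all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_per_recipient(recipients, subject, body):
    """Safe pattern: one message per applicant. The full recipient list
    never appears in any header, so there is nothing to disclose."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc. Bcc is stripped by
    the sending MTA before delivery, so it is deliberately not counted."""
    raw = [v for header in ("To", "Cc") for v in msg.get_all(header, [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def check_no_cross_recipient_disclosure(msg):
    """Pre-send guard for bulk notifications: True when at most one
    address is visible in the message's headers."""
    return len(visible_recipients(msg)) <= 1


if __name__ == "__main__":
    bad = build_bulk_broadcast(APPLICANTS, "Ticket application", "Your application was successful.")
    print("broadcast passes guard:", check_no_cross_recipient_disclosure(bad))
    good = build_per_recipient(APPLICANTS, "Ticket application", "Your application was successful.")
    print("per-recipient all pass:", all(check_no_cross_recipient_disclosure(m) for m in good))
```

Wiring check_no_cross_recipient_disclosure in front of the outbound mail call turns an avoidable human slip into a hard failure before anything leaves the organisation, which is where a control for this failure mode belongs.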
ICO enforcement
Equifax fined maximum amount under the Data Protection Act 1998
Credit reference agency Equifax Ltd has been issued with a £500,000 fine for a data breach affecting up to 15 million UK citizens during a cyber attack in 2017. The attack affected 146 million individuals worldwide.
The ICO investigation found that Equifax Ltd was accountable for the personal data of its UK customers, despite the fact that the incident compromised information systems in the US. The UK subsidiary did not take the necessary steps to make sure that its American parent, Equifax Inc., which was processing the data on its behalf, was protecting this personal data.
The investigation found that Equifax's data protection systems were unsatisfactory and had resulted in personal data being retained for longer than necessary, enlarging the data exposed when the attack occurred. Equifax had been warned by the US Department of Homeland Security in March 2017 of a vulnerability affecting its systems, but sufficient steps were not taken and its consumer-facing portal was not appropriately patched.
The company broke five of the eight data protection principles contained in the DPA 1998, resulting in the maximum fine of £500,000 being imposed. The fine was imposed under the DPA 1998 rather than the GDPR because the breach took place before the GDPR came into effect on 25 May 2018.
Everything DM Ltd fined £60,000
Everything DM Ltd (EDML), a marketing agency, was fined £60,000 by the ICO for sending 1.42 million emails without the requisite consent. The agency used a direct marketing system called 'Touchpoint' to send emails on behalf of its clients.
The emails appeared to be sent directly from EDML's clients. EDML was unable to prove that the recipients of these emails had ever consented to receiving such marketing emails, either from its clients or from EDML itself.
ICO Director of Investigations, Steve Eckersley, has commented on this finding: "Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third party consent is not enough and companies will be fined if they break the law."
Enforcement notice for London Borough of Lewisham
The ICO has issued an enforcement notice under the DPA 1998 in connection with a number of outstanding subject access requests. On 29 March 2018 the council confirmed it had a backlog of 113 subject access requests, the oldest dating back to 2013. These were supposed to be cleared by 31 July 2018. However, in July the council admitted that this deadline would not be met.
The ICO has given London Borough of Lewisham until 15 October 2018 to inform the individuals who submitted subject access requests before 25 May 2018 whether the personal data processed by the council includes any of their personal data.
On 25 May 2018 the DPA 1998 was repealed and replaced by the Data Protection Act 2018. Subject access requests made on or after 25 May 2018 must be dealt with in accordance with the new legislation.