Happy New Year and welcome to the latest edition of our Data Protection update, our review of key developments in Data Protection law covering December 2017 and January 2018.

DATA PROTECTION

EU Commission: "UK will be a 'third country' for personal data transfers from the point of Brexit"

The European Commission has confirmed that, subject to any transitional arrangement that may be agreed following Brexit, the UK will be considered a "third country" for data transfers as such transfer of personal data would constitute a transfer out of the EEA.

Unless EU and UK officials agree on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 in the comfort that such transfers will be compliant with EU data protection legislation, namely the General Data Protection Regulation (GDPR).

One way in which data could continue to be transferred between the EU and the UK post-Brexit is if the Commission passes a decision that the UK's data protection legislative framework provides adequate protection of personal data (a so-called "Adequacy Decision"). Examples of countries that have been deemed adequate are Switzerland, Israel, Jersey and Argentina.

In the absence of an Adequacy Decision, the GDPR permits a data transfer to a third country if a controller or processor has an alternative appropriate safeguard (e.g. a compliant data transfer agreement/binding corporate rules) in place.

We will keep you updated on any developments as to UK to EU data transfers following Brexit. In the meantime, if you have any questions with regard to transferring data to "third countries", do let us know.

To read the Commission's notice to stakeholders, please click here.

Article 29 Working Party releases draft guidelines on "Transparency" and "Consent under the GDPR"

The Article 29 Working Party (WP29) has published draft guidelines on consent and transparency under the GDPR.

As the guidelines are still in draft form, we have set out a high-level overview of each below and will issue more detailed summaries when the WP29 publishes the finalised guidelines.

Transparency

The transparency obligations contained in the GDPR require controllers to provide certain prescribed information to data subjects regarding the processing of their personal data. A common approach adopted by businesses looking to meet their transparency obligations is to provide such information in a privacy policy or 'fair processing notice'. Key takeaways from the draft guidelines include:

  • Controllers should present information efficiently. The WP29 recommends layered notices to avoid information fatigue. The first layer of these should provide a clear overview of intended processing (including information that will have the most impact on the data subject and processing activities which could surprise the data subject) and set out where further, more detailed, information can be found (e.g. via a hyperlink).
  • Provide 'intelligible' notices. An 'intelligible' notice is one that can be understood by an average member of the intended audience. Controllers should regularly check notices are tailored to the actual audience. For complex, technical or unexpected processing, in addition to giving notice, it is best practice to also spell out the consequences of the specific processing to the individual.
  • The individual should not have to work to find the information. Information should be clearly flagged to the data subject. For example:

    • a website privacy notice should be clearly visible on each page of a website under a commonly used term ('Privacy', 'Privacy Policy' etc.); and
    • for apps, notice should be made available from the online store prior to download. Once the app is installed, the WP29 states that the privacy notice should never be "more than two taps away".
  • Information should be provided in a simple manner. It should not be phrased in vague or abstract terms or leave room for different interpretations. Qualifications such as 'may', 'might', 'some', 'often' and 'possible' should ideally be avoided.

Consent

The WP29's draft guidelines provide a thorough analysis of the notion of consent under the GDPR, including commentary on each of the elements required for obtaining valid consent. By way of reminder, consent must be (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguously indicated.

  • Freely given - The WP29 notes that there are situations where a data subject will not have real choice because of an imbalance of power in their relationship with the controller (e.g. between an employer and employee, or citizen and public authority) so it may not be possible in such circumstances for consent to be freely given. The WP29 also highlights that consent cannot be said to be freely given if interlinked with services where either withholding, or withdrawing, consent would lead to a detrimental effect on the data subject (e.g. being denied a particular service requested by the customer because consent is not given).
  • Specific – The WP29 reiterates that when data is processed in pursuit of several purposes, the solution for complying with the conditions for valid consent lies in its granularity (i.e. separating out these purposes and obtaining consent for each specified purpose).
  • Informed – The minimum information the WP29 considers is required for obtaining valid consent is as follows: (i) the controller's identity; (ii) the purpose of each of the processing operations for which consent is sought; (iii) the type of data to be collected and used; (iv) the existence of the right to withdraw consent; (v) information about the use of the data for decisions based solely on automated processing; and (vi) if the consent relates to transfers, the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
  • Unambiguous - Written statements by the individual (e.g. typed instructions) are suggested as the surest way of evidencing unambiguous consent, although the WP29 does acknowledge that this is not often realistic. Pre-ticked opt-in or unticked opt-out boxes are specifically identified as non-compliant, as is blanket acceptance of general terms and conditions.

The GDPR requires controllers to ensure that consent can be withdrawn as easily as it was given, and the WP29 makes clear that any failure to comply with this requirement may invalidate the original consent.

To read the draft guidelines please click here.

Article 29 Working Party publishes first annual joint report on EU-US Privacy Shield

WP29 has published its first annual joint review on the EU-US Privacy Shield (Privacy Shield). This joint report follows the European Commission's report on the first annual review of the functioning of the Privacy Shield as reported in our October bulletin.

The report welcomed efforts made by the US authorities to support the operation of the Privacy Shield. Concerns remain regarding the lack of guidance and information for individuals and companies and the need for increased oversight and supervision of compliance with the Privacy Shield's principles.

The report states that further improvements need to be made in relation to the rules covering automated decision-making or profiling, and self-certification. The WP29 remains concerned about the collection of, and access to, personal data for national security purposes and requires further evidence that the collection of data under US law is not indiscriminate or undertaken on a generalised basis.

The report prioritises the need for the appointment of an ombudsperson, a redress mechanism for individuals and clarification of their rules of procedure. It calls for the recommended actions to be completed by 25 May 2018 and any outstanding concerns by the second joint review, indicating that a failure to deal with these concerns within the relevant timescales could result in the WP29 taking the Privacy Shield adequacy decision to national courts for them to make a reference to the Court of Justice of the EU for a preliminary ruling.

To read the report, click here.

ICO encourages businesses to fix known security flaws now, before the GDPR

Following a number of security flaws found in the way many computer processors operate, the ICO has strongly recommended in a blog update that data controllers determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency.

Failure to patch known vulnerabilities is a factor taken into account when determining the level of a fine under the DPA. Under the GDPR, there may be circumstances in which organisations could be held liable for a breach of security where vulnerabilities should have been patched when they were first discovered.

The ICO recommends having an effective layered security system to help mitigate any cyber-attack: systems should be protected at each step, and companies should be reviewing data flows to understand how data moves across and beyond the organisation, both in electronic and 'real world' format. The ICO advises controllers to evaluate the financial and reputational impact of a data breach or data loss on the company, and highlights that data should be secure at rest as well as in transit – even if a hacker obtains the data, they should not be able to read it.

To read the ICO's blog in full, please click here.

ECJ confirms that handwritten exam scripts and examiners' comments constitute personal data

Following an application from the Irish Supreme Court, the European Court of Justice has confirmed that an answer given by a candidate contained in an exam script, and the comments made on an exam script by an examiner, both constituted the personal data of the candidate.

In order to be considered personal data, the written answers submitted by a candidate at a professional examination must relate to them as a person. This was the case as the answers reflected the candidate's knowledge and assessed his professional abilities. This also applied in relation to the examiner's comments as they reflected an opinion or assessment of the candidate's performance in the examination.

The judgment found that failing to classify this information as personal data would mean that data controllers would not be required to comply with the principles and safeguards of personal data protection, or the rights of access, rectification and objection by a data subject. Examination candidates have a legitimate interest in being able to object to the processing of their answers and examiner's comments and, in particular, to object to these being sent to third parties or published without permission.

This decision will now be handed back to the Irish Supreme Court and may provide a method for students to gain access to this information under Irish data protection legislation.

Morrisons vicariously liable for employee's disclosure of personal data of co-workers on the internet

The High Court has found that an employer, Wm Morrisons Supermarkets PLC (Morrisons), was vicariously liable for the deliberate and criminal disclosure by a rogue employee of personal data belonging to co-workers.

During an audit in 2012, KPMG had requested a copy of Morrisons' payroll data. A senior IT auditor (S) was recruited to assist with the exercise. S, aggrieved following a disciplinary procedure, downloaded the payroll data to a USB stick. Just under a month later, from his home computer, S posted a file containing the personal details of around 100,000 employees on a file sharing website. Links to the site were then posted elsewhere. S was later convicted of offences under the Computer Misuse Act 1990 and the DPA. Over 5,500 employees initiated a civil class-action claim against Morrisons, alleging a breach of statutory duty under the DPA. The key issue was whether Morrisons was liable, directly or vicariously, for S's actions.

The High Court accepted that Morrisons could not be directly liable under the DPA, as it was not the data controller at the time of the breach and its security measures were largely appropriate. However, the High Court went on to hold that vicarious liability was established. Morrisons entrusted the employee with payroll data and assigned him specific tasks in relation to it, which established sufficient connection between his employment and the disclosure for the purposes of vicarious liability. The fact that the breach occurred at the weekend, from home, and using personal equipment, was not enough to break the link.

The Judge gave Morrisons leave to appeal to the Court of Appeal and Morrisons has indicated that it will do so. We will keep you updated in this regard as this judgment confirms the principle that vicarious liability applies to the DPA even where a company has done all it reasonably can to protect personal data.

CYBER SECURITY

Government consults on proposed EU Regulation

On 13 September the European Commission published a draft Regulation on ENISA (previously the European Union Agency for Network and Information Security but now referred to as "the EU Cyber Security Agency") and on Information and Communication Technology cyber security certification.

The draft Regulation aims to reform ENISA and provide it with a permanent mandate and also proposes a framework to govern European cyber security certification schemes to address existing certification fragmentation.

The Government is seeking stakeholder (e.g. telecoms operators, information technology service providers, device and software manufacturers and consumer groups) views on the draft Regulation to ensure that this new legislation delivers the best outcomes for all those affected by the measures.

The Government is seeking comments on the Commission's draft Regulation and also asks for views on the potential impact of the Regulation in the light of the UK's planned withdrawal from the EU.

To comment: email eucybersecurityregulation@culture.gov.uk or write to EU Cyber Security Consultation (4/49), DCMS, 100 Parliament Street, London, SW1A 2BQ.

Please click here to read the full European Commission proposal for a Regulation of the European Parliament and of the Council on the future of ENISA. The consultation closes on 13 February 2018.

National Cyber Security Centre guidance on managing risk of cloud-enabled products

The National Cyber Security Centre (NCSC) has published guidance, entitled "managing the risk of cloud-enabled products", on assessing and managing the risks raised by locally-installed software that interacts with services in the cloud.

The NCSC explains that organisations are increasingly deploying software to both servers and end user devices that make use of cloud services. This may be an explicitly stated feature of the product (such as cloud storage for data backup or synchronisation between devices), an implicit function (such as a line-of-business application reporting usage statistics to the developer), or an anti-malware product using a cloud service to analyse suspicious files. The NCSC says that it is easy to "overlook the nature of these cloud interactions, and the security implications".

The guidance outlines the risks of locally installed products interacting with cloud services, and provides suggestions to help organisations manage these risks. It highlights key questions to ask about the interaction of products with cloud services, and the security implications this could have for an organisation's systems. The guidance then goes on to suggest how the risks can be managed, using tools such as in-built controls, network-level controls, network monitoring and contractual terms. It also recommends the use of an antivirus software package to further mitigate the risks created by the use of cloud services.

To read the guidance, please click here.

ICO ENFORCEMENT

Carphone Warehouse fined £400,000 after serious security failings

Carphone Warehouse has been issued with a monetary penalty of £400,000 by the Information Commissioner's Office (ICO), after one of their computer systems was compromised as a result of a cyber-attack in 2015.

An investigation by the ICO found multiple inadequacies in Carphone Warehouse's approach to data security, and that the company had failed to take adequate steps to protect personal information. Using valid login credentials, intruders were able to access the system via out-of-date software. The company was also found to have inadequate technical security measures and out-of-date software on the systems affected, and to have failed to carry out routine security testing. The failures allowed unauthorised access to the personal data of over three million customers and 1,000 employees. The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for 18,000 customers, historical payment card details. This was a serious contravention of the DPA.

The fine was reduced because the ICO acknowledged the steps Carphone Warehouse took to fix some of the problems and to protect those affected, and because, to date, there has been no evidence that the breach has resulted in identity theft or fraud.

To read the penalty notice, please click here.

Four companies fined £600,000 by ICO for nuisance marketing calls, spam emails and texts

Four companies that disrupted the public with nuisance marketing have been fined a total of £600,000 by the ICO.

Hundreds of complaints from the public about the firms prompted four ICO investigations, and resulted in the following fines:

  • Barrington Claims Limited fined £250,000 for over 15 million automated calls;
  • London-based Newday Limited fined £230,000 for over 44 million spam emails;
  • Goody Market UK Limited fined £40,000 for 111,367 spam texts; and
  • TFLI Limited fined £80,000 for over 1.19 million spam texts.

All four of the businesses breached the Privacy and Electronic Communications Regulations by not having individuals' consent to be contacted by them.

To read the press announcement, click here.

ICO fines company £350,000 for making nuisance automated calls

The ICO has issued a monetary penalty of £350,000 to Miss-sold Products UK Ltd after it made 75 million nuisance calls to individuals without their prior consent. The calls contained recorded messages, primarily promoting PPI compensation claims.

To read the penalty notice, please click here.

ICO fine reduced by £75,000 on appeal

As reported in our July bulletin, the ICO previously issued Basildon Borough Council with a £150,000 monetary penalty for a serious contravention of the DPA (sensitive information concerning a family was published on the Basildon Planning Portal).

Basildon Borough Council appealed to the First Tier Tribunal against the penalty on three grounds:

  • It did not contravene the DPA.
  • Alternatively, if it did, the conditions for issuing a monetary penalty under section 55A of the DPA were not met.
  • Alternatively, if the ICO was entitled to impose a monetary penalty, the amount of this penalty was too high.

The Tribunal rejected the first and second grounds – it was an unavoidable fact that the Council had breached the DPA and that the threshold test for issuing a fine had been met.

In relation to the monetary penalty, the Tribunal acknowledged the mitigating points that the ICO had taken into account but felt that some of them had not been given sufficient weight. Accordingly, the monetary penalty was reduced to £75,000.

To read the decision, please click here.

Loss adjusters fined for unlawfully disclosing personal data

On 5 January 2018, Woodgate and Clark Ltd was fined £50,000 at Maidstone Crown Court following its conviction for breaching section 55 of the DPA.

Woodgate and Clark Ltd, a firm of loss adjusters, was investigated for disclosing personal data illegally obtained by senior members of its staff and private investigators. On 7 December 2017, the company, a director, an employee and a private investigator were convicted, and given significant fines, on charges brought by the ICO for unlawfully obtaining and disclosing personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.