UK: Global Data & Privacy Update - April 2019

Fine for failing to provide an information notice – disproportionate effort exemption deemed misapplied

The Polish supervisory authority for data protection has fined a controller in Poland over €230,000 for failing to provide its privacy notice to data subjects, after incorrectly relying on the disproportionate effort exemption. The controller collected publicly available information for commercial purposes, from registers and public databases, concerning persons operating businesses including sole traders and now inactive businesses. The default position, under Article 14 of the GDPR, is that a controller must provide to data subjects certain information about the use and handling of their data - a privacy notice.

The company amassed over 6 million individuals' data but only sent an information notice to those for whom it held an email address, which represented a relatively small part of its database. The company held a postal address or telephone number for the remaining data subjects but relied on the disproportionate effort exemption (under Article 14(5)) for not providing them with an information notice. It did this on the premise that sending the information by registered post would have involved a disproportionate cost. The company argued the cost was disproportionate because the postage costs alone, without administrative costs, were equivalent to the turnover of the business for the previous year. It had displayed a privacy notice on its website.

The Polish authority was not persuaded by this argument and considered the company to have breached its data protection obligations, issuing a fine and ordering the company to comply within 3 months. The authority flagged that registered post was not necessary and that cheaper forms of post could have been considered. In calculating the fine, the authority took into account the number of data subjects affected and that data subjects may have been deprived of their rights because they were not informed, by way of a privacy notice, of how their personal data was being used, which is contrary to the fundamental concept of transparency. It viewed negatively the fact that the decision was primarily financially driven, particularly given that the personal data is necessary for the company's long term commercial activities. The authority noted that business models need to be compliant and that the costs of compliance should be factored in.

Click here to read the regulator's decision (available in Polish only).

EDPB guidelines on processing personal data for contractual purposes

The European Data Protection Board (EDPB) has published draft guidance on processing personal data under the lawful basis of contractual purposes, under Article 6(1)(b) of the GDPR, in the context of online services.

The EDPB underlines that, to rely on this legal basis, the personal data being used must be objectively necessary for the performance of a contract with the data subject or for entering into a contract at the data subject's request, and there must be no less intrusive means of achieving this. If the processing is not necessary for the contractual purpose requested, including where it is necessary only for a company's other business purposes ancillary to the service or goods requested, another legal basis must be used. The EDPB notes that there can be confusion when entering into a contract as to which legal basis is being relied upon, for example consent as opposed to contractual necessity, and that controllers, in line with their transparency obligations, must be clear about this.

The guidelines discuss, with examples, the concept of necessity of processing, what processing in the performance of a contract means, the artificial bundling of other services into the contract and the consequences of termination.

The EDPB has drawn a narrow interpretation of this legal basis and companies may need to review their reliance on it.

The draft guidelines have been released for public consultation and are open for comment until 24 May 2019.

Click here to read the guidance.

Regulating in a Digital World – House of Lords Report

The House of Lords Select Committee on Communications has published a report recommending that a new Digital Authority manage and oversee regulation in the digital sphere. Currently, 13 regulators touch on different aspects of this space, including the Information Commissioner's Office, but no single authority has oversight. The report advocates a principle-based approach to shaping reform, because the pace of development in this area means that specific rules could quickly become outdated. The report proposes 10 principles to support changes in this area, which include accountability, privacy and transparency.

The report notes the advances of recent legislative changes in strengthening data protection but highlights that in the digital world there are still improvements that should be made, including more extensive data portability rights, transparency and access.

Click here to read the House of Lords Report, HL Paper 299, on Regulating in a Digital World.

GPEN 2018 Report on Privacy Accountability

The Global Privacy Enforcement Network (GPEN) has released its annual report, this year addressing the implementation of data protection concepts within organisations from the angle of accountability. The study was carried out in conjunction with 18 national data protection supervisory authorities, which received responses from over 300 organisations.

The report demonstrates that organisations still have a way to go in providing appropriate privacy notices, with 45% of organisations failing to maintain an appropriate notice that is easily accessible. It was flagged that some privacy notices did not clearly state whether the organisation has a data protection officer and/or failed to provide contact information, which indicates issues with transparency and accountability.

Over half of responding organisations indicated that they have measures and processes in place to manage a data security breach, with 88% of organisations maintaining data security incident records. However, just under half stated that these records are not always current. The report highlights that companies do not regularly assess performance against standards, for example internal audits or self-assessments of different aspects of privacy, with only 36% of organisations managing compliance in this way.

The report demonstrates that there is still progress to be made to ensure that data protection concepts are complied with and embedded into an organisation.

Click here to read the full GPEN report.

Opinion on requirements for setting cookies

Advocate General Szpunar has provided an opinion on obtaining valid consent for deploying cookies. The case relates to individuals being presented with tick box statements when signing up to participate in an online lottery, one of which was a pre-ticked box agreeing to cookies being deployed. In order to deploy cookies, under the Privacy and Electronic Communications Regulations 2003 (PECR), consent must be obtained from the user and the definition of consent is tied to the meaning provided in the GDPR.

The company argued that consent to deploy cookies was demonstrated by the user clicking to participate in the lottery, after having completed the sign-up form which included the pre-ticked statement on cookies. Szpunar did not consider that valid consent had been obtained, as it was not actively given (because of the pre-ticked box) and, importantly, had not been separately obtained. Consent had been bundled with agreeing to participate in the lottery (a different activity), meaning that it was not separately provided. It was noted that obtaining consent for deploying cookies appeared to have been a secondary consideration to agreeing to participate in the lottery. Subscribers were not clearly informed that agreeing to cookies was not a prerequisite for participation (unlike agreeing to third party marketing communications, which was), so it may have appeared to be one.

The Advocate General also noted that further details must be provided to users about cookies in order to comply with the information requirements under PECR. The information should allow a user to "easily determine the consequences" and impact of agreeing. The lifespan of the cookies needs to be stated, along with which third parties are given access to the cookies or have set cookies.

The other tick box presented to users related to third party advertising communications, and ticking it was a requirement for participating in the lottery. While this issue was not referred to the European Court of Justice for consideration, Szpunar, interestingly, did not deem the requirement to agree to third party marketing in order to participate in the lottery to be incompatible with obtaining valid consent. Whilst expressing concern about consent being bundled rather than separate, he noted that the referring court may consider the marketing requirement necessary for participation because the lottery was set up on the basis of the data being sold.

This opinion serves as a reminder that consent for cookies must be affirmatively given (and not obtained via pre-ticked boxes), informed and separate, in line with the definition under the GDPR. Please note that Advocate General opinions are not binding on the Judges of the European Court of Justice and the judgment from the Court of Justice has not yet been released.

Click here to read Advocate General Szpunar's opinion on Case C-673/17 (Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.).

ICO fines for failing to treat personal data fairly and lawfully

The Information Commissioner's Office (ICO) issued a fine of £400,000 to Bounty (UK) Limited (Bounty) for failing to process personal data fairly and lawfully, in breach of the first data protection principle of the Data Protection Act 1998. Bounty was a pregnancy and parenting support group but also operated as a data brokerage company. It disclosed the personal data of over 14 million members, multiple times over a number of months, to several organisations including credit reference, marketing and profiling agencies without appropriately notifying members of this activity or having a lawful basis to do so. The ICO also considered the activities would have caused substantial damage or distress. It noted, given the number of individuals affected, that the substantial damage or distress threshold could be met on a cumulative basis rather than at an individual level.

Members were not considered to have been provided with sufficient information about how their data would be used, in breach of the first data protection principle. Bounty's privacy notice stated that data would be shared for marketing purposes but only described generic categories of companies, along with links to some specific companies. Bounty, however, failed to name four of the largest recipients of data (Sky, Indicia, Equifax and Acxiom) or to state that such organisations would be recipients. Bounty also signed up members in a number of non-digital ways, including at hospitals, which represented 69% of its database. These members were not provided with a privacy notice at the point of registration; where an email address was collected, the company sent one shortly afterwards. The ICO did not consider this sufficient, as such information must be provided at the point of collecting the data, and so a privacy notice provided by email even a short while later was deemed non-compliant.

The ICO also found that Bounty failed to process individuals' information fairly, in breach of the first data protection principle. Its members, signing up to a parenting group, would not have reasonably expected their personal data to be disclosed to organisations such as credit reference agencies without being told. The Regulator did not consider there was sufficient justification for the data to be regarded as fairly used.

In order to lawfully disclose members' data, Bounty relied upon consent collected from data subjects during the registration process. The ICO did not consider consent to have been validly obtained, as it was not specific or informed. Data subjects were not informed that the recipients of their personal data, for marketing purposes, would include companies such as credit reference agencies, and Bounty did not specifically name the four organisations noted above. At the point of registration via non-digital routes, consent was also not freely given, as data subjects had to permit their data to be disclosed for marketing purposes in order to register because the form did not treat the issues separately. Whilst Bounty did not rely on the lawful basis of legitimate interests, the Commissioner noted that the legitimate interests test would not have been met given the failure to inform data subjects that their personal data may be disclosed in such a manner.

Click here to read the monetary penalty notice.

ICO issues fine for unsolicited marketing emails

The Information Commissioner's Office has fined Grove Pension Solutions Limited (Grove) £40,000 for sending nearly two million marketing emails without consent, in breach of PECR. Grove's mailing list was built by obtaining the contact details of individuals who had signed up to a number of third party websites; however, those sites did not name Grove (in the sign-up wording, terms or privacy policies) as a recipient of the individuals' data who might send marketing.

Those websites described the recipients of the individuals' data, who might send marketing, only in terms of a wide set of different sectors. The ICO does not consider the use of generic wording such as "partners" or "selected third parties" sufficient to validly obtain informed consent. Consent must be freely given, specific and informed. The ICO found that Grove had not validly obtained consent to send the direct marketing, in breach of PECR.

The ICO noted that working through the customer journey would have shown that consent had not been validly obtained. On issuing the fine, the ICO took into account that Grove had consulted with a recognised data protection consultancy regarding the marketing campaign, which demonstrated a pro-active approach to data protection and an awareness of its obligations.

Click here to read the monetary penalty notice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
