UK: Global Data & Privacy Update - June 2019

Welcome to the June Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Danish Data Protection Authority to fine failure to delete data

The Danish Data Protection Authority intends to fine a Danish furniture company, DKK 1.5 million, for failing to delete 385,000 customers' records. The supervisory authority, on inspecting the company's systems and procedures, found a number of areas which were not compliant with the obligations relating to deletion of data under the GDPR.

  • The company, in relation to a legacy customer sales system, had continued to hold personal data of customers that should have been deleted because they were no longer necessary in breach of the storage limitation principle, Article 5(1)(e) of the GDPR, which states that personal data must not be stored for longer than necessary. The supervisory authority calculated that 385,000 persons' data should have been deleted from this system, at the point of inspection, following consideration of domestic legal obligations for records to be retained.

  • In relation to the same legacy system, the company had also failed to establish and document deadlines to delete the data. Therefore, the Danish authority found the company had also failed to comply with the principle of accountability under Article 5(2) of the GDPR.

  • The inspection also uncovered that, in relation to a newer customer sales system, the company had not implemented the deletion procedures it had established for that system and so data had not been appropriately deleted, in breach of the storage limitation principle.

  • Finally, whilst the company did have procedures in place for erasing data from its HR systems and was actively following those procedures, the Danish authority found that the company had not documented those deletion procedures, in breach of the accountability principle.

This decision serves as a reminder that it is not enough to have in place a data deletion policy, it needs to be implemented and compliance audited.

Click here to read the full press release (available in Danish only).

EE fined for sending unsolicited marketing messages

The Information Commissioner's Office (ICO) has fined EE £100,000 for sending marketing messages to over 2.5 million customers without consent, in breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR). PECR only permits electronic marketing messages to be sent where consumers have consented to receiving the messages or the "soft opt-in" applies. EE contacted customers about upgrading their phone and the EE mobile app in one message, and sent a second text message to individuals if they had not engaged with the EE app after the first message.

There were two strands to the text messages: (i) to inform customers about upgrading their mobile phone, meaning that they would sign a new contract with EE; and (ii) to inform customers about using the EE mobile app. The first more obviously falls into the category of marketing, and the ICO restated its guidance that makes it clear that a message is considered marketing if it promotes new products, including renewing contracts that are otherwise due to end - e.g phone contracts. The second point, at first blush, may not appear to be marketing. In this case, however, the ICO decided that EE's promotion of its app was marketing. Their reasoning for this determination is that the app, in addition to providing an individual with the ability to manage their account (e.g review billing information), also allows customers to buy items, increase their data and shows a countdown to being able to upgrade. This finding was considered by the ICO to be bolstered by EE sending a further message to persons who did not engage with the initial message about the app. This decision reinforces the fact that a communication does not have to be wholly about marketing to classify as a marketing message.

EE were aware that the messages were being sent to individuals who, according to their records, had opted out of receiving marketing messages. However, the company did not view the messages as marketing, but as service communications, and therefore outside the scope of PECR. The ICO expressly noted that being ignorant of infringing PECR did not prevent a contravention being deemed deliberate.

Click here to read the monetary penalty notice.

Interesting findings in ICO Report on Real Time Bidding

The ICO has published a report highlighting major data protection concerns with the operation, in the advertising industry, of real time bidding (online advertising space sold to bidders almost instantaneously). Real time bidding (RTB) is a complex marketplace whereby data about users is shared, in real time, in order for marketplace participants to be informed about viewers of the advertising space so that they can bid to place an ad there. The information given to bidders includes personal data collected from cookies; which means that market participants need to comply with PECR in relation to the use of the cookies and the GDPR for processing the personal data obtained from those cookies. The report draws a number of conclusions criticising the RTB ecosystem, including that data is being used without a lawful basis and that appropriate consent to deploy cookies under PECR has not been obtained.

The ICO has flagged that there is an incorrect reliance in the market on legitimate interests as the lawful basis for processing personal data. The ICO's view is that, for the normal activities involved with RTB's use of personal data collected from cookies, consent is the only appropriate lawful basis under the GDPR and consent is nevertheless also a prerequisite under PECR for the associated cookies to be placed. The report highlights issues with transparency relating to the information individuals are provided with about how their data is used, particularly the lack of clarity over who receives their data and what the user agreed to - this is a problem for those receiving parties intending to rely on consent to lawfully use the data. The report also points out a lack of accountability, control and supervision applied by market participants over the flows and sharing of data in the supply chain.

The ICO report also made some interesting observations about the scope of special categories of personal data. RTB involves the use of labelling webpages, visited by users browsing the internet, into particular fields in accordance with an industry taxonomy, which may relate to religion, health, ethnicity and politics. The labels form part of the bid request information supplied to participants placing ads. These tags are used for different purposes, including to describe online content in order to prevent ads going to the wrong website or to target certain users with ads. Under the GDPR, special categories of personal data means information that reveals certain characteristics such as health, religion, ethnicity, sexual orientation and political views. Where the tags are in relation to one of those specific characteristics, the ICO's view is that those labels are special categories of personal data. Whilst a person that visits a webpage about diabetes may not be a diabetic, the ICO considers that the label then attached to the person visiting such a website, being used either directly or by inference by the RTB industry, equates to the processing of special categories of personal data. Effectively, it seems the ICO has formed the view that as the market uses the label to add to an individual's profile and take consequential actions from this, that special categories of personal data are being processed. This report may have a wider impact on businesses processing data in such a way and require organisations to reflect on how information is being used.

Click here to read the report.

European Court of Human Rights Decision on the use of private messages in a dismissal

The European Court of Human Rights (Court) decided that an organisation had not, from using private messages in a dismissal process, breached the right to a private life and correspondence because on the facts the individual was considered to have had a reasonable expectation of their use.

Case Background

An individual was fired by an NHS Trust for gross misconduct, relating to harassment allegations. The harassment allegations primarily concerned communications sent, from fake accounts, about an alleged improper workplace relationship. Shortly before that workplace relationship began, the dismissed individual had been in a relationship with one of the pair. The police investigated harassment complaints but did not press charges. It did notify the employer of their investigations and supplied evidence to the Trust which included photos from the individual's phone and a list of the fake email addresses, that had been used to send some of the anonymous harassing messages, found on a piece of paper (Police Evidence). After an internal investigation, the Trust held a disciplinary hearing where the individual voluntarily supplied further personal communications, including WhatsApp messages. The organisation in their dismissal decision referenced, amongst other materials, those private communications and the Police Evidence.

The individual claimed the NHS Trust breached Article 8 of the European Convention of Human Rights (Convention) - right to a private life and correspondence - and Section 6 of the Human Rights Act 1998 - a public authority must abide by the Convention - due to the decision to dismiss involving private materials, being the Police Evidence and personal messages.

Court Decision

The Court noted Article 8 of the Convention (right to a private life and correspondence) is not automatically inapplicable where an email contains professional as well as personal content or where the email has been sent from a work email account. In agreement with the Employment Appeal Tribunal, the Court concluded the individual did not have a reasonable expectation of privacy over the evidence relied upon by the Trust, taking into account that the individual:

  • knew for nearly a year that concerns had been raised to the Trust about his behaviour amounting to harassment and his manager had previously notified him that a particular email was inappropriate;

  • had "sufficient prior notice" of the harassment allegations made against him;

  • could not have expected communications sent after a relationship had ended which were relevant to the harassment allegations being made by one of those persons to remain private;

  • did not challenge the use of the Police Evidence or the personal communications during the disciplinary proceedings and the individual had provided further communications which included intimate content; and

  • the facts of his claim are different and distinguished from the applicant in Băbulescu v Romania (see our previous article) – where the individual had not been made aware of the extent and type of monitoring activities carried out by his employer. The Court did restate, a point from that case, that while a reasonable expectation of privacy is a significant factor, it is not always conclusive.

Click here to read the decision.

GDPR – One Year On

The ICO and the European Commission have released reports marking the one year anniversary of the GDPR being in force. Both reports show an increase in public awareness of the legislation. Over 60% of data protection officers surveyed by the ICO agreed that there had been an increase in individuals exercising their data protection rights since the implementation of the GDPR. The European Commission found 73% of 27,000 persons surveyed were aware of at least one data subject right. The ICO received over 41,000 data protection concerns from individuals, with the most common complaint relating to subject access requests – representing 38% of those complaints. This correlates with the European Commission's report that this right is the most commonly known, but in their report they found the most commonly exercised right to be objecting to direct marketing, followed by subject access requests and then the right to erasure.

Between the implementation of the GDPR and May 2019, the ICO received around 14,000 reports of personal data breaches, compared to 3,300 the previous year. Out of those reports, only 17.5% resulted in an organisation needing to take action and less than 0.5% in a fine or an improvement plan. The health sector was the area that had the most reported breaches - around 16%.

The ICO report noted some of its future plans to include:

  • providing further assistance to SMEs, by establishing a "one-stop shop" of support;

  • releasing statutory codes on data sharing, direct marketing (anticipated to be finalised by November), age-appropriate design (currently released in draft form) and journalism; and

  • developing a draft code of practice for organisations involved in political campaigning, to be released for consultation in July.

Click here to read the ICO's report and here to read the European Commission's report.

Government Response to Report on Regulating the Digital World

The Government has responded to the House of Lord's Report on Regulating the Digital World, which set out recommendations for managing the digital sphere. Two key points from the Report were, one, developing online reform in accordance with 10 principles and, two, creating a new regulator to oversee and manage the digital world, as no one regulator currently has responsibility for this. The Government considered that the Report's 10 principles were closely comparable with the principles set out in the Government's Digital Charter. The Digital Charter is the Government's approach to overseeing the digital world, from the perspective of both user protection and business growth. The Government did not respond definitively to the recommendation for a new regulator, pointing to its programme of work under the Digital Charter and stating this will be taken into consideration.

The Government's response to a number of points raised in the Report about the regulation of algorithms and artificial intelligence was to point to the recently created Centre for Data Ethics and Innovation as well as, where relevant, the ICO. Further to the recent Government White Paper on Online Harms, the paper notes the intention to create a new statutory duty of care requiring organisations to take on more responsibility for the safety of their users and managing harmful content on their services.

Click here to read the Government's Response to the House of Lord's Report and here to read the Government's Digital Charter.

DCMS call for evidence to support National Data Strategy

DCMS has requested information on three key themes to support the Government's development of a National Data Strategy. The National Data Strategy, announced last year, aims to assist in making the UK a "world leading data economy".

DCMS are requesting evidence based around three themes – people, economy and government. This will inform the National Data Strategy being developed and a full consultation on the draft strategy is planned for later this year. The theme of people includes questions around trust and the use of (personal) data, including the impact of data protection legislation. The theme of economy looks to understand the operation of organisations in a data-driven economy and how data can be capitalised on by a business.

Click here to read the announcement.

Written by Mark Williamson, Isabel Ost and Charlotte Gatland

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions