Data Protection update - April 2018
Welcome to the April 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- The Information Commissioner's keynote speech at the IAPP Europe Data Protection Intensive 2018
- The Article 29 Working Party ("WP29") issues revised guidelines on consent and transparency in the GDPR
- High Court Judgment on the 'Right to be Forgotten' in NT1 and NT2 v Google and the Information Commissioner
- The WP29 issues a statement on encryption of personal data
- 13 EU member states commit to delivering cross-border access to genomic information
- MPs raise "serious concerns" over NHS Digital stewardship of data
- UK launched a cyber-attack on Islamic State
- Company obtains cyber injunction under the protection of anonymity
- Yahoo! cyber breach settlement gives shareholders cause for cheer
- Royal Mail fined £12,000
- Kensington and Chelsea council fined £120,000
- The Energy Saving Centre Ltd fined £250,000
- Approved Green Energy Solutions fined £150,000
The Information Commissioner's keynote speech at the IAPP Europe Data Protection Intensive 2018
In her speech at the IAPP Europe Data Protection Intensive 2018, Elizabeth Denham, the current Information Commissioner, discussed how the Information Commissioner's Office (the "ICO") is preparing for the GDPR; its powers; its focus on technology; its future in Europe; and, ultimately, how it will increase public trust and confidence.
The Commissioner stated that in the wake of the Cambridge Analytica-Facebook scandal, there is an international opportunity for focus on data protection, and highlighted that debates about data protection are taking place at government level around the world, effecting global change.
In relation to the Cambridge Analytica-Facebook scandal, the Commissioner did not give any details about the ongoing investigations other than to say that the ICO's report will describe the realities of data-driven political campaigning and that its investigation will be thorough, independent and focussed. The findings and conclusions will be made public and the ICO will provide a further update in due course.
Under the GDPR, which comes into force on 25 May 2018, the Commissioner will have the power to audit all those who hold, use and share personal data. However, the Commissioner raised concerns about the ICO's ability to keep up with technological advances in relation to how personal data is being used and managed. She is in intense consultation with the UK Government to ensure that, as part of the Data Protection Bill, the ICO has the ability to move more quickly to obtain the information it needs to carry out investigations in the public interest (i.e. a streamlined warrant process).
In preparation for the GDPR, the ICO is increasing its body of staff from 520 to 700; increasing its budget to £38 million a year; and developing a suite of resources on its website.
According to the Commissioner, the ICO has no intention of changing its proportionate and pragmatic approach after 25 May and will not be issuing huge fines as a default approach under the GDPR. The Commissioner did note, however, that hefty fines will be levied on those organisations that persistently, deliberately or negligently flout the law. The Commissioner recommends that companies endeavour to report to, and engage with, the ICO and that voluntary compliance is always its preferred route.
The Article 29 Working Party ("WP29") issues revised guidelines on consent and transparency in the GDPR
The WP29 has issued its final guidelines on two key issues under the GDPR: consent and transparency.
See here for the WP29's guidelines on Consent.
See here for the WP29's guidelines on Transparency.
High Court Judgment on the 'Right to be Forgotten' in NT1 and NT2 v Google and the Information Commissioner
The High Court has given its judgment in two claims that concern the "right to be forgotten" or the right to be delisted. In NT1 and NT2 v Google and the Information Commissioner, Warby J had to consider claims concerning the right to be forgotten (or what he said was more accurately described as the right to have personal information "delisted" or "de-indexed" by the operators of internet search engines).
The claimants, known only as NT1 and NT2, were both businessmen with previous criminal convictions. NT1 was convicted of conspiracy to account falsely in the late 1990s, whereas NT2 was convicted more than 10 years ago of conspiracy to intercept communications. NT1 was jailed for four years, while NT2 was jailed for six months.
Both men demanded that Google remove search results mentioning the cases for which they were convicted. Google refused their requests and the men took the company to the High Court.
NT2 succeeded in his claim and the court made a delisting order, although the judge did not award any damages to be paid to NT2. NT1, on the other hand, was not successful.
Warby J said his key conclusion in relation to NT2’s claim was that “the crime and punishment information has become out of date, irrelevant and of no sufficient legitimate interest to users of Google search to justify its continued availability”. According to Warby J, it is likely that we will see more of these claims in the future, particularly following the success of NT2's claim.
A Google spokesperson said: “We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest and will defend the public’s right to access lawful information. We are pleased that the court recognised our efforts in this area, and we will respect the judgments they have made in this case.”
The judgment provides useful guidance to those making a delisting request of Google. This is a relatively straightforward process which can usually be achieved without going to court.
See here for the judgment.
The WP29 issues a statement on encryption of personal data
On 11 April 2018, the WP29 published a statement on encryption (ePrivacy) and its role in protecting the personal data of individuals in the EU.
The statement focusses on three key messages:
- The availability of strong and trusted encryption is necessary to ensure the secure, free flow of data between citizens, businesses and governments. End-to-end encryption ensures strong confidentiality and integrity when data is transferred between devices.
- Encryption should remain standardised, strong and efficient. This would not be the case if encryption providers were compelled to include "backdoors" or provide "master keys" in their software allowing law enforcement agencies to decrypt and have access to the plain text data of suspected criminals.
- Law enforcement agencies already have access to data via their existing legal powers. The focus should be on agencies exercising their existing powers and improving their capabilities to interpret existing data when investigating and prosecuting criminals.
See here for the WP29's statement.
13 EU member states commit to delivering cross-border access to genomic information
The European Commission has published a press release, announcing that 13 EU member states (including the UK) have signed a declaration delivering cross-border access to their genomic information. This increased sharing of genomic data is expected to improve understanding and prevention of disease, allowing for more personalised treatments (and targeted drug prescription).
Under the declaration, the signatories will work together to provide secure and authorised access to genetic data and other relevant data that is stored nationally and regionally. Specifically, the declaration foresees:
- Consolidating infrastructure and expertise to enable one million genomes to be accessible in the EU by 2022;
- Leveraging and maximising investments, particularly those in sequencing, biobanking and data infrastructure, which have already been made by EU member states at national and EU level; and
- Providing a sufficient scale for "new clinically impactful research".
The Commission will support the initiative in setting up a mechanism for public authorities to coordinate ongoing genomic medicine schemes. This mechanism will set out the terms and conditions for secure access to genomic data and how that data can be used and also the technical specifications for cross-border access and exchange.
See here for the press release.
MPs raise "serious concerns" over NHS Digital stewardship of data
A group of UK MPs said it had “serious concerns” over the ability of the senior leadership of NHS Digital to understand and protect health and social care data.
The House of Commons Health and Social Care Committee (the "Committee") has delivered a report into the memorandum of understanding (the "MoU") on data-sharing between NHS Digital and the Home Office. The report said that NHS Digital, which supplies information and data to the health service, was failing to uphold patients’ interests.
The Committee received a number of representations expressing concern over the practices of data-sharing governed by the MoU. These included the incompatibility between the disclosure of information about people in contact with health services and the obligations of confidentiality assumed to apply to that information. There were also concerns that the sharing of patients’ addresses with other government departments would become accepted as normal practice.
MPs have stated that they have serious concerns about the government policy on the confidentiality of data collected for health and social care purposes. The Committee has recommended that NHS Digital suspend its participation in the MoU until the NHS Code of Confidentiality is reviewed. According to the Committee, data held for the purposes of health and care should only be shared for law enforcement purposes in cases of serious crime. NHS policy and practice in relation to patient data continues to be the subject of parliamentary criticism.
UK launched a cyber-attack on Islamic State
The UK has used a cyber-attack to hinder Islamic State's ability to co-ordinate attacks and to suppress its propaganda. The attack was launched by the Government Communications Headquarters ("GCHQ") in collaboration with the Ministry of Defence. The operation was described by the GCHQ director, Jeremy Fleming, as the “first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign”.
According to Fleming, these operations were aimed at disrupting services or a specific online activity, deterring an individual or group, or destroying equipment and networks used by the Islamic State.
It may be that in the future we will see more offensive cyber operations backed by nations. However, the legal issues surrounding these operations are complicated and it remains to be seen how these attacks will be utilised in the future.
Company obtains cyber injunction under the protection of anonymity
In the recent case of PML v Persons Unknown (see here for the judgment) a UK company has obtained an interim non-disclosure order under the protection of anonymity after it sustained a major cyber-attack. The company applied for, and was granted, anonymity by the court.
Earlier this year, an anonymous hacker unlawfully obtained access to a UK company’s computer systems, stealing a large amount of information which was then hosted on a password protected website. The hacker then sent an email to directors of the company, informing them of the attack, providing login and password details for the website and demanding a substantial ransom in bitcoin, failing which the stolen information would be published in order to destroy the company. The hacker attached various confidential documents belonging to the company to these emails, by which it was established that the attack appeared to be genuine.
An injunction for non-disclosure was granted in this case because the company was likely to be able to demonstrate at trial that publication of the stolen confidential documents would not be allowed, given the circumstances in which the defendant came to be in possession of the relevant documents and information (i.e. by computer hacking). After the injunction was granted, the defendant failed to engage in the proceedings. In fact, the defendant continued to threaten and make attempts to publish the confidential information in breach of the order (via an online forum and a cloud-based file transfer service). The defendant also failed to deliver up the confidential information, in breach of the injunction.
This decision may be helpful for companies who suffer a cyber-attack at the hands of an anonymous hacker, but who are nervous about taking legal action for fear that it could draw wider public attention to the attack and its details. It appears from the judgment that victims of blackmail (individuals as well as companies) are arguably entitled to protection via anonymity. Such an anonymity order will also be very useful for companies who wish to stop a hacker going to the press and causing reputational harm.
Yahoo! cyber breach settlement gives shareholders cause for cheer
A U.S. data breach class action has settled for $80 million. The action concerned two significant data breaches, the first in 2013 involving over one billion user accounts, while the second in 2014 involved over 500 million accounts. The breaches weren’t revealed until late 2016. The action was brought on behalf of “all those who purchased or otherwise acquired Yahoo common shares traded on the NASDAQ during the Class Period and were damaged upon the revelation of the alleged corrective disclosures.” Unlike most cyber-breach related class actions, the class members were not the users whose private information was hacked, but rather the shareholders of Yahoo who saw the company’s share price fall following news of the breach.
The $80 million settlement sum is significantly more than most recent breach-based class and derivative action settlements. This is the first significant class action in the US where the basis of the claim was the failure to disclose cyber breaches.
Royal Mail fined £12,000
The Royal Mail Group Limited has been fined £12,000 by the ICO after it sent more than 300,000 nuisance emails to people who had opted out of receiving them. The emails advertised lower prices for parcels and Royal Mail claimed that they were communicating a "service" rather than marketing materials. However, the ICO found that the emails constituted marketing and Royal Mail had breached Regulation 22 of the Privacy and Electronic Communications Regulations ("PECR").
Kensington and Chelsea council fined £120,000
The Royal Borough of Kensington and Chelsea has been fined £120,000 by the ICO after it unlawfully identified 943 people who owned vacant properties in the borough. In the aftermath of the Grenfell Tower Fire, names and addresses of the owners of unoccupied homes in the borough were sent to three journalists who had requested statistical information under the Freedom of Information Act 2000. According to the ICO the contravention of data protection legislation was serious both in terms of the council's deficiencies and the impact such deficiencies had on the affected data subjects.
The Energy Saving Centre Ltd fined £250,000
The Energy Saving Centre Ltd has been fined £250,000 for making unsolicited calls for direct marketing purposes to subscribers who had registered with the Telephone Preference Service ("TPS"), in contravention of PECR. Bradford-based Energy Saving Centre Ltd, which offers services such as replacement windows, doors and guttering, made seven million calls over a seven-month period without screening them against the TPS register, and at least 34,000 of these calls were made to TPS subscribers. The information used to make the calls was bought from another company and the firm failed to check it against the TPS register. Energy Saving Centre has also been issued with an enforcement notice ordering it to stop illegal marketing.
Approved Green Energy Solutions fined £150,000
In a separate case, Mr Alex Goldthorpe t/a Approved Green Energy Solutions has been fined £150,000 for making over 300,000 unsolicited calls for direct marketing purposes to subscribers who had registered with the TPS, in contravention of PECR. The information used to make the calls was bought from another company and the firm failed to check it against the TPS register.