Data Protection update - April 2020
Welcome to our data protection bulletin, covering the key developments in data protection law from April 2020.
- ICO launches coronavirus information hub and further guidance on dealing with issues resulting from the pandemic
- ICO publishes guidance on their regulatory approach during the coronavirus pandemic
- EU takes steps to manage Covid-19, mobile data and apps
- ICO publishes opinion on Apple and Google’s joint initiative on contact tracing technology
- Zoom's approach to data privacy and security comes under scrutiny
- ICO and Surveillance Camera Commissioner publish updated impact assessment template
- EU Advocate General delivers opinion on GDPR requirement for obtaining data subject consent
- FCA publishes insight on key cyber-security risks
- NHS at risk of cyber-attack amidst Covid-19 crisis
- UK government releases Cyber Security Breaches Survey 2020
- Supreme Court holds that Morrisons is not liable for actions of a disgruntled employee
- UK cooperation with the USA on the "ISIS Beatles" held unlawful by the Supreme Court
- UK Supreme Court grants Google permission to appeal Lloyd v Google case
- Dutch data protection authority fines sports association
- First Tier Tribunal orders a general stay on all appeals against ICO rulings
- British Airways and Marriott International fines by ICO deferred again
ICO launches coronavirus information hub and further guidance on dealing with issues resulting from the pandemic
The ICO continues to update and publish new guidance for individuals and organisations on how to deal with data protection issues during the pandemic. The advice can be found on their general coronavirus information hub. Here, you can drill down into more specific data protection advice on topics such as secure working from home, as well as how to avoid scams during the pandemic. The ICO offers some welcome reassurance in a statement issued earlier this month explaining that they “stand ready to investigate any business taking advantage of the current pandemic” and, in particular, that where they find evidence of fraud, they will work closely with Action Fraud, Trading Standards and relevant agencies to continue to protect people, raise awareness and stop criminal activity.
The dominant and consistent message issued by the ICO is that data protection law will not stop organisations from responding to the crisis. The hub is being regularly updated to reflect the changes in response to the pandemic.
On 15 April 2020, the ICO published guidance on its regulatory approach during the Covid-19 pandemic. In the guidance, the ICO acknowledges the "capacity shortages" and "financial pressures" organisations face due to the pandemic. It noted that the flexibility of the legal framework allows it to commit to an "empathetic and pragmatic approach" to its regulation throughout this crisis.
The ICO specifically pointed out the "severe front-line pressures" forcing health, local and central government, and police authorities to redeploy resources as necessary. The ICO stated it will support these authorities, while providing "practical support" to the public on understanding and exercising their information rights in relation to such authorities. Lastly, the ICO referred to its commitment to proportionality, enshrined in its Regulatory Action Policy, as the guiding principle to its regulatory investigations and enforcement action during this crisis.
With regard to enforcement, the ICO’s position is, amongst other things, that:
- “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this.”
- In relation to the investigatory process: “We will take into account the particular impact of the crisis on that organisation. This may mean less use of formal powers that require organisations to provide us with evidence, and allowing longer periods to respond.”
- “[w]e will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.”
- “[b]efore issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.”
- “We will recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests”.
The ICO has also helpfully provided a 'security checklist' for organisations whose employees are working from home during the pandemic. The main message in this regard is that, while data protection law does not prevent organisations from using IT solutions to meet the challenges as organisations shift towards a 'work from home' model, organisations must ensure that any such solutions are secure in terms of effectively protecting the organisation and its clients' personal data.
Should you or your company have further questions about the ICO's approach on data protection amidst the Covid-19 pandemic, please do not hesitate to contact our data protection team at Stephenson Harwood.
As countries around the world begin to consider the use of contact-tracing apps as an exit strategy for Covid-19, the UK appears to be following suit. The Government has launched a track and tracing app to be piloted on the Isle of Wight in the first week of May. Access to the app will initially be offered to NHS staff before being made more widely available to download. The ICO has provided oversight on the development of the contact-tracing app, and will continue to monitor it (including to review and comment on the app’s Data Protection Impact Assessment and privacy notice). Elizabeth Denham has stressed that the ICO will not ‘sign off or approve’ the app, but will be an “expert adviser and enforcer”.
The contact-tracing app uses Bluetooth signals between devices in order to alert those who have been in close proximity to someone who later develops and records symptoms (if that individual chooses to let the app inform the NHS). While data will be anonymised, this could clearly have significant data privacy implications, particularly as individuals’ locations will be continuously tracked and there are fears that the unique IDs given to each device could be used to “de-anonymise” people who report symptoms. The Health Secretary confirmed on 4 May 2020 that the app has been designed with privacy in mind and has been signed off by the National Cyber Security Centre (“NCSC”). Prof John Newton from Public Health England further clarified that the app itself does not hold personal information and “people should feel reassured by all the precautions that have been taken”.
In response to the contact-tracing app trend, the European Commission and the EDPB are also working to promote a common approach to the use of mobile apps and data in fighting coronavirus. The European Commission has issued guidance on the apps supporting the fight against Covid-19 following the publication of its recommendation setting out a “toolbox” for Europe on how to use technology and data to combat Covid-19. The key message from the European Commission is that countries across the EU must adopt a consistent approach which, in turn, will enable citizens to social distance more effectively without the strict country-wide restrictions on movement we are still seeing today. On 14 April, the EDPB emphasised the need to consult data protection authorities, particularly in the development phase of any contact-tracing app. The EDPB also noted that these apps will not have the desired effect without the majority of the population’s consent and sign-up, which means that the app (and governments alike) must ensure transparency in relation to use of personal data, compliance with privacy laws and protection of citizens’ fundamental rights.
The question of whether true anonymity will be achieved if data points including location and unique identifiers are used remains, and will likely be subject to further scrutiny. In addition, the extent of any data sharing with private sector companies, and controls on the uses for which those companies put the highly sensitive data they receive, will need to be carefully managed to ensure compliance with data protection law.
Separately, the ICO has published an opinion on Google and Apple’s de-centralised joint contact-tracing initiative (which they are calling the Contact Tracing Framework (“CTF”)). The opinion states that the initial stage of the CTF broadly aligns with data protection law; however, the ICO stressed that app developers must carry out their own measures to ensure compliance with data protection law. The ICO has taken care not to fully endorse the initiative and acknowledges that other concerns and considerations may arise further down the line, such as the association of other data generated by the app with centralised data held by public health authorities.
Zoom, the video-conferencing software, has risen in popularity since the Covid-19 crisis. Many private individuals, companies and even the UK government now use it to host personal and work meetings from home. Zoom claims (on its website) that it "does not monitor" meetings or their contents, and that it "complies with all applicable privacy laws, rules and regulations in the jurisdictions in which it operates".
However, the Financial Times recently reported that, since February 2020, some video/audio conferences initiated on Zoom were routed through two of its data centres located in China, despite the users being based outside China. Zoom said this was a "mistake", and that it had fixed the flaw which occurred "under extremely limited circumstances". According to the FT, Zoom explicitly noted that government users were not affected by this "mistake".
Interestingly, the Taiwanese Department of Cyber Security formally issued an advisory warning on 7 April 2020 to Taiwan's government organisations reminding them that any video conferencing software used should be secure. The warning specifically mentioned Zoom as an example of a video communication service which has "associated security or privacy concerns", but does not go on to elaborate how those concerns came about.
The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto that focuses on research and development of IT and global security, noted that Zoom's popularity, spurred by the Covid-19 pandemic, has made it a "high priority target" for "targeted intrusion operations".
This serves as a reminder to users to understand the privacy and security policies of software which they propose to use, whether during this pandemic or otherwise.
The ICO and Surveillance Camera Commissioner jointly published an updated Data Protection Impact Assessment ("DPIA") template document on 1 April 2020. This updated template reflects changes in data protection requirements, such as the requirement to register the name of the company's data protection officer (“DPO”) and the need to consult with the DPO when carrying out a DPIA. The regulators recommend, in particular, that a DPIA be carried out when cameras are added, moved, have their systems upgraded or where systems with biometric capabilities are introduced.
On 4 March 2020, Advocate General Szpunar handed down his opinion on the matter of Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) (the "Opinion").
This case concerns Orange, a telecommunication service provider which copied customers' identity documents and attached them to paper-based contracts for the provision of its services. The ANSPDCP (Romania's national data protection regulator) took the view that Orange had failed to obtain the customers' informed consent to this practice, and imposed an "administrative penalty" on Orange.
Orange pointed to a clause in the contract which provided that the customer "has been informed of and has consented to…the keeping [by Orange] of copies of documents containing personal data for the purposes of identification." Consequently, Orange brought an action to appeal the ANSPDCP's fine in the Bucharest Regional Court. The Regional Court requested a preliminary ruling from the Court of Justice of the EU.
In the Opinion, Advocate General Szpunar opined that the clause in Orange's contract (referred to above) failed to meet the strict requirements of the GDPR. In particular, he noted that the customers' consents were not "freely given" as the GDPR necessitates an active indication of consent. He clarified that "passive behaviour", such as "consent in the form of a preselected tick of a checkbox", to which Orange's contractual clause is analogous, did not satisfy the active consent requirement. Advocate General Szpunar also stated that the customers' consents were not "informed consent" as it was not "crystal-clear to the customer that a refusal to the copying and storing of his or her ID card does not make the conclusion of a contract impossible." This ties in with his emphasis that, in the context of formation of contract, a data subject must be told of the "consequences of refusing consent", i.e. whether refusing consent would preclude a contract being concluded.
This serves as an important reminder to our readers to keep under review any data processing clauses in their commercial contracts to ensure compliance with the GDPR, the substance of which will continue to be operative after the Brexit transition period ends after 31 December 2020. If you have any queries on the above, please do not hesitate to contact our Data Protection team at Stephenson Harwood.
The opinion can be accessed here.
The FCA has published an insight document highlighting key cyber-security risks for firms operating in the financial sector. The insights are a product of the Cyber Coordination Groups ("CCG"), comprising firms brought together by the FCA from across different areas of the financial sector, including investment management, retail banking and brokers.
The CCG identified the following areas as currently presenting the highest cyber-security risks:
- Supply chain: risks arising from supply chain partners, particularly in the energy and telecommunications sectors.
- Increasing social engineering attacks: the CCG reiterated the need for firms to educate their employees to better identify and report deceptive tactics aimed at persuading the employees to disclose information.
- Ransomware: the CCG noted the importance of updating hardware and software, as well as separating key segments of the network to "isolate critical elements" where possible.
Looking ahead, the CCG recommended that firms focus on reinforcing weak links in the following areas, amongst others, to minimise future cyber-attacks:
- Cloud security: the increasing reliance on cloud-based software requires such environments to be encrypted, protected and managed. The CCG noted the possible inclusion of "kill switch" technology as a potential response to cyber-attacks.
- Development and Security Operations: the CCG pointed out the importance of embedding robust security practices into an organisation's development approach. This can be achieved by "an integrated consideration at each stage of the development process", with particular focus on privacy, security and compliance.
Importantly, the FCA clarified that this document is not FCA guidance. To find out more about FCA guidance on cyber resilience, please visit the FCA’s dedicated webpage or contact the Data Protection team at Stephenson Harwood.
In our March 2020 bulletin, we raised the issue of phishing and spam emails related to the Covid-19 crisis. Unfortunately, cyber security issues arising from the pandemic have not eased off. In fact, they seem to have worsened to the extent that experts are now warning that the NHS is at risk of cyber-attacks whilst it struggles with the physical fight against the virus.
Hospitals in Spain, France and the Czech Republic have all reported being hit by cyber-attacks during the Covid-19 crisis. Similarly, the WHO and the US Department of Health have both been targets of cyber-attacks during this period.
As a result, Neil Bennett, acting CISO at NHS Digital, has confirmed that the NHS is working closely with the UK's National Cyber Security Centre and NHSX to protect itself against potential cyber-attacks.
While the risk of cyber-attacks on the NHS will no doubt continue as the pandemic progresses, private companies and individuals should be equally aware of this cyber-risk and consider taking appropriate action to secure their data.
The UK's Department for Digital, Culture, Media and Sport commissioned the Cyber Security Breaches Survey of UK businesses and charities "as part of the National Cyber Security Programme". This survey was carried out by Ipsos MORI, and the Survey was released on 25 March 2020. Please see here to access the Survey.
The Survey aims to highlight to UK organisations the "nature and significance of cyber security threats they face". Worryingly, the Survey found that between 2019 and 2020, 46% of UK businesses and 26% of charities have reported at least one cyber security breach or attack. The primary targets are medium businesses (68%), large businesses (75%) and high-income charities (57%). Approximately one in five UK businesses that have suffered a cyber-security breach or attack also report a "material outcome", either losing money or data.
While the Survey notes that UK businesses are becoming more cyber resilient, it warns that there is more to be done "on a range of diverse topics", including audits, cyber insurance, managing supplier risk and reporting breaches. The Survey singled out supplier risks as an area that is often overlooked when businesses audit their cyber resilience. In particular, it notes that businesses fail to consider the security of non-digital service suppliers that form part of their supplier network.
The Supreme Court’s much anticipated decision in WM Morrison Supermarkets Ltd v Various Claimants  UKSC 12 represents the first data class action in the UK of its kind.
The facts of the case have been covered in detail in a previous update.
In summary, the Claimants' (5,518 Morrisons' employees) claims arise from Mr Skelton's unauthorised uploading of personal data (including names, addresses, dates of birth, home and mobile phone numbers, national insurance numbers, and details of bank accounts and salaries) relating to nearly 100,000 Morrisons' employees (the "Data") to a file-sharing website in 2014 (the "Breach"). Mr Skelton, who, at the time of the Breach, was a senior internal IT auditor at Morrisons, had become disgruntled by virtue of an internal disciplinary relating to his operating a side-business using Morrisons' post room. Thereafter, Mr Skelton, who had the right to access the Data as a result of his role, copied the Data, uploaded it to a file sharing website (in a manner which was intended to frame another Morrisons' employee), and provided copies of the Data to three UK newspapers.
The Claimants claimed that, in failing to prevent the Breach, Morrisons was primarily liable for breaches of the Act, misuse of private information, and / or breaches of confidence (the "Primary Claims"), or, alternatively, vicariously liable for Mr Skelton's misuse of private information and / or breaches of confidence (the "VL Claims").
At first instance, Langstaff J dismissed the Primary Claims (as Morrisons had not, itself, misused, or authorised the misuse of, the Data, and had in place appropriate measures to ensure that the Data was not misused by its employees, and was therefore not in breach of the Act), but held that Morrisons was vicariously liable for the Breach, and, accordingly, upheld the VL Claims. This judgment was upheld in its entirety by the Court of Appeal.
The Supreme Court overturned the Court of Appeal’s decision, holding that the VL Claims failed as a matter of principle. In applying the “close connection” limb (i.e. whether a close link exists between the wrongful conduct of the employees and the business of the employer or nature of the employment) of the two-stage test for establishing vicarious liability, the Supreme Court held that an employer should not be liable for an employee’s wrongful act where that act is not engaged in furtherance of the employer’s business, and is an effort to deliberately harm the employer as part of a revenge tactic.
Separately, in relation to Morrisons' argument that the Data Protection Act 1998 excluded vicarious liability, the Supreme Court held:
“The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault.”
Accordingly, where a data breach arises out of the actions of an employee which satisfy the “close connection” test, vicarious liability on the part of the employer in circumstances where they may have no statutory duty under relevant data protection legislation (or other liability generally (e.g. for breach of confidence)), remains a possibility.
The Supreme Court recently handed down judgment in Elgizouli v Secretary of State for the Home Department  UKSC 10. This case concerns the 'Jihadi Beatles': two British nationals who were ISIS members that the USA wanted to prosecute. Theresa May (when she was Home Secretary) initially denied Mutual Legal Assistance ("MLA") for the USA as it could not provide assurances that the British nationals would not receive the death penalty. However, Sajid Javid, when he became Home Secretary, granted MLA to the USA without seeking the same assurances.
Ms El Gizouli, the appellant and mother of Shafee El Sheikh, brought a claim against the Home Office alleging that: (i) English law does not allow the Home Secretary to trespass on the right to life; or alternatively, (ii) the Data Protection Act 2018 (the "DPA 2018") does not permit the Home Office to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.
The Supreme Court dismissed the first two grounds, but found for the appellant on the data protection ground. In particular, it held that Section 76(2) of the DPA 2018 provided that the ability of the Home Office to transfer data to a third country under the 'special circumstances' gateway is disapplied where this will affect the data subject's fundamental rights and freedoms. Since the USA could not guarantee that, if Shafee El Sheikh is convicted, he would not be subject to the death penalty, his right to life, being a fundamental right, could be affected.
The full judgment can be read here.
The Supreme Court has granted Google permission to appeal the Court of Appeal's judgment in Lloyd v Google LLC  EWCA Civ 1599.
The facts of the case have been covered in detail in a previous update.
Between August 2011 and February 2012, Google took advantage of an Apple-devised exception to cookie blockers, the “Safari Workaround”, which allowed Google to harvest, without consent, browser generated information (“BGI”) of Apple iPhone users. This BGI, which constituted personal data for the purposes of the Data Protection Act 1998 (the “DPA”), gave Google unprecedented insight into the habits and preferences of more than 4 million Apple iPhone users (the “Data Subjects”) which it packaged and sold to advertisers, allowing them to target marketing specifically at the Data Subjects.
Google has already been subject to individual claims before the English Court as a result of these activities, which gave rise to the critical judgment in Vidal-Hall v Google  EWCA Civ 311 which established that damages for non-pecuniary loss were, in principle, available under s.13 DPA.
Mr Lloyd, the former executive director of Which, and a consumer rights activist, is pursuing a representative claim on behalf both of himself, and other affected Data Subjects, under r.19.6 of the Civil Procedure Rules 1998 (the “CPR”), seeking damages under s.13 DPA for breaches of s.4(4) DPA.
Before the claim can proceed in earnest, amongst other things, Mr Lloyd requires the English Court’s permission to serve the proceedings out of the jurisdiction on Google.
At first instance, Warby J refused to grant permission to Mr Lloyd to serve the proceedings out of the jurisdiction, as he considered that Mr Lloyd’s claim did not have a real prospect of success as, amongst other things, he had failed to demonstrate that the Claimants had either: (a) suffered "damage" for the purposes of s.13 DPA; and, in any event (b) had either the "same interest" within the meaning of CPR 19.6(1), or were ascertainable as members of a specific class.
However, on 2 October 2019, in a seminal judgment, the Court of Appeal overturned Warby J’s judgment, holding that: (a) the Data Subjects were entitled to recover damages pursuant to s.13 DPA, based on the loss of control of their personal data alone, regardless of whether they had suffered pecuniary loss or distress; (b) the Data Subjects represented in the claim did, in fact, have the same interest for the purposes of CPR 19.6(1); and (c) the Court should exercise its discretion to permit Mr Lloyd to act as a representative for the Data Subjects.
If the Supreme Court upholds the Court of Appeal's decision, it will significantly widen the scope of data protection claims under the DPA 1998, and probably also under the Data Protection Act 2018 (which offers similar remedies at sections 167 to 169), and potentially open the floodgates to US-style class actions by representative Claimants on behalf of classes of affected data subjects.
On 2 March 2020, the Dutch Data Protection Authority (the "DDPA") issued a €525,000 fine against the Dutch National Tennis Association (the "Association") for breach of data protection laws.
The Association had collected personal data from its members, which the Association then provided to two sponsors for marketing purposes under a data sharing agreement.
The DDPA found that, whilst the Association had lawfully collected its members' personal data, the commercialisation of such data was unlawful. In particular, the DDPA held that the Association could not rely on the members' initial consent (under the membership agreement) to have their personal data processed for its subsequent sale of the same personal data to the sponsors.
This highlights the complications that can arise in relation to commercialisation of personal data. Readers should ensure that they have properly identified a separate ground for processing stored personal data for the purposes of the sale.
Following the ICO's application for a general stay, on 31 March 2020, McKenna J (President of the First Tier Tribunal, General Regulatory Chamber) ordered a stay of 28 days on all appeals against rulings of the ICO. She also ordered that all time limits in any new and current proceedings be extended by 28 days. The stay begins on 1 April 2020 and will be reviewed after it expires on 28 April 2020.
McKenna J made the order in light of the Covid-19 pandemic, and the fact that the ICO has been temporarily closed as a result thereof. If you have any appeals pending against the ICO and would like assistance on how to proceed, please do not hesitate to get in touch.
The Direction can be viewed here.
In July 2019, the ICO issued notices of intent to fine British Airways £183,390,000 and Marriott International £99,200,396 for alleged breaches of the GDPR arising out of security incidents. In January 2020, it was confirmed that the next steps in the regulatory process (the ICO has 6 months from issuing a notice of intent to issue a fine under Schedule 6 para 2(2) of the Data Protection Act 2018) relating to both fines would be delayed to 31 March 2020.
This deadline passed with no news of the regulatory outcome. It now transpires that the ICO has announced yet another delay, this time due to the Covid-19 crisis. Marriott's deadline will be extended until 1 June 2020.
British Airways owner IAG's 2019 annual report explained that British Airways' deadline had been extended to 18 May 2020 to allow the ICO to "fully consider the representations and information provided by British Airways."
It remains to be seen whether these new deadlines will need to be further extended in light of the pandemic, and also what impact the pandemic may have on the amounts of those penalties, in particular, given the ICO’s guidance on the pandemic referred to above, and the economic impact it has had both on British Airways’ and Marriott International’s business.