Data Protection update - August 2018
Welcome to the August 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Sir Cliff Richard wins landmark privacy battle
- ICO calls for views on data sharing code of practice
- CJEU rules on joint controllership - what does this mean for companies?
- More EU Member States moving toward GDPR implementation
- Court of Appeal ruling on disclosure of mixed personal data in data subject access requests
- Higinbotham v Teekhungam & Anor
- First UK collective action data protection cases in the pipeline
- Facebook granted leave to appeal ECJ referral on SCCs
- EIOPA Report on Cyber Insurance raises awareness and understanding of cyber risk in the European market
- The cyber threat to the UK legal sector
- Cyber stress tests planned for banks in 2019
- Data breach affects 1.5 million people in Singapore
In a judgment on 18 July 2018, the High Court found that Sir Cliff Richard's privacy rights were breached in 2014 by the BBC in a "serious" and "sensationalist" way. Sir Cliff has been awarded £210,000 in general damages which is to be split between South West Yorkshire Police, who will pay 35%, and the BBC, who will pay 65%.
In 2014, the BBC broadcast a police raid on Sir Cliff's property and named him as a suspect in an alleged historical sexual offence involving a minor in 1985. Sir Cliff was never arrested during the investigation, which lasted almost two years, and was never charged.
This judgment has been widely reported as a landmark case for individual privacy rights, but will also have a significant impact on the freedom of the press to report suspected wrongdoings. Previously the naming of suspects has only been considered from a defamation angle, whereas following this judgment it is clear that the right to privacy is likely to provide a stronger protection.
In reaching the decision, the court undertook a balancing exercise between Article 8 of the European Convention on Human Rights (the right to respect for private and family life) and Article 10 (the right to freedom of expression). In order to do this, the court considered: (i) whether Sir Cliff had a legitimate expectation of privacy in relation to the investigation published by the BBC; and (ii) if so, was the BBC nonetheless justified in publishing the investigation by virtue of its Article 10 rights prevailing over Sir Cliff’s Article 8 rights?
In relation to the first question, Mr Justice Mann ruled that as a general principle, a suspect in a police investigation has a reasonable expectation of privacy and Sir Cliff was no exception. He further held that a suspect’s legitimate expectation of privacy is not removed when the information is in the hands of the media.
In relation to the second question, Mr Justice Mann concluded that Sir Cliff’s privacy rights were clearly not outweighed by the BBC’s right to freedom of expression, primarily because the consequences of the disclosure of such serious allegations for someone like Sir Cliff were very severe and the failure of the public to keep the presumption of innocence in mind would inevitably contribute to any stigma. The judge emphasised that the BBC’s reporting of the investigation was already an infringement of Sir Cliff’s privacy rights, but had gone further by adding “drama and a degree of sensationalism by the nature of its coverage”.
The Data Protection Act 2018 ("DPA 2018") requires the Information Commissioner's Office ("ICO") to issue a data sharing code, which provides good practice advice to organisations that share personal data, either by updating the existing code that is already in place (issued in 2011 - see here) or by issuing a replacement code.
The ICO has issued a call for views on updating its existing data sharing code of practice. Before updating or replacing the code, the ICO is required to consult the Secretary of State and, as it considers appropriate, trade associations, data subjects and those representing the interests of data subjects.
The call for views seeks responses on:
- which changes to the legislation the ICO should focus on in updating the code and any other non-legislative developments that should be covered;
- whether the existing code strikes the right balance between data sharing and data protection;
- any areas of the existing code that are either too detailed, not covered in enough detail, or not covered at all; and
- any case studies or scenarios that could be included in the updated code.
The deadline for submission of responses is 10 September 2018. See here for further information.
The Court of Justice of the European Union ("CJEU") has recently handed down two judgments on the issue of "joint controllership". We discussed the first judgment, Wirtschaftsakademie Schleswig-Holstein, in our June bulletin; it held that administrators of Facebook fan pages are jointly responsible with Facebook for the processing of Facebook visitors' personal data.
In a second judgment on 10 July 2018, the CJEU found that a religious community may be jointly responsible, together with the members of its congregations who actually engage in door-to-door preaching, for personal data collected in the course of those preaching activities.
Both of these cases indicate that the CJEU takes a broad interpretation of "joint controller" for the purposes of data protection legislation. Parties may be jointly responsible for the processing of personal data even when the data processing activities are only carried out by one of the parties and there is no transfer of data to the other party, provided that the other party somehow benefits from the data processing activity or exerts influence over the processing of personal data for its own purposes.
It is worth noting that these decisions were based on the pre-GDPR legislative position, and the GDPR now imposes direct liability and responsibility on processors, so arguably there is less need for a broad interpretation of joint controllership. This is because part of the reasoning behind the broad interpretation of joint controllership was to keep as many parties as possible liable and responsible for data protection.
The GDPR requires joint controllers to agree a "joint controller agreement" which is an arrangement specifying their respective responsibilities for compliance with the obligations under the GDPR, and to make the essence of the agreement available to the data subjects.
It remains to be seen how the CJEU will decide on similar arrangements under the GDPR and how national data protection authorities and courts will react to these rulings. Provided that the CJEU continues its broad interpretation of the concept of a controller under the GDPR, companies should be aware that they may be considered joint controllers if collaboration with another party involves processing personal data for a shared purpose.
Following the deadline on 25 May 2018, more EU countries are adopting national laws in compliance with the GDPR, as required to address the national derogations permitted by the GDPR (see our February bulletin):
- France’s new data protection law was adopted on 20 June 2018 and published on 21 June 2018.
- Spain's new data protection law is still on hold due to a change of government. However, in the first week of August, the Spanish government approved an urgent regulation appointing Spain’s national data protection authority as its representative on the European Data Protection Board. The regulation also provides a transitory regime for enforcement proceedings that are already underway and data processing agreements which are currently in force.
- In Romania, the legislative proposal for implementing the GDPR (Pl-x no. 167/03.04.2018) was adopted on 27 June 2018 and entered into force on 31 July 2018.
- Hungary’s parliament adopted a national law supplementing the GDPR on 17 July 2018. It has now been published and entered into force on 17 August 2018.
- For Member States that are moving too slowly towards GDPR implementation, the European Commission ("EC") has sent warning letters to the relevant governments to alert them of possible future action including possible referral to the CJEU where they may be subject to financial penalties.
In the recent case of B v The General Medical Council, the Court of Appeal has given guidance on when to disclose information containing the personal data of more than one individual, or "mixed data", in response to a data subject access request ("DSAR"). In this case an expert report concerning a GP's fitness to practise was not disclosed to a patient in response to a DSAR made by the patient for personal data held about him. It was withheld on the basis that the report contained mixed personal data, i.e. personal data of both the GP and the patient.
Generally, under data protection legislation, a data controller is not obliged to comply with such a request unless the third party has consented to disclosure of the information, or it is reasonable in all the circumstances to comply with the request without that consent. Previous case law indicated that there was a presumption against disclosure in a mixed data case where the third party withholds consent. In this case the GP, Dr B, did not consent to the report’s disclosure, principally on the basis that the request was being made with a view to litigation against him.
The Court of Appeal held that:
- In determining whether to disclose mixed data, a balance should be struck between the requestor and objector’s competing interests, and a presumption in favour of withholding disclosure should only be applied in a 'tie-break' situation i.e. where all of the other interests balance equally (please note that there was a split in the judgments on this point, and it remains to be seen if any appeal of this case or further cases will re-establish the presumption); and
- The requestor's interests in seeking the disclosure should not be devalued because the information may assist them in litigation.
This case is now the leading case on mixed personal data, and will be relevant to employers faced with DSARs where the disclosure of mixed personal data is in issue. Employers face an increasingly onerous task when complying with DSARs under the new regime and, following this Court of Appeal decision, should think carefully before refusing requests for disclosure of “mixed data” on the basis of a lack of consent from a third party.
Although this case was decided under the Data Protection Act 1998 ("DPA 1998"), the same principles are likely to apply to DSARs under the GDPR and the DPA 2018. See here for the full judgment.
A claim for misuse of private information, breach of confidence and breach of the DPA 1998 in the High Court, has been dismissed as an abuse of process and a "fanciful" claim.
The claim had been brought by a married man against his Thai second wife. The claimant complained that a profile on Facebook, set up by the defendant, revealed that he had a second family, something which he had hoped to keep secret from his wife in the US, friends and business associates. The claimant issued the claim in December 2016, claiming that the publication of the profile was a breach of confidence or misuse of private information, and seeking damages and an injunction to restrain further publications. The court struck out the claim on the basis that it was an abuse of process and the claim had been brought for the collateral purpose of harassing the defendant.
The judgment contains a useful analysis regarding the scope of damages recoverable for trivial breaches of, amongst other things, the DPA 1998 and confirms that claims under the DPA 1998 are susceptible to being struck out on the basis that they are an abuse of process.
See here for the full judgment.
Under Article 80 of the GDPR, data subjects have a right of redress via collective actions. Relying on this new right, a group of UK residents is threatening to sue Facebook, Cambridge Analytica, the SCL Group Limited and Global Science Research Limited for damages following misuse of their personal data. The group has sent Facebook a 27-page letter and is seeking to launch a class action claim. Up to 1 million UK residents could be eligible to join the action.
Another group, Fair Vote Project, is also gathering names to possibly start a class action suit against Facebook in the UK. Fair Vote runs on public donations and its aim is to tackle issues of data misuse, voter manipulation and lack of transparency in elections. As reported in our July bulletin, the ICO intends to fine Facebook £500,000 (the maximum fine available under the DPA 1998 which was in force when the activities took place), but the group does not believe that this is a sufficient remedy.
Additionally, the law firm Leigh Day is also planning to sue Facebook via a class action for compensation for misuse of personal data.
Facebook has been granted leave to make an appeal to the Irish Supreme Court on whether the Irish High Court should have referred a case relating to the validity of the Standard Contractual Clauses ("SCCs"), including questions about the EU-US Privacy Shield, directly to the European Court of Justice ("ECJ").
On 3 October 2017, the Irish High Court decided to refer the matter to the ECJ. The questions, which were finalised in April 2017, were raised in a complaint made by Max Schrems, the renowned data protection activist, to the Irish Data Protection Commissioner about Facebook's transfers of his personal data from Ireland to the US using the SCCs.
Facebook applied to the Irish Supreme Court for leave to appeal the referral setting out ten grounds on which the appeal would be pursued. These included the Irish High Court's failure to consider the different legal context introduced by the GDPR and errors in its assessment of US law. The Irish Supreme Court granted Facebook leave to appeal all the issues it raised, including the issue of whether an appeal could be made, and if so, what type. The court, however, directed that the appeal should be ready for hearing before the end of 2018.
Please note that, although their adequacy is under threat, the existing SCCs remain valid and will remain in force until amended, replaced or repealed.
EIOPA Report on Cyber Insurance raises awareness and understanding of cyber risk in the European market
The European Insurance and Occupational Pensions Authority ("EIOPA") has published a report which, following a consultation with cyber insurance companies, attempts to enhance understanding of cyber risk with a focus on the European market.
Due to the rapidly changing and increasingly complex technological landscape, cyber risk is fast becoming one of the top risks for global businesses and is of great concern to companies across a vast array of industries.
Currently the cyber insurance market operates predominantly in the US, with only a small portion of the market in Europe. To date, most of the available reports and surveys focus only on the US, which makes it hard for the European cyber insurance industry to increase its understanding of cyber risk.
This report, which provides a useful analysis of the current state of the market and predictions for upcoming years, has been compiled following an organised consultation with 13 insurance and re-insurance groups based across Europe.
The key findings are as follows:
- there is a clear need for deeper understanding of cyber risk to assist with the assessment and treatment of risk, and understanding the needs of clients;
- interest in providing cover for individuals is gaining momentum due to increased exposure;
- the demand for cyber insurance is expected to increase following the surge in cyber incidents, increased knowledge of the risk and EU regulatory initiatives;
- cyber risk is expected to become a firm contributor to the economy;
- qualitative models are more frequently used than quantitative models;
- regulation may be a welcome support to the industry if it could help address some of the challenges identified in the report.
See here for the full report.
The National Cyber Security Centre's (the "NCSC") July 2018 report focusses on cyber risk to law firms.
As law firms handle substantial volumes of confidential and sensitive information, including significant client monies, they are increasingly at risk from cyber fraud. In 2017, 60% of law firms reported information security incidents. Additionally, according to the Solicitors Regulation Authority ("SRA"), (i) over £11 million of client money was stolen due to cybercrime in 2016 and 2017 and (ii) approximately 80% of law firms have reported phishing attempts in the past year.
The most common threats to law firms are phishing, data breaches, ransomware and supply chain compromise.
The NCSC has published guidance on how to defend an organisation from phishing and ransomware attacks and recommends the following:
- implementing processes to verify (via independent means) invoices and account details for money transfers;
- using ‘cooling off’ periods for changing account details for high value transactions; and
- ensuring any outsourced business service providers have secure systems in place to hold sensitive data.
See here for the full report.
The Bank of England has announced that bank payment systems will be subject to cyber stress testing throughout 2019. According to a risk survey published by the Bank of England, during the first half of 2018 banks' fears of cyber-attacks on the UK financial system were at a record high.
Cyber stress testing is part of a new initiative developed by the Bank of England's Financial Policy Committee ("FPC"). The FPC will set expectations on how speedily banks are able to restore "vital services" if they fall victim to a cyber-attack. The stress testing will then be based on these standards. The FPC intends to make its stress-testing scenarios severe but plausible. The NCSC will also be involved in shaping the stress testing exercises.
Further details on the stress testing will be published later in the year.
The Singapore government has confirmed that approximately one in four people in Singapore have been affected by a major data breach. The personal data of individuals who visited SingHealth's specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 which was stored on SingHealth's database was stolen following a "deliberate, targeted and well-planned cyber-attack".
The data taken included the names, NRIC numbers, addresses, gender, race, dates of birth and records of outpatient dispensed medicines of approximately 160,000 patients. It is believed that the attackers were specifically targeting data belonging to the Singapore Prime Minister, Lee Hsien Loong, in particular information about his medicine prescriptions. The data was accessed and copied, but not tampered with, amended or deleted.
The Singapore government said that an "independent external review" will be set up to look into the SingHealth data breach.
The ICO has fined AMS Marketing Ltd, a marketing company, £100,000 for making over 75,000 nuisance calls to people who were registered with the Telephone Preference Service ("TPS") between October 2016 and December 2017.
The investigation by the ICO found that AMS Marketing bought lists of data from other companies, but that they did not check whether any of the people on the lists were registered with the TPS.
Lifecycle Marketing (Mother and Baby) Ltd, a data broking company (also known as Emma’s Diary) has been fined £140,000 for collecting and selling personal information belonging to more than one million people.
The company, which provides advice on pregnancy and childcare, sold information to Experian Marketing Services, specifically for use by the Labour Party to profile new mothers in the run up to the General Election 2017. The Labour Party was able to use this information to send direct targeted mail to mothers living in marginal constituencies.
This case has formed part of the ICO’s comprehensive investigation into data analytics for political purposes. Please see our July bulletin for our discussion of the ICO's policy report "Democracy Disrupted? Personal information and political influence", and see here for the report itself.
Later this year, the ICO will audit the UK’s main political parties' data-sharing practices and it also has outstanding enquiries with a number of data brokers, including Experian.