Data Protection update - February 2018

Data Protection update - February 2018

Welcome to the latest edition of our Data Protection update, our review of key developments in Data Protection law covering February 2018.

Data protection

Cyber security

ICO enforcement

Data protection

EU countries told to 'speed up' preparations for the GDPR

In a communication from the European Commission (Commission) this month, the Commission has told governments across the European Union (EU) to speed up their adoption of new data protection legislation to supplement the GDPR.

While the GDPR will apply with direct effect from 25 May 2018, certain provisions may be supplemented at Member State level with derogations implemented into data protection legislation (for example, to establish the youngest age at which children can consent to data processing, or to determine the conditions under which national ID numbers may be processed).

At present, only two EU Member States (Germany and Austria) have adopted the relevant national legislation. The Commission noted that is important to give operators enough time to prepare for all the provisions that they have to comply with and said that a failure to implement necessary national laws in time could result in fines for individual Member States.

In addition, the Commission has urged Member States to provide the necessary financial and human resources as well as premises and infrastructure to their national data protection authorities to facilitate the effective performance of tasks and exercise of their powers.

By way of reminder, in the UK, the House of Lords approved its national legislation, namely the Data Protection Bill 2017 (Bill), on 18 January 2018. According to the House of Lords, a range of subjects were discussed as part of the Bill's passage including penalty notices, criminal liability, national security certificates, data protection in schools and support for small organisations.

To read the communication in full, click here. To read the Bill, click here.



ICO releases additional guidance on record keeping requirements under GDPR

The Information Commissioner's Office (ICO) has released additional guidance regarding requirements under Article 30 of the GDPR for controllers to maintain a record of processing activities. Article 30 requires that the record of processing must contain the following information:

  • the name and contact details of the controller;
  • the purposes of the processing;
  • a description of the categories of data subjects;
  • the categories of recipients to whom the personal data have been or will be disclosed;
  • transfers of personal data to a third country or an international organisation; and
  • the envisaged time limits for erasure of the different categories of data.

The guidance provides recommendations as to who must maintain internal records of processing activities, what must be recorded and how to document such activities; highlighting that organisations with 250 or more employees must document all of their processing activities. It also includes various examples, checklists and templates to assist with such requirements.

The ICO notes in the guidance that the Article 29 Working Party is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations. We will provide further updates on this in due course. As drafted the information obligations of Article 30 do not apply to an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (e.g. health data) or criminal conviction and offence data.

Accountability is a key new principle under the GDPR, which reflects the increased importance of maintaining internal records of a controller's processing activities and obligation to ensure (and demonstrate with documentation) that what a controller does with individuals' personal data is in line with the GDPR.

To read the guidance, please click here.



FCA and ICO publish joint update on GDPR

On 8 February, the UK Financial Conduct Authority (FCA) and the ICO published a joint statement on the GDPR.

The FCA does not consider the GDPR imposes any requirements that are incompatible with the rules already detailed in the FCA Handbook. The FCA further states its view that compliance with the GDPR is now a board-level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply with the requirements of the GDPR. The statement also highlights that the requirement to treat customers fairly is central to both data protection law and the current financial services regulatory framework.

While it is the ICO that will regulate the GDPR, the FCA notes that complying with the GDPR requirements is also something the FCA will consider under its Senior Management Arrangements, Systems and Controls (SYSC) rules. As part of its obligations under SYSC, a firm should establish, maintain and improve, where necessary, appropriate technology and cyber resilience systems and controls. The FCA and ICO are working closely together in preparation for the GDPR, and recently jointly hosted a GDPR Roundtable with firms and industry bodies to listen to industry concerns. The FCA and ICO have had a Memorandum of Understanding in place since 2014, laying out the formal relationship for the cooperation and coordination of their activities. Over the coming months this MOU will be reviewed to ensure it is still appropriate for the collaboration.

To read the statement, please click here.



German court rules Facebook use of personal data illegal

Facebook's default privacy settings, and use of personal data, are against German consumer law, according to a judgment handed down by a Berlin regional court (Court), which held that the social media platform collects and uses the personal data of its members without providing enough information for them to render meaningful consent.

The federation of German consumer organisations (VZBV), who brought the case against Facebook, argued that the site hides its default settings, which are not privacy friendly, in its privacy centre and does not provide sufficient information about the settings when users register. This does not meet the requirement for informed consent.

VZBV's core concerns were, firstly, that in Facebook's smartphone app, the location services were pre-activated which revealed a user's location and, secondly, in the privacy settings, boxes were pre-ticked allowing search engines to link to the user's timeline.

The Court agreed that certain default settings which were a source of VZBV's complaint were invalid declarations of consent. The Court also ruled eight clauses in Facebook's terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.

Facebook has since released a statement confirming that it would appeal the judgment and that further changes to the company's terms and data policy are anticipated ahead of the GDPR. The GDPR requires privacy notices to be in clear and plain language, and enhances the requirements for obtaining valid consent, meaning that pre-ticked boxes and other forms of default consent will not be acceptable.



Public bodies still not subject to fines under new Data Protection Bill in Ireland

The text of Ireland's new Data Protection Bill has been published on 1 February 2018 (Irish Bill). The text may still be subject to change by the Oireachtas (the Irish legislature) before it becomes law, but the Irish Bill does not substantially depart from the provisions of the Heads of the Bill published in May 2017. The Irish Bill transposes much of the GDPR text directly, while also addressing the powers of the Irish Data Protection Authority. However, one controversial inclusion in the Irish Bill is the exemption of public bodies from the administrative fine regime, except where such a public body is acting as an "undertaking" (i.e. providing goods or services for gain). Keeping public bodies in scope for administrative fines was explicitly requested by the current Irish Data Protection Commissioner, Helen Dixon, and was also a recommendation from a Committee in the previous stage of the legislative process.

The Irish Bill will give the Irish data protection commission the power to apply to the High Court for an order suspending, restricting or prohibiting the processing of data or its transfer outside of the EEA, where it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects.

To read the Irish Bill in full, click here.



Former F1 boss demands UK National Press stop processing his personal data

Lawyers for Max Mosley, the multimillionaire former motor racing boss, have written to the Times, the Daily Mail and the Sun earlier this month to demand they stop "processing data" related to their client, and block or erase information which they argue is inaccurate.

The letter demands the newspapers remove from their websites articles referring to an infamous party that Mr Mosley participated in ten years ago. Mr Mosley won a claim for breach of privacy in 2008 after the News of the World published images of him at the party.

Mr Mosley's lawyers are seeking to rely on the Data Protection Act 1998 (DPA), including the data protection principle requiring controllers to act fairly and proportionately, to have certain articles removed from the papers' websites. They argue that personal information on their client has been kept for longer than is necessary, and that such personal data is irrelevant and excessive, and has not been processed fairly or lawfully. They further state that the exemption which broadly applies to journalists (exemption to protect processing for the special purposes of journalism, art and literature) no longer applies. Mr Mosley is of the opinion that the journalists have acted outside this exemption and are now publishing articles in a campaign against him.

The Daily Mail and the Times responded by publishing articles regarding Mr Mosley's attempt to prevent further disclosure of his personal data, with the Times suggesting that it was an attack on press freedom. Mr Mosley has since commented that a failure on the part of the newspapers to respond in 21 days will likely result in him going to court.



Law Society publishes guidance on appointment of data protection officers under the GDPR

On 1 February 2018, the Law Society published guidance on the appointment of data protection officers (DPOs) by law firms as may be required under Article 37 of the GDPR.

The guidance provides that:

  • Most law firms will not be required to appoint a DPO under the GDPR.
  • Some law firms might be obliged to designate a DPO; for example those which are conducting large scale processing of special categories of data (e.g. concerning the health, political or religious beliefs, or sexual orientation of the firm's clients).
  • It is good practice for all firms to a) evaluate their processing of personal data against the criteria for the mandatory appointment of a DPO; b) document their decision; and c) continuously review their decision, especially before any substantial change in processing activity or when carrying out a data protection impact assessment (DPIA).
  • Firms should consider voluntary designation of a DPO and document the reasons for their decision. If a firm does not appoint a DPO it should consider other governance arrangements it will put in place to ensure compliance with the GDPR.
  • Governance arrangements should always include a suitably senior and qualified person with the necessary resources to lead on data protection compliance.
  • Firms should pay careful attention to the characteristics, role and tasks of the DPO in deciding whom to appoint and ensure that the DPO has the appropriate levels of expertise, independence and resource, as well as considering other relevant issues, such as conflict of interest, the statutory duties of the DPO, that person's duties to his or her clients and fellow partners, etc.
  • The appointment of a DPO can facilitate data protection compliance, however, DPOs are not personally responsible in case of a non-compliance with the GDPR, and the compliance responsibilities will always remain with the firm.

To read the guidance, click here.



Government significantly increases ICO Fees for large organisations

The Government has announced a new charging structure for data controllers to ensure the continued funding of the ICO under the Data Protection (Charges and Information) Regulations 2018 (Regulations), which was laid before Parliament on 20 February 2018. The model must still be approved by Parliament before it is finally confirmed and implemented. As reported in our October bulletin, the Government has been finalising the new funding mechanism, as introduced by the Digital Economy Act (see our May bulletin here), for some time. The new fees are as follows:

  • Tier 1 - micro organisations' fee: £40 (or £35 if paid by direct debit) (maximum turnover of £632,000 or no more than ten members of staff);
  • Tier 2 – SMEs' fee: £60 (maximum turnover of £36 million or no more than 250 members of staff);
  • Tier 3 - large organisations' fee: £2,900 (those not meeting the criteria of Tiers 1 or 2).

A company's failure to pay the fee, or not pay the correct fee, may be subject to a fine of up to £4,350.

Currently, data controllers are legally required to register with and pay the ICO either £35 or £500 annually depending on their revenue and number of employees. Until 25 May 2018, organisations are legally required to pay the current notification fee, unless they are exempt.

Previously it was thought that fees would change on 1 April 2018 but pursuant to the recent guidance the new fee model will go live on 25 May 2018. It is important to note in the meantime that data controllers remain under an obligation to renew their ICO notification if a renewal falls between now and 25 May 2018. Although the 2018 Regulations come into effect on 25 May 2018, this doesn't mean everyone has to pay the new fee on that date. Controllers who have a current registration (or notification) under the DPA do not have to pay the new fee until that registration has expired.

To read the ICO's guidance, please click here.



Article 29 Working Party has issued final guidelines on Data Breach Notification

Following a consultation period, the Article 29 Working Party (WP29) has now issued final guidelines on personal data breach reporting. The guidelines provide clarification as to the notifications that may need to be made to the relevant supervisory authority, as well as the data subjects themselves, following a personal data breach.

To read our summary of the guidelines, please click here.



Cyber security

UK finalises plans to implement new cybersecurity laws

The Department for Digital, Culture, Media & Sport (DCMS) has published the Government's response to the public consultation on the Network and Information Security Directive (NIS Directive) which was reported in our August bulletin (click here).

By way of reminder, the NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like energy, health and transport are secure. It applies to operators of such 'essential services', as defined by each EU Member State. Slightly different rules also apply to 'digital service providers'. EU Member States have until 9 May 2018 to implement the Directive into national law. DCMS confirmed the criteria which will define whether organisations across the sectors covered by the rules will be considered 'operators of essential services' and subject to the requirements of the new laws. The criteria for determining which organisations qualify as 'digital service providers' is set out in the NIS Directive itself.

DCMS also confirmed that operators of essential services that breach the security requirements will face fines of up to £17 million. Fines will only be issued as a last resort and will not be issued where operators of essential services have assessed the risks adequately, taken appropriate security measures, and engaged with regulators but still suffer an attack.

Under the new UK regime, different competent authorities will have responsibility for monitoring compliance and enforcement depending on which sector a relevant organisation operates.

It was noted that there is a distinct possibility of double jeopardy for a company that simultaneously contravenes the NIS Directive and other legislation, such as the GDPR. The Government stated there will be encouragement in the legislation for competent authorities to work with other relevant regulators in order to seek to address the potential for such double jeopardy that might otherwise occur through the doubling up of fines. That being said, the Government has acknowledged that imposing penalties for the same event under different regimes may be appropriate where penalties relate to different aspects of the wrongdoing, which have different impacts.

To read the paper, click here.



FedEx customers' private information exposed

A server containing personal information from more than 119,000 FedEx customers may have been left unsecured for several years, security researchers have found.

According to a report from security research firm Kromtech, the server stored more than 119,000 scanned documents from U.S. and international citizens, such as passports, driving licenses, and security identification.

The data was stored on an Amazon S3 storage server and collected by Bongo International, a company FedEx acquired in 2014, which calculated international shipping prices among other services. On 15 February, FedEx announced that has secured some of the customer identification records that were visible earlier this month on an unsecured server, and so far has found no evidence that private data was "misappropriated".



Every NHS trust fails to meet the required standard

Every NHS trust assessed for cyber security vulnerabilities has failed to meet the standard required, civil servants have said for the first time.

In a parliamentary hearing on the WannaCry attack which disrupted parts of the NHS last year (as reported in our May 2017 bulletin), Department of Health officials said all 200 trusts had failed to meet a recommended standard, despite increases in security provision.

Rob Shaw, the NHS Digital deputy chief executive said trusts were still failing to meet cyber security standards, admitting some have a considerable amount of work to do.

Appearing before the Commons' public accounts committee, he said the department had completed 200 on-site assessments but none had matched the bar set out by the national data guardian, Dame Fiona Caldicott. He noted that the recommended standard in Dame Fiona Caldicott's report is a high bar, and the results of the assessments do not mean the trusts had failed to take any action to boost cyber security.

The WannaCry attack is believed to have infected machines at a third of all health trusts across England, plus computers at almost 600 GP surgeries, according to a National Audit Office report released in October 2017.



ICO enforcement

Company fined £300,000 for nuisance calls

A company that made 8.7 million nuisance calls has been fined £300,000 by the ICO. The calls contained recorded messages, primarily promoting PPI compensation claims, and were made without the recipients' consent to receive direct marketing, breaching the Privacy and Electronic Communications Regulations (PECR).

To read the penalty notice, please click here.



Accident recovery firm employee who sold personal data to nuisance callers is fined

A former worker at an accident repair firm who downloaded and sold the personal data of motorists to nuisance callers has been fined.

Phillip Bagnall was an employee of Nationwide Accident Repair Services Limited (NARS) when he was found to be accessing suspicious volumes of customer data from a laptop at home outside of work hours.

During a week that Bagnall's accesses were monitored, he accessed the data of 2,724 customers without his employer's consent. Customers whose data was accessed subsequently received unsolicited, and at times aggressive, marketing calls regarding their accidents and were asked whether they wanted to pursue legal claims.

The defendant pleaded guilty to unlawfully obtaining data in breach of s55 of the DPA when he appeared at Manchester and Salford Magistrates' Court. A further charge of unlawfully disclosing data was also admitted and taken into consideration. Bagnall was fined £500 and was also ordered to pay £364 costs and a £50 victim surcharge.



Company previously fined now prosecuted after failing to change ways

A company that has already been fined for making nuisance calls has now been prosecuted in a criminal court for continuing to break the law.

Direct Choice Home Improvements Limited was given a £50,000 civil monetary penalty by the ICO in March 2016. It was also issued with a formal Enforcement Notice, requiring it to cease contacting people registered with the Telephone Preference Service.

The ICO continued to receive complaints and reports about unsolicited marketing calls from the firm, and Direct Choice has now been prosecuted under the ICO's criminal enforcement powers for breaching the terms of its Enforcement Notice.

Having previously been fined £50,000 Direct Choice was fined £400 and was also ordered to pay £364.08 and a victim surcharge of £40.



ICO issues enforcement notices to five data controllers for failing to respond to SARs

The ICO has issued five enforcement notices to Gain Credit LLC, Magnacrest Limited, Ian Chambers, William Macbeath, and Ainsworth Lord Estates Limited respectively (Enforcement Notices), for their failure to respond to subject access requests (SARs) and preliminary enforcement notices.

The Enforcement Notices require the recipients to inform the complainants whether the data being processed consists of personal data, and supply them with copies (in accordance with Section 7 of the DPA and the sixth data protection principle) within 30 days of the date of the Enforcement Notices.