Data Protection update - February 2019

Data Protection update - February 2019

Welcome to the February 2019 edition of our Data Protection bulletin, our monthly update covering key developments in data protection law.

Data protection

Cyber security

ICO enforcement

Data protection

Google appeals €50 million fine under GDPR

Last month, Google was fined €50 million by the French data protection authority, the CNIL, for violations of the General Data Protection Regulation ("GDPR"). The fine is the biggest yet for non-compliance with the GDPR and was awarded to Google for breaches of the US tech giant's obligations of transparency and for failing to have a legal basis for processing related to personalised advertising (for further information see our January update here).

Google has since confirmed its intention to appeal this fine. A Google spokesperson has announced: "We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straight forward as possible, based on regulatory guidance and user experience testing. We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons we've now decided to appeal."

Google had updated the company's transparency and privacy settings when the GDPR came into effect in May 2018. It remains to be seen whether these efforts will be enough to warrant a successful appeal. The fine by the CNIL, and Google's subsequent appeal, is a significant test case of how regulators' powers to impose large fines under the GDPR will be interpreted and enforced.

Complaints against tech companies filed with Austrian regulator

None of your business ("NOYB"), an Austrian-based not-for-profit organisation headed up by privacy activist Max Schrems who brought the case that invalidated Safe Harbour in 2015, has filed complaints against eight tech companies for violations of the GDPR. It is large tech companies that have yet again become the subject of criticism for potential shortcomings with regard to GDPR-compliance. Apple, Amazon, Netflix, Spotify and YouTube are among the tech firms named in the complaint filed with the Austrian Data Protection Authority.

The complaint comes after NOYB tested the tech companies' compliance with the GDPR by requesting personal data the companies hold about the user. NOYB claim that: "no service fully complied". The GDPR grants users a right of access to any personal data held by companies as well as other supplementary information including how that data is used and where it is sent. Social media platforms must obtain user consent each time user data is utilised in new ways, including for targeted advertising. A request for information can assist users in determining whether their personal data is being dealt with lawfully.

In response, Amazon has stated that a new "Privacy Help" page enables users to manage their data across Amazon's service offerings. In a statement, Amazon noted that: "Protecting the privacy of our customers is always a top priority and has been built into our services for years…We comply with any request from a data subject to provide access to the personal data that Amazon is processing."

Spotify also defended its approach to data privacy commenting that: "We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant."

NOYB chairman Max Schrems has been a staunch critic of tech companies' attitude to data privacy. On this complaint he remarked: "Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to. This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

The Austrian Data Protection Authority will now review the complaints and determine whether any enforcement action is necessary.

Germany's competition regulator orders Facebook to restrict collection of user data

Germany’s Federal Cartel Office ("FCO"), the competition regulator, has held that the scope of Facebook's collection, combination and use of user data amounts to an abuse of a dominant position and has imposed restrictions on how the tech conglomerate collects and merges data about its users.

The regulator ruled that Facebook's platforms, including WhatsApp and Instagram, can continue to collect data, but such data cannot be merged with that on a user's Facebook account unless the member gives specific, informed consent. In addition, collecting data from third-party sites and transferring this to a Facebook user's account is only permitted if that user has granted their consent.

The method which Facebook obtains consent from its users has also come under fire. Andreas Mundt, President of the FCO, highlighted: "As a dominant company Facebook is subject to special obligations under competition law. In the operation of its business model the company must take into account that Facebook users practically cannot switch to other social networks. In view of Facebook's superior market power, an obligatory tick on the box to agree to the company's terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.”

The FCO concluded that Facebook's practices and terms of service are in breach of the GDPR and amount to "exploitative abuse" under EU competition law. Competition law prevents companies with a dominant position using exploitative practices to the detriment of consumers. Due to the cross-over between competition and data protection laws on this issue, there has been collaboration between the FCO and EU data protection authorities. Mundt further noted that the collection of user data is an "essential factor for establishing the company's dominant position" and enables Facebook "to build a unique database for each individual user and thus to gain market power". It is therefore imperative that Facebook complies with data protection legislation to avoid facing repercussions under this framework, but also to prevent any breach of EU competition law.

In retaliation, Facebook claims that the FCO's ruling "misinterprets our compliance with the GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU." The tech giant contends that the GDPR empowers data protection regulators, rather than competition authorities, to determine whether companies are meeting their obligations.

Facebook has one month to appeal the FCO's decision. If the FCO order is upheld, Facebook must develop and implement measures to ensure compliance within the next four months. If it does not, the company could be fined up to 10% of its annual turnover for breach of competition law and, in addition, potentially up to 4% of its annual turnover for breach of the GDPR.

EDPB publishes guidance on data transfers in the event of a no-deal Brexit

As the possibility of a no-deal Brexit edges closer, the European Data Protection Board ("EDPB") has published guidance on data transfers under the GDPR in the event that the UK leaves the EU without securing a deal and the steps that organisations should take in order to ensure compliance with data protection legislation.

The EDPB information note on Data Transfers under the GDPR in the Event of a No-Deal Brexit emphasises that when organisations are transferring data to the UK, the following five steps should be undertaken:

  1. Identify what processing activities will imply a personal data transfer from the EEA to the UK.
  2. Determine the appropriate data transfer instrument for your situation (e.g. standard contractual clauses, binding corporate rules ("BCRs"), derogations).
  3. Implement the chosen data transfer instrument to be ready for 30 March 2019.
  4. Indicate in your internal documentation that transfers will be made to the UK.
  5. Update your privacy notice accordingly to inform individuals.

On exit from the EU, the UK will become a "third country", meaning that, in the absence of a deal, the UK's level of personal data protection would need to be declared adequate by the European Commission in order for the free flow of personal data from EEA countries to the UK to continue. In the absence of any adequacy decision, the EDPB highlights that transfers of personal data to the UK must be based on one of the data transfer instruments under the GDPR. The guidance additionally refers to the UK government's approach to data transfers from the UK to the EEA, which is to recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data so that personal data can continue to flow freely from the UK to these destinations post-Brexit.

The EDPB has additionally published an information note on BCRs for companies which have ICO as BCR lead supervisory authority. This calls for companies that have the UK Information Commissioner's Office ("ICO") as Lead Supervisory Authority to identify a new Lead Supervisory Authority in an EU member state.

ICO publishes myth busting advice on data transfers post-Brexit

Elizabeth Denham, the Information Commissioner, has written a blog post directed at UK small and medium sized businesses that aims to clarify the position on data transfers to and from the EEA post-Brexit.

The blog post mirrors the guidance outlined by the EDPB above and advises UK businesses to consider whether they will need to implement alternative mechanisms in the event of a no-deal Brexit to ensure that they can continue to receive personal data from organisations based in EEA countries.

Housing developer fined after failure to respond to data subject access request

Housing developer Magnacrest Ltd faces criminal prosecution for its failure to respond to a subject access request ("SAR"). The housing developer was fined by Westminster Magistrates for its breach of data protection legislation.

An individual had submitted a SAR on 17 April 2017. A SAR empowers an individual to request all personal data an organisation holds about them. Organisations are subject to a timescale of 40 calendar days within which they must respond to the individual. When Magnacrest failed to respond, the individual lodged a complaint with the ICO. The ICO served an enforcement notice on the housing developer compelling it to provide the information requested.

When Magnacrest failed to comply, the ICO brought criminal proceedings against the company under s47(1) of the Data Protection Act 1998 ("DPA 98"). Magnacrest pleaded guilty to the charges against it and was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

Mike Shaw, the ICO's Criminal Enforcement Manager, commented: "Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include criminal prosecution."

Information notice appealed under new Data Protection Act for the first time

The ICO had issued an information notice to Doorstep Dispensaree Ltd on 25 October 2018 requiring the company to provide certain information in connection with the ICO's investigation into the company's GDPR-compliance. The investigation was prompted by a report received by the ICO from the Medicines and Healthcare Products Regulatory Agency in July 2018 regarding Doorstep's processing of personal data.

Doorstep challenged the information notice on the basis that it was void due to a breach of s143(6) of the Data Protection Act 2018 ("DPA 18") which states that an information notice cannot require a person to provide the ICO with information if doing so would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence. In the alternative, if the information notice was not declared to be void, the First-tier Tribunal should amend the information notice to remove certain questions which could lead to self-incrimination.

The Tribunal held that Doorstep had provided very little information to the ICO and the Tribunal about "the scope of the criminal investigation and thus the scope for self-incrimination". The Tribunal concluded that Doorstep's appeal should be dismissed since the information requested in the information notice was reasonably required for the ICO's investigation and there was clearly "an issue as to GDPR compliance which warrants further investigation."

It is pertinent that a key reason for dismissing the appellant's case was due to the lack of content contained in Doorstep's response to the information notice. Such material may be key in determining whether information can be withheld due to risk of self-incrimination.

See judgement here.

ICO and Insolvency Service cooperate in recent action against company director

Keith Hancock was the sole director of Lad Media Limited. The company came under scrutiny from the ICO when more than 100 people complained of receiving unsolicited text messages from the company. Between 6 January 2016 and 11 February 2016 more than 393,000 SMS messages were sent by Lad Media to individuals, including those who had specifically opted out of receiving marketing calls or texts. The ICO issued the company with a £20,000 fine for breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").

However, Lad Media failed to pay this debt and was shut down after a winding-up order was issued in April 2018 on the petition of the ICO. Following recommendations from the ICO, further investigations were undertaken by the Insolvency Service into Hancock's actions and his role in the breaches of PECR. The Insolvency Service concluded that he had played a key role and Hancock has now been banned for four years from directly or indirectly becoming involved, without the permission of the court, in the promotion or management of a company.

This is an interesting case of regulators pooling information and working together to successfully take enforcement action.

Cyber security

Employees' personal information compromised in Airbus data breach

Airbus has been hit by a cyber security breach on its "Commercial Aircraft business" information systems. Whilst there was no impact on the aerospace group's commercial operations, the incident resulted in unauthorised access to personal data, said by Airbus to comprise "mostly professional contact and IT identification details of some Airbus employees in Europe". In a statement, Airbus noted that it was "in contact with the relevant regulatory authorities pursuant to GDPR".

Mumsnet hit by data breach

Mumsnet has reported itself to the ICO after a data breach allowed users to inadvertently access the accounts of others. The company is unsure how many accounts were affected by the breach; whilst only fourteen users have reported an issue, 4000 individuals logged in during the three day period in which the bug was active. A software upgrade has been cited as the reason for the breach. Users who were logged into others' accounts were able to see various details, including email addresses, personal messages, account details and posting history, albeit no passwords were compromised. All users have since been informed of the breach by email.

HMRC accused of voice ID data protection breaches

HMRC has been reported to the ICO by the privacy campaign group Big Brother Watch after a Freedom of Information request revealed over seven million taxpayers are now enrolled in the HMRC voice database, prompting warnings that the public are being "railroaded into a mass ID scheme by the back door". Those calling the HMRC helpline have been asked to repeat the words "my voice is my password", a phrase which then acts as a digital signature for security purposes. When the scheme was initially launched, users were given no explicit option to opt out of providing this "voiceprint". Given that the system is likely to be defined as biometric data processing under the GDPR, explicit consent is required from the data subject. The ICO's investigation is ongoing.

ICO enforcement

ICO fine Leave.EU Group and Eldon Insurance Limited a total of £120,000 for unsolicited communications

The ICO has fined an insurance company and EU referendum campaign a total of £120,000 for breaches of electronic marketing laws. The investigation is notable for demonstrating how the ICO handles different data controllers operating within the same corporate group.

Leave.EU and Eldon Insurance were closely related entities, sharing the same corporate address and with a significant overlap of senior figures. The ICO found that there were insufficient systems in place to segregate the personal data which the respective organisations held. The campaign group was able to use the insurance company's customers' details to send nearly 300,000 political marketing messages; Eldon Insurance sent over one million emails to Leave.EU's political subscribers without sufficient consent over the course of two direct marketing campaigns.

The ICO noted that it is "especially important that different data controllers within the same corporate group have clear policies and procedures in place to ensure that marketing activities are appropriately delineated"; this is "especially so where the different controllers have different businesses".

In addition to the enforcement notices, the ICO has issued two assessment notices to inform both Leave.EU and Eldon Insurance that they will be audited to gather further information as to how the entities are processing personal data. The audit findings will eventually be made public.

The ICO's investigation should also be seen in the context of its wider data analytics inquiry.

NWR Limited issued with enforcement notice to stop illegal marketing activity

NWR Limited, a UK supplier of renewable energy products, has been issued with an ICO enforcement notice to stop illegal marketing activity after making over 800,000 calls to numbers registered with the Telephone Protection Service ("TPS"). In the vast majority of cases, the ICO found that an incomplete, false or misleading company name was provided such that the caller could not be identified. The enforcement notice specifies that NWR Limited must, in addition to refraining from making unsolicited marketing calls, include the company name in other communications.

Alistar Green Legal Services Limited fined £80,000 for 213 nuisance calls

Alistar Green Legal Services Limited has been fined £80,000 for making 213 nuisance marketing calls over a four month period in 2017 to TPS-registered numbers. Whilst the ICO noted that no actual damage was caused in this instance, a contravention of Regulation 21 of PECR was nonetheless found.