Data Protection update - February 2020
Welcome to our data protection bulletin, covering the key developments in data protection law from February 2020.
- Croatian Presidency publishes e-Privacy proposal
- Brexit and UK adequacy
- EDPB publishes draft guidelines on connected vehicles
- High Court upholds claim of breach of confidence in respect of personal data accessed and retained by employee
- Hong Kong privacy legislation overhaul
- Austrian privacy activist behind Schrems cases files Amazon complaint
- FCA, ICO and FSCS issue warning to insolvency practitioners
- Irish Data Protection Commissioner halts Facebook Dating feature
- Potential fine for Labour Party for failing to protect party members' data
- US urges UK to reconsider Huawei decision
- H&M data leak in Germany
- Redcar and Cleveland Borough Council cyber-attack
- Britain's financial watchdog flags data breach
- ICO issues maximum PECR fine to CRDNN Limited for automated marketing calls
- Facebook's German unit fined for failing to appoint a data protection officer
Croatian Presidency publishes e-Privacy proposal
The Croatian Presidency of the Council of the European Union has released a draft proposal for the ePrivacy Regulation, the seventh presidency to attempt to find consensus between Member States on a text first proposed in January 2017. The headline point emerging from the draft is the treatment of legitimate interests, which under the proposal could be relied upon as a legal basis to process communications metadata. Whilst the presidency has insisted that the proposal is “in line” with the GDPR, doubts have been expressed as to whether this is in fact the case, given the apparent lowering of protection for the processing of metadata. A tension between the proposal and EDPB advice has also been highlighted, in light of the EDPB’s statement in May 2018 that “there should be no possibility under the ePrivacy Regulation to process electronic communications content and metadata based on open-ended grounds, such as ‘legitimate interests’, that go beyond what is necessary for the provision of an electronic communications service”. It remains to be seen whether the Croatian Presidency will succeed where its predecessors failed in establishing consensus on the proposal.
Brexit and UK adequacy
The European Parliament’s mandate for Brexit negotiations points, as expected, to the UK’s national security surveillance and data retention regime as key factors that may weigh against an adequacy decision for the UK. More interesting, though, is that it identifies as a further complicating factor the immigration exemption from certain data subject rights. This exemption allows rights, such as subject access, to be set aside where necessary in order to maintain “effective immigration control”. In practice, it often prevents individuals from obtaining information that may be helpful to them in appeals against immigration decisions affecting them. The exemption has been the subject of an unsuccessful judicial review challenge in the UK. The negotiation guidelines can be read in full here.
EDPB publishes draft guidelines on connected vehicles
The European Data Protection Board (“EDPB”) has published draft guidelines (the “Guidelines”) on the processing of personal data in the context of connected vehicles and mobility-related mobile applications. The Guidelines highlight three categories of personal data to which special attention should be paid in this area: (1) geolocation data (which should not be collected except where “absolutely necessary” for the processing purpose); (2) biometric data (for example voice control, fingerprints and facial recognition, the use of which should not be mandatory); and (3) data revealing traffic offences (for example where the car knows both the speed limit and its own speed, so that the data instantaneously reveals a speeding offence, in respect of which appropriate safeguards should be put in place).
The Guidelines confirm that the GDPR and, to a certain extent, the ePrivacy Directive apply to this subject area. As to the legal basis for storing and accessing, and subsequently processing, personal data on the vehicle, the EDPB has indicated that consent “will likely constitute the legal basis” for doing so. A number of recommendations aimed at industry participants for mitigating data protection risks are also detailed in the Guidelines, including those relating to security and confidentiality, DPIAs, anonymisation and pseudonymisation, data subject rights and the location in which personal data is processed.
Submissions on the draft Guidelines can be made until 20 March 2020.
High Court upholds claim of breach of confidence in respect of personal data accessed and retained by employee
The High Court has upheld a number of claims against a “middle man” in the buying and selling of personal data that had been unlawfully accessed by an Aviva employee. The employee, Miss Carruthers, accessed from her employer’s computer systems the personal data of individuals who had been in accidents and sold this information to Mr Oliver. He then sold the data on to claims management companies (“CMCs”). A remediation effort was launched by Aviva after it received customer complaints about unsolicited contact from the CMCs, costing the company around £108,000. The High Court upheld claims in respect of (1) breach of confidence (Mr Oliver knew that he had obtained the information, which was clearly confidential, unlawfully); (2) breach of contract (Miss Carruthers’ actions were in breach of the confidentiality provisions in her employment contract, and liability was established given that Mr Oliver knew the information had been obtained unlawfully); and (3) Aviva’s allegation of an unlawful means conspiracy, whereby Mr Oliver and Miss Carruthers acted in concert to harm Aviva using unlawful means. Of particular note is the High Court’s decision to award Aviva damages in the amount of its remediation costs. This suggests that, in a situation like the ongoing Morrisons case (see our previous updates on the case here and here) where an employee deals unlawfully with customer data and the employer has to remediate the situation, the employer may be able to recover its costs. Whilst in the Morrisons case the court simply suggested relying on insurance, this decision could provide the basis for an alternative route in the absence of any such insurance.
Hong Kong privacy legislation overhaul
The Constitutional and Mainland Affairs Bureau and the Privacy Commissioner for Personal Data in Hong Kong have released a discussion paper on proposed changes to the Personal Data (Privacy) Ordinance (“PDPO”). Any future reform will be the first since 2013, when direct marketing controls were introduced. Key proposed amendments include:
- Introduction of a data breach notification mechanism.
The discussion paper suggests that data subjects are notified of a breach “within a specified timeframe (e.g. as soon as practicable and, under all circumstances, in not more than five business days)” and that a threshold is imposed on any notification mechanism, whereby only those breaches which have “a real risk of significant harm” are to be reported.
- Increased levels of fines.
Currently, only criminal sanctions (i.e. fines and/or imprisonment) are available under the PDPO. The discussion paper notes that data protection authorities in other jurisdictions are empowered to impose administrative fines directly, and references the maximum fines available under the GDPR (i.e. EUR 20m or 4% of the company’s annual global turnover, whichever is higher), suggesting that Hong Kong should also explore the feasibility of introducing an administrative fine linked to annual turnover.
- Amendment to the definition of personal data.
In view of the wide and increasing use of tracking and data analytics technology, the proposal is to widen the definition of “personal data” under the PDPO, which currently covers only information relating to an “identified” person, so that it also covers information relating to an “identifiable” natural person.
- Regulation of data processors.
Again echoing the application of the GDPR, the proposal here is to subject processors (and sub-contractors) to direct regulation, making them directly accountable for data breach notification and data security.
A copy of the full discussion paper can be found here.
Austrian privacy activist behind Schrems cases files Amazon complaint
Noyb - European Center for Digital Rights, the not-for-profit organisation headed by Austrian privacy activist Max Schrems, has filed a complaint with the German data protection authority against Amazon in relation to alleged security flaws. The complaint centres on the tech giant’s email servers, used for communications between sellers and customers on its marketplace, which allegedly fall short of basic industry encryption standards by not supporting transport layer security (TLS) encryption, so that messages would travel between mail servers in plaintext. TLS encryption of email in transit is used by Gmail and iCloud Mail by default. Amazon has, to date, declined to comment on the complaint.
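The complaint turns on a concrete, testable property: whether a receiving mail server advertises STARTTLS, the SMTP extension that upgrades a plaintext connection to TLS. The Python below is an added example written for this bulletin, not code from noyb, Amazon or any regulator; it parses a server's EHLO reply to see whether STARTTLS is offered, and includes a live probe built on the standard library's smtplib that performs the upgrade with certificate verification. The two EHLO transcripts and the hostnames are constructed, and probe_starttls is a hypothetical helper name, not an API of any mail provider.

```python
"""Check whether an SMTP server offers STARTTLS (TLS for mail in transit).

Added example for this bulletin; not code from noyb, Amazon or any regulator.
The EHLO transcripts, hostnames and helper names below are constructed assumptions.
"""
import smtplib
import ssl
from typing import Dict, List

# Constructed EHLO replies (not captured from any real server).
# Per RFC 5321 the first line is the greeting; continuation lines use '250-',
# and the final line uses '250 ' (space).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a multi-line EHLO reply into {EXTENSION: [parameters]}.

    The greeting line is skipped; every other line must start with '250'.
    Keywords are upper-cased because servers vary in case ('StartTLS' is seen).
    """
    extensions: Dict[str, List[str]] = {}
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, *params = body.split()
        extensions[keyword.upper()] = params
    return extensions


def offers_starttls(reply: str) -> bool:
    """True if the server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network access): EHLO, then upgrade to TLS if offered.

    Returns a result dict instead of raising so a caller can scan many hosts.
    The default SSL context verifies the certificate chain against the host name,
    so a self-signed or mismatched certificate is reported as an error rather
    than silently accepted.
    """
    result = {"host": host, "starttls": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):  # parsed from the same EHLO reply
                return result
            result["starttls"] = True
            smtp.starttls(context=ssl.create_default_context())
            result["tls_version"] = smtp.sock.version()  # e.g. 'TLSv1.3'
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, reply in (("advertises STARTTLS", EHLO_WITH_STARTTLS),
                         ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
        print(f"{label}: offers_starttls={offers_starttls(reply)}")
```

Two caveats a practitioner would attach to such a result. First, STARTTLS is opportunistic: a server that advertises it will still accept plaintext from a sending server that never issues STARTTLS, and an on-path attacker can strip the advertisement from the EHLO reply to force a downgrade, so a positive probe shows only that encryption is offered, not that any particular message was encrypted. Second, making TLS mandatory between domains requires a separate mechanism such as MTA-STS (RFC 8461) or DANE for SMTP (RFC 7672), neither of which this check looks at.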
FCA, ICO and FSCS issue warning to insolvency practitioners
A joint statement has been issued by the Information Commissioner’s Office (“ICO”), Financial Conduct Authority (“FCA”) and the Financial Services Compensation Scheme (“FSCS”) reminding FCA-authorised firms and insolvency practitioners of their obligations and responsibilities when dealing with personal data. The statement appears to have been prompted by reports that a number of FCA-authorised firms and insolvency practitioners have sought to unlawfully sell client data to claims management companies (“CMCs”) in circumstances where it is likely that compensation claims will be made to the FSCS, before or after a firm has gone into administration. The statement notes that the provisions within a standard contract are “highly unlikely to constitute sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful”, adding “CMCs that intend to buy and use such personal data must be able to demonstrate how they have considered the fair treatment of customers and how their actions comply with privacy laws”.
Irish Data Protection Commissioner halts Facebook Dating feature
The Irish Data Protection Commissioner (“DPC”) has put the brakes on Facebook’s planned launch of a new in-app “Dating” feature in Europe. The feature was launched in the US last September and is now operating in more than 20 countries, but its European rollout has been indefinitely delayed after the DPC expressed concern that it had not been provided with enough information to evidence compliance with the GDPR. A DPC statement indicated that Facebook only informed the regulator of its intention to launch the feature on 3 February, just ten days before the proposed rollout date. The concern about this eleventh-hour notification was compounded by the fact that no information or documentation was provided to the DPC on 3 February in relation to the data protection impact assessment or the decision-making processes undertaken by Facebook Ireland.
The DPC has separately announced that it has launched investigations into Google and MTCH Technology Services (the company behind Tinder) over complaints about the misuse of personal data. The Google probe relates more specifically to the processing of users’ location data, whilst the Tinder investigation has been commenced to “identify thematic and possible systemic data protection issues”. The DPC now has 23 active investigations into Big Tech firms.
Potential fine for Labour Party for failing to protect party members' data
The ICO has confirmed that it is looking into a report submitted by the Labour Party alleging that Sir Keir Starmer’s leadership campaign team attempted to improperly access a Labour membership database. The allegation centres on two members of the campaign team, who are said to have been involved in “scraping” data held in the Dialogue membership database for purposes beneficial to their campaign. The report has been flatly denied by Sir Keir and his team, who have dismissed the claim as “utter nonsense” and suggested that it is simply an example of political skulduggery in the wake of allegations that Ms Long-Bailey’s campaign team improperly shared a link to the Dialogue database with her supporters.
US urges UK to reconsider Huawei decision
Despite US warnings, last month the UK made the decision to let Huawei, the Chinese technology firm it has deemed a “high risk” vendor, continue to supply equipment for the 5G telecoms network.
US officials have refused to back down and are urging the UK take a “hard look” at the decision. The relationship between the US and Huawei has historically been tainted, with the US recently bringing allegations against Huawei claiming that it has been stealing trade secrets and lying to US federal investigators for a decade.
The US national security adviser, Robert O’Brien, said: “We have evidence that Huawei has the capability to access sensitive and personal information in systems it maintains and sells around the world”. It is claimed that the Chinese company can do this through “back doors” in its equipment that are designed to be used only by law enforcement, i.e. lawful interception interfaces. The concerns are particularly acute given that the US and UK share large volumes of intelligence and security information.
The UK’s argument in response is that the risks can be “contained” in line with advice it received from the intelligence agency, GCHQ. Nonetheless, the US’ concerns are worrying a number of British Conservative party members who are trying to push Boris Johnson towards a compromise with the US; namely that Huawei will be excluded from the 5G network within the next two to three years.
H&M data leak in Germany
Fashion retailer H&M has apologised for “unacceptable” data breaches at its German unit. The allegations involve the unlawful storage and leaking of intimate employee details, such as health conditions, family bereavements and holiday experiences.
A spokeswoman for H&M said “the local team has taken a range of action and is in close dialogue with all colleagues” to ensure no further breaches occur.
The data protection supervisory authority has been notified and an investigation is being undertaken to assess the impact.
Redcar and Cleveland Borough Council cyber-attack
Redcar and Cleveland Borough Council has confirmed that it suffered a ransomware attack, leaving its IT systems out of use for more than two weeks and potentially delaying children in the area finding out which secondary school they will attend in 2020/2021.
In response, council leader, Mary Lanigan, has said: "Our absolute priority since the first day of the attack has been to protect our front-line services, ensuring the safety and well-being of the most vulnerable people in our community, while rebuilding our IT systems so they can return to full functionality.”
The council has joined forces with the National Cyber Security Centre and National Crime Agency to resolve the issue.
Britain's financial watchdog flags data breach
The FCA has flagged a leak of confidential information, including names and contact details, of people who submitted complaints against the regulator in connection with freedom of information requests.
The leaked information was made publicly available on the FCA’s own website. In response the FCA has said that “our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data,” and provided reassurance that no financial or passport details, such as credit card numbers, were made available.
The ICO has been informed.
ICO issues maximum PECR fine to CRDNN Limited for automated marketing calls
The ICO has fined CRDNN Limited £500,000, the maximum monetary penalty that can be issued under the PECR, for making more than 193 million automated marketing calls without the consent of recipients. The ICO investigation, which followed the receipt of more than 3,000 complaints and a raid in March 2018, found that the Clydebank-based company was making around 1.6 million calls per day about debt management, window scrappage, and conservatory, window and boiler sales in the period between 1 June and 1 October 2018. The fact that the calls were made after the ICO raid was an aggravating factor, with the ICO’s Head of Investigations, Andy Curry, noting that “the directors of CRDNN knowingly operated their business with a complete disregard for the law […] That’s why their conduct called for the maximum fine possible under the law”.
CRDNN has also been issued with an enforcement notice, ordering the company to comply with the PECR within 35 days of receipt of the notice.
Facebook's German unit fined for failing to appoint a data protection officer
Facebook’s German unit has been fined 51,000 euros under the GDPR for failing to nominate a data protection officer. The relatively small size of the fine reflects the fact that the penalty was imposed on the German unit rather than on the parent company.
The Hamburg Commission for Data Protection and Freedom of Information noted that the penalty should serve as a “clear warning to all other companies: naming a (DPO) and telling the regulator about it are duties” and that “even smaller violations like these can lead to substantial penalties”. Facebook has accepted the fine.