Data Protection update - July 2019
Welcome to the July 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Intention to fine British Airways £183.39 million for data breach
- ICO announces £100 million fine for Marriott International
- Data transfers to the US
- Morrisons in the Supreme Court
- Boris Johnson's team is accused of breaching data protection laws
- KCL breached the GDPR by sharing a list of activist students with police
- UniCredit Bank hit with Romania's first GDPR fine
- Amazon admits that Alexa recordings are saved indefinitely
- Cookies guidance released
- The Dawson-Damer saga continues
- Victims pay up to ransomware hackers
- 1,000 per cent. spike in cyberincident reports from UK finance industry
- Jack'd dating app in pay out over leaked photos
- Border surveillance subcontractor suspended after cyberattack
- Urgent White Paper call: NHS must take steps to defend against hackers
- Cathay Pacific ordered to overhaul systems following data breach
- European Council approves new EU Cybersecurity Act
- Facebook stung with fine by Italian watchdog
- Complaint against UK over immigration exemption filed with European Commission
- E.On 'error': 498 customers' email addresses accidentally revealed
- Equifax to pay $700 million to settle data breach
- ICO receives hundreds of unnecessary school referrals as leaders struggle with GDPR
- ICO issues enforcement notice on Metropolitan Police (the "Police")
- Enforcement officers make data raids in Liverpool
The ICO has announced its intention to fine British Airways (“BA”) £183.39 million due to an incident in September 2018 which resulted in the personal data of 500,000 people being compromised (for more information on the data breach please refer to our September 2018 update).
The fine against BA is the first fine proposed by the ICO under the GDPR and represents about 1.5 per cent. of BA’s worldwide turnover last year.
The ICO investigation found that “poor security arrangements” at BA contributed to the breach. BA cooperated with the ICO investigation and has since made improvements to its security practices. BA may appeal against the sanction to the ICO before the ICO makes its final decision, which will provide more detail on the areas in which BA has been found to be in breach.
The ICO has announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,996 (amounting to approximately $124 million) due to an incident that affected the personal data of 339 million guests. The exposure of customer information was only discovered two years after the Starwood Hotels group was acquired by Marriott. The ICO found that Marriott failed to undertake appropriate due diligence during the acquisition and should have done more to protect its systems.
Marriott stated in its SEC filing that it intends to contest the proposed fine. The fine came a day after the ICO announced its proposed sanction against BA, making it the second enforcement action under the GDPR to be publicly announced by the ICO.
On 9 July 2019, the Court of Justice of the European Union (“CJEU”) heard oral submissions by the Irish Data Protection Commissioner (“DPC”), Facebook, Max Schrems and the European Commission as part of a case in which the DPC sought to invalidate standard contractual clauses (“SCCs”). The submissions were made on the basis that national security bodies in the US are able to gain access to personal data transferred to the US from the EU under SCCs.
The DPC joins Mr Schrems in his view that US surveillance laws violate fundamental rights to privacy and data protection. However, the DPC alleges that because the data transfer mechanism Facebook uses (SCCs) does not foresee such a situation, the clauses themselves need to be invalidated. This would mean that data transfers to any non-EU country under this instrument would have to be stopped.
Facebook supports continuing to transfer data to the US under mass surveillance laws like FISA. Facebook also relies on the European Commission’s assessment of US law in the so-called “Privacy Shield” decision, which says that US surveillance laws comply with EU requirements.
Schrems argues that Article 4 of SCCs permits the DPC to stop individual data transfers (like Facebook’s). On Facebook’s reliance on the “Privacy Shield”, Mr Schrems argues that the Privacy Shield Decision by the European Commission does not adequately describe US surveillance laws, is not capable of providing adequate privacy protections, and must therefore be invalidated.
The European Commission is expected to put forward the view that there is no violation of fundamental rights in the US, but also acknowledge that the DPC has the power to solve the issue itself if the CJEU sees such a violation.
The decisions of the CJEU may be subject to appeal.
Facebook has also been involved in another appeal (Facebook Ireland Ltd & Facebook Inc v Information Commissioner) in which the ICO sought to strike out the procedural grounds of challenge advanced by Facebook against a monetary penalty notice (“MPN”) issued by the ICO.
Facebook’s challenges included bias, pre-determination, procedural irregularity and assertions of non-disclosure. Judge McKenna refused the ICO’s application and held that “in the particular circumstances of this case it would be fair and just for the Appellant’s Grounds of Appeal relating to procedural unfairness to be considered by the Tribunal.” In giving her decision, Judge McKenna referred to the penal sanction of an MPN, the substantial penalty imposed (£500,000) and the “most serious” allegations of procedural impropriety.
6-7 November 2019 has been set as the date for the Supreme Court hearing of Various Claimants v Morrisons Supermarkets Plc. This follows the Supreme Court's decision to give Morrisons permission to appeal against the judgment of the Court of Appeal that found that Morrisons was vicariously liable for a data breach committed by an ex-employee (more information about the Court of Appeal judgment can be found in our October 2018 update).
The ICO has been asked to consider whether Boris Johnson’s campaign to become party leader has breached data protection laws. Harriet Baldwin, a Foreign Office minister, and Ben Howlett, a former MP for Bath, have also asked the Conservative party chair, Brandon Lewis, to investigate after receiving allegedly unsolicited requests for support from the BackBoris campaign. Both suspect that Johnson’s campaign relied upon old email lists or phone numbers from previous campaigns to ask for support, a potential breach of the GDPR.
Johnson’s team dismissed the claims as an attempt by Jeremy Hunt’s campaign to deflect negative stories about Hunt and his team.
An ICO spokesperson said: “We are aware of these concerns and will be assessing the information provided.”
Several students at King’s College London (“KCL”) and one member of staff were barred from campus in March 2019 during the opening of a new site by the Queen. This followed a protest at an Israel Society event, where the protestors were identified by the head of security. Due to concerns about disruption ahead of the royal visit, the head of security provided details of the student protestors to the Metropolitan Police, including the fact that the students were part of the KCL Student Union Intersectional Feminist Society.
An independent report concluded that the creation and limited internal circulation of the list of protestors was not in breach of the GDPR; however, the disclosure of information about the protestors’ membership of certain societies was found to be a breach of Article 9 of the GDPR which protects ‘special category data’. The report also found that by sharing this information with the police, KCL had breached the GDPR as well as its own data protection policy.
KCL have since reported these data breaches to the ICO.
The Romanian National Supervisory Authority has issued its first fine under the GDPR against UniCredit Bank for €130,000. The fine comes after an investigation that found that the bank failed to implement appropriate technical and organisational measures in compliance with GDPR requirements and to protect the rights of the data subject.
Documents were made available online to payment recipients, revealing the personal identification numbers and addresses of over 337,000 payers in breach of Article 25 of the GDPR.
Amazon has admitted that it retains the voice recordings and transcripts of customer interactions with its Alexa voice assistant indefinitely. This revelation raises questions about how long companies should be allowed to store highly-personal data collected from voice assistant devices, and possible contraventions of the GDPR which demands that data retention should be for “no longer than is necessary for the purposes for which the personal data are processed”.
Amazon has stated that its consumers have the option to delete their recordings; however, even if they do, Amazon or third-party developers may still save records of the customers' interactions with Alexa.
The company has justified its data retention practices by claiming that it is necessary to “provide the Alexa service and improve the customer experience”. Amazon has also insisted that when a customer deletes a voice recording, it also deletes the associated transcripts of both the customer's request and Alexa's response from Alexa’s primary storage systems, but conceded that such transcripts are not necessarily deleted from any of Alexa’s other storage systems.
This latest admission comes in the wake of the revelations that private requests made of the Alexa devices are listened to by Amazon employees (for more information please refer to our April update).
The most significant changes in the ICO's new cookie guidance involve the imposition of higher standards under the GDPR for cookie usage, in particular regarding what constitutes valid consent and transparency.
The key takeaways from the new guidance include:
- consent obtained for the purpose of setting cookies must be 'consent' as defined by the GDPR. In practice this means:
  - a clear positive action – continuing to browse the website is not valid;
  - granularity – the ability to consent to cookies used for some purposes, but not others; and
  - there must be no pre-ticked boxes or options set to ‘on’ – the default option for non-essential cookies must be ‘off’;
- companies setting third party cookies (commonly used for targeted advertising and tracking purposes) must be specifically named;
- if consent is required to set the cookie under PECR, then consent should also be the lawful basis under Article 6 of the GDPR for the collection of any personal data by the cookie. For example, obtaining a cookie consent but citing ‘legitimate interests’ as the GDPR basis will in most cases not be possible;
- the obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language”). Many cookie notices and policies will need to be adapted to comply with this standard;
- after a period of time website operators should re-consent their users (although it is unclear what a reasonable period of time would look like in practice); and
- consent is required for the use of analytics cookies, but the ICO has admitted that the risk relating to these is low and they will not be a priority for enforcement.
The ICO recommends that companies conduct a cookie audit in order to identify the range of cookies that the company is using and the purposes for which those same cookies are used.
The French regulator, CNIL, has also issued new cookies guidance. Much of the guidance mirrors that given by the ICO, such as the requirements for valid consent and the obligation to identify cookies and provide information about the purposes for which cookies are used.
Interestingly, CNIL appears to suggest that the use of analytics cookies may be permitted without opt-in consent provided that a number of requirements are met, such as:
- the cookies must be implemented by the publisher of the site or by its subcontractor;
- the data subject must be informed prior to the implementation of the cookies;
- the analytics cookies must not have a lifespan exceeding 13 months; and
- the use of such cookies must be strictly confined to the production of anonymous statistics.
This is a departure from the ICO’s guidance which stated that opt-in consent was required.
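As an added worked example (not code from the bulletin, the ICO or CNIL), the following Python script performs the kind of cookie audit the ICO recommends, checking Set-Cookie headers captured on a first page load against the ICO takeaways above and CNIL's 13-month analytics condition. The site, hosts, cookie names and the operator-maintained cookie register are all constructed assumptions.

```python
"""Cookie audit helper: an added example, not code from the ICO, CNIL or this bulletin.

Flags cookies in Set-Cookie headers captured on a first page load (no consent given)
that conflict with the points above. The name -> purpose cookie register is a
hypothetical artefact the site operator keeps from its own audit."""
import calendar
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

ESSENTIAL = "essential"      # strictly necessary under PECR: no consent needed
ANALYTICS = "analytics"      # CNIL: consent-free only under its conditions
ADVERTISING = "advertising"  # always needs GDPR-standard consent


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-accurate 'N months later'; CNIL states its limit in months."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    return when.replace(year=year, month=month,
                        day=min(when.day, calendar.monthrange(year, month)[1]))


def parse_set_cookie(header: str, observed_at: datetime) -> Tuple[str, Optional[timedelta]]:
    """Return (name, lifetime) from one Set-Cookie header; lifetime is None for a
    session cookie. Max-Age takes precedence over Expires, as in RFC 6265."""
    first, *attr_parts = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - observed_at
    return first.partition("=")[0].strip(), lifetime


def is_third_party(host: str, site: str) -> bool:
    """A cookie set by a host outside the site's own domain is third-party."""
    return not (host == site or host.endswith("." + site))


def audit(headers: List[Tuple[str, str]], site: str, register: Dict[str, str],
          observed_at: datetime, consent_given: bool = False) -> Dict[str, List[str]]:
    """Return findings per cookie name; cookies with no findings are omitted."""
    limit = add_months(observed_at, 13) - observed_at
    findings: Dict[str, List[str]] = {}
    for host, header in headers:
        name, lifetime = parse_set_cookie(header, observed_at)
        issues = findings.setdefault(name, [])
        purpose = register.get(name)
        if purpose is None:
            issues.append("not in cookie register: audit gap, purpose unknown")
        elif purpose != ESSENTIAL and not consent_given:
            issues.append(f"{purpose} cookie set before consent; default must be 'off'")
        if purpose == ANALYTICS and lifetime is not None and lifetime > limit:
            issues.append(f"analytics lifespan of {lifetime.days} days exceeds 13 months")
        if is_third_party(host, site):
            issues.append(f"third-party cookie from {host}: provider must be named")
    return {name: issues for name, issues in findings.items() if issues}


# Constructed sample: headers from a first load of a hypothetical site, before the
# visitor has touched any consent banner. Hosts and cookie names are made up.
SITE = "example.com"
OBSERVED_AT = datetime(2019, 7, 1, tzinfo=timezone.utc)
COOKIE_REGISTER = {"sessionid": ESSENTIAL, "_site_stats": ANALYTICS, "_adtrk": ADVERTISING}
SAMPLE_HEADERS = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "_site_stats=u1; Max-Age=63072000; Path=/"),  # two years
    ("ads.tracker-example.net",
     "_adtrk=xyz; Expires=Wed, 01 Jul 2020 00:00:00 GMT; Domain=tracker-example.net"),
    ("www.example.com", "legacy_pref=1; Max-Age=86400"),  # never registered
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_HEADERS, SITE, COOKIE_REGISTER, OBSERVED_AT)


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(name, *("  - " + issue for issue in issues), sep="\n")
```

Running it on the constructed headers reports the analytics cookie twice (set before consent and a two-year lifespan), the advertising cookie twice (set before consent and served by a third-party host) and the unregistered cookie once, while the essential session cookie produces no finding.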
In response to a number of complaints related to online marketing, as well as a desire on the part of professionals to better understand their obligations under the GDPR, CNIL has also decided to make targeted online advertising a priority topic for 2019. This announcement follows on from the ICO’s condemnation of the adtech industry (for more information please refer to our June update).
The release of the updated cookie guidance was the first part of CNIL’s action plan in this area. Stakeholders will have a transitional period of 12 months during which they must comply with the new guidance. Consultations will also be held to discuss practical arrangements for collecting consent. The results of these consultations should be published at the end of 2019.
The High Court handed down the third decision from an English court in the ongoing dispute between law firm Taylor Wessing LLP and the beneficiaries of a Bahamian trust (of which Taylor Wessing was the trustee).
In February 2017, the Court of Appeal handed down a decision of significance for both trust and data protection professionals on the use of subject access requests, using the procedure under section 7 of the UK Data Protection Act 1998 (“DPA 1998”).
There are ongoing proceedings for breach of trust in the Bahamas, brought by the Dawson-Damers against Taylor Wessing. At first instance, HHJ Behrens QC held that Taylor Wessing was entitled to rely on the legal professional privilege (“LPP”) exemption to refuse to provide any information protected from disclosure in the Bahamas, and that a search of Taylor Wessing’s files to establish whether any non-LPP protected material existed was disproportionate. The judge exercised the judicial discretion under the DPA 1998 in Taylor Wessing’s favour. The Court of Appeal reversed this decision and ordered Taylor Wessing to review their files and release the personal data of the claimant-beneficiaries.
High Court judgment
The case was remitted to the High Court and thus the Court of Appeal decision is unlikely to be reversed or reopened. However, the High Court judgment frequently quotes Arden LJ’s ratio that the DPA 1998 did not contain an exception for documents which would not be disclosable to a beneficiary under trust law principles. Taylor Wessing told the court they had reviewed their electronic files but would not review their paper files on the grounds that these did not constitute a “relevant filing system” under the DPA 1998. The High Court rejected that argument and found that:
- Taylor Wessing’s 35 paper files should be searched and personal data disclosed to the claimants;
- under English law, beneficiaries enjoy joint privilege with trustees in respect of advice taken by the trustees for the benefit of the trust; and
- the searches carried out by Taylor Wessing were insufficient to discharge their duties under the data protection legislation.
A town in Florida became the second to pay ransom money to hackers. Lake City officials voted to pay the sum in Bitcoin after suffering a two-week outage of its computer systems; workers found themselves locked out of their accounts and the public were unable to make online municipal payments. This damage was suffered despite Lake City IT staff disconnecting staff computers within minutes of the attack beginning.
The BBC reported that Lake City paid $500,000, or 42 Bitcoin, after negotiating with the hackers. Lake City Mayor, Stephen Witt, confirmed that most of the payment would be covered by insurance, but $10,000 would be contributed by taxpayers.
This story follows the recent payment of $600,000 to ransomware hackers by another Florida municipality in June, bringing the total paid by Florida towns to $1.1 million in less than two months.
Closer to home, the BBC has reported that the UK’s biggest provider of forensic services also paid a ransom to cybercriminals who disrupted its IT services. Eurofins Scientific described the attack as “highly sophisticated” but did not disclose the amount of the ransom paid. The National Crime Agency (“NCA”) declined to comment on the ransom payment, saying it was a “matter for the victim”. The attack is understood to have caused delay to some court hearings where the results of forensic testing were due to be heard.
In response to a freedom of information request (“FOI”) the Financial Conduct Authority (“FCA”) has revealed that the number of declared cyberincidents rose from 69 in 2017 to 819 in 2018. This represents an increase of 1,000 per cent. Nearly 60 per cent. of the reports were submitted by consumer banks.
The BBC speculates that the spike is likely linked to the introduction of the GDPR throughout the EU; the regulation places an obligation on all organisations to report such attacks, which was not previously the case. However, the consulting firm RSM (which made the FOI request) said the figures also reflected a genuine increase in such attacks on the finance industry.
The New York Attorney General has reached a settlement with the parent company of dating app Jack’d, whose cybersecurity negligence resulted in the exposure of private photographs of users.
According to the press release, the app promised its users privacy despite knowing that the pictures were vulnerable to exposure. Online Buddies, who own Jack’d, are required to pay $240,000 and make substantial cybersecurity improvements.
Attorney General James said of the incident that Online Buddies “didn’t do anything about it for a full year just so that they could continue to make a profit”. She further added:
“This was an invasion of privacy for thousands of New Yorkers. Today, millions of people across the country — of every gender, race, religion, and sexuality — meet and date online every day, and my office will use every tool at our disposal to protect their privacy.”
A spokesperson for Online Buddies issued an apology to technology news outlet Gizmodo, but the company has yet to explain why it did not take immediate action when the issue was first reported.
Last month we reported on the US Customs and Border Protection (“CBP”) announcement that a data breach had compromised photographs of travellers and licence plate numbers. As the story developed, it was revealed that the data was in the custody of a third-party contractor when it was accessed.
It has now been revealed that the third-party contractor Perceptics, which was not actually authorised to store the sensitive data, has been suspended by the CBP. As the Washington Post reports, suspensions of government contracts such as these are rare, and will undoubtedly deal a heavy blow to Perceptics’ reputation. Perceptics stated that it has an “unblemished record” and will stay “committed to working collaboratively with CBP to address any and all concerns.” Its swift dismissal perhaps signals a less forgiving attitude from service users, in particular those who deal with sensitive data, when faced with a serious cybersecurity breach.
A new White Paper, presented by researchers from Imperial College London, has highlighted the stark vulnerability of the NHS to potential attacks from cybercriminals. The press release emphasises the risks faced by NHS trusts if they are hit by a cyberattack: it can prevent life-saving treatments being carried out, put health at risk by interfering with machinery or equipment, and even lead to stolen patient data being leaked on the dark web. Many of the systems and data relied on by NHS staff, such as blood test results, x-ray machines, ventilators and patients’ medical histories, are vulnerable to such attacks.
The report cites a combination of out-of-date systems, a lack of investment in technology and insufficient training in IT and cybersecurity as the main factors placing NHS hospitals at risk.
Hong Kong’s privacy watchdog, the Office of the Privacy Commissioner for Personal Data (“PCPD”), has criticised airline Cathay Pacific ("Cathay") for failing to follow data protection principles. Cathay announced an attack in October 2018 during which the personal data of around 9.4 million passengers was accessed unlawfully.
Although the airline became aware of suspicious activity on its network as early as March 2018, and conducted investigations in May, the breach was not announced until October. Cathay reported that the breach had compromised 860,000 passport numbers and 245,000 Hong Kong identity card numbers.
The PCPD has now publicly criticised Cathay, condemning its “lax attitude towards data governance” that “fell short” of the standards expected by both customers and the PCPD. The report has ordered Cathay to overhaul its systems and appoint an independent data security expert.
Cathay may also be subject to a fine by the ICO arising out of this breach, following on from its recent enforcement action against BA and Marriott (see above).
The EU agency for cybersecurity (“ENISA”) will be given more teeth with the introduction of the EU Cybersecurity Act (the “Act”).
The Act will introduce the European cybersecurity certification framework for ICT products, services, systems and processes, which ENISA will have a pivotal role in establishing and maintaining. This is designed to encourage greater consistency, communication and cooperation between EU member states.
Italy’s data protection watchdog has fined Facebook €1 million for violating local privacy law during the Cambridge Analytica scandal. The Italian regulator found that Facebook indirectly accessed data from over 200,000 Italian citizens without their consent. It was through the contacts and friends lists of those people that data was unlawfully accessed, meaning many were completely unaware of Facebook’s action until the scandal broke.
The ICO fined Facebook half this amount, the maximum fine available under the DPA 1998, which was in force at the time of the breach (a decision which is being appealed).
This follows on from the $5 billion fine that Facebook will pay to the Federal Trade Commission (“FTC”) to settle privacy concerns (for more information, please refer to our May update).
A complaint has been formally lodged with the European Commission regarding the breadth of the immigration control exemption within the DPA 2018. The complaint was brought by the Platform for International Cooperation on Undocumented Migrants (“PICUM”) and has been joined by other migrant and digital rights organisations. Privacy International announced on 10 July 2019 that it has also joined the complaint.
The DPA 2018 includes a section that allows “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control” to take priority over the EU’s data protection rules. This is known as the immigration exemption. The complaint challenges the exemption on the basis that it is far too broad and thus open to abuse. PICUM and others argue it should be removed completely, as other less wide-ranging provisions in the DPA 2018 would be sufficient.
The complainants argue that the GDPR was designed to protect and strengthen the rights of individuals, and that the immigration exemption is in direct conflict with these core principles meaning that the UK is not currently compliant with the GDPR.
Energy supplier E.On has apologised for sending automatic messages that revealed the personal information of hundreds of customers.
In what they described as an “error”, an automatic email response sent to customers requesting a meter reading included the email addresses of all 498 recipients. Despite E.On’s apology, some customers used the company’s online support forums to suggest that they will refer the matter to the ICO.
Credit score agency Equifax has agreed to pay up to $700 million (£561 million) as part of a settlement with the FTC following a data breach in 2017. This represents the FTC’s largest data-breach settlement to date. The FTC alleges that Equifax failed to take reasonable steps to secure its network and, as a result, the records of at least 147 million people were disclosed, including names, dates of birth, social security numbers and payment card numbers.
At least $300 million will go towards paying for identity theft services and other related expenses run up by the victims. The rest of the money will be divided between 50 US states and territories and a penalty paid to the Consumer Financial Protection Bureau.
The ICO has already issued the company with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during the same attack.
There may be a fundamental misunderstanding about what the GDPR means for schools, after the ICO received hundreds of unnecessary referrals since the inception of the regulation.
In response to an FOI request by Schools Week, the ICO revealed that it had handled over 1,385 school cases since 25 May 2018; however, only 15 per cent. of these cases resulted in action being taken.
Schools hold the personal data of vast quantities of individuals, but the ICO’s revelations suggest they are still struggling to interpret their obligations. Around half of the cases were self-referrals, with 80 per cent. of self-referrals resulting in the ICO taking no action. This suggests more training from within institutions is required, and perhaps further clarification from the ICO.
The ICO has served enforcement notices under the DPA 1998 and the DPA 2018 for sustained failures by the Police to comply with individuals' rights in respect of subject access requests, in particular repeated failures to respond to such requests within the statutory time frame. If the Police continue to fail to comply with the enforcement notices, they may be subject to a fine of up to €20 million.
The ICO has carried out searches of two Liverpool addresses as part of an investigation into the suspected illegal acquisition and sale of personal data. After six months of working in partnership with the Insurance Fraud Bureau the two teams executed search warrants at both a business and a residential address; it is suggested that the illegal activity has been ongoing since November 2017.
Mike Shaw, ICO Group Manager, said:
“Today’s searches will fire a warning shot to businesses who operate outside the law by engaging in data farming. The evidence seized will help us identify any illegal business activities and assist us to take enforcement action.”
The business in question is suspected of carrying out high volumes of data farming activity, known as “blagging” or “vishing”, and of harvesting the personal data of motor accident victims to sell to law firms specialising in personal injury claims.