Data Protection update - June 2019 | Stephenson Harwood

26 June 2019

Welcome to the June 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection

Cyber security

ICO enforcement

Data protection

Employer’s review of employee emails need not infringe an employee’s privacy rights

In the case of Argus Media Ltd v Halim the court held that a reasonable and proportionate review of an employee’s emails by his employer, need not infringe that employee’s privacy rights when such a review exposed that employee’s misconduct.

The employee, Dr Halim, was a business development manager at Argus, a price reporting agency. Dr Halim left Argus to set up a new business that sold pricing reports to a number of Argus’ clients, and Argus alleged that this was in breach of Dr Halim’s post-termination restrictions.

Argus requested access to Dr Halim’s inbox due to suspicions about Dr Halim’s handover work prior to his departure, and found emails sent to Dr Halim’s personal account containing Argus’ confidential information. Argus’ policy in the employee handbook allowed Argus to review its IT systems in order to investigate breaches of contract. Dr Halim responded to the claim by arguing that he was under no obligation to comply with his post-termination restrictions due to Argus breaching his privacy rights.

The court found that Dr Halim’s privacy was not breached; the emails were work related and not private communications, and Argus’ investigation was appropriate and proportionate. The court ordered Dr Halim to pay 90 per cent. of his former employer’s legal costs which amounted to over £500,000.

Administrators are not controllers

In the case of Green v Group Ltd and others the court decided that administrators and liquidators are not controllers, meaning that they need not respond when subject access requests are made to the companies over which they are appointed.

Following the Cambridge Analytica scandal, a number of companies in the Cambridge Analytica group were placed in to compulsory liquidation by administrators, and the same administrators requested that they be appointed as liquidators.

A creditor opposed the appointment of the administrators as liquidators on the basis that the administrators had breached duties arising under data protection laws. The creditor issued a subject access request against two group companies asking for details of his personal data and demanded copies of the submissions made at the administrator hearing.

The court referred to established case law to find that, as a company’s agent, unless the liquidator takes decisions about the processing of personal data as principal and not agent, the liquidator cannot be a controller and the same reasoning must apply to administrators. The court also held that administrators are under no obligation to investigate data breaches by the company relating to data subjects, and that any data protection investigations should remain the responsibility of external regulators.

Nurse suspended after accessing medical records

Carol Anna Rodda, a senior nurse at the University Hospital Coventry and Warwickshire NHS Trust, has been suspended from the nursing register for repeatedly accessing her colleagues’ medical records in breach of information security and data protection policies.

Rodda began checking the medical records of her colleagues after suspecting that they were fabricating illnesses to avoid shifts. Not only did she inspect medical records, but she shared information that she found in those records with other colleagues and even tried to offer medical advice to one individual after seeing his record, advice that later turned out to be incorrect. She also accessed the medical records of herself and family members.

In a hearing Rodda was found to be guilty of misconduct despite Rodda denying all charges against her.

Leniency for data breach admissions in Singapore

Singapore’s data regulator, the Personal Data Protection Commission (“PDPC”) has said that businesses are more likely to avoid heavy fines if they admit to data breaches.

Guidance from the PDPC recommends that organisations that experience a personal data breach attempt to contain the breach, then report the incident to the PDPC if certain thresholds are met. The deputy commissioner, Yeong Zee Kin, has also confirmed that an organisation’s admission in relation to a personal data incident would be a strong mitigating factor when it came to setting financial penalties.

The PDPC has said that it intends to make reporting certain personal data breaches compulsory in future.

MI5’s use of personal data was ‘unlawful’ says watchdog

A case has been brought against MI5 in the High Court by civil rights group, Liberty, under the Investigatory Powers Act (the “Act”). Liberty argues that MI5’s ability to gather bulk data is incompatible with the European Convention on Human Rights.

Under the Act, MI5 can apply for warrants to obtain information (such as location data and web browsing history) and can use targeted interceptions of data for investigations such as counter-terrorism. However, the Act contains safeguards about how this information is stored and handled and it is unlawful to keep data when it is no longer needed or to store it in an unsafe way.

The Investigatory Powers Commissioner has said that MI5 has handled large amounts of personal data in an unlawful way. It is alleged that information was kept for too long, not stored safely, and MI5 knew about these issues in 2016 but did not speak up.

The court held that MI5 would be subject to greater scrutiny when applying for warrants in future.

Importance of biometric policies and consent

The use of biometric data has become increasingly prevalent in the workplace; however a recent unfair dismissal case has demonstrated the importance of updating policies and procedures before using such data.

Superior Wood began to use biometric scanners to register employee attendance at its site. An employee, Jeremy Lee, refused to use the biometric scanners even after Superior Wood released a policy making the use of the scanners compulsory. Lee was eventually dismissed for his refusal and brought an unfair dismissal application.

The Fair Work Commission in Australia (the “Commission”) held that the dismissal of Lee for refusing to use a fingerprint scanner was unfair because Superior Wood did not have a privacy policy in place, it didn’t obtain consent before collecting the biometric data and it did not release a privacy collection notice.

The Commission noted that if a refusal to give consent could result in disciplinary action, then any consent given in those circumstances would not be genuine consent. Although this is an Australian case, the position would likely be the same in Europe.

Payday lenders bombarded with claims of unlawful data use

Payday lenders are allegedly being bombarded with fraudulent claims from compensation claims management firms (“CMCs”).

The Consumer Finance Association (“CFA”) said that it was concerned about claims being made against the payday loans sector; the concerns cited were poor quality complaints, data protection issues and complaints made without the permission of the borrowers. The sheer volume of complaints has also proved overwhelming with a number of lenders receiving more than 1000 complaints from a single CMC in 24 hours.

In the latter half of 2018, Elevate, the US owner of the payday lender Sunny, received more than 2,500 complaints from CMCs on behalf of people who were not Elevate customers. The complaints also contained personal information including, in some cases, an individual’s employer and bank details. Elevate also found that some CMCs were sending data subject access requests on behalf of customers without their knowledge.

La Liga fined for spying on fans

La Liga, the Spanish football league, has been fined €250,000 for using an app to spy on illegal match screenings.

The league’s app would turn on the microphone of mobile phones listening for the sound of a match broadcast. Location software would then be used to find out where the individual was watching the match to ensure that they were in a place with a La Liga television subscription.

The national data protection agency condemned La Liga for not informing users that the app activated the microphone in breach of data protection legislation. La Liga has denied infringing data protection legislation.

Company fined for failing to be transparent with data subjects when creating a large decision support database

The national Personal Data Protection Office (“UODO”), Poland's data protection agency, has issued its first fine for non-compliance with the GDPR against Bisnode, a Swedish-headquartered digital marketing agency for its failure to provide individuals with a privacy notice.

In addition to a €220,000 fine, Bisnode was ordered to contact nearly six million individuals who had not previously been provided with a privacy notice. Bisnode has estimated that this exercise will cost them over €8million in registered postage alone, excluding any administration costs.

Bisnode obtained personal data from various sources, some publically available, such as public registers, and some not publically available. Under Article 14 of the GDPR, there is no need for a company to provide a privacy notice if it would be impossible or involve disproportionate effort. Where Bisnode obtained an individual’s email address, it would contact them by email; however where no email address was available, Bisnode made a conscious effort not to contact these individuals as it considered the costs of doing so to be disproportionate. Bisnode instead opted to post the privacy information on its website.

The UODO found that placing the privacy notice on its website had not satisfied Bisnode’s obligations under Article 14 of the GDPR. The UODO stated that Bisnode should have been pro-active in complying with its obligations under Article 14. It was not sufficient to place a privacy notice on its website and expect the data subject to find it, and therefore Bisnode had failed to comply with its Article 14 obligations.

Little reasoning was given by the UODO for what seems to be an onerous finding and Bisnode has said that it will appeal the decision.

Swedish data-protection authority launches Spotify GDPR investigation

The Swedish data protection authority, the Datainspektionen, confirmed that it has opened a review into Spotify’s practices after the company allegedly provided inadequate responses to a series of subject access requests ("SARs").

The Datainspektionen used SARs to ask Spotify to confirm: what information it provides to users, the decision making process behind what information it provides, and the systems used to make this clear and understandable to customers. The GDPR requires companies to provide information to customers in clear and simple language; an obligation that Spotify has apparently neglected. Spotify must respond to the Datainspektionen by 1 July 2019.

English Court rules on GDPR claim jurisdiction

In Ramona Ang v Reliantco Investments Limited the High Court confirmed that the the law on jurisdiction under Article 79 of the GDPR will take priority over the provisions of the Jurisdiction and Judgments Regulation ("Brussels I Recast"), in relation to that claim. This is the case even where the defendant has obtained a claimant's agreement to an alternative forum.

Ms Ang brought a claim against Reliantco after it blocked her account and subsequently refused to allow her to withdraw funds from the UFX platform. She had used the account to trade Bitcoin. One of the key points in dispute was whether or not Ms Ang was a ‘consumer’ as defined within the Brussels I Recast. Reliantco argued that her wealth and sophisticated trading discounted her consumer title; the court found that "wealthy consumers are consumers nonetheless", and that although she may have understated her experience, she was not reliant on the Reliantco revenues and was not trading as a business.

The court also found (obiter) that Ms Ang’s claim under the GDPR would, in any event, have “trumped” the jurisdiction clause. The court held that Article 79 of the GDPR (which grants jurisdiction over a claim made pursuant to the GDPR to the court in the claimant’s habitual residence) takes primacy over a choice of jurisdiction clause under the Brussels I Recast. Therefore, although Ms Ang was able to prove she satisfied the definition of ‘consumer’, the GDPR provisions would have allowed her claim to continue in any event.

Clients should therefore be wary that exclusive jurisdiction clauses can be overridden under two (increasingly common) circumstances:

claims brought under the GDPR; and
where claimants can prove they are ‘consumers’ under the Brussels I Recast.

ICO not compliant with cookie legislation

Whilst many companies have been struggling with the uncertainty surrounding the interaction between the GDPR and ePrivacy rules, the ICO has admitted that its own cookie consent process is not currently compliant. The revelation followed complaints that the ICO’s website automatically places cookies on users’ mobile devices once they access the ICO website, in contravention of the Privacy and Electronic Communications Regulations 2003 (“PECR”).

Pursuant to PECR, in order to use cookies on a website, companies must:

seek the consent of website users or subscribers; and
provide a clear, comprehensive and visible notice on the use of cookies at the time and place where the consent is sought.

The GDPR also applies the ePrivacy rules meaning that where consent is sought, that consent must be freely given, specific and informed, and must involve some form of unambiguous positive action. This is somewhat at odds with the ICO’s own approach of providing a cookie banner on its website which refers to an assumption of consent via the user’s continued browsing. The ICO’s admission appears to confirm that such implied consent is not sufficient.

The ICO has said that further guidance will be provided in due course; however, companies should note that the European ePivacy regime is under review with a new regulation expected to be adopted before the start of 2020.

The adtech industry is operating illegally

The ICO has accused the $200 billion adtech industry of operating illegally following a review of how adverts across the internet are bought and sold in real-time auctions.

Whenever someone visits a website, their computer sends out personal information, including location, device and browsing interests, to thousands of adtech companies. Those adtech companies use this information to bid for advertising space in real time on the screen, immediately serving up adverts, before a webpage has loaded. The ICO concluded that “the scale of the creation and sharing of personal data profiles in [real-time bidding] appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place.” The report also found that companies were illegally collecting and bidding for special category data, which requires the explicit consent of the data subject.

The report did not identify any particular companies for punishment, but offered a six-month grace period during which the adtech industry is expected to improve its data practices. Complaints against the industry have been made to regulators in at least 12 other countries including Belgium, Poland, the Netherlands, Spain and Luxembourg.

Cybersecurity

FAI Data Hack Confusion

The FAI was the victim of a cybersecurity breach earlier this month, and now there are concerns that the data of children was accessed by the hackers. Despite the Gardaí confirming that they were investigating the reported attack, the FAI have stated that there is "no evidence at this moment in time to suggest that any data held by the FAI has been exfiltrated from our systems". As reported in the Irish Daily Mail, Fergus O'Dowd (the chairman of the Oireachtas Sports Committee) said the FAI's statement was "unusual to say the least".

The FAI has been quick to reassure customers that their payment data has not been affected by the hack as it is stored off-site on a third-party platform. However, they have not responded to the unconfirmed reports regarding the data of children, which the FAI keeps in relation to children's teams, tournaments and camps. The parents of those children potentially affected await clarification from the FAI.

Veritas report reveals dark data exceeds 57% in the UAE

A report from Veritas Technology has revealed that over half of UAE company data remains 'unclassified' despite the global rise in security breaches. This unclassified data is known as 'dark data', and it can create a 'honeypot' for cybercriminals.

Classifying data is the key to data management; the less a company knows about the data it holds, the less accuracy it can employ when managing risks and security. Classification allows for easy scanning and tagging, enabling a business to ensure security resources are focused on protecting confidential material and sensitive data.

The research by Veritas surveyed 1,500 information technology decision makers and data managers across 15 countries, including 100 senior professionals from the UAE.

Last month, we reported that companies subject to cyberattacks suffered, on average, a 7.5 per cent. drop in their stock values. It is therefore troubling that the majority (83 per cent.) of UAE companies surveyed admitted that less than half of the data they hold on public clouds has been classified. This was the highest of all locations surveyed, followed by China (81 per cent.) and Singapore (67 per cent.). Jyothi Swaroop from Veritas said:

“A company’s dark data reservoir may be out of sight and out of mind for many organisations, but it’s an enticing target for cybercriminals and ransomware attacks. The more organisations know about the data they hold, the better they will be at judging its value or risk."

Customs Police: photos of travellers and personal data compromised in breach

The US Customs and Border Protection (“CBP”) has announced that a recent data breach compromised the photographs of travellers and licence plate numbers. CBP has notified Congress and stated that is was working with law enforcement and cybersecurity entities to "determine the extent of the breach and the appropriate response".

CNN broke the news that the hack has resulted in at least 50,000 American licence plate numbers being made available on the dark web. Adding insult to injury, it was revealed that the leaked data was being held by a third-party contractor when it was hacked who was not authorised to store the personal data. It is unclear why the licence plate information was being held by CBP and shared with a subcontractor, Perceptics, who itself has several contracts with law enforcement and government agencies.

CNN reported that its journalists were able to find the licence plates on the dark web, despite CBP's statement that "none of the image data has been identified on the Dark Web or internet". It has also been reported that around 100,000 photographs of travellers have been leaked, but CNN was not able to verify this.

On the up: cybersecurity companies raise large sums through funding and IPOs

Earlier this month, two cybersecurity companies raised staggering amounts, suggesting their popularity with investors is increasing. Security training company KnowBe4 raised $300 million in growth equity, while CrowdStrike (a leading player in the endpoint security space) floated its stock, raising $612 million.

Both cybersecurity companies are now worth well over $1 billion, joining a growing list of similar service providers whose worth has grown exponentially in recent years. Increased reliance on data means the risks of storing and maintaining it continues to grow. As has been widely reported, 90 per cent. of data ever generated was created in the last two years, and as knowledge of data manipulation deepens, its value is clearly reflected in the success of these cybersecurity companies.

All quiet on the demo front: Symantec plays down data breach

Cybersecurity giant Symantec reportedly downplayed enquires from the Guardian as to whether they experienced a data breach in February of this year. The breach allegedly allowed hackers to access passwords and a list of clients that includes Australian government agencies.

The supposedly "minor incident" involved a demo lab in Australia, meaning that the data was simulated for testing and no personal information was leaked. However, the incident is potentially serious as it was purportedly carried out by the same attackers that claimed responsibility for offering the Medicare data of millions of Australians for sale on the dark web. The list extracted in the demo breach is said to include Australia's 'big four' banks, the federal police, government departments, universities and insurers. The potential value of such information on the dark web is immense.

Amazon sellers hit with serious phishing fraud

Amazon was hit with an 'extensive' fraud that allowed hackers to attack over a period of six months in 2018. The information was discovered in legal papers that have now been made public.

Amazon's lawyers, according to the documents, asked a London judge to approve their search of account statements held by Barclays and Prepay, who are not suspected to be involved. The details of the fraud have not been disclosed, but it is believed the hackers were able to access the accounts of Amazon sellers, some of whom received business loans from Amazon. Once accessed, the hackers edited account details and replaced them with their own. Amazon has confirmed that it issued $1 billion in loans to merchants in 2018; it is not known how much the hackers were able to syphon away during those six months.

ICO enforcement

Should the DVLA be selling driver's details to private parking firms?

The DVLA has extensive access to a driver’s details. As personal data has grown in value, the practice of selling said details to third parties has become more valuable for the DVLA. In fact, a Freedom of Information request by The Sunday Times found that the DVLA earned £16.3 million selling these details in 2018, and even more worryingly, the threshold for third party purchases is low, as firms do not need to justify their reason for buying.

The DVLA has been referred to the ICO. A spokesperson for the ICO told one news outlet: “We are aware of the issues around the sharing of registered keepers details between the DVLA and private parking companies, and we are currently considering if and how new data protection laws affect this data sharing." It is anticipated that the ICO will investigate the practice and offer clarity as to its lawfulness in due course.

Restorative Justice Caseworker prosecuted for sending sensitive personal data to her own personal email account

The ICO has prosecuted Jeannette Baines, who previously worked at Victim Support. She was caught sending the information of both victims and offenders from her work email address to her personal email address during her last week working for the charity. It is not known what she intended to do with the information, but the ICO found that she sent it without authorisation and in breach of section 55 of the Data Protection Act 1998 (“DPA”). On top of a three year conditional discharge sentence, she was ordered to pay costs of £600 and a victim surcharge of £20.

Customer services officer fined for unlawfully accessing personal data

Wendy Masterson was formerly a customer services officer at Stockport Homes Limited ("SHL"). She was found guilty this month of breaching section 55 of the DPA at Stockport Magistrates Court, for accessing anti-social behaviour cases on SHL's case management system without authorisation.

SHL discovered the breaches after an audit. Concerns had been raised about Masterson's performance at work, and it was subsequently revealed in the investigation that she had accessed the system without authorisation 67 times during 2017.

Mike Shaw from the ICO said:

“People have the absolute right to expect that their personal information will be treated with the utmost privacy and in strict accordance with the UK’s data protection laws. Our prosecution of this individual should act as a clear warning that we will pursue and take action against those who choose to abuse their position of trust”.

Masterson pleaded guilty at Stockport Magistrates Court on 6 June 2019. She was ordered to pay a £300 fine, costs of £364.08 and a victim surcharge of £30.

ICO fines home security company for making thousands of nuisance calls

The ICO has fined Smart Home £90,000 for making nuisance calls. The Staffordshire-based company made over 118,000 marketing calls that were deemed unlawful by the ICO. The ICO received 125 complaints about Smart Home's unsolicited calls between 2017 and 2018.

Although Smart Home's business involves making so called 'cold calls', in this case they were making unsolicited advances to individuals registered with the Telephone Preference Service ("TPS"). It is illegal to make calls to TPS registered individuals.

The ICO rightly condemned the company's conduct; Stephen Eckersley, ICO’s Director of Investigations, said:

“Smart Home Protection has been in business for many years, so they should have been fully aware of their data protection obligations. It is a company’s responsibility to check the TPS and make sure that it has valid consent to make marketing calls. If they don’t, they can expect robust enforcement."

EE fined £100,000 for unlawful texts

EE has been fined £100,000 for sending 2.5 million text messages to customers without their consent in 2018. The purpose of the messages was to encourage EE customers to use its My EE app and to upgrade their handsets. EE also sent a follow-up text to those customers who did not react to the first one.

Whilst EE claims to have believed that the messages were services messages as opposed to direct marketing messages, the ICO held that if the message includes promotional material then the electronic marketing rules apply. The ICO’s guidelines state that electronic marketing can only be sent to existing customers who have given consent, provided that there is an easy way to opt out of such marketing.

The ICO can impose a fine of up to £500,000 for a failure to comply with electronic marketing legislation. EE’s smaller fine may be due to the fact that the ICO found that the company did not intentionally set out to breach electronic marketing laws despite being aware that it was sending direct marketing to customers.

EE has accepted the finding and has said that it will improve its processes.