Data Protection update - March 2019
Welcome to the March 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Brexit - BCR Guidance
- Brexit – Privacy Shield
- Brexit – Transfers of data from DIFC
- Lords Communications Committee's proposal for a new digital regulator
- Impact of the application of EU Regulation on the free-flow of non-personal data
- Increase in data complaints received by the Irish Data Protection Commission in the first year of GDPR
- Organisations should be doing more to achieve privacy accountability
- UAE regulatory update on the use of IT in healthcare
- Uber could face GDPR lawsuit or probes in UK over drivers' data requests
- EDPB adopts Opinion on the interplay between the ePrivacy Directive and the GDPR
- Businesses lag on data breach response times
- Personal data in the Upper Tribunal
- Citrix networks infiltrated by hackers
- Payment data of thousands of customers of FILA UK and US online stores could have been compromised
- Privacy activists say online ad industry knowingly violated GDPR
- 59 charities referred to ICO by the Fundraising Regulator named
- ICO raids businesses suspected of making millions of nuisance calls
- A former senior local government officer has been prosecuted for passing the personal information of rival job applicants to his partner
The EDPB has released some guidance on binding corporate rules ("BCRs") for companies that have the UK Information Commissioner's Office (the "ICO") as the BCR Lead Supervisory Authority. BCRs allow multinational companies to transfer personal data from the European Economic Area ("EEA") to companies outside of the EEA without breaching data protection legislation. The BCR Lead Supervisory Authority is the data protection authority responsible for authorising BCRs. UK companies intending to apply for new BCRs will need to identify an appropriate BCR Lead Supervisory Authority in an EU member state in the event of a 'no deal' Brexit.
Further advice offered to UK companies in a 'no deal' scenario is:
- where current applications have only reached the review stage in the UK, the new EU BCR Lead Supervisory Authority will take over the application and formally initiate a new procedure at the time of a no deal Brexit;
- if a draft ICO decision for approving BCRs is pending before the EDPB, the company will need to identify a new BCR Lead Supervisory Authority who will take over and re-submit a draft decision for the approval of the BCRs to the EDPB;
- if the company is an authorised BCR holder it will need to identify the new BCR Lead Supervisory Authority; and
- BCRs which have already been authorised prior to Brexit will remain valid across the EU.
The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No 2) Regulations 2019 (SI 2019/484) (the "Regulation") amends the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) and will come into force immediately before the UK leaves the EU. The Regulation will ensure that personal data transferred from the UK to US Privacy Shield organisations will continue to be covered by the Privacy Shield legislation when the UK leaves the EU. Privacy Shield organisations must ensure that their privacy policies refer to personal data transfers from the UK.
On 14 March 2019, the Commissioner of Data Protection for the Dubai International Financial Centre ("DIFC") announced that the UK will be treated as offering an adequate level of protection for personal data transferred outside the DIFC after the UK leaves the EU. This reflects the fact that the GDPR will be absorbed into UK law in addition to the Data Protection Act 2018 being retained. The data protection law of the DIFC limits the transfer of personal data to countries that are not considered to have an adequate level of protection for that personal data. This confirmation ensures that entities in the DIFC can continue to transfer personal data to the UK after Brexit. No changes to processes or procedures should be necessary to comply with data protection legislation after Brexit.
On 9 March 2019, the House of Lords Communications Committee (the "Committee") published a report entitled, "Regulating in a digital world" (the "Report"). Among the suggestions in the Report is the creation of a new regulator, the Digital Authority, to ensure that regulation in the digital space is constantly assessed and that digital service providers uphold a proposed set of ten common principles and remain accountable to consumers.
The Committee recommends that the Digital Authority should have comprehensive powers over the existing regulators: the ICO, Ofcom and the Competition and Markets Authority. It is also suggested that a joint select committee would be created to oversee the Digital Authority.
Other key proposals from the Report include the regulation of user services (including social media gaming and search engines), measures to minimise the dominance of data monopolies, and a requirement for maximum privacy and safety settings to be imposed by default.
A copy of the report can be seen here.
EU Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union (the "Non-personal Data Regulation") will come into effect as of May 2019. The Non-personal Data Regulation applies to the processing of all data that does not conform to the definition of personal data under Article 4 of the GDPR. It purports to allow unimpeded movement of non-personal data across borders and to ensure the freedom to provide data processing services within the EU.
The Non-personal Data Regulation applies to processing activities which are: (i) provided as a service to users residing or having an establishment in the EU, regardless of whether or not the service provider is established in the EU; or (ii) carried out by a natural or legal person residing or having an establishment in the EU for its own needs.
The Non-personal Data Regulation promotes the free mobility of data throughout the EU and therefore any prohibition of, or hindrance to processing in any member state is prohibited (unless such a requirement is justified on the grounds of public security).
By 30 May 2021, member states must review their existing laws and remove anything that limits the processing of non-personal data, or ensure that any limit is justified under the public security exception.
Increase in data complaints received by the Irish Data Protection Commission in the first year of GDPR
The Irish Data Protection Commissioner (the "DPC"), released a report setting out the work of the DPC from 25 May 2018, when the GDPR came into effect, to 31 December 2018.
The report notes that Ireland handled 136 GDPR complaints that were lodged by individuals with other EU data protection authorities under the One-Stop-Shop principle. The One-Stop-Shop system is used by entities that carry out cross-border processing, and offers those entities a single supervisory authority that will act as the lead on behalf of the other EEA supervisory authorities. This ensures that an entity will only need to work with one authority that is responsible for that entity's processing and the enforcement of the GDPR against that same entity.
Due to Ireland's multinational technology sector, which houses companies such as Apple and Facebook, the DPC has become the lead supervisory authority for a range of technology companies. The report states that 15 statutory investigations have been commenced to examine the compliance of some of these technology companies.
Other points of note from the DPC report include:
- in total, 4,113 complaints were received in 2018 representing a 56 per cent. increase on the total number of complaints received in 2017; and
- 4,740 valid security breaches were notified in 2018 representing a 70 per cent. increase on the total number of valid security breaches recorded in 2017.
By way of a news update on their official website, the ICO has stated that organisations need to improve their implementation of the core concept of accountability into their own internal privacy policies and programmes.
The Global Privacy Enforcement Network ("GPEN") has conducted a joint study of 356 organisations in 18 countries to assess how well GPEN members have taken responsibility for complying with data protection laws.
The study found that there were a number of organisations that were not equipped with the technical and practical measures to handle complaints or deal with data security incidents.
Some of the findings from the global study include:
- organisations were generally good at providing data protection training to staff, but often failed to provide refresher training to existing staff; and
- over half of the organisations reviewed indicated that they have documented incident response measures, and that they maintain up to date records of all data security incidents and breaches.
However, a number of organisations indicated that they have no processes in place to respond appropriately in the event of a data security incident.
In terms of the UK companies surveyed, the ICO contacted 28 entities across a number of sectors, and made the following findings:
- only 67 per cent. of organisations who provided a response said that they conduct regular self-assessments of audits of internal data protection standards and practices, and only 67 per cent. indicated that they maintain inventories of personal data held; and
Although the results (both globally and nationally) revealed areas of good practice, the ICO indicates in its own statement that there is room (and need) for improvement.
The United Arab Emirates has implemented its first federal privacy law relating to healthcare data and protection of personal and sensitive data (The United Arab Emirates Government Promulgate Federal Law No.2 of 2019 – Using IT and Telecommunications in the Healthcare Sector) (the "Law"). The Law seeks to regulate healthcare data processed, controlled, transferred and stored electronically.
The Law contains 22 articles including:
- the creation of a central database system;
- obligations in respect of data privacy and use of IT and telecommunication technology when processing;
- transferring and storing data;
- obligations placed on media licensing;
- training; and
- violations for breach.
Entities in the healthcare space, including healthcare providers, insurers and technology companies, will need to update their current policies and practices in order to comply with the Law.
The US company's failure to share all GPS location and log data with its drivers prevents those drivers from calculating the total time they've spent on the platform and whether Uber owes them money.
If Uber fails to provide this data, a group of four drivers have threatened to either file data-protection complaints with privacy regulators in the UK, the Netherlands and Ireland, or file a case at London's High Court.
According to Uber driver, James Farrar, Uber has so far only disclosed part of this data. It is also alleged that Uber has failed to tell its drivers which of its entities – those in the UK, the Netherlands or Ireland – are handling their personal information.
If Uber complies with the data requests, it is still open to further challenges pursuant to the GDPR, such as complaints regarding fairness and transparency.
EDPB has adopted Opinion 5/2019 (the "Opinion") on the relationship between ePrivacy Directive (2002/58/EC) (the "ePrivacy Directive") and the GDPR. The Opinion clarifies the enforcement position where personal data is processed and is within the scope of both the ePrivacy Directive and the GDPR. The ePrivacy Directive is implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
The opinion confirms that:
- a data protection authority which oversees compliance with the GDPR needs to also be competent to enforce conformity with the ePrivacy Directive;
- the provisions of the ePrivacy Directive and the GDPR can interact and complement each other. However, where the processing of personal data falls within the scope of both rules, and the ePrivacy Directive provides for a more specific or specialised rule in relation to the processing activity, that rule should take precedence. An example of this is where cookies are used to collect personal data. Article 6 of the GDPR sets out the grounds for the lawful processing of this data; however, Article 5(3) of the ePrivacy Directive also applies. Article 5(3) requires consent to be obtained before cookies are installed on an individual's device, and, as the more specific rule, Article 5(3) of the ePrivacy Directive will apply;
- the cooperating and consistency mechanisms under Chapter VII of the GDPR do not apply to the enforcement of the ePrivacy Directive; and
- the penalties and enforcement powers under the ePrivacy Directive are unaffected by the GDPR.
According to the ICO, businesses in the UK took an average of 21 days to report personal data breaches during the year up to 31 March 2018 (see further details here).
The data pre-dates the application of the GDPR. Under the pre-GDPR regime, reporting of data breaches was voluntary; it is now mandatory where such breaches are likely to result in a risk to the rights and freedoms of affected individuals.
The reporting practices of firms prior to the roll-out of GDPR would fall below the new, higher standards which generally require notice within 72 hours of awareness.
The ICO provided figures on voluntarily reported data breaches to cybersecurity company Redscan, after a freedom of information request. Redscan revealed that, along with lax reporting speed, the details provided of voluntarily reported breaches was scant. According to their analysis of the data, in over 90 per cent. of the cases, businesses did not "specify the impact of the breach or did not know the impact at the time it was reported".
More worryingly perhaps is that, according to Redscan's analysis, it took businesses an average of 60 days to actually detect a breach. For some organisations, breaches went undetected for 3.5 years. Based on Redscan's analysis, less than 25 per cent. of businesses analysed in their data set would meet the requirements of the GDPR.
In Information Commissioner v Halpin  UKUT 29 (AAC), Judge Markus QC overturned the First-Tier Tribunal's earlier decision. The First-Tier Tribunal had held that personal data was not exempt from disclosure under section 40(2) of the Freedom of Information Act 2000.
Judge Markus QC stated that the First-Tier Tribunal had erred in their decision because they had not considered the implications of possible disclosure of the personal information to the wider world, beyond the requestor; once information is released by a public authority under a Freedom of Information Request, that authority no longer controls its distribution. Thus, although the requestor's motives for seeking disclosure of personal data were sufficiently legitimate, this did not justify the potential disclosure to the world at large.
Obiter, Judge Markus QC discussed the possibility that future judgments should consider applying a higher threshold to decisions regarding requests under the Freedom of Information Act that involve the disclosure of personal data.
In LO v Information Commissioner  UKUT 34 (AAC), Judge Jacobs dismissed the reliance of the ICO on First-Tier Tribunal decisions as guidance on the law. While it has been accepted that First-Tier Tribunal decisions do not have precedent value, Judge Jacobs's comments might be perturbing for public authorities looking at previous decisions for guidance on how a tribunal might approach the facts they are dealing with. It is best for authorities or organisations to treat tribunal matters on a case-by-case basis; as Judge Jacobs made clear, decisions are very likely to be based on the individual factual context.
Citrix, a popular enterprise software company that provides services to many organisations, including the FBI, the U.S. Military and various U.S. government agencies, has warned customers that Iranian-backed hackers infiltrated its internal company network. The hackers stole emails, documents and "secrets" from "more than 200 government agencies, oil, gas, and tech corps" (read more here).
It has been reported that the FBI initially alerted Citrix to the potential hack believing that the malefactors were using "password spraying" to infiltrate the system (guessing weak passwords to gain access to the FBI network in order to launch further attacks once access was gained (more information here)).
According to some sources, 6TB of sensitive data may have been stolen.
Citrix has not released detailed information about the breach, but cybersecurity firm Resecurity has named the Iranian-linked group known as IRIDIUM as the perpetrators of the breach. In their statement, released on 8 March 2019, Resecurity struck a foreboding tone:
"We forecast a continued growth of targeted cyber-attacks on supply chains of government and large enterprises organized by state-actors and sophisticated cyberespionage groups".
Further information on this "form-jacking" malware can be found here. The "cyber-thieves" are able to implant a code on the affected website that can "scoop up" a customer's card details when they pay.
A group advocating for privacy and protection of personal data have updated a complaint they filed against Google and the Internet Advertising Bureau ("IAB"). The complaint includes allegations about the use of Real Time Bidding ("RTB"), a system under which Google and the IAB share their user's personal information — such as what they are reading online, or their recent searches — with third parties, who bid in order to determine what ad is displayed.
According to the privacy activists, the IAB and Google were aware that the RTB practice would violate the GDPR as early as 2017 and decided to continue this practice regardless.
The Fundraising Standards Board has released the names of 59 charities that it referred to the ICO for apparent failures to react to customers' requests not to be contacted via the Fundraising Preference Service (a full list of the named charities can be found here).
This story also underlines an emerging theme in data protection, the alacrity with which regulators have adopted a conjoined approach to enforcement. This point was further emphasised by the updated Memorandum of Understanding recently published by the ICO and FCA emphasising their focus on collaborating when taking enforcement action in relation to, amongst other things, breaches of the GDPR by financial services firms.
The ICO has announced that it searched two addresses as part of an investigation into businesses suspected of making both live and automated nuisance calls.
The investigation, which has been ongoing for one year, led to ICO enforcement officers executing search warrants at two addresses, one in Brighton and the other in Birmingham on 12 March 2019. The ICO stated that it has received almost 600 complaints related to these nuisance calls.
This is the first publicised example of the ICO using the enhanced investigatory powers which it was granted pursuant to Article 58 of the GDPR; powers which we anticipate the ICO will use frequently as part of its approach to enforcement going forward.
A former senior local government officer has been prosecuted for passing the personal information of rival job applicants to his partner
Kevin Bunsell, a former employee of Nuneaton and Bedworth District Council in Warwickshire, has been convicted of unlawfully sharing personal data in breach of section 55 of the Data Protection Act 1998.
Mr Bunsell's partner had applied for a role with the council, and he (although not involved in the recruitment process) accessed the personal data of other applicants and shared them with his partner over email.
Steve Eckersley, Director of Investigations at the ICO, which brought the prosecution, said:
“People who supply their personal information to an organisation in good faith, such as when applying for a job, have a legal right to expect it will be treated lawfully and ethically."
The ICO's approach emphasises its commitment to enforcement action in relation to such breaches, which it considers extremely serious.