Data Protection update - November 2020

Data Protection update - November 2020

Welcome to our data protection bulletin, covering the key developments in data protection law from November 2020.

Welcome to our data protection bulletin, covering the key developments in data protection law from November 2020.

Data protection

Regulatory enforcement 

Civil litigation

Data protection

For more in-depth discussions on the EDPB recommendations and the new SCCs, see our go-to-guides here. You can find each of these guides here:

EDPB issues recommendations on transferring data following the Schrems II judgment

On 10 November 2020, the EDPB published two sets of recommendations. The first focusses on measures that supplement transfer tools to third countries, particularly in light on the Schrems II judgment earlier this year (the “Recommendations”). The second relates to the European Essential Guarantees on surveillance measures (the “Guarantees”).

The Recommendations provide guidance to controllers and processors who transfer data outside the European Economic Area (the “EEA”). They place specific emphasise on the various supplementary measures that may be used to implement transfers to third countries. The Recommendations are broken down into six steps designed to help data exporters verify the level of protection afforded to their data subjects when their data is transferred to a third country. The Recommendations are open for public consultation until 21 December 2020.

The Guarantees, on the other hand, outline certain features that assist companies in their assessment of whether access by public authorities is considered justifiable interference or not.

Stephenson Harwood has considered the merits and flaws in the Recommendations and Guarantees and has produced a short guide to help you understand the steps you need to take and the potential pit falls you need to watch out for. You can find the guide here.

European Commission releases new draft SCCs

Following the CJEU’s decision earlier this year in Schrems II, the Commission issued draft versions of new SCCs just two days after the EDPB’s Recommendations. The new SCCs are expected to be adopted in early 2021 and are open for public consultation until 10 December 2020.

The existing SCCs were released before the GDPR was introduced and cover only two transfer scenarios (controller to controller and controller to processor). The new SCCs are far more comprehensive and bring welcome clarity and conformity with GDPR. Perhaps the most welcome change is that the new SCCs provide for two further transfer scenarios (processor to processor and processer to controller).

Predictably, the new SCCs deal with public authority access to data and include provisions that address the potential impact of a third country's laws on the contractual obligations and place particular attention on certain technical and organisational measures.

The new SCCs provide some much-needed upgrades for controllers and processors alike and will be critical to UK companies looking to transfer data to the EU from 1 January 2021, particularly as the UK awaits the EUs adequacy on data transfers following the end of the transition period.

Stephenson Harwood has considered the key changes in the SCCs, the main problems to look out for and some recommended practical steps in a short guide, which can be found here.

Article 28 SCCs

In addition to the SCCs referred to above, the Commission has also published SCCs drafted to comply with the requirements set out in Article 28 of the GDPR. Article 28 governs the relationship between controllers and processors and sets out provisions, which must be included in all contracts between controllers and processors located in the EU.

The draft Article 28 SCCs act as a standard form data processing agreement that companies can choose to use for their transfers between controllers and processors. Although not mandatory, the Article 28 SCCs comply with the minimum contractual requirements under Article 28. This includes obligations on the processor to follow the controllers instructions when processing personal data, return or erase data at the end of the data processing services, ensure adequate security measures are implemented, assist the controller in complying with GDPR, and ensuring sub-processors are engaged on the same terms.

The new Article 28 SCCs include a series of detailed annexes, which demonstrate the level of specificity required by the GDPR in controller-processor relationships. Annex II requires the parties to describe the processing, which not only includes details such as duration of processing and special categories of data but also requires parties to specify the place of storage and processing. Whilst Annex IV requires the parties to specify the controller instructions, Annex V includes specific restrictions and additional safeguards where special category data is concerned. Annex III is a very detailed annex for specifying technical and organizational measures, which has never been required of organisations previously but echoes the recent EDPB Recommendations.

As mentioned above, although the draft SCCs do offer a guaranteed means of compliance, they will not be mandatory and companies can choose to use bespoke data processing agreements instead (providing they are compliant with Article 28). Companies may look to augment these SCCs with their own clauses or supplementary measures but in doing so they need to be aware of conflict as the SCCs will take priority. Further, companies will need to pay attention to these draft Article 28 SCCs to ensure they do not stray too far from the example set by the Commission. This is particularly important when you consider how difficult it would be to justify the reasoning behind taking a difference stance as set out in the draft SCCs.

Whilst these standalone Article 28 SCCs have been somewhat hidden in the shadow of the SCCs for transfers outside the EEA, companies need to pay attention and consider aligning their current standard terms with the Commissions draft SCCs before they are adopted early next year.

Make the invisible visible: five key takeaways from the Experian enforcement action

In last month’s bulletin, we reported that the ICO issued an enforcement notice ("Notice") to Experian Limited ("Experian").

We have now put together five key takeaways designed to help your business process personal data for direct marketing purposes in accordance with data protection legislation:

  1. You may be surprised by how broad a definition the ICO uses for processing “for direct marketing purposes” - so make sure you understand which of your processing activities may amount to direct marketing.
  2. Check that you have a lawful basis for processing: whether it be consent or legitimate interest, ensure you can demonstrate your assessment as to the correct legal basis for your direct marketing-related processing.
  3. If you’re sending direct marketing, the onus is on you to make sure all consents have been appropriately obtained, even where you’re not the one obtaining them. To avoid being penalised, ensure you have verified any consents on which you’re relying that have been obtained by a third party.
  4. Take care to draft a clear and transparent privacy notice that sheds light on processing that may otherwise be invisible.
  5. Where you have obtained data from public or third party sources, it may not be appropriate to rely on the disproportionate effort exemption, or the fact that data subjects already have the information, so consider whether you have properly brought your privacy notice to data subjects’ attention.

Read more about the Experian Notice and our assessment of its impact here.

Is the ICO failing to collect fines?

The ICO remained in the spotlight this month in relation to another FOIA request. This request follows reports last year by SMS Works (an SMS Service Provider) that 42% of all fines handed out between 2015 and July 2019 were yet to be paid. Since that report only 1 of 47 outstanding fines has been paid.

Further, the new FOIA request confirms that the ICO has not improved its collection rate since last year, but rather 68% of all fines issued since January 2019 remain unpaid. In response to this figure, the ICO has confirmed that; “Since January 2019, nine fines have been paid, seven fines are in the process of being recovered and five are under appeal.”

The SMS Works report also includes interesting information around the number of fines being handed out by the ICO, in particular, there have been fewer fines issued by the ICO since the GDPR entered into force yet the offence that attracts the highest fines remains data breaches. Further, other than fines issued by the ICO to big brands, such as Facebook, the larger fines are the least likely to be collected.

In general, the ICO requires fines to be paid within one month of being handed down but it is clear that they struggling to enforce that. Unless the ICO begin to improve their collection rates, the threat of a fine risks becoming less of a deterrent and instead forms the basis of another potential criticism of the ICO’s effectiveness. 

Regulatory enforcement

ICO issues Marriott International with £18.4 million fine for breaches of GDPR

On 30 October 2020, the ICO, acting as Lead Supervisory Authority for the purposes of Article 56 of the GDPR, issued Marriott International, Inc. (“Marriott”) with a Monetary Penalty Notice (the “MPN”). The MPN fined the hotel chain £18.4 million for breaches of Articles 5(1)(f) and 32 GDPR, in relation to a cyber-attack on Starwood Hotels and Resorts Worldwide, Inc. (“Starwood”) which started in 2014 and remained undetected until September 2018 (by which time Starwood had been acquired by Marriott). This cyber-attack led to personal data (including unencrypted passport details, details of travel, and various other categories of personal information including name, gender, date of birth, VIP status, address, phone number, email address, and credit card data) belonging to approximately 339 million customers being exposed.

The MPN was issued just two weeks after the ICO imposed its largest fine to date - £20 million - on British Airways Limited (“BA”), similarly for breaches of Articles 5(1)(f) and 32 GDPR. An analysis of the BA MPN can be found here.

The two decisions share numerous common features, not least the significant reductions in the final penalty figures as compared to those which were proposed in the ICO’s Notices of Intent (“NOI”). In Marriott’s case, the final figure represents just 18.5% of the £99.2 million fine proposed in the ICO’s NOI dated 5 July 2019 or just over 0.1% of Marriott's worldwide turnover in 2018.  

Aside from the useful parallels which can be drawn with the BA MPN, the Marriott MPN is helpful in itself for providing further guidance to organisations on how to ensure that they have “appropriate technical and organisational measures” in place to avoid regulatory sanctions in the event that personal data in their possession is compromised following an IT systems breach. Data controllers and processors would be well-advised to take heed of the detailed guidance comprised in these MPNs, as they build on previous MPNs issued in respect of breaches of the seventh data protection principle under the old data protection regime, at Schedule 1 of the Data Protection Act 19981. Sympathy for those who fail to do so is likely to be in short supply at the ICO which, it is clear, will accept little deviation from the standards set out therein, particularly from well-funded data controllers and processors.

The decision also provides some very helpful guidance regarding how organisations should determine whether to notify relevant Supervisory Authorities for the purposes of Article 33 GDPR, and what steps they are obliged to take to notify affected data subjects in order to fulfil their obligations pursuant to Article 34 GDPR.

The regulatory sanction to which Marriott is subject also serves to highlight the importance of undertaking careful due diligence, and securing relevant contractual protections, for purchasers undertaking corporate acquisitions.

Please find more detailed analysis of the Marriott MPN here.


ICO fines Ticketmaster £1.24 million for data protection breaches

On 13 November 2020, the ICO issued Ticketmaster UK Limited (“Ticketmaster”) with a MPN, fining the ticket sales and distribution company £1.25 million for breaches of Articles 5(1)(f) and 32 GDPR. The breaches related to a cyber-attack, which took place in the first half of 2018 and compromised the personal data of up to 9.4 million customers.

This represents the third high profile fine issued by the ICO in the space of a month, following the £20 million penalty imposed on BA on 16 October 2020 and the £18.4 million penalty imposed on Marriott on 30 October 2020. All three fines relate to breaches of Articles 5(1)(f) and 32 GDPR, highlighting the ICO’s willingness to pursue enforcement action where organisations fail to implement "appropriate technical and organisational measures".

As with the BA and Marriott MPNs, the Ticketmaster MPN contributes to the developing jurisprudence around organisations on what constitutes "appropriate technical and organisational measures" for data controllers processing significant volumes of personal data, particularly payment-related data

Continuing the trend of reductions as between the fine proposed by the ICO in a Notice of Intent (“NOI”) and the final figure reached in the MPN, Ticketmaster’s penalty was reduced from the £1.5m figure proposed in the NOI to £1.25m; a much less significant reduction than those made in relation to BA and Marriott in proportionate terms.

Whilst the fine is far lower in absolute terms than that faced by BA and Marriott, by reference to overall turnover it is substantially higher (1.2% by comparison with 0.25% (BA) and 0.1% (Marriott)). This potential reflects, amongst other things, the fact that a "significant number of affected data subjects reported having suffered financial loss and/or emotional distress as a result of the breach", and Ticketmaster's dilatory approach after third parties had drawn the breach to its attention.

It is also worth noting that, like the BA data breach, the Ticketmaster breach arose from issues relating to third parties who were involved in Ticketmaster's digital supply chain. As in BA's case the ICO was entirely unreceptive to Ticketmaster's representations that this fact (and the fact that it had been targeted by malign third parties) in any way obviated its responsibilities as data controller.

James Dipple-Johnstone, Deputy Commissioner said in a statement by the ICO:

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

Ticketmaster has indicated that it intends to appeal the MPN to the First-tier Tribunal.

We will shortly be sharing a more detailed analysis of the Ticketmaster MPN.

ICO closes its investigation into the adtech industry

In 2018, the Information Commissioner’s Office (the “ICO”) received a joint complaint from the Open Rights Group (“ORG”) and University College London, which alleged that Google, IAB, and other companies in the adtech industry, were acting in breach of numerous provisions of GDPR. 

The ICO investigated the issues outlined in the complaint and published a report in June 2019, stating that the adtech industry had not been complying with GDPR. However, thereafter, the ICO decided to close the investigation in September 2020, without taking any further action.

In light of the ICO's conduct in this regard, ORG has subsequently announced its intention to apply to the First-tier Tribunal (the "FTT") (under s166 of the Data Protection Act 2018 and Article 78 of GDPR) for an order that the ICO "take appropriate steps to respond to [ORG's] complaint", in order “to ensure that the law is enforced even when the regulator can’t be bothered to protect our rights and liberties”.

In addition, the Data & Marketing Association (“DMA”) has issued a statement, calling for the ICO to be more consistent in its approach to enforcement. John Mitchison, Director of Policy and Compliance at the DMA said:

“There are clear discrepancies between how the ICO investigates and administers enforcement to different parts of the data and marketing sector. Their recent actions against a handful of credit rating agencies contradicts their statement that it would be ineffective to act against a small number of companies when it is an industry-wide issue. If the ICO would like to work with industry sectors to make meaningful change, as opposed to taking disciplinary action, then it must be more consistent with its policies and how investigation outcomes are communicated to the general public.”

It will also be interesting to see the extent to which the FTT entertains ORG's application, given the narrow approach, which the FTT has adopted in relation to applications pursuant to s166 of the Data Protection Act 2018 to date1.

EDPB adopts its first Article 65 decision in relation to Twitter data breaches

The Irish Data Protection Commission’s (“DPC”) draft decision in respect of its investigation into a number of data breaches suffered by Twitter has been the subject of the dispute resolution procedure in Article 65 GDPR, the first such time this mechanism has been used.

The draft decision, which the DPC shared with a number of concerned supervisory authorities in May 2020 in accordance with Article 60(3) GDPR, was met with various relevant and reasoned objections (“RROs”) by other Supervisory Authorities. The RROs focused on the quantification of the proposed fine, the role of Twitter as sole data controller, and the breaches of GDPR identified by the Irish DPC (which include a breach of Article 33 GDPR).

In accordance with Article 60(4) GDPR, the Irish DPC referred the matter to the EDPB on the basis that it rejected the RROs and/or considered they were not “relevant and reasoned”.2 This initiated the dispute resolution procedure under Article 65.

The Article 65 resolution mechanism requires EU Data Protection Authorities (“DPAs”) to come to a two-thirds majority decision within one month of the referral. In the present case, the default deadline was extended by a further month, due to the complexity of the subject matter.

On 10 November, the EDPB announced that it had adopted its binding decision, signalling that at least a two-thirds majority of EU DPAs were in favour of the Irish DPC’s enforcement action against Twitter.

The EDPB statement said:

“The Irish SA shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision. The LSA and CSAs shall notify the EDPB of the date the final decision was notified to the controller. Following this notification, the EDPB will publish its decision on its website”.

1 See Leighton v Information Commissioner (No.2) [2020] UKUT 23 (AAC) in which it was held: "as a matter of legal analysis. Section 166 is directed towards providing a tribunal-based remedy where the Commissioner fails to address a section 165 complaint in a procedurally proper fashion. Thus, the mischiefs identified by section 166(1) are all procedural failings”

2 The EDPB published timely guidance on “relevant and reasoned” objections on 8 October 2020:

GDPR complaint filed against Wizz Air by None of Your Business

A customer incurred €35.67 in phone charges after attempting to change personal data (her name and email address) held by Wizz Air, the budget airline. The customer initially submitted a “rectification request” with Wizz Air’s Data Protection Officer (“DPO”) in 2019. After waiting three months for a response, the customer re-submitted her request – this time using Wizz Air’s company contact form. Wizz Air’s response merely stated that surnames could only be changed online in cases of marriage.

The customer was only able to change her name by calling Wizz Air’s customer call centre, which costs more than €1 per minute. After a 30 minute phone conversation, Wizz Air changed the customer’s name, however, they did not change her email address.

Under Article 12(5) GDPR, customers are entitled to correct and update their personal data free of charge. As a result of the charges incurred by the customer, and Wizz Air’s failure to deal with the customer’s request in a timely manner, None of Your Business (“NOYB”), a non-profit organisation, filed a GDPR complaint against the airline on 21 October 2020.

Ala Krinickytė, a data protection lawyer at NOYB, stated that:

"The GDPR states controllers should take ‘every reasonable step’ to ensure that data is accurate. In this case, it feels like Wizz Air failed to take any steps at all. The request for rectification is probably the least contentious data protection request a data subject can submit to the controller. Especially with airlines, it is of great importance that their passenger lists matches the passports. They make things more complicated and costly than necessary."

This action should serve as a reminder to organisations to ensure that effective measures are in place to allow customers to correct and update their personal data, and that consumer rights groups are increasingly willing to act to ensure that organisations that fail to do so are held to account.

Civil litigation

The Irish DPC has been ordered to pay Maximillian Schrems’ costs after Facebook suit.

The High Court of Ireland recently handed down judgment in The Data Protection Commissioner v Facebook Ireland Ltd and Another [2020] IEHC 537. Following on from the Schrems II proceedings, Maximillian Schrems sought his costs against the Irish DPC.

The High Court of Ireland has now ruled that the Irish DPC is liable to pay the majority of Mr Schrems’ costs, including costs incurred in dealing with the original complaint made to the European Court of Justice. This was despite the fact that the DPC’s office had acted entirely correctly in bringing the application.

While acknowledging the enormous financial burden this would place on the DPC, Judge Costello stated that it would have been a “grave injustice” not to award Mr Schrems his full costs. Judge Costello stated that: "It is a matter for government to ensure that the commission is adequately resourced so that considerations of legal costs do not act as a deterrent which hinder or prevent the commission from carrying out its vital functions as a truly independent, national supervisory authority and guardian of fundamental rights”. According to Judge Costello the outcome was an “unavoidable incident” of the DPC’s role.