Data Protection update - October 2018
Welcome to the October 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Privacy action against Google blocked by High Court
- Morrisons loses appeal on data leak
- GDPR exemptions guidance expanded by ICO
- Argentina on its way to reforming data protection legislation
- Progress on Japan's adequacy decision
- Silicon Valley advocates need for new data privacy regulation
- FCA levies £16.4 million fine against Tesco Bank for its handling of cyber-attack
- High Court rules in favour of worldwide freezing orders for victims of cyber fraud
- 30 million Facebook accounts hacked
- Facebook fined £500,000 for involvement in Cambridge Analytica scandal
- ICO takes steps to fine organisations for failure to pay data protection fee
- Bupa fined £175,000
- Oaklands Assist fined £150,000
- Heathrow fined £120,000
- Regulatory tribunal overturns ICO fine for failing to obtain opt-in consent when sending marketing emails
In Lloyd v Google LLC  EWHC 2599 (QB), former Which? director Richard Lloyd brought an action on behalf of the campaign group Google You Owe Us. The campaign group maintain that Google took millions of iPhone users' personal information illegally in 2011 and 2012 and were seeking to claim as much as £3 billion in damages from Google under the Data Protection Act 1998 ("DPA 1998"). Mr Justice Warby acknowledged that it is likely that Google had committed a breach of duty under the DPA 1998 by making use of the Safari Workaround, and therefore there was a basis to claim damages under the DPA 1998.
However, Warby J found that Lloyd had not proved that "damage" had been suffered by iPhone users as a result of the Safari Workaround, which is an essential element that must be satisfied for compensation to be awarded under the DPA 1998. The claimant had been successful in outlining that the alleged breach of duty had been committed by Google, but had failed to demonstrate that there had been any damage to iPhone users as a consequence, whether financial loss or psychological harm such as distress.
Warby J made clear that:
"Even if the data controller [Google] had no justification for its conduct, and was thus in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach."
In addition, the High Court held that the claim could not continue as a representative action made on behalf of millions of individuals using the Safari browser in England and Wales whilst the Safari Workaround was in use. This was because the representative claimant (Lloyd) and the potential group of claimants were not deemed to have the "same interest" in the claim. Most claimants would not have suffered any damage as a result of the Safari Workaround, and even if it could be proven that some claimants had suffered damage, they would not each have suffered the same kind of damage. The claim therefore could not continue as a representative action.
This claim was brought under the DPA 1998; however, the same principles apply under the European General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 ("DPA 2018"), under both of which compensation will only be awarded where damage has been suffered.
See here for the full judgement.
The Court of Appeal has upheld the High Court's decision, issued in December 2017, against Morrisons supermarket that Morrisons was vicariously liable for a data leak committed by an ex-employee, Andrew Skelton, who acted as a senior internal auditor at the retailer's headquarters. Skelton copied personal data onto a personal USB and subsequently posted the personal details of almost 100,000 Morrisons' employees online, as well as sending them to newspapers. The data included names, addresses, dates of birth, salaries and bank details. Skelton was jailed for fraud for eight years in 2015.
More than 5,000 employees or former employees of Morrisons brought proceedings against the supermarket, in a class action seeking damages for misuse of private information, breach of confidence and breach of statutory duty under the DPA 1998. In the High Court in December 2017, Mr Justice Langstaff held that Morrisons was not directly liable for the breach as it did not misuse any private information itself and Morrisons had implemented adequate systems and controls with respect to data security. However, Langstaff J found Morrisons to be vicariously liable for Skelton's actions and this was the question at issue in the Court of Appeal.
Morrisons advanced two arguments on vicarious liability. The first was that the DPA 1998 excludes any possibility of vicarious liability. Morrisons contended that this was because the DPA 1998 imposes express obligations on the data controller through its obligation to comply with the Data Protection Principles ("DPP") listed in the DPA 1998. Importantly, under DPP 7, "the data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data." The DPA 1998 therefore expressly considers the liability of a data controller for data breaches committed by its employees. Rather than imposing vicarious liability, which is strict liability irrespective of whether the employer has been at fault, the DPA 1998 envisages that the employer will be held directly liable if it fails to take reasonable steps to ensure the reliability of the relevant employees.
In this case, Skelton was the data controller in respect of the personal information disclosed online and in newspapers. Morrisons therefore argued that the DPA 1998 imposes no express liability on an employer who is not a data controller, for breaches of the DPA 1998 by an employee who becomes the relevant data controller by using the data for his own purposes. The express obligation contained within the DPA 1998 in relation to data breaches by employees was in DPP 7 and as long as Morrisons had met its obligations under this principle (which was not disputed), Morrisons could not be held vicariously liable for breach of an employee's statutory duty under the DPA 1998. As the DPA 1998 had already considered the ways in which an employer would be held directly liable for data breaches committed by employees, the DPA 1998 excluded any possibility of employers being held vicariously liable.
Morrisons' second argument was that the DPA 1998 is a piece of "specialist legislation" which Parliament intended to cover all forms of liability that an employer would incur for data breaches committed by an employee. Therefore the DPA 1998 excludes any scope for finding employers to be vicariously liable in relation to actions brought at common law for misuse of private information or in equity for breach of confidence.
The Court of Appeal rejected both arguments. The court held that "whatever the position on the first ground of appeal, the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee had not been excluded by the DPA". The court rejected the argument that Parliament had intended to exclude employers being found vicariously liable for actions brought at common law for misuse of private information or in equity for breach of confidence, finding that these claims run in parallel and are complementary to the DPA 1998. The court also rejected the contention that Parliament had intended to exclude common law and equitable actions that clashed with the analysis under the DPA 1998, holding that if Parliament had intended to erode such common law and equitable rights it would have said so expressly.
The Court of Appeal suggested that the solution for employers is to ensure that they have adequate insurance in place to cover such situations. The court contended that: "the fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…on behalf of Morrisons."
The case will cause concern among employers that they will be held accountable for the actions of their rogue employees. Appropriate training and education of staff may help to mitigate the risks here, as well as checking insurance coverage. Anyone concerned that their employees could seek to deliberately hurt the company by trying something similar should take note that there would be a high risk that this would be a criminal offence by the employee.
See here for the full judgement.
The Information Commissioner's Office ("ICO") has provided further guidance on the exemptions in the GDPR. The GDPR and DPA 2018 set out exemptions from some of their rights and obligations in certain circumstances.
Specifically, the ICO has noted that:
- whether an exemption can be relied upon often depends on the circumstances surrounding the processing of personal data and the reasons for processing;
- organisations should consider whether exemptions apply on a case-by-case basis and should never routinely apply exemptions; and
- organisations should justify and document their reasons for relying on an exemption in order to demonstrate compliance with data protection legislation, in line with the accountability principle.
The new guidance additionally outlines which exemptions are commonly available in different sectors such as journalism, healthcare and education.
See here for the ICO's updated guidance.
The Argentinian President has submitted to Argentina's National Congress a data protection bill that aims to replace the current Personal Data Protection Law, in force since 2000. Argentina has already been declared as having an 'adequate' level of data protection by the EU Commission. This means that personal data can flow freely from the EU to Argentina without further safeguards being required.
Argentina's current data protection legislation is not fully aligned with the GDPR. The new bill seeks to ensure that Argentinian data protection legislation mirrors the GDPR as closely as possible.
In line with the GDPR, the new bill limits the concept of "data subject" to natural persons, includes an obligation to notify data breaches and adds the data processor's legitimate interest as a new legal basis for processing personal data. The right to be forgotten and the right to data portability are also acknowledged in the bill and contractual clauses are recognised as a mechanism suitable for transfers of data.
The European Commission has produced a draft decision (see here) on the adequacy of Japan's data protection legislation. If implemented, Japan would join the small number of countries deemed by the Commission to provide an "adequate" level of personal data protection: i.e. in the Commission's view, their level of data protection is essentially equivalent to that of the EU. Japan is in the process of formalising a mutual decision in relation to the GDPR. These decisions aim to allow for the unrestricted transfer of personal data between organisations established in the EU and in Japan.
The GDPR allows for unhindered cross-border transfers of data between countries within the European Economic Area and to countries deemed "adequate". The Commission has commented that establishing a reciprocal adequacy decision with Japan will "create the world's largest area of safe transfers of data based on a high level of protection for personal data".
Both the EU and Japan are currently following internal procedures in order to finalise the agreement of this mutual adequacy decision. The EU must obtain approval from the European Data Protection Board as well as a committee made up of representatives of all member states.
Representatives from Amazon, Apple, AT&T, Charter, Google and Twitter presented arguments to the US Senate commerce committee supporting the introduction of new privacy laws. The US Congress is currently deliberating whether to implement new federal privacy legislation, which is significant since this issue has been the subject of deliberation and delay for the last decade.
However, the implementation of new federal privacy laws is still a long way off in the USA. Consumer voices have so far been sorely absent from this debate and so Congress has not yet been able to see the full picture. The chair of the Senate commerce committee, John Thune, acknowledged that there would be another hearing in which consumer voices would be heard.
Representatives before the committee were critical of some of the more restrictive elements of the GDPR and the newly implemented Californian privacy legislation. Instead, witnesses favoured a federal system that seeks to pre-empt existing and forthcoming state regulations.
The Financial Conduct Authority ("FCA") has imposed a fine of £16.4 million against Tesco Personal Finance Plc ("Tesco Bank") under the Financial Services and Markets Act 2000. This is due to Tesco Bank's handling of a cyber-attack that took place in November 2016. This incident was the first time the FCA has fined a regulated body as a result of a cyber-attack.
The cyber-attack involved the perpetrators obtaining Tesco Bank debit card details which then resulted in thousands of unauthorised transactions taking place. The Bank managed to stop 80% of transactions in their tracks, yet the incident still affected 8,261 Tesco Bank accounts. The unauthorised transactions amounted to £2.26 million.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, commented:
"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
The FCA found that the cyber-attack was "largely avoidable" and exposed customers to a high degree of actual, or potential, risk. Tesco cooperated fully throughout the FCA's investigation, a settlement agreement was reached and Tesco Bank has already fully compensated the customers affected.
See here for the FCA's notice to Tesco Bank.
The High Court has found that worldwide freezing orders ("WFO") should be made accessible to those who have been the target of cybercrime, in instances where the victim is bringing a claim against "persons unknown".
In CMOC v Persons Unknown  EWHC 2230 (Comm), CMOC Sales & Marketing ("CMOC") lost $8 million from its accounts as a result of a cyber-attack. The stolen money was dispersed across 19 jurisdictions into accounts with 50 banks. CMOC sought the WFO in order to freeze the bank accounts to which the money had been transferred, despite the fact that account owners could not be traced.
CMOC was granted a WFO against "persons unknown". Previously such injunctions had been restricted to situations involving online libel. The overseas banks had to freeze the assets of the individuals who held accounts where the allegedly stolen funds were contained, and reveal the identity of the alleged offenders in addition to the occurrence of any subsequent transfers.
The judgement will now need to be enforced in some 19 jurisdictions in order for CMOC to obtain the stolen funds.
His Honour Judge Waksman said the decision "reflects the need for the procedural armoury of the court to be sufficient" in order to confront the challenges posed by cybercrime.
In September 2018, 30 million Facebook accounts were hacked with personal data stolen from 14 million of them. The personal data taken included name, relationship status, religion, birthdate, workplaces, search activity and recent location check-ins.
Facebook has alerted those affected and informed them of what information has been taken. Facebook confirmed that they would not pay for an identity theft monitoring service for those affected by this hack, as companies who have suffered data breaches that affect customers sometimes do.
Facebook met the requirement under the GDPR of reporting the breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If any victims of this cyber-attack reside in the EU, fines under the GDPR could be triggered. The Irish Data Protection Commission has recently started to investigate Facebook's breach; Facebook has chosen that regulator as its "one-stop shop" for overseeing its compliance with the GDPR. Facebook may face fines of up to the higher of €20 million or 4% of global annual turnover under the GDPR.
Facebook has hit the headlines again as a result of a £500,000 fine issued against it by the ICO. In July, the ICO spoke of its intention to fine Facebook the maximum fine possible under the DPA 1998 for the part Facebook had to play in the Cambridge Analytica scandal (see our July bulletin here).
Confirming that a fine of £500,000 would be issued, the ICO said in a statement: "Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had."
Some of the personal data harvested was shared with Cambridge Analytica, which used it to target political advertising in the US during the most recent presidential election and in the UK in the run up to the Brexit referendum.
Had this data breach occurred since the implementation of the GDPR in May 2018, the ICO would have been able to fine Facebook up to the higher of €20 million or 4% of global annual turnover. Therefore, although £500,000 may not pose a significant financial threat to an organisation such as Facebook, fines for any future data protection law breaches for which Facebook is responsible could reach as much as $1.4 billion.
The ICO has commenced enforcement action against 34 organisations that have failed to pay the data protection fee. Unless an exemption applies, all controllers of personal data must pay an annual fee to the ICO.
The fee is set by the Government, which has a statutory duty to ensure the ICO is adequately funded, and goes towards funding the ICO's work including the introduction of new services such as an advice line, guidance and online resources. The amount of the fee depends on an organisation's size, turnover and whether the organisation is a public authority or has charity status.
The ICO has sent notices setting out its intention to fine the 34 organisations unless they pay the fee within 21 days. Organisations that do not subsequently pay could face a fine of up to £4,350.
The health insurance company Bupa has been fined £175,000 by the ICO for failing to have effective security procedures in place to protect customers' personal data, in breach of the DPA 1998. Between January and March 2017 an employee at Bupa offered for sale the personal information of 547,000 Bupa Global customers on the dark web.
The employee sent the data to his personal email account. The personal data included names, dates of birth, email addresses and nationality.
ICO Director of Investigations, Steve Eckersley, stated:
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
Bupa and the ICO received a total of 198 complaints about the breach. The employee was dismissed and a warrant has been issued for his arrest.
The ICO has fined Oaklands Assist UK Ltd £150,000 for making thousands of nuisance direct marketing telephone calls. Between May and July 2017, the Manchester firm made 63,724 calls to people registered with the Telephone Preference Service ("TPS"). The Privacy and Electronic Communications Regulations ("PECR") states that live telephone calls must not be made to any number registered with the TPS unless the person has specifically consented to receiving the call.
Fifty-nine complaints were made to the ICO, including: “Caller was extremely abusive when asked how they got our details. Used profane language when hanging up. The same number had also called on numerous other occasions, sometimes just a silent call, and then ring back within half an hour.”
The ICO found that Oaklands Assist deliberately broke the law and was "thoroughly uncooperative" with its investigation. The ICO has had to prevent Oaklands Assist UK Ltd being struck off the Companies House register in order to enable the regulator to enforce the sanction.
Heathrow Airport has been fined £120,000 by the ICO for failing to ensure the security of personal data held on its network. In October 2017, a member of the public found a USB stick that had been lost by an employee at Heathrow. The stick contained over 1,000 files that were not encrypted or password protected.
The USB stick only held a small amount of personal data; of particular concern, however, was a training video which contained the personal data of ten individuals including names, dates of birth, passport numbers and the details of several aviation security personnel at Heathrow. The USB stick was given to a newspaper, which took a copy of the data before returning the stick to Heathrow.
The ICO investigation additionally revealed that only 2% of the workforce at Heathrow had been trained in data security. Heathrow has taken steps to mitigate the breach including reporting the incident to the police, attempting to contain the incident and engaging an external specialist to monitor the internet and dark web.
Regulatory tribunal overturns ICO fine for failing to obtain opt-in consent when sending marketing emails
A fine issued by the ICO against the direct marketing company Xerpla Ltd has been overturned by the General Regulatory Tribunal for the first time in Xerpla Ltd v Information Commissioner  UKFTT 2017_0262 (GRC). In October 2017, the ICO fined Xerpla £50,000 for sending marketing emails to its subscribers without obtaining the necessary consent as required under the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). Under PECR, opt-in consent must be obtained from the email recipient prior to sending any direct marketing emails.
Between 6 April 2015 and 20 January 2017, Xerpla Ltd sent 1.26 million unsolicited direct marketing emails to its subscribers. Such emails promoted the products and services of third parties. The emails consisted of marketing information from various providers including providers of wine, dog food and boilers. Subscribers had been informed by Xerpla that by providing your details, "you consent to receive our email newsletters and offers from and on behalf of our offer partners and from other similar third party online discount/deal providers".
Although this case predates the stricter requirements for consent implemented under the GDPR, consent to receiving such marketing emails still needed to be "freely given, specific, and informed" under PECR. In 2017 the ICO found that consent had not been sufficiently informed and that this was enough to warrant a financial penalty.
However, the tribunal dismissed the opinion of the ICO and held that Xerpla's subscribers had "consented to, and knew they were consenting to, the direct marketing of third party offers for all kinds of products and services…that is why they subscribed". The tribunal felt that it was obvious what subscribers were consenting to, taking into account the marketing services offered by Xerpla.
The tribunal also considered the fact that only 14 complaints had been made to the ICO, amounting to less than 0.0012% of the 1.26 million emails sent to subscribers, therefore implying that the majority of subscribers were content with receiving the marketing emails. The small number of complaints combined with the nature of the services Xerpla was providing as a direct marketing company were enough to convince the tribunal that adequate consent had been obtained under PECR and that the penalty issued by the ICO should be overturned.
See here for the full judgement.