Data Protection update - October 2021

Data Protection update - October 2021

Welcome to our Data Protection bulletin, covering the key developments in data protection law from October 2021.

Data protection

Cyber security


Civil litigation

Data protection

ICO response to proposed data protection reforms

On 7 October 2021, the Information Commissioner's Office ("ICO") published its response (the "Response") to the proposals by the Department for Digital, Culture, Media and Sport ("DCMS") contained in the consultation "Data: A New Direction" (the "Consultation"). We discussed the proposals in the Consultation in our September update here. In general, the Response supports the proposals in the Consultation and DCMS' intention behind them on the basis that the data landscape has changed significantly since the introduction of the Data Protection Act in 2018. 

The Response contains detailed consideration of key areas of the Consultation, some of which we set out below:

Scientific research: The ICO agrees that further clarity is required in relation to the processing of personal data for scientific research, in particular the re-purposing of personal data. The Consultation identifies the difficulties faced by organisations in order to marry the "broad consent" required for research purposes and the general meaning of consent (freely given, specific, fully informed and unambiguous) under UK Data Protection law. The Response confirms the ICO's view that where consent is the lawful ground for processing personal data, data subjects should retain control over the re-use of their personal data. Reforms in that area, the Response says, should be to give people confidence about data re-use through adequate transparency and consideration of rights and freedoms.

Cookies and Direct Marketing

The Response addresses the Consultation's proposal regarding reform of the cookies regime under the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The ICO supports the Consultation proposal to remove the requirement to obtain consent for analytics cookies, however the Response does suggest appropriate safeguards should be retained. The ICO also supports the Consultation's proposal to increase the fines which can be imposed under PECR to match the level of the UK GDPR. On cookie banners themselves, the ICO cautions against the Consultation's proposal to remove them completely and has urged the DCMS to consider the pros and cons of legislating against the use of cookie walls.

Trade and data flows

The ICO welcomes the proposal in the Consultation that adequacy decisions should be "with a focus on risk-based decision-making and outcomes". However, the ICO points out that any new approach to granting adequacy should continue to ensure the existing high standards of data protection in place in the UK. 

The Consultation included a proposal to empower organisations to create their own transfer mechanism under Article 46 of the UK GDPR, but this is met with concern by the ICO. The Response says that DCMS should give consideration to risk-based oversight of these mechanisms in order to manage the risks involved. This may mean some regulatory oversight for organisations with the sort of complex data transfer requirements for which the existing mechanisms, such as standard contractual clauses, are not an effective way of safeguarding the transfer.

The Response also comments that the "devil will be in the detail" in reference to the importance of maintaining individuals' rights alongside minimising burdens for business and safeguarding the independence of the regulator.

Delivering better public services

The Response identifies the importance of genuine public interest (as already permitted under the current law) with respect to the Consultation's proposal regarding reliance on "public interest" for companies which carry out data processing on behalf of public authorities.

Reform to the ICO

The Response highlights a key concern around the ICO's independence in respect of the proposals in the Consultation. In particular, the Response identifies that the power of the Secretary of State to approve or reject codes of practice and complex or novel guidance may represent a challenge to the ICO's independence. 

The Response is a significant reaction to the Consultation, which closes on 19 November 2021 and which can be seen here.

Data sharing code of practice comes into force

The ICO's new statutory Data Sharing Code of Practice (the "DS Code"), which we reported on in our January update and our May update, came into force on 5 October 2021. 

The ICO has stated:  "We have written this Data Sharing Code to give individuals, businesses, and organisations the confidence to share data in a fair, safe, and transparent way in this changing landscape." The DS Code covers issues including:

  • the standards required for data-related M&A transaction processes, such as due diligence;
  • the importance of fairness and transparency along with respecting data subjects' rights;
  • recommendations for businesses that trade data; and
  • data transfers in emergencies.

The DS Code is a statutory code of practice and therefore the ICO must take account of the DS Code when consider whether a data controller has complied with its obligations when sharing personal data. The courts must also take the DS Code into account and it can be used as evidence in court.

Hong Kong's new anti-doxxing regime

In Hong Kong in recent times, a number of high-profile police officers, judges, government officials and their family members have had their privacy rights violated when their personal information has been posted on the internet. This act has become known as 'doxxing' and can be very harmful to the victims.

The current statutory regime under the Personal Data (Privacy) Ordinance that seeks to punish the non-consensual disclosure of personal data has largely failed to criminalise these types of acts. Please take a look at our note which takes a deep-dive into the regime and which considers the moves that the Hong Kong Government is taking to outlaw and prevent such behaviour.

ICO publishes second draft chapter of anonymisation guidance

The ICO has now published the second draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance (the "Draft Guidance"). As we reported in our June update, the Draft Guidance is intended to clarify the key issues to be considered by organisations to ensure effective anonymisation techniques.

This second chapter focusses on identifiability and why that matters when ensuring the effectiveness of anonymisation. The Draft Guidance explains that identifiability should not be viewed as a binary but rather as a sliding scale, with information which is clearly personal data at one end of the range and truly anonymous data at the other. In the middle is information which may be identifiable depending on the circumstances and the time of processing. 

According to the Draft Guidance, the three key indicators for determining whether information is personal data or not are:

  • Singling out, which means being able to distinguish one individual from another in a dataset;
  • Linkability, which means being able to combine multiple records about the same individual together; and
  • Inferences, which means being able to predict, deduce or guess details about someone using information from various sources.

    In considering these factors, the Draft Guidance confirms that data controllers should take account of the "means reasonably likely to be used" and factor in the time and cost required to identify individuals and the technological difficulty as persisting over time. 

    The call for views on the Draft Guidance is open until 28 November and can be accessed here.

    ICO releases opinion on age assurance and the children's code

    The ICO published an opinion on 14 October 2021 (the "Opinion") regarding the application of the "Children's Code" (formally known as the Age Appropriate Design Code), which came into full effect on 2 September 2021 (the "Code") to Information Society Services ("ISS"). The Opinion sets out how the ICO expects ISS to meet the age-appropriate application standard in the Code. The ICO has called for evidence to be submitted to them by 9 December 2021 in relation to the Opinion. Both the Opinion and the call for evidence can be found here.

    The Opinion clarifies how organisations should approach "age assurance" in compliance with UK data protection law. Age assurance refers to assurance that children cannot access inappropriate content when using ISS and is achieved by the ISS estimating or establishing the age of a user. The benefit of age assurance is to reduce or eliminate the risks to children posed by accessing ISS online. However, there are potential data protection risks of age assurance, including: it being potentially intrusive, introducing bias and inaccuracy, and the fact that some methods can be circumvented (e.g., a child logging into their parent's account to complete account confirmation).

    The Opinion outlines that an assessment of the level of data protection risk to children of age assurance should be done (via a Data Protection Impact Assessment ("DPIA")) when determining the age-appropriate application required by the Code. Where there is high-risk processing such as large-scale profiling of children, tracking of children, or invisible processing of children's personal data, the DPIA may produce the result that the ICO should be consulted prior to the commencement of the ISS activity in line with Article 36 of the UK GDPR.

    Cyber Security

    Financial Stability Board calls for common breach-reporting standard

    The Financial Stability Board ("FSB") has published a report on the current approaches to cyber breach reporting and the further action required to achieve broader convergence in the reporting of such breaches.

    The FSB's report acknowledges that cyber breaches are becoming more frequent and sophisticated and suggests that this is a result of the digitalisation of financial services and the increase of the usage of third-party service providers.

    The FSB found that across jurisdictions and sectors there is divergence in terms of what needs to be reported, the methods of considering the cyber breach, when the breaches should be reported, and what happens to the information about the cyber breach. In practical terms, financial service institutions may have a single method of reporting cyber beaches across the global business. Given the global spread of the organisations, they may be subject to a variety of reporting requirements, potentially for a single cyber incident, which have nuances that may not be picked up by the "heterogeneous information" which can be reported. This could put response and recovery actions at risk.

    The FSB's report says that harmonising the regulatory reporting of cyber incidents would promote financial stability through: developing a common understanding of these incidents; supporting supervision of the incidents; and facilitating the sharing of information about these incidents. The FSB says that by the end of 2021 it will develop a detailed plan to take this work forward.

    ICO ends consultation on incident reporting thresholds

    As we reported in our August update, the ICO opened a consultation on the Network and Information Systems (the "NIS Consultation") and the potential approaches to incident reporting thresholds for digital service providers ("DSPs") following the UK leaving the EU. Currently, under the thresholds set by the NIS Regulations 2018 and the European Commission Implementing Regulation 151/2018 (the "Implementing Regulation"), a DSP must consider the following factors when determining whether the impact of an incident is substantial:

    In addition, the DSP must identify a ground under Article 4 of the Implementing Regulation, which provides situations where the incident will be considered substantial. These include: the service being unavailable for over five million user-hours; the incident has resulted in the loss of integrity, authenticity or confidentiality of processed data affecting over 100,000 users; the incident has created a risk to public safety or loss of life; or the incident has caused material damage of over a million EUR. If one of these grounds can be made out then the DSP should make a report under the Implementing Regulation to the ICO.

    The NIS Consultation proposes to amend requirements applicable to DSPs to remove this Article 4 ground requirement. This would mean that DSPs would, instead, have to regard incident thresholds set by the ICO in forthcoming guidance. The NIS Consultation closed on 14 October 2021. 


    ICO issues Monetary Penalty Notice to HIV Scotland

    The ICO has fined HIV Scotland £10,000 in relation to a data breach where an email was sent to 105 people, including patient advocates representing people living with HIV in Scotland, in which the email addresses were visible to all recipients, permitting assumptions to be made regarding individuals' HIV status. The ICO's investigation into the incident revealed deficiencies in HIV Scotland's data protection policies and procedures, including inadequate staff training, inappropriate methods of sending bulk emails by blind carbon copy ("BCC") and an inadequate data protection policy. The investigation also revealed that less secure BCC methods were still being used seven months after HIV Scotland had recognised the risks attendant in its email distribution systems.

    Increase in GDPR fines in Q3 2021

    Data gathered by Finbold indicates that total fines for breaches of GDPR issued by EU Supervisory Authorities in the third quarter of 2021 amounted to just over $1.1 billion, which is 20 times higher than the combined total of the first and second quarters in 2021 and triple the total amount of fines issued in 2020. The increase in fines serve as a stern warning regarding the increasing volume and scale of enforcement action across the EU, although the overall number is likely to have been skewed by the size of the fine of €746 million which Amazon recently received.

    Amazon appeals data fine

    As we previously reported here, Amazon is facing a fine of €746 million from the Luxembourg National DPC. It has now been confirmed that Amazon filed an appeal in respect of this fine on 15 October 2021, and we now await the outcome.

    Irish regulator proposes fine of €36 million

    Ireland's Data Protection Commission (the "DPC") has proposed a fine of between €28 million and €36 million in respect of one of multiple investigations it has opened into Facebook's conduct. In the instant investigation, which arose out of a complaint by privacy campaigner Max Schrems, the DPC considered the extent to which Facebook complied with transparency requirements in GDPR in respect of its processing in its terms and conditions (which the DPC considered it did not).

    Somewhat surprisingly, the DPC is of the view that by re-labelling its terms and conditions as a 'contract', to which it required users to consent, Facebook is entitled to rely on the contract basis for lawful processing under Article 6 GDPR, which is the approach it adopted following GDPR coming into force in May 2018.

    As Mr Schrem's notes: "[i]t is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabelling the agreement on data use as a 'contract'. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent".

    It remains to be seen whether this decision, like the DPC's decision in relation to WhatsApp, fails to survive the scrutiny of other Supervisory Authorities, and, if necessary, the EDPB, which seems very likely to dispute the DPC's interpretation of relevant provisions of GDPR.

    Given Facebook's primary revenue source is advertising revenue deriving from processing its users' data, it is at significant risk of very substantial fines, and civil litigation, if the DPC's finding on the 'contract' issue is overturned.

    Road toll company fined by Norwegian DPA

    In October 2019 the Norwegian Data Protection Authority ("NDPA") commenced an investigation into a road toll company, Ferde AS ("Ferde"), for transferring personal data to a data processor in China.

    It was held that Ferde had breached: (1) Article 28(3) GDPR for failing to have a compliant data processing agreement with the data processor in place; (2) Article 32(2), Art 5(1) and Art 5(2) GDPR for failing to conduct a risk assessment in relation to the data transfer; and (3) Article 44 GDPR for failing to have a compliant transfer mechanism in place for the transfer of personal data to a third country.

    The NDPA's investigation revealed a number of flaws in Ferde's privacy and data protection practices, which included: (1) an undated data processing agreement; (2) an undated risk assessment in respect of the data processor's use of data; and (3) whilst the European Commission standard contractual clauses for the transfer of personal data to third countries had been signed, it was undated and likely not in place during the period in which the relevant transfers took place.

    Twitter fined by Irish regulator

    The DPC imposed a fine of €450,000 on Twitter International Company, Twitter Inc's Irish operating company, for breaching Articles 33(1) and 33(5) GDPR, arising out to failure to notify a data breach to the DPC promptly and failure to adequately document the breach. The DPC commenced an inquiry in January 2019 following receipt of a breach notification on 9 January 2019. The inquiry revealed that the DPC ought to have been made aware of the breach by 3 January 2019 at the latest.

    Civil litigation

    Lloyd v Google judgment expected imminently

    The Supreme Court has announced that judgment in Lloyd v Google will be handed down at 9:45 on Wednesday 10 November 2021.

    The Supreme Court's highly anticipated decision is likely to be very significant from the perspective of the ability to pursue collective redress arising out of breaches of data protection law.

    If the Supreme Court rejects Google's appeal from the Court of Appeal's decision (which we covered in detail here), we expect to see a raft of further representative claims in relation to high profile data breaches and other breaches of data protection law, in addition to the claims which have already been issued and stayed pending the Supreme Court's decision against Facebook, Marriott International, Salesforce and Oracle, and TikTok, amongst others.

    Court strikes out claim on the basis that no actionable loss had been suffered

    In Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) Master McCloud dismissed the Claimants' claims for damages for distress arising from the Defendant law firm accidentally sending an email about outstanding school fees to the wrong person summarily and ordered the Claimants to pay the Defendant's costs on the indemnity basis.

    In her judgment, Master McCloud noted:

    "What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied… In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial."

    Update to immigration exemption

    As we previously reported, in May 2021, the immigration exemption in para 4 of Schedule 2 of the Data Protection Act 2018 was deemed to be unlawful by the Court of Appeal for failure to comply with Article 23(2) of the GDPR. It was also held that the question of relief would be decided in a subsequent hearing, and this hearing was held on 8 October 2021.

    The Court ruled that the declaration of the unlawfulness of the exemption would be suspended until 31 January 2022. The reasoning behind this is to allow the Government until the end of January 2022 to introduce legislation amending the exemption, with a view to avoiding harm to the public interest. If the Government fails to do so, then the exemonption would be disapplied from 31 January 2022.

    Footballers threaten legal action for "GDPR violation" of performance data

    As we previously reported, 850 professional football players have threatened to take legal action against companies which they allege have unlawfully processed personal data relating to their performance over the past six years, in breach of the GDPR. Such data includes statistics such as goals-per-game and information pertaining to a players' physique and attributes, which are collated and used by various betting and entertainment firms. It is alleged that such data has been collected without the players' consent, and the players have not received any payment for the unlicensed use of this data. It is estimated that more than 150 companies have misused this type of data. If the claim succeeds, it is likely to have significant ramifications for the sports data industry.

      • The number of users affected by an incident, including users relying on the service for their own services;
      • Duration of the incident;
      • Geographical impact of the incident;
      • Extent of disruption of functioning of the service; and
      • Extent of impact on economic and societal activities