Data Protection update - September 2019
Welcome to the September 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Divisional Court backs use of automated facial recognition software
- Swedish DPA issues its first GDPR fine against school for improper use of facial recognition technology
- Gatwick set to become first UK airport to permanently use facial recognition technology for ID checks
- Google backed by ECJ in "right to be forgotten" case
- YouTube ordered to pay £138.5 million to the FTC for alleged illegal collection of personal data from children
- ICO investigating collection of personal data on gov.uk website
- ICO publishes no-deal Brexit guidance for small and medium sized organisations
- ICO publishes updated guidance on manifestly unfounded and excessive requests
- Apple fires back at Google report over iPhone security flaws
- Authorities arrest 281 alleged BEC scammers in 'Operation reWired' campaign
- 1.5 billion Google Calendar users exposed to fake invite scam
- UK team trials cyber security tech for driverless cars
- EIOPA report on cyber risk challenges and opportunities
- Criminal investigation launched following college cyber attack
- Woman, 21, accused in alleged cyber fraud of superannuation and share accounts
- Superior Style Home Improvements Ltd issued with monetary penalty notice and enforcement notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads
- ICO issues warning over staff retaining historical data
Divisional Court backs use of automated facial recognition software
The Divisional Court of England and Wales has dismissed a challenge to South Wales Police’s (“SWP”) use of Automated Facial Recognition (“AFR”). SWP carried out a pilot scheme, “AFR Locate”, whereby CCTV was used to capture images of members of the public, with the biometric data extracted from these images then being run against a watchlist database of individuals known to the police; the biometric data of anyone not matched against the watchlist was deleted immediately.
Judicial review proceedings were brought on the basis that this use of AFR was unlawfully intrusive, with SWP alleged to have breached: (1) Article 8(1) ECHR; (2) data protection legislation (the DPA 1998 and DPA 2018); and (3) the Equality Act 2010 (which will not be addressed here).
As to (1), the Court held that there was an interference with the claimant’s rights under Article 8(1), but that SWP’s use of AFR was proportionate and struck a fair balance. Central to this finding were the following factors: (i) AFR was deployed in an open and transparent way; (ii) it was used for a limited amount of time and covered a limited area; and (iii) it was used for a specific and limited purpose of identifying individuals whose presence in the area was of justifiable interest to the police.
As to (2), the Court employed similar reasoning to that used in (1) to find that SWP’s processing of biometric data did not contravene the first data protection principle under the DPA 1998. The processing was also deemed to be justified under s.35 DPA 2018.
Swedish DPA issues its first GDPR fine against school for improper use of facial recognition technology
In a decision which went the other way, the Swedish DPA has issued its first GDPR penalty by fining a school SEK 200,000 (around £16,500) for its use of facial recognition technology to automate the registration process. The penalty was based on contraventions of: (1) the purpose limitation principle in Article 5 GDPR (on the basis that registering attendance could be achieved in less intrusive ways); (2) Article 9 GDPR (on the basis that neither consent nor a substantial public interest could be relied upon in these circumstances as a lawful basis for processing); and (3) Articles 35 and 36 GDPR (no data protection impact assessment was undertaken and the Swedish DPA were not consulted).
Whilst clearly based on differing factual matrices, the Swedish DPA’s decision and that of the Divisional Court above are worth considering in tandem, if only to highlight the importance of proportionality considerations in assessing the use of intrusive technology (here, crime prevention vs school register automation).
Gatwick set to become first UK airport to permanently use facial recognition technology for ID checks
Continuing the facial recognition theme, Gatwick Airport has announced that it will be rolling out self-boarding technology to eight departure gates at its North Terminal in 2022. Trials undertaken last year prompted concerns as to passenger consent, and these concerns will no doubt intensify as the implementation date nears.
Google backed by ECJ in "right to be forgotten" case
The ECJ has clarified the geographical scope of the “right to be forgotten” principle by finding that the delisting of Google search results containing information in relation to EU citizens should only apply in the EU’s 28 member states, not globally.
Google introduced a geo-blocking feature in 2016 which prevented European users from seeing delisted results, but refused to censor search results in this way for users outside the EU. In doing so, it resisted the French regulator CNIL’s calls for the right to be forgotten to be enforced globally.
As well as the finding regarding territoriality, the court stressed that the right to be forgotten was not an absolute right; it had to be balanced against other rights, including the right of access to information.
YouTube ordered to pay £138.5 million to the FTC for alleged illegal collection of personal data from children
Google has been fined $170 million as part of a settlement agreement with the Federal Trade Commission and New York’s attorney general for collecting and using children’s personal data without their parents’ consent. The fine is the largest imposed by the FTC in a children’s privacy case, but is dwarfed by the $5 billion settlement between the FTC and Facebook in July this year (see our earlier item, “Facebook in the news again over repeated breaches; Turkish watchdog imposes fine”).
The use of children’s personal data online is firmly on the agenda of regulators in the UK, too, with the ICO having sought public feedback earlier this year on an age appropriate design code for online services.
ICO investigating collection of personal data on gov.uk website
The ICO has contacted the government in connection with the collection of personal data on the Gov.uk website in order to “fully understand its approach to compliance with data protection law and whether any further action is necessary”.
Documents leaked earlier this month appear to show that Boris Johnson told members of the EU exit operations (“XO”) committee that the Gov.uk website should serve “as a platform to allow targeted and personalised information to be gathered, analysed and fed back actively to support key decision-making – in effect, focused on generating the highest-quality analytics and performance data to support exit operations”. No.10 adviser, Dominic Cummings, stressed that this was a “top priority” in a subsequent email to senior officials.
ICO publishes no-deal Brexit guidance for small and medium sized organisations
The ICO has published updated no-deal Brexit guidance aimed at small and medium sized organisations. The guidance largely mirrors previous ICO advice on maintaining data flows, with minor amendments made to make it more relevant for smaller organisations.
ICO publishes updated guidance on manifestly unfounded and excessive requests
The ICO has also published updated guidance on what constitutes a “manifestly unfounded” and/or “excessive” data subject request. The guidance suggests that a request may be “manifestly unfounded” if an individual: (i) has no intention to access the information; or (ii) is malicious in intent; or (iii) is using the request to harass an organisation. A request may be deemed “excessive” if it: (i) merely repeats a previous request without a reasonable interval elapsing; or (ii) overlaps with other requests.
These updates follow recent amendments (see our earlier item, “ICO confirms timescales for responding to a SAR”) made to the guidance on how to calculate the “one month” time period for responding to data subject requests.
Apple fires back at Google report over iPhone security flaws
Apple has responded to a Google report which found that malicious websites had been exploiting iPhone security flaws to compromise visitors’ devices and steal personal data, including text messages, photos and contacts. Apple said that the attack Google described was narrow and affected fewer than a dozen websites focused on content related to the Uighur community, and that it was therefore not the large-scale exploitation of iPhones “en masse” that, in Apple’s words, Google had falsely described. Apple’s statement thus confirmed that the vulnerabilities were real while challenging Google’s framing of their scale. For practitioners, the narrowness of the targeting does not reduce the severity of the flaws themselves: the same exploit chains would have worked against any iPhone running the affected iOS versions, so the lesson is to keep devices patched rather than to take comfort from not being in the targeted group.
Authorities arrest 281 alleged BEC scammers in 'Operation reWired' campaign
Business Email Compromise (BEC) involves scammers impersonating an executive, supplier or colleague by email in order to trick employees into transferring large sums of money by wire payment. These attacks usually target employees with access to company funds, who are identified from large databases of employee contact details. The four-month investigation, dubbed Operation reWired, has resulted in 72 arrests in the U.S. and 167 in Nigeria, with further arrests in Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia and the U.K. Law enforcement also seized $3.7 million in assets. The operation shows the Department of Justice stepping up aggressive enforcement action against fraudsters who target American citizens and their businesses.
1.5 billion Google Calendar users exposed to fake invite scam
Google has said it is “working diligently” to fix a major flaw that allows scammers to place unwanted entries in a person’s Google Calendar through unsolicited email invites. The scam abuses a default setting that automatically adds invitations to a user’s Calendar when they arrive by email, whether or not the user has accepted them; the resulting calendar entries carry links which, if clicked, lead to an official-looking page requesting personal and financial details. The fake invite scam was first reported in 2017 and affects an estimated 1.5 billion Gmail users, yet Google is only now addressing the issue. It would therefore appear Google is finally taking this threat more seriously. In the meantime, users can reduce their exposure in Google Calendar’s settings by changing “Automatically add invitations” to “No, only show invitations to which I have responded” and by switching off “Show declined events”, so that spam invites neither appear automatically nor linger once declined.
UK team trials cyber security tech for driverless cars
Researchers at the University of Warwick have demonstrated a number of innovations that they claim could improve the security and safety of connected and autonomous vehicles (CAVs). With autonomous vehicles expected to become ever more widespread over the coming years, the security of the connected systems that underpin much of the technology is a major priority for researchers. Professor Carsten Maple, commenting on the research, said: “The cybersecurity of CAVs is key to make sure that when the vehicles are on the roads, the data is trustworthy and that vehicle communications do not compromise privacy. We tested four innovations…and being able to apply them to the real world is the first major step in testing security of CAV systems”.
EIOPA report on cyber risk challenges and opportunities
On 17 September 2019, EIOPA published a report on the challenges and opportunities for insurers arising from cyber risk. The report follows an EIOPA report on understanding cyber insurance published in August 2018, which concluded that the need for a deeper understanding of cyber risk was the core challenge for the European cyber insurance industry. The latest report provides an overview of cyber risk as part of the risk profile of insurers from the operational risk perspective, as well as the challenges and opportunities for the European cyber insurance market. It is based on the responses of 41 large (re)insurance groups across 12 European countries to an EIOPA questionnaire. Interestingly, EIOPA found that the most common cyber incidents affecting insurers are phishing mail, malware infections, data exfiltration and denial of service attacks, and that the main consequences for insurers are business interruption and material costs for policyholders and third parties.
Criminal investigation launched following college cyber attack
Cyber criminals have gained unauthorised access to the personal data, and potentially the bank details, of past and present students and staff at Swindon College. The number of those affected has not been confirmed. The breach has been reported to the Information Commissioner’s Office and the National Crime Agency, although the cyber-attack is being investigated by officers from Wiltshire Police’s investigations unit rather than by the agency. Enquiries are ongoing. Meanwhile, the Education and Skills Funding Agency (ESFA) has released guidance for colleges saying they should ensure they have firewalls, strong passwords and anti-virus software in place.
Woman, 21, accused in alleged cyber fraud of superannuation and share accounts
A 21-year-old woman from Melbourne has been accused of being part of a syndicate which used stolen identity information to drain millions of dollars from multiple accounts. Authorities have been investigating the cybercrime for more than 12 months. The woman is alleged to have purchased identity information, along with SIM cards and fake email accounts, from a dark net marketplace in order to achieve “identity takeover”. These identities, which mimicked real people without their knowledge, were used to open accounts at various domestic banking institutions; the syndicate then stole funds from victims’ superannuation and share-trading accounts holding stock in ASX-listed companies and siphoned the money into those accounts. The consequences of the breaches have been far-reaching.
Superior Style Home Improvements Ltd issued with monetary penalty notice and enforcement notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads.
The Information Commissioner’s Office has fined a Swansea double-glazing company £150,000 for making nuisance calls. Superior Style Home Improvements Ltd called people over an 11 month period whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them. The ICO has also issued an Enforcement Notice warning them to stop making the calls. Dave Clancy of the ICO’s investigations team said “Companies engaged in this illegal activity should take note, we will take action against those that continue to disregard the law around electronic marketing via phone calls, emails and text messages… Company directors should also be aware that they can now be made personally liable for fines that we issue”.
ICO issues warning over staff retaining historical data
The Information Commissioner’s Office has warned employees that they could face prosecution for deliberately keeping hold of “historical personal data” after changing jobs. The warning follows the ICO’s decision not to take enforcement action against two police officers who had been interviewed by the media about a historical case they had worked on involving an MP. That case was investigated under the previous legislation, the Data Protection Act 1998, but the law has since been strengthened through the Data Protection Act 2018 (s.170), which adds a new offence of knowingly or recklessly retaining personal data without the consent of the data controller. The ICO is advising anyone dealing with the personal details of others in the course of their work to take note of this change in the law, especially when employees are retiring or moving to a new job.