Data Protection update - September 2021

Data Protection update - September 2021

Welcome to our Data Protection bulletin, covering the key developments in data protection law from September 2021.

Data protection

Cyber security


Civil litigation

Data protection

UK Government launches Data Protection Consultation: Data: A New Direction

The UK's Department for Digital, Culture, Media & Sport ("DCMS") issued a consultation (the "Consultation") (Data: A new direction) on suggested reforms to the UK's data protection regime following Brexit. The stated aim is to "create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data". It considers the following broad areas: innovation; burden of compliance and improving outcomes; trade and data flows; improving public services; and reform of the Information Commissioner's Office ("ICO"). 

The key points flowing from the Consultation are proposals to:

  • Eliminate the balancing test associated with the "legitimate interests" ground for processing in several areas, in favour of certain "pre-approved" interests;
  • Lower the compliance burden on organisations by: introducing a materiality threshold for mandatory reporting of data breaches to the ICO; (re)introducing a fee regime for making Data Subject Access Requests ("DSARs") and a costs threshold for response; and removing the requirement for organisations to obtain consent for the use of analytics cookies;
  • Empower organisations to be flexible in their transfer mechanisms to countries where no adequacy decision exists; and
  • Make changes to the ICO's structure and operation, including increasing enforcement powers for direct marketing in line with UK GDPR, such that PECR fines are no longer limited to £500,000.

Innovation and legitimate interests

The Consultation invites responses on the theme of improving innovation to enable greater use of new technology. The theme of the changes is to clarify how the research-related basis for processing personal data can be made out. One of the key challenges DCMS identifies with current DP legislation is that organisations find it difficult to marry the "broad consent" which can be given for research purposes and the general meaning of consent (freely given, specific, fully informed, and unambiguous). The Consultation says that an over-reliance on the consent ground has led to "consent fatigue" among data subjects. To deal with this, the Consultation proposes consolidating a number of research-specific provisions (such as the "research purposes" basis for processing and the re-use of data) into one set of provisions. 

Under the proposal in the Consultation, legitimate interests would be made easier to rely on as a legal basis for processing. A list of pre-approved legitimate interests for businesses would be provided, which an organisation would not need to balance against an individual's rights in order to rely on one of those interests as the basis for processing personal data. Notably, the list includes audience measurement cookies for service users' devices and the use of personal data for research and development to improve services as legitimate interests for which no balancing test would be needed.

Two other changes worth considering are: adjusting the safeguards around automated decision-making under Article 22 of the UK GDPR to remove the human oversight requirement, in favour of a "legitimate interest" test for the use of automated decision-making; and creating a new test for determining whether data will be regarded as anonymous on the basis of the actual risk of re-identification based on the means available to the particular data controller (as in the Court of Justice of the European Union's decision in Breyer v Germany C-582/14 EU:C:2016:779).

Burden of compliance: accountability framework

The Consultation makes a large number of proposals that aim to ease "disproportionate" compliance burdens on organisations. 

One of the key areas is removing the UK GDPR's accountability framework and replacing it with a "privacy management programme" ("PMP"), tailored to the processing activity. This would mean changes including removing the requirement to designate a data protection officer ("DPO"), to carry out a data protection impact assessment ("DPIA") and to keep a record of processing activities ("ROPA"). 

These changes appear significant. However, in practice, the PMP may have to cover a lot of the same ground as the existing accountability framework. The key difference is that the PMP would emphasise a 'risk-based' approach with respect to the volume and sensitivity of the data being processed. Instead of a DPO, the PMP must fall under a "delegated individual's" remit and includes policies and procedures around data protection that would largely be equivalent to DPIAs and ROPAs, but with a degree more flexibility. The Consultation leaves it up to organisations to consider their own needs around the PMP, including removing the prescriptions for the qualifications that the responsible individual must have. It's unclear how much of a change the PMP would be to the existing accountability framework (including the DPO role) so it will be interesting to see what the outcome of the Consultation is in this respect. Multi-national organisations that are subject to both the EU and the UK GDPR will have a limited ability to change their existing accountability framework in any event.

Burden of compliance: DSARs and PECR

There are a few proposals in the Consultation aimed at dealing with specific concerns which organisations have in relation to data subjects' rights. Firstly, the Consultation proposes increasing the threshold for mandatory reporting of breaches to the ICO by mandating reports to the ICO only where a breach is "material". This is designed to reduce unnecessary over-reporting of data breaches. 

Secondly, the Consultation proposes a couple of changes to how an organisation should handle DSARs: introducing a fee regime, similar to the previous £10 charge to make a DSAR; creating a costs ceiling whereby any private or public body would not need to respond to a DSAR to the extent that the cost exceeds a certain limit (the details of which are only hinted at, but the Freedom of Information Act costs limit of £600 for central government and £450 for other public authorities is mentioned); and permitting refusal of a DSAR on the grounds that it is a "vexatious request" that is "likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation when the context and history of a request are taken into account". That change would aim to address the use of DSARs to apply pressure on an organisation, in particular when a potential dispute is in prospect or in process. Controllers may also be permitted to take into account whether a DSAR is being used for early disclosure when considering their response.

Thirdly, the Consultation proposes changes to the cookies regime under the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). It proposes removing the requirement to obtain consent for analytics cookies and permitting websites to use "legitimate interest" cookies without obtaining consent for limited purposes. Interestingly, removing the requirement for consent around analytics cookies could bring the UK in line with the French regime for certain analytics cookies, which, as discussed later in this bulletin, has been found to be largely successful. The Consultation also proposes bolstering the possible fines for breaches of PECR up to the GDPR levels of 4 per cent. of global turnover or £17.5m. The ICO has previously issued the maximum possible fine (£500,000) under the PECR (see our February 2020 bulletin, for example) and regularly issues fines near the top end of it (see our March 2021 bulletin, for example). Therefore, it is likely that enforcement action in this area would become more financially potent.

Trade and data flows

The Consultation details that it would like adequacy decisions to be "risk-based and focused on outcomes", rather than a "largely textual comparison of another country's legislation" considering "academic or immaterial" risks. This proposal could see a large number of countries, which currently an organisation must take additional compliance steps to send data to, added to the adequacy list which would enable cross-border data flows. This follows the announcement from DCMS that "adequacy partnerships" are lined up with a number of countries (including the US).

A key change in the proposals is the idea of empowering organisations to create, or identify their own, alternative transfer mechanism in addition to those under Article 46 of the UK GDPR. That could benefit organisations with complex data transfer requirements for which the existing suite of mechanisms, such as the Standard Contractual Clauses ("SCCs"), are not an effective way of safeguarding a data transfer. 

Another important change is the proposal to exempt "reverse transfers" of personal data back to its sender in a third country from the scope of the UK GDPR international transfers requirements.

Delivering better public services

A proposal from the Consultation which will be of interest to companies which carry out data processing on behalf of public authorities is to allow them to rely on the "public interest" basis for processing that many public authorities use. This would eliminate the need for the balancing assessment of the processing as against the individual's rights.

Reform to the ICO

There are a number of reforms proposed for the operation and make-up of the ICO. The theme of these reforms is to focus on outcomes, rather than being prescriptive about how those outcomes will be achieved. The reforms include creating a set of strategic directives for the ICO to fulfil, alongside an overarching objective. There is a new governance model proposed, which mirrors the structure of other regulators such as the FCA, Ofcom and Ofgem. 

There are also changes proposed to make the ICO more business-friendly and eliminate some of the operational burdens which, the Consultation argues, will create a "clearer mandate for a risk-based and proactive approach". These include a new duty on the ICO to have regard for economic growth and innovation in discharging its function. 

There is an operational change proposed in that complainants must attempt to resolve matters with a controller prior to complaining to the ICO, and the ICO should put in place criteria as to whether to investigate a given complaint. To sit alongside this, companies should have a simple and transparent complaints-handling process to try and alleviate some of the complaints that the ICO receives.

The Consultation ends on 19 November 2021 and further information about how to respond can be found here.

DIFC Consultation Paper

The Dubai International Financial Centre ("DIFC") Commissioner's Office has published a consultation paper ("CP") to seek responses to some updated guidance materials. The CP explains that in order to achieve an adequacy decision under the UK GDPR, the GDPR and other global data protection laws, the DIFC needs to be consistent with those international approaches. In order to ensure data flowing between these jurisdictions, the DIFC has proposed the updated guidance to "promote familiarity for businesses within the DIFC". 

The updated guidance materials cover:

  • revisions to the data export guidance, in the form of a handbook, assessment tools and webpage ("DEG");
  • revised data export SCCs;
  • adequacy decisions standards and process;
  • Binding Corporate Rules processes; and
  • Ethical Data Management Index research and methodology.

The DEG was created to provide a "simple, direct output to share guidance" and can be found here on the DIFC's new data protection website.

The deadline to respond to the DP has now passed (26 September 2021) and we expect responses to be published in due course.

UK ICO calls on G7 countries to tackle cookie pop-ups challenge

The UK Information Commissioner ("IC") chaired a virtual meeting with the G7 authorities in September to highlight her vision of how cookie consent pop-ups should be set in order to give people meaningful control over their personal data. The IC noted that many people automatically selected "agree" when presented with cookies pop-ups on the internet, which, potentially, meant that people did not have meaningful control over their data. She explained that the "fatigue [of engaging with cookie pop ups] is leading to people giving more personal data than they would like". She noted that "there are nearly two billion websites out there taking account of the world's privacy preferences. No single country can tackle this issue alone".

One of the IC's suggestions was to give users the ability to set lasting privacy preferences on web browsers, devices, and applications which would pull through to different websites leading to an improved user experience. 

French organisations scrutinised by CNIL regarding ease of accepting cookies

France's Commission Nationale de l'Informatique et des Libertés ("CNIL") has published an update into an order (the "Order") sent to organisations which published "high-traffic" websites which had non-compliant practices regarding cookies. The Order, issued on 19 July 2021, was sent to 40 organisations on the basis that the websites which they published did not allow internet users to refuse or accept cookies with the same level of ease. The Order required compliance to be achieved by 6 September 2021.

Of the companies notified under the Order, 30 have made themselves compliant by the deadline, while four have requested a delay (due to technical or operational constraints) and a further four are yet to respond. The CNIL said that it "is pursuing its overall strategy to ensure compliance by organisations that make use of cookies". The CNIL has advised that new monitoring campaigns are in the process of being launched, with special attention being paid to political party websites due to the presidential elections in 2022, which "will continue to target national and international private actors, but also public organisations whose websites generate a lot of traffic".

Cyber security

ProtonMail provides user's IP address to Swiss Authorities

ProtonMail, a Swiss encrypted-email company, has been criticised online after giving up one of its user's details to authorities, having advertised itself as not logging users' IP addresses "by default". The user's IP address and details of devices he used to access his mailbox were seized, resulting in the user's arrest. The user's account was said to have been linked to a "climate activist" arrested by French police.

ProtonMail advertises itself as an end-to-end encrypted email service and, on its website, says that emails "cannot be shared with third parties". However, in a recent blogpost, ProtonMail said it had been legally bound to provide the IP addresses, which it is mandated to collect, to Swiss authorities. ProtonMail have since updated their privacy policy to state: "If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation". The blogpost adds that users are able to access their email accounts using the Tor network which would provide anonymous access (i.e. without a user's IP address being logged) to the site.

Basel banking committee encourages banks to improve cyber-security systems

The Basel Committee on Banking Supervision has published a newsletter ("Newsletter") calling on banks to increase their efforts in improving resilience to cyber-attacks. The Newsletter warns banks that the COVID-19 pandemic has increased risks around the safety of individual banks, due to remote working and increased digital provision of services. Those factors increase the opportunities available to cyber-criminals to breach banks' security measures and access their systems.

The Newsletter stresses that banks need to "continually strive to improve their resilience to cyber security threats and incidents". It highlights that widespread adoption of tools, effective practices and frameworks based on industry standards should strengthen cyber security to protect against cyber threats. The Newsletter did not recommend any particular risk-management tool or framework, but it encouraged the use of those that are accepted industry standards. It added that these methods could "facilitate supervisory oversight and help promote further alignment of supervisory assessments across jurisdictions". By way of example, the committee referred to the U.S. National Institute of Standards and Technology's cybersecurity framework and the Financial Stability Board's cyber-incident response and recovery toolkit.

The issue is also one of interest to domestic regulators. In a paper in March, the PRA expressed that more needed to be done to prevent cyberattacks, while recognising that companies have started to make inroads into addressing the problems which allowed attacks on their technology systems.


UK regulatory fines Glasgow company for making half a million nuisance calls

The ICO has issued a Monetary Penalty Notice to DialADeal, a business and domestic software development company, fining it £150,000 for a breach of regulations 21 and 24 of PECR.

The ICO based its decision on the fact that: (1) DialADeal engaged in the direct marketing of "Government" green schemes which do not appear to exist; (2) there had been a high level of complaints and evidence that DialADeal used generic and untraceable names during its calls; (3) the use of "spoofed" calling line identifiers contravenes regulation 21(A1) PECR; (4) the Company is not registered with the Telephone Preference Service Limited ("TPS"); (5) there was no evidence that it screened its calls against the TPS register; and (6) it appears to have no internet presence through which the recipients of its calls can contact.

Sports Direct, amongst others, fined over UK nuisance messages

The ICO has issued Monetary Penalty Notices fining: Saga Services Ltd £150,000 and Saga Personal Finance Ltd £75,000 for sending more than 175 million unsolicited marketing emails between them; We Buy Any Car £200,000 for sending more than 191 million unsolicited marketing emails and 3.6 million nuisance texts; and Sports Direct £70,000 for sending more than 2.5 million unsolicited marketing emails.

None of these companies had permission from the affected recipients to send them marketing emails or texts, which contravened PECR.

Saga Services Ltd and Saga Personal Finance Ltd were also issued with Enforcement Notices ordering them to stop any further illegal direct marketing within 30 days.

CNIL fines insurer €1.75 million penalty fine for over-retention of personal data

CNIL has fined insurer AG2R La Mondiale €1.75 million for breached Article 5(1)(e) of EU GDPR (and other domestic legislation) in retaining the personal data of 1917 data subjects who had not had contact with the company for more than three years, 1405 of whom had not contacted AG2R La Mondiale for over five years. The fine was made notwithstanding the fact that AG2R La Mondiale had been making changes to its compliance policy; the CNIL considered that did not excuse a company, of AG2R La Mondiale's scale and resource, where such breaches occurred.

Irish DPC opens investigation into TikTok

The Irish Supervisory Authority ("DPC") has opened an investigation into TikTok's processing of children's personal data, and the extent to which its policy on international transfers of personal data to other countries, such as China, is compliant with EU GDPR.

Turkey fines WhatsApp $235,000 over data breach

Turkey's Personal Data Protection Authority has become the latest Supervisory Authority to impose a fine on WhatsApp, this time of US$235,000 for failing to obtain data subjects' consent to its processing of their data in appropriate terms. WhatsApp had updated its Terms of Service and Privacy Policy to require explicit consent to the contract as a whole. However, the contract included the processing of personal data of users who want to use the app and transfer it to third parties located abroad, with no right to opt out of this feature. 

Civil litigation

Class action launched against Google arising out of alleged misuse of sensitive personal data: Prismall v Google UK Limited and another - QB-2021-003654

Google and its subsidiary, the AI company DeepMind, are facing a claim by 1.6m UK data subjects arising out of their unlawful processing of medical information (i.e. sensitive personal data) which they were provided, without the Claimants consent, by the Royal Free Trust, an NHS Trust, as part of an app development project in respect of an app called Streams. The claim follows on from a decision by the ICO in 2017 that the "processing of personal data within Streams was not compliant with the Data Protection Act 1998".

Final injunction granted against a person or persons unknown responsible for cyber-attack on barristers' chambers

Nicklin J has granted a final injunction by default prohibiting the unknown defendants from disclosing any confidential information taken from 4 New Square or its members and requiring the delivery up of that confidential information and the provision of a witness statement confirming the same. The order also specifies that they may be held to be in contempt of court and "imprisoned or fined or have their assets seized" if they do so.

Injunctions of this nature are increasingly becoming commonly sought in cases of cyberfraud (see for example: Clarkson Plc v Person or Persons Unknown [2018] EWHC 417 and PML v Person(s) Unknown [2018] EWHC 838), and provide the applicant with protection even in circumstances where the respondents remain unidentified (e.g. where third parties, such as parties hosting websites or forums, which have been served with the order are provided with confidential information which has been exfiltrated, they will be on notice to take appropriate steps to prevent its ongoing publication, or otherwise take steps which may facilitate its further misuse).

The Austrian Federal Administrative Court requested the CJEU's preliminary ruling on the interpretation of Article 15(3) GDPR

In BVwG – W211 2222613-2/12E (request for preliminary ruling under Article 267 TFEU) the Austrian Federal Administrative Court have sought clarification on the meaning and extent of "a copy of the personal data undergoing processing" and "information". This ruling concerns a complainant's request from the Austrian credit reference agency for a copy of their personal data. The Austrian credit reference agency provided a table that contained the personal data (name, date of birth, address data business functions of the data subject) but declined to provide an actual copy of the data undergoing processing, such as database print-outs or email correspondence. The Austrian credit reference submitted that doing so would be in contravention of Article 15(3) GDPR concerning the right of access by the data subject. The complainant alleged that Article 15(3) did entitle them to receive a copy of the data in the form it was undergoing processing. The Austrian Data Protection authority aligned with the arguments of the respondents and the complainant consequently appealed.

The Belgian Council of State confirms that contracting with an EU branch of a US company using AWS cloud services does not breach the GDPR

The Flemish Authorities granted a tender to an EU branch of a United States ("US") company using the AWS cloud services. A Dutch company, which was not awarded the tender by the Flemish Authorities, challenged this decision on the grounds that this it would result in, amongst other things, a violation of relevant provisions of EU GDPR governing international transfers, as there was no adequate level protection for affected data subjects' rights in the US. In affirming the decision of the Flemish Authorities, the Belgian Council of State relied on guidance issued by the European Data Protection Board and Flemish Supervisory Commission, which found that encryption was a possible, and appropriate, supplementary measure which could be used to permit lawful transfers of personal data to the US. 

US judge dismisses first ever GDPR suit in American court, brought against PubMatic


The Plaintiff, Hugo Elliott, a UK citizen residing in England, along with various other data subjects domiciled in England and Wales, issued proceedings before the Californian Court against American adtech company PubMatic, arguing that it had unlawfully processed their data in breach of GDPR (in particular through unlawful cookie tracking).

The United States Northern District Court of California dismissed the Plaintiffs' claims. The Court considered that, in circumstances where: (1) it would be onerous on Californian courts to familiarise itself with the UK's GDPR law as it is still being developed; and (2) PubMatic had indicated a willingness to contest the suit in the UK, California was not the appropriate forum for the Plaintiffs' claims to be determined.