Data Protection – April 2017

Update on the General Data Protection Regulation, e-Privacy reform, EU-US Privacy Shield, ICO, direct marketing and cyber security.

Latest on the General Data Protection Regulation (GDPR)

April 2017 saw another round of GDPR activity both here in the UK and at European level:

  • The UK’s Information Commissioner’s Office (ICO) reported that it had received a significant response to the consultation on its draft consent guidance, which closed at the end of March 2017. It is now analysing this feedback and working towards publication of final guidance in June 2017.
  • The ICO put out a feedback request on the topic of profiling under the GDPR. The discussion paper sets out the ICO’s initial thoughts on key issues which it considers require further debate, including marketing, the right to object and data minimisation. The feedback window closed on 28 April 2017 and the ICO says that the responses will help inform the UK’s contribution to the Article 29 Working Party (WP29) guidelines on profiling which are due to be published later in the year. See the ICO’s blog post for more information on this topic.
  • The government is consulting on the exemptions in the GDPR, where the UK can exercise discretion over how certain provisions will apply. Comments are requested by 10 May 2017.
  • The WP29 has published its final, adopted guidelines on the right to data portability, data protection officers, and identifying a controller or processor’s lead supervisory authority. It has been reported that the European Commission has written to EU privacy regulators to express concern over their interpretation of the data portability clause in the GDPR, saying that the WP29’s guidelines on this topic might go beyond the scope of what was agreed in the legislative process.
  • The WP29 has also published draft guidelines for consultation on high risk processing and data protection impact assessments. Comments are requested by 23 May 2017.

Watch out for the next instalment in our series of guides to the GDPR, where we will look at the latest developments in more detail.

Update on the proposed e-Privacy Regulation

In January 2017, the European Commission proposed a new e-Privacy Regulation to replace the current EU e-Privacy Directive. The new Regulation, which among other things aligns the rules for electronic communications (including fines and remedies for individuals) with the standards of the GDPR, is intended to come into force on the same date as the GDPR, 25 May 2018.

On 4 April 2017, the WP29 adopted an Opinion on the proposal. While it broadly welcomed the draft Regulation, it also expressed “grave concerns” in relation to four areas: WiFi tracking; analysis of content and metadata; consent for tracking; and default settings of terminal equipment and software. The European Data Protection Supervisor has also broadly welcomed the proposal but raises similar concerns. See the press release, which links through to his Opinion, published on 24 April 2017.

The draft was also discussed by the European Parliament’s civil liberties committee on 11 April 2017, when concerns were raised in relation to privacy safeguards for children active online, advertising and cookies. See the committee’s press release.

The ICO’s blog post explains more about the proposal and its background. The ICO plans to publish an initial guidance document later in the year, highlighting the likely key issues with the proposed legislation.

EU-US Privacy Shield – important first annual joint review confirmed for September

The European Commissioner for Justice, Consumers and Gender Equality recently confirmed during a speech in Washington DC that the first annual joint review of the EU-US Privacy Shield data transfer framework will take place in September 2017. See our recent briefing Newsflash: EU-US Privacy Shield to be reviewed in September for details.

The WP29 has published a form for submitting requests to the US Ombudsperson, a new mechanism set up under the Privacy Shield to handle and respond to requests concerning possible access, for national security purposes, by US intelligence authorities to personal data transferred from the EU to the US.

The WP29 has also published a copy of a letter sent by the WP29 Chair to the US Director of National Intelligence, following reports in October 2016 that Yahoo! had scanned customer emails at the request of US intelligence agencies. The WP29 says that it is deeply concerned at the significant number of EU data subjects who may be affected and considers that there should be a direct exchange on the issues.

ICO, direct marketing and recent enforcement action

The ICO has launched a new set of resources aimed at improving records management in the health sector.

It continues to crack down on nuisance calls and texts. A finance brokerage firm was fined £40,000 for sending thousands of unsolicited marketing texts promoting loans, while two companies were fined a total of £220,000 for sending millions of spam texts and making nuisance phone calls.

On 6 April 2017, the government launched a scheme to give elderly and vulnerable people – including those with dementia – call blocking devices to stop nuisance calls. Individuals identified by doctors, Trading Standards officials and local councils as at risk from nuisance callers will have trueCall devices installed in their homes. The devices block all recorded messages, silent calls and calls from numbers that the householder has not already approved.

After a long-running investigation, eleven charities were recently fined for breaking the law when handling donors’ personal information.

Separately, the Advertising Standards Authority ruled that clothing retailer Lands’ End Europe Ltd breached the Committee of Advertising Practice Code because the complainant had not given explicit consent to receiving marketing communications from the company. The complainant’s personal information had been submitted to the partner website of a company which then supplied the data to Lands’ End’s email re-targeting agency. While the complainant had opted in to receiving third-party marketing communications from “affiliate partners”, it was not clear who those third parties were or what types of communications consumers might receive from them. Lands’ End had primary responsibility for ensuring that its marketing communications complied with the Code, and it needed to be able to demonstrate that consumers had given explicit consent to receiving marketing communications from it.

The Digital Economy Bill received Royal Assent on 27 April 2017, with provisions enabling the stronger enforcement of direct marketing laws.

Finally, an online retailer has been fined £55,000 by the ICO for failing to protect its customers’ personal information. The firm did not have appropriate technical measures in place to prevent a cyber attack in which unencrypted cardholder details were accessed, a breach of the Data Protection Act’s requirement to take appropriate technical and organisational measures against unauthorised access to personal data.

Cyber security news

Not long after payday loan company Wonga became the latest high-profile firm to suffer a data breach – potentially affecting up to 250,000 of its UK customer accounts – the government published its Cyber Security Breaches Survey 2017, detailing business action on cyber security and the costs and impacts of cyber breaches and attacks. The report says that nearly half of all UK businesses identified a breach or attack in the last twelve months. Conclusions are set out on page 57.

Tech giants Google and Facebook have reportedly confirmed that they were the previously unidentified victims of a $100 million email scam (a business email compromise) in which they were tricked into complying with fraudulent wiring instructions after receiving emails that appeared to come from a company with which they regularly conducted multi-million dollar transactions. In a press release in March 2017, the Acting US Attorney for the Southern District of New York said: “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

In a recent speech “Expect the unexpected” – cyber security – 2017 and beyond, FCA Executive Director Nausicaa Delfas talked about the ever evolving threats to cyber security and what can be done to manage them.

The UK’s National Cyber Security Centre and a number of private sector companies have collaborated to identify and disrupt a new cyber attack campaign believed to be run by the “APT10” hacking group. The campaign targeted managed IT service providers as a route into their customers’ organisations, gaining unprecedented access to intellectual property and sensitive data.