Latest on the General Data Protection Regulation (GDPR)
There has been a flurry of GDPR guidance published over the last month:
- the Information Commissioner’s Office (ICO) recently published its user-friendly draft consent guidance, which went out to public consultation, with the intention that finalised guidance will be published in May 2017. The final two pages of the draft guidance comprise a checklist to work through in relation to asking for, recording and managing consent;
- guidance on contracts and liability from the ICO is expected to follow shortly;
- European-level guidance on a wide range of GDPR topics, including consent and profiling, is also expected from the Article 29 Working Party (WP29) throughout 2017; and
- the French Data Protection Authority, the CNIL, has also published a six-step methodology to help organisations prepare. The six steps are: appointing a Data Protection Officer; carrying out a data mapping exercise; identifying key compliance actions as a result; conducting privacy assessments and managing risks; implementing internal processes to ensure a high level of protection; and documenting compliance.
Our series of guides to the EU General Data Protection Regulation, ‘The latest guidance on GDPR’, contains further details.
On 8 March 2017, the UK’s Information Commissioner participated in a wide-ranging evidence session before the EU Home Affairs Sub-Committee on the topic of the EU Data Protection Package. Among other things, the Commissioner spoke of: the need for increased resources to address the ICO’s new regulatory powers under the GDPR; the importance of obtaining an adequacy decision post-Brexit (considered the most straightforward process to ensure the continued flow of data between the EU and the UK); the importance of the UK’s status and influence on the European Data Protection Board (which as an adjudicative board will make decisions about data processing that impact on UK citizens); and setting the ‘gold standard’ of data protection regulation and enforcement internationally.
The Information Commissioner highlighted that currently the ICO is mainly funded by notification fees which will no longer be required under GDPR. The ICO has been working with the government on a new fee structure to fund the ICO which needs to be approved by parliament. As yet, no details of what that new fee structure will look like have been published. We will be monitoring this and we will report on any developments once it is clear how the new fee structure may impact on businesses.
The ICO recently published a blog post to help councils prepare for the GDPR. This follows publication of an ICO survey on information governance practices among local authorities, which highlights where work needs to be done.
The ICO has also updated its paper on ‘big data’, taking into account the advances made since first publication in 2014 and the upcoming implementation of the GDPR. The paper looks at the implications of big data, artificial intelligence (AI) and machine learning for data protection, and explains the ICO’s views, including six key recommendations for organisations using big data analytics.
Research commissioned by Payments UK shows that fewer than one in three people always check the terms and conditions when sharing their personal data online. Payments UK says that the findings highlight the need to build customer understanding of how their data is used at a time when regulatory and legislative changes, including GDPR, are set to transform their options for allowing their personal information to be shared.
EU-US Privacy Shield – concerns rumble on
The European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs has narrowly approved a resolution labelling the Privacy Shield as inadequate, stressing that key deficiencies remain to be urgently resolved. A European Parliament vote on the resolution is expected in early April. The EU’s Commissioner for Justice, Consumers and Gender Equality is set to meet President Trump’s administration to discuss the data-sharing arrangement, amid ongoing concerns about its future under the new US administration. As we reported previously, Human Rights Watch and the American Civil Liberties Union wrote a joint letter to the Commissioner urging her to re-examine whether the Privacy Shield and the EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU. A further letter from a coalition of 17 civil liberties organisations urges the Commissioner to ensure that the US substantively reforms its surveillance laws this year to protect the rights of non-US persons, including Europeans, and calls on her to suspend the Privacy Shield if there are no meaningful reforms. The first annual review of the Privacy Shield is due in the summer. We will continue to monitor and report on developments.
More news from Europe…
The WP29 has published the latest revision of its working document on FAQs related to Binding Corporate Rules (one of the legal mechanisms for transferring personal data outside of the European Economic Area between companies forming part of a multinational group). The document can be found under the ‘Letters, Opinions and other documents’ heading on the WP29’s website.
In the recent case of Manni Camera di Commercio Industria Artigianato e Agricoltura de Lecce v Salvatore, the Court of Justice of the European Union (CJEU) ruled that the ‘right to be forgotten’ does not apply to personal data on a company register – a reminder that this right is not an absolute right and will be balanced against others.
The CJEU has also recently ruled that, where a telephone subscriber gives permission for their data to be published in one Member State, that permission extends to all Member States.
Data subject access requests – further case law
Data subject access requests (DSARs), which an individual has a right to make under data protection law to find out what information a data controller holds about them, have been considered once again by the English courts. In Deer v University of Oxford, the Court of Appeal considered the point that, under section 7(9) of the UK’s Data Protection Act, the court has discretion whether to compel a data controller to comply with a DSAR. It was noted that the court must have regard to the general principle of proportionality which runs through EU law when exercising its discretion, with a view to ensuring a fair balance between the right of the individual to have access to his or her personal data on the one hand, and the interests of the data controller faced with a DSAR on the other. Watch out for our upcoming briefing on the recent case law in this area, setting out our practical advice for data controllers.
Cyber security update
The government has announced its long-awaited UK Digital Strategy, with ‘Making the UK the safest place in the world to live and work online’ one of the key themes. On 27 March 2017, the Joint Committee on National Security Strategy heard from cyber security experts on risks faced in the UK, the relationship between the public and private sectors, and the issue of international cyber norms and governance. In a recent report on cyber security, the Institute of Directors provides practical tips for businesses on what they can be doing to protect themselves from the ever-increasing threat of cyber crime.
Direct marketing – sending marketing emails without the right consent is against the law
The ICO has fined Flybe and Honda a total of £83,000 for breaking the rules on how people’s personal information should be treated when sending marketing emails. Both firms sent emails asking for consent to future marketing. Flybe was fined £70,000 for breaching the Privacy and Electronic Communication Regulations (PECR) after it deliberately sent more than 3.3 million emails to people who had said they did not want to receive marketing emails, asking them if their details were correct. Honda Motor Europe Ltd was fined £13,000 after it sent around 290,000 emails to customers to clarify their choices for receiving marketing. This was a breach of the PECR as there was no evidence provided that customers had given their consent to receiving such emails. Honda believed that the emails were customer service emails – not marketing emails – and that they helped the company to comply with data protection law.
As businesses review their processes in readiness for the GDPR and the draft ePrivacy Regulation, including in relation to customer consents, these fines are a timely and important reminder that sending marketing emails without the right consent is against the law.
Meanwhile, Media Tactics Ltd, a company that made 22 million nuisance calls, was fined £270,000 – one of the highest such fines imposed to date. Automated marketing calls, which play a recorded message, can only be made to people who have specifically agreed to receiving such calls. The recorded messages related to a variety of subjects including PPI, personal injury claims and debt management. The ICO found that Media Tactics Ltd did not have the necessary permissions to make such calls. The ICO also recently fined a firm £20,000 after it instructed another firm in Belize to send around 64,000 spam texts promoting loans on its behalf.
Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors, EWCA Civ 121