Data Protection – May/June 2017

Shield defense on blue technology background with digital code Print publication


Countdown to GDPR, Data Protection Bill plans, latest from the ICO, direct marketing, cyber security and more.

The clock is ticking…countdown to the General Data Protection Regulation (GDPR)

There are now less than 12 months to go until GDPR comes into force on 25 May 2018.  See our recent briefing for the practical steps to take now, and the one-year warning from the Information Commissioner’s Office (ICO).  The ICO has relaunched its 12 steps to take now document and updated its self assessment toolkit.  It has also published its Information Rights Strategic Plan for 2017-21, setting out the Information Commissioner’s mission to increase the confidence that the public has in government, public bodies and the private sector.  See the Commissioner’s blog post for further details.

In a speech on 25 May 2017, the Deputy Commissioner urged organisations not to wait or take a reactive approach to their GDPR preparations, “motivated solely by a mindset of compliance or risk management”: “Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.  Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong…It can be boiled down to two words: “transparency” and “accountability”.  Being clear with individuals how their personal data is being used.  And placing the highest standards of data protection at the heart of how you do business.

The recent Queen’s Speech (covering the legislative programme for the next two years as the UK prepares to leave the EU) included plans for a Data Protection Bill to “ensure that the United Kingdom retains its world-class regime protecting personal data”. The legislation may go further than GDPR.  One of the main benefits would be to give individuals new rights to require major social media platforms to delete information held about them at the age of 18.   The main elements are:

  • to establish a new data protection regime for non-law enforcement data processing, replacing the existing Data Protection Act, strengthening rights and empowering individuals to have more control over their personal data, including a right to be forgotten
  • to modernise and update the regime for data processing by law enforcement agencies, covering both domestic processing and cross-border transfers of personal data
  • to update the powers and sanctions available to the Information Commissioner.

The new legislation would implement GDPR and the new EU Directive which applies to law enforcement data processing.  This means that, practically, businesses should continue to press ahead with their GDPR preparations.  Nothing has changed on that front.

The ICO is analysing the responses to its recent feedback request on the new profiling provisions in GDPR.  A summary will be published in due course.  The ICO says that the main purpose of gathering feedback was to inform its work in leading the drafting of the EU guidance on profiling and automated decision-making.  The guidance is due to be published in the autumn.

The ICO has also responded to the government’s consultation on the derogations in GDPR, where the UK can exercise discretion over how certain provisions apply.  It says that its general approach is to favour replicating existing arrangements under the Data Protection Act where experience shows that they work satisfactorily.  This will minimise disruption and bring certainty and coherence to the data protection regulatory regime.  The ICO supports the introduction of new derogations only where it believes this to be necessary for the effective functioning of GDPR or where there is a clear need.

The Institute of Fundraising has published a guide to help charities understand and prepare for GDPR.

Finally, in Europe, the European Court of Justice has delivered an important ruling on the interpretation of the legitimate interests condition in the Data Protection Directive in relation to processing by a public authority.   Public authorities should take note that, under GDPR, they will not be able to rely on the legitimate interests condition as a lawful basis for carrying out data processing when performing their tasks.

More from Europe…

The European Commission has undertaken a mid-term review of the Digital Single Market Strategy and has fined Facebook €110 million for providing misleading information about its acquisition of WhatsApp.  Facebook had informed the Commission in 2014 that it would be unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.  However, in 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities.

Judgment is awaited in the high-profile litigation involving Facebook and Austrian privacy campaigner Max Schrems in the Irish High Court.  The Irish Data Protection Commissioner is seeking a reference to the Court of Justice of the European Union to determine the legal status of data transfers under model contract clauses, one of the mechanisms allowing the transfer of personal data from the EU to the US.

Data subject access requests – ICO issues updated guidance

The ICO has updated its guidance for organisations on dealing with data subject access requests (DSARs), which an individual has a right to make under data protection law to find out what information a data controller holds about them.  The guidance now reflects the recent Court of Appeal decisions on the use of DSARs in litigation and the efforts required in searching.  See our recent briefing for more details on this topic including practical advice for data controllers.  The ICO’s guidance does not cover the position under GDPR, which introduces changes to the DSARs regime, including expansion of the information that individuals can request.

Concern over use of data analytics

On 17 May 2017 (and unrelated to the election campaign running at the time) the Information Commissioner announced the opening of a formal investigation into the use of data analytics for political purposes, given the potentially significant impact of data analysis tools on individuals’ privacy.  An update on the investigation is expected later this year.  The investigation follows concerns over how personal data was used during the Leave campaign in last year’s EU referendum.

The ICO updated its paper on ‘big data’ in March 2017, taking into account GDPR and the advances made since first publication of the paper in 2014. The paper looks at the implications of big data, artificial intelligence (AI) and machine learning for data protection, and explains the ICO’s views, including six key recommendations for organisations using big data analytics.

Direct marketing and ICO enforcement action

Plans for legislation to introduce personal liability for directors for nuisance call fines have not been progressed.  Parliament was dissolved on 3 May 2017 ahead of the general election – any bills or statutory instruments which were not passed by then will have to be laid before Parliament again if they are to become law.

The section of the new Digital Economy Act which amends the Data Protection Act to require the ICO to prepare a new code of practice on direct marketing comes into force today.

The ICO released its annual performance statistics for 2016/17, which show that it dealt with record numbers of data protection incidents, nuisance marketing cases and individual complaints.

The ICO has published a statement released to Channel Four News following an investigation by the programme which it said found that the Conservative Party contracted a secretive call centre during the election campaign which may have broken data protection and election laws.

Supermarket chain Morrisons was recently fined after deliberately sending over 130,000 emails to people who had previously opted out of receiving marketing related to its Morrisons More card.

The ICO earlier handed out a record £400,000 fine to a company behind 99.5 million nuisance calls – the highest fine ever issued by the ICO in relation to nuisance calls.  The company made automated marketing calls on a wide range of subjects and hid its identity, making it harder for people to complain.  The ICO said it was committed to recovering the fine, after the company went into voluntary liquidation.

One firm was fined £100,000 for sending millions of spam texts about mobile phone upgrades; another was fined £50,000 and ordered to improve its procedures after making nuisance calls to people who had specifically stated that they did not want to be contacted; another was fined £40,000 for sending 336,000 spam texts and ordered to stop sending unlawful texts in the future; and another was fined £50,000 after making calls to numbers listed on the Telephone Preference Service.  It had bought data from third party companies in order to market its services but failed to check that its suppliers were operating within the law.  Homes were also raided as part of an ongoing ICO investigation relating to nuisance calls that encourage people to make personal injury claims about road traffic accidents being linked to the theft of data from car repair centres.

In other enforcement news: a former claims company manager was prosecuted for leading a team involved in ‘blagging’ calls to illegally obtain personal data; Basildon Borough Council was fined £150,000 for publishing sensitive personal data in online planning documents; Medway Council was issued with an enforcement notice requiring steps to be taken within six months in relation to mandatory data protection staff training; and Greater Manchester Police was fined £150,000 after victim interview videos went missing.

Cyber security news

Still on the subject of ICO enforcement action, Gloucester City Council was fined £100,000 for leaving employees’ sensitive personal information vulnerable to attack.

Following the cyber attacks on the NHS and other organisations worldwide in May 2017, the ICO republished its earlier post to help businesses prevent and recover from ransomware attacks, keep information secure and avoid financial and reputational damage.  Various guidance for organisations can also be found on the web pages of the National Cyber Security Centre.  The ICO also recently published a webpage on data security incident trends, setting out the action it has taken, what has been reported to it, and what organisations can do to stay secure, including a link to its “IT security top tips” and further guidance.