Data Protection – November 2016



Latest news on the GDPR, the EU-US Privacy Shield, data sharing, cyber security and more.

General Data Protection Regulation (GDPR) – Brexit doesn’t mean Brexit

The government has now confirmed that, for data protection at least, Brexit doesn’t mean Brexit and the UK will be implementing the GDPR. For further information about this legislation and what it means for businesses, see our briefing General Data Protection Regulation: What you need to know now.

The Information Commissioner’s Office (ICO) is due to publish a revised timeline setting out which areas of guidance it will be prioritising over the next six months. It has already produced an overview of the GDPR, issued a useful 12-step plan and published a new privacy notices code of practice.

European-level guidance on data protection officers, data portability and identifying your lead supervisory authority is also expected from the Article 29 Working Party by the end of 2016, with further guidance on data protection impact assessments hopefully in February 2017.

The Information Commissioner recognises that there may still be questions as to how the GDPR will work on the UK’s exit from the European Union, and has said that the ICO “will be working with government to stay at the centre of these conversations about the long term future of UK data protection law…”.

Watch out for Walker Morris’ upcoming series of guides to help businesses plan ahead for implementation.

EU-US Privacy Shield faces two legal challenges

Privacy advocacy groups in Ireland and France are seeking to have the EU-US Privacy Shield, the framework governing transatlantic exchanges of personal data for commercial purposes which replaced Safe Harbor, annulled in two separate actions before the European court. Details of the action brought by Digital Rights Ireland in September have now been published in the EU’s Official Journal.  The group is challenging the European Commission’s ‘finding of adequacy’ that US organisations signing up to the Privacy Shield provide an equivalent level of protection for EU personal data transferred to the US.

It is widely anticipated that it will be at least a year before the European court rules on either the challenges to the Privacy Shield or the EU Model Clauses (which are also being referred to the European court).

The Commission has also recently released its proposed amendments to the Model Clauses.

US organisations should carry out a cost-benefit analysis of the various available transfer mechanisms and decide in accordance with their risk appetite whether they register under the Privacy Shield, adopt the model contract clauses, incorporate both into their compliance programme or use alternative mechanisms. EU organisations should ensure that adequate protections are in place for any EU personal data which they transfer outside of the European Economic Area.

See our newsflash EU-US Privacy Shield challenged before the European court for further details.

Data sharing – WhatsApp, Facebook and Yahoo

Since our article Facebook, WhatsApp and the controversies of data sharing, the ICO has provided an update on its investigation into WhatsApp’s approach to sharing customer information with its parent company, Facebook.

In the latest development, Facebook has agreed to pause using data from UK WhatsApp users for advertisements or product improvement purposes.

The Article 29 Working Party set out in a press release details of its recent letters to WhatsApp (regarding its updated terms of use and privacy policy) and to Yahoo (regarding its 2014 data breach and the scanning of customer emails for intelligence purposes). An enforcement sub-group has been set up to exchange views on enforcement actions in cross-border cases.

Cyber security

The government has published its National Cyber Security Strategy 2016-2021, setting out its plan to make the UK secure and resilient in cyberspace. £1.9 billion will be invested over the next five years.  The document highlights businesses’ responsibility to safeguard the assets they hold, maintain the services they provide, and incorporate the appropriate level of security into the products they sell, stressing that if they are the victim of a cyber attack, they are liable for the consequences.

The ICO responded in October to the recommendations set out in the Culture, Media and Sport Committee’s June report on cyber security. It has also published a link answering various questions on the issue and what organisations need to do.

This follows on from the record £400,000 fine issued to TalkTalk by the ICO for security failings which allowed a 17-year-old boy showing off to his friends to access customer data “with ease”. In addition to the record fine, TalkTalk estimated that the attack cost them £60 million and 101,000 customers. A recent cyber attack has also resulted in Tesco Bank paying out £2.5 million to 9,000 customers who had money stolen from their accounts.

It is essential that businesses take information security seriously; consumers are increasingly aware of data protection issues and their rights, and as demonstrated by TalkTalk’s customers, they are willing to vote with their feet if they don’t believe that businesses are looking after their personal data properly.

Direct marketing

A company was recently fined £20,000 by the ICO after sending thousands of spam texts to individuals promoting cash loans. The ICO has previously published guidance explaining the rules on direct marketing under the Data Protection Act 1998 and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), with a focus on calls and texts to individuals.

Another company – providing a loan matching service – was recently fined £70,000 and ordered to stop by the ICO, after sending out 2.2 million illegal marketing text messages in breach of the PECR.

The government announced on 23 October 2016 that from Spring 2017 the ICO will have powers to hold company directors directly responsible for breaches of the PECR. Each director could be liable for a fine of up to £500,000.

Digital communication

In the recent case of Patrick Breyer v Bundesrepublik Deutschland, the European Court of Justice ruled that dynamic IP addresses registered by online media services providers (e.g. website operators) constitute ‘personal data’ under EU data protection law where the provider has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.

The European Data Protection Supervisor has since published new guidelines on the protection of personal data processed by mobile applications and through web services.  The guidelines are aimed at the EU institutions, but contain practical advice which businesses may find useful.