New Data Protection Bill, latest on GDPR, update on e-Privacy Regulation, ICO enforcement, Privacy Shield and more.
New Data Protection Bill published
The government has published the Data Protection Bill, which will replace the UK’s existing Data Protection Act. The Bill sits alongside the EU General Data Protection Regulation (GDPR) and: clarifies a number of points around GDPR, for example the definition of public authority and the minimum age of consent for children; sets out the derogations to GDPR that the UK will adopt; applies GDPR standards to general data processing which GDPR currently does not apply to (such as unstructured paper files processed by public authorities); applies GDPR standards to data processing by law enforcement and intelligence services; and sets out the Information Commissioner’s role and powers including enforcement powers. The Bill had its first reading in the House of Lords on 13 September 2017, with the second reading scheduled for 10 October 2017. See the government’s press release for a summary of the Bill, with a link to various factsheets. The Information Commissioner’s Office (ICO) has said that it is important to remember that GDPR is only a part of the UK’s overall data protection framework. The ICO’s aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018. In practical terms, businesses should continue to prepare for GDPR, which comes into force on 25 May 2018.
Latest on GDPR
The ICO has published its long-awaited draft guidance on contracts and liabilities between data controllers and data processors under GDPR. The short consultation period ends on 10 October 2017. Under GDPR, whenever a controller uses a processor (or a processor employs another processor), there needs to be a formal written contract in place between them. GDPR specifies what terms must be included in the contract, as a minimum requirement. While data controllers bear ultimate responsibility for ensuring that the processing of personal data is GDPR-compliant, data processors need to be aware that GDPR also imposes direct obligations on them. Organisations should review all existing contracts which involve any processing or sharing of personal data to ensure that they meet GDPR requirements. Please get in touch if you require any assistance in this regard.
The ICO has updated its Guidance: what to expect and when document. Key points are:
- As part of the Article 29 Working Party (WP29), the ICO is leading the drafting of the EU-level guidelines on profiling, data breaches and administrative fines and contributing to the work on consent, transparency, certification and international transfers;
- For the rest of 2017, the ICO will be working to turn its “Overview of the GDPR” document into a comprehensive “Guide to GDPR”, to include summaries, checklists and more detailed content;
- The ICO will produce detailed guidance during 2017 on accountability and on children’s data;
- The ICO expects to publish detailed guidance on consent and other lawful bases for processing (including legitimate interests) in early 2018;
- It expects that WP29 guidelines on profiling and automated decision making will be adopted in October 2017, followed by consent, transparency and breach notification guidelines at the end of the year. These will sit alongside the ICO’s own guidance.
In the fourth in its series of ‘myth-busting’ blogs on GDPR, the ICO looks at issues surrounding data breach reporting. It explains that reporting will be mandatory where the breach is likely to result in a risk to people’s rights and freedoms (in high risk cases the breach will also need to be reported to the affected individuals). The breach must be reported without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The ICO stresses that it does not expect to receive comprehensive reports at the outset, but it will want to know the potential scope and cause of the breach, planned mitigation actions, and how the organisation plans to address the problem. In relation to fines, these will be proportionate and will not be issued in every case. The ICO wants organisations to be aware that the sanction is there, but says that fines can be avoided if organisations are open and honest and report without undue delay: “Tell it all, tell it fast, tell the truth”. Over the coming months the ICO will introduce a new phone reporting service which will sit alongside the current web reporting form.
In a recent speech, the UK’s Information Commissioner spoke of how cyber security and data protection are “inextricably linked” and described the new Data Protection Bill, including GDPR, as a “massive opportunity” for cyber security, which is very much a boardroom issue: “Data protection law reforms are long overdue but now they are here, they will provide the best incentive for companies to get security right”.
Update on the e-Privacy Regulation
With all the focus on GDPR, it is easy to forget for a moment that a new e-Privacy Regulation (introducing new rules on electronic direct marketing, cookies and other forms of online monitoring) is also due to come into force on 25 May 2018. The Council of the European Union recently published some proposed revisions to the European Commission’s initial draft of the Regulation (published back in January 2016). The revised text was produced for the purposes of various meetings of the Working Party on Telecommunications and Information Society during September 2017. There is still some way to go in the legislative process and it is unclear at this stage whether the 25 May deadline will be met. Walker Morris will continue to monitor and report on developments.
More news from Europe…
The Investigatory Powers Tribunal here in the UK has referred to the Court of Justice of the European Union (CJEU) a number of questions concerning the activities of the security and intelligence agencies in relation to the acquisition and use of bulk communications data for the purposes of national security, including whether such activities are governed by EU law [1]. The Tribunal was essentially satisfied that the bulk communications data regime complies with the European Convention on Human Rights (ECHR), which is distinct from EU law. The key issue is whether EU law applies and imposes a higher standard as a result of the CJEU’s Watson judgment at the end of 2016 [2]. In that case, the CJEU effectively ruled that the UK’s Data Retention and Investigatory Powers Act 2014, predecessor to the controversial Investigatory Powers Act 2016 (IPA), was incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights. As we mentioned in the last edition of the Regulatory round-up, the even more extensive and intrusive IPA gives the government, among other things, wide-ranging powers to monitor and intercept citizens’ communications and internet usage. It is a potential sticking point in relation to the adequacy of the UK’s data protection standards in the EU’s eyes in a post-Brexit world.
On appeal, the European Court of Human Rights has reversed an earlier decision and found that the monitoring of an employee’s electronic communications amounted to a breach of his right to private life and correspondence (under Article 8 of the ECHR) [3]. The Romanian national courts had failed to strike a fair balance between the competing interests at stake (the employee’s Article 8 right and the employer’s right to take measures in order to ensure the smooth running of the company). This included a failure to determine whether the employee had received prior notice from his employer of the possibility that his communications might be monitored. The ICO’s guidance on monitoring at work can be found here.
Recent ICO enforcement action – no let-up in nuisance marketing fines
In the space of just one week, the ICO issued fines totalling £610,000 to companies behind illegal recorded messages. Easyleads Limited was fined £260,000 after it made 16.7 million automated marketing calls about boiler grants without specific consent, while Your Money Rights Limited was fined £350,000 after it made a staggering 146 million calls about PPI without specific consent. This is the highest number of automated calls to result in an ICO fine to date. The ICO said that the company should have known that the law around automated calls is stricter than for other marketing calls. Both companies also broke the rules by not including the company name and contact details in the recorded message.
A taxi booking app firm was fined £45,000 for sending unlawful direct marketing texts during a one-day text marketing campaign. It could not show that it had received customers’ consent. On the same day, a telephone services company was fined £85,000 after it made calls to people registered on the Telephone Preference Service and to people who had specifically asked not to be called.
Breach of the direct marketing rules is a key focus for the ICO. As businesses prepare for GDPR, this is a timely reminder to review all types of direct marketing, ensure that GDPR-compliant consents are being collected, and refresh any non-compliant ones now.
In other enforcement news, a former data co-ordinator employed by The University Hospitals of North Midlands NHS Trust was prosecuted after she accessed sensitive medical records of colleagues and other people she knew, without the consent of the data controller, and a former Leicester City Council worker was prosecuted after he emailed personal data relating to 349 individuals, which included sensitive personal data, to his personal email address without the data controller’s consent.
EU-US Privacy Shield – first joint annual review takes place
Two days of joint review meetings of the EU-US Privacy Shield data transfer framework have taken place in Washington DC. According to a joint press statement, the review “examined all aspects of the administration and enforcement of the Privacy Shield, including commercial and national-security related matters, as well as broader US legal developments”. Various concerns have been raised over the robustness and effectiveness of the framework, including in relation to US surveillance activities. The European Commission has said that the discussions with the US administration (together with feedback from businesses, non-governmental organisations and other stakeholders) will feed into the Commission’s annual review report to be published in the second half of October 2017.
In a positive development, the US Federal Trade Commission (FTC), which oversees enforcement of the Privacy Shield in the US, has brought its first enforcement cases. According to the FTC’s press release, three US companies have agreed to settle charges that they falsely claimed participation in the framework, and the actions “highlight the FTC’s commitment to aggressively enforce” the Privacy Shield. Walker Morris will continue to monitor and report on developments.
[1] UKIPTrib IPT_15_110_CH
[2] The Tele2/Watson judgment: Joined Cases C-203/15 and C-698/15, 21 December 2016
[3] Bărbulescu v Romania (61496/08)