Data Protection – January/February 2018

Latest on GDPR, the UK’s Data Protection Bill, e-privacy, ICO fee changes, cyber security and more.

Latest on the EU General Data Protection Regulation (GDPR)

The Information Commissioner’s Office (ICO) continues to update its Guide to the GDPR. See the “What’s new” section on page four.

It recently consulted on proposed guidance for UK organisations processing children’s personal data under GDPR and added a link on “GDPR breach reporting tips” to its local government webpage.

On 3 January 2018, the Department for Education published updated privacy notice model documents for schools and local authorities to issue to staff, parents and pupils about the collection of data.

The Fundraising Regulator has revised the Code of Fundraising Practice to take GDPR into account. The new Code rules will come into effect on 25 May 2018.

The Charity Finance Group recently published a guide for charities on GDPR.

On 24 January 2018, the European Commission published guidance “to facilitate a direct and smooth application of the new data protection rules across the EU as of 25 May” and launched a new online tool dedicated to SMEs. See the press release which includes a link through to Q&A on GDPR.

The Commission also published ‘Stronger protection, new opportunities’, a communication to the European Parliament and Council on GDPR. At paragraph 3.2, it discusses the new independent European Data Protection Board, which will replace the Article 29 Working Party (WP29) when GDPR comes into force. Importantly, the Board will not only issue guidelines on how to interpret core concepts of GDPR but will also issue binding decisions on disputes regarding cross-border processing, to ensure consistency of approach across the EU.

The WP29 recently adopted final versions of its guidelines on personal data breach notification and automated individual decision-making and profiling. It has also adopted final versions of its working documents on adequacy and binding corporate rules for controllers and for processors. It is currently consulting until 26 March 2018 on proposed guidelines for the application of Article 49 of GDPR, which concerns derogations from the prohibition on transfers of personal data outside of the EU. It is also consulting until 30 March 2018 on proposed guidelines on the accreditation of certification bodies under GDPR. Certification mechanisms are one of the voluntary measures to facilitate compliance with GDPR. The WP29 has not yet adopted its final guidelines on consent and transparency. Walker Morris will continue to monitor and report on developments.

In the press release issued after its February plenary meeting, the WP29 says that it is fully aware of the specific needs of SMEs and will provide guidance on when the obligation to maintain a record of processing activities under GDPR applies. It will also work on updating the existing guidelines and criteria on the right to be forgotten. Links to the press release, consultations and other documents can be found on the new WP29 website.

Update on the UK’s Data Protection Bill and Brexit

The new Data Protection Bill, which will sit alongside GDPR, has completed its stages in the House of Lords and was presented to the House of Commons on 18 January 2018. It is expected to have its second reading there on 5 March 2018.

In a speech at the Munich Security Conference on 17 February 2018, the Prime Minister said: “The UK’s Data Protection Bill will ensure that we are aligned with the EU framework. But we want to go further and seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. And we envisage an ongoing role for the UK’s Information Commissioner’s Office, which would be beneficial in providing stability and confidence for EU and UK individuals and businesses alike. And we’re ready to start working through this with colleagues in the European Commission now”.

In its future partnership paper on the exchange and protection of personal data, published in August 2017, the government said that it wanted to explore a UK-EU model which could build on the existing adequacy model (where the European Commission assesses whether a third country’s data protection standards are ‘essentially equivalent’ to those applied in the EU) in two ways. Firstly, by enabling an ongoing role for the ICO in “EU regulatory fora”. Secondly, by the UK and EU agreeing to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU and other EU adequate countries, and the UK, from the point of exit (until longer-term arrangements come into force).

On 19 January 2018, the European Commission issued a notice to stakeholders processing personal data, reminding them of the legal repercussions which will need to be considered when the UK becomes a third country, “in view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement”. It notes that: “Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries apply”.

ICO fee changes announced

The government recently announced changes to the way that the ICO will be funded from 25 May 2018. Under GDPR, there will no longer be a requirement to notify or register with the ICO on an annual basis as under the current rules, but there will be a legal requirement for data controllers to pay the ICO an annual ‘data protection fee’ unless they are exempt. The new fees range from £40 to £2,900 with an automatic £5 discount when paying by direct debit. There is a three-tier structure based on number of staff, annual turnover, and whether the organisation is a public authority, charity or small occupational pension scheme. See our newsflash for more details.

Latest ICO enforcement action

Carphone Warehouse was issued with a £400,000 fine, one of the ICO’s largest to date, after one of its computer systems was compromised as a result of a cyber-attack in 2015. Serious failures placed customer and employee data at risk.

A company that was previously fined £50,000 by the ICO for making nuisance calls has been prosecuted under the ICO’s criminal enforcement powers for continuing to break the law. Recent ICO fines in relation to nuisance calls include: a £300,000 fine for making 8.7 million automated marketing calls; a £350,000 fine for making 75 million automated marketing calls in four months; a total fine of £600,000 issued against four companies behind 44 million spam emails, 15 million nuisance calls and one million spam texts; and a fine issued to a former employee of an accident repair firm who downloaded and sold the personal data of motorists to nuisance callers. Ofcom and the ICO recently published an update to their joint action plan to address the consumer harm caused by nuisance calls and messages.

Basildon Borough Council has had a £150,000 ICO fine reduced to £75,000 on appeal. It received the fine in May 2017 for publishing sensitive personal data in online planning documents. The Council submitted that the level of fine should have been much lower for a number of reasons, including that the disclosed data was relatively limited, and that the Council had self-reported to the Commissioner and taken steps to review its data protection policies. The Commissioner considered that she had already taken the Council’s mitigation points into account and that the level of penalty was “appropriate and proportionate”. The Tribunal upheld the Commissioner’s decision to issue the fine, but felt that some of the mitigation points had not been given sufficient weight. Although it did not influence the Tribunal’s decision, the Tribunal also noted that “unlike fines imposed in the criminal justice system there is no independent body such as the Sentencing Council providing a definitive list of relevant aggravating and mitigating factors and a matrix of appropriate fines…the Commissioner is seeking to establish her own ‘database’ of penalties and pertinent factors to be taken into account…, though it might be argued that it is not entirely appropriate for the investigator and enforcer of monetary penalty notices to be the body that also effectively sets the level of the penalties”.

In other enforcement news: a former local authority education worker was fined after sharing personal information about schoolchildren and parents via Snapchat; the ICO executed a search warrant at the home of a person suspected of posing as an ICO officer to commit criminal offences; a man was prosecuted after posting sensitive police information on Twitter; and a firm of loss adjusters, one of its directors and a senior employee, and rogue private investigators received record fines for being involved in the illegal trade in personal information.

Points to note from recent speeches by the UK’s Information Commissioner

On 23 February 2018, a speech by the UK’s Information Commissioner was screened at the Direct Marketing Association’s (DMA) Data Protection Event 2018. Here are some of the key points:

  • The ICO will soon publish an overview/roadmap of the UK’s new Data Protection Bill in response to feedback that it is “complex and confusing”.
  • It will also publish tools aimed at micro businesses (organisations employing fewer than ten people).
  • The ICO is working with the DMA to help produce a Direct Marketing Guide.
  • Its own Direct Marketing Code of Practice is “in the pipeline”.
  • The new e-Privacy Regulation (which sets out rules for direct marketing via phone, text and email, and which was due to apply at the same time as GDPR) is still being debated in Europe, “but a default for all consumer marketing to be opt-in is in the current draft”. The Privacy and Electronic Communications Regulations (or PECR) will sit alongside GDPR until the e-Privacy Regulation comes into force. The Commissioner said: “That means electronic marketing will require consent. Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it. It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent. You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent”.

In a speech given earlier in February on information rights and responsibilities and focused on the public sector, the Information Commissioner mentioned, among other things, the following points of interest:

  • She will soon publish a blog setting out the essential steps for developing accountability in organisations.
  • Most cyber breaches and attacks are preventable: “The high profile attacks on TalkTalk and Carphone Warehouse would not have happened if they had put rudimentary protections in place. And if NHS systems had been patched and up to date, they would have been protected from Wannacry”.
  • New guidance that the ICO has written with the National Centre for Cyber Security will be published soon.
  • The ICO runs free, “no strings attached” voluntary audits to check organisations are on the right track and to identify weaknesses or red flags.
  • It will soon launch its first ever technology strategy setting out its plans for the future (now published).
  • It is developing a “sandbox”, a safe place for companies and public bodies to test the data durability of their innovations.
  • The Commissioner described the ICO as “a risk-based, proportionate regulator”. She said that she knows there will be many organisations that are less than 100 per cent compliant on 25 May 2018: “This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort”.

Cyber security update

The government responded at the end of January 2018 to the consultation on its plans to implement the Security of Network and Information Systems Directive (or NIS Directive) in the UK. The NIS Directive must be transposed into UK law by 9 May 2018. Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. The National Cyber Security Centre has issued guidance for organisations on what they need to do to comply.

The European Economic and Social Committee says that the EU should “strengthen the mandate of ENISA [the European Union Agency for Network and Information Security] as the EU cybersecurity agency, create a certification framework at European level, and focus on the education and protection of internet users”. It broadly supports the Cybersecurity Act which was put forward by the European Commission in September 2017, and it proposes a number of practical measures to increase the European cybersecurity framework. See the press release here.

Here in the UK, the government recently consulted on the Commission’s proposal for a Cybersecurity Act and the House of Commons European Scrutiny Committee requested clarification from the government on the policy and Brexit implications of the proposal.

More news from Europe…

On 28 January 2018, Facebook published its privacy principles for the first time. It also introduced an education campaign which will include educational videos on important privacy topics. A new privacy centre will be introduced this year featuring core privacy settings in a single place, a move prompted by the requirements of GDPR.

Facebook has come increasingly under fire in Europe on a number of fronts. A German court recently found its default privacy settings and use of personal data to be in breach of German consumer law; and a Belgian court ruled that the company failed to comply with Belgian privacy legislation when tracking and recording the browsing behaviour of internet users in the country. The European Court of Justice ruled that privacy campaigner Max Schrems can sue Facebook in his home state of Austria as a “consumer”, despite his various semi-commercial activities which include publishing books, lecturing and fundraising. He does not have to sue in Ireland, where Facebook is based. However, the court ruled against Schrems being able to bring claims in Austria on behalf of thousands of consumers from Austria and other countries.

On 15 February 2018, the European Commission announced that Facebook, Google and Twitter had made changes to their terms of services “to make them customer-friendly and compliant with EU rules”. A factsheet sets out an overview of the changes.

We reported in the previous edition of the Regulatory round-up that Max Schrems launched a non-governmental organisation (called “noyb” or “None of Your Business”) with the aim of ensuring “that the tech industry is following fully the existing privacy and data protection laws in the European Union, through strategic litigation in the public interest”. He has already surpassed the minimum funding goal.