Data Protection – July/August 2018

three unlocked red lock icons and one locked lock icon in the middle Print publication


Latest on Privacy Shield and model contract clauses; ICO data analytics investigation, including Facebook fine; other recent developments.

EU-US Privacy Shield under threat (as the battle over model contract clauses rumbles on…)

The embattled EU-US Privacy Shield, one of the approved mechanisms for the transatlantic transfer of personal data, is under threat on a number of fronts.

On 5 July 2018, the European Parliament issued a non-binding resolution to suspend the Privacy Shield unless the US complies with EU data protection rules by 1 September 2018. It says that there is a need for better monitoring of the agreement following the recent Facebook/Cambridge Analytica data breach, given that both companies are certified under the Privacy Shield. It is also concerned about a new US law known as the CLOUD Act (Clarifying Lawful Overseas Use of Data), which grants the US and foreign police access to personal data across borders. We reported in the previous edition of the Regulatory round-up that the European Parliament’s Civil Liberties, Justice and Home Affairs Committee had been calling on the European Commission to suspend the Privacy Shield. See the European Parliament’s press release following the recent vote.

The Privacy Shield was criticised even before its launch in July 2016. It was introduced after the Court of Justice of the European Union (CJEU) held that the previous framework, ‘Safe Harbor’, was invalid. Following the first annual review of the Privacy Shield in September 2017 the Commission said that, on the whole, the framework continued to ensure an adequate level of data protection, but there was room for improvement. While the European Parliament’s recent resolution is not binding, it will ramp up the pressure on the Commission and its US counterparts when the second annual review takes place in October 2018.

The Privacy Shield was one of the topics discussed by the European Data Protection Board (EDPB) at its second plenary meeting held on 4/5 July 2018 (see the press release). The US Ombudsperson responsible for handling national security complaints under the Privacy Shield was invited to and attended the meeting. The EDPB said that it was particularly interested in the concerns addressed to the US by the EDPB’s predecessor, the Article 29 Working Party. It notes that the meeting was “interesting and collegial” but did not provide a conclusive answer to those concerns, which will remain at the top of the agenda during the second annual review. It is also calling on the US authorities to provide supplementary evidence in order to address the concerns raised.

In separate but related news, we reported previously that the Irish High Court has referred to the CJEU 11 questions over the validity of the Commission’s adequacy decisions on model contract clauses, one of the alternative available data transfer mechanisms. This followed the complaint by privacy activist Max Schrems (who brought down Safe Harbor) to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US. A number of those questions refer directly to the Privacy Shield. Facebook was recently granted unprecedented leave to appeal to the Irish Supreme Court. The appeal is expected to be heard before the end of 2018, most likely before the CJEU delivers its judgment. Despite this latest twist, the referral to the CJEU still stands.

For now, at least, both the Privacy Shield and model contract clauses remain valid mechanisms for the transatlantic transfer of personal data, but the future is uncertain. Walker Morris will continue to monitor and report on developments.

On the subject of Facebook (again)…

On 10 July 2018, the UK’s Information Commissioner’s Office (ICO) published a detailed progress report on its ongoing investigation into the use of data analytics for political purposes. The investigation was launched in 2017 following concerns over how personal data was used during campaigning for the 2016 EU referendum. The ICO says in its report that the investigation has since broadened, becoming the largest of its type by any data protection authority involving social media online platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups. Facebook and Cambridge Analytica became the focus of the investigation earlier this year.

The ICO investigation has concluded that Facebook broke the law by unfairly processing personal data and failing to take appropriate technical and organisational measures against unauthorised or unlawful processing. The ICO has signalled its intention to fine Facebook £500,000, the maximum financial penalty it can issue under the old Data Protection Act. This is due to the timing of the incidents being investigated. Under the EU General Data Protection Regulation (GDPR), which sits alongside the new Data Protection Act 2018, the ICO can issue financial penalties of up to €20 million or 4% of global turnover, whichever is higher. See the ICO’s blog post for a link through to the progress report and a second report setting out the findings and recommendations from the investigation. The ICO is calling on government to introduce a statutory code of practice for the use of personal data in political campaigns.

Over in the US, leading consumer privacy and civil liberties organisations have been urging the Federal Trade Commission (FTC) to conclude its own investigation into the Facebook/Cambridge Analytica scandal and issue its judgment before 1 September 2018 – the cut-off date given by the European Parliament for suspension of the Privacy Shield. In the 16 August letter they refer, among other things, to the ICO’s fine, and to a statement from the European Union Justice Commissioner that the European Commission is “impatiently waiting” for the FTC to conclude its investigation. The organisations say that a lack of enforcement by the FTC of the Privacy Shield would “imperil both European and American consumers and undermine the digital economy”.

As the fallout from the Cambridge Analytica scandal continues, it has been widely reported that Facebook is facing multiple class action lawsuits/group litigation by users whose data was improperly harvested.

On 27 June 2018, just after our previous edition of the Regulatory round-up went to press, the Norwegian Consumer Council published a report ‘Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy’, in which it analyses a sample of settings in Facebook, Google and Windows 10, and shows how default settings and “dark patterns” – techniques and features of interface design meant to manipulate users – are used to “nudge” users towards privacy intrusive options. It argues that “providers of digital services use a vast array of user design techniques in order to nudge users toward clicking and choosing certain options. This is not in itself a problem, but the use of exploitative design choices, or “dark patterns”, is arguably an unethical attempt to push consumers toward choices that benefit the service provider. We find that the use of these techniques could in some cases be deceptive and manipulative and we find it relevant to raise questions whether this is in accordance with important data protection principles in the GDPR, such as data protection by design and data protection by default… Excessive nudging toward privacy intrusive options, use of dark patterns and privacy intrusive default settings, should in our view not be regarded as freely given or explicit consent”.

We reported previously that Max Schrems’ non-profit organisation “noyb” (meaning “None of Your Business”) has already filed multi-billion-euro complaints against Google, Instagram, WhatsApp and Facebook with various European data protection authorities, over the issue of “forced consent”.

According to the EDPB, most data protection authorities have reported a substantial increase in the number of complaints received since GDPR came into force.

Back in the UK…

The Court of Appeal provided welcome guidance for data controllers on how to approach data subject access requests in “mixed data” cases. See our recent briefing for details.

In its white paper on the future UK-EU relationship, published on 12 July 2018, the government says in relation to data protection that the EU’s adequacy framework provides the right starting point, but reiterates its desire for an “extensive agreement on the exchange of personal data that builds on the existing adequacy framework”. It says that the UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the Brexit implementation period at the latest, to provide the earliest possible reassurance that data flows can continue.

Latest from the ICO, including recent enforcement action

On 20 July 2018, the Information Commissioner published her second annual report. Pages 14 to 23 set out the ICO’s major achievements and work this year, in relation to each of its strategic goals. Unsurprisingly, GDPR and the new Data Protection Act feature prominently. See the ICO’s blog post for details.

The ICO is consulting until 10 September 2018 on updating its 2011 data sharing code of practice, to explain and advise on changes to data protection legislation, including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities. The Information Commissioner is required to consult with the Secretary of State before preparing the updated code, and is seeking views from interested parties by way of an online form to help inform her work.

The ICO’s Guide to the GDPR was updated in August 2018 to include expanded guidance on international transfers. This is timely, given the current focus on the Privacy Shield and model contract clauses.

The ICO consulted until 28 June 2018 on how it will use its increased powers under new data protection legislation. It has now published a summary of responses to the consultation and the updated Regulatory Action Policy is awaiting parliamentary approval.

In recent enforcement action: a data broking company was fined £140,000 for collecting and selling the personal information of more than 1 million people for political campaigning; a marketing firm was fined £100,000 for making more than 75,000 calls to people who had opted out by registering with the Telephone Preference Service; a firm which was registered as an IT service provider was fined £60,000 after it allowed its lines to be used to send spam texts promoting payday loans to more than 270,000 people, without their consent; and the Independent Inquiry into Child Sexual Abuse was fined £200,000 after a member of staff sent a bulk email identifying possible abuse victims, having entered the addresses in the “to” field instead of the “bcc” field by mistake. Among other things, the ICO investigation found that staff had not been provided with any, or any adequate, guidance or training, and the Inquiry had breached its own privacy notice by sharing participants’ email addresses with the IT company it had hired to manage the mailing list, without their consent.

The ICO is continuing to investigate the Dixons Carphone data breach announced in June 2018. The company initially said that it had launched an investigation into unauthorised data access affecting 5.9 million payment cards and 1.2 million personal data records. On 31 July 2018, it reported that the investigation, which is nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.