Data Protection – June 2018

First GDPR complaints filed; Privacy Shield update; proposed fines for nuisance call directors; cybersecurity and more.

Latest on the EU General Data Protection Regulation (GDPR)…

Since the 25 May 2018 implementation date for GDPR, the Information Commissioner’s Office (ICO) has continued to update its Guide to the GDPR, to include detailed guidance on children and the GDPR and detailed guidance on determining what is personal data. It has also added guidance on the GDPR’s seven key principles.

The ICO launched a range of resources for its “Your data matters” public information campaign, including pages explaining the different personal data rights. See this post for more information about the campaign. Organisations can download and use the materials to help clients and customers understand how GDPR works. Those wanting to pledge their support for their customers’ or service users’ data rights can sign up to a public register and gain access to an exclusive banner for use on their communications materials.

Changes to the way that the ICO is funded came into force on 25 May 2018 (see our earlier briefing for details of what organisations need to do). The ICO’s new data protection fee webpage can be found here. The ICO’s register of fee payers is now publicly available.

The new European Data Protection Board (EDPB) replaced the Article 29 Working Party on 25 May 2018. The EDPB recently published its final guidelines on derogations applicable to international transfers under GDPR. It is currently consulting until 12 July 2018 on guidelines on certification and identifying certification criteria.

…as the first complaints are filed

Austrian privacy campaigner Max Schrems wasted no time in taking action under GDPR. On the same day that the GDPR came into force, his non-profit organisation “noyb” (meaning “None of Your Business”) filed multi-billion-euro complaints against Google, Instagram, WhatsApp and Facebook with various European data protection authorities, over the issue of “forced consent”. See the press release for details.

More news from Europe

At its first plenary meeting on 25 May 2018, the EDPB adopted a statement on ePrivacy. It calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the new ePrivacy Regulation.

On 31 May 2018, the European Data Protection Supervisor published a preliminary Opinion on the principle of “privacy by design” (a key feature of the accountability and governance requirements under GDPR), calling for “workable technology which serves the interests of society”. See the press release.

On 4 June 2018, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (known as the LIBE Committee) held the first part of a hearing on the Facebook/Cambridge Analytica case. On its website, the Committee says that: “The contributions made by speakers showed the need to further investigate the consequences this data breach has had on data protection and privacy, the possible impact on electoral processes, consumers’ trust in digital platforms, cybersecurity, the market position of Facebook etc”. The second part of the hearing is due to take place on 25 June 2018, when members will “question experts and Facebook representatives on issues such as data protection implications, alleged election interference and cybersecurity”.

In a separate but related development, the LIBE Committee has called on the European Commission to suspend the embattled EU-US Privacy Shield (the framework for transatlantic exchanges of personal data for commercial purposes) unless the US complies with it by 1 September 2018, saying that “the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter [of Fundamental Rights]”. It emphasises the need for better monitoring of the agreement (citing the fact that both Facebook and Cambridge Analytica are certified under the Privacy Shield). It is also concerned about a new US law granting the US and foreign police access to personal data across borders. See the press release here.

On the subject of the Privacy Shield, we reported in the previous edition of the Regulatory round-up that the Irish High Court has referred 11 questions to the Court of Justice of the European Union over the validity of the European Commission’s adequacy decisions on model contract clauses (following the complaint by Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US). Importantly, a number of these questions refer directly to the Privacy Shield. The second annual joint review of the Privacy Shield is due to be held in the autumn. Walker Morris will continue to monitor and report on developments.

Back in the UK…

The Department for Digital, Culture, Media & Sport and the Home Office have published various guidance on the new Data Protection Act 2018, which also came into force on 25 May 2018 and is to be read alongside GDPR.

The government is consulting until 21 August 2018 on taking action against directors in relation to nuisance calls and messages, including proposals to amend electronic marketing regulations to give the ICO increased powers to impose fines of up to £500,000. The ICO has welcomed the consultation.

On 7 June 2018, the Department for Exiting the European Union published a technical note on the benefits of a negotiated legally-binding data protection agreement between the UK and the EU; benefits which, it says, a standard adequacy decision (where the European Commission assesses whether a third country’s data protection standards are “essentially equivalent” to those applied in the EU) cannot provide. This includes a role for the ICO on the EDPB. The government previously published a presentation setting out its proposed future UK-EU framework in relation to data protection. In a speech delivered on 26 May 2018, the Commission’s chief Brexit negotiator rejected, among other things, the notion that the ICO could remain on the EDPB, and said that “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”.

On 13 June 2018, the Department for Digital, Culture, Media & Sport issued a consultation seeking views on the activities and work of the new Centre for Data Ethics and Innovation. In the words of the Secretary of State: “From helping us deal with the novel ethical issues raised by rapidly-developing technologies such as artificial intelligence, agreeing best practice around data use to identifying potential new regulations, the Centre will set out the measures needed to build trust and enable innovation in data-driven technologies. Trust underpins a strong economy, and trust in data underpins a strong digital economy”. The consultation closes on 5 September 2018.

Cybersecurity update

On 13 June 2018, Dixons Carphone announced that it had launched an investigation into unauthorised data access, affecting 5.9 million payment cards and 1.2 million personal data records. The National Cyber Security Centre, ICO and Financial Conduct Authority are among those investigating the breach.

Yahoo! was fined £250,000 by the ICO following a cyber attack in November 2014 which was only publicly disclosed almost two years later. Systemic failures put customer data at risk. In the accompanying blog post, the ICO’s Deputy Commissioner of Operations discusses the fine and reminds organisations of their cybersecurity responsibilities.

The British and Foreign Bible Society was fined £100,000 after intruders exploited a weakness in its computer network to access the personal data of 417,000 supporters.

Other recent ICO enforcement action

  • BT was fined £77,000 for sending 4.9 million emails to recipients who had not given the necessary consent. While the company did not deliberately break the rules, the Information Commissioner found that it should have known the risks and it failed to take reasonable steps to prevent them.
  • Gloucestershire Police was fined £80,000 after a bulk email was sent revealing the identities of abuse victims. The officer involved had not used the “Bcc” function on the email, meaning that names and email addresses, and other information relating to the allegations, were visible to other recipients, who included witnesses, lawyers and journalists.