Data Protection – June/July 2019
British Airways and Marriott face substantial GDPR fines
In a significant development and stark warning to all organisations, the Information Commissioner’s Office (ICO) issued notices of its intention to fine British Airways £183.39 million, and Marriott International more than £99 million, for infringements of the General Data Protection Regulation (GDPR). Prior to GDPR coming into force, financial penalties were capped at £500,000.
The proposed British Airways fine concerns a cyber incident in which the personal data of approximately 500,000 customers was compromised by poor security arrangements (see the ICO’s statement). The proposed Marriott International fine concerns a cyber incident in which a variety of personal data contained in approximately 339 million guest records globally was exposed. The ICO investigation found that Marriott failed to undertake sufficient due diligence when it bought the Starwood hotels group in 2016 and it should also have done more to secure its systems (see the ICO’s statement).
The ICO will consider carefully the representations made by each company and the EU data protection authorities whose residents have been affected before it takes its final decisions.
Large fines may have been slow to materialise in the year since GDPR came into force, but they were expected to start flowing as the first investigations under the new regime concluded. These recent proposed fines are a clear indicator that the ICO means business when it comes to dealing with infringements. Organisations of all sizes should ensure that they have the necessary systems in place to comply with GDPR, and to demonstrate that compliance, including in relation to breach reporting. The proposed Marriott fine also highlights the importance of considering GDPR issues when carrying out due diligence on target companies.
ICO issues new cookies guidance
- The user must take a clear and positive action to give their consent to non-essential cookies – continuing to use the website does not constitute valid consent. Users who fail to engage with the consent box, for example in a banner or a pop-up, cannot be said to consent to the setting of these cookies.
- Users must be clearly informed about what the cookies are and what they do before they consent to them being set.
- If any third-party cookies are used, the third parties must be clearly and specifically named and an explanation given as to what they will do with the information.
- Pre-ticked boxes (or equivalents such as ‘on’ sliders) cannot be used for non-essential cookies.
- Users must be provided with controls over any non-essential cookies, and still allowed access to the website if they don’t consent to these cookies.
- A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option.
- A consent mechanism that doesn’t allow a user to make a choice would also be non-compliant, even where the controls are located in a ‘more information’ section.
- Organisations must ensure that any non-essential cookies are not placed on the landing page, and similarly that any non-essential scripts or other technologies do not run, before the user has given their consent.
There is detailed guidance on how to comply with the cookie rules, including the suggestion to conduct a ‘cookie audit’.
The guidance notes that the cookie rules will be modernised and updated in the future when the proposed ePrivacy Regulation is (eventually) finalised in Europe.
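As an added illustration (not code from the ICO guidance or the original article), the following JavaScript models the points above as a consent gate: non-essential scripts and cookies stay blocked until the user takes a positive action, every category defaults to off, and an audit lists cookies present without consent. The cookie names and the in-memory cookie jar are assumptions.

```javascript
// Added example, not code from the ICO guidance or the original article: a
// consent gate that models the cookie rules above. Cookie storage is a
// constructed in-memory Map so the logic runs outside a browser.

// Assumed names of strictly necessary cookies, which need no consent.
const ESSENTIAL = new Set(["session_id", "csrf_token"]);

function createConsentGate(categories, jar = new Map()) {
  // null means no positive action yet. Scrolling, navigating or ignoring the
  // banner never changes it, so "continuing to use the site" is not consent.
  let consent = null;
  const deferred = []; // non-essential loaders held back until consent

  const allowed = (name) =>
    ESSENTIAL.has(name) || (consent !== null && consent[name] === true);

  // Explicit user action only (Accept/Reject clicked, sliders submitted).
  // Every category starts unticked, so omitted categories stay refused.
  function recordChoice(choices) {
    consent = Object.fromEntries(categories.map((c) => [c, choices[c] === true]));
    for (let i = deferred.length - 1; i >= 0; i--) {
      if (allowed(deferred[i].name)) deferred.splice(i, 1)[0].loader();
    }
  }

  // Non-essential scripts are registered, not executed, until consent exists.
  function registerNonEssential(name, loader) {
    if (allowed(name)) loader();
    else deferred.push({ name, loader });
  }

  // Only essential cookies, or those the user actively agreed to, are written.
  function setCookie(name, value) {
    if (!allowed(name)) return false;
    jar.set(name, value);
    return true;
  }

  // Cookie audit: anything in the jar that is neither essential nor consented
  // to (e.g. set by a third-party tag that bypassed the gate) is a finding.
  function audit() {
    return [...jar.keys()].filter((name) => !allowed(name));
  }

  return { recordChoice, registerNonEssential, setCookie, audit };
}
```

The audit step mirrors the "cookie audit" the guidance suggests: run it against the live cookie store after each consent state to catch tags that write cookies outside the gate.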
European Court hears landmark case on data transfers
Europe’s highest court, the Court of Justice of the European Union (CJEU), recently heard a landmark case on data transfers. This is the latest twist in the long-running litigation involving Facebook and Austrian privacy activist Max Schrems regarding the transfer of his personal data by Facebook Ireland Limited to Facebook Inc. in the US for processing, and concerns over US mass surveillance.
The Irish Data Protection Commissioner referred 11 questions to the CJEU concerning the validity of the European Commission’s adequacy decisions on model contract clauses (which are also known as standard contractual clauses), one of the key mechanisms permitting the transfer of personal data from the European Economic Area (EEA) to the US and other countries outside the EEA. The EU-US Privacy Shield, another key mechanism for transatlantic data transfers, is also subject to challenge. If the CJEU’s decision results in the invalidation of both mechanisms, this will leave businesses with limited, if any, alternative options.
Brexit is a further complicating factor. If the European Commission has not made an adequacy decision in respect of the UK (i.e. a finding that the legal framework in place provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data) by exit day, one of the key fallbacks in relation to transfers from the EEA to the UK is the use of these standard contractual clauses.
The Advocate General’s opinion on the case, which the CJEU may or may not follow, is expected in December 2019, with the CJEU’s judgment following sometime in early 2020. In the meantime, affected organisations should take stock of their current data transfer arrangements and consider what measures they can take to minimise the impact of invalidation on their business. Among other things, non-compliant transfers carry the risk of attracting maximum penalties under GDPR and the prospect of claims from affected data subjects.
The hearing of an action brought by a French privacy advocacy group to invalidate the Privacy Shield was vacated pending the CJEU hearing.
In related news, a permanent Privacy Shield ombudsman has been appointed in the US, which addresses one of the European Commission’s key concerns from its second annual review of the functioning of the Privacy Shield.
The National Cyber Security Centre published guidance to help small to medium sized organisations prepare their response to, and plan their recovery from, a cyber incident. It also announced changes to the Cyber Essentials Scheme.
A new EU Cybersecurity Act is now in force, part of Europe’s Digital Single Market Strategy. The European Commission has published an at-a-glance factsheet about the new Act. Also see the Commission’s press release and the government’s notice explaining the legislation.
The Financial Stability Board (FSB) published a survey of industry practices in both the financial and non-financial industry sectors on effective practices in response to, and in order to recover from, cyber incidents. Responses are requested by 28 August 2019. The FSB is developing a toolkit aimed at providing financial institutions and authorities with a set of effective practices. The toolkit’s development will also be informed by a review of publicly available documents on how firms have responded to and recovered from past cyber incidents and a stocktake of relevant publicly released guidance issued by national authorities and international organisations.
In other news…
- The ICO is consulting until 9 September 2019 on a draft data sharing code of practice, updating the previous code which was published in 2011. This follows a call for views launched in August 2018. A helpful summary of the draft code is set out on pages 4 to 6. It is described as a practical guide for organisations about how to share personal data in compliance with data protection legislation, explaining the law and providing good practice recommendations.
- On 11 July 2019, the ICO’s Executive Director for Technology Policy and Innovation gave a speech on the future of online advertising regulation following the publication of its update report into adtech and real time bidding. The ICO is not convinced current practices comply with the law and is giving the industry a six month period to reflect, review and address its concerns.
- The ICO’s Executive Director for Technology Policy and Innovation also provided an update on the progress made in developing the ICO approach to auditing artificial intelligence (AI). He said that the ICO does not expect organisations to redesign their risk management practices from scratch, but it does expect them to review them and make sure they remain fit-for-purpose if AI is used to process personal data. The initial consultation phase on the new framework concludes at the end of October 2019 and a formal consultation paper is expected to be published no later than January 2020.
- On 28 June 2019, the ICO published its new access to information strategy, which calls for better compliance by public authorities backed up with enforcement action. See the blog post for details.
- The ICO’s Director of Freedom of Information published a blog post for public authorities on the issues surrounding charging for providing access to environmental information under the Environmental Information Regulations 2004.
- The Information Commissioner published a blog post on her concerns surrounding the use of live facial recognition technology.
- The ICO also recently published a blog post on data subject access requests (DSARs), in light of the work it has been doing with the Metropolitan Police Service to address a large DSARs backlog.
- In recent ICO enforcement action, telecoms company EE Limited was fined £100,000 for sending over 2.5 million direct marketing messages to its customers without consent. EE submitted that the texts were sent as service messages and therefore not covered by electronic marketing rules. The ICO Director of Investigations said: “These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products or services, it is no longer a service message and electronic marketing rules apply”.
- We reported previously that supermarket chain Morrisons has been granted permission to appeal to the Supreme Court against last year’s Court of Appeal decision upholding a High Court ruling that the company was vicariously liable in damages for the actions of one of its former employees who, while employed as a senior internal auditor at the company, deliberately leaked payroll data online relating to almost 100,000 employees following disciplinary action. The Supreme Court is due to hear the appeal in early November 2019.
- The European Data Protection Board is consulting until 9 September 2019 on guidelines on the processing of personal data through video devices.
- And finally, the Department for Digital, Culture, Media & Sport issued a call for evidence on the National Data Strategy, which will “unlock the power of data across government and the wider economy, while building citizen trust in its use”. A summary of relevant evidence will be published as part of a formal National Data Strategy consultation later in 2019.