Data Protection – March 2018

Print publication


Latest on GDPR, the UK’s Data Protection Bill, WhatsApp, Facebook, enforcement action, cybersecurity and more.

Latest on the EU General Data Protection Regulation (GDPR)

On 22 March 2018, the Information Commissioner’s Office (ICO) published draft guidance on Data Protection Impact Assessments (DPIAs). The guidance will replace the ICO’s previous code of practice on conducting privacy impact assessments. GDPR introduces a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests. While DPIAs are a legal requirement for processing that is likely to be high risk, the ICO says that “an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals”. The “In brief” section on page 5 explains what organisations need to do in the run up to 25 May 2018, when GDPR comes into force. The ICO has also published a blog post on the consultation, which closes on 13 April 2018.

The ICO continues to update its Guide to the GDPR. It has published detailed guidance on legitimate interests and expanded its pages on DPIAs, Data Protection Officers, the right to be informed, the right to erasure, the right to rectification and the right to restrict processing.

The ICO’s guidance on direct marketing has been updated to include boxes on GDPR. The guidance will be replaced following consultation in due course on a Direct Marketing Code of Practice. Key points to note are:

  • until the new e-Privacy Regulation is finalised, the existing PECR (Privacy and Electronic Communications Regulations) rules will apply using the GDPR definition of consent
  • consent must therefore be unambiguous and involve an affirmative action (this means a positive opt-in) unless soft opt-in can be relied upon
  • pre-ticked opt-in boxes are banned under GDPR and, while opt-out boxes are not specifically banned, the ICO’s view is that they are unlikely to comply
  • consent should not be bundled up as a condition of service unless it is necessary for that service, as made clear under GDPR
  • any third party controllers who will be relying on the consent must be named – precisely defined categories of third parties will not be acceptable
  • organisations must keep records to demonstrate that they have obtained valid consent, including who consented, when, how, and what were they told
  • as set out in GDPR, individuals must be told about their right to withdraw consent and offered easy ways to do so at any time
  • the absolute right to object to marketing under GDPR applies to business-to-business direct marketing
  • the right to object to direct marketing does not prevent a controller from holding a suppression list; the list is held for compliance purposes as opposed to direct marketing.

The final content of the European-level guidelines on consent under GDPR is expected to be agreed on 10/11 April 2018, after which the ICO will publish a final updated version of its own guidance.

The ICO recently launched a campaign to help micro businesses prepare for GDPR. See the press release here. It is also supporting the Federation of Small Businesses campaign to help small businesses prepare for GDPR.

The Fundraising Regulator and the Institute of Fundraising have produced a series of joint guidance briefings on GDPR and charitable fundraising.

The Crown Commercial Service recently published a blog post on what it is doing to get ready for GDPR and what organisations will need to do. It previously published a guide on GDPR for public sector buyers.

Nominet UK, the .uk domain name registry in the UK, is consulting on its proposed changes to comply with GDPR.

And finally, the European Data Protection Supervisor’s 2017 Annual Report – Data Protection and Privacy in 2018: going beyond the GDPR was published on 19 March 2018.

Latest on the UK’s Data Protection Bill

The ICO has now published an introduction to the Data Protection Bill. It intends to produce detailed guidance once the Bill has been enacted. The current Data Protection Act 1998 will be superseded by the new Data Protection Act 2018 on 25 May 2018.

The Bill passed its second reading in the House of Commons on 5 March 2018 and, at the time of writing, MPs were considering it in a Public Bill Committee, which can take evidence as part of its scrutiny of the Bill. The latest version of the Bill can be found here.

The Information Commissioner produced a briefing ahead of the second reading. She has since provided written evidence and further written evidence to the Public Bill Committee. She says that there are a small number of outstanding issues which, if not resolved, could have a significant impact on her ability to conduct investigations and exercise her powers and functions in an independent and effective way. Her most significant concerns centre on: her ability to acquire the information she needs to assess whether the law has been broken; her independence when assessing whether processing of personal data by certain public bodies is in compliance with the law; and the breadth and effect of the exemption for defence purposes removing safeguards, individual rights and reducing the Commissioner’s powers. In her most recent submission she expresses concern over an agreed government amendment to the Bill which adds democratic engagement activity to the list of examples of processing activities that could be undertaken on the grounds of lawfulness of processing in the public interest, and deficiencies in her enforcement powers in relation to DPIAs in the area of law enforcement.

Debates are ongoing concerning the government’s decision not to include a provision in the Bill to exercise the available derogation at Article 80 (2) of GDPR. This allows not-for-profit organisations acting in the public interest to lodge complaints and exercise data subjects’ rights independently of the data subjects’ mandate (known as “collective redress”).

In its recent report on UK-EU security cooperation after Brexit the Home Affairs Committee considers the potential obstacles to data adequacy. It says that the evidence it has received “suggests that the UK’s current compliance with EU data protection law is no guarantee of obtaining a data adequacy decision without encountering challenges”, for reasons which include:

  • that the EU, when deciding on the question of adequacy, may examine the UK’s data protection regime relating to national security legislation, including controversial powers conferred by the Investigatory Powers Act 2016 (human rights organisation Liberty was recently in court to challenge mass surveillance powers in the Act)
  • the government’s apparent failure to incorporate into UK law the data protection provisions of the EU’s Charter of Fundamental Rights
  • the Data Protection Bill itself, because it denies data protection rights to certain people subject to immigration controls
  • the government’s “red line” on the future direct jurisdiction of the Court of Justice of the European Union.

In relation to the timeline for adequacy, the Committee says that, based on the evidence it has received, it has “serious concerns about the number of potential obstacles to the UK achieving an EU adequacy decision within two years. The Government’s position – that the UK’s current compliance with EU data protection law should enable consistency after Brexit Day – takes no account of the different rules governing third countries’ access to EU data. At best, this response is evasive; at worst, it suggests that the Government is worryingly complacent about the UK’s future access to EU data”.

As the Information Commissioner said in a recent speech discussing her varied roles: “Should the UK leave the EU without a data deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners”. In relation to Brexit, the Information Commissioner also mentioned: possible divergences of interpretation of the law and confusion for companies that do business in the UK and the EU; uncertainty over the exact nature of the ICO’s future relationship with its European counterparts; and uncertainty over the arrangements for the protection of EU citizens’ data exported from the UK to the rest of the world, including to the United States.

WhatsApp undertakes not to share personal data with Facebook

WhatsApp Inc, operator of the WhatsApp mobile messaging service, has signed an undertaking with the Information Commissioner, publicly committing not to share personal data with Facebook until it can do so in compliance with GDPR. WhatsApp was acquired by Facebook in 2014 and the ICO recently completed its investigation into the sharing of personal data between WhatsApp and the Facebook group of companies. See the ICO’s comprehensive blog post here.

On the subject of Facebook…

Facebook’s founder has apologised following recent allegations that personal data from over 50 million of its users was improperly harvested and used by UK political consultancy firm Cambridge Analytica to influence the 2016 US presidential election and Brexit referendum. The ICO executed a warrant on 23 March 2018 to inspect the premises of Cambridge Analytica, as part of its ongoing formal investigation into the use of data analytics for political purposes, given the potentially significant impact of data analysis tools on individuals’ privacy. See the ICO’s latest statement here. It has been widely reported that Facebook is facing investigations by the US Federal Trade Commission and the EU.

Recent ICO enforcement action and other news

The ICO raided addresses in Greater Manchester as part of an investigation into companies suspected of sending over 11 million unsolicited text messages.

A Scottish company was raided as part of an ICO investigation into the making of over 200 million illegal nuisance calls, some of which were made to a public safety control centre for unmanned level crossings, potentially putting lives at risk. 146 million calls is the highest number to date to result in an ICO fine.

The ICO published a blog post Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection, which will be of particular interest to manufacturers and retailers.

An international operation involving the ICO has found that the affiliate marketing industry “has significant issues to overcome in terms of compliance with rules concerning privacy and unsolicited communications”. See the ICO’s webpage here.

The ICO published its first ever Technology Strategy, covering the period 2018 to 2021. One of the ICO’s eight technology goals is to provide effective guidance to organisations about how to address data protection risks arising from technology. Cybersecurity is one of three technology priority areas identified for 2018/2019.

A public education campaign called “Your Data Matters” will be launched in April 2018 to educate the public on their new rights under data protection law.

“Digital Government” provisions of the Digital Economy Act 2017 come into force on 1 May 2018

Various provisions in Part 5 of the Digital Economy Act 2017, which gives government new powers to share personal information across organisational boundaries to improve public services, come into force on 1 May 2018. The government consulted in late 2017 on various draft data sharing codes of practice, regulations and a statement of principles as required under Part 5 of the Act. Revisions have been made in light of the comments received.

Cybersecurity update

The National Cyber Security Centre has launched its first cybersecurity guidance for the charity sector. Other recent publications include guidance on denial of service attacks and guidance on how organisations can defend themselves against email phishing attacks.