Data Protection – November/December 2018

Abstract Technology background.Security concept with padlock icon Print publication


Walker Morris risk series stampPrivacy Shield second annual review report, Brexit guidance, latest from the ICO, cybersecurity and more.

US continues to ensure adequate level of protection for personal data transferred under the Privacy Shield

Stop press!! The European Commission has today confirmed in its report on the second annual review of the functioning of the EU-US Privacy Shield that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US. The Commission does, however, expect the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. See the press release.

Guidance on data protection and Brexit

On 13 December 2018, both the UK’s Information Commissioner’s Office (ICO) and the government published guidance for organisations on data protection and Brexit, in particular relating to a ‘no deal’ scenario. This blog post contains links to the various ICO materials and practical tools. The advice is particularly relevant for those involved in transfers of personal data to and from the European Economic Area. As there will be no control over provisions for the free flow of data into the UK, organisations will need to give careful thought to alternative data transfer mechanisms, such as standard contractual clauses. If you require any assistance in this regard, please do not hesitate to contact Andrew Northage or Jeanette Burgess, who will be very happy to help.

The political declaration setting out the framework for the future relationship between the UK and the European Union contains a section on data protection. It says that both parties are committed to ensuring a high level of personal data protection to facilitate data flows between them, given their importance. The EU will start the assessments on the adequacy of the UK’s data protection standards as soon as possible after withdrawal, endeavouring to adopt decisions by the end of 2020, which is when the transitional period is due to end.

In related news, the EU is currently in the final stages of adopting an EU-Japan adequacy decision, which will be the first adequacy decision since the EU General Data Protection Regulation (GDPR) came into force.

Latest from the ICO

The ICO has updated its Guide to the GDPR to include:

On 12 November 2018, the ICO issued a call for views on a new direct marketing code of practice, to reflect requirements under GDPR and the new Data Protection Act 2018. The consultation closes on 24 December 2018. Other recent calls for views concern a code of practice for the use of personal information in political campaigns, and an age appropriate design code, which will set out the design standards the ICO expects providers of online services and apps used by children to meet when they process their data. The various codes are intended to provide organisations with practical guidance.

Following changes to the Privacy and Electronic Communications (EC Directive) Regulations 2003, the ICO can now impose a monetary penalty on an officer of a body corporate or Scottish partnership in addition to the body itself, where the breach occurs as a result of action, or inaction, by that officer. The changes came into force on 17 December 2018.

It has been reported in the media that Facebook is appealing the £500,000 fine imposed on it by the ICO in the wake of the Cambridge Analytica scandal. The fine is one of a number of actions taken by the ICO as part of its investigation into the use of data analytics for political purposes. On 6 November 2018, the ICO published an update report to Parliament on the investigation. See the blog post for details.

The ICO has issued the first fines to organisations across a range of sectors for failing to pay the new data protection fee. In related news, the government recently published the outcome of its consultation on whether the current exemptions from paying the data protection fee remain appropriate and fit for purpose. Views were also sought on whether new exemptions should be introduced.

In the ICO’s first prosecution under the Computer Misuse Act, a motor industry employee was sentenced to six months in prison after he accessed thousands of customer records containing personal data without permission.

In other recent enforcement action: two companies that made nearly 1.73 million direct marketing phone calls to Telephone Preference Service subscribers were fined £160,000 and £90,000 respectively; another company was fined £200,000 after it sent 14.8 million marketing text messages without valid consent through a third party service provider; the Metropolitan Police Service was ordered to make significant changes to the ways in which it uses its Gangs Matrix (a database that records intelligence related to gang members) to comply with data protection law; and a former headteacher was fined £700 after he obtained schoolchildren’s personal data from schools where he had previously worked and uploaded it to his new school’s server.

The ICO is analysing initial responses to its regulatory sandbox project. It recently consulted on creating a regulatory sandbox, following on from the publication of its Technology Strategy for 2018-2021. The sandbox “will be a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways”. A consultation workshop will take place on 6 February 2019 and the ICO is committed to opening the sandbox, probably through a live ‘beta’ phase, later in 2019. See the blog post for details.

And finally, the ICO’s Deputy Commissioner (Policy) has posted a festive GDPR myth-busting blog to address some of the ongoing misconceptions surrounding GDPR and the new Data Protection Act 2018.

Cybersecurity update

The government has been undertaking its annual survey detailing the costs and impacts of cyber breaches and attacks on organisations. Businesses and charities from across the UK were selected at random to take part.

On 30 November 2018, hotel chain Marriott announced a data security incident involving its Starwood guest reservation database, potentially affecting up to 500 million guests. In the UK, the ICO is ‘making enquiries’.

The ICO recently fined Uber £385,000 (under the old data protection legislation) for failing to protect customers’ personal information during a cyber attack. The customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible US$100,000 to destroy the data they had downloaded. The ICO’s Director of Investigations said: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected”.

On 19 November 2018, the Joint Select Committee on the National Security Strategy published a report on the UK’s critical national infrastructure. It quotes the head of the National Cyber Security Centre as saying that a major cyber attack on the UK is a matter of ‘when, not if’. Among other things, the Committee says that the government’s current approach to improving the cyber resilience of the UK’s critical national infrastructure is “long on aspiration but short on delivery” and that “identifiable political leadership is lacking”. It urges the government to appoint a single Cabinet Office Minister charged with delivering improved cyber resilience across the UK’s critical national infrastructure.

On 10 December 2018, the European Parliament, Council and Commission reached a political agreement on the Cybersecurity Act, which will reinforce the mandate of the European Union Agency for Network and Information Security and establish an EU framework for cybersecurity certification. The Cybersecurity Act is part of a broader package of measures proposed in September 2017 to deal with cyber attacks and build strong cybersecurity in the EU and is a priority of the Digital Single Market strategy. See the press release for details.

More from Europe…

Ahead of a Transport, Telecommunications and Energy Council (Telecommunications) meeting in Brussels on 4 December 2018, consumer groups, non-governmental organisations and industry representatives wrote an open letter to EU member states in support of the ePrivacy Regulation, which was originally expected to apply at the same time as GDPR but has been slow to move forward. The organisations are concerned by the lack of progress and are urgently calling for agreement so that the legislative process can continue without delay. They stress that reform of the ePrivacy framework “is necessary to deliver effective confidentiality and security of modern online communications, to ensure clarity of the legal framework, and to restore public trust in the digital economy”.

In the meantime, the European Parliament and Council have both signed off on new rules for the free flow of non-personal data in the EU. See the Council’s press release. The regulation has since been published in the EU Official Journal and applies six months after publication.

A new regulation applied from 11 December 2018, bringing the data protection rules for EU institutions and bodies in line with the standards imposed on organisations by GDPR. See the press release from the European Data Protection Supervisor.

The European Data Protection Board is consulting until 18 January 2019 on guidelines on the territorial scope of GDPR.

The European Commission has been seeking feedback on a recommendation to establish a format for a European Electronic Health Record Exchange. The initiative “aims to facilitate cross-border interoperability and secure access to electronic health records for seamless exchange and use of health data in the EU”.  Adoption by the Commission is planned for the first quarter of 2019.

The Irish Supreme Court is now expected to hear Facebook’s appeal in the Schrems litigation in January 2019. It was previously scheduled for December 2018. The appeal concerns the Irish High Court’s referral of questions over the validity of the European Commission’s adequacy decisions on standard contractual clauses to the Court of Justice of the European Union. Walker Morris will continue to monitor and report on developments.

…and back in the UK

The government has published the response to its consultation on the creation of a Centre for Data Ethics and Innovation, a new advisory body, “to ensure our society keeps pace with the rapid developments in data-driven technology, supporting ethical and innovative uses of data and Artificial Intelligence”. The Centre’s first strategy document is due to be published by spring 2019. It has been commissioned to study the use of data in shaping people’s online experiences, and the potential for bias in decisions made using algorithms, with an interim progress update expected in summer 2019. The annual work programme will be agreed between the Centre’s chair and the Secretary of State for Digital, Culture, Media and Sport.

On 2 November 2018, the government published guidance for controllers relating to the register of information sharing agreements under Part 5 of the Digital Economy Act 2017, which gives government new powers to share personal information across organisational boundaries to improve public services.

On 21 November 2018, the Home Office published a communications data code of practice. Among other things, the code provides guidance on the procedures to follow when communications data is acquired and retained under parts 3 and 4 of the Investigatory Powers Act 2016.