Update on GDPR, e-Privacy Regulation, Data Protection Bill, Privacy Shield and more. Looking ahead to 2018.
Latest on the EU General Data Protection Regulation (GDPR) and e-Privacy Regulation
The UK’s Information Commissioner’s Office (ICO) has replaced its “Overview of the GDPR” with a “Guide to the GDPR”, which includes new expanded guidance on the lawful bases for processing (including consent and legitimate interests) as well as an expanded section on contracts and liabilities. The Guide links to ICO guidance and guidance from the EU’s Article 29 Working Party (WP29).
The WP29 consulted until 28 November 2017 on draft guidelines on personal data breach notification and on automated individual decision-making and profiling. The ICO is reviewing the consultation responses with the rest of the WP29 and finalised guidelines are expected in early 2018. The WP29 recently published draft guidelines on consent and transparency (accessed via the WP29 website). Comments are requested by 23 January 2018. The ICO says that it will publish a final updated version of its own consent guidance once the final content of the WP29 guidelines is clear.
The ICO has published a package of GDPR resources for small organisations.
A recent ICO survey revealed that only 20% of the UK public have trust and confidence in companies and organisations storing their personal information. The ICO’s Deputy Commissioner (Policy) said: “By now organisations should be aware of the changes to data protection law next May. It’s no longer acceptable to see the law as a box ticking exercise. Organisations will need to be accountable, to their customers and to the regulator”.
Meanwhile, the European Parliament confirmed in a press release that it is ready to start talks with member states on the new e-Privacy Regulation as soon as they have agreed on their own negotiation position. It is not yet clear whether the Regulation will meet the planned in-force date of 25 May 2018, to coincide with GDPR.
The new Data Protection Bill, which will sit alongside GDPR, is working its way through the legislative process. The third day of the report stage in the House of Lords (continued line-by-line examination of the Bill) is scheduled to take place on 10 January 2018 and a number of amendments to the Bill have already been made, such as allowing public authorities to rely on legitimate interests as a legal basis for processing personal data when they are carrying out non-public tasks. The Information Commissioner has published two further briefings in relation to the Bill. In the latest briefing, she expresses her significant concern over a clause in the Bill which places a duty on the Commissioner to take the Secretary of State’s framework guidance on data processing by government departments and other public bodies into account when considering any question relevant to her functions. She says that whilst she “understands the relevance of considering any guidance about the legal basis of government functions the provision runs a real risk of creating the impression that the Commissioner will not enjoy the full independence of action and freedom from external influence when deciding how to exercise her full range of functions as required by Article 52 of the GDPR”.
Update on ICO fee changes
We reported in the October 2017 edition of the Regulatory round-up that the ICO had outlined the proposed fee and registration changes which will come into force next year. Under GDPR, there will no longer be a requirement to notify the ICO on an annual basis as under the current rules, but there will still be a legal requirement for data controllers to pay the ICO a ‘data protection fee’. The new system will start on 1 April 2018. The ICO has updated its original blog post to set out the fee ranges used by the Department for Digital, Culture, Media and Sport (DCMS) in its recent consultation about the future fees. A three-tier system is proposed (see this link for details). The DCMS will now reflect on the consultation feedback before developing the fee regulations.
“Huge concerns” over Uber’s concealed data breach
The ICO’s Deputy Commissioner (Operations) said in his first statement on 22 November 2017 that “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics… Deliberately concealing breaches from regulators and citizens could attract higher fines for companies”. The statement followed the announcement the day before by Uber’s CEO that, in late 2016, two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service, including the names and driver’s licence numbers of around 600,000 drivers in the United States, and personal information of 57 million users around the world. This included names, email addresses and mobile phone numbers. It has been widely reported that Uber paid the hackers $100,000 to delete the data and keep the breach quiet. It failed to report the incident to regulators or those affected by the breach.
The WP29 has established a taskforce on the Uber data breach case which will coordinate the national investigations on this issue.
The UK’s Digital Minister, responding to an urgent parliamentary question on the incident, referred to the package of tougher measures to address data breaches which will be introduced by GDPR and the Data Protection Bill. Under GDPR, a personal data breach affecting people’s rights and freedoms must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it. The Information Commissioner will have the power to issue fines of up to €10 million or 2% of annual global turnover, whichever is greater. The maximum fine is currently £500,000.
We reported previously that independent consumer body Which? is calling for the Data Protection Bill to be amended so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress. Following the news of the Uber data breach, Which? reported that it, together with Age UK, Privacy International and the Open Rights Group, had submitted a joint letter to the Digital Minister, calling on the government to make it easier to seek redress for data breaches. This is in the context of Article 80(2) of the GDPR, which allows bodies such as Which? to lodge complaints and exercise data subjects’ rights independently of the data subject, where they consider that a data subject’s rights under GDPR have been infringed. During the recent debates on the Bill in the House of Lords, the government rejected a proposed amendment to include this provision. This was referred to during the parliamentary exchange on the Uber incident. In response, the Digital Minister said that “the whole principle behind the Data Protection Bill is to increase the level of consent required and people’s control over their own data. The proposed amendment pushed in the opposite direction, which is why we rejected it yesterday, but we will have the debate in this House, too”.
WP29 publishes Privacy Shield report – will take action if concerns not addressed by 25 May 2018
The WP29 has now published its report on the functioning of the EU-US Privacy Shield after the first annual joint review of the transatlantic data transfer framework took place in Washington DC in September 2017. While the WP29 acknowledges the progress of the Privacy Shield, it has identified a number of “significant concerns” that it says need to be addressed by the European Commission and the US authorities. It is calling on them to restart discussions and says that an action plan must be set up immediately to demonstrate that all of the concerns will be addressed. The concerns are set out in the executive summary on pages 2 to 4 of the report (which can be accessed via the WP29 website under the “Plenary meetings” heading).
In particular: the appointment of an independent Ombudsperson should be prioritised; the rules of procedure governing access to relevant information by the Ombudsperson and governing the interactions of the Ombudsperson with other members of the intelligence community should be further explained and declassified (so that the WP29 can assess whether the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance); and members of the Privacy and Civil Liberties Oversight Board should be appointed. The WP29 says that if these concerns are not resolved by 25 May 2018 (when GDPR comes into force), its members will take appropriate action, including bringing the Privacy Shield adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling. It expects the remaining concerns to be addressed at the latest at the second joint review.
The European Commission published its own, separate, report in October 2017 (see the October 2017 edition of the Regulatory round-up for further details).
In a separate development, one of two legal challenges to the Privacy Shield has been ruled inadmissible by the EU General Court, one of the three courts of the CJEU. The Irish privacy campaign group Digital Rights Ireland was seeking to have the Privacy Shield annulled, but the Court found that the group did not have an interest under the law in bringing proceedings, nor did it have the standing to act in the name of its members and supporters or on behalf of the general public. It is not yet clear whether the second challenge, by a French advocacy group, will face a similar fate.
The WP29 is consulting until 17 January 2018 on proposed updates to its working document on transfers of personal data to third countries in the context of GDPR and recent European case law. The focus of the consultation is the central question of adequacy.
A single regulator in the future?
In a recent interview, the European Data Protection Supervisor talked about a long-term move towards a single European data protection regulator: “It doesn’t appear sustainable in the long-term that competent authorities in different areas continue to act as regulators by fragmenting their actions at EU and national level and within different sectors. The answer will be increasingly global”.
Update on challenge to model contract clauses
We reported previously that the Irish High Court is referring questions over the validity of the Commission’s adequacy decisions on model contract clauses to the CJEU, following the complaint by Austrian privacy campaigner Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US. The exact questions to be referred to the CJEU are yet to be formulated. The first of a number of hearings on the wording of the referral took place at the beginning of December 2017. Further hearings will follow.
Max Schrems recently launched a non-governmental organisation (NOYB or “None of Your Business”) with the aim of ensuring “that the tech industry is following fully the existing privacy and data protection laws in the European Union, through strategic litigation in the public interest”.
Changes to Binding Corporate Rules applications
As the countdown to GDPR continues, the ICO has published a blog post setting out some key facts for companies planning to apply to the ICO for Binding Corporate Rules authorisation, and for those who have already received their authorisations. Binding Corporate Rules are a way in which companies can comply with the required data protection rules surrounding protection of personal data transferred outside the European Economic Area, within their group of entities or subsidiaries.
The WP29 is consulting until 17 January 2018 on proposed updates to its working documents on Binding Corporate Rules and Processor Binding Corporate Rules, to bring them in line with GDPR requirements.
Recent enforcement action
A firm behind over 156,000 spam texts was fined £45,000 by the ICO, bringing the total nuisance marketing fines issued to date during this financial year to £2 million. The director of a personal injury claims management company that made millions of automated marketing calls in breach of regulations and failed to pay a £250,000 ICO fine has been disqualified as a director for seven years. See the Insolvency Service press release. The ICO recently executed search warrants as part of an investigation into a network believed to be responsible for making hundreds of millions of automated nuisance calls.
An unlawful data supplier was fined £80,000 – the first fine to be issued following a wider investigation by the ICO into the data broking industry. The investigation includes looking at a wide range of organisations and the roles they play, including credit reference agencies.
A firm of loss adjusters, one of its directors and a senior employee, and rogue private investigators have been found guilty after personal data was unlawfully obtained and disclosed. The ICO is investigating alleged data protection offences involving corporate clients suspected of using the services of rogue private investigators.
The ICO has issued a warning to people who work with personal information after a charity employee was prosecuted for making his own copies of sensitive data. It has also published a blog post on the same topic, following eight convictions against NHS employees so far this year.
Morrisons found liable for ex-employee’s actions in data breach group action case
Supermarket chain Morrisons has been found liable for the actions of one of its ex-employees who, while employed as a senior internal auditor at the company, deliberately leaked payroll data of thousands of staff online following disciplinary action. Morrisons was not found directly liable, but there was a sufficient connection between the individual’s position of employment and his actions to establish secondary (vicarious) liability. This was despite the disclosure of the data being made outside working hours using the individual’s personal equipment. The judge was troubled that his decision might seem to make the court an accessory in furthering the ex-employee’s criminal aims, after it was submitted that the actions were deliberately aimed at Morrisons itself. The company was granted leave to appeal the decision, which has significant implications for employers. Walker Morris will continue to monitor and report on developments.
Google faces UK consumer legal action over mass data collection
Consumer campaign “Google You Owe Us” is launching legal action against tech giant Google on behalf of millions of UK consumers whose personal information Google is alleged to have unlawfully harvested by bypassing the default privacy settings on the Apple iPhone.
Government consulting on response to European data retention judgment
In a key judgment in December 2016, the CJEU ruled that national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication, is incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights. This was a referral by the English Court of Appeal following a 2015 High Court ruling that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law. The controversial Investigatory Powers Act 2016 (IPA) replaced DRIPA at the end of 2016, and goes even further. Like DRIPA, the IPA has been dubbed the ‘Snooper’s Charter’.
On 30 November 2017, the government launched a public consultation on its response to the CJEU’s judgment. It considers that some aspects of the current regime for the retention of and access to communications data do not satisfy the requirements of the CJEU’s judgment and it therefore proposes to amend the IPA. It says that “it is important that any changes support the important right to individual privacy and the collective right of citizens to be protected from crime and terrorism”. The government is consulting on a draft statutory code of practice on communications data at the same time. The CJEU’s ruling raised the possibility of an obstacle to the UK obtaining an adequacy decision to enable the continued free flow of personal data between the EU and UK in a post-Brexit world.
On 6 December 2017, the Home Affairs Committee issued a call for written evidence on Brexit and EU policing and security cooperation. This includes data protection issues (including implications of the government’s security aims for its future data protection regime) and the bulk retention of communications data (the compliance of the government’s latest proposals with the EU Charter of Fundamental Rights and what this means for the UK’s future surveillance powers).
Finally, a word on cyber security…
On 1 December 2017, the National Cyber Security Centre published guidance for organisations on managing the risks of cloud-enabled products.
Looking ahead to 2018
- 25 May 2018 is the key date!
- In other news, 9 May 2018 is the date by which the Security of Network and Information Systems Directive (or NIS Directive) must be transposed into UK law. The government consulted on its implementation plans earlier in the year and is currently considering the responses.