Welcome to the December Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

EDPB Guidelines on territorial scope of the GDPR

The European Data Protection Board (EDPB) has released detailed draft guidelines on the territorial applicability of the General Data Protection Regulation (GDPR), under Article 3 of the GDPR.

The guidelines provide helpful direction on how Article 3 is to be interpreted. They also set out examples of how the Article 3 criteria might apply in different scenarios – including how the Regulation would apply to a controller to processor arrangement where the GDPR does not apply to one of the parties. The EDPB guidance also includes information regarding the obligation to designate a representative within the EU, where a company is not established in the EU but is still subject to the GDPR.

Click here for the EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

Additional ICO enforcement powers for "officer" wrongdoings under PECR

The Privacy and Electronic Communications Regulations 2003 (PECR) have been amended (by the Privacy and Electronic Regulations (Amendment) 2018) to allow the Information Commissioner's Office (ICO) to issue monetary penalty notices to an officer of a company, in addition to the company itself. The ICO can issue a monetary penalty notice to an officer when the breach took place with the consent or connivance of that officer, or where the breach is due to any neglect on the part of that officer. This power applies to contraventions of Regulations 19 to 24 of PECR, which includes unsolicited marketing by email and telephone marketing.

This change has been brought in to assist with the issue of businesses attempting to evade fines by the ICO for their marketing practices by winding up the company following a monetary penalty notice and setting up under a new name.

Directors and persons of similar positions need to be aware that they are now potentially liable to a fine of up to £500,000 for breaches under PECR in relation to their company's marketing practices. The changes to PECR came into force on 17 December 2018.

Click here to read the Privacy and Electronic Communications Regulations (Amendment) 2018.

Uber fined for failing to take appropriate technical and organisational measures

The ICO has fined Uber £385,000 for failing to implement appropriate technical and organisational measures in relation to a cyberattack in breach of principle 7 under the Data Protection Act 1998 (DPA 1998). The breach, which took place in late 2016, compromised the personal data of 2.7 million customers and over 80,000 drivers in the UK. The attackers downloaded data from a cloud based storage service managed by a US Uber group entity; the data had been transferred to that company as a processor, pursuant to a data processing agreement. The attackers held the US Uber entity to ransom for $100,000 in return for assurances that the downloaded data would be deleted. Uber paid the ransom from their "bug bounty programme". The attackers accessed the data on the platform via the Uber US entity's service account credentials for the cloud storage site.

The ICO issued the fine against Uber B.V (located in the Netherlands) and four affiliate entities based in the UK, as joint controllers, on the basis that those companies had been jointly determining the data processing activities taking place in the UK. The ICO deemed Uber B.V to be in scope of the UK's DPA 1998 on the basis that it effectively exercised control over data processing activities in the UK through the UK entities.

The ICO determined Uber breached principle 7 of the DPA 1998 due to the inadequate security arrangements in place, including with respect to Uber US's policies and practices not requiring two factor authentication and the service account credentials having been stored in plain text. The ICO also found Uber US's response to the breach lacking – paying the ransom from their bug bounty programme instead of treating the incident as a data breach and delaying notification to both the UK regulator and data subjects.

Click here to read the monetary penalty notice.

EU–Japan Draft Adequacy Decision Status

Japan has not yet been deemed a country that ensures an adequate level of protection for the purpose of providing a lawful basis under which to transfer personal data outside of the EU under Article 45 of the GDPR. The EDPB, further to their fifth plenary session, adopted an opinion on the draft adequacy decision for Japan received from the European Commission. The opinion notes to the European Commission a number of concerns, recommendations and requests for further information.

The timeline for the European Commission to progress the conclusions raised by the Board is not yet clear. The designation of Japan as an adequate country is noted by the EDPB as an important marker for future adequacy decisions. It will be the first under the GDPR which sets out (under Article 45) the elements to be assessed by the European Commission in making an adequacy decision.

Click here to read the EDPB's press release on their fifth plenary session.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.