Welcome to the October 2017 edition of our Data Protection update, our monthly bulletin on key developments in data protection law. As always, please do let us know if you have any feedback or suggestions for future editions.

Data protection

Data Protection Bill second reading takes place in House of Lords

Following the release of the Government's statement of intent (as reported in our August bulletin here) and the publication of the Data Protection Bill (the DP Bill) (as reported in our September bulletin here), the second reading of the DP Bill took place in the House of Lords on 10 October 2017.

The key points in the DP Bill that were discussed included data protection reform, the processing of personal data for security and law enforcement purposes and minimum requirements for companies' age verification systems. Members of the House of Lords also raised issues relating to European Union (EU) withdrawal legislation and the flow of data between the EU and the UK post-Brexit.

The next stage of the DP Bill's progress through Parliament will be the committee stage; this will be the first chance for amendments to be made to the DP Bill, and is due to start on 30 October 2017.

To follow the progress of the DP Bill, please click here.

To read the ICO's briefing published ahead of the second reading, please click here.

European Commission has approved the EU-US Privacy Shield following the first annual review of the framework

On 18 October 2017, the European Commission (Commission) published its report following the annual review of the EU-US Privacy Shield which, as a reminder, is the framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States (US).

The report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, which have implemented the necessary structures and procedures to ensure the correct functioning of the Privacy Shield.

The report also includes a number of recommendations for further implementation to strengthen the functioning of the Privacy Shield, including strengthening awareness-raising efforts to inform EU individuals about how to exercise their rights under the Privacy Shield, particularly in relation to complaints.

The Commission has sent its report and recommendations to the European Parliament and Council, the Article 29 Working Party and the relevant US authorities.

To access the report, please click here.

General Data Protection Regulation hotline to open from 1 November

The ICO has announced that it is launching a dedicated telephone service aimed at helping small businesses prepare for new data protection laws.

The service, based around the existing public helpline, will be available to companies which employ fewer than 250 people.

The service is intended to help smaller organisations, which the ICO has identified as tending to be less well prepared on data protection than larger organisations.

The phone service will add to a package of tools and resources already available for companies ahead of the GDPR coming into effect.

No ICO notifications but fees remain

The ICO has confirmed that, in accordance with the GDPR, data controllers no longer need to register with the ICO if they are processing personal data.

However, the ICO has clarified that while the notification regime has been dropped, fees will still be payable by data controllers to the ICO.

Currently, notification typically requires a fee of either £35 or £500 to be paid to the ICO, depending on the size (by turnover or employee numbers) of the data controller.

The new funding mechanism, as introduced by the Digital Economy Act (see our May bulletin here), is still being developed. The ICO aims to communicate the scope of the fees data controllers will have to pay by the end of this year. The current intention is to implement a mechanism which takes into account the size of the organisation and the risk of the organisation's processing activities.

The new fee model will go live on 1 April 2018 and it is important to note in the meantime that data controllers remain under an obligation to renew their ICO notification if a renewal falls between now and 1 April 2018.

Tribunal hears allegation that MI5 / MI6 are unlawfully sharing citizens' data

The Investigatory Powers Tribunal (IPT) heard that MI5 and MI6 may be circumventing legal safeguards when they share bulk datasets with foreign intelligence services and commercial partners.

Legitimate interests is one of the legal grounds on which a data controller can rely to process personal data without needing the consent of the data subject. The allegation is that most of the bulk personal datasets relate to UK citizens who are not of "legitimate interest" and that therefore the legal ground for processing such personal data without the consent of the data subject has not been satisfied.

Sharing of citizens' personal data is supposed to be subject to stringent oversight by independent judicial commissioners, including the newly appointed Investigatory Powers Commissioner's Office (IPCO). The IPT heard that the IPCO's predecessors were unaware of the situation until informed by Privacy International, the party bringing a case against the intelligence services.

The case has been running for three years but continues to unearth fresh details about the way in which the intelligence services handle data.

We will keep you updated on developments as this investigation could provide useful insight into the scope of application of legitimate interests as a legal ground for processing.

EDPS issues further recommendations on proposed e-Privacy Regulation

The European Data Protection Supervisor (EDPS) has published recommendations on specific aspects of the proposed e-Privacy Regulation (see the draft text in our December bulletin here). The recommendations focus on the need to ensure legal certainty and a high level of privacy and data protection.

With regard to consent, the EDPS noted that the definition of consent in the e-Privacy Regulation must be identical to the provisions relating to consent in the GDPR, highlighting the requirement that consent must be "freely given".

Additionally, the EDPS has requested that justifications for the processing of communications data should not be too broad, and has rejected the proposed legal ground for processing electronic communications data on the basis of legitimate interests.

Lastly, the EDPS has called for exceptions to the consent requirement, for the processing of data related to the terminal equipment, to be narrow in order to avoid loopholes.

To read more, click here.

Article 29 Working Party updated GDPR guidelines

Following a consultation period, the Article 29 Working Party (WP29) has now issued final guidelines on Data Protection Impact Assessments (DPIA).

The guidelines provide further clarification on the requirement for DPIAs and how they should be carried out.

Please click here for our summary of the DPIA guidelines.

EU consultation on data breach notification and automated decision making and profiling

The EU Article 29 Working Party has released guidelines on personal data breach notification and automated individual decision making under the GDPR.

The GDPR makes notification of personal data breaches mandatory for all data controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to the controller.

The GDPR introduces new provisions to address the risks, notably but not limited to privacy risks, arising from profiling (any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person) and automated decision-making. The purpose of the guidelines is to clarify those provisions.

Comments should be sent to just-article29WP-sec@ec.europa.eu and presidenceg29@cnil.fr by 24 November 2017.

Cybersecurity

2013 cyber breach in fact affected all three billion Yahoo accounts

Yahoo has revealed that three billion accounts were actually affected in a cyber-attack in 2013, confirming it as the largest data theft in history; this is almost two billion more than was first thought (as reported in our January bulletin).

The company stated that new intelligence had led it to believe that all Yahoo user accounts were affected by the theft. Yahoo is now in the process of sending email notifications to the two billion extra accounts believed to have been affected.

The new revelation was discovered during the integration with Verizon, which acquired Yahoo earlier this year.

To read the ICO's statement on the matter, please click here.

ICO Enforcement

Bank fined £75,000 over unsolicited marketing

Vanquis Bank has been fined £75,000 by the ICO after failing to ensure that recipients of its marketing messages had consented to receiving such communications.

The ICO fined the Bank after finding it was responsible for a serious breach of the Privacy and Electronic Communications Regulations (PECR), by sending 870,849 spam text messages and 620,000 spam emails. The ICO also issued a separate enforcement notice outlining the conditions the Bank must follow when engaging in marketing going forward.

Please click here to read the ICO's monetary penalty notice and here for the ICO's enforcement notice.

Advertising company fined £50,000 for sending unsolicited emails

The ICO has fined Xerpla, a London based advertising firm, £50,000 for sending unlawful direct marketing emails.

In just over 18 months, Xerpla sent 1,257,580 unsolicited direct marketing emails promoting products and services of third parties.

The emails consisted of marketing material from a variety of third parties, including suppliers of dog food and wine. The unsuspecting recipients had not consented to receive emails of this nature. Xerpla Limited was issued with the monetary penalty after it was found to have contravened Regulation 22 of PECR.

To read the ICO's monetary penalty notice, please click here.

Liverpudlian firm fined £70,000 for nuisance calls

The ICO has issued Lead Experts Limited with a monetary penalty of £70,000 for making more than 100,000 nuisance calls.

The firm had purchased individuals' contact details from another company and then paid the company to make 111,072 calls about reducing energy bills.

The ICO held that making automated calls to people who had not agreed to be contacted in this way was a contravention of PECR (Regulations 19 and 24) and found that the firm was responsible for obtaining the necessary consent.

To read the monetary penalty notice, please click here.

Facebook fined €1.2 million in Spain for violating local data protection law

The Spanish Data Protection Authority (DPA) has levied a €1.2 million fine on Facebook after conducting an investigation into whether the social network's data processing activities were in accordance with Spanish data protection law.

The DPA held that Facebook had committed three serious breaches of the statute:

  1. Processing sensitive personal data (including regarding sexual preferences and religious beliefs) for advertising without consent – the consent obtained by Facebook was not valid, express or in writing;
  2. Facebook had failed to provide a clear notice of how the company collects and uses personal data on its site – it was determined that a normal Facebook user would not be aware of the collection, storage and subsequent processing of their data, or the purposes for which the data will be used;
  3. Facebook's data retention policies are unlawful – personal data of users was not deleted when it was no longer required for the purpose for which it was collected, or when a user requested its deletion.

To read the DPA's announcement, please click here.

31 Oct 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.