Welcome to the November Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

ICO provides clarity on informed consent for marketing

The Information Commissioner's Office (ICO) has clarified the meaning of 'informed consent' to receive direct marketing, in a monetary penalty notice issued to Xerpla. The ICO fined Xerpla £50,000 for sending over 1.2 million unsolicited marketing emails to individuals between 6 April 2015 and 20 January 2017, advertising products and services for or on behalf of third parties.

The ICO found that Xerpla had infringed the UK Privacy and Electronic Communications Regulations (PECR) by not obtaining valid consent, as recipients were not sufficiently informed. Consent, to be valid, must be specific and informed, freely given and involve a positive indication to signify agreement.

The ICO stated that for consent to be informed individuals must first understand what they are consenting to. Therefore companies should use language that is clear, understandable and not hidden in another document such as a privacy policy or terms and conditions. Secondly, individuals should not be asked to agree to marketing from generic categories of organisations such as 'similar organisations', 'partners' or 'selected third parties'. Thirdly, consent should not be based on a long exhaustive list of general categories of organisations because it will be difficult to show that the consent was specific enough to be valid.

The ICO fined Xerpla £50,000 for negligently breaching regulation 22 of PECR, by sending unsolicited emails to individual subscribers without consent.

Click here to read the monetary penalty notice in full.

Opportunities for the insurance market following the GDPR and underinsurance of cyber risks

The incoming EU General Data Protection Regulation (GDPR) has made cyber risks a priority for the boards of organisations doing business in Europe. In a survey conducted by Marsh of 1,300 senior executives, around 65% of respondents said they now consider cyber risks to be a key concern. This is compared to only one-third, in a similar survey Marsh conducted, last year.

Despite the growing awareness of the threat posed by cyber attacks, a separate study conducted by Aon alongside the Ponemon Institute found that organisations currently underinsure cyber risks. The study found that the average potential losses to information assets caused by cyber attacks ($979 million) are greater than losses to physical assets caused by property, plant and equipment related risks ($770 million). The study found that on average only 15% of an organisation's potential losses are covered by cyber risk insurance.

With fines for failures to protect personal data being substantially increased under the GDPR, the study by Marsh found that the majority of senior executives, whether in firms with a plan for readiness with the GDPR or not, intend to increase spending on cyber risks in the next year.

The insurance market may therefore expect an increase in organisations looking for cyber risk insurance. The challenge for insurers will be in addressing the concerns of organisations such as those identified in the report by Aon, namely, coverage being inadequate, premiums being too expensive and there being too many exclusions and/or restrictions.

Click here to read the report by Aon and the Ponemon Institute in full.

Click here to read the survey conducted by Marsh in full.

First annual review of EU-US Privacy Shield

The first annual joint review of the EU-US Privacy Shield (Privacy Shield) has been conducted by authorities from the EU and the United States of America (US), including representatives from the European Commission (Commission) and the US Department of Commerce (DoC). The Privacy Shield is a current method by which personal data may be transferred from the EU to the US in compliance with EU data protection laws. It was established last year, following the invalidation in late 2015 of the EU-US Safe Harbour scheme, although formal concerns regarding its legitimacy have been raised this year on several occasions.

Following the review, the Commission has released a report detailing its findings and recommendations on the Privacy Shield. The report concludes that the US provides an adequate level of protection for personal data transferred under the Privacy Shield from the European Economic Area to the US.

The Commission, however, makes a number of recommendations, including that US companies should not be able to publicly refer to their Privacy Shield certification until the certification has been finalised by the DoC, the DoC should regularly conduct searches for false claims of participation, and enforcers (namely the DOC and the EU Data Protection Authorities) are to cooperate with each other in developing guidance on concepts such as accountability. The Commission has stated that it will work with the US authorities over the coming months to follow-up on the recommendations.

Click here to access the Commission's news update from which the report can be downloaded.

Recent WP29 Guidance

The Article 29 Working Party (WP29) has recently published a number of draft and final guidelines on personal data breach notification, automated decision-making, administrative fines and data protection impact assessments (DPIA), as well as an opinion on cooperative intelligent transport systems.

Personal Data Breach Notification and Automated Decision-Making

The draft guidelines on personal data breach notification clarify when a data controller must notify the data subject and/or its supervisory authority of a data breach. The draft guidelines on automated decision-making clarify the limited exceptions to when automated decision-making (including profiling) that produce legal or similarly significant effects can be undertaken.

Administrative Fines

The guidelines on administrative fines explain how supervisory authorities are to apply and enforce the GDPR so as to ensure consistent enforcement. The guidelines identify the factors to be assessed when considering the imposition and amount of fines.


DPIAs are required under the GDPR for processing operations likely to result in a high risk to the rights and freedoms of natural persons. The revised guidelines clarify where a single DPIA will be sufficient for multiple processing operations that are similar in terms of nature, scope, content, purpose and risks. The guidelines also clarify when existing processing operations that have previously been checked by a supervisory authority will require a further DPIA.

Cooperative Intelligent Transport Systems

In addition, the WP29 released an opinion on the processing of personal data in the context of Cooperative Intelligent Transport Systems (C-ITS). C-ITS allows for continuous broadcasting and exchange of data between vehicles and road infrastructure (e.g. traffic lights or road work signs). The WP29's opinion acknowledges that C-ITS has benefits for drivers by improving road safety, but notes such large scale deployment will require additional efforts to ensure the confidentiality and security of communications. The WP29 notes that a lack of transparency will be a major concern, as users will be continuous broadcasters of data and so need to be made aware of the scope of the processing of their data.

Click here to access the WP29 page from which the guidelines and opinion can be downloaded.

EDPS updates recommendations on the ePrivacy Regulation

The European Data Protection Supervisor (EDPS) has published further recommendations on the proposed EU Regulation on Privacy and Electronic Communications (commonly referred to as the ePrivacy Regulation). The ePrivacy Regulation seeks to modernise and clarify the technological requirements for ensuring privacy of electronic communications. The ePrivacy Regulation is intended to come into force alongside the GDPR in May 2018, but there are concerns by the European Council that this deadline will not be met.

The ePrivacy Regulation, in comparison with the existing law under PECR, provides changes including the confidentiality of communications between devices, allowing consent to cookies through browser settings, adopting the definition of consent under the GDPR and increasing the fines available in line with the GDPR. The EDPS has issued previous advice on the matter, but decided to update it following developments in deliberations.

The EDPS advises that the confidentiality of communications should encompass content, metadata and data related to the terminal equipment used by the end user. The EDPS also recommends that the ePrivacy Regulation should offer a higher level of protection than the GDPR and require privacy protective settings by default.

Click here to read the EDPS' recommendations in full.

GPEN sweep finds privacy notices lack specific detail

The Global Privacy Enforcement Network (GPEN) in their 2017 sweep of websites and applications found that privacy notices are often too vague. The GPEN issued its findings after submissions from 24 Data Protection Authorities across the world, which collectively examined 455 websites and applications across various sectors.

The GPEN noted that information on how personal data would be used was often generic. It also identified a failure of privacy notices to advise users on how or where their data would be stored, including safeguards, and with which third parties the data would be shared with. In regards to the retail sector specifically, the GPEN noted that retailers who issue e-receipts (e.g. for proof of purchase) generally failed to provide any information relating to those receipts on their website.

The GPEN did observe overall, however, that the majority of organisations were quite transparent in specifying what information or categories of information they would be collecting and that privacy communications were usually easy to locate.

Click here to read the GPEN 2017 sweep in full.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.