Welcome to our data protection bulletin, covering the key developments in data protection law from October 2020.
Stop the clock, we need clarification! The ICO has issued new guidance on subject access requests (SARs)
Stopping the clock
Under the GDPR, controllers are required to respond to SARs “without undue delay and in any event within one month of receipt of the request”. Previously, there was no provision to extend that timeframe where the controller asked the data subject to clarify their request.
However, on 21 October, the ICO issued new guidance which provides that the clock can be stopped whilst organisations are waiting for the requester to clarify their request. This will provide some much needed flexibility to controllers, particularly employers, who are asked to deal with an unclear or excessively broad SAR. However, this is not a time-saving provision for all SARs, as the guidance is clear that you should only seek clarification if it is genuinely required in order to respond to the SAR and if you process a large amount of data about the requesting individual. It is unlikely, therefore, that you can use this stop-the-clock provision to extend the timeline for responding to a SAR if you can obtain and provide the requested information quickly and easily.
Another helpful addition to the guidance is a broadening of the definition of what constitutes a manifestly excessive request. According to the guidance, controllers should base their assessment of a SAR on the proportionality of the request, weighing the burden or costs involved against the rights of the requester. First and foremost, this will require organisations to consider whether a request is “clearly or obviously” unreasonable. The guidance is clear that this will mean taking into account all the circumstances of the request, including the nature of the requested information, the relationship with the requester, the available resources, the potential impact of not providing the information, and whether the request duplicates a previous request or overlaps with other requests. The ICO asks organisations to bear in mind that a request is not necessarily excessive just because the individual requests a large amount of information.
The ICO suggests that organisations should consider the nature of the data and how often data is altered when considering whether a SAR is manifestly excessive. In doing this, each SAR needs to be considered individually such that no blanket policy is applied and organisations are warned against making presumptions based on previous requests submitted by the same individual. The ICO places weight on the word “manifestly” and advises that organisations must have strong justifications for concluding that a request is excessive.
Bills, Bills, Bills
Lastly, the ICO has updated the guidance in relation to what organisations can take into account when charging an admin fee for a manifestly unfounded or excessive request. When determining a reasonable fee, the ICO sets out the activities for which controllers can charge and warns against double-charging where these activities overlap. The guidance notes that the administrative costs of assessing, locating, retrieving, extracting and copying the information, as well as the time taken to communicate your response, can be taken into account when determining a fee. It follows that a reasonable fee might consist of the direct costs of handling the data (such as copying, printing or posting) and the cost of any equipment or supplies required to respond to the SAR. It can also include staff time, which the ICO advises should be based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
The guidance encourages controllers to establish an unbiased set of criteria for charging fees which explains when a fee will be charged, a breakdown of standard charges and details of how a fee is calculated. These criteria can then be made available to data subjects or the ICO as required.
Since the implementation of the GDPR, more people, particularly in their capacity as employees, are becoming aware of their status as data subjects, and organisations have been seeing increasing numbers of SARs. This guidance and its more flexible and comprehensive approach to SARs will be well received by controllers.
Transferring data after 1 January 2021: what does the government say?
After the end of the transition period, the UK will be considered a ‘third country’ under EU rules meaning that anyone transferring personal data from the EU to the UK will do so on a third country basis. The UK Government has already determined that it considers all EU and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the UK to the EU/EEA remain unaffected from 1 January 2021.
The UK government has now issued guidance on how British organizations should handle data protection and data flows once the Brexit transition period ends. The guidance notes that all countries, other than Andorra, deemed adequate under EU law have informed the UK that they will maintain unrestricted personal data flows with the UK. The major question now revolves around whether or not the EU will consider the UK to be adequate for the purposes of the GDPR.
Although the guidance takes an optimistic tone in recognising that the EU’s adequacy assessment of the UK is already underway, it does consider the possibility that such a decision might not be reached by the end of the transition period. If the EU has not made its adequacy decision in respect of the UK before the end of the transition period, the guidance considers how companies may have to use standard contractual clauses (“SCCs”) for data transfers.
In a similar vein, there is a scenario – albeit not contemplated in the guidance – in which the EU does not consider the UK adequate for the purposes of transferring data. Of particular concern is the government’s New Data Strategy and its promise to transform how data is handled in the public sector. There is a real possibility that this could lead the EU Commission to conclude that the UK’s data protection laws are inadequate, which would result in a post-Brexit data flow that is wholly reliant on transfer mechanisms such as SCCs. See our September bulletin for a discussion of the National Data Strategy.
An uneventful end to the Brexit data scandal
Following the Brexit referendum and accusations about the use of personal data and political influence, the ICO launched a formal investigation in May 2017. The ensuing investigation is best known for its assessment of the scandal relating to Cambridge Analytica and its associated group (“SCL”), but it was also responsible for the fines imposed on the political campaigns Vote Leave and Leave.EU, pregnancy advisor Emma’s Diary and Facebook. The ICO has now concluded the largest investigation of its type and has presented its conclusions to Parliament.
Somewhat disappointingly, the conclusion of the ICO is that data processing by SCL and its associated companies was in fact lawful. The probe into the use of invisible processing of personal data and the micro-targeting of political advertising has concluded that Cambridge Analytica and the SCL group were using well-recognised processes and commonly available technology. Nevertheless, the ICO has successfully fined SCL £18,000 for failure to comply with an enforcement notice and identified various conduct issues within SCL and its group of companies that it has shared with the UK’s Insolvency Service.
Perhaps of most significance is the awareness of the risks of data misuse that this investigation has brought to the attention of policymakers and the public alike. It is hoped that this will lead to political parties in the UK improving the way they handle data. The ICO’s work continues with audits of the UK’s main political parties and updated guidance on political campaigning expected in the coming months.
The aftermath of Schrems II: Part Three
The Irish Data Protection Commission (the “DPC”) faces another judicial review
Last month we reported on the Irish High Court’s decision to grant Facebook a judicial review of the Irish DPC’s decision to ban all Facebook’s EU-US transfers following the Schrems II decision earlier this year. Now, the Irish High Court has granted leave for another judicial review against the DPC. This time, the legal action was brought by None of your business (Noyb) and also aims to implement the Schrems II decision.
In the application, Noyb drew attention to the fact that after seven years and five judgments, there has been very little progress in the original case. This is despite the two Schrems judgments by the CJEU that invalidated Safe Harbor and Privacy Shield. Noyb also noted that rather than making a final decision in this case, the DPC instead suspended the complaints procedure last month and started an investigation into the same subject matter, without first making a decision in these unresolved proceedings.
Following the High Court’s approval of the judicial review, the relevant papers by the DPC will be filed and a hearing date will be set for later this year.
Rising costs of data protection enforcement
There is an ongoing costs battle around the Schrems II case. The DPC’s position is that it is entitled to recover its costs from Facebook on the basis that Facebook was unsuccessful. It also argues that Facebook, and not the DPC, should pay Max Schrems’ costs.
Simultaneously, the DPC has sought and received a significant increase in funding from the Irish Government in its 2021 budget. The DPC has stated that it foresees an expansion to its resources, key strategic projects and greater intervention on areas of systemic risk, such that they now require an annual budget of EUR 19,100,000. As data protection issues continue to be at the forefront of international law and litigation becomes increasingly expensive, we can expect to see similar increases in data protection authority budgets.
The future of processing: a transition to hosting in the EU?
On September 28, 2020, several associations, unions and individual applicants appealed to the summary proceedings judge of the highest administrative court in France (the “Conseil d’État”), asking for the suspension of the processing of health data on France’s centralised health data platform, the Health Data Hub (the “Hub”), which is currently hosted by Microsoft. Petitioners argued that the hosting of the data by a company subject to US laws entails privacy risks due to possible transfers of the data to US intelligence services, as highlighted by the Schrems II judgment.
On 13 October, the Conseil d’État issued a summary judgment that rejected the request for the suspension of the Hub. However, in issuing the judgment, the Conseil d’État recognised the potential risk identified in Schrems II and called for additional guarantees under the control of the French data protection authority (the “CNIL”). The CNIL has since concluded that health data should be hosted by companies that are not subject to US law, as this would constitute the most effective solution to avoid any risk of transfers.
If this French case is any indication, it looks like EU hosting companies might be set to benefit as companies look to carry out the processing of data from within the EU.
Europol unlawfully processing data of innocent people
According to a report published by the European Data Protection Supervisor (“EDPS”), Europol is unlawfully processing the personal data of innocent people.
Due to the nature of its work, Europol receives vast quantities of data from national law enforcement agencies. Whilst processing the data for investigations, Europol analysts can make multiple copies of each dataset, which are then stored for prolonged periods of time. The EDPS report has declared that the forensic and digital techniques used by Europol in exploiting large datasets are non-compliant with Europol’s data protection regulations.
With the safeguards contained in the Europol Regulation not being met, data subjects run the risk of wrongfully being linked to criminal activity across the EU which, in turn, could cause serious harm to personal and family life, freedom of movement and occupation. Despite these risks to individual rights and freedoms identified by the EDPS, Europol has been allowed to continue using the unlawful data processing techniques whilst an action plan is developed over the next two months and implemented within six months. With such a huge data challenge ahead, however, we have to question whether it is realistic to expect Europol to be able to make the necessary changes so quickly.
Draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020
On 15 October 2020, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the “draft Regulations”) were published.
The main amendment is intended to ensure that all the necessary provisions come into effect after the transition period. Some of the other amendments bring the draft Regulations in line with recent developments in the EU. These include the adequacy decision made by the European Commission in relation to Japan, the Schrems II invalidation of the Privacy Shield, and the revocation of all retained EU legislation which has been made redundant by the Schrems II judgment.
These amendments to the draft Regulations stand as another reminder that the end to the transition period is just around the corner, and it is now all hands on deck to make sure we are ready to make as smooth an exit as possible, particularly where data is involved.
Working from home and data protection
During the pandemic, we have all become used to working from home, but how has this impacted the way in which our employers can monitor our activity? See our recent insight for a breakdown of these issues and a discussion of the data protection implications.
Considering purchasing cyber insurance for your business? This guide might be for you.
The NCSC has published guidance for organisations of all sizes who are considering purchasing cyber insurance. The guidance is not intended to be a buyer’s guide to insurance; rather, it has been produced to enable organisations to decide if cyber insurance could help them manage their cyber risk.
The guide is structured as a series of questions that allow businesses to assess whether cyber insurance might be a sensible option and which policy to buy, if any. The guidance first encourages businesses to consider whether they are already protected under existing business interruption or protection policies. If they are not, the questions assist organisations in assessing their cyber security risk and how they can best manage it.
Cyber security is a fairly new consideration for organisations and with attacks becoming increasingly common and complex, cyber insurance could be a good way to ensure the costs of any cyber incident are not detrimental to your business continuity. If you are considering cyber insurance, therefore, these questions put forward by the NCSC will help you frame discussions about the most appropriate and comprehensive policy options.
Robo-advisor caught up in huge data breach
German-based digital wealth manager Scalable Capital notified customers of a large data breach on 19 October. Scalable invests money and creates portfolios, offering investment advice through digital technology. A subset of documents stored in Scalable’s digital document archive was breached, including personal and contact details, data relating to the investment account and tax data.
In a message to customers, Scalable warned of the personal data breach by unlawful access but reassured customers that assets were safe with the custodian bank and that the breach posed no risk to them. Following the breach, Scalable has offered all affected customers 12 months of free credit and web monitoring services.
The ICO issues its largest fine to date in relation to British Airways’ data protection breach
The ICO has issued its first substantial post-GDPR monetary penalty. British Airways plc (“BA”) has been fined £20 million for breaching Articles 5(1)(f) and 32 GDPR. The ICO found that the airline had put hundreds of thousands of its customers’ personal data at risk by failing to have adequate technical and organisational measures in place to prevent, detect and contain a cyber-attack which exposed the personal data, including payment card data, of approximately 429,612 customers and staff and which went undetected for two months. Rather presciently, the breach emanated from a hacker gaining access via systems used to permit staff/contractors to work remotely.
The ICO’s monetary penalty notice (the “MPN”) repays detailed analysis, both in terms of the method by which the substantially reduced penalty to which BA was subject was calculated, and for the helpful guidance it provides regarding how organisations can ensure that they have “appropriate technical and organisational measures” in place to avoid regulatory sanction where personal data is lost arising out of unauthorised access to their IT systems.
However, in summary the key takeaways are:
- Whilst the fine is significant, it is only 11% of the £183m fine initially threatened in the ICO’s Notice of Intent issued in July 2019, having been reduced by virtue of: (1) the ICO adopting a revised calculation model in light of BA’s representations (see paras 7.60 – 7.66); and (2) mitigating factors including the impact of the COVID-19 pandemic on BA’s business. Accordingly, its calculation should be seen as fact specific, and not as a guide to the scale of future fines. Indeed, the ICO’s draft Statutory Guidance (as to which see below) indicates that, if classified as “high seriousness”, the starting point for this fine should have been as set out in the ICO’s Notice of Intent rather than the £30m quoted in the MPN. Similar considerations are also likely to apply in relation to any reduction in the fine to which Marriott International, Inc is subject;
- The ICO found that BA could, and should, have adopted a variety of measures that would have better positioned it against the threat of cyber-security attacks (e.g. using multi-factor authentication, IP whitelisting, privileged account management, logging, the use of a Security Information and Event Management (SIEM) system etc), and was negligent in failing to adopt such measures, noting: “each step of the [a]ttack could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it”. In this regard, the ICO was unsympathetic to the suggestion that because: (1) it had been subject to a sustained criminal attack; and (2) the data breach emanated from a contractor’s IT security failures; this somehow obviated responsibility on BA’s part for the damage suffered by the affected data subjects. The ICO also rejected BA’s submission that, as such breaches are a fact of modern life, the affected data subjects would not in fact have been concerned by the breach; and
- The fine was only slightly reduced in light of the impact of COVID-19 on BA’s business (~16%, or £4m). In any event, in an open letter to UK businesses, the ICO has subsequently provided a clear warning that the ICO’s lenient approach to enforcement as a result of COVID-19 was coming to an end; and
- The reduced fine which BA achieved speaks to the benefits, for organisations faced with a serious data breach, of:
  - Promptly reporting the breach to the ICO and affected data subjects;
  - Fully engaging with the ICO throughout any investigation and, as appropriate, following a Notice of Intent being issued;
  - Promptly addressing deficiencies in “technical and organisational measures” which have become apparent by virtue of the data breach; and
  - Robustly challenging the findings in any Notice of Intent ultimately issued. Had BA adopted a more passive approach, it is likely to have been left facing a fine running into the hundreds of millions.
If BA wishes to appeal the MPN to the First Tier Tribunal, it must serve a notice of appeal by no later than 16 November 2020.
BA’s position remains that, of course, it was not in breach of its obligations under Articles 5(1)(f) and 32 GDPR. However, given that the MPN sets out in great detail why BA’s position is untenable in this regard, and notwithstanding that the ICO’s decision does not bind BA in the various sets of civil proceedings which are afoot against it arising out of the data breach, BA is going to have an uphill struggle in contesting liability in those proceedings.
In the instant case, assuming that all affected customers pursue claims against BA, its liability from those proceedings is likely to be more than double that deriving from the MPN, if BA elects not to appeal.
This is likely to be reflective of a wider trend, with the losses from civil claims arising out of data breaches eclipsing those deriving from regulatory sanctions, even where those sanctions are calculated by reference to the ICO’s draft guidance if it is finalised in its current form.
ICO issues draft Statutory Guidance setting out its approach to enforcement
As noted above, the ICO has recently issued draft Statutory Guidance on the exercise of its regulatory functions, which, it appears likely, was produced in light of submissions made by BA following the Notice of Intent issued in July 2019.
This document outlines the ICO’s intended approach to enforcement and regulation in relation to data protection in the UK. It explains that the ICO will approach regulatory action proportionately and consistently and sets out a nine-step process that will be used to guide the ICO in its determination of suitable monetary penalties. The nine steps are as follows:
- Assessment of seriousness;
- Assessment of degree of culpability;
- Determination of turnover;
- Calculation of an appropriate starting point;
- Consideration of relevant aggravating and mitigating features;
- Consideration of financial means;
- Assessment of economic impact;
- Assessment of effectiveness, proportionality, dissuasiveness; and
- Early payment reduction.
Importantly, the first four stages of this process culminate in an analysis conducted by reference to the table below:
This reflects the ICO’s rejection in the MPN of BA’s submission that a turnover-based approach is a “fundamentally flawed” way of achieving proportionate and effective penalties. The MPN emphasises that turnover remains “a relevant metric for assessing whether any fine is proportionate and dissuasive”; it is “one key factor to be taken into account in the round, by reference to the particular facts at issue in the case”.
Accordingly, if the guidance is finalised in its current form, the spectre of fines running to hundreds of millions of pounds still looms large. In this regard, it is worth noting that even if a proportionate percentage reduction for mitigating factors had been granted to BA against a starting point based on the draft Statutory Guidance, its fine would have been over £120m.
The ICO has invited interested parties to provide comments on the draft Statutory Guidance by 5pm on 12 November 2020.
The ICO takes enforcement action against Experian Limited
The ICO has ordered Experian Limited (“Experian”), a credit reference agency, to correct various data protection failings that had been uncovered during a two-year-long investigation. The ICO’s investigation found that, in breach of data protection law, Experian had been using people’s personal data, without their knowledge or consent, to engage in data broking. It is estimated that millions of adults in the UK would have been affected by the “invisible” processing conducted by Experian. The ICO found that Experian did not go far enough in making changes to its digital marketing services business. Therefore, the ICO issued an enforcement notice, requiring Experian to make fundamental changes to its practices within nine months. If these changes are not made, Experian risks receiving a fine of up to £20 million or 4% of its annual global turnover (whichever is greater).
In a statement provided by Experian’s Chief Executive Officer, Brian Cassin, Experian’s intention to appeal the decision was made clear: “We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis”.
The appeal process will shed further light on the ICO’s ability to take enforcement action against firms that are in breach of data protection regulations.
The Irish Data Protection Commissioner is investigating Instagram regarding its alleged misuse of children’s data
Instagram is the latest social media platform to come under fire over the misuse of children’s data. The Irish DPC has opened an investigation into Facebook, Instagram’s parent company, to determine whether it has been unlawfully processing children’s personal data.
In 2018, Instagram introduced a feature which allowed its users to convert their “personal” accounts into “business” accounts. The business account setting contained numerous advantageous features for businesses operating through Instagram. One such feature allowed businesses to add a contact button, thus making it easier for customers to contact them. While the “business account” feature was obviously intended for use by businesses, Instagram did not require users to verify their businesses before switching. As a result, children were easily able to switch from their personal accounts so that they could also make use of the additional features. A prerequisite for switching to a business account was the requirement for a phone number or email address that could be publicly accessible on the business profile. Therefore, the contact details of children were publicly displayed on their profile pages.
The DPC’s investigation will seek to determine whether Instagram had taken sufficient steps to ensure the protection of children’s personal data. This investigation serves to reinforce the growing emphasis that is being placed on the need for children’s data to be appropriately protected.
The ICO investigating Klarna over unsolicited marketing
The ICO has opened an investigation into Swedish Fintech company, Klarna, following numerous complaints from individuals stating that they had received unsolicited marketing emails from Klarna, despite having never used or signed up to Klarna’s services.
UK data protection legislation requires that individuals provide their explicit consent to receiving marketing emails, save in limited circumstances where the customer has a pre-existing relationship with the business.
Klarna has stated that, although the email had been sent to certain individuals in error, the email addresses had been legitimately gathered by a separate division of its business which facilitates card payments for online retailers. Klarna does not concede that any of its customers’ personal data had been unlawfully processed. The ICO’s investigation should serve as a reminder to readers both that consumers are becoming increasingly vigilant in ensuring that their personal data is used properly and of the ICO’s increasing interest in investigating breaches of this nature.
CJEU decision regarding data processing by the UK Government could cause significant complications for transfers of data from the EU to the UK post-Brexit
The Court of Justice of the European Union (“CJEU”) recently handed down judgment in Case C-623/17. Privacy International (the “Claimant”), a non-governmental organisation (“NGO”) that advocates for the global right to privacy, brought a case five years ago against the UK Government and a number of its security agencies (the “Defendants”), challenging their collection and retention of private data. The case was recently referred to the CJEU by the Investigatory Powers Tribunal.
The CJEU was asked to determine the extent to which the Defendants could use highly personal data from private electronic communications, which the Defendants admitted collecting, for the purposes of combatting crime and keeping citizens safe.
The CJEU first established that the UK’s national legislation, which allowed the Defendants to compel providers of electronic communications to transmit or retain data for the purpose of combatting crime and maintaining national security, fell within the ambit of EU data protection law. Further, it was found that the UK legislation was incompatible with EU standards. Under EU data protection law, Member States are only allowed to require private communications providers to retain and transmit private traffic and location data of a general and indiscriminate nature when there is a genuine, present and foreseeable threat to national security. In such circumstances, the Member State must not retain the collected data for a period that goes beyond what is strictly necessary. In this case, the CJEU found that the Defendants’ requests for the “general and indiscriminate transmission” of data were incompatible with EU law.
If the UK is not in compliance with this ruling by the end of the year, it will have significant implications on the Brexit negotiations. It is unlikely that an agreement will be found if the UK’s policies remain inconsistent with European standards.
In light of the decision in Schrems II, it is also likely to have an impact on the lawfulness of data transfers from EU countries to the UK, as the processing complained of is of precisely the type which led the CJEU to invalidate Privacy Shield as a valid mechanism for transferring personal data from the EU to the US.
Experian sues insurers to recover over $18m
In a telling illustration of the costs to businesses of the losses suffered arising from breaching data protection legislation, Experian has issued proceedings (Experian PLC v. Zurich Insurance PLC and another, Claim Number CL-2020-000670) against Zurich Insurance PLC and the General Security Indemnity Company of Arizona, a subsidiary of SCOR, to seek to recover over $18m in legal costs which it has incurred in dealing with the fallout of multiple sets of civil proceedings and regulatory investigations in the US and UK, arising out of a 2015 data breach and other allegedly unlawful processing of personal data which it was said to have undertaken. Interestingly, in addition to seeking to recover legal costs already incurred, Experian is seeking a declaration that the insurers will be liable for any fines which it may face arising out of the 2015 data breach. The question of whether it is possible to insure such losses remains uncertain and, to the extent that this claim reaches trial, it will provide helpful guidance on this point.
Application of the Data Protection Act 2018 in case concerning the retention of data regarding individuals suspected as being at risk of “radicalisation”
The High Court recently handed down judgment in R (on the application of II (by his mother and litigation friend)) v Metropolitan Police Commissioner EWHC 2528 (Admin). This case involved the retention of personal data relating to a 16-year-old boy (the “Claimant”) who was reported to the Counter Terrorism Command of the Metropolitan Police in 2015 as being at risk of “radicalisation”. When the Claimant was aged 11, his online tutor made a report to the Department of Education, expressing a number of concerns about the Claimant’s behaviour. The case was closed in 2016; however, the Claimant’s personal data was retained on various databases and the Claimant’s requests for this data to be deleted were refused. The Claimant applied for judicial review of the Metropolitan Police Commissioner’s (the “Defendant”) decision in this regard.
In its consideration of the Human Rights aspect of the claim, the High Court found that the decision to retain the Claimant’s personal data constituted a disproportionate interference with the Claimant’s right to private life. The decision was considered to be not “strictly necessary” and was therefore unjustified. The Defendant was found to have breached Article 8 of the European Convention on Human Rights.
The High Court also found that the Defendant had breached Sections 35 and 39 of the Data Protection Act 2018 (“DPA”). S.35 DPA states that “the processing of personal data for any of the law enforcement purposes must be lawful and fair”. S.39 DPA states that “personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed”.
In its evaluation of these two principles, the High Court followed the reasoning that it had provided in respect of the Article 8 claim. The Defendant was found to have breached ss.35 and 39 DPA because the continued retention of the Claimant’s personal data was disproportionate and unnecessary.