Welcome to the June 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection

  • Personal liability for PECR regulatory fines proposed in Government consultation
  • European Council adopts decision amending EEA Agreement to incorporate GDPR
  • Department of Digital, Culture, Media and Sport consults on exemptions from paying charges to the ICO
  • ICO publishes draft Regulatory Action Policy
  • The European Court of Justice decision widens concept of 'Data Controller'
  • MEPs pushing for amendments to the EU-US Privacy Shield
  • European Data Protection Board

Cyber security

  • Dixons Carphone admits huge data breach
  • Three further high profile data hacks this month
  • EU cybersecurity certification framework

ICO enforcement

  • The British & Foreign Bible Society c/o the Bible Society fined £100,000
  • BT plc fined £77,000
  • Gloucestershire Police
  • Yahoo! fined £250,000

Data protection

Personal liability for PECR regulatory fines proposed in Government consultation

On 30 May 2018 the Department for Digital, Culture, Media & Sport in the United Kingdom launched a consultation on the functioning of the current regime for holding company directors (or similar positions in corporate bodies or unincorporated associations) and members of partnerships to account for breaches of the Privacy and Electronic Communication Regulations 2003 ("PECR").

The proposals follow the Government's amendments to PECR in April 2015, which lowered the threshold at which the ICO can take action against companies that are in contravention of PECR and gave the ICO the power to issue civil penalties of up to £500,000.

We regularly report in this bulletin on enforcement action taken by the ICO in its crackdown on nuisance calls and texts made by companies in breach of PECR, and the increasingly hefty fines imposed in an effort to disincentivise such contravening marketing tactics. However, such fines are not always recovered in their entirety and the ICO has recently indicated that it has only recovered £9.7 million of the £17.8 million in fines issued for nuisance calls since 2010; a recovery rate of just 54%.

Currently only businesses responsible for unlawful marketing (such as nuisance calls, texts, or other electronic marketing messages) are liable for fines and not the directors themselves. The ICO has repeatedly asked the Government for powers to hold directors of companies to account, as part of its bid to tackle instances of companies being placed into liquidation by directors seeking to avoid substantial penalties, before reopening the responsible company under a different name (sometimes referred to as "phoenixing"). As we reported in September 2017, the ICO has made clear that it is committed to recovering fines it has issued, and will work with insolvency practitioners and liquidators if a company moves to insolvency after being fined.

The Government proposals being consulted on will provide the ICO with the powers it needs to hold officers personally and directly responsible for fines of up to £500,000 under PECR, even in cases where the company is put into liquidation. The ICO would also be able to take action against those no longer in senior positions (for example through resignation), as long as they were a director at the time of the relevant breach.

Any enforcement action taken by the ICO would be based on the seriousness of the contravention and other aggravating or mitigating factors. The consultation period runs until 21 August 2018 and the full consultation document is available here.

European Council adopts decision amending EEA Agreement to incorporate GDPR

On 18 June 2018, the European Council adopted a decision in relation to a series of amendments to the EEA Agreement in order to incorporate the GDPR. The amendments are:

  • The rules of the European Data Protection Board will now give full effect to the participation of the supervisory authorities of the EEA European Free Trade Association ("EFTA") member states and the EFTA Surveillance Authority (except in relation to voting rights and standing for election as chair or deputy chair of the Board).
  • Full participation by EEA EFTA member states in the "one-stop-shop" mechanism. This means where a data controller or processor processes personal data in more than one member state, one national data protection authority must act as lead authority and is competent for monitoring the activities of that data controller or processor throughout the EU.
  • EEA EFTA member states are kept informed of consultations with third countries seeking an adequacy decision.

Department of Digital, Culture, Media and Sport consults on exemptions from paying charges to the ICO

The DCMS has opened a public consultation to obtain views as to whether the current exemptions from paying charges to the ICO are still appropriate and whether there should be any new exemptions. Under the GDPR the Government is required to ensure an adequate level of funding to the ICO, so the impact of any changes to charge exemptions on the ICO's resources will be given due consideration.

The Regulations provide exemptions from paying charges for people and organisations that process personal data only for one or more of the following 'core business purposes':

  • Staff administration (including payroll);
  • Advertising, marketing and public relations (in connection with their own business activity);
  • Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency).

Other exemptions include processing for the purposes of judicial functions or personal, family or household affairs (including recreational purposes).

Some not-for-profit organisations; data controllers processing personal data only to maintain a public register (such as the Electoral Roll); and data controllers that do not process personal data by automated means, or with the intention that it be processed by automated means, are also exempt.

The DCMS welcomes views and invites participants to use the online tool (see here). The closing date for receiving responses is 1 August 2018. The consultation document can be found here.

For more information about fees that are due to the ICO, please see our article in last month's bulletin here.

ICO publishes draft Regulatory Action Policy

In its draft Regulatory Action Policy, the ICO has promised to continue its existing enforcement style based on education and encouraging compliance rather than being an overly strict enforcer. It aims to be effective, proportionate, dissuasive and consistent in its application of sanctions, using its most significant powers to target organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.

Under the new UK Data Protection Act 2018, which came into force on 25 May 2018 ("DPA 2018"), in appropriate cases an 'urgent' information notice may be given to an organisation which requires a response in no less than 24 hours. If the recipient of an information notice does not provide a full and timely response, the ICO may apply to the court for an order requiring compliance with the information notice. An urgent assessment notice may require access to non-domestic premises with less than 7 days' notice, which in effect may allow the ICO to carry out a no-notice inspection to assess a company's compliance with the DPA 2018.

When deciding on the level of fines, aggravating or mitigating factors will be taken into account, for example, the attitude and conduct of the individual or organisation concerned.

The ICO is welcoming comments on its draft policy which can be found here.

The European Court of Justice decision widens concept of 'Data Controller'

The European Court of Justice ("CJEU") has ruled that the administrators of 'fan pages' on Facebook should be considered joint controllers of the personal data processed about people who access those pages. Both Facebook and the operator of the 'fan page' have a responsibility to inform users about how personal data is processed, obtain consent, if necessary, and conclude contracts with each other to regulate responsibilities.

The longstanding case concerns a dispute over data processing carried out in connection with a fan page on Facebook. The administrator of the fan page is the German organisation Wirtschaftsakademie Schleswig-Holstein, which provides educational services. In 2011, a German data protection authority ordered Wirtschaftsakademie to deactivate its fan page after raising concerns that neither it nor Facebook had informed people visiting the page that cookies were being used to gather information about them. However, Wirtschaftsakademie challenged the data protection authority's order arguing that Facebook, rather than Wirtschaftsakademie itself, was responsible for the data processing as controller. The case arrived at the CJEU when Germany's Federal Administrative Court asked the CJEU to help it interpret EU data protection law before it issues a ruling on the matter.

In an interesting decision, the CJEU held that Facebook is a data controller of the personal data processed about its users and other visitors to fan pages hosted on its platform (because Facebook is "primarily determining the purposes and means of processing" of that data). It also found that Wirtschaftsakademie is a data controller, because it has an influence over the data processing and helped to set the "parameters" by which the personal data about visitors to its page was processed, despite the fact that Wirtschaftsakademie does not have access to the data processed other than in anonymised form for statistical purposes.

The CJEU's judgment means that any organisation that has an influence over how personal data is processed could be considered a data controller, not just in the context of fan pages on Facebook. Practically speaking, organisations in this position should reassess whether they should consider themselves a data controller and, as a result, ensure that any joint data controller has issued appropriate fair processing notices and obtained any necessary consents to the processing of data. Additionally, they should be ready to handle subject access requests and requests to delete data even if they do not primarily determine the way the data is processed or even have access to it in identifiable form (albeit in practice this may just mean passing those requests on to the other joint controller).

MEPs pushing for amendments to the EU-US Privacy Shield

The Civil Liberties Committee ("LIBE") at the European Parliament, a committee of MEPs, is pushing for an ultimatum to be served on the US government to strengthen the safeguards provided for in the EU-US Privacy Shield. LIBE has passed a motion on 12 June 2018 recommending that the European Commission suspend the application of the Privacy Shield unless the US meets its obligations "in full" by the end of summer. The European Parliament will vote on the motion in July.

The Privacy Shield enables US businesses to transfer personal data from the EU to the US in line with the requirements of EU data protection law. It operates as a self-certification mechanism, allowing businesses to confirm that they comply with a number of privacy principles. The Privacy Shield has been operational since August 2016, when it replaced Safe Harbour.

The European Commission confirmed the adequacy of the Privacy Shield mechanism following its first annual review last year (see October 2017 bulletin). However, it has continued to receive criticism, including by privacy campaigners, the WP29 (which called for the recommended actions to be completed by 25 May 2018 (see January 2018 bulletin)), and now from the LIBE Committee. The LIBE Committee stated that the current form of the Privacy Shield does not provide the adequate level of protection required by EU data protection law and the EU Charter. Concern has been raised about: (1) the extent of safeguards in place under the Privacy Shield to address bulk US surveillance powers; (2) EU citizens' ability to exercise all their rights in respect of the data transferred to the US under the framework; and (3) whether there is sufficient scope under US law for data subjects to obtain judicial redress in respect of any mishandling of their data.

European Data Protection Board

Members of the ICO were in Brussels on 25 May 2018 as the WP29 was replaced by the EDPB. The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU's data protection authorities. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor. The EDPB is established by the GDPR, and is based in Brussels. It is believed that the EDPB will be a stronger, independent body with powers to rule by binding decisions, ensuring a unified approach to upholding data protection rights across the EU.

Cyber security

Dixons Carphone admits huge data breach

Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records. It is investigating the apparent attempt to access its payment processing systems at Currys PC World shops and Dixon Travel branches, which began in July last year. There was an attempt to compromise 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked. Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

Dixons Carphone chief executive Alex Baldock admitted the group had "fallen short" of its responsibility to protect customer data. The ICO has been informed of the breach and has commented that it is investigating it. The ICO previously fined Carphone Warehouse £400,000 in 2015 for a separate breach.

Three further high profile data hacks this month

Fortnum & Mason - The 311-year-old store warned about 23,000 customers that their details (including email and home addresses and social media handles) had been accessed. Most of those affected had entered their details online when voting in the TV personality of the year category at the store's food and drink awards.

Adidas - The company says it became aware of the breach on 26 June 2018, when it learned that an unauthorised party was claiming to have acquired the details of Adidas US customers. A preliminary investigation found the leaked data included contact information, usernames and encrypted passwords. Adidas said it does not believe any credit card or health and fitness information was compromised but sent alerts to millions of its US customers to inform them that their data may have been breached.

Ticketmaster - Ticketmaster has warned UK customers they could be at risk of fraud or identity theft after it revealed a major data breach had affected tens of thousands of individuals. Anyone who bought concert, theatre and sporting event tickets between February and 23 June 2018 may have been affected by the incident, which involved malicious software used to steal individuals' names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details. The company said less than 5% of its global customer base had been caught up in the breach, and indicated the number directly affected was fewer than 40,000.

EU cybersecurity certification framework

Proposals for a new information and communication technology cybersecurity certification framework have been announced, with the European Council agreeing its general approach on the proposal, known as the Cybersecurity Act, on 8 June 2018. The proposed laws envisage a three-tier system of voluntary cybersecurity certification, which will be implemented across all EU member states. Manufacturers of IT products and services, including manufacturers of connected cars and medical devices, will be able to obtain an EU-wide certification that their products conform to cybersecurity standards. As the certificates issued will be valid in all EU countries, the framework will make it easier for users to carry out cross-border business. It will also enable companies to have more confidence in the security of the technologies that they are using. The scheme will allow IT products and services to be evaluated in accordance with cybersecurity standards to provide for a 'basic', 'substantial', or 'high' assurance rating. Unless otherwise specified in national laws, certification will be voluntary and companies will be able to self-assess for the basic level rating.

The European Union Agency for Network and Information Security ("ENISA") will also become established as a permanent EU agency for cybersecurity under the proposal. ENISA will support member states on cyber issues, organise regular EU-level cybersecurity exercises, and support and promote EU policy on cybersecurity certification. The proposal agreed by the European Council forms the basis of their position for negotiations with the European Parliament. Both the European Council and the European Parliament will need to agree on the final text before it can enter into force.

ICO enforcement

The British & Foreign Bible Society c/o the Bible Society fined £100,000

The British and Foreign Bible Society, based in Swindon, has been fined £100,000 by the ICO, after its computer network was compromised as the result of a cyber-attack in 2016. Between November and December 2016, the intruders exploited a weakness in the Society's network to access the personal data of 417,000 of the Society's supporters. For a subset of these supporters some payment card and bank account details were placed at risk.

BT plc fined £77,000

British Telecommunications plc ("BT") has been fined £77,000 by the ICO after it sent nearly five million nuisance emails to customers. The investigation found that BT did not have customers' consent for such direct marketing. The 4.9 million emails, sent between December 2015 and November 2016, promoted three charities.

Gloucestershire Police

Gloucestershire Police has been fined £80,000 for revealing identities of abuse victims in a bulk email. The force was at the time investigating allegations of abuse relating to multiple victims. On 19 December 2016, an officer sent an update on the case to 56 recipients by email (including victims, witnesses, lawyers and journalists) but entered their email addresses in the 'To' field and did not activate the 'BCC' function, which would have prevented their details from being shared with others.

The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the DPA 2018 which has replaced it, because of the date of the breach.

Yahoo! fined £250,000

Yahoo! UK Services Limited, based in London, has been fined £250,000 by the ICO after its computer network was compromised as the result of a Russian state-sponsored cyber-attack that affected more than 515,000 UK email accounts co-branded with Sky in November 2014. The stolen data included names, email addresses, telephone numbers, passwords and encrypted security questions and answers. The ICO said Yahoo had failed to take appropriate measures to prevent the theft of data and failed to ensure that data was processed by Yahoo's US arm with appropriate data protection standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.