Welcome to our second quarterly data and privacy eBulletin of 2016. In this eBulletin we give a round-up of the key developments of the last three months, from the latest data leaks to updates on the Privacy Shield, the GDPR and direct marketing.
Another day, another breach
This week saw another high profile and large scale data breach, this time of dating site ‘Beautiful People’ which is marketed as “a playground for the aesthetically blessed”. Reports say that the hackers accessed the names, addresses, sexual preferences and income of 1.1 million of the site’s users.
The ‘Panama Papers’ data leak, involving the Panamanian law firm Mossack Fonseca, is one of the largest data breaches in history. A spokesperson for the law firm confirmed that the breach, which resulted in the leak of over 11 million confidential documents, was the result of an external hack. Security experts have said that the attackers got in through the firm’s email server, which was running outdated software with known security flaws. Significant criticism has also been levelled at Mossack Fonseca for not encrypting its emails.
Against this backdrop, WhatsApp, the world’s largest messaging service, has recently rolled out end-to-end encryption for its 1 billion users. Note that end-to-end encryption protects messages in transit between users; it does not by itself protect data once it is stored on a server, which is the gap the Mossack Fonseca criticism concerns. The ICO has recently published guidance on encryption and may well take enforcement action where a lack of encryption has led to a loss of personal data.
With data breaches (and in particular targeted hacks) continuing to rise, businesses should regularly review their security practices: keep internet-facing systems such as email servers patched and up to date, and encrypt personal data both in transit and at rest.
GDPR finally approved!
The European Parliament has finally adopted the terms of the General Data Protection Regulation (GDPR).
The GDPR marks the biggest shake-up of European data protection law for a generation. It will apply two years after its publication in the Official Journal of the EU, which is expected to mean spring or summer 2018. The ICO has issued some basic guidance, ‘Preparing for the General Data Protection Regulation’.
We will be holding a number of sector-focussed sessions during 2016 explaining the implementation of the GDPR. Please contact us if you would like to be involved.
EU-US Privacy Shield update
On 14 April 2016 the Article 29 Working Party (the group of EU data protection regulators) issued its opinion on the proposed terms of the EU-US Privacy Shield (the ‘Privacy Shield’) (see here for further details on the Privacy Shield). It noted that, whilst the Privacy Shield significantly improves on Safe Harbor, a number of issues with the proposal remain. In particular:
- Some key European data protection principles were not reflected
- Onward transfers of EU personal data were insufficiently provided for
- The US representations in relation to US government access to data did not exclude massive and indiscriminate collection of data originating from the EU
- The new Ombudsperson might not be sufficiently independent, nor vested with adequate powers to exercise its duties.
This opinion may delay the progress of the Privacy Shield and prompt changes to the drafts. The EU Commission will want to adopt the Privacy Shield as soon as possible, but it is unclear how and when this will happen.
Businesses that previously relied on Safe Harbor, or that are looking to transfer data to the US under the Privacy Shield, should keep an eye on these developments. In the meantime they should consider interim measures to ensure adequate protection of personal data transferred to the US, such as putting the EU standard contractual clauses (model clauses) in place with the US recipient.
The inside track on the ICO’s Data Protection Practitioner’s Conference 2016
As expected, preparation for the GDPR occupied the entire morning agenda. Other interesting take away points were that:
- Data breaches, leaks and hacks are now firmly at the top of the ICO’s agenda and account for some of its most serious enforcement action. If an investigation takes place the ICO will ask three questions: Was there a policy in place? Did the organisation have a means of following it? Was it actually followed?
- 44% of the complaints received by the ICO relate to responses to data subject access requests. This remains one of the most contentious areas of the Data Protection Act, so it is very important to have a good procedure in place for dealing with requests received.
The outgoing Information Commissioner, Christopher Graham, summarised the importance of data protection for all businesses saying that it is “board responsibility, not just a boring detail”.
Private investigator ordered to comply with data subject access request
The High Court has ordered a private investigator to comply with a data subject access request made by a Russian couple who were involved with a company the investigator was looking into (Gurieva and another v Community Safety Development (UK) Ltd).
The judgment includes useful discussion of the exemptions in the Data Protection Act relating to crime and to legal professional privilege, both of which can relieve a data controller of the obligation to comply with a data subject access request. The decision also compares the facts of this case with those of Dawson-Damer v Taylor Wessing LLP & Ors, and casts doubt on the assertion that a data subject access request made to obtain early access to information for the purposes of pending or contemplated litigation is an abuse of process.
Draft EU Trade Secrets Directive
Whilst not directly concerned with data protection law, this development is of substantial interest for the protection of confidential information in the EU. The details are worth understanding as much for what they omit as for what they protect.
On 14 April 2016 the European Parliament adopted the draft Directive, which introduces an EU-wide definition of ‘trade secrets’ and sets out rules on their unlawful acquisition, disclosure and use.
Under the new definition, a ‘trade secret’ is information which is secret, has commercial value because it is secret, and has been subject to reasonable steps to keep it secret by the person lawfully in control of it. Because of the emphasis on commercial value arising from secrecy, and the requirement for reasonable steps to maintain secrecy, its scope will not align with that of protection for personal data under EU data protection law. Existing English common law protection for confidential information is also potentially far wider than the limited scope of the draft Directive.
Formal adoption of the Directive is expected in May, after which member states will have two years to implement it.
Updated ICO Guidance on direct marketing
Direct marketing has been a recent focus of the ICO, as evidenced by several recent fines for breaches of the direct marketing rules. The ICO has published an updated version of its Direct Marketing Guidance to help companies understand how to comply with the law and follow good practice. Key updates include:
- More focused guidance for non-profits
- Guidance on third party consents, reinforcing that “are you happy to receive marketing from selected third parties” is unlikely to be specific enough to satisfy consent requirements
- Guidance on what constitutes ‘free, informed, specific’ consent.
Lessons learnt from recent UK ICO enforcement action
Prodial Limited was issued with the ICO’s current record fine of £350,000 for instigating over 40 million automated marketing calls without consent.
Direct Choice Home Improvements Ltd was fined £50,000 for cold calling people who were registered with the Telephone Preference Service (TPS). The key point is that the company could not rely on assurances from third parties that the data lists had been screened against the TPS; it remained the company’s own responsibility to ensure that it did not make unsolicited direct marketing calls to TPS subscribers.
David Lammy MP was fined £5,000 for instigating 35,629 nuisance calls that played a recorded message urging people to back his campaign to be named the Labour Party candidate for London Mayor. Although the calls were made to registered members of the Labour Party, those individuals had not specifically consented to receiving them. Automated marketing calls require the prior, specific consent of the person called; the ‘soft opt-in’ (which only applies to email and text marketing to existing customers) is not available, and there is no relaxation for political campaigning.
Key data seminar for London Tech Week
As part of London Tech Week we are hosting a Techlaw breakfast seminar on Wednesday 22 June from 8:45am – 10:30am. This seminar will focus on data issues and online consumer rights. See here for more information. To register for this seminar please contact firstname.lastname@example.org.