Welcome to our first Data & Privacy eBulletin of 2020.
This edition includes our insights on recent data breaches and advertising industry developments, as well as a summary of the Schrems II opinion on the lawfulness of personal data transfers to the US.
We have also commented on the ICO’s renewed appetite to enforce payment of the data protection fee and we have snapshots of the ICO’s new guidance and codes, including its recently published Age Appropriate Design Code.
Lastly, as 2020 looks to be the year of Brexit we include some updated thoughts on the implications for data protection law and practice.
There have been a couple of high profile public sector data breaches in recent months:
- In late December it emerged that a version of the New Year’s Honours list was available online featuring the home addresses of over 1000 honours recipients, including celebrities, senior politicians and police.
- Last week it emerged that GB Group, a data intelligence firm, gained unlawful access to the Department for Education’s Learning Records Service database and used the data for age verification services it provides to clients, including Betfair and 32Red.
ICO enforcement news:
- On 20 December 2019, the ICO issued its first fine under the GDPR, to Doorstep Dispensaree. The company, which supplies medicines to customers and care homes, was fined £275k after leaving approximately 500,000 documents in unlocked containers at the back of its premises in Edgware.
- Pre-GDPR enforcement continues: on 9 January 2020 the ICO issued a £500k fine to DSG Retail Limited (owner of Currys, Dixons and PC World) after a cyber-attack on its systems in 2017 and 2018 (just prior to GDPR) led to at least 14 million individuals’ data being compromised. The ICO criticised the company’s poor security arrangements and its failure to take steps to protect individuals’ personal data.
- The ICO has come under some scrutiny for agreeing a three-month extension to the regulatory fining process in relation to British Airways and Marriott International. In July 2019, there was much fanfare as the two companies were issued with notices of intent to fine for breaches of the GDPR (of £183m and £99m respectively). The ICO has not provided any more detail on the agreed extensions, which will be in place until March 2020. We wait with bated breath for the final resolution of the fines.
Harbottle & Lewis data breach seminar
As can be seen from the above, data breaches are clearly a key business risk. A reminder that our upcoming Data Breach Breakfast seminar will be taking place on Tuesday 4 February 2020. The seminar will focus on how to deal with a data breach, including recent developments, enforcement action taken and fines issued by the ICO.
For more information, please contact: Marketing.EventsTeam@harbottle.com
Just before Christmas, the Advocate General gave an opinion in the case of Schrems II. In the original Schrems I case, privacy activist Max Schrems successfully challenged the validity of the ‘Safe Harbor’ mechanism for personal data transfers from the EU to the US.
Since the Schrems I decision, companies making personal data transfers from the EU to the US have relied on other mechanisms such as the Standard Contractual Clauses (SCCs) and EU-US Privacy Shield.
Schrems II concerned the validity of the SCCs; Schrems alleged that the transfer of his personal data from Facebook Ireland to its parent company in the US (using the SCCs) did not protect his fundamental rights under EU law given the ability of the US to carry out mass surveillance on EU citizens’ personal data for national security purposes. This prompted a referral from the Irish Data Protection Commissioner (DPC).
Whilst the AG concluded that, in his Opinion, the SCCs are still a valid mechanism, the Opinion does suggest that there are new obligations for those using SCCs to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms.
You can read Lorna Woods’ commentary on the AG’s Opinion here.
Advertising sector in the spotlight
The advertising sector is coming under increasing scrutiny. This month it emerged that major dating apps, such as Tinder and Grindr, have been sending “special category” personal data to advertisers, including data about users’ sexual preferences and drug use. The ICO published an Update Report into AdTech and Real Time Bidding in summer 2019 in response to its concerns about the advertising industry’s treatment of personal data. It is currently engaging with key stakeholders, including the Interactive Advertising Bureau (IAB), which published a written response to the report in December, to identify and remedy the key areas of concern in terms of data privacy.
Also in the news, Google has announced that it intends to limit the ability of advertisers to track people across the internet by withdrawing its support for third party cookies within two years. This follows Google’s announcement last year of its intention to limit advertisers’ access to personal data on its DoubleClick platform.
Data protection fee enforcement
The ICO is increasing its efforts to collect data protection fees, which are payable by most organisations subject to the GDPR in the UK.
Many organisations have received a letter stating that the ICO’s records, based on information made available by Companies House, show that the organisation is required to pay a fee.
Organisations that fail to pay may be in breach of the Data Protection (Charges and Information) Regulations 2018 for which the ICO can serve a penalty notice.
Indeed, in October 2019, the First-tier Tribunal (Information Rights) dismissed an appeal by an organisation against a penalty notice from the ICO for non-payment of its data protection fee.
It was held that the accidental cancellation of a direct debit to pay the fee was not a reasonable excuse for non-payment.
Key guidance and codes update
As mentioned in our eBulletin: GDPR – One year On, the ICO has been working on four statutory codes to support the implementation of the GDPR. These codes are statutory codes under the UK’s Data Protection Act 2018.
Last week the ICO published the Age Appropriate Design Code aimed at protecting children’s privacy online. The Code sets out 15 standards that online service providers should meet if they provide online services that process children’s personal data. You can read more about the code in our Insight article ICO publishes Age Appropriate Design Code.
The ICO also published its first draft of the Direct Marketing Code. The Code is designed to provide practical guidance for those conducting direct marketing as well as those operating within the broader direct marketing ecosystem (e.g. providers of data enrichment services, or list brokering). It sets out good practice recommendations on compliance with GDPR and PECR. It also confirms that ‘direct marketing’ includes the promotion of aims and ideals as well as the advertising of goods and services (so charities and political campaigning are also caught by its scope).
We still await the publication of draft codes on Data Sharing and on Journalism.
Separately, the ICO has also provided updated guidance on special category data. Under the GDPR, there are limited lawful grounds for processing special category data. This guidance clarifies the definition of special category data (in particular in relation to genetic and biometric data). It also provides guidance on the substantial public interest conditions that may apply.
At the end of last year, the European Data Protection Board also adopted guidelines on the territorial scope of the GDPR. The guidelines were drawn up to clarify the criteria for determining whether particular data processing activities fall within the scope of the GDPR in order to provide a consistent reference for data protection authorities.
Brexit – what next?
- The Withdrawal Agreement Bill has now passed through Parliament and it is highly likely that the UK will leave the European Union on 31 January 2020. This date will mark the start of the transition period, during which EU law, including the GDPR, will continue to apply in the UK until 31 December 2020.
- During this time, the government intends to reach a trade deal with the EU, including on international data transfers; failing that, the transition period will end on 31 December 2020 without a trade deal in place.
- The Task Force for Relations with the UK (a European Commission working party) has indicated that a UK adequacy decision, allowing organisations that are subject to the GDPR to freely transfer personal data into the UK, could be negotiated during the transitional period. This was a surprise; most commentators assumed that an adequacy decision would not be possible in time. Clearly, an adequacy decision would make post-transition EU-UK data transfer much easier; we’ll be keeping a close eye on this.
- Take a look at our Brexit guidance to see how leaving the EU will affect your business and what steps you can take to ensure compliance.
Team news: Lorna’s arrival
Finally, a very warm welcome to the latest member of our team, Lorna Woods.
Lorna is Professor of Internet Law at the University of Essex and her expertise includes the regulation of broadcasting, on-demand services, the press and advertising as well as the Internet and data privacy.