Welcome to our quarterly Data & Privacy eBulletin in which we reflect on some of the key developments since April 2018 and, in particular, the momentous introduction of GDPR on 25 May.
This continues to be a very busy time for data lawyers – our team is working on all of the areas shown below; do please get in touch if you would like to know more.
Our Data team will also be hosting a webinar on subject access requests on Wednesday 8 August. If you’re interested in finding out more, there are further details below.
ICO: website changes
With GDPR finally coming into effect on 25 May, it will come as no surprise that the ICO has been busy updating some of its key guidance documents and information resources since our last bulletin.
Along with the final version of its guide on consent, the ICO website now has a new data breach notification form to reflect the mandatory breach notification regime brought in by GDPR.
Data protection officers, or others responsible for data protection within their organisations, must use the form to report a breach that risks the rights and freedoms of data subjects – and to do so within 72 hours. It is really important to be familiar with the new form.
Of particular note is that the new form specifically requests the time of both when the data breach occurred and when the breach was discovered. It also focuses on assessing the impact the breach will have on individuals.
GDPR: trends since 25 May
It’s been six weeks since data protection laws around Europe changed with the arrival of the GDPR. While many organisations started their data protection preparations well before 25 May, for most, the work hasn’t stopped since then.
Here are five trends we’ve seen since the GDPR came into force:
- Responding to data subject requests – recent updates to privacy policies, coupled with an increased awareness by individuals of their data subject rights, have led to a spike in data subject requests, including requests for data erasure and data access. Organisations have been busy responding to these requests in line with their updated obligations.
- Contract reviews – organisations are continuing to review agreements with their suppliers, contractors, partners, agencies and customers to assess their compliance with data protection laws, and, where necessary, are entering into revised agreements and data protection addendums to bolster data protection provisions.
- Updating internal policies – as well as updating their externally-facing privacy policies, organisations are developing and improving their own internal data protection policies to help inform their staff and employees on how to keep data safe, secure and used for the right reasons.
- Data breach identifications and notifications – with the GDPR requiring organisations to report personal data breaches that are likely to lead to a ‘risk to the rights and freedoms of natural persons’ within 72 hours of their discovery, organisations that have identified a data breach have been assessing the likely impact of the breach on individuals and, where necessary, filing notifications with the ICO, as well as informing any affected data subjects.
- Data protection impact assessments (DPIAs) – DPIAs must be carried out when proposed processing of personal data is likely to result in a high risk to individuals’ interests. With the ICO recently having provided a list of processing activities mandatorily requiring a DPIA, organisations are having to get used to undertaking DPIAs.
NT1, NT2 v Google LLC and Article 17: removal of historic archive articles
In the seminal ‘Right to Be Forgotten’ case of NT1 & NT2 v Google, the High Court ruled that an individual can force Google to delist results returned for a search of their name, but only where it is no longer necessary in the public interest for Google to keep processing the data.
In the case of NT2, the old news article in question related to his spent convictions which it was no longer in the public interest to show in a search result because there was no element of dishonesty and they were unrelated to his present career; there was no need for anyone to be warned of his past conduct. Conversely, for NT1, his lack of remorse, the fact that his spent conviction was for a more serious crime, and that the offence pertained to his ongoing role in public life were all key factors on which the Court found that his data should not be delisted and would still be shown in search results.
This is now effectively old law, given that the GDPR has introduced a wider-ranging ‘right to erasure’ which allows data subjects to require erasure of personal data if they can show that the content was unlawful or that their rights should override the search engine’s legitimate interests. The right to erasure also fails in any case where the processing is necessary for freedom of expression, and while Google was held not to qualify for the journalistic exemption (in NT1 & NT2), this argument could be revived. So it isn’t yet plain sailing for an individual seeking de-listing of out-of-date content.
Employee database theft no longer just an employment matter
The ICO pursued a prosecution of a recruitment consultant who took the details of 272 individuals from his former employer’s database when he left to set up his own rival business. The individual pleaded guilty to an offence under s.55 Data Protection Act 1998 and was given a fine of £355, ordered to pay £700 in costs and also a victim surcharge of £35.
The misuse of personal data contained in a client or customer database in this manner will constitute a data breach and will now likely be reportable to the ICO. An employee who is establishing their own business would have a defence only where they can show that they reasonably believed they had a legal right to use the data in the way that they did.
A company which is in dispute with a former employee relating to client data must ensure that it does not tie its hands in any way when it comes to reporting the data misuse.
Don’t forget to pay!
At midnight on 24 May 2018, the requirement for most data controllers to formally register with the Information Commissioner’s Office (ICO) was abolished.
Under the old Data Protection Act 1998, data controllers had to complete a registration form providing details of their organisation, their sector, their nature of work and the types of processing undertaken. A notification fee of either £35 or £500 was payable based on the number of staff and annual turnover (subject to a few specific exemptions).
This abolished registration requirement was swiftly replaced on 25 May with an obligation to pay the ICO a data protection fee under the Data Protection (Charges and Information) Regulations 2018.
But while there’s no need to register per se, much of the information required on the form for payment of the new fee is the same as the old registration form.
Furthermore, the ICO still maintains an online public register of data controllers, although it’s now called the ‘register of fee payers.’ Like the old regime, the fee is split into tiers based on annual turnover and staff numbers:
Tier 1 – £40 Fee:
- Maximum annual turnover of £632,000
- Maximum 10 members of staff
Tier 2 – £60 Fee:
- Maximum annual turnover of £36 million
- Maximum 250 members of staff
Tier 3 – £2,900 Fee:
- Annual turnover over £36 million
- 251+ members of staff
A note on Data Protection Officers…
Data controllers who are required to appoint a data protection officer (DPO) under the GDPR must also provide details of their DPO to the ICO. The new data protection fee form has a section for DPO details, and organisations who have voluntarily chosen to appoint a DPO can also use this section of the form.
Data controllers who have an existing registration under the old pre-25 May regime can email the ICO with details of their DPO by following these instructions. The DPO details will then be added to your organisation’s page on the ICO’s online register of fee payers.
While organisations can choose not to publicly disclose the name of their DPO, all other details, such as the DPO’s telephone number and email address, will be made public.
Be careful when reading the Data Protection Act 2018
Navigating the DPA 2018 can be challenging not only due to its size (215 sections and 20 schedules!) but also the confusing manner in which its sections are organised.
Whilst the DPA 2018 incorporates the GDPR into UK law, it also covers processing of personal data that (a) is regulated by other EU laws (such as processing for criminal ‘law enforcement purposes’ under the Law Enforcement Directive), and (b) falls outside EU law (such as national security and immigration).
Rather than being set out in clearly marked separate sections, these additional provisions are scattered throughout the DPA 2018. This can lead to confusion when searching for terms. For example, searching for the term ‘Data Protection Officer’ will point to section 69, which actually only applies to law enforcement processing.
Part 2 (General Processing) is the section which most businesses will want to look at – the bulk of the GDPR provisions are there. Parts 3 and 4 are only relevant to law enforcement and intelligence services processing.
Facebook fan page responsibilities
Anyone creating Facebook fan or business pages beware! In the recent decision in Wirtschaftsakademie v Facebook Ireland, the CJEU determined that Facebook page administrators could be data controllers in respect of the personal data collected via the fan pages.
In this case, Facebook was using cookies on the fan page and neither Facebook nor Wirtschaftsakademie, the fan page administrator/creator, informed the visitors to this particular fan page about the cookies. This was an infringement of the Data Protection Directive 95/46 (“the Directive”).
The cookies collected personal data, which Facebook then provided to the page administrator in anonymised form.
In determining whether Wirtschaftsakademie was a data controller, the CJEU considered the following points:
- The administrator took part in determining the purposes and means of the processing and then contributed to the processing itself by defining the parameters influencing the statistics put together by Facebook, which depended on the administrator’s target audience, its objectives of managing and promoting its activities and its page filter settings.
- Even though the administrator was only provided with anonymised data, the Directive does not require each data controller to have access to the personal data.
- The administrator had even greater responsibility for visitors who were not Facebook users, as the processing of their personal data only started when they visited the fan page.
- Visitors’ rights would have more complete protection if the administrator was a data controller.
- The CJEU held that the administrator had to be a data controller. Although the CJEU did not determine the extent of the control of each of the parties, it noted that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing and the level of responsibility of each data controller must be assessed with regard to all the relevant circumstances of the particular case.
Essentially, if you set up a Facebook fan or business page, you shouldn’t rely on Facebook to ensure that the visitors’ personal data is being processed in a GDPR compliant way. It is also your responsibility.
H&L webinar: subject access requests
Don’t miss out on your chance to tune into our webinar on subject access requests on Wednesday 8 August at 4pm (BST).
Some of our Data Protection specialists, Jo Sanders, Sacha Wilson and Amy Bradbury, will be sharing their top tips on how to deal with these requests and offering best practice advice.
If you would like to sign up for our webinar, you can email us with your contact details here.