Welcome to the Autumn edition of our quarterly Data & Privacy eBulletin. With Brexit looming larger than ever, we look at how businesses can ready themselves and their data protection practices.
In this edition, we also reflect on the Information Commissioner’s Office (ICO) guidance on cookies and consider the hot topic of facial recognition. Data protection remains a headline-grabbing area and is very much in the regulatory spotlight: earlier this summer the ICO announced proposed record fines against both British Airways and Marriott.
Please get in touch if you have any concerns or would like to know more.
Preparing for a ‘no-deal Brexit’
With ‘no-deal Brexit’ remaining a distinct possibility, organisations need to start ‘Brexit-proofing’ their data protection operations. For information on how a no-deal Brexit will affect data protection law in the UK, please see our article on the topic published on our website here.
The table below outlines the key steps controllers and processors, both in the UK and the EU, might need to take if the UK leaves the EU without a deal on 31 October.
ICO guidance on cookies
The ICO issued its long-awaited guidance on cookies in July. The guidance gives practical tips on how to obtain valid ‘GDPR standard’ consent for cookies. It is clear that consent is required for all non-essential cookies, it must be informed and freely given, and the user must take clear and positive action to give consent. This means that:
– Non-essential cookies must not be pre-enabled, and must not be set before consent is given (including on landing pages). Users must be told up front which cookies exist and what they do before they are asked to consent.
– Implied consent is not valid. Pre-ticked boxes, sliders defaulted to ‘on’, continuing to use the service, or clicking away from the consent mechanism without making a choice are none of them a valid form of consent. Relying solely on browser settings is also insufficient; at the very least, users need to be prompted to review those settings.
– Consent mechanisms that emphasise ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ are not valid. This is nudge behaviour that steers users towards the ‘accept’ option.
– Cookie walls that restrict access to a service unless users consent are unlikely to produce valid consent, because the user has no genuine free choice about whether to accept cookies. Users should still be able to access the service if they decline non-essential cookies.
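The four requirements above translate fairly directly into the logic of a consent gate. The following is an added example written for this bulletin, not code from the ICO or from any consent-management product: it keeps every non-essential category off by default, treats only an explicit accept/reject/save action as a decision (dismissing the banner, scrolling or continuing to browse leaves consent unchanged), and refuses to set a cookie whose category has not been consented to. The category names, the cookie-to-category mapping and the event names are assumptions chosen for illustration; whether the ‘reject’ control is as prominent as ‘accept’ is a matter of the banner’s design and is not something this code can enforce.

```javascript
// Added example: a minimal cookie-consent gate reflecting the ICO's
// requirements. Category names, cookie names and event types below are
// illustrative assumptions, not a real site's configuration.

const COOKIE_CATEGORIES = {
  // "required" categories are strictly necessary and need no consent.
  essential: { required: true,  cookies: ['session_id', 'csrf_token'] },
  analytics: { required: false, cookies: ['_ga', '_gid'] },
  marketing: { required: false, cookies: ['_fbp', 'ads_id'] },
};

// Default state: only strictly necessary categories are on. Nothing
// non-essential is pre-enabled.
function defaultConsent() {
  const state = {};
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    state[name] = cat.required;
  }
  return state;
}

// A fresh visitor has made no decision yet.
function newRecord() {
  return { consent: defaultConsent(), decided: false, decidedAt: null };
}

// Apply a banner event. Only ACCEPT_ALL, REJECT_ALL and SAVE_CHOICES are
// positive actions; DISMISS / SCROLL / CONTINUE_BROWSING are exactly the
// implied consent the ICO says is invalid, so they change nothing.
function applyEvent(record, event) {
  const next = { ...record, consent: { ...record.consent } };
  switch (event.type) {
    case 'ACCEPT_ALL':
      for (const name of Object.keys(COOKIE_CATEGORIES)) next.consent[name] = true;
      break;
    case 'REJECT_ALL':
      next.consent = defaultConsent();
      break;
    case 'SAVE_CHOICES': {
      // Only categories the user explicitly switched on are enabled;
      // anything left untouched stays off (no default-on sliders).
      const choices = event.choices || {};
      for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
        next.consent[name] = cat.required || choices[name] === true;
      }
      break;
    }
    case 'DISMISS':
    case 'SCROLL':
    case 'CONTINUE_BROWSING':
      return record; // not a decision: consent record is unchanged
    default:
      throw new Error(`unknown banner event: ${event.type}`);
  }
  next.decided = true;
  next.decidedAt = event.at; // when the decision was recorded (for evidence)
  return next;
}

// Gate: may this cookie be set right now? Unknown cookies fail closed.
function canSetCookie(record, cookieName) {
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    if (cat.cookies.includes(cookieName)) {
      return cat.required || (record.decided && record.consent[name] === true);
    }
  }
  return false;
}

// Audit helper: given the cookies actually observed on a page (e.g. from a
// crawler or document.cookie), list those that have no basis to be set.
function cookiesSetWithoutConsent(record, observedCookies) {
  return observedCookies.filter((c) => !canSetCookie(record, c));
}

// Constructed sample: cookies seen on a landing page before any choice.
const observedOnLanding = ['session_id', '_ga', '_fbp'];
console.log('set without consent on landing page:',
  cookiesSetWithoutConsent(newRecord(), observedOnLanding)); // [ '_ga', '_fbp' ]
```

Running the audit helper against a fresh record (no decision yet) is a quick way to check a landing page for the first failure mode in the list above: any non-essential cookie that appears there has been set before consent. The `decidedAt` timestamp is kept so that the organisation can evidence when and how consent was obtained if asked.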
Organisations must also consider how best to present information on cookies to users. Factors to consider are as follows:
– Information should be presented up front. Cookie policies should be accessible through a link within the consent mechanism and at the top or bottom of the website.
– Design, such as the positioning of the link, should be considered. For example, a link at the bottom of a concise webpage which has no content “below the fold” will be much more visible than a link in the footer of a dense webpage of 10,000 words. In the latter case, a link in the header would be more appropriate.
– The formatting of the link is also important. The link should be distinguished from the rest of the text e.g. by a different style or size of font.
– If children are likely to access the service, organisations should consult the ICO’s code of practice on age appropriate design.
Please contact us if you would like assistance with implementing compliant cookie consents and policies.
Spotlight on facial recognition
In recent months we have seen that facial recognition technology is coming under increasing scrutiny from the data protection authorities, the courts and privacy campaigners alike.
News in August that property developers in King’s Cross had been using facial recognition prompted significant media attention and a backlash from privacy campaigners. The ICO has indicated that it is taking facial recognition technology, and its potential for abuse, very seriously, and is launching an investigation into its use in King’s Cross.
Furthermore, the European Commission is planning regulations that will target the indiscriminate use of the technology and will implement stricter rules to ensure that individuals have the right to know when they are being monitored.
You can read our Insight article on the topic here.
Huge fines on the horizon
In early July, the ICO released details of its intention to fine British Airways £183.39m for the cyber breach it reported in autumn last year. This is the first major potential fine in the UK under the GDPR and Data Protection Act 2018 and it was followed swiftly the next day by the announcement of a proposed £99,200,936 fine for Marriott International for its own data breach.
British Airways and Marriott now have the opportunity to make representations to the ICO in respect of the level of the penalty and the findings. As the lead supervisory authority for the breach, the ICO also announced that it will be taking representations from other EU supervisory authorities whose residents have been affected by the breach.
Google hits headlines twice in one week
Google has been subject to two court judgements this month.
The first saw the search engine giant win its challenge against the French data protection regulator, which had fined Google €100,000 for failing to remove unlawful results across all of its global platforms. Google argued that it should only have to delete results from searches carried out within Europe and from its European platforms (such as google.co.uk and google.it). The Court of Justice of the European Union (CJEU) ruled in Google’s favour. You can read more here.
The second saw the Court of Appeal allow a class action against Google in respect of the search engine’s alleged unlawful monitoring of iPhone users without their consent, through the use of third party cookies, between 2011 and 2012. You can read more here.
Other regulatory decisions and activity
The following action has been taken by the ICO in the past few months for breach of the Privacy and Electronic Communications Regulations:
- Home Protection Limited has been fined £90,000 for making nuisance calls to people registered with the Telephone Preference Service in order to sell its home security products and services.
- EE Limited has been fined £100,000 for sending direct marketing messages to customers who had opted out of receiving marketing messages from it.
- Making it Easy Limited has been fined £160,000 for making 297,761 calls to subscribers whose names were registered with the Telephone Preference Service.
Subject Access Request concerns
We have also seen a focus from the ICO on organisations that have failed to respond to subject access requests within the one month period prescribed by the GDPR:
- The ICO issued the Metropolitan Police with two enforcement notices due to a backlog of subject access requests (one relating to SARs pre 25 May 2018 and one relating to SARs after that date). The Met has until 30 September 2019 to resolve the backlog before fines are imposed.
- Hudson Bay Finance Ltd was also issued with an enforcement notice for failing to respond to a subject access request. The company was given 30 days to comply with the notice with failure to comply being a criminal offence.
Searches for illegally obtained data
- The ICO searched two addresses in Liverpool as part of an ongoing investigation into the acquisition and sale of illegally obtained personal data. The ICO worked in partnership with the Insurance Fraud Bureau to investigate a business suspected of carrying out high volumes of data farming activity.
GDPR fines further afield
- The Greek Data Protection Authority fined PwC €150,000 for unlawfully processing employee data. PwC had, incorrectly, been processing employee personal data on the basis of consent. This is another reminder that employers should not rely on employee consent as a basis for processing personal data: the imbalance of power between an employer and an employee makes freely given consent very difficult to obtain.
High commendation for H&L in Legal 500
We’re proud to announce that our legal expertise has been recognised by Legal 500 for our data protection, privacy and cybersecurity work.
Legal 500 cited our: “notable expertise in the technology, media and entertainment sectors acting for a client roster, which includes The Pokémon Company International, Comic Relief, the Harry Potter Theatrical Production and Virgin.
“The team handles contentious and non-contentious mandates and takes a cross-departmental approach utilising the commercial, employment and litigation teams.
“Sacha Wilson also enhances the firm’s strength in the data privacy aspects of marketing, adtech and digital media. Daniel Tozer leads the technology and data practice and focuses on commercial data protection. Senior partner Gerrard Tyrrell leads the group’s contentious work and John Kelly regularly acts for private individuals.”