In this E-bulletin we focus on significant data law developments in the UK over the last few months. Of course, we are now very much into ‘final countdown’ territory for the GDPR, with its implementation date of 25 May 2018 rapidly approaching. Many businesses are working very hard on their GDPR-readiness projects, but few will feel confident of 100% compliance by implementation. We will all be waiting with bated breath for the first ICO enforcement action.
Amending existing data processing contracts – what if the other side refuses?
The GDPR requires that processing by a processor shall be governed by a contract that must contain certain provisions. What if your data processor refuses to amend your existing contract? Are they in breach of contract by doing so? Are you entitled to terminate the contract, to prevent you being party to a contract which does not comply with the GDPR? Which party should bear the costs of compliance with the GDPR?
In many cases, the answers will depend on the wording and purpose of the contract. In some contracts, provision is made for the effect of a change in the law, which might indicate that the parties intended for one party rather than the other to take responsibility for, and bear the costs of, compliance with new legislation. If the contract is silent on the issue of compliance with laws, there may be an implied term which addresses the issue. If the key benefit of the contract is the processing of personal data, it may be arguable that a serious breach of an obligation to comply with laws is sufficiently serious to justify termination of the contract.
It is important to remember that the GDPR places obligations on both the controller and the processor to comply with this requirement, so it is in the interests of both parties to get the contract terms right.
A new risk from Data Breaches – insider trading
Could employees be tempted to misuse knowledge of a potential data breach?
The risks have been highlighted following charges brought last month by the US Securities and Exchange Commission against a former Chief Information Officer at Equifax, Jun Ying, arising from his alleged misuse of confidential company information regarding a serious data breach affecting some 145 million consumers.
The SEC alleges that, prior to the public announcement of the breach, the executive researched online the impact of data breaches on share prices and then exercised all of his vested Equifax stock options, selling the resulting shares for nearly $1m and thereby avoiding more than $117,000 of losses. The case is at an early stage and no findings have yet been made. We will track the case as it develops.
See below for more information on our data breach training.
No guarantee of confidentiality regarding the identity of DPOs
From 25 May 2018 all data controllers required to appoint a Data Protection Officer (DPO) under the GDPR will be obliged to share with the ICO the name and contact details of the DPO. The information will generally be collected from data controllers at the time they register to pay the data protection fee.
The DPO is required to give their express consent through ‘opting in’ before their name can be included on the version of the Data Protection Register that is made available to the public. However, DPOs should be aware that even if they ‘opt out’ there are circumstances in which their name may nevertheless be disclosed by the ICO to third parties. This is most likely to occur in the context of requests made pursuant to the Freedom of Information Act 2000.
DPOs must be made aware that their identity may have to become public.
Service Message or Direct Marketing?
Royal Mail Group Ltd has been fined £12,000 by the ICO for sending over 300,000 emails informing customers of a temporary price drop for 2nd Class Medium Parcels purchased online. Royal Mail sent two sets of emails to its customers: one set to those who had opted in to receive marketing and one set to those who had opted out. The emails were different in style and content. Royal Mail argued that the emails sent to opted-out customers were service messages, not marketing communications. It felt it was appropriate to inform all current online users of the price drop by email, and referred to its regulatory duty to publish information about prices “in such a manner as will ensure reasonable publicity for it”.
The ICO did not agree and found Royal Mail to be in breach of the Privacy and Electronic Communications Regulations (PECR) by sending direct marketing emails to opted-out customers without their consent. Whilst Royal Mail “distinguished what message was sent to opted in and opted out customers, the phrasing and style of the message sent to opted out customers meant that it constituted marketing and not simply a service message”.
The ICO also stated that Royal Mail could have complied with its obligation to ensure reasonable publicity for the price drop through alternative methods of communication, for instance a notice on its website.
Overview of the Network and Information Systems Directive
On 6 July 2016, the European Parliament adopted the ‘Network and Information Systems Directive’ (NISD) to harmonise and strengthen the cybersecurity obligations applicable to Operators of Essential Services (OESs) and Digital Service Providers (DSPs), in response to the rise in the magnitude, frequency and impact of security incidents affecting network and information systems. The government has been consulting on the Directive and is running a live consultation on issues specifically affecting DSPs here.
The NISD must be transposed into UK law by 9 May 2018. For more information on the Directive and to see whether your business might be affected, read our helpful overview document here.
Data breach training
Our specialist data and privacy litigators are offering training for clients on ‘Responding to data breaches: legal obligations, risks and reputation.’ If your organisation might be interested in a bespoke training session at your offices, please contact us at Marketing.EventsTeam@harbottle.com to discuss availability or click here for more information.