Welcome to our data protection bulletin, covering the key developments in data protection law from April 2022.
Reminder: ICO’s new data transfer tools in force
On 21 March 2022, following Parliamentary approval, the UK’s new data transfer tools, the International Data Transfer Agreement (“IDTA“) and the international data transfer addendum to the European Commission’s Standard Contractual Clauses (“UK Addendum“) came into force. This means data exporters subject to the UK GDPR may now use the IDTA and the UK Addendum as a transfer tool when making restricted transfers. The old EU SCCs can still be used for data transfers until 21 September 2022, at which point any new transfers must be based on the IDTA or UK Addendum. Existing transfer arrangements issued under the old EU SCCs will remain valid until 21 March 2024 (after which the new transfer tools must be used for all UK transfers). For further information on the countdown timeline for transitioning away from the old EU SCCs please refer to our February 2022 summary here.
For most organisations, using the UK Addendum in conjunction with the EU SCCs will be the preferred choice, as this will ensure compliance with all European and UK data transfer requirements. Organisations exclusively focused on the UK may wish to use the IDTA instead. Keep an eye out for more updates and information on using the new transfer tools on our Data Protection Hub available here.
European Union reaches political agreement on Digital Services Act
On 22 April 2022, a provisional political agreement was reached by the European Council and European Parliament on the Digital Services Act (“DSA“). The DSA is set to regulate how online intermediary service providers handle illegal or potentially harmful online content by establishing a powerful transparency and accountability framework.
The obligations placed on different online businesses under the DSA will be proportionate to their role, size and impact in the online ecosystem. The DSA will complement the Digital Markets Act, which will aim to limit the market dominance of the biggest online platforms.
The DSA text still needs to be finalised at a technical level and then it will need to be adopted by both the European Parliament and Council. The DSA will come into force 15 months after it is voted into law, or from 1 January 2024, whichever is later. We will provide a more detailed update on the DSA once the final text becomes available.
US government announces establishment of Global CBPR Forum for transferring data
The US Department of Commerce has announced the establishment of a Global CBPR Forum with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei (the “Forum“). The Forum will establish an international certification system based on the existing APEC Cross Border Privacy Rules (“CBPR“) and Privacy Recognition for Processors (“PRP“) Systems and support the free flow of data through the promotion of both systems.
The Forum will also promote interoperability with other data protection and privacy frameworks and help bridge different regulatory approaches to data protection and privacy. Participation in the Forum will be based on a commitment to open dialogue and consensus-building and meetings of the Forum will be held at least bi-annually.
As data transfer requirements become increasingly complex, it is anticipated that this kind of multi-party data sharing framework could be the way forward for international transfers. Such a framework could be the basis for an adequacy decision under the GDPR, or a GDPR transfer certification scheme. The Department for Digital, Culture, Media & Sport (“DCMS“) announced on Twitter that it will be engaging with the Forum, so it could be looking at interoperability with the UK’s own transfer requirements.
Google’s cookies to crumble with ‘reject all’ plan
Google has announced that it will introduce a ‘reject all’ button on its cookie banners after its existing policy was found to be in violation of EU law. Stephen Bonner, ICO’s Executive Director of Regulatory Futures and Innovation commented that there is an expectation that the online advertising industry will follow Google’s lead to provide clearer choices for consumers. Mr Bonner also noted that “current approaches to obtaining cookie consent need further revision in order to provide a smoother and increasingly privacy-friendly browsing experience“, but this is an important first step.
Google has come under fire in recent years for its cookie banners. The French data protection authority CNIL previously fined Google €150 million because data protection laws require rejecting cookies to be “as easy as accepting them.” In light of these developments, businesses should review their cookie banners and ensure that users can reject cookies with ease.
New ICO guidance published on ransomware and data protection compliance
The ICO has published guidance on ransomware and data protection compliance (the “Guidance“), which includes a checklist that companies should review to ensure that adequate controls are in place to prevent and respond to ransomware attacks.
The Guidance also sets out eight scenarios designed to reflect the most common ransomware compliance issues. These are:
- Attacker sophistication: The ICO explains that it is common for attacks to be indiscriminate and not have a specific target. Companies are advised to use the NCSC Cyber Essentials to prevent these types of attacks.
- Personal data breach: Companies should consider whether a personal data breach has occurred either by way of hackers gaining access to personal data, loss of timely access to the personal data or a temporary loss of access to the personal data.
- Breach notification: If it is established that a personal data breach has occurred, the ICO must be notified without undue delay and no later than 72 hours after having become aware of it. A formal risk assessment must be undertaken to help businesses determine if the ICO should be notified of breach. This can be done using the ICO’s personal data breach assessment tool to help make such a determination.
- Law enforcement: The ICO recommends businesses to contact law enforcement if they have been subjected to a ransomware attack. There should only be a delay in notifying individuals of the data breach if this has been requested by law enforcement.
- Attacker tactics, techniques and procedures: Phishing, remote access, privileged account compromise and software vulnerabilities are identified as the most common methods attackers used to compromise data. Practical advice is offered to tackle each method of attack, including ensuring staff receive basic awareness training to identify a phishing attack and carrying out regular risk assessments of internal and external hardware for software vulnerabilities.
- Disaster recovery: All personal data must be backed up and backup strategies assessed for suitability in relation to the size of the business.
- Ransomware payment: Businesses are reminded that law enforcement and the ICO ‘do not encourage, endorse, nor condone the payment of ransom demands.’ A ransom payment is not considered an appropriate measure to restore the data in the event of a data breach.
- Testing and assessing security controls: Businesses should regularly test, assess and evaluate the effectiveness of the measures in place for safeguarding data. The guidance includes a 10-step checklist which should be followed in this regard.
Whilst the Guidance is not legally binding, the ICO considers that all UK businesses processing personal data are at risk of an attack and therefore reviewing the Guidance in full is encouraged.
FCA announces call for input on synthetic data to support financial services innovation
The FCA has published a call for input on the use of synthetic data within the financial services sector. Synthetic data is artificial data generated through the use of algorithms created by statistical modelling being applied to original data. The benefit of synthetic data is that whilst it accurately represents real data, specific individuals cannot be identified from the synthetic data meaning data protection laws do not apply. As a result, synthetic data is used across industries such as healthcare and medicine, logistics and automotive, and robotics.
In preparing this call for views, the FCA considered three main benefits for using synthetic data insofar as it:
- allows you to circumvent data privacy requirements which make collecting, sharing and accessing real data difficult;
- can be used to model realistic but potentially unlikely or uncommon scenarios where real data is limited or does not exist; and
- can be cost efficient as capturing and labelling real life data can take significantly more time.
The main limitation that the FCA associates with synthetic data is that the more such data mimics underlying real data, the greater the risk that under certain circumstances the data may be reverse engineered to reveal real-world information. This raises obvious privacy concerns. Additionally, where synthetic data is based on limited or biased real data, there is a risk that this bias will be replicated in the synthetic dataset. Finally, whilst the synthetic data itself may not be subject to data protection laws, the real data used to generate synthetic datasets must still comply with data protection laws.
The FCA is seeking views from market participants on the extent to which synthetic data is (i) being used by both regulated and unregulated firms; and (ii) can be used to expand data access and data sharing opportunities in the market. The FCA is also interested in learning about what the industry sees as the role of the regulator in the provision of synthetic data. For example, the FCA could help generate data, act as a central host or act as a co-ordinating body to facilitate data sharing.
Market participants are invited to share their views and experiences of synthetic data by 22 June 2022. For more information click here.
ICO publishes data protection guidance following relaxation of COVID-19 measures
The ICO has published guidance setting out the key considerations for organisations and their collection, use and processing of personal information now COVID-19 restrictions are relaxing across the UK. The key points for organisations to consider include:
- Reviewing emergency practices put in place in response to the pandemic to determine whether the collection of extra personal data in order to keep the workplace safe remains necessary.
- Organisations must have a specific use and compelling reason for collecting vaccination information; checking such information on a ‘just in case’ basis is unlikely to justify collecting it. The ICO also suggests that employment law, health and safety requirements and equalities and human rights law should be taken into account when considering whether to collect vaccination information.
- Naming individuals who have COVID-19 should be avoided wherever possible although the ICO notes that organisations are allowed to keep staff informed about potential or confirmed COVID-19 cases amongst colleagues.
Organisations should review the guidance and carry out a thorough analysis of current data processing practices to ensure that any personal data collected during or in relation to the pandemic is fully compliant with data protection laws.
Increase in maximum financial penalties for data breaches in Singapore
Amendments to the Personal Data Protection Act (PDPA) are to come into force in Singapore on 1 October 2022 and will mark a significant increase in the amount that companies can be fined for data breaches. Currently, the maximum a company can be fined for a data breach is S$1 million (just over GBP£576,000). This will be amended to make the maximum fine the higher of S$1 million or 10 per cent of local annual turnover for organisations whose turnover exceeds S$10 million.
The implementation of the new penalties had been delayed due to economic uncertainties caused by the pandemic, but Minister for Communications and Information Josephine Teo has said businesses now have sufficient lead time and “must continue to take ownership and be held accountable, especially those that hold sizeable volumes of data.”
Singapore has also introduced rules requiring organisations to report data breaches if it is likely to result in significant harm to affected individuals or likely to affect 500 or more individuals.
Government publishes findings from Cyber Security Breaches Survey 2022
The Department for Digital, Culture, Media & Sport (“DCMS“) has published its findings from the Cyber Security Breaches Survey 2022 (the “Survey“). The Survey explores the impact of data breaches and cyber-attacks and how well organisations are dealing with cyber security threats. The Survey will be used to help shape government policy on cyber security. The key findings were as follows:
- 39% of UK businesses identified a cyber-attack in the last 12 months, remaining consistent with previous years;
- 82% of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority;
- 54% of businesses have acted in the past 12 months to identify cyber security risks;
- only 13% of businesses assess the risks posed by their immediate suppliers; and
- only 19% of businesses have a formal incident response plan.
In light of these findings, the DCMS has noted that business have gaps in some fundamental areas of cyber security. Businesses are not giving enough focus to proactive cyber risk management and there is a lack of technical knowhow expertise at the senior level within larger organisations. This means that businesses are often taking a reactive approach, viewing cyber security as a retrospective cost rather than a forward-thinking investment to drive improvements. There is also a lack of awareness that supply chains pose an entry point for attackers which leaves businesses susceptible to data breaches and cyber-attacks. Businesses need to put cyber security at the top of their corporate agendas, appropriate safeguards need to be put in place and staff need to be given adequate cyber security training.
The risk of being victim to a cyber-attack has never been greater – businesses must do more and the Survey is a reminder of that. For more information click here.
Cybersecurity: Fail to prepare; prepare to fail
We have recently published a cybersecurity risks insight on our Data Protection hub in which we look at which industry sectors are particularly exposed, the regulatory landscape and the technical and practical ways that organisations can prepare for and plan their response to a cyber-attack. Please click here to read.
Bank of Ireland fined €463,000 for data breaches
The Data Protection Commission fined the Bank of Ireland (“BOI“) €463,000 (£367,000) for data breaches affecting more than 50,000 customers. These breaches arose from the corruption of the bank’s data feed to the Central Credit Register (“CCR“), a centralised system that collects and securely stores information about loans. This problem led to the unauthorised disclosure and accidental alteration of personal data on the CCR. The DPC found that 19 of the reported incidents constituted breaches of the GDPR, namely:
- Article 33 of the GDPR in 17 cases. In some incidents, Article 33(1) was infringed by BOI’s failure to report the personal data breach without undue delay and Article 33(3) was also infringed by BOI’s failure to provide sufficient detail to the DPC in respect of some of the data breaches ;
- Article 34 of the GDPR in 14 cases as a result of BOI’s failure to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms; and
- Article 32(1) of the GDPR as a result of BOI’s failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.
In addition to the fine, the DPC issued BOI with a reprimand and ordered it to bring its processing into compliance with GDPR.
ICO acts against companies making predatory marketing calls and sending thousands of spam text messages during the pandemic
The ICO has fined five companies totalling £405,000 who made unwanted marketing calls which targeted older, vulnerable, people to sell insurance products or services for white goods and other large household appliances, such as televisions, washing machines and fridges. John Edwards, UK Information Commissioner, said: “This is unacceptable and clearly exploitative. It is only right that we take tough and prompt action to punish those companies responsible using our full powers. Companies making similar nuisance calls and causing harm to people can expect a strong response from my office. I encourage anyone who is being pestered by other rogue operators, or knows a family member or friend who is, to report them to the ICO and we will step in to protect the public from these invasive calls.”
The ICO has also fined H&L Business Consulting Ltd £80,000 for sending 378,538 unsolicited text messages between January 2020 and July 2020, resulting in more than 300 complaints. The spam messages which offered recipients the opportunity to “Get Debt FREE during Lockdown” promoted a “government-backed” debt management scheme, were sent by the company which was not authorised by the Financial Conduct Authority to provide regulated financial products or services. Despite efforts by the company director to evade the ICO investigations since 2019, the ICO has said its investigators were “determined to bring this company to account for plaguing people’s lives with thousands of spam messages“.
High Court provides guidance on circumstances in which misuse of private information will not be sufficiently serious to be actionable
In Underwood and another v Bounty UK Ltd and another  EWHC 888 (QB) Nicklin J dismissed a claim for a breach of the Data Protection Act 1998 (DPA 1998) and misuse of private information by the Second Defendant, Hampshire Hospitals NHS Foundation Trust (the “Trust“).
The First Defendant (“Bounty“) described itself as being a pregnancy and parenting support club which carried out numerous services including providing information and marketed offers and services to parents and the provision of ‘Bounty Packs’ (sample packs for different stages of pregnancy and after birth) which it distributed to new parents. Bounty also operated a data broking service, providing hosted marketing on behalf of third parties which it supplied to third parties for marketing purposes until 2018. Bounty entered into a contract with the Trust which granted it access to new mothers in hospital and to lawfully collect contact details.
The Claimants brought the action on the grounds that in October 2017, a Bounty representative inappropriately accessed patient data sheets at the foot of the Claimant’s bed and unlawfully processed personal data concerning the new-born child and mother. The Claimants argued that the Trust was responsible for this misuse of private information and had failed to implement appropriate technical and organisational measures to prevent unauthorised processing of (or access to) the claimants’ personal data, in breach of the seventh data protection principle of the DPA 1998. The Claimants claimed exemplary damages.
In relation to the First Defendant, which went into administration in November 2020, judgment in default was obtained.
In relation to the Second Defendant, the High Court ruled that the acts of the Trust, in making available to Mrs Underwood, one of the Claimants, and Trust staff documents necessary for the care and treatment of Mrs Underwood by placing them at the foot of her bed, could not be regarded as having made those documents available to the Bounty representative. Nicklin J said “a functioning hospital cannot do its job without making available at least some limited data about patients … To avoid liability on this ground, all patient data would have to be strictly withheld“. The Court therefore found that the Trust was not liable for the unauthorised (and unlawful) acts of the Bounty representative.
The judge also dismissed the claim for misuse of private information on the basis that the information had been obtained without the Second Defendants’ consent or knowledge and the information was too trivial for the tort to be engaged. Specifically, Nicklin J said “To be actionable for misuse of personal information, the information misuse must reach a level of seriousness before the tort is engaged. Had the claim not failed for other reasons, it would have failed on this ground.”
Finally, in relation to the claim for exemplary damages, Nicklin J expressed the view that this should never have been brought against the Trust, commenting that:
“Claims for exemplary damages are wholly exceptional. The cases in which such damages can properly be claimed are very few; those in which they are awarded fewer still. It is never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant’s conduct, or as some sort of negotiating strategy.”
ECJ rules on validity of representative actions by consumer associations against Facebook
The European Court of Justice (“ECJ“) has said that consumer protection associations in the EU are allowed to bring representative actions against Meta Platforms Ireland Ltd. (formerly Facebook Ireland Ltd) (“Meta“), which is alleged to have violated rules governing the protection of personal data.
The case (C-319/20 Meta Platforms Ireland) was referred from the German Federal Court of Justice, which found in favour of the Claimant consumer organisation, the Federal Union of Consumer Organisations and Associations. The German Court found that Meta had breached the EU GDPR by failing to provide users with adequate and easily accessible information about how their personal data was processed in the context of online games. The German Court asked the ECJ to rule on whether consumer protection associations in the EU could bring representative actions in such circumstances.
The ECJ, in ruling that such actions could be brought by consumer protection associations, noted that these actions are to be opt-out, meaning that the consumer protection associations can sue on behalf of all of those with the same interest without having to name them as a Claimant, therefore removing the requirement of the associations to seek a mandate from those whose data was misused. Allowing associations to bring representative actions, in the ECJ’s view, “is consistent with the objective pursued by the GDPR …. In particular, ensuring a high level of protection of personal data“.
Specifically, the ECJ said “The EU General Data Protection Regulation does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data”.