May 16, 2019

Global Data & Privacy Update - April 2019

Welcome to the April Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Written by Mark Williamson, Isabel Ost and Charlotte Gatland

Fine for failing to provide an information notice – disproportionate effort exemption deemed misapplied

The Polish supervisory authority for data protection has fined a controller in Poland over €230,000 for failing to provide its privacy notice to data subjects, after incorrectly relying on the disproportionate effort exemption. The controller collected publicly available information for commercial purposes, from registers and public databases, concerning persons operating businesses including sole traders and now inactive businesses. The default position, under Article 14 of the GDPR, is that a controller must provide to data subjects certain information about the use and handling of their data - a privacy notice.

The company amassed over 6 million individuals' data but only sent an information notice to those for whom it held an email address, which represented a relatively small part of their database. The company held an address or telephone number for the remaining data subjects, however, relied on the disproportionate effort exemption for not providing an information notice (under Article 14(5)). It did this on the premise that sending the information by registered post would have involved a disproportionate cost. The company argued the cost was disproportionate as the postage costs, without administrative costs, represented the turnover of the business for the previous year. It had displayed a privacy notice on its website.

The Polish authority was not persuaded by the application of their argument and considered the company to have breached its data protection obligations, issuing a fine and ordering the company to comply within 3 months. The authority flagged that registered post was not necessary and cheaper forms of post could have been considered. The authority, in calculating the fine, took into account the number of data subjects affected and that data subjects may have been deprived of their rights due to not being informed, by way of a privacy notice, of how their personal data was being used, which is against the fundamental concept of transparency. It viewed negatively the fact that the decision was primarily financially driven, particularly given that the personal data is necessary for the company's long term commercial activities. The authority noted that business models need to be compliant and costs of doing so should be factored in.   

Click here to read the regulator's decision (available in Polish only).

EDPB guidelines on processing personal data for contractual purposes

The European Data Protection Board (EDPB) has published draft guidance on processing personal data under the lawful basis of contractual purposes, under Article 6(1)(b) of the GDPR, in the context of online services.

The EDPB underlines that, to rely on this legal basis, the personal data being used must be objectively necessary for the performance of a contract with the data subject or for entering into a contract at the data subject's request and there must be no less obtrusive means of achieving this. If it is not necessary for the contract purpose requested, including being necessary only for a company's other business purpose ancillary to the service or good requested, another legal basis must be used. The EDPB notes that there can sometimes be confusion when entering into a contract that the legal basis being relied upon is consent as opposed to contractual purposes for example and that controllers, in line with their transparency obligations, must be clear. 

The guidelines discuss, with examples, the concept of necessity of processing, what processing in the performance of a contract means, artificially bundling other services in to the contract and the consequence of termination.

The EDPB has drawn a narrow interpretation of this legal basis and companies may need to review their reliance on this exemption. 

The draft guidelines have been released for public consultation and are open for comment until 24 May 2019. 

Click here to read the guidance.

Regulating in a Digital World – House of Lords Report

The House of Lords Select Committee on Communications has published a report recommending a new Digital Authority manage and oversee regulation in the digital sphere. Currently, there are 13 regulators that touch on different aspects of this space, including the Information Commissioner's Office, however no single authority has oversight. The report advocates a principle based approach to shaping reform, due to the pace of developmental change in this area where specific rules could become quickly outdated. The report proposes 10 principles to support changes in this area, which include accountability, privacy and transparency.

The report notes the advances of recent legislative changes in strengthening data protection but highlights that in the digital world there are still improvements that should be made, including more extensive data portability rights, transparency and access.

Click here to read the House of Lords Report, HL Paper 299, on Regulating in a Digital World.

GPEN 2018 Report on Privacy Accountability

The Global Privacy Enforcement Network (GPEN) has released their annual report, this year addressing the implementation of data protection concepts within organisations, from the angle of accountability. This study was carried out in conjunction with 18 national data protection supervisory authorities who received responses from over 300 organisations. 

The report demonstrates that organisations still have a way to go with appropriately providing privacy notices, with 45% of organisations failing to maintain an appropriate notice which is easily accessible. It was flagged that some privacy notices did not clearly state whether the organisation has a data protection officer and or failed to provide contact information, which shows issues with transparency and accountability. 

Over half of responding organisations indicated that they have measures and processes in place to manage a data security breach, with 88% of organisations maintaining data security incident records. However, just under half stated that these records are not always current. The report highlights that companies do not regularly assess performance against standards, for example internal audits or self-assessments of different aspects of privacy, with only 36% of organisations managing compliance in this way.

The report demonstrates that there is still progress to be made to ensure that data protection concepts are complied with and embedded into an organisation.

Click here to read the full GPEN report.

Opinion on requirements for setting cookies

Advocate General Szpunar has provided an opinion on obtaining valid consent for deploying cookies. The case relates to individuals being presented with tick box statements when signing up to participate in an online lottery, one of which was a pre-ticked box agreeing to cookies being deployed. In order to deploy cookies, under the Privacy and Electronic Communications Regulations 2003 (PECR), consent must be obtained from the user and the definition of consent is tied to the meaning provided in the GDPR.

It was argued by the company that consent to deploy cookies was demonstrated from the user clicking to participate in the lottery, after having completed the sign-up form which included the pre-ticked statement on cookies. Szpunar did not consider valid consent was obtained as it was not actively given, due to the pre-ticked box, and importantly had not been separately obtained. Consent had been bundled with agreeing to participate in the lottery (a different activity), meaning that it was not separately provided. It was noted that obtaining consent for deploying cookies appeared to have been a secondary consideration to agreeing to participate in the lottery. Subscribers were not clearly informed that agreeing to cookies was not a pre-requisite for participation, as was the case with third party marketing communications, however it may have appeared so.  

The Advocate General noted further details to be provided to users about cookies, in order to comply with the information requirements under PECR. The information should allow a user to "easily determine the consequences" and impact of agreeing. Information on the lifespan of cookies needs to be stated along with which third parties are given access to cookies or have set cookies.

The other tick box presented to users related to third party advertising communications and this was a requirement to be able to participate in the lottery. While this was not an issue referred for consideration to the European Court of Justice, Szpunar, interestingly, did not deem the requirement - to agree to third party marketing in order to participate in the lottery - as being incompatible with obtaining valid consent. Whilst stating concerns with consent not being separate and bundled, he noted the referring court may consider that the marketing requirement is necessary to participate because of the lottery being set up on the basis of the data being sold.

This opinion serves as a reminder that consent for cookies must be affirmatively given (and not obtained via pre-ticked boxes), informed and separate, in line with the definition under the GDPR. Please note that Advocate General opinions are not binding on the Judges of the European Court of Justice and the judgment from the Court of Justice has not yet been released.

Click here to read Advocate General Szpunar's opinion on Case C-673/17 (Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.).

ICO fines for failing to treat personal data fairly and lawfully

The Information Commissioner's Office (ICO) issued a fine of £400,000 to Bounty (UK) Limited (Bounty) for failing to process personal data fairly and lawfully, in breach of the first data protection principle of the Data Protection Act 1998. Bounty was a pregnancy and parenting support group but also operated as a data brokerage company. It disclosed the personal data of over 14 million members, multiple times over a number of months, to several organisations including credit reference, marketing and profiling agencies without appropriately notifying members of this activity or having a lawful basis to do so. The ICO also considered the activities would have caused substantial damage or distress. It noted, given the number of individuals affected, that the substantial damage or distress threshold could be met on a cumulative basis rather than at an individual level.

Members were not considered to have been provided with sufficient information about how their data would be used, in breach of the first data protection principle. Bounty's privacy notice stated that data would be shared for marketing purposes but only described generic categories of companies along with links to some specific companies. Bounty, however, failed to name four of the largest recipients of data – Sky, Indicia, Equifax and Acxiom – or that such organisations would be recipients. Bounty also signed up members in a number of non-digital ways, including at hospitals, which represented 69% of its database. These members were not provided with a privacy notice at the point of registration; however, where an email address was collected, the company sent one shortly afterwards. The ICO did not consider this sufficient as such information must be provided at the point of collecting data and so a privacy notice provided, even a short while, later by email was deemed non-compliant.

The ICO also found Bounty failed to fairly process individual's information, in breach of the first data protection principle. Its members, signing up to a parenting group, would not have reasonably expected their personal data to have been disclosed to organisations, such as credit reference agencies, without their notice. The Regulator did not consider there was a sufficient justification to mean that the data was fairly used.

In order to lawfully disclose member's data, Bounty relied upon consent collected from data subjects during the registration process. The ICO did not consider consent to have been validly obtained as it was not specific or informed. Data subjects were not informed that the recipients of their personal data, for marketing purposes, would include companies such as credit reference agencies and did not specifically name the four organisations, as noted above. At the point of registration for membership via non-digital routes, consent was also not freely given as data subjects had to permit their data to be disclosed for marketing purposes in order to register because the form did not treat the issues separately. Whilst Bounty did not rely on the lawful basis of legitimate interests, the Commissioner noted the legitimate interests test would not have been met given the failure to inform data subjects that their personal data may be disclosed in such a manner.

Click here to read the monetary penalty notice.

ICO issues fine for unsolicited marketing emails

The Information Commissioner's Office has fined Grove Pension Solutions Limited  (Grove) £40,000 for sending nearly two million marketing emails without consent, in breach of PECR. Grove's mailing list was built by obtaining contact details of individuals who had signed up to a number of other third party websites; however, those sites did not name Grove (in the sign-up wording, terms or privacy policies) as a recipient of the individual's data who may send marketing.

Those websites listed the recipients of the individual's data, who may send marketing, only in terms of a wide set of different sectors. The ICO does not consider the use of generic wording such as "partners" or "selected third parties" as being sufficient to validly obtain informed consent. Consent must be freely given, specific and informed. The ICO found that Grove had not validly obtained consent to send the direct marketing, in breach of PECR.

The ICO noted that working through the customer journey would have shown that consent had not been validly obtained. On issuing the fine, the ICO took into account that Grove had consulted with a recognised data protection consultancy regarding the marketing campaign, which demonstrated a pro-active approach to data protection and an awareness of its obligations.  

Click here to read the monetary penalty notice.