Welcome to the December Global Data & Privacy Update. This update is dedicated to covering all the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news in breaches and industry developments for the month.
Safe Harbor confusion continues
EU bodies reach political agreement over Regulation
FCA launches consultation on cloud outsourcing guidance
Big data under scrutiny
ICO warns of the dangers of hidden data
Morrisons sued by staff over 2014 data breach
US Supreme Court hears arguments on harm arising from misuse of data
Safe Harbor confusion continues

In the weeks which have passed since the Court of Justice of the European Union (CJEU) sparked widespread uncertainty with its controversial decision to 'tear up' the Safe Harbor framework, we have seen a truly global reaction. Whilst national data protection regulators from across the world have warned local companies to review the legal basis for their data transfers, EU authorities have attempted to dispel fears of immediate and aggressive enforcement.
As a result, there is, unsurprisingly, little real clarity as yet on what to expect in the new, post-Safe Harbor world. The best hope for a positive resolution to the crisis, however, lies in the swift agreement of a Safe Harbor 2.0.
In what appears to have been an attempt to inject more urgency into the Commission's negotiations with the US on a new agreement, the Article 29 Working Party (WP29), the independent advisory body made up of representatives from all the EU data protection authorities (EU DPAs), announced in its statement on 16 October 2015 that if no appropriate solution is found by January 2016, the EU DPAs are committed to taking all necessary and appropriate actions, which may include coordinated enforcement action.
This was followed by a Communication from the Commission on 6 November 2015, which reiterated the Commission's commitment to reaching agreement with the US on a new framework which provides proper limitations and safeguards on access to personal data by the US authorities. The Commission discussed the alternatives available to undertakings wishing to transfer personal data to the US and confirmed that businesses could continue to transfer data by using derogations, contractual solutions such as model clauses or, in the case of intragroup transfers, binding corporate rules, whilst admitting that these mechanisms may nonetheless be subject to review by the relevant DPAs.
EU bodies reach political agreement over Regulation

With a little over two weeks left to meet the deadline to reach agreement over a General Data Protection Regulation for the EU, tripartite talks ended on 15 December with success. The EU Commission, Parliament and Council signed off on new rules that will replace the "patchwork" of regulations across 26 member states, including the Data Protection Act 1998 here in the UK. However, the text of these rules will not take shape until early in the New Year, after heads of government have added their signatures at meetings in January and a new Directive is drafted to deal with matters relating to policing and justice. The Regulation is then expected to be fully in force by 2018, following a two-year transition period. During this time, the Information Commissioner's Office has announced it is planning a series of blogs and training events to help explain how the new rules will work.
FCA launches consultation on cloud outsourcing guidance

The FCA has indicated in draft guidance that it will be taking a positive approach to regulating firms which outsource to the cloud or other third party IT services.
The detailed document highlights the potential risks involved in choosing cloud services over traditional outsourcing methods, but the FCA acknowledges that use of the cloud is likely to bring benefits to both consumers and firms, and states that there is "no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules".
The guidance provides welcome clarity to firms wishing to outsource to the cloud; in addition to providing an explanation of those services it would expect to be covered by the term 'cloud', it also advises firms to pay attention to a number of specific issues when considering outsourcing. These are set out in detail within the document and include general legal and regulatory considerations, data security and protection, business continuity, risk management and regulator access to data.
The proposed guidance is available to view here. The consultation will run until 12 February 2016.
Big data under scrutiny

Following an announcement earlier this year that it intended to conduct a study on the topic, the FCA has now issued a call for inputs on the use of big data by insurers in the retail general insurance market. The review aims to provide the regulator with a greater understanding of how big data is being used, how its use affects customer outcomes and competition in the market and how well the current regulatory framework deals with the issue.
The FCA's call for inputs is available to view here. Depending on the results, the call for inputs could be followed by a market study, adjustments to policy or the publication of further guidance. A feedback statement is expected by mid-2016.
Meanwhile, Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), has published an opinion on the challenges posed by big data, and called for a debate on the issue with regulators, industry and experts.
The EDPS recognised that data protection law needs to evolve with technology and allow innovation at the same time as continuing to protect fundamental rights. He emphasised that although the current data protection principles of transparency, proportionality and purpose limitation would remain key, they would need to be applied in a flexible, creative way, and be complemented by new principles, including accountability and privacy by design and by default.
ICO warns of the dangers of hidden data

Following the publication in October 2015 of its guidance on how to disclose information safely, in a recent blog post the ICO has drawn further attention to the risk of inadvertently disclosing personal data when dealing with information requests. The ICO provides examples of inappropriate methods of disclosure it has seen, as well as simple, practical advice on file format, metadata and redaction. More detailed technical information is available in the guidance.
Morrisons sued by staff over 2014 data breach

A group claim is being brought against the UK supermarket by more than 2,000 of its former and current employees following the publication online in March 2014 of bank account details, salaries and home addresses of more than 100,000 staff members by a fellow employee. The claimants allege that by failing to prevent the data leak, Morrisons is liable for breaches of confidence, privacy and data protection law.
The supermarket, which has already spent over GBP 2 million managing the fall-out from the data breach, has denied any responsibility for the "actions of a rogue individual". The data was leaked deliberately by a senior internal auditor seeking revenge after having been given a reprimand for using the Morrisons mail room to conduct eBay deals. He was jailed for eight years in July 2015.
US Supreme Court hears arguments on harm arising from misuse of data

Mr Thomas Robins sued Spokeo, a 'people search engine' which sells information on individuals gleaned from online sources, after discovering that the data broker was providing inaccurate details of his marital status, age, education and professional experience, in breach of the Fair Credit Reporting Act.
The case is proving controversial. Spokeo, which claims Mr Robins suffered no actual harm and therefore should not be allowed to sue, has been publicly backed by tech giants such as Google and Facebook, which are concerned about the floodgates being opened to a raft of expensive class action lawsuits brought on the grounds of technical legislative breaches. Consumer groups, liberal judges and even the Obama administration have, however, weighed in on the side of Mr Robins, claiming that the publication of false information about an individual is capable of resulting in real injury and highlighting how little recourse consumers otherwise have against companies which fail to safeguard their data.
The appeals court found that Mr Robins did not need to show any 'actual harm' to continue with his claim, and the case is now being considered by the Supreme Court. If judges there take the same stance, it is likely to become much easier for consumers to sue companies for strict breaches of consumer or data protection law. A decision on the case is not expected until mid-2016.