July 24, 2019

Global Data & Privacy Update - June 2019

Welcome to the June Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Written by Mark Williamson, Isabel Ost and Charlotte Gatland

Welcome to the June Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Danish Data Protection Authority to fine failure to delete data

The Danish Data Protection Authority intends to fine a Danish furniture company, DKK 1.5 million, for failing to delete 385,000 customers' records. The supervisory authority, on inspecting the company's systems and procedures, found a number of areas which were not compliant with the obligations relating to deletion of data under the GDPR.

  • The company, in relation to a legacy customer sales system, had continued to hold personal data of customers that should have been deleted because they were no longer necessary in breach of the storage limitation principle, Article 5(1)(e) of the GDPR, which states that personal data must not be stored for longer than necessary. The supervisory authority calculated that 385,000 persons' data should have been deleted from this system, at the point of inspection, following consideration of domestic legal obligations for records to be retained.

  • In relation to the same legacy system, the company had also failed to establish and document deadlines to delete the data. Therefore, the Danish authority found the company had also failed to comply with the principle of accountability under Article 5(2) of the GDPR.

  • The inspection also uncovered that, in relation to a newer customer sales system, the company had not implemented the deletion procedures it had established for that system and so data had not been appropriately deleted, in breach of the storage limitation principle.

  • Finally, whilst the company did have procedures in place for erasing data from its HR systems and was actively following those procedures, the Danish authority found that the company had not documented those deletion procedures, in breach of the accountability principle.

This decision serves as a reminder that it is not enough to have in place a data deletion policy, it needs to be implemented and compliance audited.

Click here to read the full press release (available in Danish only).

EE fined for sending unsolicited marketing messages

The Information Commissioner's Office (ICO) has fined EE £100,000 for sending marketing messages to over 2.5 million customers without consent, in breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR). PECR only permits electronic marketing messages to be sent where consumers have consented to receiving the messages or the "soft opt-in" applies. EE contacted customers about upgrading their phone and the EE mobile app in one message, and sent a second text message to individuals if they had not engaged with the EE app after the first message.

There were two strands to the text messages: (i) to inform customers about upgrading their mobile phone, meaning that they would sign a new contract with EE; and (ii) to inform customers about using the EE mobile app. The first more obviously falls into the category of marketing, and the ICO restated its guidance that makes it clear that a message is considered marketing if it promotes new products, including renewing contracts that are otherwise due to end - e.g phone contracts. The second point, at first blush, may not appear to be marketing. In this case, however, the ICO decided that EE's promotion of its app was marketing. Their reasoning for this determination is that the app, in addition to providing an individual with the ability to manage their account (e.g review billing information), also allows customers to buy items, increase their data and shows a countdown to being able to upgrade. This finding was considered by the ICO to be bolstered by EE sending a further message to persons who did not engage with the initial message about the app. This decision reinforces the fact that a communication does not have to be wholly about marketing to classify as a marketing message.

EE were aware that the messages were being sent to individuals who, according to their records, had opted out of receiving marketing messages. However, the company did not view the messages as marketing, but as service communications, and therefore outside the scope of PECR. The ICO expressly noted that being ignorant of infringing PECR did not prevent a contravention being deemed deliberate.

Click here to read the monetary penalty notice.

Interesting findings in ICO Report on Real Time Bidding

The ICO has published a report highlighting major data protection concerns with the operation, in the advertising industry, of real time bidding (online advertising space sold to bidders almost instantaneously). Real time bidding (RTB) is a complex marketplace whereby data about users is shared, in real time, in order for marketplace participants to be informed about viewers of the advertising space so that they can bid to place an ad there. The information given to bidders includes personal data collected from cookies; which means that market participants need to comply with PECR in relation to the use of the cookies and the GDPR for processing the personal data obtained from those cookies. The report draws a number of conclusions criticising the RTB ecosystem, including that data is being used without a lawful basis and that appropriate consent to deploy cookies under PECR has not been obtained.  

The ICO has flagged that there is an incorrect reliance in the market on legitimate interests as the lawful basis for processing personal data. The ICO's view is that, for the normal activities involved with RTB's use of personal data collected from cookies, consent is the only appropriate lawful basis under the GDPR and consent is nevertheless also a prerequisite under PECR for the associated cookies to be placed. The report highlights issues with transparency relating to the information individuals are provided with about how their data is used, particularly the lack of clarity over who receives their data and what the user agreed to - this is a problem for those receiving parties intending to rely on consent to lawfully use the data. The report also points out a lack of accountability, control and supervision applied by market participants over the flows and sharing of data in the supply chain.

The ICO report also made some interesting observations about the scope of special categories of personal data. RTB involves the use of labelling webpages, visited by users browsing the internet, into particular fields in accordance with an industry taxonomy, which may relate to religion, health, ethnicity and politics. The labels form part of the bid request information supplied to participants placing ads. These tags are used for different purposes, including to describe online content in order to prevent ads going to the wrong website or to target certain users with ads. Under the GDPR, special categories of personal data means information that reveals certain characteristics such as health, religion, ethnicity, sexual orientation and political views. Where the tags are in relation to one of those specific characteristics, the ICO's view is that those labels are special categories of personal data. Whilst a person that visits a webpage about diabetes may not be a diabetic, the ICO considers that the label then attached to the person visiting such a website, being used either directly or by inference by the RTB industry, equates to the processing of special categories of personal data. Effectively, it seems the ICO has formed the view that as the market uses the label to add to an individual's profile and take consequential actions from this, that special categories of personal data are being processed. This report may have a wider impact on businesses processing data in such a way and require organisations to reflect on how information is being used.  

Click here to read the report.

European Court of Human Rights Decision on the use of private messages in a dismissal

The European Court of Human Rights (Court) decided that an organisation had not, from using private messages in a dismissal process, breached the right to a private life and correspondence because on the facts the individual was considered to have had a reasonable expectation of their use.

Case Background                                                                                                                      

An individual was fired by an NHS Trust for gross misconduct, relating to harassment allegations. The harassment allegations primarily concerned communications sent, from fake accounts, about an alleged improper workplace relationship. Shortly before that workplace relationship began, the dismissed individual had been in a relationship with one of the pair. The police investigated harassment complaints but did not press charges. It did notify the employer of their investigations and supplied evidence to the Trust which included photos from the individual's phone and a list of the fake email addresses, that had been used to send some of the anonymous harassing messages, found on a piece of paper (Police Evidence). After an internal investigation, the Trust held a disciplinary hearing where the individual voluntarily supplied further personal communications, including WhatsApp messages. The organisation in their dismissal decision referenced, amongst other materials, those private communications and the Police Evidence.

The individual claimed the NHS Trust breached Article 8 of the European Convention of Human Rights (Convention) - right to a private life and correspondence - and Section 6 of the Human Rights Act 1998 - a public authority must abide by the Convention - due to the decision to dismiss involving private materials, being the Police Evidence and personal messages.

Court Decision                                                                                                                           

The Court noted Article 8 of the Convention (right to a private life and correspondence) is not automatically inapplicable where an email contains professional as well as personal content or where the email has been sent from a work email account. In agreement with the Employment Appeal Tribunal, the Court concluded the individual did not have a reasonable expectation of privacy over the evidence relied upon by the Trust, taking into account that the individual:

  • knew for nearly a year that concerns had been raised to the Trust about his behaviour amounting to harassment and his manager had previously notified him that a particular email was inappropriate;

  • had "sufficient prior notice" of the harassment allegations made against him;

  • could not have expected communications sent after a relationship had ended which were relevant to the harassment allegations being made by one of those persons to remain private;

  • did not challenge the use of the Police Evidence or the personal communications during the disciplinary proceedings and the individual had provided further communications which included intimate content; and

  • the facts of his claim are different and distinguished from the applicant in Băbulescu v Romania (see our previous article) – where the individual had not been made aware of the extent and type of monitoring activities carried out by his employer. The Court did restate, a point from that case, that while a reasonable expectation of privacy is a significant factor, it is not always conclusive.

Click here to read the decision.

GDPR – One Year On

The ICO and the European Commission have released reports marking the one year anniversary of the GDPR being in force. Both reports show an increase in public awareness of the legislation. Over 60% of data protection officers surveyed by the ICO agreed that there had been an increase in individuals exercising their data protection rights since the implementation of the GDPR. The European Commission found 73% of 27,000 persons surveyed were aware of at least one data subject right. The ICO received over 41,000 data protection concerns from individuals, with the most common complaint relating to subject access requests – representing 38% of those complaints. This correlates with the European Commission's report that this right is the most commonly known, but in their report they found the most commonly exercised right to be objecting to direct marketing, followed by subject access requests and then the right to erasure.

Between the implementation of the GDPR and May 2019, the ICO received around 14,000 reports of personal data breaches, compared to 3,300 the previous year. Out of those reports, only 17.5% resulted in an organisation needing to take action and less than 0.5% in a fine or an improvement plan. The health sector was the area that had the most reported breaches - around 16%.

The ICO report noted some of its future plans to include:

  • providing further assistance to SMEs, by establishing a "one-stop shop" of support;

  • releasing statutory codes on data sharing, direct marketing (anticipated to be finalised by November), age-appropriate design (currently released in draft form) and journalism; and

  • developing a draft code of practice for organisations involved in political campaigning, to be released for consultation in July.

Click here to read the ICO's report and here to read the European Commission's report.

Government Response to Report on Regulating the Digital World

The Government has responded to the House of Lord's Report on Regulating the Digital World, which set out recommendations for managing the digital sphere. Two key points from the Report were, one, developing online reform in accordance with 10 principles and, two, creating a new regulator to oversee and manage the digital world, as no one regulator currently has responsibility for this. The Government considered that the Report's 10 principles were closely comparable with the principles set out in the Government's Digital Charter. The Digital Charter is the Government's approach to overseeing the digital world, from the perspective of both user protection and business growth. The Government did not respond definitively to the recommendation for a new regulator, pointing to its programme of work under the Digital Charter and stating this will be taken into consideration.

The Government's response to a number of points raised in the Report about the regulation of algorithms and artificial intelligence was to point to the recently created Centre for Data Ethics and Innovation as well as, where relevant, the ICO. Further to the recent Government White Paper on Online Harms, the paper notes the intention to create a new statutory duty of care requiring organisations to take on more responsibility for the safety of their users and managing harmful content on their services.

Click here to read the Government's Response to the House of Lord's Report and here to read the Government's Digital Charter.

DCMS call for evidence to support National Data Strategy

DCMS has requested information on three key themes to support the Government's development of a National Data Strategy. The National Data Strategy, announced last year, aims to assist in making the UK a "world leading data economy".

DCMS are requesting evidence based around three themes – people, economy and government. This will inform the National Data Strategy being developed and a full consultation on the draft strategy is planned for later this year. The theme of people includes questions around trust and the use of (personal) data, including the impact of data protection legislation. The theme of economy looks to understand the operation of organisations in a data-driven economy and how data can be capitalised on by a business.   

Click here to read the announcement.