Coverage this month includes: the adoption of the European General Data Protection Regulation ("GDPR"); a useful ruling from the High Court on Subject Access Requests and the interpretation of the crime exemption; the Article 29 Working Party's opinion on the proposed EU-US Privacy Shield; and guidance from the Information Commissioner's Office ("ICO") on direct marketing communications.
In our cyber security section, we look at an ICO study into the security risks of mobile apps and an example of an app that suffered a recent security breach. Finally, we provide our monthly overview of the latest actions taken by the ICO, including a fine against the police.
As you may have seen from our alert this month, following a vote on Thursday 14 April 2016, at a plenary session of the European Parliament, the final text of the General Data Protection Regulation ("GDPR") was formally adopted by the European Parliament. This is the final stage in the legislative process and starts the timetable towards full implementation in 2018.
Click here to view the alert.
As reported in previous bulletins (which can be read here and here), the European Commission and US authorities have developed a proposed "EU-US Privacy Shield" ("Privacy Shield") agreement to replace the previous "Safe Harbor" framework which provided an exemption to restrictions on the transfer of data between the EU and US but was declared invalid in a ruling of the Court of Justice of the European Union in October 2015 (you can read the judgment here).
This proposed agreement has now been reviewed by the Article 29 Working Party ("Working Party"), the pan-European body comprised of representatives of each EU member state's data protection regulator. The Working Party's opinion, published this month, raises some concerns that the agreement is not in keeping with the key data protection principles of European law. It therefore recommends that the agreement be amended in certain key areas.
In particular, the Working Party argues that derogations for national security purposes would leave individuals exposed to "massive and indiscriminate" collection of personal data. Although the Working Party is in favour of establishing an Ombudsman to help address this, it questions whether the new institution would be independent and well equipped enough to provide a satisfactory remedy.
It also believes that amendments are necessary, to "ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU". It notes that Privacy Shield will also be used to transfer data outside of the US and that more needs to be done to ensure that this process does not "circumvent EU data protection principles."
Although the Working Party's opinion is only guidance and does not have the force of law, it is indicative of how national data protection regulators will interpret and enforce the proposed agreement. It is unclear at the moment whether the Commission and US authorities will consider amending the agreement to recognise the concerns raised. Even if they do not, businesses should note that national regulators will still have the power to investigate data transfers between the EU and US, regardless of whether the procedures under Privacy Shield are considered as adequate protection by the Commission.
The Working Party's opinion, dated 13 April 2016, can be found here.
The definition of direct marketing and the exact rules which govern it are important issues for many organisations. As readers of this bulletin will know, the UK ICO has not been afraid in the past to hand out large fines for breaches of the Privacy and Electronic Communications Regulations ("PECR") and the data protection principles.
The ICO has published a welcome update to the guidance, which, as well as providing further help in identifying the key characteristics of direct marketing communications, sets out clearly the rules in relation to opt-outs, marketing lists and business-to-business communications. The updated guidance provides more detailed advice for charities, including specific examples and scenarios. It also gives more direction in relation to third party consent and the concept of "freely given" consent.
The guidance focuses in particular on the rules for text messages and marketing calls, coming not long after the ICO issued its largest ever fine against Prodial Ltd, a lead generation firm responsible for over 46 million automated nuisance calls. Over 1,000 people complained to the ICO about the automated calls, which played recorded messages relating to PPI claims, resulting in a fine of £350,000 for a serious breach of PECR (read our update on this here).
The guidance has been issued one year after a change in the law was introduced on 6 April 2015 to make it easier for the ICO to issue significant fines against companies making nuisance calls, texts and emails. PECR was amended so that, when imposing fines, the ICO would no longer have to consider whether breaches caused substantial damage or distress, just that there was a serious breach of the relevant part of PECR. Since April 2015 the ICO has issued fines totalling over £2 million.
A copy of the new guidance can be found here.
Under section 7 of the Data Protection Act 1998 ("DPA") data subjects have the right to make a Subject Access Request ("SAR") for disclosure of personal data held by data controllers.
Data controllers may refuse to hand over the relevant data if it falls within the section 29 exemption for processing relating to the prevention or detection of crime (s. 29, DPA). In the recent case of Guriev and Gurieva v Community Safety Development EWHC 643 (QB), the High Court provided some useful guidance on when the exemption would apply.
- The judgment emphasised that the exemption would only apply if both of the following heads were satisfied, namely: (i) the personal data in question was processed for the purpose of the prevention or detection of crime; the apprehension or prosecution of offenders; or the assessment or collection of tax; and (ii) complying with the SAR would be prejudicial to that purpose.
- Anyone relying on the exemption needs to show a "very significant and weighty" chance of prejudice to the particular public interest. The court recognised that applying the exemption would be an interference with the data subject's rights and to do so it must be strictly necessary and proportionate.
- There should be a "selective and targeted approach" to any non-disclosure of documents. In this case the court ruled that the defendant had not made any attempt to carry out a detailed review of the documents, but had instead applied a blanket approach, which was not acceptable.
- Instead, the person relying on the exception must carry out a "proper evidence-based evaluation" and demonstrate "in detail" why complying with the SAR would be likely to cause prejudice.
For data controllers, the case shows that it is important to think carefully about why specific data is not being disclosed, to be prepared to disclose at least some documents, and to be ready to give detailed reasons for any documents withheld.
Read the case here.
This month, the European Commission began a public consultation process on proposed revisions to the e-Privacy Directive, which will run until 5 July 2016. The e-Privacy Directive provides rules for the management of customer data by electronic communications service providers.
The Commission published a study in June 2015 into the current effectiveness of, and possible revisions to, the e-Privacy Directive, in particular its compatibility with the incoming Data Protection Regulation. Legislative proposals are anticipated towards the end of the calendar year. We will provide further updates on this in due course.
For more information, please click here.
ICO identifies "room for improvement" in mobile app security
Although the results of the ICO's study were generally not too worrying, they did reveal a couple of key issues.
- Two of the apps had login systems that used unencrypted connections, meaning usernames and passwords were sent in a form that a third party could read. An attacker on the same wifi hotspot as the user might be in a position to capture this information.
- Three of the apps accepted fake certificates, which allowed the ICO to access information that should have been protected by a secure connection.
Reassuringly, the ICO has written to the app developers where appropriate and highlighted these concerns. However, the study is a welcome reminder to both consumers and developers of the potential security risks created by our increasing use of mobile apps.
Mobile app "Beautiful People" suffers data leak
Beautiful People is a dating app reserved exclusively for those considered attractive enough by its user base. A few years ago the app suffered an apparent hack (dubbed "Shrek") that allowed people with "lower attractiveness" ratings to join.
However, this latest security breach is arguably more serious as it relates to a reported leak of personal data, including sexual preferences and correspondence.
Health and Social Care Information Centre ("HSCIC")
Following concerns about the way HSCIC was sharing patient data, HSCIC has given a formal undertaking to comply with the data protection principles under the Data Protection Act in its position as a data controller. The issue related to HSCIC failing to properly implement procedures for patients to opt out of their personal information being shared.
A copy of the undertaking can be found here.
Chief Constable of Kent Police
The Commissioner found that Kent Police had allowed personal information to be passed to the suspect in a domestic abuse claim. The accused was a member of the police force, and the data had been taken from the mobile phone of the alleged victim as part of the investigation. The information from the phone contained a large amount of personal data and was held on a CD. Due to what the ICO decided were "inappropriate security measures", the CD was accidentally sent to the suspect's solicitor, who in turn passed it to the suspect. As a result of this breach, Kent Police was fined £80,000.
A copy of the monetary penalty notice can be found here.