31 Aug 2016

Data Protection update - August 2016


Welcome to the August 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.

Coverage this month includes: the European Commission report on the E-Privacy Directive consultation, model clauses released by the Singapore regulator, and changes to WhatsApp's privacy policy.

In our cyber security section, we look at a data breach at Sage Group and the theft of millions of dollars' worth of bitcoins in Hong Kong.

We also provide our monthly overview of the latest actions taken by the ICO, including an undertaking from the Chief Constable of Kent Police.


European Commission reports on E-Privacy Directive consultation

As reported in our April bulletin, the European Commission (the "Commission") has been running a public consultation on the draft E-Privacy Directive. On 4 August 2016, the Commission published a summary report on the consultation, noting the following:

  • 83% of citizens and civil society respondents saw added value in special rules for the electronic communications sector to ensure confidentiality of electronic communications, although only 31% of respondents saw these rules as necessary. Among public authority respondents, almost all of them saw special rules on confidentiality as necessary.
  • 76% of citizens and civil society respondents are sceptical about whether the E-Privacy Directive had met its objectives, saying it fell short, with too narrow a scope, too much vagueness and weak levels of compliance and enforcement. Public bodies and industry respondents were both more positive in their feedback on this point.
  • There was widespread belief amongst citizens, civil society and public authority respondents that information service providers should not have the right to block access to their services if users opt out of cookies, although three quarters of industry respondents disagreed with this.
  • All groups of respondents generally agreed that member states should not have the ability to choose between a prior consent (opt-in) and a right to object (opt-out) regime for direct marketing calls. However, there was disagreement between industry and other groups on the issue, with industry groups favouring opt-out, and others favouring opt-in.

The full report will be published later in the year, once the Commission has had time to fully digest and analyse all of the feedback.

You can read the Commission's summary here.


Personal Data Protection Commission of Singapore releases model clauses

The Personal Data Protection Commission of Singapore ("PDPC") has issued guidance in the form of sample clauses for companies using contractors to handle customer data. In the UK, such contractors would normally be considered to be data processors under the Data Protection Act 1998. The PDPC states they would likely be considered as "data intermediaries" under Singapore's Personal Data Protection Act 2012 ("PDPA"), which is the equivalent of the data processor concept.

The sample clauses aim to:

  • Dovetail the definitions section of an agreement with the PDPA.
  • Ensure that contractors must comply with their obligations under the PDPA (and at their own cost).
  • Limit the circumstances under which contractors use or disclose customer data.
  • Ensure that customer data is not transferred out of Singapore without the customer's consent.
  • Oblige the contractor to put in place appropriate security measures to protect the customer data.
  • Limit access to the customer data to specific personnel and allow the customer access to their own data.

There are also further clauses on completeness of data, retention, notification and indemnity.

You can access the sample clauses here.


Changes to WhatsApp raise privacy concerns

In a blog post released on its website last week, WhatsApp announced an update to its privacy policy. This is the first update in four years and the first since the company was purchased by Facebook in a deal worth approximately US$19 million in 2014. The statement provoked much comment and analysis because of its references to increased data sharing between Facebook and WhatsApp and also its stated aim of exploring "ways for [the customer] to communicate with businesses". 

The blog post states that users could, in future, receive messages about flight delays or fraudulent bank transactions, of the kind that are currently received by text message. Although WhatsApp stresses that it would seek to avoid a spam-heavy experience, the move represents a departure from the current user experience. Some have argued that the reason users value WhatsApp is precisely because of the lack of business messages, which gives it an uncluttered feel.

Perhaps more significantly, concerns have also been raised about the statement that sharing data between WhatsApp and Facebook will help to improve the tailoring of adverts on the latter platform, which raises questions of exactly how much and what type of personal data will be shared. The blog post states that "by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them." The actual content of messages on WhatsApp is now covered by end-to-end encryption, which means that the keys to decrypt the messages are held by the users, not by WhatsApp. The FAQs provided with the blog post state that "nothing you share on WhatsApp, including your messages, photos, and account information, will be shared onto Facebook or any of the Facebook family of apps for others to see." However, the FAQs also give the example of "the last time you used our service" as a metric that could be shared with Facebook, so it remains to be seen what other data and metrics they intend to share.

The statement has been viewed by some as a betrayal of the company’s 2014 pledge not to change its privacy policy in light of the Facebook sale. The US-based privacy campaign group Electronic Privacy Information Center has threatened to take legal action, claiming that changing a company's data policies without getting the opt in consent of its users first is an "unfair and deceptive" trade practice (something which is forbidden under the Federal Trade Commission Act).

The Article 29 Working Party of European privacy regulators released a statement saying that national regulators across Europe would be following the changes with "great vigilance" and “what is at stake is the control of individual users over their own data when they are combined by major Internet players.”

In the United Kingdom, the Information Commissioner has released a statement saying that many people would be affected by the changes and “our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed". The statement went on to say that although companies do not require prior approval from the ICO in order to make such changes, the ICO would be looking into the matter to ensure that the companies were keeping within data protection laws.

You can read the WhatsApp press release here

You can read the Information Commissioner's statement here.


Police sued by former employee

It has emerged that Scotland Yard used powers that were designed to investigate criminals in order to obtain personal data on one of their own officers, Detective Constable Andrea Brown, who was on a leave of absence for depression. Although Ms Brown had breached protocol by failing to inform her line manager about a trip to visit family in Barbados, a fellow officer used unauthorised methods to find out about her movements.

Detective Inspector Sarah Rees applied to Virgin Atlantic to obtain five years' worth of Ms Brown's flight records, citing the Police Act 2007, an act which does not exist. She also managed to get information from the National Border Targeting Centre ("NBTC").

After resigning in 2013, Ms Brown sued both the Metropolitan Police and Greater Manchester Police (the force that helps operate the NBTC) for breach of data protection, human rights, and misuse of personal information. Ms Brown won her case at the Central London County Court and the Metropolitan Police have issued a statement saying they will not comment further until damages are awarded.

The case may raise concerns about the handling of personal data by police, as Ms Brown's lawyer stated that "the police officers involved in the case didn't appear to have any appreciation or understanding of the laws that regulate their conduct in this area, and didn't acknowledge that they had done anything wrong."


Cyber Security

Sage software company hit by data breach

On Friday 12 August, the FTSE100 listed Sage Group notified between 200 and 300 of its business customers that there had been a data breach including the possible leak of employee bank account details and salary information. It has not yet been made clear whether the data was stolen or only viewed.

Sage said: "We are investigating unauthorised access to customer information using an internal login. We cannot comment further whilst we work with the authorities to investigate — our customers remain our first priority and we are speaking directly with those affected.”

An employee of the company has since been arrested by the City of London Police on suspicion of conspiracy to defraud. Although cyber attacks from external hackers are always a danger for companies, it is often internal threats from employees, who have privileged access to information, that remain some of the most difficult risks for companies to guard against.

The ICO is aware of the matter and is investigating, saying in a statement that: “the law requires organisations to have appropriate measures in place to keep people’s personal data secure… where there’s a suggestion that hasn’t happened, the ICO can investigate and enforce if necessary.”

Huge Bitcoin theft on Hong Kong exchange

Bitfinex is a Hong Kong based Bitcoin exchange platform. On 2 August 2016, it announced the theft of nearly 120,000 bitcoins, with a market value of between US$60-70 million. The exchange suspended deposits and trading in the aftermath of the attack, although it has now regained most of its lost trading volume, to regain its position as one of the largest USD-denominated Bitcoin trading platforms in the world.

Although the size of the theft is dwarfed by the attack on the Tokyo based Mt Gox platform in 2014 (which involved the theft of around US$450 million worth of bitcoins), it represents the latest in a series of attacks that raise concerns about the security of a currency that has existed for less than eight years (the open-source software was released in 2009).

There are increasing suggestions that regulators need to address Bitcoin and the levels of security it offers, although this is challenging as the decentralised nature of Bitcoin means that there is no central authority or rules to govern it. Because of the anonymity associated with Bitcoin, it is more difficult to pursue civil court remedies in the event of a fraud or a hack; and there are also issues with preventing the use of Bitcoin for money laundering purposes. It is likely that regulation will continue to develop in the wake of breaches and other incidents involving Bitcoin (as happened in Japan after the Mt Gox incident), but it is hoped that regulators will begin to take a more pro-active approach.

One approach, which has been touted by Mike Belsche, the CEO of BitGo (a technology provider for Bitcoin) as a solution to some of the issues raised by this latest hack, is the creation of a Crypto Currency Security Standard, to establish a set of standard principles to ensure the security of Bitcoin (as well as other Crypto Currencies). This has been under development with input from Deloitte, PwC and BitGo. Mr Belsche warned that customer confidence in Bitcoin would drop dangerously if more was not done to secure Bitcoin and keep pace ahead of the hackers.


ICO enforcement 

Kent Police

The Chief Constable of Kent Police has given an undertaking to comply with the Data Protection Act in response to a leak of a CD containing an individual's mobile phone data.

Specifically, the Chief Constable has undertaken to: develop a written procedure for obtaining informed consent for the extraction of information from mobile phones; to create a fair processing notice for victims and witnesses to sign; and to extract the minimum data necessary when investigating crimes.

A copy of the undertaking can be found here.


Hampshire County Council

Hampshire County Council has been fined £100,000 for failing to take appropriate organisational measures against unauthorised processing of personal data.

The Council had vacated a building that used to house Adults and Children's services. In the two years following their departure various individuals had access to the building, including the agent responsible for selling the building and prospective buyers.

The Council was informed in September 2014 that files had been found at the site that contained confidential information and sensitive personal data relating to more than 100 data subjects. There was no written procedure to determine who was ultimately responsible for making sure that the building was properly vacated. This represented a failure in organisational measures, which allowed unauthorised access to the sensitive personal data.

A copy of the monetary penalty notice can be found here.


Whitehead Nursing Home

Whitehead Nursing Home Limited has been fined £15,000, as with Hampshire County Council, for failure to take appropriate organisational measures against unauthorised processing of personal data.

In this case, a member of staff was issued with an unencrypted laptop, which she took home with her from work. One night, her house was burgled and the laptop was stolen. The laptop contained sensitive personal data relating to 29 residents, including information about their mental and physical health.

The ICO found that the nursing home did not have policies to govern use of encryption and storage of mobile devices, nor did they offer training in data security.

A copy of the monetary penalty notice can be found here.



Jonathan Kirsop

Jonathan Kirsop

T:  +44 20 7809 2121 M:  +44 7554 403 022 Email Jonathan | Vcard Office:  London

Alison Kenney

Alison Kenney

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London