30 Aug 2017

Data Protection update - August 2017


Welcome to the August 2017 edition of our Data Protection update, our monthly bulletin on key developments in data protection law. As always, please do let us know if you have any feedback or suggestions for future editions.

Data protection

Cybersecurity

ICO enforcement

Data protection

UK Government has published the Data Protection Bill statement of intent

On 7 August 2017, the UK government's Department for Digital, Culture, Media and Sport released its statement of intent outlining proposals for a new Data Protection Bill (the DP Bill). Acknowledging that the GDPR will be directly applicable across the EU, including the UK, from 25 May 2018, the statement of intent explains that the purpose of the DP Bill is to reflect the requirements of the GDPR and "ensure that we help to prepare the UK for the future after we have left the EU". The DP Bill will also repeal the Data Protection Act 1998 (DPA) and will implement certain UK-specific data protection rules in accordance with the government’s right to exercise the derogations available to the UK under the GDPR. In its preparations for Brexit, the government has clarified that the DP Bill will modify the GDPR to make it work for the benefit of the UK by applying the new data protection standards to all personal data (not just in the areas of EU competence).

The notable derogations to be implemented by the DP Bill are as follows:

  • a right for individuals to require social media platforms, on request, to delete information held about them at the age of 18;
  • children aged 13 years or older can consent to data processing (the youngest age allowed under the GDPR);
  • to preserve and extend the right to process personal data regarding criminal convictions and offences beyond official bodies (although strict requirements for processing will be imposed), enabling all organisations to continue to process personal data in appropriate circumstances (e.g. to continue to allow employers to conduct criminal record checks);
  • to give individuals an express right not to be subject to automated decision-making (including profiling);
  • to maintain the journalistic exemption (broadly similar to the current s.32 of the DPA) for personal data which are processed for special purposes and with a view to publication in the public interest; and
  • to ensure that research organisations and archiving services will not have to comply with certain aspects of data protection law (e.g. replying to subject access requests or rights of data subjects to rectify, restrict, or object) where to do so would seriously impair or prevent them from fulfilling their purposes provided that appropriate security safeguards are put in place.

The DP Bill creates two new criminal offences, which each carry a penalty of a potentially unlimited fine:

  • intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; and
  • altering records with the intent to prevent disclosure following a subject access request.

The DP Bill also extends the scope of the existing offence of unlawfully obtaining data to capture those who retain data against the wishes of the data controller, even if the data were lawfully obtained in the first place.

Importantly, none of these modifications appear to prevent the UK from fully complying with the GDPR post-Brexit. This is crucial as the UK will need to demonstrate that its law is equivalent to the GDPR if it wishes to transfer data to and from the remaining EU Member States without restriction post-Brexit. The government confirmed in its statement of intent that it is committed to ensuring that “uninterrupted data flows continue between the UK, the EU and other countries around the world”. Nevertheless, it does appear likely that the UK will require an adequacy finding by the EU in due course (see the article below on post-Brexit data sharing).

To read the Government's statement of intent, please click here.


UK seeks early deal with EU on post-Brexit data sharing

The UK government is seeking to negotiate a data-sharing arrangement with the EU under which Brexit brings no substantial regulatory change. Its strategy paper, "The exchange and protection of personal data – a future partnership paper", was published on 24 August 2017. The paper proposes to build on the "unprecedented alignment" between UK and EU data protection standards that will exist at the point the UK leaves the EU in order to establish common data protection standards with the EU post-Brexit.

In the paper, the government argues that the UK:

  1. has a unique standing as a leading player in the world of electronic commerce and "has some of the strongest data protection standards in the world", which means that it should be able to ask for special treatment from the EU when agreeing future standards; and
  2. as a result of that unprecedented alignment, should be exempt from the usual adequacy assessment that the EU applies to third countries, and instead wants to explore a unique UK-EU model comprising a more permanent harmonisation agreement, providing stability and legal certainty for businesses.

The government commented that "the future deep and special partnership between the UK and the EU could productively build on the adequacy model", but did not indicate how it would seek to maintain this mutual recognition once rapidly-evolving privacy standards start to diverge. The government did, however, confirm that it would like to have a shared policy process in place in which both the UK and the EU would have to agree to future changes.

Given that the UK has indicated its intentions to closely align its data regulations with the GDPR, in publishing the DP Bill, the Government’s position does not appear unachievable. However, the EU has not considered if the DP Bill meets what it considers to be adequate levels of data protection nor has it confirmed if it agrees that the UK should be exempt from the adequacy test. The EU Commission currently recognises Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

To read the Government’s strategy paper, please click here.


Cybersecurity

UK Government publishes NIS Directive consultation document which envisages large fines for operators of essential and digital services

On 8 August 2017, the Government launched a consultation on how best to implement the Network and Information Systems Directive (the Directive) which aims to increase the security of network and information systems across the EU. In contrast to the GDPR, the government has some flexibility regarding the implementing regulation which will give the Directive legal effect in the UK. The consultation sets out the government’s proposed approach and asks a series of questions on policy issues relating to the Directive.

The Directive’s focus on essential services (e.g. digital infrastructure, energy, health, transport, and water) is intended to minimise the frequency of cyber-attacks and the sizeable impact they have on the UK economy and society as a whole (e.g. the NHS ‘WannaCry’ cyber-attack in May 2017). However, only operators of essential services with their head office in the UK will have to comply with the implementing legislation. The purpose of this is to prevent operators having to comply with multiple national regulations across the EU but does raise the question of whether operators with headquarters outside the EU will be exempt from the security and incident reporting requirements.

If the Directive is implemented in accordance with the Government’s current proposals, organisations within its scope would face fines of up to €20 million or 4% of global turnover (whichever is higher) for a serious breach of cyber security standards.

The consultation (which can be accessed here) closes at 11:45pm on 30 September 2017.


Nationwide Mutual Insurance reaches $5.5 million in settlement of breach investigation

On 9 August 2017, US insurer Nationwide Mutual Insurance Co. (Nationwide Mutual) agreed to a $5.5 million settlement with Attorneys General from 32 US states in connection with a data breach, in 2012, which exposed the personal information of over 1.2 million individuals to hackers.

Nationwide Mutual and its affiliate, Allied Property & Casualty Insurance Co. (Allied), suffered a breach that resulted in unauthorised access to, and unauthorised transfer of, certain personal information of their customers and other consumers, including names, social security numbers, drivers' license numbers, credit scoring data and other data collected to provide quotes to consumers applying for insurance coverage.

The Attorneys General alleged that the breach occurred when hackers exploited a vulnerability in third-party web application hosting software used by Nationwide Mutual and Allied, and that both companies had failed to deploy a critical software patch addressing that vulnerability.

Under the terms of the settlement, Nationwide Mutual and Allied agreed to, amongst other conditions:

  • appoint an individual responsible for managing and monitoring software, security updates and patches;
  • maintain an inventory of systems processing personal information together with the patches and updates applied to each system;
  • assign a priority level to each new security update and document the basis for any exceptions;
  • regularly review and update incident management policies and procedures; and
  • hire an independent third party to perform a patch management audit on an annual basis.


ICO Enforcement

The ICO has fined TalkTalk Telecom Group PLC £100,000 after it failed to look after its customers’ data

The Information Commissioner's Office (ICO) has fined TalkTalk Telecom Group PLC (TalkTalk) £100,000 after the personal information of 21,000 customers was exposed to fraudsters. The breach came to light in September 2014 when TalkTalk received complaints from customers that they were receiving scam calls. Customers reported that the fraudsters pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers.

The ICO’s investigation uncovered that customer details were compromised as a result of a TalkTalk portal, through which customer information could be accessed by various other companies (including Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf). It became apparent that three Wipro accounts had been used to gain unauthorised and unlawful access to the personal data.

The investigation also found that forty Wipro employees had access to the details of up to 50,000 TalkTalk customers, that staff could log in to the portal from any internet-enabled device (there were no controls restricting access to devices linked to Wipro), and that they could run "wildcard" searches to view and export up to 500 customer records at a time.

The ICO considered this level of access "unjustifiably wide-ranging" and found that it placed the data at risk. TalkTalk's failure to take appropriate technical and organisational measures was therefore found to constitute a serious contravention of the seventh data protection principle.
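The three gaps the ICO identified (no restriction on where partner staff log in from, bare wildcard searches, and bulk export of hundreds of records) are all visible in ordinary portal access logs. The following is an added illustration, not part of the bulletin and not TalkTalk's, Wipro's or the ICO's code or data: it parses a constructed sample log in an assumed "timestamp key=value ..." format and flags each event that breaches one of three assumed controls (an allow-list of partner source networks, a ban on queries that are nothing but wildcards, and a cap on rows returned per query or export).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log for a hypothetical third-party support portal.
# The format, user names, addresses and thresholds are assumptions for this
# example; they are not TalkTalk's, Wipro's or the ICO's data.
SAMPLE_LOG = """\
2014-09-01T09:01:02Z user=partner_01 src=203.0.113.10 action=login
2014-09-01T09:02:10Z user=partner_01 src=203.0.113.10 action=search query=smith* rows=12
2014-09-01T22:15:00Z user=partner_07 src=198.51.100.77 action=login
2014-09-01T22:16:31Z user=partner_07 src=198.51.100.77 action=search query=* rows=500
2014-09-01T22:17:02Z user=partner_07 src=198.51.100.77 action=export rows=500
"""

# Networks the partner's staff are expected to connect from (assumed for the example).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Largest result set a support agent should need from one query (assumed threshold).
MAX_ROWS = 50

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'ts key=val key=val ...' into a dict; returns None for blank or odd lines."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    event = {"ts": parts[0]}
    event.update(KV_RE.findall(parts[1]))
    return event


def src_allowed(ip_text, allowed_nets):
    """True only if the source address parses and sits inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or missing address: treat as not allowed
    return any(ip in net for net in allowed_nets)


def audit(log_text, allowed_nets=ALLOWED_NETS, max_rows=MAX_ROWS):
    """Return (timestamp, user, reason) findings for the three control gaps."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        ts, user = ev["ts"], ev.get("user", "?")
        if not src_allowed(ev.get("src", ""), allowed_nets):
            findings.append((ts, user, "source not in allowed network"))
        query = ev.get("query")
        if query is not None and query.replace("*", "").replace("%", "") == "":
            findings.append((ts, user, "bare wildcard search"))
        rows = int(ev.get("rows", "0"))
        if rows > max_rows:
            findings.append((ts, user, f"bulk result set ({rows} rows)"))
    return findings


def summarise(findings):
    """Count findings per (user, reason) so repeat offenders stand out."""
    return Counter((user, reason.split(" (")[0]) for _, user, reason in findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
    print(summarise(audit(SAMPLE_LOG)))
```

Run as a script it lists six findings, all against partner_07; the login from outside the allow-listed range is the first, and the bare "*" query and the two 500-row operations follow. In production these checks belong in the portal itself (reject the login, refuse the query, cap the export) rather than only in an after-the-fact audit, but the same three rules make a serviceable detection if the controls are not yet in place.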

This is the second major fine to have been issued to TalkTalk by the ICO in less than a year; in October 2016 it was issued with a record £400,000 fine for security failings that allowed a cyber attacker to access the details of nearly 157,000 customers “with ease” (see here).

Click here to read the monetary penalty notice.


ICO fines Islington Council £70,000 for parking ticket website security breach

Islington Council (the Council) has been fined £70,000 after the ICO found that the Council’s parking-ticket website had failed to adequately secure the personal information of 89,000 citizens. The Council’s "Ticket Viewer" service allows people who have received a parking ticket in the borough to look at the CCTV image or video evidence of their alleged offence. However, in October 2015 a site user discovered that by manipulating the URL they could gain unauthorised access to folders containing personal information.

The ICO found that the Council should have tested the system both prior to going live and regularly after that. As the Council did not do this, it failed to take appropriate technical measures to keep the personal information secure and this was a breach of the DPA.
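The flaw class described here (a URL parameter that selects a file or folder without the server checking that the requester is entitled to it) and the missing pre-release testing the ICO refers to can both be shown in a few lines. The following is an added, hypothetical example written for this bulletin; it is not the Council's code and the ticket numbers, users and paths are invented. It sets a weak resolver that turns the URL parameter straight into a path beside a hardened one that looks the ticket up server-side, checks ownership and confirms the path stays inside the evidence root, and it includes the kind of probe a release test should have run against the viewer.

```python
import posixpath

# Constructed ticket-evidence index for a hypothetical parking-ticket viewer.
# Ticket numbers, users and paths are assumptions for this example and have
# nothing to do with Islington's actual system or the ICO's findings about it.
EVIDENCE_ROOT = "/srv/evidence"
TICKETS = {
    "PCN1001": {"owner": "user_a", "file": "PCN1001/cctv.jpg"},
    "PCN1002": {"owner": "user_b", "file": "PCN1002/cctv.jpg"},
}


def evidence_path_weak(url_param):
    """Weak design: the URL parameter is used directly as a path under the
    evidence root. Nothing ties the request to the ticket holder, another
    ticket's folder is one edit away, and '../' walks out of the root."""
    return posixpath.normpath(posixpath.join(EVIDENCE_ROOT, url_param))


def evidence_path_hardened(url_param, session_user):
    """Hardened design: look the ticket up server-side, check the logged-in
    user owns it, and confirm the resulting path is still inside the root."""
    ticket = TICKETS.get(url_param)
    if ticket is None or ticket["owner"] != session_user:
        return None  # unknown ticket or someone else's: refuse without saying which
    path = posixpath.normpath(posixpath.join(EVIDENCE_ROOT, ticket["file"]))
    if not path.startswith(EVIDENCE_ROOT + "/"):
        return None  # defence in depth against a bad entry in the index itself
    return path


def idor_probe(resolver, users, params):
    """Release test of the kind the ICO said was missing: try every
    (user, parameter) pair and report any that resolves to a file the user
    does not own. `resolver` takes (url_param, session_user) and returns a
    path or None."""
    leaks = []
    for user in users:
        owned = {
            posixpath.join(EVIDENCE_ROOT, t["file"])
            for t in TICKETS.values()
            if t["owner"] == user
        }
        for param in params:
            path = resolver(param, user)
            if path is not None and path not in owned:
                leaks.append((user, param, path))
    return leaks


def weak_as_resolver(url_param, session_user):
    """Adapter so the weak resolver, which ignores the user, can be probed too."""
    return evidence_path_weak(url_param)


if __name__ == "__main__":
    users = ["user_a", "user_b"]
    print("weak:", idor_probe(weak_as_resolver, users,
                              ["PCN1001/cctv.jpg", "PCN1002/cctv.jpg", "../../etc/passwd"]))
    print("hardened:", idor_probe(evidence_path_hardened, users,
                                  ["PCN1001", "PCN1002", "../../etc/passwd"]))
```

Against the weak resolver the probe reports four leaks (each user reaching the other's image, and both reaching a path outside the evidence root); against the hardened resolver it reports none. The ownership check is the substantive fix; the root-containment check costs one line and catches mistakes in the index data rather than in the request.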

Click here to read the monetary penalty notice.


KEY CONTACTS

Jonathan Kirsop, Partner
T: +44 20 7809 2121  M: +44 7554 403 022  Office: London

Alison Kenney, Associate
T: +44 20 7809 2278  Office: London