Welcome to the July 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.
Coverage this month includes: the adoption of Privacy Shield, a key development in the case of Google v Vidal-Hall, and legal issues for Microsoft in the US and France.
In our cyber security section, we look at the publication of the EU-wide cyber security directive and a jail sentence for a baseball scout.
We also provide our monthly overview of the latest actions taken by the ICO, including a stop notice for unsolicited marketing calls.
After months of consultations, the European Commission (the "Commission") finally adopted the Privacy Shield framework for EU-US personal data transfers on 12 July 2016. The US Department of Commerce will start accepting self-certifications from US companies under Privacy Shield as of 1 August 2016.
Under Article 25(1) of the EU Data Protection Directive (95/46/EC), transfers of personal data from the EU to non-EEA territories are not allowed unless "adequate protection" is available in the recipient territory. Up until last year, many companies relied upon the "Safe Harbor" framework to prove adequacy for transfers to the US.
From 2013 onwards, concerns were raised about the ease with which the US government were able to obtain data from "Safe Harbor" companies (companies which were deemed adequate under the existing Safe Harbor regime). This culminated in a decision of the Court of Justice of the European Union (the "CJEU") in October 2015 that ruled the Safe Harbor regime invalid as a mechanism for data transfers from the EU (the "Schrems Decision").
In order to approve the Privacy Shield, the Commission adopted an adequacy decision on 12 July 2016, which can be read here. The adequacy decision on Privacy Shield aims to address the concerns of the CJEU in the Schrems Decision and was released with a package of documents, including:
- Privacy Shield Principles (including principles on notice, choice, accountability for onward transfer, security, access, data integrity and purpose, and recourse, enforcement, and liability). There are also supplemental principles that may apply in some cases. Companies on the Privacy Shield list who transfer data to third parties must ensure that the third party is compliant with Privacy Shield and that third party must notify the company if they can no longer comply;
- Transparency, oversight and enforcement arrangements. This includes a requirement that participant companies are subject to compliance reviews and may be taken off the Privacy Shield list if found to be in breach;
- Various dispute resolution procedures including an ombudsman mechanism for national security related complaints; and
- Safeguards and limitations (including commitments and assurances from various US government bodies). This includes a promise from the US government not to carry out indiscriminate mass surveillance.
Notwithstanding the adequacy decision, however, the Article 29 Working Party (the pan-EU group of data protection regulators, the "Working Party") released a statement on 26 July 2016 saying it still has concerns about Privacy Shield. Issues they have raised include:
- The lack of stricter guarantees on the independence and powers of the ombudsman mechanism;
- Insufficient assurances that indiscriminate mass data collection does not take place;
- The lack of specific rules on automated decisions and a general right to object; and
- The fact that the application of the Privacy Shield principles to data processors remains unclear.
The Working Party have said they will allow the agreement to run until at least summer 2017, but their statement raises some degree of uncertainty for companies hoping to rely on Privacy Shield in the long term. You can read the statement here.
As reported in our August 2015 bulletin, in July 2015 Google obtained leave to appeal the decision of the Court of Appeal in the case of Google v Vidal-Hall. This would have taken the case to the Supreme Court.
The case involves a claim for compensation for distress caused by unlawful processing of personal data, in this case the processing of data by Google through cookies in a web browser. The decision of the Court of Appeal was significant because the Claimants (Vidal-Hall and others) had not actually suffered any pecuniary loss or other material damage, but the court nonetheless ruled that they were entitled to compensation for the “distress” caused. The decision arguably opens up the scope for potential future claims for compensation, whether or not the claimant could prove financial loss.
Had Google's appeal gone ahead and succeeded, the scope for compensation claims would have been closed once more. However, the parties have settled the dispute out of court and the appeal has been withdrawn. The decision of the Court of Appeal accordingly remains unchallenged and data subjects may still seek to rely on it to claim compensation where they have suffered distress alone, something that represents a departure from the previous interpretation of the Data Protection Act.
The Advocate General of the CJEU has given his opinion in the joined cases of Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others.
The Advocate General noted that in 2014 the CJEU invalidated the Data Retention Directive on the basis that: (i) the general obligation to retain certain types of data seriously interfered with the right to private life and undermined the protection of personal data; and (ii) the rules were not properly restricted to matters that were strictly necessary to combat serious crime.
Following that 2014 judgment, the two joined cases listed above (brought in Sweden and the UK respectively) were referred to the CJEU regarding the general obligation imposed on telecommunication service providers to retain data relating to electronic communications.
In considering the two cases, the Advocate General opined that a general obligation on providers of electronic communication services to retain data could, in certain cases, be consistent with EU law, confirming his view that data can be retained if proper safeguards are in place.
However, the Advocate General is of the opinion that imposing such a data retention obligation must be subject to satisfying strict requirements. He opined that it is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.
According to the Advocate General, in order to impose such a general obligation of data retention on a national level, the following requirements would need to be satisfied:
- Legislative or regulatory measures must be implemented, which are characterised by accessibility, foreseeability, and adequate protection against arbitrary interference.
- The general obligation must respect the right to private life and the right to protection of personal data.
- The only general interest that could be cited to justify the general obligation would be the fight against serious crime.
- The obligation must be strictly necessary (meaning that no other combination of less intrusive measures could be used as a substitute).
- The benefits of the general obligation should be proportionate to the risks.
You can read the Advocate General's opinion here.
The French data protection regulator (CNIL) has officially ordered Microsoft to comply with data protection law in France after finding the company to be in breach on multiple counts, namely:
- Excessive processing of personal data by recording information about the apps downloaded by a user and the degree of use of such apps.
- Insufficient security protection due to unlimited failed PIN attempts when authenticating on the user's Microsoft account.
- Automatic advertising without consent on installation of Windows 10.
- Placing cookies on users' devices without properly informing the users.
- Attempting to use the "Safe Harbor" regime for the transfer of data to the United States, despite the fact that this was ruled invalid in October 2015.
On this last point, as mentioned earlier in the bulletin, the Privacy Shield, as successor to Safe Harbor, has now been adopted by the European Commission. Microsoft has issued a statement confirming its intention to engage with the new Privacy Shield framework and the fact that it had been relying on a "variety of legal mechanisms", including model clauses, in order to transfer data outside the EU.
You can read the CNIL's notice here.
In better news for Microsoft, the United States Court of Appeals for the Second Circuit held on 14 July 2016 that data stored outside the United States by a US-based service provider would not be subject to a search warrant served on that provider.
The case involved an attempt by the US government to investigate drug trafficking. In doing so, they wished to access the emails of a Microsoft customer and served Microsoft with a warrant requiring them to produce the customer's correspondence. Some of this data was stored outside the US, in Ireland.
The court that granted the original warrant under section 2703 of the Stored Communications Act ("SCA") assumed that the warrant would not be limited to materials located within the United States and that the critical issue on location was where the data was being examined by the Government, not where Microsoft would have to seize it. This meant that Microsoft was held in contempt of court when resisting the warrant in respect of the data held in Ireland.
The court ultimately decided that "Congress did not intend the SCA's warrant provisions to apply extraterritorially". Instead, the focus of those provisions was the protection of a user's privacy interests. The court noted that "the data lies within the jurisdiction of a foreign sovereign" and that to direct Microsoft to seize the communications stored in Ireland would constitute an "unlawful extraterritorial application of the Act." On this basis, the court ruled in favour of Microsoft and held that the warrant did not compel the company to seize the data stored in Ireland.
If the court had held that the warrant did apply to the data held in Ireland, this would have left companies operating in the EU potentially having to decide between honouring disclosure obligations under US warrants and data protection obligations under EU law.
You can read the judgment here.
Cyber security directive published in Official Journal
As reported in our May 2016 bulletin, the EU-wide network and information security directive (the "NIS Directive") was approved by the European Council in May.
The NIS Directive was subsequently adopted by the European Parliament on 6 July 2016. In a statement, Commissioner Günther H. Oettinger said that "the adoption of the first EU-wide legislation on cybersecurity will support and facilitate strategic cooperation between Member States."
The NIS Directive was published in the Official Journal of the European Union on 19 July 2016. It will now enter into force on 9 August 2016 and Member States will then have a period of 21 months, up to 9 May 2018, to bring national laws and regulations into compliance with the NIS Directive.
The United Kingdom has not yet triggered Article 50 of the Lisbon Treaty to begin the formal process of leaving the European Union ("EU"). Article 50 gives a maximum period of two years to conclude a withdrawal agreement, after which time (unless a further period of negotiation is agreed between the departing nation and the European Council) the withdrawal will take effect automatically. Given the complexity of the negotiations involved, most commentators agree that the process will take at least two years from the date of formal notice and therefore the UK will likely still be part of the EU on 9 May 2018.
In theory, therefore, the UK will need to bring its national law in line with the NIS Directive, at least until the UK has formally left the EU. It is unclear at this stage exactly what approach the UK Government will take to this. However, even post-Brexit, it would almost certainly be in the UK's best interests to broadly mirror the NIS Directive as it has many common sense provisions that will help to facilitate digital trade and security for the UK, both with respect to the EU and elsewhere.
You can read the NIS Directive in the Official Journal here.
Baseball scout jailed
Chris Correa, the former scouting director of the St Louis Cardinals, has been sentenced by a federal judge in Houston to nearly four years in prison for cyber offences.
In order to try to gain an edge over rival teams, Correa hacked into the Houston Astros' computer system, accessing their scouting database and emails. He pleaded guilty to five counts of unauthorised access to a computer, dating back to 2013 and 2014. Major League Baseball will review information passed to them by federal authorities before deciding whether to take action against the Cardinals.
Michael Lewis's 2003 book Moneyball (and its 2011 film adaptation) told the story of the rising importance of statistical data to the success of baseball teams. The importance of data analytics to success is not unique to baseball, nor indeed to sport. The case highlights that some may be willing to go to extreme lengths to capture the valuable data and analysis of their competitors and that companies need to be increasingly alive to these risks.
Change and Save Limited
On 8 July 2016, the ICO issued a stop order against Change and Save Limited for initiating unsolicited marketing calls. These calls were made to people who were signed up to OFCOM's register of subscribers for people who do not wish to receive marketing calls. The ICO received 254 complaints between 1 June 2014 and 31 December 2015.
A copy of the enforcement notice can be found here.
Consumer Finance Claims Ltd
On 19 July 2016, the ICO ordered Consumer Finance Claims Ltd to respond to a subject access request, having decided that the company had failed to properly comply with the provisions of section 7 of the Data Protection Act 1998. The company had not provided the data subject with the information requested in his or her subject access request of 29 June 2015.
A copy of the enforcement notice can be found here.
Clarity Leeds Limited
On its website, the ICO has reported a court prosecution of Clarity Leeds Limited at Barkingside Magistrates' Court for failing to comply with an Information Notice. The company had been served with two such notices after failing to comply with a subject access request.
The company was fined £300, and was ordered to pay costs of £489.85 and a £20 victim surcharge. The case highlights that where companies fail to comply with notices from the ICO, data subjects still have recourse to the courts in order to enforce their rights under the Data Protection Act 1998.