Coverage this month includes: our analysis of the result of last week’s EU Referendum, and the effect "Brexit" could have on the data protection landscape in the UK, criminal proceedings taken against Uber and its employees, advice issued by a US regulator following a significant fine, and an update on the UK Investigatory Powers Bill as it heads for the House of Lords. We also report on the fines issued by the Hamburg Watchdog for failure to change procedure after invalidation of the Safe Harbor decision, and new ICO sanctions to prevent theft of data by employees.
In our cyber security section, we look at MPs' comments in respect of CEOs’ responsibility for their companies’ cyber security, advice from the Bank of England on addressing cyber security, and the UK's second National Cyber Security Strategy.
Finally we provide our monthly overview of the latest actions taken by the ICO, including fines against companies for unsolicited marketing via automated calls and texts.
Following the EU Referendum on Thursday 23 June 2016, the votes have been counted and the United Kingdom, by a majority of 51.9%, has voted to leave the European Union.
There is great uncertainty surrounding the implications of the UK's Brexit vote. The forthcoming EU General Data Protection Regulation (GDPR) is set to apply with direct effect in all EU member states from 25 May 2018 and the outcome of the EU Referendum raises a number of important data protection concerns. It is not currently clear whether and how the GDPR will apply to UK companies, but rest assured that the data protection landscape is unlikely to change overnight.
In order to leave the EU, the UK will need to follow a formal process set out in the EU Treaties. The government could trigger Article 50 of the Treaty on the European Union and notify the European Council of the UK's intention to leave the EU, although this is not obligatory and not the only route open to the government. The UK will then be required to negotiate an agreement with the EU, setting out the terms of its withdrawal. The UK's membership would cease once the withdrawal agreement is effected, or if no agreement is reached, two years after the official process started. The European Council can, by unanimous agreement, extend this period.
It is not known when the UK will begin the formal process of withdrawal from the EU, or whether it will at all (the idea that the Brexit vote could be used to prompt further membership negotiations has been mooted by some). For the moment, the UK will remain a member of the EU, and companies in the UK and other EU states can continue to transfer personal data to and from the UK.
The GDPR itself will have direct effect and apply to the UK while it remains a member state and/or until such time as the UK Government implements alternative regulation. Many of the changes to data protection regulation brought in by the GDPR were supported by the UK government in negotiations. It would therefore seem logical that this will continue regardless of the UK's ties to the EU. In the Brexit aftermath, other EU Member states will remain major trading partners and as a result the UK will want any data protection regulation to be deemed "adequate" by the EU. In order to achieve this in practice, any regulation is likely to have to adopt the GDPR provisions.
If the UK opts to remain a member of the EEA, the UK would certainly still be subject to EU data protection law. Importantly, even if the UK took the unlikely decision not to implement legislation along the lines of the GDPR, UK companies that process personal data in relation to offering goods or services to individuals in the EU would still need to comply with the GDPR.
In light of the above, it is recommended that companies continue with their efforts to assess the impact of the GDPR and continue to bring about the necessary changes to ensure compliance by May 2018. The worldwide momentum to report personal and non-personal data breaches to regulators will continue and we do not see why the UK would not continue to support this approach. The ICO's views on the EU Referendum are clear: businesses should continue to make arrangements to comply with the GDPR, even in the event of a Brexit.
Read the ICO's statement here.
For more information on Brexit and its possible impact, read our colleagues’ Insight alert here.
Uber Technologies has been fined EURO 800,000 (USD 907,000) by a French court for operating an illegal taxi service with non-professional drivers, misleading consumers and the unlawful collection of personal data.
Two executives were also fined EURO 30,000 and EURO 20,000 respectively in the first such criminal case in Europe. Whilst the company has been involved in a number of legal battles, this was the first time executives had gone to trial. The director for Europe, Middle East and Africa and the company's manager in France were found guilty of deceptive commercial practices and being accomplices in operating an illegal transportation service and violating privacy laws.
The US Securities and Exchange Commission (SEC) has warned firms to ensure that they have policies and procedures to prevent unauthorised accessing of customer data.
This warning followed a settlement reached earlier this month with Morgan Stanley in respect of security issues. Hackers accessed customer data after a former employee "impermissibly accessed and transferred" information from client accounts to his personal server. Part of the data was then posted online and the information was offered for sale.
The SEC found that Morgan Stanley had not put in place sufficient policies, procedures or controls in respect of employees' access to customer data. It also revealed shortcomings in the auditing and testing of "authorisation modules" used by the firm, along with its monitoring and analysis of employees' access to and use of portals through which client data could be accessed.
The director of the SEC's enforcement division, Andrew Ceresney, has stressed the need for companies of all sizes to have policies and procedures that are reasonably designed to protect customer information.
Having passed its final vote in the House of Commons on 7 June 2016, the Investigatory Powers Bill has now moved to the House of Lords for its second reading.
The entire Bill will continue to be debated, but the Joint Committee on Human Rights consider that the "bulk powers" are justifiable if "they have a sufficiently clear legal basis, are shown to be necessary, and are proportionate in that they are accompanied by adequate safeguards against arbitrariness".
In an effort to safeguard 'privacy', the Bill contains various provisions in clause 5 (General duties in relation to privacy). Along with this area, the following is likely to be heavily discussed:
- The safeguards that will be put in place in respect of bulk powers and warrants. For example, will warrants authorised by the Home Secretary need approval from a judge? It is currently expected that they will.
- The effect of the Bill on communication service providers will certainly be a hot topic. Will the latter be required to retain search activity for a period of time, assist the Government in enforcement and remove encryption if required?
- There is the potential for the Bill to clash with the longstanding principle of legal privilege. How will this issue be addressed in instances where data would normally be protected by legal or other privilege? It may be necessary to develop an advisory code of practice to navigate such situations.
The final Bill will need to strike a fine balance between protecting the fundamental right to privacy and providing the authorities, law enforcement and security services with the tools required to effectively deal with crime and terrorism in the digital age. Pending any major issues, it is expected that the new Bill will come into force by the end of 2016.
The Data Protection Authority of Hamburg undertook a review of 35 international organisations based in Hamburg which transferred personal data to the United States, culminating in the announcement of fines on 6 June 2016. The Authority was particularly interested in whether companies had switched to a valid alternative following the Schrems judgment in October 2015, which declared the former Safe Harbor decision by the European Commission invalid (read our November 2015 bulletin for more information).
Its investigation revealed that the majority of companies had changed the legal basis of their data transfers and implemented Standard Contractual Clauses. This was in line with advice from the Article 29 Working Party, in the wake of the Schrems decision, that Standard Contractual Clauses and binding corporate rules would be acceptable for companies to rely on while a new framework was negotiated.
A few companies, however, had failed to switch to a valid alternative and their data transfers were considered unlawful. The Authority issued administrative fines totalling EURO 28,000.
The companies fined made the necessary changes during the proceedings and as a result the fines were much less than the possible EURO 300,000 per company. It is unlikely that future cases will attract such leniency.
The Data Protection Commissioner of Hamburg has requested that the European Commission and the US Government revisit the EU-US Privacy Shield (the successor to the Safe Harbor decision) so some changes may follow. We will keep you updated.
Traditional legal remedies to prevent employees leaving with confidential information can often feel impractical, very unpredictable and expensive to enforce for employers. A recent case may offer some comfort.
The ICO recently pursued a criminal prosecution against an employee who departed a company with information about his former employer's clients. The data included clients' personal information; obtaining it unlawfully breached data protection legislation and was found to constitute a criminal offence under section 55 of the Data Protection Act 1998.
Whilst the actual fines imposed were small (he was fined £300, ordered to pay a victim surcharge of £30 and £405.98 costs), the threat of a criminal conviction should act as a deterrent to most employees. It is too early to tell whether this decision represents a shift in the ICO's enforcement policy, but it should be welcomed as a step in the right direction.
Read the enforcement notice here.
CEO pay and cyber security
The MPs that make up the Culture, Media and Sport Committee have suggested in a report published this month that CEOs should assume "ultimate responsibility for cyber security within a company" and that CEOs of companies that do not have effective cyber security should forfeit some of their pay.
Whilst day-to-day responsibility can be handed to another person in the business (e.g. the Chief Information Officer), CEOs should remain accountable for cyber security in order to ensure it receives adequate attention at the top of the business. Board oversight in this area should also exist.
The Committee's comments come after their inquiry into cyber security which followed the significant data breach experienced by TalkTalk last year. The report also suggests that organisations holding large amounts of personal data should make annual statements to the ICO in respect of cyber security practices and procedures, staff training and audits of security processes. Such statements should also include information on the number of attacks that an organisation received, along with whether any were successful.
The Committee hopes that the above measures will lead to more pro-active monitoring of security at all levels as opposed to reactive reporting of breaches after the event.
The Committee's report can be found here.
The Bank of England provides helpful comments to financial institutions to manage cyber-risk
The Bank of England's Chief Security Officer, Will Brandon, has provided some helpful comments in respect of how financial institutions should manage cyber-risk.
Mr Brandon suggested that cyber-risk can be managed like any other risk that has the potential to damage a firm's business. Understanding the risk, and balancing investment in mitigation against similar investments needed elsewhere in the business, is vital.
He further suggested that addressing cyber-risk is a leadership and management issue, not simply one for the IT department. Governance should be the same as in other areas of the business and clear policies, standards, good management information and a sensible approach to compliance are paramount.
In quantifying cyber-risk, firms should break the risk down into threats, vulnerabilities and assets. This process allows the firm to identify the people likely to launch an attack, the weaknesses that could be exploited by attackers, and the systems that underpin critical business processes.
If firms take this approach, they will be better placed to assess cyber-risk and have a better understanding of controls needed to reduce it, or at the very least, mitigate the impact. The full speech can be found here.
Launch of National Cyber Security Strategy
The UK's second National Cyber Security Strategy launches this year in response to confirmation that cyber-crime is a tier one threat to the UK's economic and national security.
In April 2016, the government published a final report on this strategy (read this report here) which, along with summarising progress to date, reviews the way forward under the 2016 strategy.
Whilst businesses are better protected than they were when the last strategy was launched in 2011, there is still a considerable way to go. The May 2016 cyber-attack on a bank in Bangladesh, and the subsequent access to the SWIFT system (reported in last month's bulletin), following which USD 81m remains unaccounted for, is a stark reminder of the need to improve cyber security.
Advanced VoIP Solutions Ltd
Between January and October 2015, the ICO received 6,381 complaints made against Advanced VoIP Solutions Ltd. The company was found to have hounded people with automated nuisance calls regarding personal protection insurance, packaged bank accounts and flight delays, without their consent.
The automated marketing calls offered an option to press a key to be removed from the calling list, although this was not always effective. If the subscriber re-dialled the number, they were charged at the standard network rate plus 4.1667p per minute.
The ICO found the company to be in a deliberate serious breach of the PECR by making automated marketing calls to subscribers without their prior consent. The ICO fined the company £180,000.
A copy of the monetary penalty notice can be found here.
Quigley & Carter Limited
Between 6 April 2015 and 9 June 2015, a claims management company dealing with mis-sold packaged bank accounts sent 2,689 unsolicited marketing texts to subscribers, many of whom complained to the GSMA's Spam Reporting Service.
The ICO found Quigley & Carter to be in breach of the PECR, as the company was unable to provide any evidence that the individuals to whom the messages had been sent had consented to receiving them. The large number of complaints made during a relatively short period of time showed that Quigley & Carter was engaged in an organised marketing campaign to send very large numbers of text messages. The ICO issued a fine of £80,000.
A copy of the monetary penalty notice can be found here.