Coverage this month includes a brief update on the progress of the European Union General Data Protection Regulation ("GDPR") as well as a summary of recently published guidance provided by the ICO on how to prepare for its introduction. In this edition, we consider the legal battle between the Federal Bureau of Investigation ("FBI") and Apple relating to the FBI's investigations into the mass shooting in San Bernardino in December and its attempts to access encrypted data on the iPhone of the perpetrator. We also look at proposed changes to how broadband providers use personal data in the US.
In our cyber security section, we look at a new body that has been introduced to provide advice to private and public bodies in order to prevent cyber attacks and highlight new encryption guidance provided by the ICO. Finally, we provide our monthly overview of the latest actions taken by the ICO including news of a record fine.
In a recent draft statement published on 17 March 2016, the Council noted that its position at the first reading reflects the compromise previously reached between the Council and the European Parliament ("Parliament").
The Council is due to formally adopt its position on the GDPR on 21 April 2016. The Parliament will then decide whether or not to follow the Council's position and will vote accordingly. Once the GDPR is formally adopted, it will be submitted for signing by the President and Secretaries-General of Parliament and the Council. The GDPR will then be published in the Official Journal shortly after the signing and will take effect two years after that date.
As noted above, the GDPR will come into force two years after its formal publication in the Official Journal. In response, the ICO has issued the following guidance in the form of 12 steps that can be taken in advance of the GDPR coming into effect. An outline of the 12 steps is provided below:
- Awareness - key decision makers should be made aware of the forthcoming changes in law.
- Information - an information audit may be necessary to ensure that any personal data you hold is properly stored and managed.
- Privacy issues - put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals - check existing procedures and ensure they cover all the rights individuals have, including how you would delete or remove any personal data.
- Subject access requests - ensure that there are adequate procedures in place to enable you to deal with any such requests within the new timescales contained within the GDPR.
- Legality of processing information - always check the types of data being processed and identify your legal basis for carrying it out.
- Consent - ensure appropriate records of any consents given are kept.
- Children - identify and put appropriate systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data breaches - ensure that adequate procedures are in place to detect, report and investigate a personal data breach.
- Data Protection Impact Assessments - familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them.
- Data Protection Officers - appoint a designated Data Protection Officer to take responsibility for data protection compliance.
- International - if you operate internationally, you should determine which data protection supervisory authority would act as lead authority.
The full guidance can be accessed here.
Following a mass shooting in San Bernardino, California by Syed Rizwan Farook in December, the FBI made headlines by demanding that Apple provide access to the attacker's iPhone, believing that encrypted data in Mr. Farook's phone and its GPS system may hold vital clues about who he may have contacted before the attack, and where he may have travelled in the 18 minutes after the shootings. The FBI required assistance from Apple because the password mechanism built into iPhones will erase the phone's data after 10 incorrect password attempts. Apple refused the FBI's request, claiming that assisting the FBI in its attempts to access the attacker's mobile phone would have far-reaching consequences and could affect the security and privacy of its customers.
The FBI responded to Apple's lack of cooperation by seeking a court order to compel Apple to unlock the phone, and a federal court in California was scheduled to hold a hearing on the matter. However, on 21 March 2016 the Department of Justice ("DoJ") was granted its first request to delay the court order and a week later granted its request to cancel the court order entirely, after the FBI found an alternative way to extract data from the phone used in the attack without assistance from Apple.
Apple is now working to discover the vulnerability in its software, in light of fears about the possible repercussions of the FBI’s disclosure that a previously unknown flaw exists in the iPhone's security, leaving Apple users potentially exposed to a cyber security threat. This case also highlights the wider issue of how far companies should be required to modify their products in order to help investigators, and the question of balancing security and investigatory powers against the rights of individuals to privacy and data protection. In their respective statements, the DoJ anticipated future legal clashes with Silicon Valley over encryption and data security, while Apple confirmed that it would continue to strengthen the protections built into its devices.
Under proposed new privacy rules which are to be voted on at the end of this month by the American communications body, companies will be allowed to use customer information where such use is "necessary to provide broadband services and for marketing the type of broadband purchased". Data may also be used "for the purposes of marketing other communications-related services" unless a customer expressly opts out of receiving such communications.
Any other use of personal data will only be permissible where customers have expressly consented (by way of an "express, affirmative, opt in") to the broadband provider using such information. The new rules are effectively designed to enable customers to sign up for services without necessarily signing away their right to privacy.
These proposals, if introduced in the US, would require broadband providers to take "reasonable steps" to safeguard customer information from unauthorised use or disclosure. Such steps may include appointing a data protection manager, data protection training and taking responsibility for the use of any data shared with third parties.
GCHQ has long been the key cyber security body but its inaccessibility to those outside government has prompted the introduction of the National Cyber Security Centre ("NCSC") to bolster cyber security in the private sector. This body will provide advice to corporates, the financial services industry generally and public bodies.
This announcement has been made following Chancellor George Osborne's pledge to raise government spending on cyber security to £1.9bn by 2020. The centre will work alongside other government departments and will serve as a key source of information for any advice relating to combatting cyber attacks. The NCSC will primarily focus on promoting good practice and preventing online attacks from taking place.
The NCSC has recently announced its plans to work alongside the Bank of England in order to offer increased protection to the UK economy against the threat of cyber attacks.
Although the Data Protection Act 1998 does not make the use of encryption mandatory, Principle 7 does require 'appropriate technical and organisational' measures to be adopted in order to keep personal data secure. The ICO suggests in its new guidance published this month that encryption is a cost-effective way to implement such measures. Any failure to encrypt data may result in the ICO taking action for failure to comply with Principle 7. Companies may also suffer reputational damage if customer details are lost or stolen.
The guidance considers the various forms of encryption that are available to protect information from unauthorised or unlawful processing. The ICO outlines the distinction between symmetric and asymmetric encryption, two types of encryption in widespread use, highlighting when and where different encryption strategies can help provide a greater level of protection and providing information relating to the implementation of encryption software. It also sets out advice and recommendations for encrypting data in the context of both storage and transfers of data.
The guidance covers a wide range of scenarios where information may be lost, stolen or subject to unauthorised access, and sets out practical recommendations for each. Read the full guidance here.
The Government has announced its proposal for British Columbia's Information Commissioner Elizabeth Denham to take up the role of Information Commissioner in the UK for a five-year period.
Christopher Graham is the current Information Commissioner and is due to step down at the end of his current term in the summer of 2016. The appointment of Elizabeth Denham will be confirmed once a pre-scrutiny hearing by the Culture, Media and Sport Select Committee has taken place and final approval from Her Majesty The Queen has been received.
Record fine handed out by ICO
The ICO fined Prodial Ltd £350,000 for making over 46 million nuisance calls relating to payment protection insurance ("PPI") mis-selling. As a result of these nuisance calls, 1,000 people complained but struggled to identify who was actually making the calls because of the way Prodial had structured its communications.
A copy of the monetary penalty notice can be found here.
A warning to all politicians: the case of David Lammy MP
The MP for Tottenham was fined £5,000 this month for making over 35,629 calls to his constituents over the course of a 48-hour period as part of his campaign to be nominated as the Labour candidate for London Mayor.
The ICO did not consider Lammy's actions to constitute a deliberate breach but did find that he had been negligent, as the company engaged by Mr Lammy to make the automated calls had made clear that any such calls should only take place with the prior consent of a subscriber. In this instance, such consent was not obtained from Lammy's constituents.
A copy of the monetary penalty notice can be found here.
Licence revoked but calls made anyway
Falcon & Pointer, which had its licence revoked by the Claims Management Regulator in January, told the ICO it had stopped making calls in June 2015, but an investigation later identified that the company made around two million automated calls in the following two months. The ICO held that the company should not transmit, or instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in specified and limited circumstances.
A copy of the enforcement notice can be found here.