Coverage this month includes: the publication of the General Data Protection Regulation, a Supreme Court ruling on celebrity injunctions, a challenge from the Irish regulator to the use of Standard Contractual Clauses for data transfers outside the EEA and an enforcement update from Singapore.
In our cyber security section, we look at the European Council's adoption of the cyber security directive and a recent hack against a bank.
We also provide our monthly overview of the latest actions taken by the ICO, including a fine against a company for making over 6 million calls without consent.
The General Data Protection Regulation ("GDPR") was published in the Official Journal of the European Union on 4 May 2016. As was reported in last month's bulletin, the GDPR was adopted in a plenary session of the European Parliament on 14 April 2016.
The publication of the GDPR means it will be directly applicable in Member States from 25 May 2018, giving businesses two years to bring their policies in line with the new requirements. We will keep you informed of any updates and guidance published over the next two years to assist companies preparing for implementation.
As reported in our October 2015 update, last year the Court of Justice of the European Union ("CJEU") ruled that the "Safe Harbor" regime for data transfers out of the EEA was invalid.
The Article 29 Working Party issued a statement in the wake of the CJEU's decision saying that Standard Contractual Clauses approved by the European Commission could still be relied upon. Companies have therefore been switching to this method for their data transfers to the US, as it is now seen as the sole practicable method of transfer in the absence of Safe Harbor.
However, the Irish regulator intends to challenge Facebook's reliance on these clauses following the Schrems case. Helen Dixon, the Irish Data Protection Commissioner, has been quoted in the Financial Times as saying that they would “seek declaratory relief in the Irish High Court and a referral to the [European Court of Justice] to determine the legal status of data transfers under Standard Contractual Clauses.”
Given the number of companies that rely on these clauses, there would be potentially huge ramifications for international data transfer if the clauses were ruled to be invalid. Options for companies wishing to transfer data out of the EEA would become extremely limited, particularly as the planned successor to Safe Harbor, "Privacy Shield", continues to make slow progress towards agreement while doubts persist (as reported in last month's bulletin).
On 19 May 2016, the Supreme Court released its judgment on the injunction that has prevented newspapers from reporting on the extra-marital affair of a celebrity. The Court of Appeal had ruled in favour of the injunction and News Group appealed to the Supreme Court, which dismissed the appeal and ruled that the injunction should continue in force.
It is clear from the judgment that private affairs will not be considered "in the public interest" if they are simply a matter of curiosity for the public. In terms of freedom of expression, the court ruled that "this type of expression is at the bottom end of the spectrum of importance (compared, for example, with freedom of political speech or a case of conduct bearing on the performance of a public office)."
Importantly, the judgment also clarifies that even where information is leaked into the public domain, thereby losing its confidentiality, this does not mean that the court will no longer seek to uphold the individual's privacy through an injunction. Lord Neuberger drew a distinction between confidentiality and intrusion, reasoning that while confidentiality may have been lost, an injunction can still limit further intrusions into the individual's private life.
The judgment appears to breathe new life into these types of injunctions and is a warning to both the press and users of social media about the degree to which they may be able to report on private affairs.
You can read the Supreme Court's judgment here.
The ICO has issued a statement on the implications for data protection law of the UK leaving the European Union.
It points out that UK law on data protection existed before any EU law on the subject and that the UK will continue to need "clear and effective data protection laws" regardless of its membership of the EU.
This firm's view (and that of most commentators) is that if the UK were to leave the EU, the most likely scenario would be for national legislation to be passed along very similar lines to the GDPR.
Read the ICO's statement here.
As reported in our March bulletin, Elizabeth Denham was selected as the government's preferred choice to be the next Information Commissioner.
Her appointment was confirmed on 27 April 2016 by the Culture, Media and Sport select committee. The appointment is still subject to final approval from Her Majesty The Queen. Assuming that such approval is granted, Elizabeth Denham will take over as Information Commissioner this summer.
In Singapore, personal data is protected by the Personal Data Protection Act 2012 ("PDPA"), the provisions of which are enforced by the Personal Data Protection Commission ("PDPC"). The PDPA came into force on 2 July 2014 and last month marked the first fines and decisions imposed by the PDPC under it.
While most of the companies involved were only issued with warnings, three companies received fines, the largest being imposed on K Box Entertainment Group, which was fined SGD 50,000.
The fines and warnings are an indication of the PDPC's willingness to enforce the provisions of the PDPA against companies. Although the highest fine of SGD 50,000 was still far below the maximum penalty of SGD 1m, it is a reminder to companies to take their obligations under the PDPA seriously.
Some of the key issues that companies should be aware of are:
- Access to computer systems by former employees must be revoked promptly once they leave.
- Companies should make sure they appoint a data protection officer and develop a robust data protection policy.
- Security systems should be tested and updated regularly to address vulnerabilities. Third party providers should also be vetted to make sure their own security measures are adequate.
Summaries of the decisions can be found here.
European Council adopts cyber security directive
The EU-wide network and information security directive (the "NIS Directive"), which was proposed by the European Commission in 2013, aims to create a harmonised approach to cyber security between member states.
After negotiations last year (which we reported here), an informal agreement on the NIS Directive was reached between the European Council (the "Council") and the European Parliament in December 2015 (please see the Council press release here).
On 17 May 2016, the Council adopted the NIS Directive at first reading and it will now need to be approved by the European Parliament at a second reading. It is anticipated that the NIS Directive will enter into force in August 2016.
Unlike the GDPR, the NIS Directive will not be directly applicable, which means that Member States will need to bring their national law in line with its provisions within 21 months of its entry into force.
Some of the key features of the NIS Directive are as follows:
- Member States must adopt strategies for tackling information security risks, which will be facilitated by national designated authorities and the creation of Computer Security Incident Response Teams ("CSIRTs").
- In order to realise the aim of increased co-operation between member states in dealing with cyber security, CSIRTs across Europe will form a network, initial meetings of which have already been held at The Hague and Riga.
- There are particular security obligations for operators of essential services (for example health and energy).
The first reading of the NIS Directive can be read here.
SWIFT reports further cyber attack against bank
Following on from the £56m theft by hackers from Bangladesh's central bank earlier this year, on 13 May 2016 the financial messaging service provider SWIFT announced that another attempted attack was made against a bank.
SWIFT has not revealed the identity of the victim institution, but it has been reported in the press that it was a Vietnamese bank and that the attack was ultimately unsuccessful.
The press release from SWIFT notes similarities to the earlier attack in Bangladesh. The hackers apparently exploited vulnerabilities in the bank's payment environment in order to initiate fund transfers and then tried to cover their tracks by overriding secondary controls.
Due to the apparent level of knowledge of the hackers, SWIFT believes that they must either have had inside help or managed to obtain information through other cyber attacks.
The news is a further reminder to financial institutions that security systems must be kept up-to-date and regularly stress-tested to ensure they do not fall prey to similar attacks.
The SWIFT press release can be read here.
Teenager charged with hacking Mumsnet
Mumsnet is a parenting forum, which according to its website aims to "make parents' lives easier by pooling knowledge, advice and support."
The site reset passwords for its 7.7 million users last August when it was subjected to online attacks including distributed denial of service (DDoS) attacks, which flood a website with traffic so as to disrupt its normal service.
A British teenager has been charged and will appear in Guildford Magistrates' Court on 7 June to answer counts of hacking and impairing the operation of or hindering access to a computer.
Check Point Claims Ltd
The ICO received complaints last year about automated marketing calls relating to hearing loss claims, which originated from Check Point Claims Ltd ("CPCL"). Between 30 March and 30 September 2015, CPCL made or instigated 6,388,122 automated calls. The Commissioner's office first wrote to CPCL in September 2015 reminding it of its obligations under PECR, including the warning that fines of up to £500,000 could be issued.
The ICO subsequently found that CPCL was in breach of PECR for making automated marketing calls to subscribers without consent and fined CPCL £250,000.
A copy of the monetary penalty notice can be found here.
Chelsea and Westminster Hospital NHS Foundation Trust
The ICO has fined Chelsea and Westminster Hospital NHS Foundation Trust £180,000 for breaching the Data Protection Act 1998 by failing to take appropriate technical and organisational measures against unauthorised processing of personal data.
The breach related to a service through which patients with HIV could receive results and make appointments by email. A member of staff sent an email to 17 patients but put their addresses in the "To" field rather than the "Bcc" field, so every recipient could see the other recipients' addresses and identities. Adequate training was not put in place, and the mistake was repeated in September 2015 with a newsletter sent to 781 patients.
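The control that would have prevented both incidents is mechanical rather than a matter of training: bulk mail to a sensitive group should never carry the recipients in visible headers at all. The following is an added example (not code from the Trust, the ICO or any system described in the notice) showing the mistake and the safeguard side by side: a message that lists everyone in "To", a message that keeps the recipient list purely in the SMTP envelope, and a pre-send check that rejects any message with more than one visible recipient. The patient addresses, the sender address, the threshold of one visible recipient and the `RecordingSMTP` stand-in for `smtplib.SMTP` are all constructed for the example.

```python
"""Guard a bulk mailing against disclosing recipients to one another.

Added example; addresses, threshold and the RecordingSMTP stand-in are
constructed here and are not taken from any real system.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: clinical results mail is one-to-one, so at most one address
# (the sender's own) may be visible in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data.
SENDER = "clinic-results@example.org"
PATIENTS = [f"patient{i:02d}@example.org" for i in range(1, 18)]  # 17 addresses


class RecipientDisclosureError(ValueError):
    """Raised when a message would reveal recipients to each other."""


def visible_recipients(msg):
    """Return every address in the To and Cc headers: what each recipient sees."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(raw) if addr]


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Refuse messages that expose more than max_visible addresses, or any Bcc header."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise RecipientDisclosureError(f"{len(seen)} addresses visible in To/Cc")
    if msg.get_all("Bcc"):
        # A Bcc header that survives into the wire form is itself a disclosure.
        raise RecipientDisclosureError("Bcc header present in message")
    return seen


def leaked_addresses(raw_bytes):
    """Parse the serialised (on-the-wire) message and report visible addresses."""
    parsed = message_from_bytes(raw_bytes, policy=policy.default)
    return visible_recipients(parsed)


def build_unsafe_message(sender, recipients, subject, body):
    """The mistake in the notice: every recipient listed in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body):
    """Safe form: headers show only the sender; recipients live in the SMTP envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # only the sender's own address is visible
    msg["Subject"] = subject
    msg.set_content(body)
    check_before_send(msg)
    return msg, list(recipients)


class RecordingSMTP:
    """Stand-in for smtplib.SMTP that records sendmail() calls (constructed for the example)."""

    def __init__(self):
        self.sent = []

    def sendmail(self, from_addr, to_addrs, msg_bytes):
        self.sent.append((from_addr, list(to_addrs), msg_bytes))
        return {}


def send_bulk(smtp, msg, envelope_recipients):
    """Check the message, then hand the recipient list to SMTP as envelope RCPTs only."""
    check_before_send(msg)
    raw = msg.as_bytes()
    check_before_send(message_from_bytes(raw, policy=policy.default))  # re-check wire form
    smtp.sendmail(str(msg["From"]), envelope_recipients, raw)
    return len(envelope_recipients)


if __name__ == "__main__":
    unsafe = build_unsafe_message(SENDER, PATIENTS, "Your results", "Please log in.")
    print("unsafe message exposes", len(leaked_addresses(unsafe.as_bytes())), "addresses")
    safe, envelope = build_bulk_message(SENDER, PATIENTS, "Your results", "Please log in.")
    print("safe message exposes", leaked_addresses(safe.as_bytes()))
    print("delivered to", send_bulk(RecordingSMTP(), safe, envelope), "envelope recipients")
```

With a real `smtplib.SMTP` connection the same `send_bulk` call works unchanged, because `sendmail()` takes the envelope recipients separately from the message bytes; the recipient list therefore never appears in any header, and the pre-send check catches a message built the wrong way before it reaches the server.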
A copy of the monetary penalty notice can be found here.
Better for the Country Ltd
Better for the Country ("Company") campaigns for Great Britain to leave the EU under the name Leave.EU. As part of its campaign, the Company sent out text messages asking individuals to support their "fight to leave the EU."
Between 1 May 2015 and 7 October 2015, the GSMA's Spam Reporting Service received 134 complaints of unsolicited texts sent by the Company. After being contacted by the ICO, the Company revealed that some of the individuals contacted had been identified from data supplied to the Company by a third party.
The ICO found the Company to be in breach of PECR by sending direct marketing messages without consent and fined the Company £50,000.
A copy of the monetary penalty notice can be found here.