Welcome to the latest edition of our Data Protection update, our monthly update on key developments in Data Protection law.
Coverage this month includes the release of a new consolidated draft of the General Data Protection Regulation as the Trilogue process looks set to draw to an end, updates on the ongoing fallout from the invalidation of Safe Harbor and the fine imposed on Facebook Belgium. In our cybersecurity section, we note the recent hack on Vtech. As always, we include an overview of the latest enforcement actions issued by the ICO.
New text released of the General Data Protection Regulation
The Council of the EU has prepared a consolidated revised draft of the proposed General Data Protection Regulation (the "GDPR"). There are reports that the Trilogue parties are moving towards agreement on a finalised document, with Trilogue meetings scheduled for 10 and 15 December. It is possible that the final text may be in place before Christmas.
Some of the remaining open issues include the following.
Communications of breaches to data subjects (Article 31)
The new draft reverts to the original Commission draft in requiring that all breaches (not just high risk breaches) are reported to the supervisory authority.
Data Protection Officers (Article 35)
The new draft includes the mandatory designation of a data protection officer in certain circumstances. This includes where processing is carried out by a public authority or the core activities of the data controller or processor consist of large scale processing operations which require the regular and systematic monitoring of data subjects or involve "special" categories of data (i.e. sensitive personal data).
Administrative Fines (Article 79)
The Council's Presidency has proposed a compromise between Parliament and Commission proposals on administrative fines, which would see a maximum administrative fine of 4% of annual worldwide turnover.
Commission Communication on post-Safe Harbor transfers to the US
On 6 November the European Commission issued a Communication to the European Parliament and Council on the transfer of data from the EU to the US following the Court of Justice's decision in Maximillian Schrems v Data Protection Commissioner, which invalidated the Safe Harbor regime (the "Schrems decision"). In its Communication, the Commission reiterates that it remains committed to working with US authorities to build a new framework for such transfers and that it has begun negotiations with the US government to ensure that any new arrangement complies with the standards for protection set out in the Schrems decision.
The Communication also sets out guidance on the alternative bases for transfers of personal data to the US, namely the use of binding corporate rules ("BCRs") (for intra-group transfers), standard contractual clauses ("SCCs") (for extra-group transfers) and the various exceptions set out in the Data Protection Directive (1995/46/EC) (the "Directive") allowing transfers of personal data in the absence of an adequacy decision. The Commission notes that some data protection authorities have expressed doubts over the protection gained through the use of BCRs and SCCs and states that data exporters may have to put in place additional safeguards to meet the requirements of the Directive. The Communication also states that the Commission will be preparing a decision to amend all existing adequacy decisions to replace wording limiting the powers of individual data protection authorities.
Meanwhile, EU data protection Commissioner Vera Jourová has confirmed her confidence in a new solution for EU-US data transfers being concluded by January 2016.
French data protection authority publishes guidance and FAQs on Safe Harbor
The French data protection authority, CNIL, has published guidance and FAQs recommending that companies use SCCs rather than Binding Corporate Rules as an alternative to Safe Harbor. The reason for this is that implementation of Binding Corporate Rules takes several months. In addition, the CNIL requires all Safe Harbor-registered companies to declare, by January 2016, either that their transfers have ceased or that they are based on a non-Safe Harbor mechanism.
Microsoft to offer European customer cloud data storage in Europe
Microsoft announced in November that it will be setting up new German data centres to host Microsoft's European customers' data (customers will be required to opt in to a more expensive service). The new data centres will be operated and controlled by T-Systems, a subsidiary of Deutsche Telekom. Under the arrangement, T-Systems will act as a "trustee" of the data and facilities. According to Microsoft, its employees will have no access to the data without T-Systems' permission. The move is intended to prevent the US government from demanding access to data directly and to force such authorities to request access through the German authorities. In doing so, it is hoped to satisfy the restrictions of the Schrems decision.
Facebook ordered to pay daily fine for setting cookies and collecting web usage data of non-Facebook registered internet users
On 9 November, the Belgian Court of First Instance ordered three Facebook entities (Facebook Inc., Facebook Ireland Limited and Facebook Belgium SPRL) to stop collecting data from a certain cookie when non-Facebook registered users visited websites with Facebook plugins and issued a fine of €250,000 for each day of non-compliance (thought to be the highest ever EU data protection fine).
Using similar rationale to the Court of Justice of the European Union in its decision on the so-called "Right to be Forgotten" case, the Belgian Court found that it did have jurisdiction, on the basis that Facebook Belgium SPRL was incorporated in Belgium to perform lobbying and undertake marketing activities for Facebook. In addition, the "unique identifier" and IP address of the user was held to be personal data, despite arguments that such data identifies a computer rather than an individual. Consequently, the collection of web surfing behaviour of millions of non-Facebook registered Belgian users was a violation of Belgian data protection law. Facebook could provide no legal justification: there was no consent from such users and no legal obligation to collect the data. In addition, the processing of such data was not fair and lawful. The Court rejected Facebook's argument that the use of the relevant cookie was essential for security reasons.
Facebook is appealing the decision. The daily fine will accumulate during this time.
Twitter ordered to keep Russian data within Russia
The Russian internet regulator, Roskomnadzor, has ordered Twitter to store the data of its Russian users on servers in Russia. After deciding that Twitter collected personal data, the authority ordered Twitter to comply with the new data processing law which took effect on 1 September 2015. The new law requires all businesses which collect or process Russian citizens' personal data to store that data within Russia, in addition to other notification and documentation obligations. The new law also allows the authority to block access to services/websites where website/service providers are in breach.
FCA proposes guidance on outsourcing to Cloud Service Providers and other third parties
The FCA has issued for consultation proposed guidance for regulated firms outsourcing to the cloud and other third party IT service providers. The proposed guidance notes some of the key considerations, with respect to data protection as well as more widely, that firms authorised by or dealing with the FCA will need to take. These include general legal and regulatory requirements, risk management, international standards, the oversight of service providers, data security, data protection, access to data and business premises by regulators, relationships with service providers, change management, continuity and business planning, provisions for insolvency events and exit plans for outsourcing.
The FCA is consulting on the proposed guidance for three months. The deadline for responses is 12 February 2016.
A copy of the proposed guidance can be found here.
Proposed data protection aspects of the Trans-Pacific Partnership Agreement
The proposed text of the Trans-Pacific Partnership Agreement (a trade agreement between the US and 11 other Pacific Rim countries) was released on 5 November 2015. Within Article 14, there are provisions in relation to data protection. These include commitments from participating countries to adopt or maintain a legal framework to protect personal information of users of electronic commerce and to allow the cross-border transfer of information by electronic means for conduct of business of a "covered person". A covered person is a citizen or business of a participating country, excluding financial institutions. Restrictions on transfers to further public policy aims must not restrict trade, unjustly discriminate or be disproportionate.
On 27 November, electronic children's toy manufacturer Vtech announced that it had been the victim of a data theft following the hacking of its Learning Lodge application database. Around 5 million customers from several countries have been affected. News outlets are reporting that pictures of children, chat logs, audio recordings between parents and children and other personal data have been accessed.
There have been a string of monetary penalty notices, undertakings and prosecutions following breaches of data protection legislation this month. The following constitutes a snapshot.
UKMS Money Solutions
UKMS Money Solutions ("UKMS"), a PPI claims company, has been fined £80,000 under Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") and the Data Protection Act 1998 for sending more than 1.3 million spam text messages in June 2015 without the consent of the recipients. 1,405 complaints were made to the 7726 spam reporting service in relation to the messages in the same period. UKMS had purchased the phone numbers from a third party supplier. The ICO found that the consent wording relied on by UKMS was not sufficient to amount to consent under PECR.
A copy of the monetary penalty notice can be found here.
Oxygen Ltd
The ICO has fined Oxygen Ltd, a lead generation company, £120,000 for making unsolicited automated marketing calls. The ICO found that between 6 and 28 April over 1 million pre-recorded unsolicited calls were made in contravention of Regulation 19(1) and (2) of PECR. The ICO found that the calls were misleading as they implied a government connection. In addition, Oxygen Ltd did not identify the person sending/instigating the calls or provide the contact details required under Regulation 24 of PECR.
A copy of the monetary penalty notice can be found here.
Sirona Care and Health
Sirona Care and Health, a not-for-profit provider of health and social care services, has signed undertakings to comply with the seventh data protection principle (which relates to taking technical and organisational measures to protect personal data). An employee of Sirona Care and Health had accidentally sent an email containing sensitive personal data to a former service user after selecting their email address in error.
The ICO had previously expressed concerns that the organisation was unable to demonstrate that information governance training was given to employees annually. The undertakings include a requirement that Sirona Care and Health complies with the seventh data protection principle and in particular provides annual data protection training to relevant staff, reviews its policies in relation to email checking procedures and implements other security measures as appropriate to ensure that personal data is protected.
A copy of the undertaking can be found here.