Welcome to the November 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.
Stephenson Harwood has issued a short overview of the EU General Data Protection Regulation including information on the key changes, the effect of Brexit on its application in the UK and steps organisations should be taking now to prepare for implementation in May 2018. Click here to find out more.
The Investigatory Powers Bill, also known as the 'Snoopers' Charter' (the Bill), was passed earlier this month by both Houses of Parliament. The Bill will take full legal effect once it receives royal assent and is codified into law. It is expected to become law before the end of the year.
The Bill was originally introduced by Theresa May while still in her previous position as Home Secretary and has faced several serious objections during its passage through Parliament. It introduces sweeping surveillance powers and will grant the Government unprecedented legal powers that will allow it to intercept the communications of millions of ordinary citizens. The Bill also enjoys extra-territorial effect, as foreign-based companies with UK-based consumers will be forced to comply with the new law even if their domestic laws conflict.
The Bill imposes a potentially onerous new obligation on internet and telephone companies by requiring them to retain bulk records of all users for up to a year, and requires such companies to maintain an "encrypted back door" into their services. The Government will be able to require that relevant records are decrypted and handed over upon request. UK intelligence agencies will also be able to hack into computer devices outside the UK provided that they have received a special warrant approved by both the Home Secretary and an independent judge.
The Bill makes provision for judicial oversight in the shape of the Investigatory Powers Commission. This body will feature judicial commissioners who will be required to oversee warrants given in relation to, for example, the interception of communications or the coercion of internet companies. Warrants will only be needed in certain circumstances, however, and certain public bodies (including the Police, HMRC and the NHS) will typically be able to access personal data without the need for one.
We will keep you updated on the upcoming entry of this Bill into law.
Two legal challenges have been lodged in the Court of Justice of the European Union (CJEU) against the EU-US Privacy Shield by separate data rights activist groups within the EU. Digital Rights Ireland, an Irish activist organisation, and La Quadrature du Net, a data privacy group based in France, have both filed challenges in the General Court of the EU in an attempt to annul the Privacy Shield framework.
These challenges are based on their belief that the EU-US Privacy Shield does not provide sufficient guarantees to ensure adequate data protection. In particular, Digital Rights Ireland has stated that the self-certification scheme still does not do enough to prevent mass and indiscriminate monitoring of EU citizens' personal data by U.S. government agencies, including primarily the NSA.
EU data protection agencies have already expressed some concerns about the adequacy of the provisions within the Privacy Shield network but have indicated that they will allow the regime to operate for at least a year before entertaining any challenges to data transfers undertaken in line with the scheme. Officials at the EU Commission and within the U.S. Department of Commerce have reaffirmed their confidence in the Privacy Shield system, and have also expressed doubt over whether the two activist groups have sufficient standing to bring the challenges in the first place. If the CJEU finds that Privacy Shield is not a "direct concern" to either of the groups it will be able to dismiss the challenges without hearing them. If the cases do go ahead it is considered unlikely that a decision will be reached by the CJEU within a year in any case.
Please see our July update for more information on the EU-US Privacy Shield.
The data transfer arrangements of up to 500 businesses currently operating in 10 regions around Germany are to be placed under greater scrutiny as part of a new audit exercise co-ordinated by the data protection commissioner for Berlin. The businesses selected to take part in the audit will be chosen to represent different sizes and different sectors. In-depth investigations may be carried out into specific companies as a result of the findings.
The review will focus on the arrangements that the selected businesses have in place for transferring data outside of the European Economic Area. The data protection commissioner for Berlin has announced that the purpose of the review is to "increase the sensitivity of the companies" to the requirements that apply to such transfers.
The news follows widespread uncertainty across the EU after the invalidation of the EU-US Safe Harbor scheme in October 2015 by the CJEU (please see our October 2015 update for more details), and subsequent challenges to the model-clause and Privacy Shield frameworks (see above).
Facebook has agreed to halt its use of data belonging to EU-based WhatsApp users for marketing purposes. However, it will continue to use such data to combat spam messaging, and data sharing between Facebook and WhatsApp will continue as before. Since the announcement of the sharing scheme earlier this year, Facebook has been the subject of investigations by four national data protection authorities.
This move follows an earlier decision by the company to pause its use of UK-based users' personal data for advertising purposes after the ICO announced that it was investigating arrangements between Facebook and WhatsApp. The ICO has now also asked the two organisations to enter into an undertaking that commits them to giving fuller explanations to users as to how their data is used.
Please see our September update for more information on the EU-wide investigations into Facebook data sharing arrangements with WhatsApp.
The Hague Administrative Court in the Netherlands has upheld a decision by the Dutch Data Protection Authority that WhatsApp has breached its obligations under the Dutch Data Protection Act (Dutch DPA) by failing to appoint a data protection representative within the country, even though WhatsApp has no offices or staff in the Netherlands. As a result of the ruling WhatsApp now faces a fine of €10,000 per day, up to a maximum of €1,000,000, until it remedies the situation by appointing a legally responsible representative in the Netherlands.
The Dutch DPA requires all companies based outside the European Union (EU) that process the personal data of EU citizens in the Netherlands to appoint a legally responsible representative in the country. The Dutch authority issued WhatsApp with an order requiring it to appoint such a representative in 2014 but the American company has so far failed to do so.
The question of whether WhatsApp processes personal data in the Netherlands appears in this instance to have been satisfied by the argument that the processing of personal data of Dutch data subjects takes place in the jurisdiction in which the smartphones, on which the app is located, are being used.
This rationale aligns with the wider territorial scope of the EU General Data Protection Regulation (GDPR) which extends the obligation to designate a representative in an EU territory where the processing activities are related "to the offering of goods or services" directed at data subjects in the EU. Under the current Data Protection Directive (95/45/EC) (from which the Dutch DPA derives), organisations targeting data subjects only have to comply with EU rules if they also make use of “equipment” in the EU territory to process personal data. It therefore appears that the courts have started to interpret current legal requirements in light of the GDPR, despite it not taking direct effect in the EU until 25 May 2018.
One argument WhatsApp used for not appointing a representative was that it was unable to find anyone willing to accept this liability on their behalf. The Dutch court rejected this argument on the basis that WhatsApp should have been able to conclude an agreement under which it would accept all monetary fines and penalties for breaching the Act. Unlike other EU data protection laws, the right to impose fines directly on representatives is included in the Dutch DPA. However, the court's decision again appears to indicate a trend of the courts to reflect GDPR principles (albeit only set out in a recital, the GDPR provides that enforcement action can be taken directly against a representative).
The Moscow city court has upheld a decision to ban the professional networking site LinkedIn from operating within Russia. The decision follows a dispute relating to the storing of Russian users' personal data by LinkedIn.
Since 2014 it has been mandatory for all foreign internet companies operating in Russia to store the personal data of all Russian users on servers based within the country. Most companies affected by the law have indicated that they intend to abide by the law, but some such as Facebook and Twitter are reportedly hesitating to do so.
In order to comply with the law LinkedIn would need to relocate its local storage to Russian territory and would also be required to install "automatic backdoors" for the Russian secret services to access their records. It is not yet clear whether such potentially invasive changes will be accepted by LinkedIn.
The Government has decided to keep the ICO as a single commissioner agency for the time being. This is despite recommendations contained in the Triennial Review published on 8 November 2016 that the ICO should be restructured as a multi-member commission in an effort to encourage accountability and breadth in decision making.
The ICO has stated that it is already working on an internal governance structure that will lead to responsibility for day-to-day decision making being shared around the wider leadership team. This structure will include a new General Counsel position.
The Triennial Review was conducted by the ALB Governance Division within the Ministry of Justice and also recommended that any new structures adopted by the ICO should "incentivise data protection compliance amongst organisations, with the greatest financial burden falling on those organisations which cost the ICO the most to regulate."
Three Mobile, one of Britain's biggest mobile phone companies, has admitted that hackers have successfully accessed its customer upgrade database this month in a breach that resulted in the personal data of over 130,000 customers being put at risk.
The hack occurred after an employee login was utilised in order to unlawfully enter the database and obtain the names, phone numbers, addresses and dates of birth of many thousands of Three Mobile's UK customers. This information was used by the hackers to upgrade customer accounts, fraudulently order new phones and then intercept them before they were successfully delivered to the genuine customers.
Customers who may have been affected by the hack are being informed but it is believed that, while personal information has been accessed, no financial information was stolen. Three arrests have now been made and the National Crime Agency is currently leading the investigation into the breach.
Tesco Bank has frozen transactions following the admission that approximately 40,000 accounts have been affected by an online breach.
The cyber-heist is one of the biggest of its kind ever to occur in the UK and over 20,000 Tesco Bank customers targeted by the hackers have had money stolen through the breach. The Bank has pledged to refund all losses to every account holder affected by the attack. However, the ICO, National Crime Agency and the Financial Conduct Authority are all now investigating the security practices of Tesco Bank and questions have also been raised in Parliament by MPs who have demanded an explanation as to what went wrong.
The ICO has issued Nouveau Finance Limited with an enforcement notice and a fine of £70,000 for the sending of over 2.2 million unsolicited marketing e-mails between August 2015 and January 2016. The ICO also ruled that Nouveau Finance Limited had breached the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") by failing to include the required particulars of the company in the communications.
Click here to read the enforcement notice.
The ICO has fined an unnamed historical society £500 after a laptop containing sensitive personal data was stolen from a member of staff who was working away from the office. The laptop was not encrypted and contained the personal information of patrons who had donated historical artefacts to the society. The ICO also found that the society had breached its data protection obligations by failing to have any policies in place relating to working from home, encryption of data, or mobile devices. The size of the fine was limited by the specific financial circumstances affecting the historical society, but the ICO stated that the penalty would typically be much greater for most other organisations.
The ICO has fined Assist Law £30,000 for making unsolicited calls for over a year to people registered on the Telephone Preference Service (TPS). Over 100 complaints were made by the recipients of these calls, prompting the investigatory action by the ICO. Assist Law used contact information obtained from a third party who claimed that it had obtained the consent of those on its list for marketing.
The Government has also recently announced plans to allow the ICO to issue fines of up to £500,000 for company directors involved in the leadership of nuisance marketing campaigns. This will be achieved by an amendment to PECR that is due to take effect from Spring 2017.