Welcome to the September 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.
Coverage this month includes: GCHQ's plans to erect a 'Great British Firewall', an increase in the take-up of the EU/US Privacy Shield in the USA, the NAO's report on the Government's approach to UK data security and the decision of several national data protection regulators across the EU to scrutinise proposed data sharing arrangements between WhatsApp and Facebook.
In our cyber security section, we look at Yahoo's announcement of a 2014 data hack, the escalation of the WADA hacking scandal, the impact of Edward Snowden's leaks in the USA and the extradition of the alleged hacker Lauri Love to the USA.
We also provide our monthly overview of the most recent actions taken by the ICO, including a potential investigation into Virgin Trains following the rail operator's decision to release footage of Labour leader Jeremy Corbyn hunting for a seat last month, and the latest fines handed out by the ICO to businesses that have breached UK data privacy laws.
Take-up of the EU/US Privacy Shield increases in the USA
Since the scheme became effective on 1 August 2016, up to 200 U.S. companies, including Microsoft and Google, have now registered with the International Trade Administration of the U.S. Department of Commerce in order to self-certify that they are complying with the Privacy Shield framework agreement.
As reported in several previous bulletins (which you can read here and here), the Privacy Shield is the successor arrangement to the Safe Harbor scheme that had previously provided an exemption to the restrictions on personal data transfers between the EU and the USA.
The Privacy Shield was finally approved in July 2016, when the European Commission announced an adequacy decision in relation to the Privacy Shield, confirming that it provides sufficient protection for EU citizens' privacy rights. The Commission had earlier criticised the Privacy Shield for its "vague" treatment of mass surveillance, but these fears have now been assuaged after the text of the framework was improved by including limitations on the USA's ability to conduct indiscriminate collection of EU data held by US companies.
The future success of the framework is far from certain, however. In particular, the Article 29 Working Party (the EU body comprising representatives from each member state's data protection regulator) is yet to deliver its verdict on the system, having refused to endorse the proposed Privacy Shield agreement in April (read our April bulletin here). Moreover, some commentators remain nervous that Privacy Shield still does not do enough to prevent mass surveillance of personal data and are speculating that it will probably be invalidated by the CJEU before too long.
This notwithstanding, if self-certification continues at the present rate, it could take up to two years for the Privacy Shield to achieve the same level of coverage as that previously enjoyed by Safe Harbor.
The US Department of Commerce has set up a dedicated website here, which includes a list of certified organisations. As a reminder, the Privacy Shield is just one of various mechanisms for compliance with the restriction on personal data transfers to the United States and organisations can also use exemptions such as model contractual clauses or (for intra-group transfers) binding corporate rules, all of which were unaffected by the Safe Harbor ruling.
NAO report criticises the Government's approach to data security
The National Audit Office (NAO) has reported that there are "too many bodies" within the Government that have overlapping responsibilities for information security. In addition, the report found that the Government does not collect sufficiently clear information on the way in which it protects data, or on the costs involved in doing so.
The NAO further raised the following significant concerns:
- lack of a central body responsible for collating detailed figures on expenditure for data protection;
- an attitude in many departments whereby data protection was not given the same importance as other forms of governance;
- a failure to deliver promised costs savings in major projects relating to data protection; and
- a shortage of information security skills leading to "chaotic treatment" of personal data breaches and differences between departmental systems that rendered comparisons between different approaches "meaningless".
In total, the report found that nearly 9,000 data breaches had been recorded by the 17 biggest government departments in 2014/15. While most of these breaches were very minor (only 14 were reported to the Information Commissioner's Office), they occurred across the whole breadth of government, which is clearly a cause for some concern.
Although the NAO welcomed the creation of the National Cyber Security Centre (NCSC), which will be operational from October, it went on to warn that the Government needs to drastically improve its data protection systems if it hopes to avoid incurring considerable fines after the implementation of the EU's General Data Protection Regulation (GDPR) in May 2018.
You can read the full report here.
European Commission proposes new text and data mining exception
New proposals outlined by the European Commission recommend that a new mandatory text and data mining exception should be written into EU legislation, which would then need to be implemented into local laws by the member states.
In these proposals, the Commission defines text and data mining as "any automated analytical technique aiming to analyse text and data in digital form in order to generate information such as patterns, trends and correlations."
The proposed exception would allow research organisations to extract and reproduce text and data from information to which they currently have lawful access for research purposes. As such, universities and research institutes are among the organisations most likely to benefit from these developments.
Under the new proposals, holders of copyright would be prohibited from preventing text and data mining of their materials for the purposes of scientific research.
An exception allowing data and text mining of online journals for non-commercial scientific research already exists in the UK. The new exception will go further by applying to more varied source material, but it is as yet unclear whether it will allow for data to be used in the sort of commercial scientific research that is currently forbidden under existing legislation.
In light of the UK's impending exit from the EU it is not clear how much impact these proposals will actually have in the UK. However, it is possible that the UK Government will seek to implement similar changes to UK legislation if these proposals are seen to be successful in the EU.
The draft proposals can be found here.
Regulators scrutinise WhatsApp's data sharing with Facebook
The ICO has confirmed that it will investigate WhatsApp's proposal to share its users' data with Facebook. It added that while organisations do not need to get prior clearance from the ICO when they change their practices relating to data sharing, the ICO still has a responsibility to check on how such methods will impact consumers.
The new UK Information Commissioner, Elizabeth Denham, emphasised that part of her role is to ensure that companies are sufficiently transparent with consumers as to how their personal data is shared, and also to protect those consumers by ensuring that their rights are respected and the law obeyed.
The ICO's decision to investigate has been replicated across the EU, with the national data protection agencies of Belgium, France and Germany all seeking to scrutinise the nature of the messaging service's arrangements with Facebook.
In particular, the data protection regulator in Hamburg (the site of Facebook's German headquarters) has now ordered Facebook to cease collecting user data from the WhatsApp messenger app, and to delete any data that it has already received from this source.
This followed a ruling by Hamburg's Commissioner for Data Protection and Freedom of Information on 27 September 2016 that Facebook had not "obtained an effective approval from the WhatsApp users" to collect their data, and did not otherwise possess a legal basis for such data receiving activities.
Yahoo confirms theft from 500 million accounts
Yahoo has confirmed that information from at least 500 million accounts was stolen in an allegedly state-sponsored attack that occurred in 2014. The information stolen is thought to include names, addresses, telephone numbers and even unencrypted security questions and answers.
The security breach is speculated to be the largest ever in terms of the volume of accounts compromised, and it is now being investigated by the FBI.
In an attempt to limit the damage caused by the hack, Yahoo has been contacting all potentially affected users to recommend that they revisit their online security arrangements. In particular, Yahoo has been advising users to change any unencrypted security questions and answers as a precautionary measure.
The news comes at a particularly awkward time for Yahoo, as the company is currently in acquisition talks with Verizon. Industry analysts suggest that should the breach lead to a significant departure of Yahoo users then the company's sale price is likely to suffer dramatically as a result.
Many BT and Sky customers could also be at risk, as those two internet service providers have historically outsourced their webmail hosting service to Yahoo. Customers of both companies who are worried that they may be using Yahoo-based products have been advised to reset their passwords and update their security information accordingly.
WADA suffers cyber-security breach at hands of Russian hackers
Scandal has ensued after Russian cyber-espionage group Fancy Bears released a series of documents obtained from the World Anti-Doping Agency (WADA) after illegally hacking into the authority's Anti-Doping Administration and Management System database (ADAMS). The group gained access to ADAMS following a spear phishing attack against WADA launched earlier this year from an International Olympic Committee (IOC) account created for Rio 2016.
Fancy Bears have so far released a number of documents relating to several elite athletes in a variety of disciplines. These reveal that the athletes have been the subject of 'therapeutic use exemptions' (TUEs), which allow competitors to use otherwise banned substances for short periods of time. TUEs are typically given for medical reasons and as yet there is no suggestion that any of the athletes named has done anything illegal.
The hacking group, also known as Tsar Team (APT28), has been operating since 2008 and claims affiliation with Anonymous. Fancy Bears also claims to stand for 'fair play and clean sport'. The New York Times, however, has alleged that the group is actually associated with the GRU, Russia's primary military intelligence agency. At this stage there is no conclusive evidence to substantiate this claim.
This cyber-attack on WADA follows soon after an earlier incident in August this year in which Yuliya Stepanova's ADAMS database password was illegally obtained by hackers whose identity currently remains unknown. Stepanova had previously hit headlines after the athlete blew the whistle on Russia's alleged state-sponsored doping scheme.
GCHQ plans 'Great British Firewall' to protect UK against hackers
GCHQ, the UK's signals intelligence agency, is currently in the planning stages of developing an automated defence tool to guard the country against future cyberattacks. The tool has been nicknamed the 'Great British Firewall' due to its supposed similarity with the pre-existing 'Great Firewall of China'.
The Great British Firewall would function in much the same way as the type of firewalls that are utilised by most business and domestic computer users, but on a much larger scale. In this way it would act as a filter, preventing internet traffic deemed to be either harmful or undesirable from entering the UK.
The Firewall could be used to block connection requests from untrustworthy sources, including web addresses thought to be used by state-sponsored hackers and cyber-criminals, and it could also be used to block the entry of suspicious files thought to contain viruses or other malware.
Similarities between GCHQ's planned system and the current Chinese firewall can be overstated, however. Whereas the Chinese Firewall encompasses the entire country mandatorily, the Great British Firewall as planned would primarily be a voluntary system. Whilst it is thought that government agencies would automatically sit behind the firewall, British companies and members of the public would need to opt in before they are protected by the British system.
GCHQ has not yet announced anything more than rudimentary details about the project.
US Congress issues report on damage caused by Edward Snowden
Former National Security Agency (NSA) contractor Edward Snowden has been roundly condemned in the findings of a two-year Congressional investigation published on 15 September 2016.
The report emphasised the "tremendous damage to national security" that his activity had caused, while highlighting the "falsehoods, exaggerations and crucial omissions" which it claimed were rife throughout the 'public narrative' created by Snowden and his associates.
The Committee responsible for the report further added that the majority of the 1.5 million documents leaked by Snowden had nothing to do with the NSA's surveillance programmes, but rather related to the "military, defence and intelligence programmes of great interest to America's adversaries". As a result, the report claimed that Snowden had actually infringed the privacy of government employees and had stolen his colleague's security credentials.
Snowden's legal representatives have challenged these findings and have asserted that there is still "no credible evidence" that Snowden's disclosures have caused any actual harm. Instead they emphasise the fact that his leaks led to the NSA discontinuing the programme which allowed it to store the phone numbers dialled by US telephone users.
Court approves extradition of alleged hacker to the USA
Alleged hacker Lauri Love is set to be extradited to the USA after Westminster Magistrates' Court approved his extradition earlier this month.
Self-styled computer activist Love is charged with several counts of computer misuse and conspiracy in the United States, while all charges against him in the UK have since been dropped.
It is alleged that Love worked with several others to conduct numerous cyber-attacks against the US government and multiple corporate organisations in 2012/13. The court heard that Love exploited vulnerabilities in Adobe ColdFusion and used SQL injection to steal and disseminate identifiable personal information, including credit card information.
Love's legal representatives sought to resist extradition on the basis of his significant problems with his mental and physical health, including Asperger's syndrome and chronic eczema. The presiding judge rejected these arguments, ruling that the US prison system was capable of managing Love's physical and mental health.
ICO issues £100,000 in fines
Separate investigations into two different companies (Omega Marketing Services Ltd and Vincent Bond Ltd) that were triggered by complaints about nuisance marketing have this month resulted in fines totalling £100,000.
Omega Marketing Services Ltd was found to have made over 1.6 million nuisance calls to people registered on the Telephone Preference Service (TPS), who had therefore not given permission to be contacted in this way.
Vincent Bond Ltd had similarly sent over 340,000 spam text messages to people who had not agreed to receive them. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) state that organisations may only send marketing text messages to individuals who have agreed to receive them, unless there is a clearly defined relationship. Vincent Bond Ltd was in breach of this law.
Carfinance247 Limited fine
Carfinance247 Limited has been issued with a £30,000 monetary penalty notice by the ICO.
The action follows an investigation which found that the company had used a public telecommunications service in order to send a total of roughly 65,000 direct marketing text messages to consumers who had not agreed to receive them. Carfinance247 Limited had therefore committed a serious breach of Regulation 22 of the PECR, which prohibits persons and companies from transmitting, or instigating the transmission of, unsolicited electronic communications (including SMS messages) for the purposes of direct marketing without the recipient's consent.
ICO considering investigation into leak of Corbyn CCTV footage by Virgin Trains
The ICO is reportedly considering launching an investigation into Virgin Trains following the rail operator's decision to release footage of Labour leader Jeremy Corbyn hunting for a seat last month.
Officials from the ICO are currently considering whether Virgin is likely to have broken any provisions of the Data Protection Act by revealing such footage.
According to the ICO's CCTV code of practice, any disclosure of footage captured by CCTV needs to be "consistent with the purpose for which the system was established". The Code goes on to warn that releasing footage of identifiable individuals is unlikely to be appropriate.