03 Apr 2015

Data Protection update - April 2015

Linkedin
Welcome to the April 2015 edition of our Data Protection update, our monthly bulletin on key developments in data protection law.

In this issue, we outline the progress made for EU Data Protection reform, as a consolidated draft of the document that will form the basis of the final text of the Data Protection Regulation is released, together with the latest draft of the Data Protection “law enforcement” Directive.

We also summarise an important clarification by the Court of Appeal in the case of Google Inc. v Vidal Hall in relation to the misuse of private information. We look at the decision of the Supreme Court to require the release of letters written by Prince Charles to various government ministers. We also comment on the French Data Protection Authority’s recent steps to simplify authorisation requirements for transfers of data outside the EU.

In our cyber security section, we consider the US Treasury secretary’s recent call on the Chinese government to suspend its new cyber security rules. We also outline the key principles behind the new cyber security guide for business published by the International Chamber of Commerce (ICC).

Finally, we continue to keep you up to date with the latest enforcement activity of the ICO, as well as detailing a recently rejected appeal by the First-tier Information Rights Tribunal against an ICO civil monetary penalty.

Do let us know if you have any feedback or suggestions for future editions.

Progress on EU Data Protection Reform

The first draft of the document that will form the basis of the final text of the Data Protection Regulation has been released. In the form of a table, the document shows the original text of the Regulation as proposed by the European Commission, and the versions that the European Parliament has and the European Council is likely to recommend. It is understood that the European Council is pushing to reach final agreement on its position by 15th June 2015. The latest draft of the Directive was also released on 14 April 2015, showing the most recent changes to the original Commission proposal.

Read more on the Regulation here

 

Google Inc. v Vidal Hall

The Court of Appeal made an important ruling last month, (i) confirming that misuse of private information is a tort, (ii) clarifying the interpretation of clause 13 of the Data Protection Act 1988 (DPA), and (iii) demonstrating that it is clearly arguable that “browser generated information” collected via cookies could constitute personal data.

Clause 13 provides that an individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for special purposes.

In this case, the meaning of “damage” was interpreted so that compensation can be recovered solely for an emotional impact on the claimant, such as anxiety or distress. Financial loss no longer needs to be shown for a compensation claim to be sought by a Claimant having suffered “distress” alone.

Read the full judgment here

 

Release of Black Spider Memos

The Supreme Court has ruled, by a 5 to 2 majority, that letters written by Prince Charles to various government ministers, the so-called “black spider memos” should be made public, and the previous decision to veto their release was unlawful.

The Supreme Court has ruled that the letters, dated between September 2004 and April 2005 should be disclosed by seven government departments.

The letters were requested in April 2005 by the Guardian newspaper under the Freedom of Information Act. The government refused to disclose them and the newspaper has been involved in a 10-year legal fight to force their release. The Supreme Court found that the government acted unlawfully in blocking the disclosure of the letters.

The letters may not be published for a number of weeks because the Supreme Court will first have to make an order and the case will have to go back to the Upper Tribunal to determine what details included in the correspondence can now be released.

Read the full judgment here

 

French Data Protection Authority (CNIL)

At the end of last month, the CNIL published a press release indicating that it will be simplifying the data transfer notification formalities for companies that have adopted Binding Corporate Rules (BCRs) for intra-group transfers of personal data. The CNIL promises to deliver a “single decision” (autorisation unique) relating to transfers of data outside the EU to each group company that has adopted BCRs. Such single decision means that separate group entities, subject to compliance with the French Data Protection Act, no longer need to apply to the CNIL for each transfer of data from France outside the EU when governed by BCRs. Instead they just need to fill in a “compliance commitment” on the CNIL's website.

More than sixty multinational organisations that have adopted BCRs will be contacted by the CNIL's services within the next weeks in order to define the content of their respective authorisations.

Read the CNIL press release here

 

Cybersecurity

China Cyber Security

Following our report in the February 2015 bulletin that US business groups had written to Chinese Government officials to request that the implementation of new cyber security rules be delayed, the US Treasury secretary has now spoken to Beijing officials about Washington’s concerns. The US Treasury secretary is reported to have said that “it would be a significant barrier to US companies doing business in China if they were to go ahead with the proposals pending”. The regulations, which have begun to be implemented, include steps that will force commercial banks to buy IT equipment deemed “secure and controllable” by Beijing.

Chinese government officials deny that they are targeting foreign companies deliberately and have argued that all countries have the right to ensure their cyber security.

Cyber Security Guide for Business

The International Chamber of Commerce has launched a new cyber security guide to help companies of all sizes manage their approach to cyber security and mitigate threats posed by cybercrime.

The guide outlines how businesses can optimise their ability to identify and manage evolving cyber security risks, adopting a pragmatic and accessible approach to the issues and setting out five key principles:

  • “Focus on the information, not on the technology”
  • “Make resilience a mind-set”
  • “Prepare to Respond”
  • “Demonstrate a leadership commitment”
  • “Act on your vision”

The advice also focuses on six essential actions to optimise cyber security systems: backing up information, keeping IT systems up to date, training staff on security issues, monitoring for security breaches, layering security defences to reduce risk, and making contingency plans to deal with breaches.

Click here for the guide

 

ICO activity

Enforcement

  • The ICO has fined the Serious Fraud Office (SFO) £180,000 after a witness was mistakenly sent evidence relating to 64 other people involved in the case. Following the conclusion of an investigation into serious fraud, bribery and corruption in February 2010 at BAE Systems, the SFO has been working to return 11,000 bags of evidential data collected from witnesses and participants to their respective owners. However, inadequate organisational measures lead to 407 evidence bags containing information about third parties being erroneously sent to a witness. The ICO considered this to be a very serious contravention of the seventh Data Protection Principle, particularly in light of the SFO’s failure to put appropriate security measures in place.
  • A company called Direct Assist Ltd, which offered access to solicitors for personal injury insurance claims, has been issued with an £80,000 penalty by the ICO for making direct marketing calls to people without their consent. Between January 2013 and July 2014, the ICO and the Telephone Preference Service (TPS) registered 801 complaints about the company. The company had no formal staff policies and procedures to ensure compliance with the Privacy and Electronic Communication Regulations (PECR) and intentionally contacted numbers registered with the TPS. One household reported being called 470 times by the company. Following service of the final notice by the ICO on the company, and at the request of HMRC, Direct Assist has now gone into liquidation. The ICO intends to register as an unsecured creditor in an attempt to obtain the fine.

Rejected appeal

  • On 13 April 2015 the First-tier Information Rights Tribunal rejected an appeal by Reactiv Media Limited against a £50,000 civil monetary penalty issued by the ICO in 2014, and increased the penalty to £75,000. The fine was issued as a result of unsolicited marketing calls made by Reactiv Media Limited, resulting in the ICO and the Telephone Preference Service receiving almost 600 complaints in total. The Tribunal concluded that evidence showed "a culture of denial and minimisation of the breach, weak governance of the company and a tendency to blame others rather than accept responsibility". Due to these aggravating factors, and awareness of the growing turnover of Reactiv Media Limited, the Tribunal concluded that a larger penalty was more appropriate.

    Read decision here
Linkedin

KEY CONTACT

Jonathan Kirsop

Jonathan Kirsop
Partner

T:  +44 20 7809 2121 M:  +44 7554 403 022 Email Jonathan | Vcard Office:  London