27 Aug 2015

Data Protection update - August 2015


Welcome to the August 2015 edition of our Data Protection update, our monthly bulletin on key developments in data protection law.

In this issue, we outline the Supreme Court’s ruling to grant part permission to appeal the Google v Vidal-Hall decision. We also consider a recent decision of the High Court to refuse to order compliance with a subject access request. We also outline an interesting exception in the new Consumer Rights Act 2015 that allows personal data to be shared in exchange for digital content without the application of consumer rights rules.

We provide an update on legal developments elsewhere in the world; outlining recent fines imposed by a German privacy watchdog and considering Google’s failure to comply with the French data protection authority’s (CNIL) demand to implement the “right to be forgotten” worldwide. We also report on a recent fine imposed by the Government’s Claims Management Regulator (CMR), one of the bodies attempting to tackle the issue of nuisance calls alongside the ICO, Ofcom and the Direct Marketing Association.

In our cybersecurity section, we review the ongoing data threats to customers following the recent hack of infidelity dating site, Ashley Madison. We also outline the warning given to other dating sites by the CNIL to improve their inadequate security and privacy policies. We look at a recent US decision finding that the Federal Trade Commission (FTC) has broad cybersecurity enforcement authority and consider a recent hack of Carphone Warehouse affecting 2.4 million customers.

Finally, we continue to keep you up to date with the latest enforcement activity of the ICO.

Part permission granted to appeal Google v Vidal-Hall

The Supreme Court has granted part permission to Google to appeal the Court of Appeal’s decision in the Google v Vidal-Hall case relating to a dispute over the use of information collected through cookies via the Apple Safari browser. The initial claim related to the fact that Google collected private information about users’ internet usage without their knowledge or consent via the use of cookies. This information allowed Google to pass on such information to its advertisers, who in turn were able to select and display targeted advertisements tailored to the users’ interests. It was claimed that these advertisements revealed private information which may have been seen by third parties when displayed on the users’ computer devices.

As set out in our April bulletin, the Court of Appeal ruled that misuse of private information is a tort, and gave a wide interpretation to the meaning of “damage” in section 13(2) of the DPA to entitle a claimant to receive compensation for a contravention by a data controller that caused an emotional impact on the claimant, such as anxiety or distress, without the need to show financial loss.

Google applied to the Supreme Court for permission to appeal on three grounds, questioning whether the Court of Appeal was right to: (i) hold that a claim for misuse of private information was a claim in tort for the purposes of rules relating to service out of the jurisdiction; (ii) hold that section 13(2) of the DPA was incompatible with Article 23 of the Directive (“any person who has suffered damage as a result of an unlawful processing operation […] is entitled to receive compensation from the controller for the damage suffered”.); and (iii) disapply section 13(2) of the DPA on the grounds that it conflicts with Articles 7 (right to private and family life) and 8 (right to protection of personal data) of the EU Charter of Fundamental Rights.

The Supreme Court has refused permission to appeal on the first ground, but ordered that permission to appeal be granted on “all other grounds”. 

High Court refuses to order compliance with a subject access request

The High Court has refused a court application under section 7(9) of the Data Protection Act 1998 (DPA) to order compliance with the Claimant’s subject access requests (SARs), as the requests were found to fall within the scope of section 8(2) of the DPA, under which a data controller need not supply information where doing so would “involve disproportionate effort”. On the Claimant’s application alleging that the data controller (a firm of solicitors) had breached the DPA by failing to comply with the SARs, the High Court held instead that it was not reasonable or proportionate for a firm of solicitors to carry out lengthy and costly searches of files dating back at least 30 years, in order to determine whether or not information was protected by legal professional privilege, in order to comply with the SARs.

The court considered that Schedule 7 of the DPA, relating to the exemption for information subject to legal professional privilege, should not be interpreted as a way to allow claimants to obtain documents which may assist them in litigation of complaints against third parties, nor should this be the objective of a court application. It was considered that the Claimant’s real purpose was to obtain information to use in litigation proceedings and there was a lack of evidence as to any other motive for the SAR (i.e. there was no suggestion that the claimant simply wanted to check the accuracy of the personal information held).

This case provides a useful interpretation of the “disproportionate effort” exemption, and is notable for its application of the exemption to the search itself, rather than the obligation to provide copies in an “intelligible form” (as it has narrowly been applied by the ICO) as well as its examination of the purposes behind the request (which again is not normally deemed by regulators to be a relevant consideration). The case has, however, been appealed and will now be considered by the Court of Appeal.

No consumer rights for personal data exchange

According to the Competition and Markets Authority (CMA), new UK consumer protection laws, which will come into force on 1 October 2015 under the Consumer Rights Act 2015 (Act), will not apply to businesses selling or licensing digital content in circumstances where consumers exchange access to their personal data, rather than money, in return for that content.

Instead the Act will only apply if consumers have directly or indirectly paid with money, including virtual currency, or if the content has been supplied for free in conjunction with something else which has been paid for. An example of this personal data exchange would be providing personal details to an internet service provider to gain access to “free” Wi-Fi. The only exception to this is in the event that damage has been caused by the digital content supplied. All agreements between digital content suppliers and consumers must still, however, abide by the fairness and transparency rules under the Act, as well as data privacy rules, even if the consumers will not benefit from the other rights and remedies under the Act.

Fines issued by German privacy watchdog

The Bavarian data protection authority has fined two companies for their failure to adhere to data protection laws when they entered into an agreement for the transfer of ownership of customer data to other businesses. Liquidators have since been warned that they cannot sell off customer data held by insolvent companies they manage in the same way as they dispose of other commercial assets; they must ensure that they have customers’ consent to the transfer of their data between companies, or that customers have at least been given the right to object to a planned data transfer arrangement. In the two instances, compliance issues were triggered because the data included contact information and account and payment card details of individual customers. The information trade resulted in complaints being made by customers about unsolicited marketing communications they subsequently received. The Bavarian data protection authority has reiterated that any business acquiring customer email addresses and phone numbers and planning to use the information for advertising purposes needs the “express consent” of consumers to do so, to avoid breaching German data protection and unfair competition laws and facing fines of up to €300,000.

Google rejects CNIL calls to extend 'right to be forgotten' globally

In our June bulletin, we reported that the CNIL had given Google Inc. 15 days in which to comply with their demand to extend Europe’s ‘right to be forgotten’ globally. The company announced at the end of July that they would not comply with the order, stating in a written announcement that it “respectfully disagree[s] with the CNIL’s assertion of global authority on this issue”. The CNIL has indicated that it would examine Google’s appeal and decide whether to accept it within two months. Since the 2014 ruling by the European Court of Justice, Google has evaluated and processed over 250,000 requests to delist links to more than one million web pages. We will keep you updated on developments.

CMR action

This month the CMR, the unit of the Ministry of Justice that regulates companies offering services for compensation claims (e.g. personal injury, mis-sold financial products), decided to impose a financial penalty of £220,000 on Aurangzeb Iqbal’s claims management company, The Hearing Clinic. This decision followed hundreds of complaints from members of the public receiving cold calls about claims for Noise Induced Hearing Loss, including individuals subscribed to the Telephone Preference Service (TPS) to opt out of such calls, which breached the Conduct of Authorised Persons Rules 2014. The fine is the first to be issued by the CMR since the laws were changed in December 2014 to permit fines of up to 20% of a company’s annual turnover.

Cybersecurity

Ashley Madison hack

Since a group of hackers, calling themselves Impact Team, stole personal information from online cheating site Ashley Madison, they have continued to act on their threats to release user details taken from the company’s compromised databases, source code repositories, financial records and email systems. The hackers have been releasing large caches of data in response to the site’s failure to delete customer details, for not closing down the site “immediately and permanently”, and more recently in apparent retaliation for the CEO’s public statement that refused to confirm the authenticity of the initial data release.

Ashley Madison is attempting to prevent further dissemination of its stolen data by sending copyright takedown notices to social networks and file-sharing websites, and it has had some success in removing links from Twitter, Facebook and Reddit. However, as the main data leak is hosted on Tor, which is an anonymous browsing service accessed via an encrypted connection and routed through third parties to obscure the website’s address, it is proving difficult for Ashley Madison to use the legal system to take down the main data dump.

There are various significant implications linked to this data breach, including concerns of financial blackmail of Ashley Madison and its customers and reselling of personal data to third parties, as well as more personal implications relating to the reputation, and fidelity, of its users, who include high profile individuals. The breach has triggered an investigation by the US armed forces into the thousands of .mil email addresses used to sign up for Ashley Madison accounts. Adultery in the US military is a prosecutable offence.

If the ICO finds that Ashley Madison failed to take “appropriate measures” to prevent this type of breach, it could be fined up to £500,000.

French Dating Sites warned

In a public statement, the CNIL has criticised 13 French dating sites for inadequate practices relating to the collection and processing of information. Recognising the large number of users and the sensitivity of the data provided (with the majority of sites offering targeted searches by social community, ethnic or religious group, geographical location, personal appearance, political opinion etc.) the CNIL decided to add dating sites to its 2014 programme of inspection.

In all of the 13 sites reviewed (Meetic, Attractive World, Adopte un mec, Easyflirt, Rencontre obèse, Destidyll, Forcegay, Mektoube, Jdream, Feujworld, Marmite love, Gauche rencontre and Celibest) a number of failures to meet French data protection law were noted. These included not correctly or adequately informing users of their rights regarding access, deletion or processing of their data or the sites’ use of cookies; failing to obtain explicit consent for the collection of sensitive data; and failing to delete data relating to members who had requested to unsubscribe from the site, or had not used their account for a long time. Some sites were also found to not be using standard encryption.

The eight organisations responsible for the 13 sites have been ordered to improve their data protection practices. The CNIL emphasised the importance of making users aware of the processing of their intimate personal details, proposing the use of a simple ‘opt in’ check-box for users to consent to the use of their sensitive data. If the companies comply within 3 months, they will avoid future fines and sanctions.

Decision confirms FTC authority to police cybersecurity practices

The United States Third Circuit Court of Appeals, in the case of Federal Trade Commission (FTC) v Wyndham Worldwide Corporation (WWC), has ruled that the FTC has broad power to take action against WWC for failing to employ reasonable data security practices.

In 2008 and 2009, 619,000 customer records were stolen from WWC in three successful cyber-attacks on the hotel and resort chain’s computer networks, leading to over $10.6 million in fraudulent charges. As a result, the FTC took WWC to federal court, contending that WWC had failed to maintain reasonable data security standards and that its cybersecurity practices were “unfair and deceptive trade practices”. The FTC alleged that WWC had failed to maintain an inventory of the computers connected to its network and had failed to conduct security investigations to detect unauthorised access, which “unreasonably and unnecessarily” exposed customer data to unauthorised access and theft.

On appeal by WWC, the Third Circuit Court of Appeals in Philadelphia affirmed the district court’s ruling that the FTC has the authority to regulate data security practices, pursuant to the “unfairness” limb of Section 5 of the FTC Act. This is the first decision of the Court of Appeals to find that the FTC has broad cybersecurity enforcement authority to hold companies accountable for failing to safeguard customer data. It is considered that this ruling will make it easier for the FTC to commence additional enforcement actions against companies failing to take adequate steps to protect consumer data.

Carphone Warehouse Hack

Carphone Warehouse has reported that its computer systems have suffered a cyber-attack that has put customers’ personal data at risk. The affected part of Carphone Warehouse operates the OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk websites, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers. Carphone Warehouse indicated that the names, addresses, dates of birth and bank details of up to 2.4 million customers may have been accessed and encrypted credit card data of up to 90,000 customers may also have been breached.

ICO activity

Enforcement

  • The ICO has issued a £180,000 civil monetary penalty to nationwide money lender The Money Shop after the company lost two computer servers, in separate incidents, containing employee details and customer records of several thousand customers. Neither server had sufficient encryption for the company to be confident that the information it contained could not be accessed.


  • Point One Marketing Ltd, which trades as ‘Stop the Calls’ and claimed to run a service that stopped people receiving nuisance calls, has been fined £50,000 for breaching the Privacy and Electronic Communications Regulations, after the ICO found it was actually responsible for large numbers of nuisance calls. The company marketed a call blocking device for phones, as well as a service that removes people from a cold call database, but an ICO investigation found that the company marketed its own services through aggressive cold calling.


Right to be forgotten

  • On 18 August 2015 the ICO issued an enforcement notice to Google Inc. ordering the removal of nine search results, returned when searching an individual’s name, that link to information about that individual which is considered no longer relevant. The links must be removed from search results within 35 days.

    The links are to web pages that include details of a minor criminal offence committed by the individual almost ten years ago. Google had previously removed links relating to the criminal offence following a request from the individual, but when the request for such removal became a news story itself, details of the original criminal offence were repeated. These new results were displayed when searching for the individual’s name on Google. Google Inc. refused the complainant’s initial request for these new links to be removed on the grounds that the articles were an essential part of a recent news story relating to a matter of significant public importance (i.e. the ‘right to be forgotten’). The ICO ruling recognises that whilst news articles relating to decisions to delist search results may be in the public interest, this does not justify including links to the affected individual’s name, which caused a “disproportionately negative impact on the complainant’s privacy” and contravened the first and third data protection principles.



KEY CONTACT


Jonathan Kirsop
Partner
