06 Jul 2015

Data Protection update - July 2015


Welcome to the July 2015 edition of our Data Protection update, our monthly bulletin on key developments in data protection law.

In this issue, we outline details of an intended review of the Freedom of Information Act, and consider the recent High Court ruling that the Data Retention and Investigatory Powers Act 2014 (Dripa) is unlawful.

We provide an update on the new German IT Security Act and analyse leaked data relating to Google requests made under the “right to be forgotten”. We also outline a recent decision to jail a Morrisons employee for eight years for leaking personal data.

In our cybersecurity section, we outline the current status of the proposed Network and Information Security Directive (NISD). We also review the impact of last month’s major data breach affecting the U.S. Government, as well as further recent hacks of a cybersecurity firm and of the infidelity dating site Ashley Madison, considering the data protection implications for its users.

Finally, we continue to keep you up to date with the latest enforcement activity of the ICO, which also published its 2014/2015 annual report this month.

Do let us know if you have any feedback or suggestions for future editions.

Review of Freedom of Information Act

The Cabinet Office has announced details of an intended cross-party commission to review the Freedom of Information Act, with findings to be published by the end of November. After more than a decade in operation the Act will be reviewed to make sure the processes continue to work effectively. As part of their review, the Cabinet Office will consider “whether there is an appropriate public interest balance between transparency, accountability and the need for sensitive information to have robust protection”, and “whether the operation of the Act adequately recognises the need for a ‘safe space’ for policy development and implementation”.

Dripa legislation found to be unlawful

A judicial challenge brought by Labour MP Tom Watson and Conservative MP David Davis has been upheld by the High Court, which has found the Data Retention and Investigatory Powers Act 2014 (Dripa) to be unlawful. The emergency surveillance legislation, which was introduced by the coalition government, and received royal assent last year, was ruled to be inconsistent with EU law. The Government must now pass new legislation to come into effect by the end of March 2016. Judges identified two key problems with the law:

  1. There is no definition of what constitutes “serious offences” in relation to which material can be investigated; and
  2. It does not provide for independent court or judicial scrutiny to ensure that only data deemed “strictly necessary” is examined.

The Home Office security minister has indicated that the decision will be appealed, but human rights groups welcomed the decision as providing the opportunity to introduce an effective surveillance law that is compatible with human rights. The judicial challenge argued that the legislation was incompatible with article 8 of the European Convention on Human Rights (the right to respect for private and family life) and articles 7 and 8 of the EU Charter of Fundamental Rights (respect for private and family life and protection of personal data).

German IT Security Law

On 10 July 2015, the new German IT Security Act was approved by the German Federal Council, requiring over 2,000 institutions to bring their cyber security up to new standards within two years. The Act is primarily aimed at telecommunications and telemedia providers and at critical infrastructure (CI) providers in the energy, telecommunications, IT, finance and insurance sectors, as well as in logistics and traffic control, health, water and nutrition.

These CI providers are obliged to implement adequate organisational and technical precautions, in line with the state of the art, and other measures to protect their essential IT systems and avoid breakdowns or impairments. These security measures must be fully implemented within two years after the regulation comes into effect, and compliance must be demonstrated to the Bundesamt für Sicherheit in der Informationstechnik ("BSI") every two years.

The IT Security Act, which has been adopted by the German Parliament and will allow fines of up to €100,000 to be imposed, now only needs to be signed by the Federal President and officially published in order to enter into force. It is interesting to see that Germany has introduced its own legislation on cyber security before the EU Network and Information Security Directive (NISD) is formally adopted (see below). As the NISD and the IT Security Act cover similar topics, it is likely that the German IT Security Act will substantially cover the measures required by the NISD.

Right to be forgotten

The Guardian newspaper has discovered data hidden in the source code of Google’s transparency report indicating that fewer than 5% of almost 220,000 “right to be forgotten” requests made since May 2014 came from criminals, politicians and high-profile public figures. The data, which has since been removed, detailed the numeric breakdown of each request and associated links by country and issue type (e.g. “private or personal information”, “serious crime”, “child protection”), with Italy showing the highest level of “serious crime” requests, comprising 12% of the total requests made. In respect of accepted requests, more than half of all requests from France and Germany have been successfully delisted, while in the UK this figure is closer to a third.

Morrisons employee jailed for eight years after leaking data

A Morrisons employee who leaked details of nearly 100,000 staff of the UK food retailer has been jailed for eight years. Andrew Skelton posted staff data on the internet as a result of a grudge after he was wrongly accused of dealing drugs at work. In retaliation, Mr Skelton sent information about staff salaries, bank details and National Insurance numbers to several newspapers and posted it on data sharing websites. The data breach cost Morrisons more than £2m to rectify. Mr Skelton was found guilty of fraud by abuse of position, unauthorised access to data with the intent of committing an offence, and knowingly or recklessly disclosing personal data.

It is interesting to note that the Secretary of State for Justice in the UK has the power to introduce regulations that would allow a custodial sentence penalty to be available for offences under Section 55 of the DPA (i.e. knowingly or recklessly obtaining or disclosing personal data), but those powers have yet to be used.

However, this decision by Bradford Crown Court demonstrates that there are other mechanisms available to the courts to allow them to impose custodial sentences for data protection breaches, notwithstanding the lack of implemented custodial sentencing powers under the DPA.

Cybersecurity

Cybersecurity Directive

In response to the rise of cyber-attacks and growing cybersecurity threats, the European Parliament, Commission and Council met this month for the final stages of negotiations to agree the main principles of the Network and Information Security Directive (NISD). The NISD, Europe’s first attempt to legislate in the cyber security arena, was proposed by the Commission in 2013 and aims to ensure a secure and trustworthy digital environment throughout the EU. The new rules will designate operators of essential services, who must manage network risks and report incidents to the relevant authorities. With many similarities to the German IT Security Act outlined above, the NISD requires "market operators" that provide "critical infrastructure", the "disruption or destruction of which would have a significant impact on a Member State", to comply with a mandatory security breach and incident notification requirement. "Market operators" include operators in the energy, telecoms, banking, health, transport and financial services sectors.


Hack on US Office of Personnel Management

Following last month’s announcement of a massive data breach of US Government data involving the Office of Personnel Management (OPM), it has now been reported that the breach was far worse than initially thought, with sensitive information relating to more than 21.5 million people having been stolen. The OPM holds personal records for all federal employees, including social security numbers, employment and educational information, and health, criminal and financial histories. The Director of the OPM, Katherine Archuleta, has since resigned, and the White House has indicated that it is reviewing ways to tighten data security in future, including changing its password authentication process and limiting the number and capabilities of privileged users.

Cybersecurity firm hacked

Another cybersecurity firm has been hacked. Hacking Team, an Italy-based company offering security services to law enforcement and national security organisations, has had 400GB of what appear to be its own documents published via its Twitter feed, including documents purporting to show the company arranging to sell its technology to repressive regimes. If genuine, the leaked documents suggest that Hacking Team has clients in countries including Kazakhstan, Sudan and Saudi Arabia, which have been criticised by human rights organisations for the aggressive surveillance of their citizens. The CEO of Hacking Team has suggested that the attack, given its complexity, may have been carried out at a government level.

Ashley Madison hack

Hackers have stolen and leaked personal information from online cheating site Ashley Madison, an international dating site with a membership of 37 million and the tagline “Life is short. Have an affair”. Impact Team, the group claiming responsibility for the hack, claims to have complete access to the database of Avid Life Media (the parent company), including user records for every single member. More than 2,500 customer records have already been released to the public, and Impact Team is now threatening to release more information, including sensitive personal data, unless the site is shut down.

Ashley Madison charges users a fee of £15 to carry out a “full delete” of their information if they decide to leave the site. Although users have the option of permanently hiding their profile free of charge, the company’s advertisements claim that the full delete service is the only way to completely remove their information from the servers. Impact Team allege, however, that users’ purchasing details, including credit card details, real name and address, are not removed as promised.

British users of the site may be able to bring a claim in the UK against Ashley Madison, even though the site is based in Canada, if it can be shown that the site was processing personal data in the UK through its UK-registered subsidiary. Ashley Madison could potentially be found to be in breach of its obligations under the Data Protection Act 1998 (DPA), particularly the fifth and seventh data protection principles, which require a data processor to (i) securely delete information that is no longer needed for the purpose for which it was obtained and (ii) take “appropriate technical and organisational measures” against unauthorised or unlawful processing of personal data. The case of Google Inc. v Vidal-Hall earlier this year interpreted “damage” caused by a breach of the DPA to include an emotional impact on the claimant, potentially allowing a compensation claim to be brought by a user of the site who has suffered “anxiety and distress” without having suffered any pecuniary loss. Ashley Madison could also be found to be in breach of contract if customers have paid for a deletion service but their details remain available.

ICO activity

Enforcement

The ICO has issued the following undertakings to comply with the seventh data protection principle:

  • To Rochdale Borough Council as a result of the theft of paper social care files held in a cotton bag from the boot of a social worker’s car. The papers contained personal data relating to 86 individuals, with sensitive personal data present in respect of 29 of these individuals, relating to health, mental health and the commission of offences including sexual offences.
  • To Western Health & Social Care Trust following incidents involving the theft of personal data when two computers, one containing sensitive personal data, were stolen from its premises. It was concluded that additional technical measures could have prevented the information from being accessed (e.g. the sensitive personal data could have been stored offline in an encrypted system, or the personal data could have been more securely and permanently deleted from the hard drive).

ICO Annual Report

The ICO released its 2014/2015 annual report this month, highlighting the changing landscape for the ICO’s regulatory powers in the face of data privacy breaches, and outlining its proposals for the upcoming year.

In 2014/2015 the ICO:

  • received 14,268 data protection concerns;
  • issued £1,078,500 worth of civil monetary penalties;
  • answered 195,431 helpline calls;
  • handled over 180,000 concerns about nuisance calls and texts;
  • conducted 41 audits of data controllers; and
  • responded to 1,177 freedom of information requests.



KEY CONTACT

Jonathan Kirsop
Partner

T: +44 20 7809 2121
M: +44 7554 403 022
Office: London