31 May 2017

Data Protection update - May 2017


Welcome to the May 2017 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions. 


Data Protection

Global ransomware cyber-attack impacts 200,000 victims in over 150 countries

The global ransomware cyber-attack ("WannaCry") wreaked havoc this month by blocking or limiting access by those affected to their computer systems and demanding a ransom payment to release the block. The WannaCry attack impacted numerous organisations around the world and, most notably in the UK, the NHS. Thousands of patients in the UK were affected, many of whom had their records taken offline and appointments and medical operations cancelled.

Although WannaCry was stopped by a security researcher, who inadvertently activated a "kill switch" by registering the domain on which the WannaCry ransomware relied (thereby stopping it from spreading), it is likely that future versions of the WannaCry ransomware will be created that do not contain such a mechanism.

The WannaCry attack illustrates the serious implications an attack can have for an organisation if it has failed to take basic measures to protect its computer systems and data. It has also become clear that the affected computer systems were running out-of-date software and that systems in that state remain vulnerable to a similar attack.

The number of cyber attacks is increasing year on year and governments across the world have realised that network protection is no longer an optional extra. In January 2017, the UK government announced it will implement the European Network and Information Security Directive (NIS Directive) regardless of Brexit. The aim of the NIS Directive is to ensure that critical IT infrastructure in key sectors of the economy, such as health, are secure from cybersecurity threats by introducing security measures and incident notification requirements. Similarly, for incidents that may affect or compromise personal data (such as the WannaCry attack), there is a separate notification system under Article 33 of the GDPR. The NIS Directive is expected to be implemented in the UK by May 2018.


Data protection implications of the Digital Economy Act

The Digital Economy Act 2017 (the Act), which covers a wide array of matters relating to communications, IP, technology, media and data protection, received Royal Assent on 27 April 2017 during the 'wash up' period, in which bills are hurriedly passed before Parliament is dissolved for a general election. Certain provisions of the Act came into effect immediately and are already in force. Others will come into force on 28 June 2017 or will be brought into force through secondary legislation in due course. It is important to note that many of the Act's provisions cannot be commenced without a statutory instrument. Three areas of the Act of particular relevance to data protection are: public sector data sharing; direct marketing; and the Information Commissioner's ability to charge fees.

The Act has the following data protection implications:

  • Data Sharing: Part 5 introduces provisions for wide sharing of personal data across the public sector (e.g. to combat fraud). This section, most of which will be brought into force by statutory instrument, includes a suite of measures intended to improve the delivery of public services and the sharing of personal data with specified public authorities, including by way of introducing codes of practice.
  • Direct Marketing: Section 96 will come into force on 28 June 2017. It requires the ICO to prepare a new statutory code of practice on direct marketing. The code is intended to bring greater protections for citizens from spam email and nuisance calls and grant stronger enforcement powers for the ICO over direct marketing law, making it easier for the ICO to take action against nuisance callers and to impose fines. Whilst not legally binding, the statutory code of practice on direct marketing will be admissible in evidence and must be taken into account by the courts, tribunals and the Information Commissioner in relevant cases.
  • Fees: As the ICO notification fees paid by data controllers will be repealed under the GDPR, the Act has introduced a mechanism whereby the Secretary of State may require data controllers to pay charges of a specified amount to the Information Commissioner. This provision will be brought into force by statutory instrument and is in line with the Government's search for an alternative means of funding the ICO's functions (which are currently funded by notification fees paid by data controllers under the Data Protection Act 1998 (DPA)).


President Trump signs new cybersecurity Executive Order

On 11 May 2017, President Donald Trump signed an Executive Order titled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure", which mainly focuses on committing the US government to improving its own IT and cybersecurity practices. Under the Executive Order, heads of executive departments and agencies are now explicitly held accountable for managing cybersecurity risk to their agencies.

The Executive Order also contains numerous directives that focus on reforming cybersecurity obligations across the private sector, including reports to the President within 90 days:

  • on whether publicly-traded companies operating critical infrastructure should have to make fuller public disclosures concerning their cybersecurity practices;
  • on the electric sector's ability to respond to and mitigate an attack leading to a prolonged outage; and
  • on cyber threats confronting defence industrial base (DIB) companies and their supply chains.



Three fines issued to Facebook and WhatsApp

Facebook Inc. and Facebook Ireland (Facebook) were fined €150,000 for "unfair tracking" and several breaches of the French Data Protection Act by France's data protection watchdog (CNIL) after they were found to have failed to prevent users' data being accessed by advertisers. The fine was the maximum amount the CNIL was able to impose at the time it started the investigation (the law was changed in October 2016 to allow a maximum of €3 million).

The CNIL found that Facebook had collected and compiled data from its users "without obtaining their explicit consent" and "without having a legal basis". It said Facebook was tracking its users' web activity outside of Facebook, and this was not made clear to its users. Last year, the CNIL gave Facebook a deadline to stop tracking such activity without obtaining explicit consent from its users and ordered it to stop transferring some data to the United States. Facebook argued, unsuccessfully, that since its European headquarters are in Dublin, the Irish data protection authority was the only competent authority to issue such orders.

Separately, the Italian antitrust agency (the Agency) has imposed a €3 million fine on WhatsApp for sharing users' personal data with its parent company, Facebook. The Agency found that WhatsApp had led users to believe they would not be able to continue using the service unless they agreed to terms that included sharing personal data. It also found other aspects of WhatsApp's terms of use to be unfair, including allowing for unexplained interruptions to the service and giving only the provider the right to terminate the agreement.

It was announced on 18 May 2017 that Facebook has also been fined £110m by the European Commission (EU Commission) for misleading the authorities during its acquisition of WhatsApp in 2014. At the time of the acquisition, Facebook said it could not easily combine information about its billions of users with those who had signed up for WhatsApp. Two years later, Facebook announced, as a major privacy policy change, that it would match the data on users from the two sites. The EU Commission found that, contrary to Facebook's statements at the time of the acquisition, the technical possibility of automatically matching Facebook and WhatsApp users' identities already existed.



GDPR implementation: 12-month countdown has begun

With the General Data Protection Regulation (GDPR) compliance 'hard deadline' just one year away, organisations should now be implementing a 12-month actionable roadmap to ensure complete compliance ahead of 25 May 2018.

It is possible for companies who have not yet begun to implement the GDPR to meet the 25 May 2018 deadline but a project-managed, phased approach to implementation will be required. It is important to assess risks early on to prioritise activities.

We have set out below some key considerations and steps that companies should be taking to prepare for 25 May 2018:

  • Appoint a project management team (including stakeholders from different areas of the business) to evaluate the applicability of the GDPR, secure support and resources from senior management and identify your key stakeholders (HR, IT, legal etc.);
  • Conduct a data analysis to understand the various personal data flows and uses within the business. You may wish to use questionnaires for key departments or business units that feed into a 'living' data map that is kept up to date. It will become a statutory requirement under the GDPR to maintain a record of data processing activities, so it is a good idea to implement this early;
  • Audit what data is collected, where and how it is stored, and the legal basis of processing. Consider, for example, what automated profiling you are carrying out; your mechanisms for fair processing; the procedures you have in place for handling individual requests; notifying data subjects and/or regulators of data breaches; international data transfers etc.;
  • Assess, as a 'gap analysis', the existing privacy policies and terms you already have, with both data subjects and third party data processors or other counterparties, as well as the other points above, and check what is missing;
  • Plan what you need to change to systems and processes in order to evidence GDPR compliance and put in place a proposal, including a timeline for introducing key GDPR actions and necessary changes required to comply with the enhanced requirements of the GDPR before 25 May 2018;
  • Implement your agreed GDPR actions. These might include formally designating a Data Protection Officer, updating your privacy notices, revising or introducing new policies and procedures, rolling out template data processing arrangements, and launching a privacy impact assessment process;
  • Train your company. It will not be sufficient just to introduce GDPR-compliant policies and procedures if the business does not know how to interpret, implement and comply with them.



New German data protection laws passed by Bundestag as part of GDPR preparations, and Spanish watchdog issues Code addressing GDPR

The German Parliament passed a new Federal Data Protection Act (FDPA) on 27 April 2017 to adopt the provisions of the upcoming GDPR into German law. The FDPA will come into force at the same time as the GDPR on 25 May 2018.

While the GDPR will apply directly across the EU and is not required to be implemented in the national laws of each EU country, it does contain a number of provisions that either (i) specifically require EU member states to expand further in national law, or (ii) allow those countries to derogate from the Regulation in certain circumstances, provided that, in general, the national rules are no less stringent than those provided for under the GDPR. The FDPA is Germany's response to those member state specific requirements and freedoms.

Notable introductions include:

  • a €50,000 maximum fine for violations which solely concern German law. This is in addition to the maximum €20 million or 4% of global turnover fine for breaches of the GDPR; and
  • The ability for data subjects (including employees) to make claims against companies for non-pecuniary damage.

Meanwhile, the Spanish data protection authority (AEPD) has published a code (the Code) consisting of a legal analysis of the current data protection framework as well as an analysis of the most commonly debated provisions of the GDPR, including: quality and retention of data, transparency, data subjects' rights, and automated decisions affecting data subjects.

The national response to the GDPR has given rise to some concerns that the introduction of the FDPA and the Code contradicts the fundamental purpose of the GDPR; namely, that it will create a unified data protection framework that operates throughout the EU, making it easier for transnational companies operating in the EU by removing the burden of having to comply with different rules in each country. The rationale for allowing member state derogations is two-fold: i) to protect different social and cultural attitudes to data protection; and ii) to allow member states to reconcile the GDPR with certain national laws (e.g. those relating to freedom of information).



Self-reporting of data breaches in the UK on the rise, where risk of fine is below 1%

In its annual operational report for 2016/17, the ICO has recorded a 31.5% increase in self-reported incidents from the previous year. Of the 2,565 self-reported incidents, the ICO decided in 1,680 cases that the organisations involved were not required to take further action, and less than 1% of organisations were fined.

Health organisations accounted for 41% of self-reported breaches. Telecoms companies, which are obliged to self-report data breaches to the ICO under e-Privacy regulations, also accounted for a significant volume of self-reported cases.

Once the GDPR comes into force on 25 May 2018, all organisations will be under a legal duty to notify the relevant data protection authorities of breaches which are likely to result in a risk to the rights and freedoms of individuals; for example, breaches which result in data subjects suffering discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.


EU General Data Protection Regulation: new guide for charity fundraisers

The Institute of Fundraising has published a new guide on the GDPR, focusing on the key issues for charities and fundraisers in relation to direct marketing.

The guide makes it clear that, for the purpose of the GDPR, 'advertising or marketing material' includes any material which promotes the aims and objectives of the organisation. Therefore, organisations using individuals' contact details to keep in touch with them about fundraising campaigns or charity work are engaging in direct marketing. Both the ICO and the Fundraising Regulator, an independent regulator of charitable fundraising, recommend that charities seek to rely on 'opt-in consent' (showing that the individual has explicitly given their consent by taking a positive action to opt in to receiving such communications) as the safest basis for sending direct marketing communications, but acknowledge that in certain circumstances 'legitimate interest' may be a more appropriate lawful basis to rely upon.

It is useful to note that the Fundraising Regulator also sets the Code of Fundraising Practice, which should be adhered to by charities and fundraisers and already sets certain standards that go further than the legal requirements. Since the Code is expected to be updated soon to account for the GDPR, charities and fundraisers are advised to keep themselves apprised of the new requirements as set out in both the GDPR and the Code of Fundraising Practice.


EU Commission appointing multi-stakeholder expert group to advise on potential challenges relating to implementation of the GDPR

The EU Commission's Directorate-General for Justice and Consumers has announced that it wants to set up a 'multi-stakeholder expert group' involving representatives from civil society, business, academics and legal practitioners to help the EU Commission comprehend the possible challenges that might arise when the GDPR comes into force. It is hoped that the group will advise the EU Commission on the appropriate level of awareness required among different stakeholders in respect of the GDPR.

The EU Commission is calling for applications with a view to selecting members of the group. Interested parties can apply to participate in the expert group by sending their applications to JUST-C3-MULTISTAKEHOLDER-GDPR@ec.europa.eu by 2 June 2017.



ICO enforcement

ICO issues a record £400,000 fine to a company behind 99.5 million nuisance calls

The ICO has issued a record £400,000 fine to a company, Keurboom Communications Ltd, which made nearly 100 million nuisance calls in 18 months. The ICO's action was taken in response to over 1,000 complaints from people who received automated calls relating to road traffic accident claims and PPI compensation, in some cases repeatedly and during unsociable hours.

Furthermore, by hiding its identity when making these calls, Keurboom made it harder for individuals to complain.

Companies which use similar "bulk marketing" techniques, including SMS and emails, should ensure that their practices are compliant with the relevant laws and regulations. As mentioned above, this will become even more crucial when the GDPR comes into force on 25 May 2018, as it will allow regulators to levy fines of up to €20m or 4% of an undertaking's worldwide turnover; a significant increase on the current UK maximum sanctions of £500,000.



ICO fines Greater Manchester Police £150,000 for failing to keep victims' sensitive personal information secure

The ICO issued a fine of £150,000 to Greater Manchester Police (GMP) for violating the DPA after three DVDs containing footage of police interviews with victims were lost in the post. The DVDs, which were unencrypted, were supposed to be delivered to the serious crime analysis department of the National Crime Agency (NCA) but were lost and, to date, have not been recovered.

The ICO found that GMP failed to keep highly sensitive personal information in its care secure and did not have appropriate technical and organisational measures in place to guard against accidental loss as well as unauthorised or unlawful processing of the personal data. Furthermore, it found that this incident was part of an ongoing contravention of data protection rules by GMP dating back to 2009 as GMP had been sending unencrypted DVDs by recorded delivery to the Serious Crime Analysis Section of the NCA since 2009.

GMP had also previously been fined £150,000 by the ICO for failing to protect sensitive personal data after an unencrypted USB stick containing details of 1,075 people with links to drug probes, arrest targets and officers' names was stolen in a burglary at a detective's home. In the circumstances, the ICO considered that GMP's contravention was serious having regard to the number of people affected, the nature of the personal data involved and the possible consequences.



ICO fines Fareham company for sending 3.3 million spam texts

The ICO has imposed a £100,000 fine on Onecom Ltd for sending millions of spam texts about mobile phone upgrades.

As well as sending unsolicited communications, Onecom had contravened regulation 23 of the PECR by not identifying the person on whose behalf the messages were sent. In deciding the amount of the penalty, the ICO took into consideration the fact that Onecom had stopped sending the marketing texts and had taken a number of remedial steps to address the problem.





Alison Llewellyn

T: +44 20 7809 2278, Office: London