30 Sep 2015

Data Protection update - September 2015


This edition covers various topics including the recent high-profile opinion of Advocate General Bot of the Court of Justice of the European Union which suggests that the EU-US Safe Harbor Programme should be declared invalid, some recent direct marketing enforcement action in Hong Kong under the Personal Data (Privacy) Ordinance, the adoption of amendments to the Japanese Personal Information Protection Act and updates concerning the ICO including the recent announcement of an investigation into data sharing by charities.

Is the EU-US Safe Harbor programme under threat?

On 23 September 2015, CJEU Advocate General Bot delivered his opinion in Maximillian Schrems v Data Protection Commissioner following a request for a preliminary ruling to the CJEU from the High Court of Ireland. This case itself concerned a complaint from Mr Schrems, an Austrian national and Facebook subscriber, to the Irish Data Protection Commissioner. All European Facebook data is processed in Ireland and then transferred to the US where it is stored by its Safe Harbor certified US parent.

Under Article 25(1) of the Data Protection Directive (95/46/EC), data may only be transferred outside the EEA if that third country ensures an "adequate level of protection" (or other exemptions apply). The "Safe Harbor" programme, pursuant to European Commission Decision 2000/520/EC (the "Safe Harbor Decision"), provides that where data importers in the United States self-certify that they comply with the Principles set out in the Safe Harbor Decision, any transfers to such entities should be treated as being "adequate".

The basis of the complaint arose following the revelations by Edward Snowden of the US government's PRISM surveillance programme. The Irish High Court referred two questions to the CJEU and pending its decision, which is set to be given on 6 October 2015, the Advocate General has given his opinion. The questions are (i) whether a national supervisory authority is bound by the Safe Harbor Decision where the complaint claims that a third country does not ensure adequate protection and (ii) whether the national supervisory authority may/must conduct its own investigation of the matter.

Over the course of 237 paragraphs, the Advocate General opines that a national supervisory authority may investigate a complaint alleging that a third country does not ensure an adequate level of protection of personal data and, where appropriate, may suspend the transfer of that data notwithstanding that the transfer is to a recipient subject to the Safe Harbor Decision. In addition, the Advocate General opines that the Safe Harbor Decision itself is invalid on the basis that the exceptions to the Safe Harbor programme have permitted the mass collection of personal data by United States government authorities. This calls into question the very basis for Safe Harbor, a mechanism that is relied upon by over 4,000 companies.

Stephenson Harwood comments: The first thing to note is that this is an opinion of the Advocate General and not a binding decision of the CJEU. It has not invalidated Safe Harbor, which can still be relied upon as a mechanism for transfer as it always has been. Nor does this opinion recognise post-Snowden legislative developments in the US – such as the USA Freedom Act – and the negotiations currently taking place between the EC and the US Department of Commerce to update and improve Safe Harbor (as well as the recent finalisation of an "Umbrella Agreement" covering law enforcement co-operation (see below)). Nonetheless, with the decision of the CJEU set to come as early as next week, if the Court were to follow the Advocate General's reasoning, this could genuinely put the whole programme in doubt.

A copy of the opinion can be found here.


EU and US finalise and initial data protection "Umbrella agreement"

On 8 September, the EU and US finalised negotiations over a data protection "Umbrella Agreement". The aim of the Umbrella Agreement is to protect personal data where the EU and US cooperate in law enforcement. Personal data exchanged between police and criminal justice authorities must only be used for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

A key provision of the Umbrella Agreement is to allow non-US resident EU nationals the right to seek judicial redress before US Courts in respect of their data protection rights. In addition, personal data must not be transferred outside the US or EU without permission from the law enforcement agency of the original transferring country. There are also provisions for retention periods for data, rights to access and rectification, and notifications in case of data security breaches.

The Umbrella Agreement has not yet been signed and is contingent on amendments to the US Privacy Act 1974 being passed by US Congress.

What is unclear is which rights will be enforceable in the US and the thresholds that national law enforcement agencies will apply when giving permission for the onward transfer of personal data to third countries. Whilst the ability of EU nationals to bring actions in the US for data protection breaches is welcome (and reflects the right that US nationals already have in the EU), the Umbrella Agreement may still not provide the same protection to which EU nationals are accustomed.

Recent breaches of the Personal Data (Privacy) Ordinance in Hong Kong

In two recent cases, two companies have fallen foul of Hong Kong's strict direct marketing provisions in the Personal Data (Privacy) Ordinance ("PDPO"). Under the PDPO, individuals must give their prior consent before any personal data is used for marketing purposes. Any breach of the direct marketing provisions under the PDPO gives rise to a penalty of up to HK$500,000 and imprisonment of up to three years. There are additional sanctions for those selling personal data to a third party for direct marketing purposes.

In the first case, Hong Kong Broadband Network Limited ("HKBNL") was found to have breached section 35G(3) of the PDPO by failing to comply with a request from a data subject to cease using his personal data in direct marketing. The Complainant had validly opted out of direct marketing from HKBNL in 2013. However, an employee of HKBNL subsequently left a voice message on the Complainant's mobile phone towards the end of his mobile phone contract reminding him that it was about to expire and also marketing HKBNL's services. HKBNL was fined HK$30,000.

In the second case, concerning Links International Relocation Limited ("Links"), personal data had been transferred to Links from a company that had ceased operations. A direct marketing email was sent in August 2013 to the Complainant in which various personal data were included. The Complainant had not given any consent to the use of his personal data for direct marketing and was not a customer of Links (but had been a customer of the company that had ceased operations). Links was fined HK$10,000 for breaching section 35C of the PDPO.

Japan amends its Personal Information Protection Act

In our May edition, we reported that a new bill to amend the Act on the Protection of Personal Information 2003 (the "Act") had been submitted to the Japanese Diet. As of 3 September 2015, the Act has now been amended. There are various changes to the Act, which will come into effect as of 1 January 2016. The amended Act establishes a new Personal Information Protection Committee.

The changes include restrictions on the transfer of personal data overseas and clarifications on the process of anonymisation of personal information. The definition of personal information has been updated to include biometric and numeric data. With similarities to the European regime, a new definition of "sensitive personal information" has been introduced to include information such as religious beliefs, race, criminal records and medical histories. There is now a requirement that a data handler delete personal information once it is no longer necessary. Of great interest to international companies, the Act also now applies to data controllers that are not physically located in Japan but which provide goods or services to individuals in Japan. There are also new rules in respect of databases and an additional criminal offence for the theft, misappropriation or supply of personal information.

ICO activity

Investigation into charities

Recent press reports have detailed a potential scandal in the charity sector through the misuse of personal data. The Daily Mail recently broke a story concerning Mr Samuel Rae whose details, as alleged by the newspaper, were sold and passed on up to 200 times by different charities. Mr Rae, as alleged, received 731 requests for donations from charities that subsequently acquired his name and details. Mr Rae has allegedly suffered financial loss through scams following the acquisition of his details. The newspaper suggests that the problems began in 1994 when Mr Rae failed to tick a box on a survey refusing consent to the sharing of his personal data with third parties. The ICO has subsequently launched an investigation into the case.

ICO penalties

The ICO has recently fined Cold Call Eliminations Ltd ("Cold Calls") £75,000 under section 55A of the Data Protection Act and Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").

Cold Calls operates a service and provides a device to stop unsolicited phone calls. However, in an ironic twist, the company has been found to be responsible for large numbers of unsolicited calls, which resulted in 46 complaints on the ICO's online reporting tool between June 2013 and March 2015 and 336 complaints to the Telephone Preference Service in the same period. In addition to the fine, the ICO's decision constitutes an embarrassing public document for Cold Calls. The decision gives examples of the complaints received by the ICO, which include evidence of intimidation and duress applied to elderly and vulnerable individuals.

We reported in our August edition a similar enforcement action against Point One Marketing Limited.

KEY CONTACT

Jonathan Kirsop
Partner

T: +44 20 7809 2121 | M: +44 7554 403 022 | Office: London