
26 Jan 2017

Data Protection update - December 2016 / January 2017


Happy New Year and welcome to the latest edition of our Data Protection update, our regular review of key developments in Data Protection law covering December 2016 and January 2017. As always, please do let us know if you have any feedback or suggestions for future editions. 

Data protection

Cyber security

ICO enforcement


Data Protection

Draft Regulation on e-Privacy announced

The EU Commission (EC) has proposed a new Privacy and Electronic Communications (e-Privacy) Regulation (the Regulation) to replace the existing e-Privacy Directive, implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The Regulation is proposed to come into force on 25 May 2018 (the same day as the GDPR) and would have direct effect across the EU, including the UK, where it will replace PECR. The draft Regulation draws heavily on the GDPR and makes use of numerous definitions, terms and concepts that first appeared in the GDPR.

The proposed Regulation updates the current laws relating to the confidentiality of electronic communications within the EU. It would expand the scope of the EU's privacy laws to include over-the-top (OTT) communication service providers (who deliver services across an IP network) for the first time and includes new rules on direct marketing via electronic means. These new rules include provisions relating to the use of 'cookies' as well as a new requirement obliging web browsers and other providers of software to inform users of their ability to "prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment". It is thought that this could lead to a drastic increase in the blocking of third party web-adverts by internet users throughout the EU.

The new Regulation promises to grant greater protection and rights to individual users across the EU. It will grant new rights to users of electronic communications to object to the processing of their communications data. The new rules would also allow users to obtain compensation from offending communication providers if their rights are infringed and they suffer damage. In addition, the Regulation will tie into the enforcement regime of the GDPR, so that offending providers could receive fines of up to €20m or 4% of their global turnover, whichever is the higher.

As the Regulation is still in a draft stage it must now be scrutinised by both the European Parliament and the Council of Ministers. It will not take effect until both sets of legislators approve it. However, it is not expected to change significantly before then.


Article 29 Working Party publishes guidance on GDPR

The EU Article 29 Data Protection Working Party (Working Party), the pan-EU body made up of the different national data protection regulators, published guidance in December 2016 in relation to three key aspects of the GDPR: lead supervisory authorities; data protection officers; and the right of data portability. The guidance comprises broad practical guidelines as well as a FAQ in relation to each of the three issues (click here to access the published material).

This guidance aims to assist organisations in their implementation of the GDPR and to provide clarity as to how EU data protection authorities expect to enforce the relevant provisions of the GDPR.

We have prepared executive summaries of the guidance which can be accessed here:

The Working Party has stated that it welcomes any additional comments on the guidance and will be open to feedback from relevant stakeholders until the end of January 2017. As the year progresses the Working Party also plans to issue an 'Action Plan' in relation to Data Protection Impact Assessments and the certification process.


ECJ delivers blow to "Snoopers' Charter"

The European Court of Justice (ECJ), the highest court of the European Union, has struck a blow against the recently passed Investigatory Powers Act 2016 (IPA) (known as the "Snoopers' Charter" to its critics) by ruling that the "general and indiscriminate retention" of electronic communications by governments is illegal. As a result, it is expected that the IPA may become subject to serious legal challenge from privacy campaigners.

The ruling comes after the Court of Appeal (COA) referred a case brought by MPs David Davis and Tom Watson in relation to the Data Retention and Investigatory Powers Act 2014 (DRIPA) to the ECJ. The ECJ was asked by the COA to clarify EU data retention laws in relation to confidential personal data. In doing so the ECJ confirmed that blanket data retention (including state surveillance) is unlawful unless it is carried out with the proper privacy safeguards in place.

It further clarified that governments are only permitted to carry out mass surveillance programmes on the condition that the surveillance is targeted by reference to specific named persons, duration of surveillance or geographic scope and is only for the purpose of combatting terrorism and serious crime. In addition, except in the most urgent situations, all mass surveillance programmes must only be carried out under judicial supervision.

Although this ruling was ostensibly directed at DRIPA, its repercussions are potentially far wider and could spell trouble for the IPA as well. The IPA will provide the government with extensive powers that will allow various public authorities to access vast databases of information without prior permission from the judiciary or any other independent authority (see our November 2016 bulletin here for further details). These powers clearly exceed those permitted under EU legislation and consequently the IPA could now be challenged in the wake of the ECJ's decision. We will keep you informed of any updates in this area.


Draft revisions to Swiss Data Protection Act published

In an effort to keep pace with the EU's far-reaching changes in the form of the GDPR, the Swiss Federal Council has put out a first draft of a completely revised Data Protection Act (DPA) for consultation. The draft DPA aims to ensure that personal data can continue to be exchanged between Switzerland and the EU: it contains the necessary provisions to allow Switzerland to ratify the Council of Europe's Data Protection Convention and to adopt the GDPR with respect to criminal matters.

In particular, the Federal Council aims to increase the transparency of data processing and to augment the rights of data subjects to make decisions about their own data. As such the draft DPA places further obligations on data processing organisations to provide information to data subjects, and it also creates new rights for affected data subjects to request and receive information.

The draft legislation focuses on the importance of self-regulation, and to this end it makes provision for the Federal Data Protection Commissioner to issue best practice guidance for affected organisations to follow. In addition, the Commissioner will also be permitted to investigate alleged violations of the draft DPA and to issue orders in accordance with its findings.

The consultation period for the draft DPA will run until 4 April 2017.


Switzerland approves US-Swiss Privacy Shield

The Federal Council of Switzerland has also announced that it has reached an agreement with US Government to replace the US-Swiss Safe Harbor Framework for the transfer of personal data from Switzerland to the US.

The new arrangement will be titled the Swiss-US Privacy Shield and will continue to be a self-certification scheme. It will contain similar protections to those contained in the EU-US agreement of the same name. The Swiss-US Privacy Shield contains enhanced requirements in respect of onward transfers and data retention, and also requires US officials to restrict government access to personal data transferred under the agreement. The provisions will also introduce detailed mechanisms for recourse and dispute resolution, and certified organisations will need to implement processes for handling complaints in order to obtain approval from the US Department of Commerce (DOC).

The Swiss-US Privacy Shield will replace Safe Harbor immediately, but affected organisations will only be able to sign up to the new agreement with the US DOC from 12 April 2017. US organisations will have three months to begin the certification process during which the Swiss Federal Data Protection and Information Commissioner will not undertake enforcement action in relation to non-compliance with the new Privacy Shield regime.


EU to begin adequacy talks with Japan and Korea

The European Commission (EC) has published its strategic framework for the making of adequacy decisions with new partners in the future. In particular, the EC has stated that it will engage with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, and that it can now adopt adequacy decisions in relation to the law enforcement sector of a third country.

Adequacy decisions permit the free transfer of personal data between EU-member states and third countries deemed adequate. Adequacy does not require a mirror image replication of EU rules, and the EC stated that it will also consider the following factors when deciding on whether to give an adequacy decision:

  • The extent of the EU's actual or potential commercial relations with the third country;
  • The extent of personal data flows from the EU (reflecting geographic and cultural ties);
  • Whether the third country can serve as a model for other countries in the region; and
  • The EU's political relationship with the third country.

The EC also stated its intention to begin talks with India and the Mercosur trade bloc in South America.


Cyber security

Allegations of Russian hacking in US election

A newly declassified report jointly produced by the CIA, FBI and NSA has alleged that Vladimir Putin personally approved cyber-attacks that took place during the 2016 US presidential election. The report is the result of an investigation ordered by former President Obama after allegations of Russian interference surfaced in early December 2016.

The report claims that the General Staff Main Intelligence Directorate (GRU) carried out a number of subversive activities against the US and was motivated by a clear preference for newly elected President Trump. It states that the GRU disproportionately targeted the Democratic nominee Hillary Clinton by stealing emails, passing compromising documents to WikiLeaks and spreading "fake news" attacking the candidate through social media. In addition, the report also claims that Russian intelligence operatives engaged in "spearphishing" operations in the wake of the US election in an attempt to trick US government and think-tank employees into revealing confidential information.

The three agencies behind the report claim that in carrying out these activities, the GRU has undertaken a "significant escalation in directness, level of activity and scope of effort" when compared with previous cyber espionage exercises. Consequently the report also warns that Russia is likely to execute many more similar operations, directed against both the US and its close allies.

The CIA, FBI and NSA stopped short of saying whether the alleged hacking had any impact on the outcome of the election, stating that this kind of analysis is outside their remit. Nonetheless, the report does represent a comprehensive and unprecedented public assessment of the scale of Russian interference in the presidential campaigns.


Yahoo hack: one billion accounts compromised

Yahoo has revealed that it has been the victim of the largest data breach in history, following its discovery that a cyber-attack took place in August 2013 that resulted in the theft of data from over one billion user accounts. The number of accounts affected is thought to be double the numbers involved in the breach revealed by the company in September 2016.

Yahoo believes that the two breaches are connected and that both were "state-sponsored". It believes that the hackers utilised forged cookies to access user accounts by tricking the account security systems into thinking that the hacker using the cookie was actually the owner of the account. Yahoo also believes that the breaches may be related to a theft of the company's source code.

The company has reported that the stolen user account information may have included details such as names, email addresses, telephone numbers, hashed passwords and even encrypted and unencrypted security questions and answers. Bank account information and payment card data were not stored in the same system and it is therefore believed that these have not been affected. It has also been discovered that over 3,000 email accounts linked to high-ranking Australian government officials, including MPs, members of the judiciary and federal police officers, are among those affected.

Verizon, the US telecoms giant, is still in the process of acquiring Yahoo and industry commentators have speculated that this news of a further breach is likely to have an adverse impact on the company's sale price.


Russian central bank targeted in cyber-heist

The Central Bank of Russia has reported that hackers successfully stole 1.2bn roubles from central bank accounts early in 2016. The hackers had attempted to steal a total of 2.87bn roubles, but the Central Bank was successful in preventing the theft of 1.6bn roubles by freezing certain accounts that had been opened by the hackers in order to siphon off the stolen money. It has not been revealed whether the remaining funds are now safe or whether they have also been stolen. This scare follows a previous attack by hackers against the Russian state-run lender Sberbank in 2014 which led to electronic withdrawals of over $20bn being made from the bank in one week.

Moscow-based cybersecurity firm Group-IB published a report in October 2016 stating that Russian banks have lost a total of $44m in targeted cyber-attacks since 2013. Moreover, the FSB has stated on its website that it has uncovered plans by foreign secret services to provoke a run on several of Russia's major financial institutions by manipulating social media.


TalkTalk hacker pleads guilty

Nineteen-year-old Daniel Kelley has pleaded guilty to 11 charges brought against him in relation to a major hacking operation against TalkTalk that occurred in October 2015 (see our October 2015 update here for more information). The charges include computer hacking, blackmail, fraud and money laundering.

In the attack Mr Kelley stole personal data belonging to nearly 157,000 customers, including email addresses, personal details and bank account information. In total, the attack is thought to have cost TalkTalk £42m, as well as the largest ever fine issued by the ICO at £400,000.

Despite having no previous convictions, the presiding judge warned Mr Kelley that a custodial sentence was inevitable given the severity of the crimes committed and the fact that the hack was committed while the defendant was on police bail for similar offences.

A total of six people have so far been arrested in relation to the TalkTalk attack and a separate hacker, who cannot be named due to his age, has been handed a rehabilitation order after pleading guilty to his involvement in the operation.


ICO enforcement

ICO reveals how charities have been exploiting supporters

The ICO has discovered that the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (BHF) have both been secretly screening millions of their donors in order to target them for more donations. The two charities were also found to have breached the Data Protection Act 1998 (DPA) in two additional ways by using personal information obtained from other sources to target new and lapsed donors, and by trading personal details with other charities to create a "massive pool of donor data". The affected donors were not able to consent or object to these practices as they were unaware that they were taking place.

The ICO investigated the charities concerned after reports emerged in the media claiming that certain charities were placing "repeated and significant pressure" on their donors to contribute more and more money. As a result of the investigation, the ICO has decided to fine the RSPCA and BHF £25,000 and £18,000 respectively. In doing so the ICO has exercised its discretion to significantly reduce the level of the fines levied, which could have been up to ten times that amount for non-charitable organisations. However, the Information Commissioner, Elizabeth Denham, has emphasised that the size of the reduction should not detract from the severity of the breaches committed.


ICO now in charge of Telephone Preference Service

The ICO has replaced Ofcom to become responsible for the running of the Telephone Preference Service (TPS), which gives individuals the opportunity to opt-out from direct telephone marketing.

The switch is designed to assist the ICO in enforcing PECR, as complaints about cold callers will now be able to be passed to enforcement officers with greater efficiency. Coupled with the Information Commissioner's advocacy of personal liability for directors of companies involved in cold calling activities (see our November update here for more information), this demonstrates how serious the ICO is about clamping down on nuisance calling.


ICO fines Bognor Regis firm for making nuisance calls to the elderly

The ICO has issued a fine of £40,000 to Bognor Regis based firm IT Protect Ltd for making telephone calls to people registered on the TPS. Ironically IT Protect Ltd was making the calls in order to sell a call-blocking service. This is the first example of enforcement action taken by the ICO in relation to nuisance calls since it took over responsibility for managing the TPS.

IT Protect told the ICO that it had purchased a list of people and phone numbers from another firm. However, a joint investigation between the ICO and West Sussex Trading Standards concluded that IT Protect had not carried out sufficient checks to ensure that the people on the list had given their consent to receive marketing calls.


Royal & Sun Alliance PLC fined £150,000 for failing to keep customer information safe

The ICO has fined major insurer Royal & Sun Alliance Insurance PLC (RSA) £150,000 following the loss of personal information relating to almost 60,000 customers. The loss took place after a hard drive device containing the customers' personal information was stolen earlier last year. The personal information comprised the names, addresses and bank account details (including account numbers and sort codes) of the affected customers. In addition, the hard drive also contained credit card details of around 20,000 customers, but in this case neither the CVC numbers nor the expiry dates were included.

The ICO investigation found that RSA did not have adequate protection in place to prevent the sensitive financial information of its customers from being stolen. The hard drive was unencrypted, was taken from RSA's premises, and is believed to have been stolen by either a contractor or an RSA employee. The ICO's head of enforcement remarked that "there are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment." The fine was issued because RSA had failed to take any of these steps.




Alison Llewellyn
