• Home
  • News
  • Data Protection update - February 2017

28 Feb 2017

Data Protection update - February 2017


Welcome to the February 2017 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions. 

Data protection

Cyber security

ICO enforcement


Data Protection

Article 29 Working Party approves Google's model clauses

The Article 29 GDPR Working Party (WP29) has confirmed that the model contractual clauses used by Google for cross-border personal data transfers, for European business customers using G-Suite and Google Cloud Platform, meet the requirements of the EU Data Protection Directive (95/46/EC) (Directive).

The Google clauses are based on the European Commission's model clauses (EC Model Clauses) with some small additions. A number of European data protection authorities, led by the Irish data protection commissioner (Irish Commissioner), analysed the Google model clauses and decided that they meet the required standard for transfers of personal date from EU data controllers to non-EU/EEA data processors.

This confirmation will allow Google's European business customers to rely on Google's model clauses to transfer personal data from the EU to the USA without any further authorisations. However, the decision letters issued by the Irish Commissioner point out that the scope of analysis of the EC Model Clauses was limited and that the appendices to the main EC Model Clauses to be completed by Google and its customers may also be analysed separately by the relevant data protection authorities.


EU-US Umbrella Agreement in force

On 1 February 2017 the EU-US Umbrella Agreement on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences entered into force. The aim of the Umbrella Agreement is to establish a common system for the protection of personal data processed by, and transferred between, law enforcement agencies in the EU and the USA. The agreement will boost co-operation between European and US organisations, while also guaranteeing the lawfulness of data transfers conducted under it and providing reassurance that the data rights of EU citizens will be respected by the USA.

The European Commission (EC) has published a statement noting that, alongside the Umbrella Agreement, to guarantee effective and enforceable judicial remedies for EU citizens under the Umbrella Agreement, the USA also adopted the Judicial Redress Act (JRA) in February 2016. This will give EU citizens the right to seek effective judicial remedies in US courts if US authorities have denied access or rectification, or unlawfully disclose their personal data.

The EC expects that under the JRA all data transfers within the scope of the Umbrella Agreement will be covered, and further confirmed that such data transfers include those under the EU-US Passenger Name Records agreement and under the Terrorist Finance Tracking Program and that such data cannot be exempted from the benefit of JRA judicial redress rights.

For more information on the EU-US Umbrella Agreement, please see our February 2016 update here.


Court of Appeal rules DPA claim can be brought alongside defamation claim

The Court of Appeal (COA) has ruled that there is no reason why a claim under the Data Protection Act 1998 (DPA) cannot be run in parallel alongside a defamation claim.

This was the decision in a case involving a Moroccan prince, who sought to add a claim for unfair and inaccurate processing (in breach of the first and fourth data protection principles) to his libel claims against a defendant publisher. The libel claims stemmed from an article posted on the publisher's news website which cast aspersions upon the claimant's loyalty to the Moroccan regime.

The defendant's case in reply rested on the argument that that the additional claim was an abuse of process and that to allow it would constitute disproportionate interference with the defendant's right to freedom of expression under Article 10 of the European Convention of Human Rights (ECHR).

In finding for the claimant, the COA ruled that although courts have previously expressed doubt about the necessity and proportionality of advancing parallel claims, in this instance the parallel nature was justified as the two types of claim were directed at protecting distinct aspects of the right to private life under Article 8 ECHR.

However, the COA did accept that if parallel claims are run then active case management would necessarily be required to ensure that a just result was reached in a proportionate manner.


Court of appeal overturns high court decision and orders subject access request

In an important judgment for data subjects, the COA has ruled that law firm, Taylor Wessing, must comply with a subject access request (SAR) made by the beneficiaries of a trust that was administered by a former client of the firm. The SAR was made in the context of broader litigation against the trust by the beneficiaries and requested Taylor Wessing to disclose all of the data that it held of which the beneficiaries of the trust were data subjects.

Taylor Wessing resisted the claim on the basis that the data requested was covered by legal professional privilege and that the firm was therefore exempted from complying with the SAR on the basis of an exemption contained in paragraph 10 of Schedule 7 of the DPA. The law firm further claimed that any search for relevant data would involve a disproportionate effort on its behalf.

The COA dismissed these arguments. The legal professional privilege exemption contained in the DPA is only applicable if the data concerned is subject to privilege recognised in UK legal proceedings. In this case the privilege claimed related to proceedings in the Bahamas, where the trust was located, rather than the UK. In addition, Taylor Wessing failed to adduce sufficient evidence to show that searching for the information would have entailed a disproportionate effort.

This final point does, however, provide welcome clarification for data controllers that the concept of disproportionate effort will apply to the process of compliance with the SAR (i.e. finding or retrieving the relevant document) and not just to the supply of the document. Although Taylor Wessing was unsuccessful, this judgment indicates that, in appropriate circumstances, there may be a limit on the searches the data controller will be required to make, if the effort involved in finding and supplying the document outweighs the benefit to the data subject.

The COA noted that the fact that Taylor Wessing was the trustee's solicitors was altogether of little importance. The law firm was a data controller, regardless of the fact that it was acting as its client's agent, and besides the duty to claim privilege for their clients, the solicitors were otherwise in no special position in respect of their data protection obligations. Finally, the COA summarised that the existence of a collateral purpose behind a SAR (i.e. an intention to use such information obtained in the Bahamian litigation) does not invalidate it, and that data controllers cannot seek to refuse a SAR on the basis of its purpose alone.


Facebook says Irish challenge to US data transfers deeply flawed

Facebook has publicly questioned the merits of a challenge to the way in which it transfers EU personal data to the US that is currently being led by the Irish Commissioner. The social media giant has labelled the challenge "deeply flawed" and has said that there is no need for the case to be referred to the Court of Justice of the European Union (CJEU), because adequate data privacy protections are already in place.

In response to the public criticism by Facebook, the Commissioner for the Irish Commissioner stated that its complaint about the privacy protections afforded to transatlantic data transfers was "well founded". It is asking the CJEU to consider whether the model contractual clauses currently used by Facebook and many other organisations offer sufficient protection to EU based data subjects, or whether these should be struck down instead.

A lawyer for Facebook told the Irish High Court that the flaws in the Irish Commissioner's case related to the fact that the Commissioner had failed to consider the EU-US Privacy Shield agreement, which has been in force since last August. This agreement, a replacement for the Safe Harbor regime that was struck down by the European Court of Justice in 2015, purported to prevent US intelligence agencies from gathering personal data from EU sources. However, this regime is also currently subject to a separate legal challenge (see our November 2016 update here for more details).


UK Government to bring forward DP legislation in next session

Matthew Hancock, Minister of State for Digital Policy within the Department for Culture, Media and Sport, confirmed earlier this month that the UK Government will aim to ensure that data flows between the UK and the EU will continue uninterrupted both during and after Brexit.

Answering questions on the EU data protection package, the post-Brexit UK data protection landscape and EU-US data transfers at an EU Home Affairs Sub-Committee meeting on 1 February 2017, Hancock announced that the Government will be proposing legislation relating to data protection during the next parliamentary session. Hancock confirmed that the Government intends to enshrine the GDPR into UK law following Brexit and emphasised the fact that the UK would seek to match the EU's standards on data protection and that the UK was approaching the exit negotiations from a position of harmonisation rather than divergence. Please see here for our summary of the most important provisions in the GDPR.

The Minister also confirmed that the UK would be seeking to maintain relations with other "high quality" data protection regimes across the globe, and also suggested that being outside the EU's data protection system would allow the UK to respond to changes in data protection requirements with greater ease than before.


British Banking Association publishes "quick brief" on data protection post-Brexit

The British Banking Association (BBA) has published a series on "Brexit quick briefs" (BQBs) on its webpage covering the impact of Brexit on banking, aimed at informing members of the banking industry about the most important commercial, regulatory and political considerations to bear in mind in relation to Brexit.

BQB #5 focuses on data protection and data transfer arrangements for banks involved in the EU. It contains a detailed explanation of the current protection regime for EU personal data to be transferred both within the EU/EEA and beyond it. The guidance describes the nature of adequacy decisions in relations to data transfers and warns that the process for the EU and the UK to agree adequacy between their respective data protection regimes post-Brexit may not be straightforward. It also notes that, judging by the current experience of adequacy discussions with the USA, any adequacy decision process may take a significant length of time to conclude.

The BBA recommends that while adequacy talks are ongoing between the UK and the EU/EEA, British banks should be prepared to engage in transitional arrangements to ensure that data transfers to and from the EU/EEA are not interrupted. This is explained in more detail in BQB #6, entitled "Time to adapt- the need for transitional arrangements". The BBA recommends that banks should prepare to put data protection frameworks in place so that they can meet any additional requirements necessary for continued transfers with the EU/EEA, and also to enable them to continue to transfer data to countries beyond the EU/EEA as well.

Please click here for more information and access to the BBA's series of BQBs, including BQBs #5 and #6.


Australia adopts law on mandatory data breach notification

The Australian government has passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law. The passage of this bill has the effect of creating a mandatory breach notification regime in Australia.

The new law will require government agencies and business that are covered by the new law to notify any data subjects affected by a breach that is likely to cause them serious harm. The government agencies and businesses concerned will also be required to notify the relevant data protection authorities, who will then determine if any further action needs to be taken.

The introduction of this new law is aimed to strengthen the protection afforded to personal data in Australia and to increase the transparency surrounding public and private sector responses to data breaches on the whole.


NHS pressured by Home Office to release data to assist tracking of immigration offenders

The former head of NHS Digital, Kingsley Manning, has claimed that the Home Office placed him under "immense pressure" to share patient data. The requests aimed to obtain confidential patient information to help the Home Office track down immigration offenders. Despite Mr Manning resisting these requests, records show that in the past year over 8,000 items of personal non-clinical data has been given to the Home Office by NHS Digital.

The legal basis for allowing the Home Office to make requests for confidential patient information to trace immigration offenders has since been set out for the first time in a memorandum of understanding (MoU) published jointly by the Home Office and NHS Digital, which came into effect on 1 January 2017. It draws on exemptions contained in the Health and Social Care Act 2012 requiring the NHS to share confidential patient information records. The MoU justifies the Home Office's use of these provisions on the basis that it is in the public interest that "limited UK resources and public services…are protected from unnecessary financial and resource pressures". Several human rights and medical organisations called on the Government this month to suspend the NHS data sharing service until a public review of the merits of the system can be undertaken.


Cyber security

New York Department of Financial Services issues Final Cybersecurity Regulation

On 16 February 2017, the New York Department of Financial Services (the NYDFS) published the final iteration of its new cybersecurity regulation (the Regulation). The current Governor of New York, Andrew Cuomo, has hailed the Regulation as a "first in the nation regulation". The detailed Regulation, which has a far-reaching scope, is aimed at protecting both financial institutions and their customers from cybercrime, and the new provisions in the Regulation will require all those affected to perform an extensive review of their current cybersecurity arrangements.

Importantly, the Regulation requires organisations to appoint a Chief Information Security Officer (CISO) and put in place a cybersecurity programme; makes the board of directors ultimately responsible for cybersecurity issues; and requires organisations to self-certify compliance every year. In addition, the Regulation requires organisations to perform cybersecurity risk assessments and to conduct regular penetration and vulnerability testing. It also places obligations on organisations in relation to the encryption and physical security of data, and new requirements in respect of third-party access to the IT infrastructure and personal data. Finally, the Regulation creates a mandatory breach obligation whereby organisations must report all cybersecurity incidents that have a reasonable chance of causing material harm to the organisation to the NYDFS within 72 hours of the breach event occurring.

Small organisations (with an annual turnover of $5m or less) and organisations without access to personal data are not affected by the Regulation. However, those organisations that are covered by the legislation will need to move quickly, as the Regulation is due to come into force on 1 March 2017. However, not all of the Regulation's features will take effect immediately; affected organisations will have until 28 August 2017 to appoint a CISO and implement a cybersecurity programme, and testing does not need to commence until 1 March 2018.


UK under cyber-siege by increasing level of cyber attacks

The head of the new National Cyber Security Centre (NCSC), Ciaran Martin, has stated that the UK is currently subject to dozens of cyber-attacks a month. Martin further stated that the NCSC, which has been operational since October 2016 but which was only officially opened by the Queen earlier this month, has intercepted 188 "high-level attacks" targeted at the Government in the last three months. It is thought that many of these attacks were carried out by Russian state-sponsored hackers attempting to steal state secrets relating to UK defence and foreign policy.

The statement comes as Philip Hammond told the Sunday Telegraph that the NCSC has been responsible for blocking over 34,000 other potential attacks on the Government as well as private UK citizens in the five months since the NCSC went live in October.


Norway hit by suspected Russian hack attack

Norwegian authorities have claimed that the country's foreign ministry and its armed forces, among other national organisations, have been subject to a significant cyber attack carried out by a group thought to have links to Russian intelligence agencies.

The Norwegian intelligence service, the PST, reported that nine different email accounts had been targeted in so-called "spear-phishing" operations, which use malicious emails to try and gain access and compromise the accounts of high-ranking government officials. An official within the PST stated that it was difficult to know the exact motivation for the operation, but it is possible that there is a connection between the attack and legislative elections within Norway that are scheduled to take place in autumn 2017.

The suspected perpetrators, known alternatively as APT 29 or Cozy Bear, have previously been accused of interference in the US presidential election and their actions are believed to be directed in some way by either the Russian Security Service or the Foreign Intelligence Service.


ICO enforcement

Credit broker fined after sending over five million unlawful text messages

The ICO has issued a fine of £120,000 to credit broking company Digitonomy Ltd for unlawfully sending more than five million marketing text messages without the consent of the recipients.

The ICO received over 1,400 complaints in the period between April 2015 and February 2016 about the marketing texts, which directed recipients to Digitonomy's website and encouraged them to apply for loans from the company.

Digitonomy was operating on the basis of consent wording that stated that customers consented to being contacted by "us and our trusted partners … by SMS, mail, email, telephone and automated message." The consent wording made no direct reference to messages being sent for marketing purposes and was therefore insufficient and not in compliance with data protection law.


ICO issues eleven charities with notice of intent

Eleven UK-based charities have been issued with notices of intent to fine by the ICO. The charities now have 28 days to respond to the ICO's findings and may receive fines if the ICO is not satisfied with the answers it receives from them.

The investigation into the practices of the eleven charities is part of a wider operation initiated following the publication of numerous reports in the media claiming that donors were being repeatedly placed under significant pressure to donate. The RSPB and the British Heart Foundation have already received fines as part of this operation (see our December 2016/January 2017 bulletin here for more details).

The ICO held a conference at Manchester town hall on 21 February 2017 that aimed to assist charities and similar organisations to comply with data protection law. It is hoped that this will boost awareness of the need for data compliance for all organisations that handle personal data.


Business could face fines for ignoring CCTV data protection

The ICO has prosecuted a business owner for making use of in-store CCTV and failing to register her use of the cameras with the ICO, as required under the DPA. The business owner, Kavitha Karthikesu, claimed that she did not know she was required to register with the ICO despite receiving several warning letters to that effect, which she thought were spam.

Ms Kavitha pleaded guilty to an offence under section 17 of the DPA and was fined £200 by the ICO. The ICO's head of enforcement, Steve Eckersley, has stated that there is a clear message in the ICO's decision to prosecute: businesses that operate CCTV cameras must register with the ICO or face the consequences if they fail to do so.




Alison Llewellyn

Alison Llewellyn

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London