• Home
  • News
  • Data Protection update - June 2015

30 Jun 2015

Data Protection update - June 2015


In this issue, we outline the progress being made with the draft Data Protection Regulation, together with calls by the French data protection authority (CNIL) for Google to extend Europe’s ‘right to be forgotten’ globally.

We consider the new USA Freedom Act, passed on 2 June 2015, which has been called “the most important surveillance reform bill since 1978”. We also outline guidance issued on binding corporate rules, and summarise a new data protection development in the Netherlands.

In our cyber-security section, we consider a major data hack affecting the U.S. Government, as well as recent hacks relating to companies in the UK.

Finally, we continue to keep you up to date with the latest enforcement activity of the ICO.


EU Council agrees draft Data Protection Regulation

Progress is finally being made with the draft Data Protection Regulation, as Justice Ministers in the EU Council reached a ‘General Approach’ on the new data protection rules which largely confirms the approach taken in the Commission's 2012 proposal, and includes the must-discussed 'one-stop shop'. The Council also endorses the principle of the right to be forgotten, but clarifies that it will be subject to certain exceptions, and has confirmed the right to data portability, making it easier for data subjects to transfer personal data between service providers.

Trilogue negotiations between the Council, the European Parliament and the EU Commission commenced on 24 June, with Europe now one step closer to a single, harmonised set of data protection rules. The current aim is for the Data Protection Regulation to be finalised by the end of 2015, coming into force in 2017.

CNIL calls to extend ‘right to be forgotten’ globally

The CNIL has called for Google to extend Europe’s ‘right to be forgotten’ globally.
Google accepted the ECJ’s ruling last year that citizens may require Google to remove embarrassing or sensitive results for queries that include their name. However, Google’s policy is limited to removing links from European versions of its search engine only and the CNIL has now said that Google should remove sensitive links from all global versions of the search engine. Google has been given 15 days in which to comply, failing which the CNIL will consider commencing a process which may lead to possible sanctions.


USA Freedom Act 

Following the expiry of US surveillance power provisions under the Patriot Act at midnight on 31 May 2015, including the National Security Agency’s (NSA) phone records collection, the US Senate on Tuesday 2 June passed a bill for the USA Freedom Act.

This Act will permanently ban the bulk collection of millions of Americans’ phone records by the NSA and introduces new transparency rules for other surveillance activities, in what is considered the country’s most significant surveillance reform since the 1978 Foreign Intelligence Surveillance Act.

Senators voted 67-32 to pass the USA Freedom Act. Barack Obama signed the legislation, saying he would “work expeditiously to ensure our national security professionals again have the full set of vital tools they need to continue protecting the country”.

Senators who voted against the bill described it as a reckless rescission of important national security tools, and said it would “put the country at risk” of a terrorist attack. Kevin McCarthy, the Republican majority leader, who fought against changes to the Patriot Act, called the USA Freedom Act “a resounding victory for those who currently plotted against our homeland”.

Last year, an independent analysis of hundreds of terrorism cases in the US concluded that the NSA’s collection of phone records has had no distinguishable impact on preventing acts of terrorism.


Guidance issued on binding corporate rules

The Article 29 Working Party, a committee made up of representatives from data protection authorities based across the EU, has issued an updated explanatory document on binding corporate rules (BCRs).

EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except to countries deemed “adequate” (e.g. Argentina, Canada and Switzerland). Where transfers are to be made to other countries, legal mechanisms must be adopted in order to provide adequate protection, including putting in place BCRs.

BCRs are legally enforceable contractual provisions agreed with regulators that commit businesses to handling and protecting personal data in a way which accords with the requirements of EU data protection law, when a company is seeking to transfer personal data from the EU to other offices within the same company, or to other companies in the same business group in non-EEA locations.

In its guidance, the Working Party states that parties to BCRs must demonstrate to data protection authorities that the BCRs they put in place are "effectively binding throughout the group". The BCRs must also be capable of being "understood and effectively applied by those having data protection responsibilities within the organisation". They also confirm that businesses outsourcing the processing of personal data to other companies can permit these suppliers to add sister companies as sub-processors of that information at a later date if the supplier has put in place BCRs for processors, provided that the data processors notify data controllers about those arrangements where such freedom is given to them.

Click here to read the guidance in full.

Netherlands implements new breach notification law

On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The Bill introduces an obligation on data controllers in the Netherlands to notify a breach of security measures protecting personal data to the Dutch Data Protection Authority.  The law may also require data controllers to update agreements with their data processor to account for breach notice obligations. Fines for violations of the Dutch Data Protection Act will significantly increase, with a failure to comply with the rules which could lead to fines of up to €810,000 or 10% of the company’s net annual turnover.  It is expected that the majority of the requirements will enter into force on 1 January 2016, with the exact date to be determined by Royal Decree.


US Government Hacked

This month saw a massive data breach of US Government data involving the Office of Personal Management (OPM), the human resources department for the federal government, which also handles security clearances, and the Interior Department.

OPM Director Katherine Archuleta has stated that the first hack the agency discovered in April involved a breach of the personnel records of about 4.2 million current and former employees. However, a second separate, but related, data breach was discovered in June as the first was being investigated, with hackers able to gain access to records of background check investigations done on current, former and prospective employees who applied for jobs requiring a security clearance. The agency is carrying out preliminary investigations to establish whether up to 18 million unique Social Security numbers were stolen as part of the attack on security-clearance records.

China has routinely denied accusations by US investigators that hackers backed by the Chinese government have been behind attacks on US companies and federal agencies. However, suspicion has fallen on China as the source of the attack, having already been accused of carrying out cyber-espionage against the US in the past.

Cybersecurity Firm Hacked

LastPass, a company that stores its customer’s password collections online and permits access to them using master passwords, has been subject to a cyber-attack. Hackers gained access to password reminders, email addresses and encrypted master passwords. The company are now implementing additional security measures to ensure that data remains secure.

Bettys & Taylors of Harrogate Hacked

On 8 May 2015, the company discovered a breach of its database, with 122,000 registered online customer details copied due to an “industry-wide software weakness”. The data is limited, however, to names, email addresses and encrypted passwords; credit card details were stored by a certified third party. The company has informed the ICO, and set up a dedicated website to provide further information about the breach.

ICO activity


The ICO has issued the following undertakings to comply with the seventh data protection principle: 

  • To Pembrokeshire County Council for failure to properly redact sensitive personal data relating to a number of individuals from a response to a subject access request.
  • To the London Borough of Hammersmith and Fulham following incidents where personal data relating to a number of individuals was sent to unintended recipients due to typing errors in the address of the correspondence.
  • To South West Yorkshire Partnership NHS Foundation Trust following a series of incidents where patient data was sent to incorrect addresses.

An enforcement notice has also been issued to the Department of Finance and Personnel for Northern Ireland (DFPNI) ordering them to answer all outstanding freedom of information requests over six months old as a result of late responses to certain FOI requests and a subsequent failure to make improvements.

ICO Raid

On 24 June 2015 the ICO raided a business believed to contain an automatic dialler suspected of making 100,000 calls a day. It is thought the business made automated calls playing a recorded message.

The ICO received more than 7,000 complaints about calls believed to have been made by the business. The law on making automated calls playing recorded messages is stricter than on other marketing calls. Organisations can only make automated marketing calls to people who have specifically consented to receiving automated calls from that organisation. The business will remain anonymous while investigations are ongoing.

ICO guidance on monetary penalty notices

In April 2015, the Information Commissioner published updated guidance on the issue of monetary penalty notices under the Data Protection Act 1998 (DPA) to replace its 2012 guidance.

However the new guidance does not include the recent amendment made by Privacy and Electronic Communications Regulations 2015 (PECR). With effect from 6 April 2015, the Privacy and Electronic Communications Regulations 2015 amended section 55A(1) of the DPA to remove the need to prove "substantial damage or substantial distress" before imposing a fine in respect of a serious breach of regulations 19 to 24 of the Privacy Regulations 2003 (relating to unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of sender and the information regulations).

The guidance is therefore not currently an accurate reflection of the law in relation to the issue of monetary penalty notices. The ICO has advised that they are awaiting statutory guidance and, once they receive this, will update and publish new guidance which accurately reflects the current legislative position.