03 Jul 2017

Data Protection update - June 2017


Welcome to the June 2017 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions. 

Data protection

Cyber security

ICO enforcement


Data Protection

ICO issues revised guidance on Subject Access Requests

The Information Commissioner’s Office (ICO) has issued a revised (and comprehensive) 65-page guidance note which provides organisations with recommendations of good practice when responding to Subject Access Requests (SARs). Notably, this guidance reflects current rules under the Data Protection Act 1998 (DPA) and does not make reference to the changes that will apply to SARs under the General Data Protection Regulation (GDPR).

The ICO recognises that compliance with a SAR can be burdensome for a data controller, and the revised guidance adopts a more data controller-friendly perspective by reflecting the fact that the courts have, in recent cases, more readily embraced the concept of proportionality of searches. However, the ICO does warn that this does not mean that a data controller can easily use arguments of disproportionality to avoid complying with a SAR, as the high burden of proof is on the data controller to show that it has taken all reasonable steps to comply and that it would be disproportionate in all the circumstances for the data controller to take further steps.

In addition, the ICO expects parties to engage in productive dialogue about SARs and considers it good practice for the data controller to engage with the applicant, confirming that if it receives a complaint about an organisation's handling of a SAR, it may consider, amongst other factors, the organisation's readiness to engage with the applicant.

On the question of deleted data, the ICO confirmed it does not require organisations to expend time and effort reconstituting information that they have deleted as part of their general records management. However, to the extent an organisation's IT systems readily allow it to find archived or backed-up data for its own purposes, it is required to use the same effort to find information in order to adequately respond to a SAR.

The ICO has also advised that:

  • it does not expect organisations to instruct staff to search their private emails or personal devices in response to a SAR unless they have a good reason to believe that they are holding relevant personal data; and
  • individuals may make a SAR using any Facebook page or Twitter account the organisation in question has, other social-media sites to which it subscribes, or possibly even via third-party websites.

For the full revised code of practice, please click here.


Belgian data authority's recommendation regarding designating a Data Protection Officer

The Belgian Privacy Commission (BPC) has issued a recommendation (the Recommendation) for organisations that are required to appoint a Data Protection Officer (DPO) on or before 25 May 2018, in accordance with the GDPR. Under the GDPR, organisations are required to appoint a DPO if their core activities consist of either:

  • regular and systematic monitoring of data subjects on a large scale; or
  • processing, on a large scale, of special categories of data (i.e. sensitive data such as race, religion, sexual orientation etc.) and personal data relating to criminal convictions.

The Recommendation aims to provide guidance in response to questions that it has received regarding the DPO function and the compatibility of its function with other existing roles in a company (e.g. security officer, compliance officer, risk manager, human resources director, IT director).

According to the BPC, companies must assess compatibility of the DPO role with any other existing role on a case-by-case basis in order to ensure compliance with the requirements of the GDPR and avoid potential conflicts of interest. The BPC also recommends that companies document the analysis and decision-making process, as well as their final choice of DPO. It should be noted that companies are able to appoint external DPOs, particularly if there is no internal candidate with the relevant qualifications (whether this is as a result of conflicts of interest or otherwise).

In line with the GDPR and the revised guidelines of the Article 29 Working Party published in April 2017 (see our summary on this here), the Recommendation outlines the role and tasks that the BPC envisages will be carried out by the DPO, which includes (1) monitoring compliance with the GDPR, (2) assistance with data protection impact assessments, (3) assistance with internal record-keeping obligations and (4) cooperation with data protection authorities.


Italian Data Authority's decision provides useful elements to companies looking to rely on legitimate interests

The Italian data protection authority (Garante) announced in its monthly newsletter that it had ruled against automotive service company Belron Italia S.p.A. in a decision under the Italian Personal Data Protection Code. Belron Italia had sought to create a database to record and track the data of its customers who had requested a quote for replacement of their car windows. The database was designed to detect insurance fraud by allowing the cross-referencing of lists of individuals who, in the following six months, applied for window insurance and made a claim with an insurance company for the same. Belron Italia would then share this information with its affiliated insurance companies to assist them in preventing fraudulent insurance claims.

The Garante expressed the following concerns regarding the planned processing:

  1. The assessment of insurance fraud is normally the domain of public bodies to investigate and police. Such a database would grant a supervisory role to a private body with no investigatory training or guarantees of impartiality.
  2. The use of such a database could result in an unjustified presumption of fraud, potentially resulting in unfair effects on innocent data subjects.
  3. Belron Italia presented insufficient evidence of an overriding interest over the rights and freedoms of data subjects to justify the processing of their personal data in this manner.

The Garante's decision is useful in understanding how other Data Protection Authorities may approach the interpretation of the "legitimate interests" grounds in the future. The clear message from this case is that companies will need to document a detailed context-specific analysis weighing the benefits for the company against the interests and risks to the rights and freedoms of individuals.


ICO's response to the GDPR consultation on national derogations

The ICO has published its response to the consultation of the Department for Culture, Media and Sport seeking views on the derogations contained within the GDPR. The GDPR provides for various national derogations where Member States can introduce their own national law. Although some of these derogations relate to technical matters, others are central to the functioning of an effective data protection regime, for example, those dealing with freedom of expression versus privacy or the modification of subject access rights in certain contexts.

The general approach of the ICO will be to replicate the existing arrangements under the Data Protection Act 1998 where they work satisfactorily. This will minimise disruption and bring certainty to the data protection regime in the UK. The ICO confirmed that it also supports the introduction of new derogations but only where this is necessary for the effective functioning of GDPR or where there is a clear need.

For the full response, please click here.


UK government committed to implement GDPR

The Queen’s Speech has been praised for removing any doubt about the UK’s commitment to data protection by promising a new data protection law, in this Parliament, aimed at ensuring that the United Kingdom retains its world-class regime protecting personal data, with proposals for a new digital charter designed to ensure that the United Kingdom is among the safest places to be online. The Government has also confirmed that the UK will implement the GDPR when it comes into force in May 2018 (acknowledging that the GDPR will have direct effect on all EU Member States). This is a welcome move that will supply businesses with certainty on the UK's intention to meet the obligations of the GDPR.

For the full text version of the Queen's speech, please click here.



New powers for EU law enforcement to access data to aid terrorist investigations

The European Commission (Commission) has outlined three possible legislative options to representatives of the national governments of all EU Member States at a meeting of the Council of Ministers, regarding the introduction of new powers for EU law enforcement to access personal data to aid terrorist investigations.

The most extreme option proposed would see law enforcement agencies given the power to access data directly from the servers of technology companies in "emergency" situations. EU justice commissioner Věra Jourová indicated that "additional" privacy safeguards would accompany such new powers, although it is unclear what these safeguards would consist of.

The second option being considered is that authorities in one EU Member State would be given the power to request access to data held by technology companies based in another EU Member State without having to first ask the authorities in that Member State.

Alternatively, the Commission could seek to force technology companies to hand over data on a cross-border basis when requested to do so by authorities in another EU Member State.

The types of data that could fall within the scope of the law were also discussed, with options ranging from non-content data such as location or traffic data to personal communications data. Věra Jourová indicated a preference for enabling the use of personal data as an extraordinary measure for extraordinary threats such as terrorism.


European Commission's push for a greater EU role in cybersecurity

The Commission has unveiled plans to increase its role in directing cyber security policy across the EU. In a recently published paper, the increased threat posed by cyber-attacks was highlighted by the Commission as a key reason to build a closer union in respect of cyber defence efforts.

It sets out three standards of cooperation:

  • Security and Defence Cooperation: the 27 post-Brexit EU Member States would cooperate on security and defence more frequently than in the past;
  • Shared Security and Defence: Member States would begin closer financial and operational integration with respect to security and defence measures; and
  • Common Defence and Security: cohesion and mutual assistance between Member States would become the default position on security and defence issues. This would involve a common EU defence policy.

The Commission suggested that common defence and security arrangements would allow the EU to coordinate responses to cyber-attacks and pool resources in relation to information sharing and technological cooperation. In light of Brexit, it is unclear how much involvement the UK will have if the EU does introduce a common EU defence policy.

Separately, the EU Commission also published a communication that highlights the importance of launching a European Defence Fund as soon as possible. The purpose of the fund is to counter the current lack of defence cooperation between EU Member States. The fund will, amongst other initiatives, support cybersecurity projects.

To read the Commission's paper and communication please click here and here.


Cyber-attack on Parliament: Dozens of email accounts hacked

The UK Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and peers' email accounts. The hackers targeted email addresses protected by weak passwords and managed to gain access to up to 90 email accounts.

The hack prompted the UK Parliament's IT team to shut down access to email accounts. It has been reported that the attack has now been contained but internal investigations suggest that a large number of communications may have been compromised, for example, communications between constituents and their local MP. It is widely thought that blackmail is a possible motive.


"Petya" ransomware attack

In May, the WannaCry ransomware virus quickly spread around the world infecting hundreds of thousands of computers. Now, another piece of malware called "Petya" is spreading through networks that use Microsoft Windows. Organisations across Europe and the US have been impacted including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk.

Experts have expressed concerns that Petya is much worse than the WannaCry ransomware, as the aim of Petya appears to be the mass destruction of data. In comparison, the WannaCry ransomware was spread to obtain ransom payments from those impacted.

At this stage, it is unclear what it is, why it is happening or how it can be stopped.


ICO enforcement

Two city councils fined for processing and publishing personal information

Gloucester City Council (GCC) was fined £100,000 for failing to prevent a hacker, who claimed to be part of the 'Anonymous' cyber terror group, from downloading over 30,000 emails. The emails contained financial and sensitive personal information belonging to between 30 and 40 current and former staff members of GCC.

GCC's IT Staff had previously identified that there was a vulnerability present in their own system. Whilst a patch for the affected software was available and GCC intended to apply the patch in accordance with its update policy, when GCC outsourced its IT services to a third party company, the vulnerability of the software was overlooked and no action was taken.

Basildon Borough Council was fined £150,000 by the ICO after sensitive information surrounding a family was published onto the Basildon Planning Portal. The event occurred as a result of the building request of a traveller family that had been living in a relevant green belt site for many years. The statement published referred to the family's disability requirements including mental health issues, the names and ages of each family member and the location of the site. The statement was given to a planning technician who was inexperienced in checking documents related to planning applications containing sensitive information. He did not notice that sensitive information was embedded in the statement and as a result, did not make the required redactions prior to publishing the building request on the portal.

Please click here and here for more information.


First-tier Tribunal reduces ICO fines for unsolicited marketing texts based on company's size and profit

The First-tier Tribunal upheld the ICO's decision that LAD Media Ltd had breached regulation 22 of the Privacy and Electronic Communications Regulations (PECR) but reduced the amount of the monetary penalty notice from £50,000 to a lower fine of £20,000 after considerations were taken into account about the company's size and the effect that the fines would have on the company.

LAD Media had purchased data from a third party data supplier relating to data subjects who had opted in to receive marketing text messages. The third party supplier published general privacy notices on its websites when it obtained the individuals' consent. LAD Media provided the ICO with contracts entered into with the third party supplier, stating that the data provided to LAD Media had individuals' consent. However, when a third party sent 393,872 direct marketing text messages on LAD Media's behalf the ICO received 158 complaints, highlighting that the indirect, or third party, consent was not sufficiently clear and specific.

The original decision highlights the importance of carrying out thorough due diligence when buying third party marketing lists to ensure that the seller has provided sufficient information to individuals to enable them to give the required consent to the use of their personal data for electronic direct marketing purposes.


Morrisons fined £10,500 for ignoring opt-out requests

The national supermarket chain WM Morrison Supermarkets (Morrisons) was fined £10,500 by the ICO for sending 236,651 emails entitled 'Your account details?' to customers who had opted out of marketing of the Morrisons More card marketing scheme. The email suggested that if the individual changed their personal preferences, they would start receiving money-off coupons and would be entered back into receiving marketing and emails, despite having previously opted out of direct marketing.

As Morrisons were unable to evidence that the individual who had the emails sent to him had consented to receiving them, the Commissioner decided that the company contravened regulation 22 of PECR as it was the responsibility of Morrisons to ensure that sufficient consent had been acquired from the customers.

Please click here for more information.




Alison Llewellyn