02 Jun 2021

Data Protection update - May 2021


Welcome to our Data Protection bulletin, covering the key developments in data protection law from May 2021. 

Data protection

Cyber security

Regulatory enforcement

Civil litigation

Data protection

As the EU publishes final versions of the updated SCCs, the UK prepares its own international transfer mechanisms

The European Commission has today, 4 June 2021, published final versions of the new SCCs, both for international transfers of personal data and between controllers and processors. For details, see here

We will send a separate update with a detailed analysis of on the final versions and on how they differ from the drafts. The key point to note is that the transition period for updating existing SCCs is 18 months, not 12 months as was proposed in the draft implementing decision. This gives organisations a little more time to remediate their existing contracts.

The Commission's draft SCCs were released in November 2020 and they work to update the existing SCCs to bring them in line with the GDPR and to address the issues arising from the Schrems II decision in July 2020 (for more information, please see our commentary here and here). In this decision, the Court of Justice of the European Union ("CJEU") decided that the SCCs were valid, but only on the basis that they require both parties to the SCCs and the competent supervisory authority to assess the recipient's ability to comply with the SCCs (for more information about this decision, please see our updates on Schrems II  here and here).

Shortly after the release of the draft SCCs, the EDPB and the European Data Protection Supervisor ("EDPS") published joint opinions which largely criticised the Commission's subjective approach and contained a number of recommendations (for more information, please see our January 2021 update, accessible here). 

Now that the UK has left the EU, the new form of SCCs will not automatically be adopted for use under the UK GDPR when making international transfers from the UK. However, Steve Wood, the ICO's deputy commissioner and executive director for regulatory strategy, recently confirmed at the ICO's Data Protection Practitioner's Conference that the ICO was developing its own SCCs for the international transfer of data by businesses. The ICO plans to commence a consultation process with organisations and data protection practitioners in the summer. It is expected that the new UK SCCs will be similar to the new European SCCs, and it has also been suggested that the UK may even consider accepting the new European SCCs as appropriate safeguards for transfers from the UK, to the extent that they are equivalent to the new UK SCCs. This would be welcome to large international groups, in that it may minimise the need to put both EU and UK SCCs in place to cover identical transfers from the two regions to a third country.

European Commission's draft UK adequacy decisions to be amended after being criticised by the European Parliament's civil liberties committee

In the latest step in the EU considering adequacy decisions for the United Kingdom, a resolution was approved by the European Parliament's civil liberties committee on 11 May 2021 (the "Resolution") that criticised the draft adequacy decisions from the Commission. For more information on the draft UK adequacy decisions see our February 2021 bulletin (accessible here) and for information on the opinions from the EDPB on the Commission's draft adequacy decisions, see last month's bulletin (accessible here).

The Resolution contested the Commission's finding that the UK's data protection regime is "essentially equivalent" to the EU's, instead stating that "the UK rules on the sharing of personal data under the Digital Economy Act 2017 and on onward transfers of research data are clearly not 'essentially equivalent'" to the EU's GDPR. The Resolution further stated that it was "strongly concerned that a UK adequacy status would therefore lead to the bypassing of the EU rules on transfers to countries or territories not deemed adequate under EU law."

On 20 May 2021, the European Parliament voted to ask the Commission to modify its draft adequacy decisions in light of the concerns raised in the Resolution and to take account of recent EU court rulings. While the outcome of this resolution is not binding on the Commission, it will carry significant weight.

The ICO's New Data Sharing Code of Practice has been laid before Parliament

On 18 May 2021, the ICO's new Data Sharing Code of Practice ("the Code") was laid before Parliament, having originally been published and presented to the Secretary of State on 17 December 2020 (our commentary on this can be accessed here). The Code will come into force after 40 Parliamentary sitting days.

The ICO has stated that the Code aims "to give businesses and organisations the confidence to share data in a fair, safe and transparent way, and it dispels many of the remaining myths about data sharing." The Code covers issues including:

  • the standards required for data-related due diligence;
  • recommendations for businesses that trade data; and
  • data transfers in emergencies.

Once in force, the Code will become a statutory code of practice and, while it will not itself form part of data protection law, the ICO must take it into account when assessing whether an organisation has complied with the UK GDPR and the Data Protection Act 2018 ("DPA 2018").

Facebook suffers another blow after Irish High Court requires Irish DPC to stop EU-US data transfers

On 14 May 2021, the Irish High Court rejected Facebook's challenge to the Irish DPC's preliminary decision which required it to suspend all data transfers from the EU to the US. Facebook said that this preliminary decision threatened devastating and irreversible consequences (our previous analysis on this can be accessed here).

Facebook's challenge was to determine whether the Irish DPC had acted too hastily in issuing the draft order without first receiving any guidance on the Schrems II decision from the EDPB. In rejecting Facebook's challenge, Mr Justice David Barniville stated in the judgment that Facebook "has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC."

In a statement, Facebook commented on the decision:

"Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities. We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses."

While Facebook's statement seems to indicate that the battle is not yet over, Max Schrems  believes that time is running out for EU-US data transfers: "After eight years, the DPC is now required to stop Facebook's EU-U.S. data transfers, likely before summer." Such a decision could have far-reaching consequences, not just for Facebook, but for many other organisations that need to make transatlantic personal data transfers.

The ICO and CMA's joint statement sets out plans for cooperation in the digital market

On 19 May 2021, the ICO and the CMA published a joint statement which sets out plans to enhance cooperation between the two regulators. The statement recognises that there is already a strong overlap between competition and data protection in the digital regulatory landscape. In addition, however, it also recognises the tensions that can exist between competition and data protection. The regulators seek to reduce and overcome such tensions by enhancing cooperation.

The aim is to promote and support outcomes that are pro-competition and pro-privacy, as follows:

  • to ensure that users are clearly told what personal data is collected, how it will be used and how to make an informed choice before accepting the terms;
  • to ensure that the design and default settings protect user interests;
  • to ensure that users have a satisfactory choice between service providers and platforms (and that they can easily switch between these);
  • to ensure that digital services providers are able to compete with each other; and
  • to ensure that platforms are incentivised to encourage innovation and the development of new methods of advertising which use less personal data.

To reinforce this commitment, the ICO and CMA entered into a Memorandum of Understanding ("MoU"), with the goal stated as being "to ensure a digital ecosystem where people have a genuine choice over the service or product they prefer, with a clear understanding of how their data will be used to inform that decision." The MoU fits within the programme of work being championed by members of the Digital Regulatory Cooperation Forum to enhance coordination between regulators across digital and online services. This shows an intent to use a wide range of tools and sanctions to regulate digital markets and services in the future.

MoU signed between the ICO and New Zealand Office of the Privacy Commissioner

On 12 May 2021, it was announced that the ICO and the New Zealand OPC had signed a MoU. The MoU will govern the relationship between the two parties and, in particular, it provides for co-operation between the two authorities when it comes to the enforcement of data protection laws.

The ICO's press release stated that: "Cooperation between international data protection authorities is essential in our times of global data-driven business and this MOU builds on the strong collaboration the two authorities already enjoy as active members of the Global Privacy Assembly, which the ICO currently chairs. The MOU comes soon after New Zealand’s new privacy law has come into force, and at a time of increasing trade between the UK and New Zealand."

The UK has already confirmed that it recognises New Zealand as an adequate jurisdiction for data transfers. While the MoU does not permit the sharing of personal information, it states that the two regulators can (among other things decided from time to time): (i) share experiences and exchanges of best practice; (ii) implement joint research projects; (iii) cooperate in any specific projects of interest; (iv) exchange information in relation to a contravention of personal data protection legislation; (v) lead joint investigations into cross border personal data incidents; and (vi) convene bilateral meetings.

WhatsApp's privacy update continues to cause global upset

WhatsApp, the instant messaging service owned by Facebook, is in the process of rolling out a new privacy policy which is intended to facilitate the introduction of WhatsApp Business, a product designed to enable instant messaging between users and businesses, with the latter paying to use the service. While WhatsApp has already extended the deadline for users to accept the terms of the new policy once before, it recently announced a further extension and confirmed that no user accounts would be deleted until the expiration of the extended deadline. This news follows significant global backlash regarding the terms of the new policy and, in particular, the sharing of data between WhatsApp, Facebook and other third parties. Such concerns have arisen despite WhatsApp's repeated attempts to reassure users that the update wouldn't impact the privacy of personal messages for standard users. In a striking blow, German regulators temporarily banned the update on 13 May 2021 and this may indeed extend to an EU-wide ban. There have also been protests in India against the new policy.

Organisations that enable staff to communicate and run the business via WhatsApp should consider the update in light of their own security policies.

EDPB adopts guidelines on the targeting of social media users

Following a public consultation process that concluded on 19 October 2020, the EDPB adopted finalised guidelines on the targeting of social media users on 13 April 2021 (the "Guidelines") (please see our previous analysis of the draft guidelines here).

The key takeaways are as follows:

  • The Guidelines provide that there are three different types of data that can form a basis for the targeting of social media users (provided data, observed data and inferred data).
  • A joint controllership may exist between social media platforms and advertisers if they jointly determine the purposes and means of processing. As such, each party must justify its processing of personal data by showing the existence of a legal basis.
  • Prior to the commencement of any targeting operations where a joint controllership exists, each party must assess whether the targeting operation is likely to result in a high risk. If the answer is yes, a data protection impact assessment ("DPIA") is required. A DPIA is also necessary where special category data is being processed.
  • Social media providers and advertisers must ensure that data subjects are easily able to exercise their rights at all times. An easy-to-use tool should be made available to the data subject to facilitate this.
  • It is not enough to tell users that they are being subjected to "advertising" methods. Data subjects should be informed of the way in which their data is being processed in a concise, transparent and intelligible manner.
  • Social media platforms and advertisers will be jointly responsible for the processing of personal data (including special category data), although they may not share responsibility equally.

In order to comply with the GDPR, joint controllers must agree their respective responsibilities and the specific stages of the processing that they are responsible for. The level of responsibility each party possesses will be determined by that party's influence over the processing. 

Cyber Security

Insights from the FCA's 2020 Cyber Coordination Groups

The FCA recently published Insights from its 2020 CCG meetings, a consultation process involving 157 firms, with each CCG representing a specific sub-sector. What becomes obvious upon reading the FCA's summary is the unprecedented effect that the Covid-19 pandemic has had on information security. This can largely be attributed to the mass shift to remote working and the increasing sophistication of individuals seeking to exploit pandemic related vulnerabilities. The CCG groups further identified the following as major cyber threats: ransomware attacks, Denial of Service attacks, cloud security, insider threats and inadequate supply chain oversight and security.  

On a more positive note, however, the 2020 CCG's illuminated a number of promising emerging trends, such as Zero Trust security models and various tools that can be used both to resist and respond to cyber-security attacks.

Highlights from the NCSC's CYBERUK2021 conference

The NCSC hosted its CYBERUK2021 conference in May 2021 (albeit virtually, with much of the content still available to view online). The key takeaways from the conference are as follows:

  • The NCSC used the conference as an opportunity to launch its updated 10 steps to cyber security guidance. This update considers new cyber-security threats that have been brought about by the Covid-19 pandemic, the rise in ransomware attacks and the increasing use of cloud services.
  • To coincide with the publication of the updated 10 steps to cyber security guidance, the NCSC also launched an early warning notification service that provides alerts to registered organisations where they have identified potential cyber-attacks on their networks.
  • Priti Patel announced that the UK Government would formally review the Computer Misuse Act; and
  • Dominic Raab warned Russia to stop sheltering those responsible for ransomware attacks and stated that they "have a responsibility to prosecute those gangs and individuals".

Regulatory enforcement

ICO issues £90,000 fine to Amex for marketing emails

The ICO has issued a monetary penalty of £90,000 to Amex for sending over four million unsolicited emails between 1 June 2018 and 31 May 2019.  These emails were sent for direct marketing purposes in breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Amex said, in its response to the ICO in July 2019, that one of the key features of its cards were the various benefits and rewards which were available.  In its customer terms and conditions, Amex said that it would contact customers with product features, benefits and rewards. Amex therefore categorised the emails as “servicing” emails, which were always concluded with a footer saying that the recipient was receiving the “service related email as it contains information about an integral benefit of your Card”.  The Amex internal policy defined “servicing” emails as “communications which included information promoting services and/or benefits associated with the Amex product held by recipient”, and Amex considered that the emails in question were "required to be sent based on legal and contractual requirements" arising from its agreements with its customers.

The ICO disagreed. In its monetary penalty notice (the "MPN") the ICO explains:

  • The emails constituted “direct marketing” as defined by section 122(5) of the DPA 2018 as they encouraged customers to use their Amex card to make purchases and/or to download and use the Amex app for Amex's financial benefit.The ICO said that the emails were not “servicing” emails as “the emails engaged in advertising and marketing (…) none of the emails in question were neutrally worded and purely administrative in nature.Instead, each email sought to encourage the customer to make purchases on their Amex card”; and
  • Just under half of the customers who had received these service messages had opted-out, or not opted-in, to the receipt of marketing communications.

The ICO considered therefore that, notwithstanding that the breaches of PECR were not deliberate, they were negligent as Amex had failed to take reasonable steps to prevent the contraventions, and therefore ought to be subject to a fine. However, the ICO accepted that, in mitigation, Amex had undertaken an internal investigation into relevant matters and adapted its practices accordingly, and that it stopped marketing to customers who had opted-out of receiving direct marketing via email.

This fine is similar in size to the penalty issued to EE Limited in June 2019, in relation to the sending of over 2.5 million direct marketing text messages without its customer’s consent in breach of Regulation 22 of PECR. 

We previously reported (in our February update) on a decision of the Upper Tribunal which provided some guidance on the application of Regulation 22 of PECR.

Dutch DPA fines website for processing EU citizens’ personal data without a designated EU representative

The Dutch DPA, the Autoriteit Persoonsgegevens (“AP”), has fined Locatefamily.com (“LF”) €525,000 for failing to designate a GDPR representative.  LF is a website which allows people to search for the contact details of family members who they may have lost.  In its representations to the AP, LF said that it was not situated in the EU (it appears to be located in the US, although the position is somewhat opaque) and did not offer goods or services to the EU.  However, in its investigation the AP found that LF processed the personal data of approximately 700,000 Dutch individuals.

Article 27 of the GDPR requires that data controllers or processors that process EU citizens’ personal data, for the purpose of offering goods or services or behaviour monitoring, but are not established in the EU, must designate in writing a representative in the Union.  The representative must liaise with the data subjects and regulators where necessary and must be based in an EU country where the relevant data subjects are located. 

The AP deputy chair said that they issued the fine because data subjects: “must have an easy way to have [their personal data] removed.  That’s not possible here, partly because LF does not have a representative in the EU.  That’s why we issued the fine”.

In its notice, the AP required that LF remedy the situation by appointing a data representative in the EU by 18 March 2021.  If LF did not comply within that timeframe then it faced a further fine of €20,000 per fortnight up to a maximum of €120,000. 

We previously reported (in our January update) on the decision of Jay J in Soriana v Forensic News LLC and Others [2021] EWHC 56, which provides significant guidance on territorial scope pursuant to Article 3(1) of the GDPR, which will, of course, be determinative of the application of Article 27 of the GDPR to a given data controller or processor.

European Parliament adopts a resolution to start infringement procedures against the Irish DPC

The European Parliament has adopted a resolution calling for infringement procedures to start against the Irish DPC because of an “insufficient level of enforcement of the GDPR”. 

A key concern raised in the resolution is the implications of the unsuccessful attempt by the DPC to shift the cost of the judicial procedure for proceedings brought by Max Schrems on to Mr Schrems which, the European Parliament says, would have a “massive chilling effect” (which we reported on in our November update).

In addition, the resolution identifies:

  • That several complaints relating to breaches of the GDPR filed on 25 May 2018 (the day the GDPR came into force), and other complaints from privacy organisations and consumer groups, have not been resolved;
  • A concern about the lack of tech specialists working for the DPC and their use of outdated systems; and
  • A concern that the DPC interprets “without delay” in Article 60(3) GDPR (which relates to communication with other Supervisory Authorities) as being longer than a matter of months.

The backdrop to the resolution is the fact that the DPC has only reached a final decision on one cross-border GDPR case, against Twitter (which we reported on in our January update). The DPC has also faced notable recent criticism from other Supervisory Authorities in relation to the fine it levelled on Twitter.

Portuguese DPA suspends transfer of census data to Cloudflare despite use of SCCs

The Comissão Nacional de Proteção de Dados (“CNPD”) has ordered the National Institute of Statistics (“INE”) to suspend any international transfers of personal data to the USA or any other third countries which do not provide an adequate level of protection for personal data.  The personal data involved was the 2021 Census data which was uploaded to Cloudflare Inc (“CF”), a service provider based in the USA.  The INE had in place EU SCC's with CF pursuant to which it purported to lawfully undertake international transfers. The CNPD drew attention to the fact that CF was subject to US surveillance legislation, which imposed an obligation to provide unrestricted access to US authorities to the personal data that CF had in its custody without informing affected data subjects. 

The CNPD referred to the Schrems II ruling of the CJEU (which we reported on in our September update) which said that the SCCs can only be used as an appropriate mechanism for data transfers when combined with safeguards that prevent the US government from obtaining disproportionate access to exported personal data.  Of particular importance to the CNPD was the fact that the personal data included sensitive personal data (such as health data and religious information) in relation to a large number of data subjects.

This decision is particularly relevant to organisations which use US-based data providers on the basis of SCCs alone, without further protection.  We previously reported about some of the supplementary measures which organisations can take to strengthen their transfer mechanisms in our March update.  A sensible starting point for an organisation looking to supplement its transfer mechanism security is the guidance issued by the EDPB in November last year, available here and here.

Equifax ordered to delete personal data “scraped” from public sources

The Spanish DPA (“AEPD”) has issued a fine of €1 million to Equifax Iberica, S.L. (“EI”) and ordered it to stop processing and delete relevant personal data following the complaints of 96 data subjects.  EI had collected personal data from a variety of sources about individuals’ debts and fines.  This included various public sources such as: the Spanish Official State Gazette; the General Tax Administration; city councils’ gazettes; and debtor’s lists.  This information was compiled without ensuring the accuracy or completeness of the personal data which EI was processing. 

The AEPD identified EI as being in breach of Articles 5(1)(a)(b)(c)(d), 6(1) and 14 of the GDPR.  Central to the AEPD’s conclusions was the finding that the data was collected and published for a reason which was not compatible with the purpose for which EI was processing the data.  There was not a reasonable expectation on the part of the affected data subjects that the public notification of debt or fines would be compiled with other data by EI, and provided by EI to businesses about the data subjects’ credit ratings.

Civil litigation

Immigration exemption in the DPA is not compliant with GDPR

In R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800 the Court of Appeal held that the immigration exemption in paragraph 4 of Schedule 2 to the DPA 2018, which disapplies certain rights of data subjects where their personal data is processed for effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control, is not compatible with the GDPR (and, by logical extension, the UK GDPR).

Member States are permitted to create their own exemptions in certain restricted circumstances under Article 23 of the GDPR.  These exemptions are permitted provided that they “respect the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society” (Article 23(1)) and must include (under Article 23(2)) “specific provisions” about the purposes of the processing, the categories of personal data, the scope of restrictions and safeguards to prevent abuse.  Warby LJ summarised the need for these Article 23(2) provisions as follows: “The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision.”

In the instant case, the issue which fell to be decided by the Court of Appeal was whether those tests were met for the immigration exemption contained in the DPA 2018. The Appellants’ central contention was that the immigration exemption was “so over-broad as to be in breach of the express requirements governing derogations in Article 23(2) of the GDPR and the CJEU’s strict caselaw providing protection for data rights against attempts [to apply] generally worded derogations”.  The ICO intervened to support the Appellants’ position that the relevant test is one of strict necessity. Emphasising the importance of the rights at stake and the sensitivity of the context, counsel for the ICO noted that, in the absence of accompanying guidance carrying statutory force (here, there was only internal draft guidance on the Home Office intranet), the exemption is a disproportionate interference with fundamental rights.

Warby LJ, with whom Singh LJ and Underhill LJ agreed, held that the immigration exemption was non-compliant: “The Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2). Even assuming, without deciding, that it is permissible for the “specific provisions” required by Article 23(2) to be contained in some separate legislative measure, there is no such measure”. 

It remains to be seen whether this finding of incompatibility will have a bearing on the adequacy decision in respect of the UK currently being considered by the Commission.  We reported on the draft adequacy decision on our March update.

Equiniti sued by Police Officers over data breach

High Court proceedings have been commenced against Paymaster 1836 (the pensions division of Equiniti (“Equiniti”)) by 474 British police officers, who are seeking damages in excess of £1 million, in CR and Others v Paymaster (1836) Ltd. (trading as Equininti) (QB-2021-001110).  Equiniti distributed 750 pension benefit statements on behalf of Sussex Police force to a number of incorrect addresses because they failed to properly update their database. This led to the inappropriate disclosure of the names, NI numbers, salary banding, date of birth, police service details, and pension information of police officers.

This is a further example of the increasing trend for follow-on claims arising out of data breaches.