In considering these factors, the Draft Guidance confirms that data controllers should take account of the "means reasonably likely to be used" to identify individuals, factoring in the time and cost that identification would require, the technological difficulty involved, and how that difficulty may change over time as technology develops.
The call for views on the Draft Guidance is open until 28 November and can be accessed here.
ICO releases opinion on age assurance and the children's code
The ICO published an opinion on 14 October 2021 (the "Opinion") on how the Age Appropriate Design Code, commonly known as the "Children's Code" (the "Code"), which came into full effect on 2 September 2021, applies to Information Society Services ("ISS"). The Opinion sets out how the ICO expects ISS to meet the Code's age-appropriate application standard. The ICO has called for evidence on the Opinion to be submitted to it by 9 December 2021. Both the Opinion and the call for evidence can be found here.
The Opinion clarifies how organisations should approach "age assurance" in compliance with UK data protection law. Age assurance refers to the measures by which an ISS estimates or establishes a user's age so that children cannot access inappropriate content. Its benefit is to reduce or eliminate the risks children face when accessing ISS online. However, age assurance carries data protection risks of its own: it can be intrusive, it can introduce bias and inaccuracy, and some methods can be circumvented (e.g., a child logging into a parent's account to complete account confirmation).
The Opinion states that the level of data protection risk that age assurance poses to children should be assessed, via a Data Protection Impact Assessment ("DPIA"), when determining the age-appropriate application the Code requires. Where the processing is high-risk, such as large-scale profiling of children, tracking of children, or invisible processing of children's personal data, the DPIA may conclude that the ICO must be consulted before the ISS activity begins, in line with Article 36 of the UK GDPR.
Cyber Security
Financial Stability Board calls for common breach-reporting standard
The Financial Stability Board ("FSB") has published a report on the current approaches to cyber breach reporting and the further action required to achieve broader convergence in the reporting of such breaches.
The FSB's report acknowledges that cyber incidents are becoming more frequent and sophisticated and attributes this to the digitalisation of financial services and the growing use of third-party service providers.
The FSB found that jurisdictions and sectors diverge on what must be reported, how a cyber incident is assessed, when it must be reported, and what is done with the information once reported. In practice, a financial institution may run a single global process for reporting cyber incidents while, because of its global footprint, being subject to a variety of reporting requirements, potentially for one and the same incident, each with nuances that the "heterogeneous information" it is able to report may not capture. This could put response and recovery actions at risk.
The FSB's report says that harmonising the regulatory reporting of cyber incidents would promote financial stability through: developing a common understanding of these incidents; supporting supervision of the incidents; and facilitating the sharing of information about these incidents. The FSB says that by the end of 2021 it will develop a detailed plan to take this work forward.
ICO ends consultation on incident reporting thresholds
As we reported in our August update, the ICO opened a consultation on the Network and Information Systems Regulations 2018 (the "NIS Regulations") and the potential approaches to incident reporting thresholds for digital service providers ("DSPs") following the UK's departure from the EU (the "NIS Consultation"). Currently, under the thresholds set by the NIS Regulations and Commission Implementing Regulation (EU) 2018/151 (the "Implementing Regulation"), a DSP must consider the following factors when determining whether the impact of an incident is substantial:
- The number of users affected by an incident, including users relying on the service for their own services;
- Duration of the incident;
- Geographical impact of the incident;
- Extent of disruption of functioning of the service; and
- Extent of impact on economic and societal activities.
In addition, the DSP must identify a ground under Article 4 of the Implementing Regulation, which lists the situations in which an incident is considered substantial. These include: the service was unavailable for more than five million user-hours; the incident resulted in a loss of integrity, authenticity or confidentiality of processed data affecting more than 100,000 users; the incident created a risk to public safety or of loss of life; or the incident caused material damage exceeding EUR 1 million. If one of these grounds is met, the DSP must report the incident to the ICO.
The NIS Consultation proposes to amend the requirements applicable to DSPs so as to remove this Article 4 ground requirement. DSPs would instead have to have regard to incident thresholds set by the ICO in forthcoming guidance. The NIS Consultation closed on 14 October 2021.
Enforcement
ICO issues Monetary Penalty Notice to HIV Scotland
The ICO has fined HIV Scotland £10,000 in relation to a data breach in which an email was sent to 105 people, including patient advocates representing people living with HIV in Scotland, with every recipient's email address visible to all the others, permitting assumptions to be made about individuals' HIV status. The ICO's investigation into the incident revealed deficiencies in HIV Scotland's data protection policies and procedures, including inadequate staff training, reliance on the blind carbon copy ("BCC") field for bulk emails rather than a more secure bulk-mailing method, and an inadequate data protection policy. The investigation also revealed that the less secure BCC approach was still in use seven months after HIV Scotland had recognised the risks inherent in its email distribution arrangements.
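The failure mode in this case is mechanical and easy to guard against in code, so here is an added example (not code from the ICO, HIV Scotland or the original page) showing the sending pattern that prevents it: one message per recipient, addressed only to that person, plus a pre-send check that rejects any message exposing more than one address in To/Cc or carrying a Bcc header into the transmitted message. The recipient addresses and the sender are constructed for illustration; nothing is actually sent.

```python
"""
Added example: composing a bulk mailing so that no recipient can see the
others' addresses. exposure_problems() rejects the pattern behind the
HIV Scotland breach (all addresses in To/Cc) and the related leak where a
Bcc header survives into the transmitted message. Sample data is
constructed; nothing is sent.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; a real distribution list would be loaded from
# the organisation's system, not hard-coded.
SAMPLE_RECIPIENTS = [
    "advocate-one@example.org",
    "advocate-two@example.org",
    "advocate-three@example.org",
]


def visible_recipients(msg):
    """Addresses every recipient will see: the parsed To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exposure_problems(msg):
    """Return the reasons a message would disclose recipients to each other.

    An empty list means the message is safe to hand to the mail transport.
    """
    problems = []
    seen = visible_recipients(msg)
    if len(seen) > 1:
        problems.append(f"To/Cc expose {len(seen)} recipient addresses")
    # A Bcc header must never be transmitted; hidden recipients belong in the
    # SMTP envelope only. smtplib.send_message strips it, but other senders
    # may not, so refuse it up front rather than trust the transport.
    if msg.get_all("Bcc"):
        problems.append("Bcc header present in outgoing message")
    return problems


def build_individual_messages(sender, recipients, subject, body):
    """Safe pattern: one message per recipient, addressed only to that person."""
    messages = []
    for rcpt in dict.fromkeys(recipients):  # de-duplicate, keep order
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        assert not exposure_problems(msg)  # each message names one recipient
        messages.append(msg)
    return messages


def build_broadcast_message(sender, recipients, subject, body):
    """Unsafe pattern (the one behind the breach): all addresses in one To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    sender = "news@example.org"  # constructed
    bad = build_broadcast_message(sender, SAMPLE_RECIPIENTS, "Update", "Hello")
    print("broadcast message problems:", exposure_problems(bad))
    for m in build_individual_messages(sender, SAMPLE_RECIPIENTS, "Update", "Hello"):
        print("to:", m["To"], "problems:", exposure_problems(m))
```

The per-recipient pattern also removes the second risk the ICO flagged: with BCC, one mis-click (pasting the list into To or Cc) discloses everyone, whereas here the check runs on each composed message before it reaches the transport, so a list can never be exposed in a single message.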
Increase in GDPR fines in Q3 2021
Data gathered by Finbold indicates that total fines for breaches of the GDPR issued by EU Supervisory Authorities in the third quarter of 2021 amounted to just over $1.1 billion, 20 times the combined total of the first and second quarters of 2021 and triple the total amount of fines issued in 2020. The increase serves as a stern warning about the growing volume and scale of enforcement action across the EU, although the overall figure is likely to have been skewed by the €746 million fine recently imposed on Amazon.
Amazon appeals data fine
As we previously reported here, Amazon is facing a fine of €746 million from Luxembourg's data protection authority, the CNPD. It has now been confirmed that Amazon filed an appeal against this fine on 15 October 2021, and we now await the outcome.
Irish regulator proposes fine of €36 million
Ireland's Data Protection Commission (the "DPC") has proposed a fine of between €28 million and €36 million in one of the multiple investigations it has opened into Facebook's conduct. This investigation, which arose out of a complaint by privacy campaigner Max Schrems, considered whether Facebook's terms and conditions met the GDPR's transparency requirements in respect of its processing; the DPC concluded that they did not.
Somewhat surprisingly, the DPC is of the view that by re-labelling its terms and conditions as a 'contract', to which it required users to consent, Facebook is entitled to rely on the contract basis for lawful processing under Article 6 GDPR, which is the approach it adopted following GDPR coming into force in May 2018.
As Mr Schrems notes: "[i]t is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabelling the agreement on data use as a 'contract'. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent".
It remains to be seen whether this decision, like the DPC's decision in relation to WhatsApp, fails to survive the scrutiny of other Supervisory Authorities, and, if necessary, the EDPB, which seems very likely to dispute the DPC's interpretation of relevant provisions of GDPR.
Given Facebook's primary revenue source is advertising revenue deriving from processing its users' data, it is at significant risk of very substantial fines, and civil litigation, if the DPC's finding on the 'contract' issue is overturned.
Road toll company fined by Norwegian DPA
In October 2019 the Norwegian Data Protection Authority ("NDPA") commenced an investigation into a road toll company, Ferde AS ("Ferde"), for transferring personal data to a data processor in China.
It was held that Ferde had breached: (1) Article 28(3) GDPR, for failing to have a compliant data processing agreement in place with the data processor; (2) Articles 32(2), 5(1) and 5(2) GDPR, for failing to conduct a risk assessment in relation to the data transfer; and (3) Article 44 GDPR, for failing to have a compliant transfer mechanism in place for the transfer of personal data to a third country.
The NDPA's investigation revealed a number of flaws in Ferde's privacy and data protection practices, which included: (1) an undated data processing agreement; (2) an undated risk assessment in respect of the data processor's use of data; and (3) whilst the European Commission standard contractual clauses for the transfer of personal data to third countries had been signed, it was undated and likely not in place during the period in which the relevant transfers took place.
Twitter fined by Irish regulator
The DPC imposed a fine of €450,000 on Twitter International Company, Twitter Inc's Irish operating company, for breaching Articles 33(1) and 33(5) GDPR, arising out of its failure to notify a data breach to the DPC promptly and its failure to document the breach adequately. The DPC commenced an inquiry in January 2019 following receipt of a breach notification on 9 January 2019. The inquiry found that the DPC ought to have been notified of the breach by 3 January 2019 at the latest.
Civil litigation
Lloyd v Google judgment expected imminently
The Supreme Court has announced that judgment in Lloyd v Google will be handed down at 9:45 on Wednesday 10 November 2021.
The Supreme Court's highly anticipated decision is likely to be very significant from the perspective of the ability to pursue collective redress arising out of breaches of data protection law.
If the Supreme Court rejects Google's appeal from the Court of Appeal's decision (which we covered in detail here), we expect to see a raft of further representative claims in relation to high-profile data breaches and other breaches of data protection law, in addition to the claims already issued against Facebook, Marriott International, Salesforce and Oracle, and TikTok, amongst others, which have been stayed pending the Supreme Court's decision.
Court strikes out claim on the basis that no actionable loss had been suffered
In Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), Master McCloud summarily dismissed the Claimants' claims for damages for distress arising from the Defendant law firm accidentally sending an email about outstanding school fees to the wrong person, and ordered the Claimants to pay the Defendant's costs on the indemnity basis.
In her judgment, Master McCloud noted:
"What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied… In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial."
Update to immigration exemption
As we previously reported, in May 2021 the Court of Appeal held the immigration exemption in paragraph 4 of Schedule 2 to the Data Protection Act 2018 to be unlawful for failure to comply with Article 23(2) of the GDPR. The question of relief was left to a subsequent hearing, which took place on 8 October 2021.
The Court ruled that the declaration of unlawfulness would be suspended until 31 January 2022, to give the Government until the end of January 2022 to introduce legislation amending the exemption and so avoid harm to the public interest. If the Government fails to do so, the exemption will be disapplied from 31 January 2022.
Footballers threaten legal action for "GDPR violation" of performance data
As we previously reported, 850 professional football players have threatened to take legal action against companies which they allege have unlawfully processed personal data relating to their performance over the past six years, in breach of the GDPR. Such data includes statistics such as goals-per-game and information pertaining to a players' physique and attributes, which are collated and used by various betting and entertainment firms. It is alleged that such data has been collected without the players' consent, and the players have not received any payment for the unlicensed use of this data. It is estimated that more than 150 companies have misused this type of data. If the claim succeeds, it is likely to have significant ramifications for the sports data industry.