Welcome to the February Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

ICO fines RSA for data protection breach

The ICO has issued a penalty of £150,000 to Royal & Sun Alliance Insurance PLC (RSA) for failing to prevent the accidental loss of or damage to personal data, in breach of the seventh data protection principle.

It was found that between 18 May and 30 July 2015, a person permitted access to RSA's data server room stole a portable 'Network Attached Storage' device, which held the names, bank account details and sort codes of nearly 60,000 individuals. The device was password protected but unencrypted, and it has not been recovered since the theft. The ICO highlighted the lack of encryption and the failure to properly restrict access to the server room as particular reasons why it found there had been a breach of the seventh data protection principle in this case.

The ICO found that the contravention was one likely to cause substantial damage or substantial distress to those affected.


ICO fines charities for mishandling donors' personal data

The ICO has fined the RSPCA and British Heart Foundation £25,000 and £18,000 respectively for screening their donors to target them for further fundraising. This was held to be handling personal data in a way inconsistent with the data protection rules. Since the judgment, the Charities Commission has also opened up its own investigations into the charities' regulatory compliance and duties under charity law.

Actions taken by the charities included forming a scheme 'Reciprocate' under which personal details of donors were traded with other charities to create a pool of donor data, without the informed knowledge or consent of the donors whose data were included in the pool.

The ICO exercised its discretion in significantly reducing the fines to the charities, so as not to create any further stress to the donors as a result of the charities' actions through higher penalties that may be seen by the donors as being funded by their donations. Under normal circumstances, the fines could have been ten times the figure.


European Council backs EU-US Umbrella Agreement

The Council has approved the EU-US "Umbrella Agreement", which will provide for a cross-border data protection framework for criminal law enforcement and cooperation. This will, in particular, improve the enforcement of EU citizens' rights before US courts by providing them with equal treatment to US citizens.

The agreement concerns the transfer of personal data from police and criminal justice departments between EU Member States and US federal authorities for the purposes of investigating and handling serious crime and terrorism. The agreement has incorporated numerous safeguards to prevent the mishandling of data transfer and ensure its lawfulness. As well as complementing existing agreements between EU-US criminal law enforcement authorities, it will form the bedrock for all future data transfer agreements between the two parties.


European Commission proposes draft E-Privacy Regulation

The European Commission has proposed a draft E-Privacy Regulation, which, if implemented, will replace the current E-Privacy Directive (2002/58/EC) and be directly applicable across all EU Member States. Its aims are to deal with how electronic communications have evolved since 2009 and to align with the upcoming General Data Protection Regulation (which comes into force in May 2018) so as to properly protect individuals' privacy.


European Commission adopts Communication on single digital market

The European Commission has adopted a working document on the lack of a digital single market for data processing within the Community. It argues that restrictions to the free flow of data between Member States prevent data-driven services, such as the Internet of Things (IoT) and cloud computing, from being able to perform to their full potential. Such restrictions include current barriers to the free movement of data and data location restrictions imposed in domestic legislation within the EU. Data portability of non-personal machine generated data, which is beginning to be used by IoT devices but which is not adequately covered in existing EU legislation, is also considered.

Liability considerations are also discussed in circumstances where IoT services depend on various independent products (e.g. hardware and software) from different providers, i.e. which party should bear liability if the system malfunctions.

The consultation paper is open until 26 April 2017.


ECJ rules excessive data retention in UK incompatible with E-Privacy Directive

The European Court of Justice has ruled that any national legislation that permits the retention of electronic communication users' traffic and location data without discrimination, regardless of whether the purpose of the retention is for fighting crime, is incompatible with the E-Privacy Directive when considered in light of the rights of privacy and protection of personal data that are currently provided by EU legislation.

The UK legislation that led to this ruling is the Data Retention and Investigatory Powers Act 2014. This has since been replaced by the Investigatory Powers Act 2016, which itself is now open to further legal challenges. Without appropriate amendments, the UK could be deemed not to provide 'adequate' protection of personal data following its impending departure from the EU.

Government transfers preference services to ICO

The Government has, with effect from 30 December 2016, transferred the Telephone Preference Service and Fax Preference Service (together the 'registers') from Ofcom to the ICO. The registers list individuals who have opted out of receiving direct marketing by phone and fax. Following the transfer, the ICO will have direct control over maintaining and enforcing the registers.

The Government hopes that this action will help to deal more efficiently with nuisance calls and the complaints relating to them. It is one of the measures that have been put in place to tackle this issue, which also include a government requirement that marketing companies display their number to customers receiving their calls.

European Commission adopts Communication on international cross-border data transfer

Following on from the GDPR, the European Commission has produced a Communication on the requirement to protect personal data on an international scale.

The Communication outlines the EC's intention of engaging in 'adequacy' assessments with key third country trading partners in 2017, including South Korea and Japan, and the importance of promoting a globalised standard of data protection and better international law enforcement cooperation.
