Welcome to the July Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
Administrator of Facebook fan page deemed a "data controller" under old data protection law
The Court of Justice of the European Union (CJEU) hands held that the concept of a data controller under Directive 95/46/EC (the data protection directive preceding the General Data Protection Regulation (GDPR)) may include the administrator of a social network fan page.
The CJEU deemed that a Facebook fan page administrator was a data controller jointly responsible with Facebook Ireland Limited and Facebook Inc for the processing of personal data of persons visiting the fan page, including both Facebook users and non-users. The CJEU did not expressly state whether the entities would be data controllers in common or joint controllers.
In this case, a German data protection authority alleged that the fan page infringed German data protection law as visitors were not warned that Facebook collected personal data from cookies on the page and used this information for both statistical purposes and to place targeted adverts.
The administrator was deemed a data controller on the basis that it determined the purposes and means of processing, from creating the fan page which involved selecting predefined options contributing to Facebook's use of data from the page. The fact that the administrator only received statistical information about visitors in anonymised form did not affect this decision because where multiple data controllers are concerned, under Directive 95/46/EC, a data controller does not require access to the data and the statistics provided to the administrator were produced from the parameters chosen by the administrator.
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C 210/16) (5 June 2018)
Click here to read the CJEU decision.
Bible Society fined £100,000 for failing to keep personal data secure
The British and Foreign Bible Society (Bible Society) has been fined £100,000, by the Information Commissioner's Office (ICO), following a cyber-attack where personal data relating to 417,000 Bible Society supporters was accessed. The breach took place in 2016, before the effective date of the GDPR, and so the investigation took place under the Data Protection Act 1998.
Hackers exploited weaknesses in the Bible Society's internal network; a service account, that enabled remote access to the network, did not have a complex password. The hackers encrypted some of the personal data held on the Bible Society's network with the intention of holding the Bible Society to ransom but, due to back-ups of the data made on the network by the Bible Society, the ransom request failed. The personal data accessed included payment card and bank account details. Some personal data was also externally transferred from the network to the attackers.
The Bible Society was fined, under the Data Protection Act 1998, for failing to take appropriate technical and organisational steps to protect personal data.
Click here to access the monetary penalty notice.
Yahoo fined £250,000 for failing to keep personal data secure
Yahoo! UK Services Limited (Yahoo) suffered a cyber-attack in November and December of 2014, which was not publicly disclosed until September 2016. The ICO investigated the breach under the Data Protection Act 1998 in relation to Yahoo's responsibility as a data controller in the UK for the personal data of over 500,000 UK accounts and approximately 500 million users worldwide.
Attackers accessed data held on Yahoo's systems by exploiting compromised credentials of Yahoo employees and externally transferred back-up files containing personal data. The ICO found that Yahoo failed to: take appropriate technical and organisational measures to protect the data against external attack; take appropriate measures to ensure its data processor (Yahoo! Inc) complied with data protection standards; and put in place appropriate monitoring to protect the credentials of Yahoo employees with access to customer data.
Click here to access the monetary penalty notice.
Progress on ePrivacy Regulation
Further to the previous policy debate, the draft ePrivacy Regulation text allows member states to set a time limit under which organisations may contact individuals for direct marketing purposes.
Click here to read the note.
Government proposal to fine directors in charge of nuisance call firms
The Government has proposed making directors personally liable for fines of up to £500,000 if their company breaks the law in respect of unsolicited calls.
Currently, only the company is held liable if the law is broken with respect to unsolicited calls under the UK Privacy and Electronic Communication Regulations. The government press release notes that some businesses have attempted to avoid fines by declaring bankruptcy and setting up the same operation under a different name. The Data Protection Act 2018 has extended the liability of offences under the Act to directors where certain conditions are met, but the provisions of the Act are not specifically concerned with marketing because this is dealt with by the UK Privacy and Electronic Communication Regulations.
The Government proposes to give the ICO the power to hold directors accountable.
Click here to access the press release.
EDPS opinion on privacy by design
The European Data Protection Supervisor (EDPS) has published an opinion on privacy by design, covering both privacy by design in its broadest sense as well as the specific privacy by design and default obligations under Article 25 of the GDPR.
The EDPS notes that, under Article 24 of the GDPR, a controller has responsibility for the personal data it processes and privacy by design and default is one of the types of technical and organisational measures that a controller must implement to comply with the GDPR. The opinion discusses in detail the GDPR requirements for implementing privacy by design and default. The EDPS recognises that while these obligations directly apply only to a controller, they will also indirectly apply to a processor in order for the controller to comply with its obligations.
The EDPS recommends that privacy by design is also recognised in the draft ePrivacy text.
Click here to read the full opinion.
EDPB guidelines on transfers outside of the EU
The European Data Protection Board (EDPB), formerly the EU Article 29 Working Party, has published guidelines on Article 49 of the GDPR which sets out how personal data can be transferred to third countries in certain situations.
The EDPB expands on the requirements set out in the Article for transfers of personal data outside of the EU and provides examples of the meaning of words such as "not repetitive" and "necessary". It provides helpful further guidance on the information to be provided to data subjects where consent is relied upon to transfer personal data to a third country.
Click here to access the guidelines on Article 49 transfers.