European data protection landscape rocked by CJEU decisions

Earlier this month, the Court of Justice of the European Union (CJEU) delivered two judgments in the space of a week which have profound effects for any EU-based business which processes personal data. You can read our detailed analysis of the decisions in Schrems v Information Commissioner and Weltimmo v Hungarian Data Protection Authority  here.

Opinion published on C-SIG draft Code of Conduct for Cloud Computing

The Data Protection Code of Conduct for Cloud Service Providers (the Code) was produced by C-SIG, the EU working group of cloud industry representatives, and submitted to the EU's Article 29 Working Party (WP29) for an Opinion in January 2015.

Whilst WP29 recognised that the Code contained important data protection guidance for cloud providers operating in Europe and would help them demonstrate compliance with the relevant rules, it felt that further work was needed, particularly in respect of clarifying where responsibilities lie between data controllers and cloud providers in the event of a data protection violation. WP29 also found the Code lacking in detail with regard to data portability, transparency on the location of data processing, and the requisite security measures to be implemented by cloud providers.

C-SIG is expected to amend the Code in line with WP29's Opinion and to publish a final version by the end of October 2015. Both the Opinion and the draft Code can be accessed here.

ICO advises organisations to begin preparing for the GDPR

In a recent ICO blog post, Deputy Information Commissioner, David Smith, suggested that businesses start planning now in order to mitigate the impact of the General Data Protection Regulation (GDPR), which is likely to come into force from mid-to-late 2018. He encouraged organisations to consider the following five areas in particular:

  1. Consent and control: businesses should prepare for the heightened consent requirements of the GDPR by assessing how far and where they rely on customer consent, how this is documented and how far customers are able to control their personal information;
  2. Accountability: Record-keeping will be a key part of compliance with the GDPR and organisations should ensure that procedures are well-documented and data handling processes are transparent;
  3. Staffing: Not every organisation will be required to have a data protection officer – but all businesses should make sure they have enough data protection expertise at their fingertips to understand and comply with the new GDPR requirements;
  4. Privacy by design: Businesses should analyse their systems and procedures to make sure that data protection requirements are complied with as a matter of course. Privacy impact assessments should be used to effectively identify and minimise privacy risks;
  5. Breach management: With breach notification to become compulsory, the ICO recommends both implementing a breach management process and putting in place preventative technical and organisational security measures.

EU and Parliamentary inquiries held into online platforms

A European Commission consultation is to consider the social and economic roles of online platforms, analyse the liability of intermediaries in relation to illegal content hosted online and to explore how the free flow of data in the EU might be improved. The Commission will incorporate the information obtained into its planned 2016 initiatives on the formulation of a European Cloud and the free movement of data. The consultation will remain open until 30 December 2015.

The House of Lords EU Internal Market Sub-Committee is also running an inquiry into online platforms, which aims to investigate how they operate, how they use data and their impact on consumers. Oral evidence sessions will run until December 2015 and a report is expected in spring 2016.

Online pharmacy fined for selling customer data without consent

In the first Monetary Penalty Notice imposed for breach of the first principle of the Data Protection Act, the ICO has fined Pharmacy 2U £120,000 for selling the details of more than 20,000 of its customers to various organisations through a data broker. Over 100,000 records were offered for sale, in batches of 1,000, and the customer database was advertised as featuring individuals suffering from specified illnesses.

The ICO decided that Pharmacy 2U had failed to process its customer data fairly and lawfully in accordance with the first principle of the Data Protection Act, as customers had not been informed that their personal data would be sold to third party organisations and therefore did not provide informed consent.

Speaking recently to a House of Commons Select Committee on fundraising in the charitable sector, Information Commissioner, Christopher Graham, expressed concern that financial penalties are not sufficient, and asked the Government for powers to imprison those who trade personal information unlawfully.