Welcome to our Data Protection bulletin, covering the key developments in data protection law from December 2020 and January 2021.
- Noteworthy developments in the wake of the UK’s withdrawal from the EU
- Transforming Data Transfers: the ICO’s new Data Sharing Code of Practice
- SCCs: what do the EDPB and EDPS consider to be the pros and cons?
- What should you do when there is a data breach?
- Google and Amazon caught up in a cookie scandal
- Europe’s businesses face harsher penalties from regulatory authorities
- The Irish DPC faces criticism of Twitter saga
- Judgment offers guidance on the territorial application of the GDPR
- The ICO reduces their Monetary Penalty Notice against True Vision Productions
Noteworthy developments in the wake of the UK’s withdrawal from the EU
What was agreed and what has been said?
Since our last Bulletin, the UK and the EU reached a Brexit trade deal (the “Brexit Deal”) which details the terms on which the UK and EU will continue to trade now that the transition period for the UK leaving the EU has ended. Prior to the Brexit Deal, the UK announced that it deemed the EU and EEA and EFTA states to be adequate to allow for data flows from the UK. However, we still await an adequacy decision from the European Commission, which will permanently allow for data flows to continue from the EU to the UK without additional safeguards being required. The key takeaway from the Brexit Deal, therefore, is that for a maximum interim period of six months from 1 January 2020, data flows from the EU to the UK will not be considered transfers to a third country for the time being until the interim period expires or the adequacy decision is made, whichever comes first.
For more information on the impact of Brexit (including the Deal) on data protection law, please see our article Brexit trade deal: what does it mean for data protection law?
The ICO’s response to the Brexit Deal
The ICO responded positively, noting that it means organisations can remain confident in the free flow of data without having to make immediate changes to their data protection practices. The Information Commissioner herself published a blog commenting on the positive aspects of the Brexit Deal, noting in particular the EU’s commitment to promptly consider the UK’s adequacy application and the ICO’s continued focus on ensuring a seamless flow of data.
With that in mind, the ICO continues to recommend three main actions that all businesses operating in the UK should take in the wake of the UK’s withdrawal from the EU. These are:
- Review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and, where applicable, the addition of your EU and/or UK representative.
- Ensure any appointed DPO will be easily accessible from both UK and EEA establishments.
- Ensure that your records of processing identify the difference between legacy data that falls under the EU GDPR and data gathered after 1 January 2021 under the UK GDPR.
The ICO is encouraging businesses to take sensible precautions now, during the four to six-month interim period set out in the Brexit Deal, to work with EU and EEA affiliates or partners to put in place alternative transfer mechanisms to safeguard against any interruption of the free flow of data from the EU to UK.
The EDPB’s Response to the Brexit Deal
Following publication of a statement adopted on 15 December 2020, the EDPB updated their statement to reflect the bridging mechanism put forward by the Brexit Deal. This can be found here.
Multiple regulators to make businesses miserable?
Competent regulatory authorities
On 13 January 2021, the Advocate General of the European Court of Justice issued an opinion in Case C-645/19 Facebook Ireland Limited, Facebook INC, Facebook Belgium BVBA v Gegevensbeschermingsautoriteit that brings to light the issue of which supervisory authority will be competent where multiple authorities have the potential to be the lead supervisory authority. Until now, privacy complaints against Facebook by any European citizens had to be referred to the Irish Data Protection Commissioner, because Facebook's European headquarters are in the Republic of Ireland. However, the Advocate General held that in certain circumstances a data protection complaint against Facebook could instead be handled by other national supervisory authorities across the EU.
The starting point here is the GDPR's "one-stop-shop" mechanism, which envisages that there is normally only one supervisory authority competent to take enforcement action in cross-border processing cases. The GDPR provides that only the lead supervisory authority will have competence in most cases (this is usually the authority in the Member State where the main establishment of a controller or processor is based (i.e. Ireland for Facebook)). However, the Opinion makes it clear that the GDPR also specifically provides for circumstances in which the supervisory authorities of other Member States will be competent to bring enforcement proceedings. In particular, supervisory authorities can bring proceedings before the courts of their respective Member States in cases of cross-border processing even where they are not a lead supervisory authority. Some examples of this are where the activities in question fall outside the scope of the GDPR; the processing is carried out by public authorities in the interest of the public or by controllers in third countries; the proceedings are required for the adoption of urgent measures; or proceedings are brought following the decision of a lead supervisory authority not to bring a claim.
Although this decision is not binding on the eventual CJEU decision, it provides renewed clarity on how the GDPR
Impact on UK
As of 1 January 2021, the One-Stop-Shop mechanism is no longer applicable to the UK in any event. Therefore, regardless of whether the CJEU agrees with the EU’s Advocate General, businesses which operate within the UK and EU face the prospect of dealing with multiple regulators of, and enforcement action in relation to, UK and EU Data Protection Legislation. That said, the EDPB has been liaising with the ICO to try and ensure a smooth shift from 1 January. EEA supervisory authorities have been urged to follow a shared and efficient approach when handling existing complaints and cross-border cases involving the ICO.
In this regard, organisations should be reminded that controllers and processors not established in the EEA but whose processing activities are subject to the application of the GDPR are required to designate a representative within the EU pursuant to Article 27. The same applies in relation to the UK and UK representatives. The representative may be addressed by supervisory authorities and data subjects on all issues related to processing activities in order to ensure compliance with the GDPR/UK GDPR.
Collective interests of Consumers
The European Parliament has endorsed a new directive on representative actions for the protection of the collective interests of consumers. The Collective Redress Directive was made in response to multiple cases stemming out of breaches of consumer rights by global businesses.
The Directive requires all EU Member States to bring in one effective procedural mechanism which endorses certain qualified entities to bring representative actions to obtain injunctive relief or redress for consumers. The Directive covers all infringements of EU law, including the GDPR, that threaten the collective interests of consumers. This means another scenario in which UK businesses operating in Europe may have to face UK authorities as well as competent EU authorities in the event they are found to be undertaking activities that threaten individuals' interests.
More regulation and higher fines?
All of this comes alongside reports of GDPR fines being at their highest, as European and UK data protection authorities flexed their muscles during 2020. Overall fine increases of up to 40% have been reported, whilst breach notifications were up by 19%.
Only time will tell whether businesses really will face the issue of dealing with multiple sanctions from different regulators in relation to the same issue. But if they do, there is definitely reason for concern over the potential for increasing fines on the horizon.
Transforming Data Transfers: the ICO’s new Data Sharing Code of Practice
On 17 December, the ICO published a new Data Sharing Code of Practice (the “Code”) and presented it to the Secretary of State to be laid before Parliament in the coming weeks. This new Code replaces an earlier version first published in 2011 and is accompanied by a suite of new resources providing practical assistance to businesses undertaking data sharing. Once approved by Parliament, the Code will become a statutory code of practice, which will be used by the ICO when assessing compliance with the UK GDPR and the Data Protection Act 2018.
The updated Code tackles the ever-evolving uses of technology and readily-accessible information. It is designed to increase the confidence businesses and organisations have when sharing personal data and to allow individual data subjects to rest easier knowing there is more guidance around their data being shared in a fair, safe and transparent way. The Code applies to personal data that is shared between controllers or provided to third parties. It does not apply to data sharing with a processor, nor the disclosure of data within an organisation.
The Code considers the key principles of the GDPR and applies them to the steps to be taken when transferring personal data. Organisations should consider how they intend to demonstrate compliance with the GDPR, taking steps to transfer personal data securely and informing data subjects of what is happening to their data. The Code reminds businesses that as well as considering the benefits of data sharing it is important to consider whether transferring data is necessary. The ICO strongly recommends that organisations complete a Data Protection Impact Assessment (DPIA), even if they are not legally obliged to carry one out.
Some of the other key takeaways are set out below.
Data Transfers in M&A
In November last year, the Stephenson Harwood team reported on the ICO’s fine imposed on the global hotel group Marriott International on 30 October 2020. The fine for £18.4 million was for breaches of Article 5(1)(f) and 32 of the GDPR in the context of a corporate acquisition. Further details of this case can be found here.
Following the theme of this landmark decision, the Code includes an in-depth consideration of the standards required for data-related due diligence when businesses are in the process of acquiring other companies. In this regard, the Code sets out certain action items for businesses to consider during a merger or acquisition in which data is transferred to a different organisation. The ICO states that assessing data sharing must be part of the due diligence undertaken during the M&A process. This includes establishing the purpose for obtaining the data in the first place, the lawful basis for sharing it, and whether these will be subject to change following completion of the relevant transaction.
Businesses should therefore seek advice before sharing personal data, particularly where the data is anticipated to be fed into different systems, and should focus on transparency, informing data subjects of what is going to happen, when and how.
Data transfers in business-to-business trade
Data transfers in emergencies
Lastly, the Code considers what steps businesses need to take in an emergency such as responding to a terrorist incident, preventing physical harm, protecting public health or other scenarios where urgent data sharing can be a life-saving action. In these situations, it is crucial that businesses carefully consider the risks of both sharing the data and not sharing the personal data. The ICO is clear that organisations should document any assessment taken relating to urgent data sharing, but acknowledges that this might have to be done retrospectively if there is not time to draft an assessment during the emergency in question.
The Code contains a data sharing checklist and templates for data sharing requests and decisions aimed at assisting organisations with decision-making around whether to share personal data. To supplement the Code, the ICO has also launched a data sharing information hub, which aims to provide targeted guidance and practical tools for businesses, such as practical case studies and toolkits.
SCCs: what do the EDPB and EDPS consider to be the pros and cons?
In November 2020, the European Commission published new Standard Contractual Clauses, which are one of the key transfer tools for exporting personal data to outside of the EEA. For more information on the impact of these new SCCs on your business please see our go-to-guide here.
Now, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor have published joint opinions considering the SCCs and what they consider to be the positives and negatives the SCCs bring with them. The first opinion covers SCCs for contracts between controllers and processors (“Opinion 1”), whilst the second focuses on SCCs used for data transfers to third countries (“Opinion 2”).
Although acknowledging that the SCCs provide a better level of protection for data subjects, the Opinions suggest that certain provisions need improvement or clarification to ensure that the SCCs are aligned with GDPR requirements and have practical utility in the day-to-day operation of businesses that use them.
In Opinion 1, the EDPB and EDPS state that in order for the SCCs to be a helpful accountability tool, the European Commission needs to make it sufficiently clear when parties can use these SCCs, in particular which SCCs can be used for transfers outside of the EU and when they can be used. The EDPB and EDPS also request clarification around the operation of the “docking clause”, which is an optional clause allowing third parties to become parties to the SCCs by completing an annex, subject to the agreement of the existing parties. The Opinion also calls for clarification on the roles and responsibilities for the processing activities set out in the Annexes, particularly where the SCCs have multiple parties. There are also several recommendations to bring the SCCs closer to the requirements of Article 28 of the GDPR, for example in relation to rights to audit processors.
As regards Opinion 2, the EDPB and EDPS recommend clarification of several clauses. These include the scope of the SCCs, certain third-party beneficiary rights, obligations around onward transfers, provisions around assessing third-country laws pertaining to public authority access to personal data, and supervisory authority notifications.
What should you do when there is a data breach?
In January, the EDPB adopted guidelines (the “Guidelines”) which consider a range of data breach notification cases considered most frequent by data protection authorities. These Guidelines, intended to help controllers respond to personal data breaches in a manner that is compliant with the GDPR, offer an insight into what supervisory authorities may require of controllers in breach situations. Some of the examples considered include ransomware attacks, security incidents with exfiltration, internal compromises, accidental transmissions, and lost or stolen devices. For each of the example cases described in the Guidelines, the EDPB identifies the relevant reporting and remediation obligations.
In addition to using the common scenarios as a method of setting out practical steps for businesses, the EDPB sets out some key data breach management tips as well. The EDPB encourages organisations to proactively identify vulnerabilities in data protection systems and assess the likely impact of a data breach on data subjects. The EDPB also recommends setting out clear reporting lines in policies and guidelines for staff handling data breaches. Those staff should be provided with regular training which is specifically tailored towards the business of the organisation in question. Lastly, the EDPB places weight on the importance of assessing all data breaches as soon as possible and in documented form.
Although the ICO has confirmed that EDPB guidelines will no longer be directly applicable to UK businesses following Brexit, the ICO considers that the content of such guidelines will provide helpful guidance for UK businesses. These Guidelines will undoubtedly act as a useful tool for controllers subject to the UK GDPR.
The Guidelines are intended to supplement the Article 29 Working Party (WP29) Guidelines on personal data breach notification and are open for consultation until 2 March 2020.
ICO and Global Cyber Alliance sign Memorandum of Understanding
Just before Christmas, the ICO signed a memorandum of understanding with the Global Cyber Alliance (the “MOU”), an organisation dedicated to reducing cyber risk internationally. This agreement lays the ground for the ICO and Global Cyber Alliance to begin sharing information on cyber risk as part of a wider collaboration aimed at protecting personal data from cyber-attacks.
The MOU specifies three key areas on which the two parties hope to focus their attention. Firstly, sharing aggregated breach report data from cyber incidents, including, where appropriate, data related to cybercrime and fraud. Secondly, they will cooperate in sharing and exchanging information and intelligence tailored towards identifying cyber threats and trends. Lastly, the two will collaborate on research studies to improve understanding of the cyber landscape.
This is a promising commitment from the ICO, particularly with cyber-attacks being one of the greatest causes for concern regarding the data privacy of subjects in the UK. With such a rise in cyber-related incidents, and cyber security becoming a crucial aspect of protecting personal data, this partnership hopefully paves the way for new collaborative projects which will ultimately prevent harmful attacks.
Google and Amazon caught up in a cookie scandal
The French data protection authority, the CNIL, has fined Google LLC €60 million and Google Ireland €40 million (together, “Google”) and Amazon Europe Core (“Amazon”) €35 million for unlawfully placing non-essential advertising cookies on the devices of users in France who visited the google.fr and amazon.fr websites. Collectively, these fines are the largest imposed by the CNIL to date.
According to the CNIL, Google and Amazon breached Article 82 of the French Data Protection Act, which implements provisions relating to cookies in the e-Privacy Directive, as follows:
- A central issue identified by the CNIL was that both Google and Amazon failed to obtain the prior consent of users: cookies were automatically placed on users’ devices upon visiting the respective websites. This was a practice which, “by its nature”, the CNIL noted, “was incompatible with…prior consent”;
- Google’s opt-out mechanism was partially defective. Even when users deactivated ad personalisation on Google Search, one of the advertising cookies remained stored on the device and continued to read information.
Several aspects of the CNIL's decisions are notable:
- Jurisdiction: Both Google and Amazon challenged the jurisdiction of the CNIL, principally on the basis that the “one-stop-shop” mechanism under the GDPR should apply. If this were the case, the CNIL would not be the lead supervisory authority for either Google (headquartered in Ireland) or Amazon (headquartered in Luxembourg). The CNIL rejected this challenge, noting that its decision was ultimately reached on the basis of Article 5(3) of the ePrivacy Directive, as implemented by Article 82 of the French Data Protection Act.
- Inception of the CNIL's investigation: The CNIL's investigation was not prompted by a complaint, but was instead a product of remote (and, in the case of Amazon, one on-site) inspections of the relevant websites. This highlights the ease with which supervisory authorities may investigate potential breaches of provisions in relation to the setting of cookies, and the increased vigilance organisations should exercise in respect of the same. This is especially so in circumstances where supervisory authorities may seek to rely on the ePrivacy Directive, thereby avoiding the one-stop-shop mechanism under the GDPR.
Despite changes made in relation to cookie placement by Google and Amazon in September 2020, the CNIL noted that their websites still contain insufficient information for users to determine the purpose for which the cookies are used. Google and Amazon were therefore ordered to remedy this issue within three months, or face a further penalty of €100,000 for each day of delay.
It remains to be seen whether Google and/or Amazon seek to appeal the CNIL's decisions.
Europe’s businesses face harsher penalties from regulatory authorities
LfD Niedersachsen (“LfD”), the Lower Saxony data protection authority, has fined Notebooksbilliger.de AG (“Notebooksbilliger”), an online provider of computer hardware, software and accessories, €10.4 million for GDPR breaches. The fine was issued after it was discovered that Notebooksbilliger had been using video surveillance to monitor employees for over two years without any lawful basis.
Notebooksbilliger argued that it had used video surveillance as a preventative and investigative tool. However, the LfD considered such measures to be disproportionate. It was made clear that such video surveillance is only lawful when conducted on the basis that there is justified suspicion against a specified person. In addition, any video surveillance must be restricted to a limited period of time.
This is the largest fine issued by the LfD under the GDPR. Notebooksbilliger has since announced that it has appealed the LfD’s decision.
Separately, the AEPD, the Spanish data protection authority, has fined CaixaBank S.A. (“CaixaBank”) €6 million for breaches of Articles 6, 13 and 14 GDPR.
The decision highlights a number of key issues, especially in respect of the right to be informed about the collection and use of personal data (Articles 13 and 14 GDPR), which firms would be well advised to keep in consideration, not least the importance of drafting privacy policies in as precise terms as possible and ensuring that, where information is provided across multiple documents or channels, it is expressed uniformly.
These decisions are further evidence of an uptick in regulatory activity for breaches of data protection legislation across Europe of late.
The Irish DPC faces criticism of Twitter saga
In our November bulletin we reported that the EDPB had adopted its first Article 65 decision in relation to data breaches suffered by Twitter in 2018 and 2019. In the latest update to this ongoing saga, the Irish DPC has issued Twitter with a fine of €450,000. This comes after the EDPB directed the Irish DPC to increase the fine from that which had initially been proposed (between €135,000 and €275,000). The Irish DPC has described this penalty as an “effective, proportionate and dissuasive measure” and it has been readily accepted by Twitter. However, the penalty has been criticised by other supervisory authorities (notably in Austria, Italy and Germany) who believe that the fine is too low and is “insufficiently dissuasive”. This decision continues to shed light on one of the key powers afforded to the EDPB to resolve disputes among data protection authorities.
Judgment offers guidance on the territorial application of the GDPR
Jay J recently handed down judgment in Soriana v Forensic News LLC and Others EWHC 56 (QB). A British resident (the “Claimant”) was recently granted permission, in part, to sue an investigative journalist website (the “First Defendant”), its operator and some contributing journalists (together, the “Defendants”) under the GDPR. The Defendants are all based in the US and so the Claimant sought permission under CPR Practice Direction 6B to serve proceedings out of the jurisdiction.
The judgment provides significant guidance on territorial application of the GDPR.
The Claimant obtained permission to serve proceedings out of the jurisdiction (on an ex parte basis) in respect of claims in malicious falsehood, harassment, misuse of private information, defamation, and breaches of statutory duty (pursued on the basis that the Claimant was entitled to bring a GDPR claim in the UK under Article 79 GDPR (the right to an effective judicial remedy against a controller or processor)). The Defendants sought to set aside this order.
In determining whether permission to serve outside of the jurisdiction should be set aside, Jay J determined, amongst other things, whether the processing complained of fell within the territorial reach of the GDPR.
Pursuant to Article 3 GDPR the Claimant could establish this on the following alternative bases:
- Article 3(1) GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. Much of the analysis in this respect centred on the meaning of the word “establishment”. Jay J held that the fact that the First Defendant did not have a branch or subsidiary in the UK was not conclusive of itself. However, Jay J considered it to be relevant that the First Defendant did not have any employees or representatives in the UK. In addition, the fact that the First Defendant had a more than minimal readership in the UK was of no more than marginal relevance. Article 3(1) was therefore not engaged.
- Article 3(2) GDPR applies where the processing activities are related to: (i) “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”; or (ii) “the monitoring of their behaviour as far as their behaviour takes place within the Union”. The Claimant submitted that the following factors established that the Defendants fell within Article 3(2) GDPR:
- EU citizens could and indeed did buy products from the First Defendant’s website;
- the First Defendant’s website used cookies to monitor the behaviour of users in the EU; and
- the Defendants made publishing decisions based on the Claimant’s behaviour, which had been monitored in the UK and EU.
Jay J disagreed. He applied the considerations outlined in the EDPB’s Guidelines 3/2018 on the Territorial Scope of the GDPR and found that the Defendants’ activities did not fall within the ambit of Article 3(2) GDPR.
This decision provides at least some clarity as to whether organisations based outside the EU will fall within the territorial scope of GDPR. Of course, this is of relevance to UK based organisations since Brexit, given that the UK is now a third country for the purposes of GDPR.
The ICO reduces their Monetary Penalty Notice against True Vision Productions
The First-tier Tribunal (General Regulatory Chamber) recently handed down judgment in True Vision Productions v Information Commissioner UKFTT 2019 EA 0170.
In 2019, the ICO fined True Vision Productions (“TVP”) £120,000 for unfairly and unlawfully filming in maternity clinics. The relevant breaches would now fall under Article 5(1)(a) of the GDPR. As part of an observational documentary following mothers who experience stillbirths, TVP filmed medical consultations with expectant mothers who were concerned about the health of their unborn children.
TVP did not obtain consent from patients before recording the consultations. In order to obtain informed and explicit consent, TVP would have had to have told the mothers of the risk of stillbirth and it was obvious that that kind of communication should be left to medical professionals. Instead, TVP explained what they were doing and provided the mothers with the opportunity to have the consultation in a room that was not being recorded. Despite these efforts, issues of transparency arose.
This is one of the final enforcement actions under the Data Protection Act 1998 (“DPA 1998”). Nevertheless, this case is significant in that it was one of the first to consider the application of the journalism exemption.
In order for the exemption to apply, section 32(1) DPA 1998 had to be satisfied. In accordance with the first two grounds of section 32(1):
- the recording was taken with a view to the publication of journalistic material; and
- TVP reasonably believed that publication would be in the public interest.
The final ground required TVP to reasonably believe that, in all the circumstances, compliance with the relevant data protection provision was incompatible with the journalistic purpose. In respect of TVP’s decision not to obtain explicit consent, the Court found that it was reasonable for TVP to believe that it would be impossible to comply with the data protection principles without alerting the mother to the possibility of a stillbirth. However, in relation to the requirement for data to be processed fairly, the Court considered it unreasonable for TVP to believe that its journalistic purposes could not be met in compliance with the provision. In this regard, it was noted that TVP could have made the mothers more aware of the fact they were being filmed by, for example, using hand-held cameras instead of CCTV.
The ICO had correctly identified a serious contravention of DPA 1998 and, as such, was entitled to issue an MPN. However, in an action supported by the ICO, the judge significantly reduced the fine to £20,000.
While this case considered the journalistic exemption under DPA 1998, it remains of significance as the provisions have largely been replicated in Schedule 2, Part 5 para 26 Data Protection Act 2018. This decision therefore provides much needed guidance for future cases.