Welcome to the January 2019 edition of our Data Protection bulletin, our monthly update covering key developments in data protection law.
France fines Google €50 million under GDPR
Google has become the first US tech giant to be fined under the General Data Protection Regulation ("GDPR") with the French data protection authority, the CNIL, fining the company €50 million for violating obligations of transparency and failing to have a legal basis for processing related to personalised advertising.
On 25 and 28 May 2018, immediately after the implementation of the GDPR, the CNIL received complaints from privacy advocacy groups claiming that Google did not have a valid legal basis for processing personal data of its users, particularly for the purpose of personalising advertising on the search engine.
In administering the fine, the French regulator stated that essential information regarding data processing purposes, data storage periods and the categories of personal data used in the personalisation of advertisements is confusing and spread across several separate documents, sometimes requiring up to five or six actions from the user to access the relevant information. The CNIL also noted that "information is not always clear nor comprehensive" and that the purposes of processing are described "in a too generic and vague manner, and so are the categories of data processed for these various purposes".
Google states that the legal basis it relies upon to process personal data for targeted advertising purposes is consent. However, the CNIL found that consent is not validly obtained by Google as it is neither sufficiently informed, specific nor unambiguous, as required by the GDPR.
The fine will force Google to reconsider its data privacy practices and how it seeks consent to collect data for its advertising business. A spokesperson for Google stated: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."
As its EU headquarters are based in Ireland, Google had signalled that the Irish Data Protection Commission should be the lead EEA data protection authority for the purposes of the GDPR. However, at the time of the breach, the data controller was Google LLC, an American company. Without a "main establishment" in the EU, Google LLC could not benefit from the GDPR's "one-stop-shop mechanism", whereby controllers and processors carrying out cross-border processing of personal data within the EEA only need to deal with a lead EEA data protection regulatory authority. As such it was agreed between the data protection authorities that the CNIL should investigate the complaints from the French advocacy groups.
If similar complaints are made by Irish data subjects to the Irish Data Protection Commission against Google, the Irish Data Protection Commission will be entitled to investigate and enforce against Google in its own right without reference to the CNIL's previous enforcement action.
As of 22 January 2019, Google's services in the EU will be provided by Google Ireland Ltd, rather than Google LLC. This move signals the company's intention to denote its Irish business as its "main establishment" in the EU for GDPR-purposes.
The decision of the CNIL to fine Google €50 million is an initial indicator of how regulators' powers under the GDPR to issue fines of up to €20 million or 4% of a company's annual turnover, whichever is highest, will be interpreted and enforced.
See here for further information on the CNIL fine.
ICO and UK government publish data protection guidance in the event of a "no deal" Brexit
With 29 March 2019 getting closer, the Information Commissioner's Office ("ICO") and the UK Department for Culture, Media and Sport ("DCMS") have both issued data protection guidance in the event the UK leaves the EU without securing a deal.
The UK government has already confirmed that the GDPR will be absorbed into UK law on exit, so the rules that organisations need to abide by will not change substantively. However, organisations that rely on the free flow of personal data between the UK and the EEA will be affected. This is because upon exit from the EU, the UK will become a "third country", meaning that, in the absence of a deal, the UK's level of personal data protection would need to be declared adequate by the European Commission in order for the free flow of personal data from EEA countries to the UK to continue.
To assist organisations in preparing for a "no deal" Brexit, the ICO has issued a guidance note on the six steps to take in this scenario:
- Continue to comply: organisations should continue to apply GDPR standards and follow current ICO guidance. If organisations have a data protection officer, they can continue in the same role for both the UK and Europe.
- Transfers to the UK: organisations should review data flows and identify where the organisation receives data into the UK from the EEA. GDPR safeguards should be put in place to ensure the continued flow of personal data. The Irish Data Protection Commission has reiterated this guidance (see here for further information).
- Transfers from the UK: identify data flows to countries outside of the UK, as these will fall under new UK transfer and documentation provisions.
- European operations: for organisations operating across Europe, group structures, processing operations and data flows should be reviewed to assess how Brexit will effect operations.
- Documentation: review privacy information and internal documentation in order to identify what will need updating when the UK leaves the EU.
- Organisational awareness: ensure that key people in the business are aware of these key issues and keep information up-to-date.
The DCMS guidance (see here), focuses on how the UK data protection framework will continue to operate effectively in a "no deal" scenario noting the following:
- the UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data so that personal data can continue to flow freely from the UK to these destinations;
- where the EU has made an adequacy decision on the level of personal data protection of a country outside the EU, the UK government will maintain these decisions on a transitional basis so that transfers of personal data from UK organisations to these countries can continue uninterrupted;
- provision will be made so that the use of Standard Contractual Clauses ("SCCs") will continue to be an effective basis for international data transfers from the UK in the event that the UK leaves the EU without securing a deal; and
- where controllers of personal data located outside of the UK offer goods or services into the UK or monitor the behaviour of UK residents, such controllers will be required to appoint a UK representative. This measure is intended to mirror article 27 GDPR.
It remains to be seen whether these plans and procedures will come to fruition, nonetheless this guidance should assist businesses that process personal data in their preparations for a "no deal" Brexit.
Brexit draft data protection legislation issued by UK government
The UK government has issued draft legislation, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 ("Exit Regulations", available here), to ensure the preservation of the UK data protection framework post-Brexit. The Exit Regulations amend the GDPR as it operates in the EEA in an effort to safeguard the UK's data protection arrangements and ensure such legislation makes sense after the UK leaves the EU. The Exit Regulations will take effect on either (i) 30 March 2019 in the event of a "no deal" Brexit; or (ii) the end of the transition period, if the UK Parliament manages to approve a deal with the EU.
As described above, the UK government has already confirmed that the GDPR will be absorbed into UK law on exit (this legislation is referred to as the "UK GDPR" as opposed to its EU cousin). The EU GDPR contains numerous references to different EU institutions and to Member States. The Exit Regulations thus make amendments to the EU GDPR as it will apply to the UK in order for the UK GDPR to "work" and make sense in a post-Brexit UK context.
The Exit Regulations largely serve as an operational tool to ensure that the UK GDPR is a coherent piece of legislation. However, there are some changes made to the EU GDPR as it currently applies including:
- the UK GDPR will apply to any controllers and processors established in the UK as well as those outside the UK but which offer goods and services to data subjects in the UK or to monitor the behaviour of data subjects in the UK, thus mirroring the territorial scope of the EU GDPR;
- EU organisations subject to the UK GDPR may need to appoint a UK representative, just as UK organisations subject to the EU GDPR may need an EU based representative;
- the UK, through the ICO, will be able to make its own adequacy decisions going forward; and
- the ICO will be able to create its own SCCs for the purposes of the UK GDPR, although UK controllers and processors will be able to rely on the current, EU Commission approved SCCs in the immediate period post-Brexit and the ICO is authorised to approve EU SCCs as an appropriate safeguard for the transfer of personal data.
The Exit Regulations will become key to understanding the UK GDPR in a post-Brexit environment.
Brexit steps published for EU-US Privacy Shield participants
The US Department of Commerce ("DOC") has published steps for organisations to take in order to extend current Privacy Shield processes to cover post-Brexit transfers of personal data between the US and the UK.
The Exit Regulations state that under the UK GDPR, adequacy decisions in relation to transfers of personal data outside the UK will be issued by the ICO, rather than the European Commission. The European Commission's adequacy decision in respect of the EU-US Privacy Shield will therefore no longer apply to transfers of personal data from the UK once the UK leaves the EU and is outside the scope of EU law.
The DOC has advised that to receive personal data from the UK in reliance on the Privacy Shield once the UK has left the EU (either on 29 March 2019 in the event of a "no deal" scenario or after a transition period), Privacy Shield participants are required to:
- update the organisation's public commitment to comply with Privacy Shield so that it states expressly that the commitment includes personal data received from the UK in reliance on the Privacy Shield;
- update the organisation's HR policy if an organisation plans to receive human resources data from the UK in reliance on the Privacy Shield; and
- continue to recertify with Privacy Shield on an annual basis.
Privacy Shield participants should therefore consider these steps as part of pre-Brexit preparations. Further details can be found here.
European Commission adopts adequacy decision on Japan
In our October 2018 Data Protection update (see here) we commented on the publication of a draft decision on the adequacy of Japan's data protection legislation. The European Commission has now adopted its adequacy decision on Japan, allowing for the free flow of personal data between Japan and the EEA.
Japan now joins one of a small number of countries deemed by the Commission to provide an "adequate" level of personal data protection: i.e. in the Commission's view, their level of data protection is essentially equivalent to that of the EU.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “This adequacy decision creates the world's largest area of safe data flows. Europeans' data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers' market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards.”
The adequacy decision, as well as the mutual decision on the Japanese side, came into force on 23 January 2019.
Google, Inc. v CNIL
In better news for Google, Maciej Szpunar, Advocate General to the European Court of Justice ("ECJ"), has voiced his opinion that Google and other search engines can limit the "right to be forgotten" to internet searches made in the EU, backing an appeal by Google against a €100,000 fine from the French data protection authority, the CNIL.
In 2016, the CNIL fined Google for failing to delist sensitive information beyond EU borders. Google had only delisted results in relation to EU domains, such as Google.es or Google.fr, and not domains outside of the EU such as Google.com. CNIL requested that google relist all founded requests for erasure of personal data from domains worldwide.
Szpunar argues that EU law does not expressly govern the territorial scope of de-referencing so a distinction must be made depending on where the search is made. He stated that provisions of EU law should not be given such a wide interpretation beyond the borders of Member States and endorsed Google's approach to geo-blocking in Europe only. ECJ judges typically follow the advice of advocates general, although the court is not bound to do so.
Laws banning pensions cold calling issued
Cold calls regarding occupational and personal pension schemes are now illegal in certain circumstances due to new regulations. The regulations amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") to prohibit cold calling in relation to pensions except where:
- the caller is authorised by the Financial Conduct Authority, or is a trustee or manager of an occupational or personal pension scheme; and
- the recipient of the call consents to calls from the caller, or has an existing client relationship with the caller such as might give rise to an expectation of receiving cold calls from the caller.
The ban on pensions cold calling will be enforced by the ICO. The regulator may issue a fine of up to £500,000 for any breach of these regulations.
Facebook bug exposes 6.8m users' unposted photos to apps
Facebook has been forced to apologise after yet another security breach. In the most recent incident, up to 6.8 million users of the social network have been affected by a bug which allowed app developers to access uploaded, but never posted, photos. The developers may also have been able to see photos posted on Marketplace and Stories.
The bug affected a 12 day window between 13 September and 25 September 2018. Facebook became aware of the breach and fixed the bug on 25 September, but did not report the breach to the Irish Data Protection Commission ("IDPC") until 22 November. This raises questions about the company's compliance with the 72 hour reporting deadline in Article 33 GDPR. When quizzed in relation to this, a Facebook spokesperson noted: "…we notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 hour timeframe". The IDPC has confirmed that it will be reviewing Facebook's compliance with GDPR having received a number of breach notifications since May 2018.
This latest incident pales in comparison to the scale of the security breach in September 2018, which Facebook said compromised the personal data of nearly 50 million users.
Mondelez claim the first legal dispute over how companies can recover the costs of a cyber attack
Mondelez is suing Zurich over a refusal by the latter to pay out on a $100 million insurance claim in relation to the NotPetya cyber attack. The case is notable for being the first significant legal dispute concerning the recovery of costs from a cyber attack, and is likely to have implications throughout the insurance industry.
Mondelez had claimed on a property insurance policy which, supposedly, covered damage caused by malicious code. Zurich invoked a war exclusion, and refused to pay. In order to invoke the exclusion, the insurer needs to demonstrate that the cyber attack was a hostile action by a government or its agents. This will inevitably be an uphill battle; the onus of proof is on Zurich.
It is notable that Mondelez's claim was made on a non-cyber policy; one implication of the case could be a push in the market for buyers to obtain cyber-specific policies.
Facebook shared private user messages with Netflix and Spotify
A New York Times investigation has uncovered special arrangements between Facebook, Netflix and Spotify whereby the social media giant allowed the latter two companies to read users' private messages. The data sharing did not stop there: Microsoft's Bing search engine was permitted to see the names of Facebook users' friends without consent; Amazon was allowed to access users' names and contact information; and Yahoo was permitted to see streams of friends' posts.
Whilst Facebook maintained that "none of these partnerships or features gave companies access to information without people's permission", the arrangements throw into sharp focus Mark Zuckerberg's assertion in April 2018 that users have "complete control" over everything shared on Facebook.
Marriott/Starwood data breach revised downwards
The investigation completed by Marriott into the data breach involving customers of its Starwood division has found that the initial belief that 500 million customers' personal data had been stolen was in fact an over-estimate. The figure is now estimated to stand at 383 million; a downwards revision, but hardly one which alters the conclusion that this was a data breach on a vast scale.
French data protection authority becomes third European watchdog to fine Uber over 2016 breach
The French data protection authority, CNIL, has become the third European watchdog to fine Uber over its 2016 data breach. The CNIL ordered the company to pay €400,000 for the hack, which exposed the data of 57 million users. 1.4 million of those users were based in France.
The CNIL concluded that Uber was "negligent in failing to implement some basic security measures" and that it demonstrated a "widespread lack of caution". The fine from the French authority follows the £385,000 and €600,000 penalties imposed by its UK and Dutch counterparts.
This doesn't appear to be the end of the road in terms of sanctions for Uber, however. On 21 December, the Italian data protection authority indicated its intention to fine Uber for violations of privacy rules.
Largest collection of breached data in history located on hacking forum
The largest ever collection of breached data was found on a hacking forum in December 2018. The breached data comprised of more than 770 million email addresses and passwords. Troy Hunt, who runs a breach-notification website (see here), discovered the compilation of breached data.
Hunt commented that the data on the hacking forum is likely to be "made up of many different individual data breaches from literally thousands of different sources", rather than from a single hack. Although most of the email addresses found on the forum have appeared in previous data breaches shared among hackers, there are around 140 million email addresses that have appeared in this breach that Hunt's breach-notification service has never seen before.
Tax Returned Limited fined £200,000 after sending 14.8m spam texts
The ICO has handed down a £200,000 fine to a firm for sending millions of unsolicited marketing text messages. The messages were sent through a third party service provider, but, as instigators of the campaign, the ICO noted that it was the firm's responsibility to ensure that specific, prior consent existed from those receiving the messages. Such consent had not been obtained. Over 2,100 people complained about the nuisance messages.
Steve Eckersley, ICO's Director of Investigations, commented: "Firms using third party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third party consent is also not enough and companies will be fined if they break the law".
An enforcement notice has also been served on Tax Returned Limited, stipulating that the firm must cease illegal marketing activity.
SCL Elections fined for failing to comply with enforcement notice
Cambridge Analytica's parent company has been fined £15,000 for failing to comply with an ICO enforcement notice. The notice, issued in May 2018, had ordered SCL Elections to respond to a subject access request from a US academic. SCL failed to respond, instead asserting that, as a non-UK citizen, the requestor had no more right to submit a subject access request "than a member of the Taliban sitting in a cave in Afghanistan".
The failure to respond was admitted at a hearing at Hendon Magistrates' Court. The company's administrators pleaded guilty on its behalf to a breach of s.47(1) of the Data Protection Act 1998 ("DPA 1998").
Elizabeth Denham, Information Commissioner, issued a firm reminder: "where…companies ignore ICO enforcement notices, we will take action".
ICO begins formal action against care homes for failure to pay data protection fee
Care homes that have failed to pay the data protection fee have been warned that they will be fined unless they do so. Notices of intent to fine have been sent by the ICO to the organisations concerned, who have 21 days in which to respond. Payment will cease any enforcement action on the ICO's behalf.
The data protection fee replaces the requirement to "notify" under the DPA 1998, and came into force on 25 May 2018 by virtue of the Data Protection (Charges and Information) Regulations 2018 ("the 2018 Regulations"). The ICO can enforce the 2018 Regulations and serve monetary penalties on those who refuse to pay. Data controllers who have a current DPA 1998 registration are not required to pay the new fee, until that registration has expired.
Organisations are grouped into three tiers – relating to size, turnover, and the nature of the organisation - for the purpose of determining the fee due. Large organisations are required to pay £2,900. The maximum fine payable, once aggravating factors are accounted for, stands at £4,350.
ICO guidance on the data protection fee can be found here.