Welcome to our data protection bulletin, covering the key developments in data protection law from April 2020.

Data protection

Cyber security

Enforcement

Data protection

ICO launches coronavirus information hub and further guidance on dealing with issues resulting from the pandemic

The ICO continues to update and publish new guidance for individuals and organisations on how to deal with data protection issues during the pandemic. The advice can be found on their general coronavirus information hub. Here, you can drill down into more specific data protection advice on topics such as secure working from home, as well as how to avoid scams during the pandemic. The ICO offers some welcome reassurance in a statement issued earlier this month explaining that they “stand ready to investigate any business taking advantage of the current pandemic”, and in particular that, where they find evidence of fraud, they will work closely with Action Fraud, Trading Standards and relevant agencies to continue to protect people, raise awareness and stop criminal activity.

The dominant and consistent message issued by the ICO is that data protection law will not stop organisations from responding to the crisis. The hub is being regularly updated to reflect the changes in response to the pandemic.

ICO publishes guidance on their regulatory approach during the coronavirus pandemic

On 15 April 2020, the ICO published some guidance on its regulatory approach during the Covid-19 pandemic. In the guidance, the ICO acknowledges the capacity shortages and financial pressures that organisations are facing due to the pandemic, and emphasises its commitment to an "empathetic and pragmatic approach" to its regulation throughout this crisis. This approach should reassure organisations who are continuing to deal with the unpredictable climate at the same time as balancing data protection obligations.

The ICO specifically pointed out the "severe front-line pressures" forcing health, local and central government, and police authorities to redeploy resources as necessary. The ICO stated it will support these authorities, while providing practical support to the public on understanding and exercising their information rights in relation to such authorities. Lastly, the ICO referred to its commitment to proportionality, enshrined in its Regulatory Action Policy, as the guiding principle to its regulatory investigations and enforcement action during this crisis.

EU takes steps to manage Covid-19, mobile data and apps

As countries around the world begin to consider the use of contact-tracing apps as an exit strategy for Covid-19, the UK appears to be following suit. The Government has launched a track and trace app to be piloted on the Isle of Wight in the first week of May. Access to the app will initially be offered to NHS staff before being made more widely available to download. The ICO has provided oversight on the development of the contact-tracing app, and will continue to monitor it (including to review and comment on the app’s Data Protection Impact Assessment and privacy notice). Elizabeth Denham has stressed that the ICO will not ‘sign off or approve’ the app, but will be an “expert adviser and enforcer”.

The contact-tracing app uses Bluetooth signals between devices in order to alert those who have been in close proximity to someone who later develops and records symptoms (if that individual chooses to let the app inform the NHS). While data will be anonymised, this could clearly have significant data privacy implications, particularly as individuals’ locations will be continuously tracked and there are fears that the unique IDs given to each device could be used to “de-anonymise” people who report symptoms. The Health Secretary confirmed on 4 May 2020 that the app has been designed with privacy in mind and has been signed off by the National Cyber Security Centre (“NCSC”). Prof John Newton from Public Health England further clarified that the app itself does not hold personal information and “people should feel reassured by all the precautions that have been taken”.

In response to the contact-tracing app trend, the European Commission and the EDPB are also working to promote a common approach to the use of mobile apps and data in fighting coronavirus. The European Commission has issued guidance on the apps supporting the fight against Covid-19 following the publication of its recommendation setting out a “toolbox” for Europe on how to use technology and data to combat Covid-19. The key message from the European Commission is that countries across the EU must adopt a common approach which, in turn, will enable citizens to social distance more effectively without the strict country-wide restrictions on movement we are still seeing today. On 14 April, the EDPB emphasised the need to consult data protection authorities, particularly in the development phase of any contact-tracing app. The EDPB also noted that these apps will not have the desired effect without the majority of the population’s consent and sign-up, which means that the app (and governments alike) must ensure transparency in relation to use of personal data, compliance with privacy laws and protection of citizens’ fundamental rights.

The question of whether true anonymity will be achieved if data points including location and unique identifiers are used remains, and will likely be subject to further scrutiny. In addition, the extent of any data sharing with private sector companies, and controls on the uses for which those companies put the highly sensitive data they receive, will need to be carefully managed to ensure compliance with data protection law.

ICO publishes opinion on Apple and Google’s joint initiative on contact tracing technology 

Separately, the ICO has published an opinion on Google and Apple’s decentralised joint contact-tracing initiative (which they are calling the Contact Tracing Framework (“CTF”)). The opinion states that the initial stage of the CTF broadly aligns with data protection law; however, the ICO stressed that app developers must ensure they carry out their own measures to ensure compliance with data protection law. The ICO has taken care not to fully endorse the initiative and acknowledges that other concerns and considerations may arise further down the line, such as the association of other data generated by the app with centralised data held by public health authorities.

Zoom's approach to data privacy and security comes under scrutiny 

Zoom, the video-conferencing software, has risen in popularity since the Covid-19 crisis. Many private individuals, companies and even the UK government now use it to host personal and work meetings from home. The Zoom website claims that it "does not monitor" meetings or their contents, and that it "complies with all applicable privacy laws, rules and regulations in the jurisdictions in which it operates".

Despite this, Zoom has been accused of undisclosed data sharing practices, of offering features that allowed users to harass other users or mine data from them without their knowledge, and of issuing misleading statements about its encryption capabilities. The chief executive, Eric Yuan, has promised to fix the issues and issued a public apology for the data privacy unrest, saying that the company will now be “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues”.

Since then, Zoom has announced that it will be releasing Zoom 5.0, an updated version which includes improved encryption features and the ability for the account administrator to choose the data centre region through which their meetings are routed.

This is a useful reminder of the importance of ensuring transparency in relation to data collection and whether third parties can access that data.

ICO and Surveillance Camera Commissioner publish updated impact assessment template 

The ICO and Surveillance Camera Commissioner jointly published an updated Data Protection Impact Assessment ("DPIA") template document on 1 April 2020. This updated template reflects changes in data protection requirements, such as the requirement to register the name of the company's data protection officer (“DPO”) and the need to consult with the DPO when carrying out a DPIA. The regulators recommend, in particular, that a DPIA be carried out when cameras are added, moved, have their systems upgraded or where systems with biometric capabilities are introduced.

EU Advocate General delivers opinion on GDPR requirement for obtaining data subject consent

On 4 March 2020, Advocate General Szpunar handed down his opinion on the matter of Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) (the "Opinion").

This case concerns Orange, a telecommunication service provider, which copied customers' identity documents and attached them to paper-based contracts for the provision of its services. The ANSPDCP (Romania's national data protection regulator) took the view that Orange had failed to obtain the customers' informed consent to this practice, and imposed an "administrative penalty" on Orange.

Orange pointed to a clause in the contract which provided that the customer "has been informed of and has consented to…the keeping [by Orange] of copies of documents containing personal data for the purposes of identification." Consequently, Orange brought an action to appeal the ANSPDCP's fine in the Bucharest Regional Court. The Regional Court requested a preliminary ruling from the Court of Justice of the EU.

In the Opinion, Advocate General Szpunar opined that the clause in Orange's contract (referred to above) does not meet the strict requirements of the GDPR. In particular, he noted that the customers' consents were not "freely given" as the GDPR necessitates an active indication of consent. He clarified that "passive behaviour", such as "consent in the form of a preselected tick of a checkbox", to which Orange's contractual clause is analogous, did not satisfy the active consent requirement. Advocate General Szpunar also stated that the customers' consents were not "informed consent" as it was not "crystal-clear to the customer that a refusal to the copying and storing of his or her ID card does not make the conclusion of a contract impossible". This ties in with his emphasis that, in the context of formation of contract, a data subject must be told of the "consequences of refusing consent", i.e. whether refusing consent would prevent a contract being concluded.

This serves as an important reminder to our readers to keep under review any data processing clauses in commercial contracts to ensure compliance with the GDPR.

Cyber security

FCA publishes insight on key cyber-security risks 

The FCA has published an updated insight document highlighting key cyber-security risks for firms operating in the financial sector. The insights are a product of the Cyber Coordination Groups ("CCG"), comprising firms brought together by the FCA from across different areas of the financial sector, including investment management, retail banking and brokers. Importantly, the FCA clarified that such insights do not constitute FCA guidance, but that many support existing guidance from the NCSC.

The CCG identified the following areas as currently presenting the highest cyber-security risks:

  • Supply chain: risks arising from supply chain partners, particularly in the energy and telecommunications sectors.
  • Increasing social engineering attacks: the CCG reiterated the need for firms to educate their employees to better identify and report deceptive tactics aimed at persuading the employees to disclose information.
  • Ransomware: the CCG noted the importance of updating hardware and software, as well as separating key segments of the network to "isolate critical elements" where possible.

Looking ahead, the CCG recommended that firms focus on reinforcing weak links in the following areas, amongst others, to minimise future cyber-attacks:

  • Cloud security: the increasing reliance on cloud-based software requires such environments to be encrypted, protected and managed. The CCG noted the possible inclusion of "kill switch" technology as a potential response to cyber-attacks.
  • Development and Security Operations: the CCG pointed out the importance of embedding robust security practices into an organisation's development approach. This can be achieved by "an integrated consideration at each stage of the development process", with particular focus on privacy, security and compliance.

NHS at risk of cyber-attack amidst Covid-19 crisis

In our March 2020 bulletin, we raised the issue of phishing and spam emails related to the Covid-19 crisis. Unfortunately, cyber security issues arising from the pandemic have not eased off.

Hospitals in Spain, France and the Czech Republic have all reported being hit by cyber-attacks during the Covid-19 crisis. Similarly, the WHO and the US Department of Health have both been targets of cyber-attacks during this period.

As a result, Neil Bennett, acting Chief Information Security Officer at NHS Digital, has confirmed that the NHS is working closely with the NCSC and NHSX to protect itself against potential cyber-attacks.

UK government releases Cyber Security Breaches Survey 2020 (the "Survey")

The UK's Department for Digital, Culture, Media and Sport commissioned the Survey of UK businesses and charities, as part of the National Cyber Security Programme, which was released on 25 March 2020.

The Survey aims to highlight to UK organisations the "nature and significance of cyber security threats they face". Worryingly, the Survey found that between 2019 and 2020, 46% of UK businesses and 26% of charities have reported at least one cyber security breach or attack. The primary targets are medium businesses (68%), large businesses (75%) and high-income charities (57%). Approximately one in five UK businesses that have suffered a cyber-security breach or attack also report a "material outcome", either losing money or data.

Whilst the Survey notes that UK businesses are becoming more cyber resilient, it warns that there is more to be done "on a range of diverse topics", including audits, cyber insurance, managing supplier risk and reporting breaches. The Survey singled out supplier risks as an area that is often overlooked when businesses audit their cyber resilience. In particular, it notes that businesses failed to consider the security of non-digital service suppliers that form part of their supplier network.

Enforcement

Supreme Court holds that Morrisons is not liable for actions of a disgruntled employee 

The Supreme Court has held that Morrisons is not liable for the actions of a disgruntled employee, Mr Skelton, who was jailed for fraud for eight years in 2015. Delivered on 1 April 2020, the Supreme Court’s much anticipated decision in WM Morrison Supermarkets Ltd v Various Claimants [2020] UKSC 12 represents the first data class action in the UK of its kind. The facts of the case have been covered in detail in our October 2018 bulletin.

In summary, the Claimants' (5,518 Morrisons' employees) claims arise from Mr Skelton's unauthorised uploading of personal data relating to nearly 100,000 Morrisons' employees (the "Data") to a file-sharing website in 2014 (the "Breach"). Mr Skelton, who, at the time of the Breach, was a senior internal IT auditor at Morrisons, had become disgruntled by virtue of an internal disciplinary relating to his operating a side-business using Morrisons' post room. Thereafter, Mr Skelton, who had the right to access the Data as a result of his role, copied the Data, uploaded it to a file sharing website (in a manner which was intended to frame another Morrisons' employee), and provided copies of the Data to three UK newspapers.

The Claimants claimed that, in failing to prevent the Breach, Morrisons was primarily liable for breaches of the Data Protection Act 1998 (the "Act"), misuse of private information, and/or breaches of confidence (the "Primary Claims"), or, alternatively, vicariously liable for Mr Skelton's misuse of private information and/or breaches of confidence (the "VL Claims").

At first instance, Langstaff J dismissed the Primary Claims (as Morrisons had not, itself, misused, or authorised the misuse of, the Data, and had in place appropriate measures to ensure that the Data was not misused by its employees, and was therefore not in breach of the Act), but held that Morrisons was vicariously liable for the Breach, and, accordingly, upheld the VL Claims. This judgment was upheld in its entirety by the Court of Appeal. The Supreme Court overturned the Court of Appeal’s decision, holding that the VL Claims failed as a matter of principle. In applying the "close connection" limb (i.e. whether a close link exists between the wrongful conduct of the employee and the business of the employer or the nature of the employment) of the two-stage test for establishing vicarious liability, the Supreme Court held that an employer should not be liable for an employee's wrongful act where that act was not engaged in furtherance of the employer's business, and was an effort to deliberately harm the employer as part of a revenge tactic.

Separately, in relation to Morrisons' argument that the Data Protection Act 1998 excluded vicarious liability, the Supreme Court held: "The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller's employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault."

Accordingly, where a data breach arises out of the actions of an employee which satisfy the "close connection" test, vicarious liability on the part of the employer in circumstances where they may have no statutory duty under relevant data protection legislation (or other liability generally (e.g. for breach of confidence)), remains a possibility.

UK cooperation with the USA on the "ISIS Beatles" held unlawful by the Supreme Court 

The Supreme Court recently handed down judgment in Elgizouli v Secretary of State for the Home Department [2020] UKSC 10. This case concerns the 'Jihadi Beatles', two British nationals and ISIS members whom the USA wanted to prosecute. Theresa May (when she was Home Secretary) initially denied Mutual Legal Assistance ("MLA") to the USA as it could not provide assurances that the British nationals would not receive the death penalty. However, Sajid Javid, when he became Home Secretary, granted MLA to the USA without seeking the same assurances.

Ms El Gizouli (the appellant, and mother of Shafee El Sheikh) brought a claim against the Home Office alleging that: (i) English common law does not allow the Home Secretary to trespass on the right to life; or alternatively, (ii) the Data Protection Act 2018 (the "DPA 2018") does not permit the Home Office to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.

The Supreme Court dismissed the first two grounds, but found for the appellant on the data protection ground. In particular, it held that Section 76(2) of the DPA 2018 provided that the ability of the Home Office to transfer data to a third country under the “special circumstances” gateway is disapplied where this will affect the data subject's fundamental rights and freedoms. Since the USA could not guarantee that, if Shafee El Sheikh is convicted, he would not be subject to the death penalty, his right to life (being a fundamental right) could be affected.

UK Supreme Court grants Google permission to appeal Lloyd v Google case

The Supreme Court has granted Google permission to appeal the Court of Appeal's judgment in Lloyd v Google LLC [2019] EWCA Civ 1599.

Between August 2011 and February 2012, Google took advantage of an Apple-devised exception to cookie blockers, the "Safari Workaround", which allowed Google to harvest, without consent, browser generated information ("BGI") of Apple iPhone users. This BGI, which constituted personal data for the purposes of the Data Protection Act 1998 (the "DPA"), gave Google unprecedented insight into the habits and preferences of more than 4 million Apple iPhone users (the "Data Subjects") which it packaged and sold to advertisers, allowing them to target marketing specifically at the Data Subjects.

Google has already been subject to individual claims before the English Court as a result of these activities, which gave rise to the critical judgment in Vidal-Hall v Google [2015] EWCA Civ 311 which established that damages for non-pecuniary loss were, in principle, available under s.13 DPA.

Mr Lloyd, the former executive director of Which? and a consumer rights activist, is pursuing a representative claim on behalf of both himself and other affected Data Subjects, under r.19.6 of the Civil Procedure Rules 1998 (the "CPR"), seeking damages under s.13 DPA for breaches of s.4(4) DPA. Before the claim can proceed in earnest, amongst other things, Mr Lloyd requires the English Court's permission to serve the proceedings out of the jurisdiction on Google.

At first instance, Warby J refused to grant permission to Mr Lloyd to serve the proceedings out of the jurisdiction. However, on 2 October 2019, in a seminal judgment, the Court of Appeal overturned Warby J’s judgment, holding that: (a) the Data Subjects were entitled to recover damages pursuant to s.13 DPA, based on the loss of control of their personal data alone, regardless of whether they had suffered pecuniary loss or distress; (b) the Data Subjects represented in the claim did, in fact, have the same interest for the purposes of CPR 19.6(1); and (c) the Court should exercise its discretion to permit Mr Lloyd to act as a representative for the Data Subjects.

If the Supreme Court upholds the Court of Appeal's decision, it will significantly widen the scope of data protection claims under the DPA 1998, and probably also under the Data Protection Act 2018 (which offers similar remedies at sections 167 to 169), and potentially open the floodgates to US-style class actions by representative Claimants on behalf of classes of affected data subjects.

Dutch data protection authority fines sports association

On 2 March 2020, the Dutch Data Protection Authority (the "DDPA") issued a €525,000 fine against the Dutch National Tennis Association (the "Association") for breach of data protection laws.

The Association had collected personal data from its members, which the Association then provided to two sponsors for marketing purposes under a data sharing agreement.

The DDPA found that, whilst the Association had lawfully collected its members' personal data, the commercialisation of such data was unlawful. In particular, the DDPA held that the Association could not rely on the members' initial consent (under the membership agreement) to have their personal data processed for its subsequent sale of the same personal data to the sponsors.

First Tier Tribunal orders a general stay on all appeals against ICO rulings 

Following the ICO's application for a general stay, on 31 March 2020, McKenna J (President of the First Tier Tribunal, General Regulatory Chamber) ordered a stay of 28 days on all appeals against rulings of the ICO. She also ordered that all time limits in any new and current proceedings be extended by 28 days. The stay began on 1 April 2020, and was further extended to 27 May 2020 after review by McKenna J on 27 April 2020.

McKenna J made the order in light of the Covid-19 pandemic, and the fact that the ICO has been temporarily closed as a result.

British Airways and Marriott International fines by ICO deferred again 

In July 2019, the ICO issued notices of intent to fine British Airways £183,390,000 and Marriott International £99,200,396 for alleged breaches of the GDPR arising out of security incidents. In January 2020, it confirmed that the next steps in the regulatory process (the ICO has 6 months from issuing a notice of intent to issue a fine under Schedule 6 para 2(2) of the Data Protection Act 2018) relating to both fines were to be delayed until 31 March 2020.

This deadline passed with no news of the regulatory outcome and the ICO has since announced a further delay, this time because of the Covid-19 crisis. Marriott's deadline has been extended until 1 June 2020, whilst the British Airways' revised deadline is now 18 May 2020.