Welcome to the October 2019 edition of our Data Protection bulletin, our monthly update covering key developments in data protection law.

Data protection

Cyber security

ICO enforcement

Data protection

Lloyd v Google

The Court of Appeal has reversed Warby J’s decision in the High Court to dismiss an application for permission to serve proceedings out of jurisdiction on Google, in so doing paving the way for representative proceedings to be brought against the technology giant in the Media and Communications Court in London.

The appeal concerns a claim brought by consumer protection campaigner Richard Lloyd in connection with the alleged collection of browser generated information (“BGI”) by Google from iPhone users (dubbed “the Safari Workaround”) and its use for commercial purposes. Mr Lloyd seeks to make the claim on behalf of a class of more than 4 million iPhone users.

Warby J had found that Mr Lloyd had failed to show that the claimants had: (1) suffered “damage” for the purposes of s.13 Data Protection Act 1998 (“DPA 1998”); (2) had the “same interest” within the meaning of CPR 19.6(1); or (3) were ascertainable as members of a specific class. Warby J also exercised the discretion afforded by CPR 19.6(2) to direct that a person (here, Mr Lloyd) may not act as a representative, focusing on the fact that since the Safari Workaround had come to public attention, none of the affected data subjects based in England had complained or sought compensation other than the claimants in Vidal-Hall v Google [2015] EWCA Civ 311 and Mr Lloyd.

The Court of Appeal overturned Warby J, in summary holding that:

  1. A claimant can recover damages for loss of control of their data under s.13 DPA 1998 without pecuniary loss or distress. The claimants had something of value – their BGI - taken by Google without their consent in the same circumstances during the same period;
  2. Members of the representative class were identifiable and had the same interest as one another for the purposes of CPR 19.6(1). The class are all victims of the same alleged wrong and have suffered the same loss, that is loss of control over their BGI; and
  3. Warby J should have exercised his discretion to allow the action to proceed as a representative action. This was not “officious litigation”, but a claim which should be allowed to proceed to “ensure that there is a civil compensatory remedy…to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.

Please see our more detailed summary of the case here.

CJEU ruling clarifies cookie consent

Consent to the use of cookies obtained through a pre-ticked check box is not valid, the Court of Justice of the European Union (“CJEU”) has ruled. The decision concerned the registration form used by a German online lottery service, Planet49 GmbH, which included a pre-ticked box which allowed users to opt out from the use of cookies by deselecting the box. The key issue for the CJEU was whether this met the consent requirements in the ePrivacy Directive, the Data Protection Directive, and the GDPR.

The CJEU focused on the need for affirmative consent. It noted that the wording “given his or her consent” in the ePrivacy Directive “lend[s] itself to a literal interpretation according to which action is required on the part of the user”. In a similar vein, the requirement in the Data Protection Directive for consent to be given “unambiguously” means that “only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement”. Accordingly, “it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed.”

High Court grants group litigation order for British Airways customers affected by 2018 data breach

The High Court of England and Wales has issued a group litigation order, facilitating the commencement of group action by customers affected by the British Airways data breach in 2018. Issued by Warby J on 4 October, the order sets out that those individuals who received an email from the airline in September or October 2018 pertaining to the data breach and who have suffered damage as a consequence of it may be eligible to join the proceedings. The deadline for serving group particulars of claim is 17 January 2020, and those individuals who wish to enter on to the group register must issue and serve claims within 12 months of that date.

New US-UK bilateral data access agreement

Home Secretary Priti Patel has signed with US Attorney General William P. Barr the first UK-US bilateral data access agreement (the “Agreement”). The Agreement is intended to expedite investigations by allowing US and UK law enforcement authorities, subject to gaining appropriate authorisation, to go directly to technology companies based in the other country to obtain electronically stored data. This streamlined process will bypass the current route to obtaining such data – mutual legal assistance treaty requests (“MLATS”) – which can take months and even years to complete.

Prior to obtaining data, UK law enforcement agencies will need a court order in place under the UK Crime (Overseas Production Orders) Act (“C(OPO) Act”). A judge must therefore find that there exist reasonable grounds to believe that the data will be of substantial value to proceedings or investigations into an indictable offence, that the data will be relevant evidence in respect of such an offence, and that it is in the public interest for the data to be produced. Safeguards are in place, too. Law enforcement authorities must seek permission from the other country prior to using data gained through the Agreement as evidence in certain prosecutions; death penalty cases in the US, and freedom of speech cases in the UK. The recipient of a production order in the UK may, under the C(OPO) Act, apply to court to have it varied or revoked.

Importantly, the Agreement does not affect the way in which technology companies use encryption and does not allow authorities to force companies to hand over personal data, for example encrypted data from messaging apps such as WhatsApp and Facebook Messenger.

The Agreement will now go through a review/ratification period in both the US and the UK and should, subject to approval, enter into force around March 2020.

Dangers of relying on consent for processing employee data

An employer in Greece has been fined €150,000 by the Hellenic Data Protection Authority for incorrectly purporting to rely on consent as its basis for processing personal data under the GDPR, in what is a clear reminder of the difficulties of relying on data protection consent in an employment context. In-depth discussion of the decision can be found here.

Twitter misuse personal information for advertising

Twitter has admitted to utilising information submitted by users for security purposes, including two-factor authentication, for targeted advertising. A blog post by the social media platform detailed the issue, which is said to have involved users’ email addresses and phone numbers. Twitter reassured users that “no personal data was ever shared externally with our partners or any other third parties” and that “[we] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising”. The admission comes less than a year after it emerged that fellow social media giant Facebook was also using two-factor authentication details for advertising purposes.

EDPS expresses “serious concerns” over EU deals with Microsoft

Preliminary results from an ongoing investigation by the European Data Protection Supervisor (“EDPS”) has revealed “serious concerns” over the GDPR compliance of contractual terms in agreements between Microsoft and EU institutions for the provision of products and services. The investigation, which started in April this year, follows the introduction of Regulation 2018/1725 - effectively the public sector counterpart of the GDPR – which brought changes to the rules governing outsourcing. Commenting on the preliminary results, Wojciech Wiewiórowski, Assistant EDPS, noted that “when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf…[and] they also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks”; it is “with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny”.

Duchess of Sussex takes privacy action against Mail on Sunday

The Duke of Sussex and his wife are taking legal action against the Mail on Sunday for publishing a private letter sent by the Duchess of Sussex to her father. Schillings, acting for the Duchess, filed a High Court claim against the Mail on Sunday and its parent company, Associated Newspapers, over the alleged misuse of private information, infringement of copyright and breach of the Data Protection Act 2018. The paper is accused of an "intrusive and unlawful publication of a private letter" and of a campaign of publishing false and derogatory stories about the Duchess of Sussex. The Mail on Sunday spokesperson said: "We categorically deny that the Duchess's letter was edited in any way that changed its meaning."

High Court upholds immigration exemption

The High Court has dismissed a judicial review application challenging the lawfulness of the immigration exemption in the Data Protection Act 2018 (“DPA 2018”). The application was brought by campaign groups the3million and Open Rights Group and alleged that the exemption, contained in Schedule 2 paragraph 4 DPA 2018, amounted to a disproportionate restriction on individuals’ data rights and was so broad as to create a risk of abuse. The widespread use of the exemption was brought into sharp focus during proceedings; it emerged that the Home Office relied on the exemption in 59% of subject access requests relating to the border and immigration system.

Dismissing the challenge, the High Court noted that the purposes for which, and the categories of data to which, the exemption may be applied were “clear and appropriately delineated”. The Court further noted that the exemption was of “important public interest” and that the DPA 2018 contained sufficient safeguards to limit the risk of abuse. The campaign groups have since indicated their intention to appeal.

Admissibility of covert recordings

The High Court has found that covert recordings in a personal injury case are admissible as evidence. The claimant recorded examinations with medical experts and sought to use these recordings in a compensation claim for injuries suffered as a result of a road traffic accident. The insurer, Direct Line, argued that the recording of these examinations amounted to unlawful processing contrary to the GDPR and DPA 2018 and that they should not be admitted as evidence.

Master Davison held that the processing was in fact lawful; it fell within both the “personal purposes” exemption in Article 2(c) GDPR and the “legal proceedings” exemption under paragraph 5 of Schedule 2 DPA 2018. The recordings were deemed admissible, too. Master Davison noted that the claimant’s motives were “in the context of adversarial litigation, understandable” and that “whilst her actions lacked courtesy and transparency, covert recording has become a fact of professional life”.

Austrian regional court awards individual EUR 800 in non-material damages under Art 82 GDPR

The Austrian regional court of Feldkirch has awarded an individual whose personal data was processed without legal basis EUR 800 in non-material damages under Article 82 GDPR. The decision lends credence to the suggestion that approximately £750 is an appropriate compensation award for a breach of GDPR that causes no loss. £750 was awarded in Halliday v CCF [2013] EWCA Civ 333 for a violation which caused “frustration at non-compliance” but no other loss, and this is the same amount that has been suggested (per claimant) in the Lloyd v Google class action (see [2018] EWHC 2599 (QB) at [3]).

Cyber security

Yahoo users to receive up to $358 in $117.5 million data breach settlement

Individuals who had a Yahoo account between 2012 and 2016 have been informed by Yahoo that they may be eligible for at least two years of credit monitoring or a cash payment of up to $358 as part of the company’s $117.5 million settlement for a series of recent data breaches. The exact cash sum users will receive will ultimately depend on how many claims are filed.

Polish data protection authority issues EUR 645,000 fine to online retailer

The President of the Polish Personal Data Protection Office has imposed a fine of PLN 2.8 million (around EUR 645,000) on online retailer Morele.net for failing to protect the personal data of around 2.2 million customers. The retailer’s customer database was breached in December 2018, compromising names, telephone numbers, email and delivery addresses. The national identity number, ID/passport number and financial details of around 35,000 customers was also acquired by hackers. The fine is the largest imposed by the Polish DPA to date, perhaps unsurprisingly given its comments that the breach was “of considerable importance and of serious character”.

ICO enforcement

ICO raids business in connection with pension nuisance calls

The ICO has raided business premises in Chichester in connection with an investigation into pensions cold-calling. The investigation follows changes in the law earlier this year which made nuisance calls in relation to pensions illegal in certain circumstances. Live pension scheme marketing calls can now only be made where (1) the caller is FCA-authorised or is the trustee or manager of an occupational or personal pension scheme; and (2) the recipient consents to the call from the caller, or has an existing client relationship with the caller where there might exist an expectation of receiving cold calls. The investigation is ongoing.