We report on recent data protection and privacy developments including: the government consultation on the Investigatory Powers Act 2016; the ePrivacy Regulation and the ICO fine issued to a lead generation and data provider.

Investigatory Powers Act 2016: consultation on amendments

The Government has launched a public consultation on its proposed amendments to the Investigatory Powers Act 2016 (IPA). The European Court of Justice of the European Union (CJEU) handed down a decision in December 2016 which ruled that that EU law does not permit national legislation that allows for the general and indiscriminate retention of communications data for the purpose of fighting crime. Instead, Member States must legislate for a regime which permits the targeted retention of communications data and the judgment sets out conditions that such legislation must satisfy.

The Government considers that some aspects of the UK's current regime for the retention of and access to communications data do not satisfy the requirements of the CJEU’s judgment and is therefore proposing amendments to the IPA as well as the accompanying code of practice. Responses are invited by 18 January 2018 from telecommunications and postal operators, public authorities that have powers under the IPA, as well as professional bodies, interest groups and the wider public.

ICO issues GDPR Guide

The ICO has replaced its previous Overview of the GDPR with a Guide to the GDPR. Although the content is similar, the sections on Consent and Contracts and Liabilities have been expanded to include the guidance previously published on these topics for consultation. The ICO are keen to point out the Guide is a working document and upcoming guidance will be added, including links to more detailed guidance from both the ICO and the Article 29 Working Party.

e-Privacy Regulation – latest developments

The European Parliament has confirmed the decision of the LIBE Committee to enter into negotiations on the revision of EU privacy rules for electronic communications. This means that the European Parliament is now ready to start talks on the draft e-Privacy Regulation with member states once they have agreed their negotiating positions. An official press release indicates that the European Parliament's priorities include:

  • A ban on “cookie walls”, which block access to a website if the person does not agree to his or her data being used by the site;
  • Prohibition on snooping on personal devices via cookies or software updates, or tracking people without their clear approval through public hotspots or WI-FI in shopping centres;
  • Data should only be used for the purpose of which consent has been given by the individual;
  • “Meta-data”, which can give information about numbers called, websites visited, geographical location or the time and date a call was made and other sensitive data, should be treated as confidential and never passed on to third parties; and
  • “Privacy by default” settings should become standard for all software used for electronic communications.

Facebook fan page – decision on joint data controller and relevant supervisory authority

A recent opinion by Advocate General Bot has highlighted the difficulties in identifying joint data controllers. The issue was whether the German supervisory authority had been entitled to deactivate a fan page hosted on Facebook Ireland's website, which it alleged infringed German data protection law by failing to warn visitors that Facebook collected their personal data. The Advocate General pointed out that data processing is frequently complex and can comprise several distinct processes which involve numerous parties with differing level of control. In this case, the fan page administrator influenced the collection of the personal data so did meet the criteria of a joint data controller.

The opinion also considered which national supervisory authority has jurisdiction where a subsidiary established in another member state acts as "controller" throughout the EU. Facebook Inc provides social network services in the EU through various subsidiaries and Facebook Ireland has been designated as the controller of all personal data processing in the EU. Where a controller has several establishments in the EU, the current Data Protection Directive allows the application of multiple national data protection laws to ensure effective protection of individual's rights. The Advocate General therefore concluded that the German supervisory authority did have the power to apply its own national law to the proceedings and could exercise its power of intervention to ensure that German law was applied by Facebook on German territory. However, the Advocate General was careful not to pre-empt the introduction of the one stop shop mechanism under the GDPR.

European Commission releases its 2018 Work Programme

The European Commission 2018 Work Programme was published on 24 October 2017 and includes a number of initiatives and priorities relating to data protection.

Exchange of data: In its communication, the Commission notes the essential role that the exchange of data plays in cross-border transactions and states that it will finalise its guidance on data retention. The Commission also intends to ensure the free flow of personal data between the European Union and Japan through the adoption of a decision on data adequacy in early 2018.

Implementation and consistent application of EU rules: As part of its commitment to ensure consistent application of EU rules, .the Commission will work in partnership with the European Data Protection Board to issue guidance on the GDPR before it comes into force in May 2018.

Annex 3 of the Commission’s 2018 Work Programme contains a number of legislative proposals which will need to be resolved swiftly by the European Parliament and Council. These include the proposed ePrivacy Regulation and the proposed Regulation for establishing the framework for the free flow of non-personal data within the EU.

Inadequate privacy communications: ICO investigation

A review of thirty websites in the United Kingdom by the Information Commissioner's Office (ICO) found data protection and privacy notices to be unclear and generally inadequate. The review formed part of the Global Privacy Enforcement Network Sweep (GPEN Sweep) which assessed the privacy communications and practices of a total of four hundred and fifty five websites and apps from around the globe in sectors such as retail, financial services and banking, health and education.

The investigation concludes that there is clear room for improvement in terms of the handling of personal information by organisations and privacy communications "tended to be quite vague, and often contained generic clauses". Although organisations were generally successful in providing users with information about what data would be collected from them, the majority failed to inform users: how their information would be managed; what country it would be stored in; the existence of any security safeguards; and whether the date would be shared with third parties.

ICO issues fine of £80,000 to lead generation and data provider

The Information Commissioner's Office (ICO) has issued a fine of £80,000 to a lead generation and data provider (Verso Group) for non-compliance with the duty to process personal data fairly and lawfully. The monetary penalty is the first one to be issued following a wider investigation by the ICO into the data broking industry.

Facts: The ICO found that Verso Group collected personal data from two overseas call centres. Telephone operators in those call centres gathered personal data through making phone calls to individuals which were described as surveys. The ICO found that the calls were in fact lead generation calls intended to identify potential customers for an organisation's products or services.

Breach: The ICO identified a breach of the first principle of the DPA (to process personal data in a fair and lawful manner) in the way Verso Group failed to obtain the consent of the individuals to the supply of their personal data to other businesses and its use for direct marketing purposes.

The ICO also found that the due diligence conducted by Verso Group in respect of the personal data it obtained from other firms and its contractual arrangements with those firms were inadequate.

The ICO noted that Verso Group had extensive experience working in this sector and that it should have been aware of the requirements of the DPA and the relevant guidance issued by the ICO and the Direct Marketing Association.

Comment: This is the latest in a long line of fines imposed on businesses for breaches of marketing rules and is a clear indication that the ICO will go after lead generators as well as the organisations using leads for marketing purposes. The lead generation industry has been under fire for some time now and this latest fine is a further warning that extreme care needs to be taken when obtaining and using contact details for marketing purposes. The ICO expects clear consent mechanisms to be used and for organisations to have a clear audit trail of the consent provided by each individual. If these requirements are not met, then fines should be expected.