GDPR – One Year on Brunch Briefing 2 July 2019 Data Protection and Information Law Team

Aug 23, 2020
Page 1

GDPR – One Year on Brunch Briefing 2 July 2019

Data Protection and Information Law Team

Page 2

The Team

Eeshma Qazi, Solicitor

Contact Details

T: 0121 214 3696 E: [email protected]

Jana Zacheva, Associate

Contact Details

T: 0121 214 3561 E: [email protected]

Alex Lawrence, Associate

Contact Details

T: 0121 214 3540 E: [email protected]

Emma Watt, Associate

Contact Details

T: 0121 214 3609 E: [email protected]

Page 3

Agenda

• Chair’s Note

• Legislative Developments – and where are we with Brexit?

• A Case Update – key takeaways

• Problem Areas – subject access requests, breaches and a healthy dose of common sense!

• Enforcement

• E-Privacy – much ado about nothing

• Next Steps – where the west wind is blowing

• Take Homes

Page 4

Chair’s Note – Where are we now?

• The good news – we have survived 1 whole year and all of us are more PD aware and many of us are well on our compliance journey

• The world is still intact and as we know it

• Represents global shift towards privacy and privacy-related concerns

• Morocco and Brazil aligned with GDPR 2018, California and India rumbling towards the same

• Increased data awareness amongst individuals in line with proliferation of information society services

• Based on the views of 27,000 Europeans, Eurobarometer results – 73% have heard of at least one of their 6 DS rights under GDPR

• Battle not won – 62% still concerned about PD online

• Closer to home – ICO July 2018 found 1 in 3 (34%) people have high trust and confidence in companies and organisations storing and using their PD – up from 21% in 2017

Page 5

Chair’s Note – Where are we headed?

• No major enforcement yet under GDPR as the ICO has been covering a backlog under DPA 98, but it is likely to exercise its muscle soon

• From 25 May 2018 – 1 May 2019, the ICO received over 41,000 DP concerns from the public – in 2017/18 only 21,000

• Next year’s strategy according to the ICO update “GDPR 1 year on” – from compliance to accountability, but remember the aim here is to change behaviours, not to penalise

• Aim of today to help you act on new watchwords pragmatism, proportionality, risk appetites, defensibility, innovation and pride rather than fines, fear, failure, burden and breach

Page 6

Legislative Developments

• DPA 2018

• Largely replicates and expands upon GDPR bringing DP law into modern age

• Replaces DPA 98

• Harmonises EU Law with the UK’s own

• To be read in conjunction with GDPR

• Covers law enforcement etc

Page 7

Legislative Developments

• Part 2 general processing including:

• Public Authorities (S7)

• Children’s age of consent (S9)

• Potential fees regulations for manifestly excessive (S12)

Page 8

Legislative Developments

• Part 5 codes

• Part 6 including:

• S 155(3) criteria for penalties

• A 82 GDPR gives “any person who has suffered material or non-material damages as a result of infringement” the right to receive compensation for the damage suffered

• S 168(1) “non-material damage” includes distress

• In line with case law Vidal-Hall v Google

• S 171 offence where an individual “knowingly or recklessly re-identifies information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data”

• S 173 offence for individuals “altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure of information that a person would have been entitled to receive” once they have made a data rights request

Page 9

Legislative Developments

• Part 7:

• S 187 group actions

• S 204 detailed list of the types of role that fall within the definition of “health professional” and “social work professional”

Page 10

Legislative Developments

The Murky Schedules

• Schedule 1 various additional lawful bases and substantial public interest conditions for special cats and criminal convictions:

• Para 1 (employment social security and social protection)

• Para 2 (health or social care purposes)

• Para 8 (equality of opportunity or treatment)

• Para 18 (safeguarding of children and individuals at risk)

• Appropriate policy document for special cats except as otherwise stated (para 5)

• Data re criminal convictions and offences

Page 11

Legislative Developments

• Schedule 2 – data rights exemptions

• Para 17 - presumption of reasonableness for health workers, social workers and education workers

• Para 18 - protection of the rights of others

• Para 19 - arguably extension of legal privilege (information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser)

• Para 22 - negotiations

• Para 24 - Confidential References given and received

• Schedule 3

• Health, social care, teaching and child abuse exemptions and presumptions

Page 12

Legislative Developments

Data Protection (Charges and Information) Regulations 2018

• What are they? – fees for funding rapidly expanding ICO

• When? – Orgs under old ‘notification’ system, pay on original annual deadline, new orgs pay when they become data controllers, and on each subsequent anniversary

• How much? – between £40 and £2,900 depending on number of staff, annual turnover and type of org

• What happens if you don’t? – fines between £400 and £4,350 (aggravating factors)

Page 13

Legislative Developments – Farrow & Ball Limited v ICO [2019]

• FTT (IR) concluded that F&B had not advanced a reasonable excuse for non-compliance – (F&B argued holiday, lack of importance and paid asap)

• A reasonable controller would have systems in place to comply with 2018 regs

• No particular difficulty which explained F&B’s departure from expected standards

• No evidence of financial hardship or other reason for the ICO’s discretion to be exercised differently

Page 14

And where are we with Brexit?

“At some point our relationship with Europe and the way that we interact with our Data Protection partners will change. We know that. What we don’t know yet is what precisely these changes will be”

Text of a speech presented by the ICO Deputy Commissioner (Policy), Steve Wood, 9th European Data Protection Days Conference, Berlin on 20 May 2019

• Deal or No Deal

Page 15

And where are we with Brexit? – No Deal

• GDPR as domestic law subject to some mods – see EU Exit Regulations 2019 and EU (Withdrawal) Act 2018, S 3

• DPA 2018 still applies

• UK gov happy to accept EU, EEA, Gibraltar etc. as adequate still, so no data flows going out of the UK are affected, but unsurprisingly:

• The EU has not returned the favour and classified the UK as adequate – UK a third country

• UK-US precarious but fine under self-certificated privacy shield although ‘Schrems II’ (Cambridge Analytica)?

• Dataflows from the EU to the UK will need to be on the basis of standard model clauses or other such measures

• More cost and bureaucracy, and also not necessarily fit-for-purpose

Page 16

And where are we with Brexit?

Deal

• UK’s withdrawal proposal – parity with EU in shaping DP regs

• To accept this would be to “abandon [the EU’s] decision-making autonomy” – Michel Barnier

• Political declaration quite clear that we will not diverge from EU laws

• By the time we leave, hopefully adequate; if not, the same issues as with no deal

Page 17

A Case Update – key takeaways – DB v General Medical Council [2018]

• Facts

• GMC’s report on GP’s fitness to practice not disclosed in full

• Report critical of DB but recommended no further action

• Previous case law indicated a presumption against disclosure in a mixed data case

• Judgement – COA held that:

• In determining whether to disclose mixed data, a balance should be struck between the requestor and objector’s competing interests, and a presumption in favour of withholding disclosure should only be applied in a ‘tie-break’ situation (judges split)

• Where there is no such tie-breaker, a controller has to decide whether it is reasonable to disclose third party data without consent – wide margin of discretion

• Special cat information being requested, enhanced protection

• Requestor’s interests in seeking the disclosure not devalued because it may assist in litigation

Page 18

A Case Update – key takeaways – Rudd v Bridle [2019]

• Complaint to GMC alleging that Dr Rudd had falsified the risks to health associated with white asbestos in his expert reports

• GMC rejected the complaint as not meeting the standard for investigation – decision upheld on review following challenge by Mr Bridle

• Mr Bridle also made unfounded allegations to MPs and communicated with unnamed allies in the asbestos industry about ways to discredit Dr Rudd

• Dr Rudd brought a, you guessed it... a DSAR under DPA 98

• Old law but still relevant for A15. No major enforcement yet under GDPR as the ICO has been covering a backlog under DPA 98, but it is likely to exercise its muscle soon

Page 19

A Case Update – key takeaways – Judgement

• Mr Bridle was data controller – own personal project even though used company email address and occasionally director’s signature

• Q – why is the processing taking place, who initiated it?

• Legitimate parent and subsidiary separation should be upheld – these were obvious instances of him borrowing company facilities to further his own aims

• Lifts corporate veil? Individually prosecutable offences e.g. S 173 DPA 18

Page 20

A Case Update – key takeaways

• Concept of journalism not so broad as to cover ‘every activity conveying information or opinions’ – PD processed for more than one purpose is not exempt

• Subjective and objective element

• Didn’t matter that a solicitor had checked the docs – not when the witness was unreliable

• No litigation privilege

• “It is not enough for a party to show that proceedings were reasonably anticipated or in contemplation; the party must also show that the relevant communications were for the dominant purpose of either:

• (i) enabling legal advice to be sought or given, and/or

• (ii) seeking or obtaining evidence or information to be used in or in connection with such anticipated or contemplated proceeding”

• If there is another purpose, above test will not be satisfied

Page 21

A Case Update – key takeaways

• Entitled to a description of the recipients or classes of recipients but not to know their names – his victims and co-accused were of biographical importance

• Entitled to info about the sources of PD including names and there was no need to show that this was Dr Rudd’s PD

• No evidence that any entity had been asked for consent, no reason to doubt disclosure unreasonable

• Individuals as sources to be treated differently

• No right to know the full contents of docs

• Re description of the purposes held – be proportionate, no obligation to provide info on a doc by doc basis

• Essence of right to know what data controller is doing and what he intends to do with the data

Page 22

A Case Update – key takeaways – Lloyd v Google

• Facts

• Warby J again, concerned an application to serve proceedings out of the jurisdiction on Google for the Safari Workaround

• Well-known means by which Google allegedly obtained private information about internet usage through its use of cookies without individuals’ knowledge or consent, via the Safari web browser used on Apple iPhones for ad personalisation

• Reliance on S13 DPA 98 – compensation should damage be suffered as a result of DC’s contravention

• Accepted that an actionable breach had been committed but inability to demonstrate “damage”

• Judgement

• Class actions not so easy

• “Some people enjoy a surprise party” and “lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first”

• The misuse of people’s data is not in itself actionable; the claimant has to have suffered damage, be it pecuniary loss or simply distress

• Contradiction with A 79 GDPR?

• A 79: each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under [GDPR] have been infringed

• Perhaps nominal damages but should act as deterrent?

Page 23

A Case Update – key takeaways

Campbell v Secretary of State for Northern Ireland [2018] UKUT 372 (AAC)

• The UT considered whether a DS’s right of access could continue post death

Morrisons SC - TBDL

Page 24

Problem Areas – Which legal basis?

• Overuse of consent (try legit interests/DPA) or

• DPIAs and appropriate policy docs

Documentation – clear and transparent

• Privacy notices and retention schedules – deep dive, mergers, data sharing, retention

• Sanitise data sharing agreements

Marketing and consent

• Consent forms and notices

• Opt-ins, b2b flex, real time advertising, accuracy, provenance and consent of data broking and DM if partners or affiliates?

Page 25

Problem Areas

DSARs

• Already covered twice but, since they are the bane of orgs at the moment, a few thoughts

• Scrutinise the wording of the request – clarify if necessary

• Decide scope – what is PD and disclosable? What is not?

• Do thorough searches, scour for duplicates and doppelgangers

• Remember to say if an extension is needed because the request is complex

• Remember exemptions, but just because something is confidential or embarrassing doesn’t mean you can hold it back

• Do not delete or conceal, even for an honourable motive

Page 26

Problem Areas

• Update settlement agreement wording, consider policies and protocols, have template responses ready

• Manifestly excessive and unfounded – fees or refusal?

• Don’t be scared to use non-DP initiative – context and motivation matter behind the scenes

• Get the basics right: respond, respond electronically if the request was received electronically, remember the deadline

• Magnacrest Ltd, a housing developer – Feb – fined under DPA 98 for not responding to a DSAR in time and not complying with an enforcement notice ordering it to do so

• Whilst the actual fine (excluding costs and victim surcharge) was only £300, the ICO issued a warning reminding those who do not respect the right of access, or its enforcement, that their actions could lead to criminal prosecution

• You are not alone – Met Police

Page 27

Problem Areas

Breaches

• Self-reporting a balm and defensibility, but

• Take a risk-based approach (special cats, flagrant, repeated, duration, large-scale, vulnerability, media coverage)

• Mitigate, mitigate, mitigate

• More comp claims from DSs than from the ICO

• Treat with respect and on own merits – do not compensate people for wrongly receiving other people’s PD

• Autofill on addresses

• Inadvertent disclosure by staff

• Tech errors unnoticed

• Admin error – wrong addresses

• Train those manning phones etc.

Page 28

Problem Areas

• Moving further afield slightly:

• PwC tracker – ICO fined a total of £6.5M for DPBs in 2018, a £2M increase from 2017

• Number of ICO enforcement actions actually fell to 67 in 2018, from 91 in 2017

• 50% of enforcement re marketing and 25% re DPBs

• Private sector 86%, but 6 MPNs issued to local government made up almost one sixth (£975,000) of total fines

• ICO received around 14,000 PDB reports from 25 May 2018 to 1 May 2019 – for comparison, it received around 3,300 PDB reports in the previous year

Page 29

Problem Areas

London Borough of Newham

• The ICO fined the council £145,000 for disclosing PD of more than 200 people who featured on a police intelligence database known as the Gangs Matrix

• This matrix contained PD of 203 DSs

• ICO concluded it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and orgs when a redacted version was readily available – the risks should have been obvious

• Worse still, Newham Council did not report the data breach to the ICO – it conducted its own internal investigation, and not until December 2017, a significant time after it became aware of the breach

• Did not have any specific sharing agreements, policy or guidance in place

Page 30

Problem Areas

Morrisons SC

• Class action

• Involved a malicious leak of data on over 99,000 staff, including payroll data

• Approx. 5,500 claimants

• Vicarious liability even though Morrisons did all they could and the employee had legitimate access to the data

• Disgruntled employees – everyone has one

Page 31

Problem Areas

• Heathrow – last Oct – staff member lost a USB stick containing info, found by a member of the public, purportedly including the Queen’s security and travel arrangements

• Timetable of patrols to guard the site against suicide bombers and routes for foreign dignitaries

• No encryption or password protection

• ICO confirmed the memory stick was given to a national newspaper

• Fined £120,000

• Home Office – revealed 240 personal email addresses because it failed to use BCC

• Applicants looking for settled status in the UK (already happened with 500 people from the Windrush generation)

Page 32

Problem Areas

• Upcoming – a £5 million data breach action launched on 3 April against Ticketmaster following a security breach affecting 40,000 customers, including payment details, in June 2018

• Caused by malicious software on a product hosted by a third-party supplier

• More than two thirds suffered multiple fraudulent transactions and more than one third significant stress and heightened anxiety

• “Unsuccessful negotiations” to agree an out of court settlement with Ticketmaster, which maintains it is not liable for the breach and the subsequent damages suffered by those affected

• Affected customers offered a free 12-month identity monitoring service

Page 33

Enforcement

• TV production co fined £120,000 by the ICO for unlawfully filming patients at a maternity clinic

• TVP set up CCTV-style cameras and microphones in exam rooms at a hospital for a Channel 4 documentary on stillbirths

• Although TVP had the hospital trust’s permission to be on site, it did not provide patients with adequate information about the filming or get adequate permission in advance

• Posted limited notices advising of the filming near to cameras and on the waiting room tables, but

• ICO found that a patient attending the clinic would not have reasonably expected there to be cameras in exam rooms and would have expected to be made aware of any filming

Page 34

Enforcement

• ICO fined Uber £385,000 over DP failings

• The security arrangements adopted by Uber US (acting as a processor on behalf of Uber) were inadequate

• Cyber attackers were able to access and download a large amount of PD from its third-party cloud-based storage service, including names, email addresses and phone numbers of approximately 2.7 million UK customers and the records of around 82,000 UK drivers

• ICO highlighted that Uber did not notify the ICO or the affected individuals at the time of the attack (or when it first became aware) and did not take mitigating measures (such as monitoring accounts or offering fraud protection) until some 12 months later

• Instead, Uber paid the attackers to destroy the data, which the ICO considered to be an inappropriate response to the cyber-attack

Page 35

Enforcement

• Bounty UK – a pregnancy and parenting support club which provides info and markets offers and services to parents at different stages of a family’s life – fined £400,000 for sharing PD unlawfully

• Bounty contravened DPA18 by sharing PD of over 14M individuals with a number of orgs, including CRAs and marketing agencies, without informing those individuals that it might do so

Page 36

Enforcement

• HMRC – has been issued an Enforcement Notice for failing to get adequate consent to collect around 7M callers’ PD since it started using Voice ID for customer verification

• HMRC’s contravention: collecting, retaining and using biometric data through its Voice ID service without having a lawful basis to do so

• Despite explaining the benefits and how the Voice ID system worked, the recording did not give details of where customers could find further info

• No clear option available for callers who did not want to register

Page 37

Enforcement

• CNIL €50 million GDPR enforcement action against Google

• Lack of transparency

• Failed to obtain valid consent for its processing activities

• Google to appeal

• Key info scattered across several docs which it provided at different times and required clicking multiple buttons and links for more

• Huge fine because:

i. The severity of the breach

ii. Infringement of core concepts of consent and transparency

iii. The fact that breaches were ongoing, the number of people affected, the volume of PD and level of intrusion

iv. The dominant position Google holds in the operating system market

Page 38

ePrivacy – Much Ado About Nothing

• ePrivacy regs to come in sometime this year, heavily delayed – will we still be in Europe?

• Will extend to Viber and WhatsApp etc.

• Will confirm no consent is needed for non-privacy-intrusive cookies, e.g. to improve the internet experience (e.g. remembering shopping cart histories) or cookies used by websites to count visitors

• GDPR-style fines and enforcement by the ICO

Page 39

Next Steps – Where the West Wind is Blowing

From compliance to accountability

• ICO update 1 year on – shift from baseline compliance to accountability

• But what does this mean?

• Tougher, but

• Highly pragmatic compared to other DPAs

• Nobody ever complained about the amount of a fine

• Repeatedly said proportionate

Page 40

Next Steps – Where the West Wind is Blowing

• Cyber security

• AI and machine learning

• Web and cross-device tracking for marketing purposes

• Children’s privacy

• Use of surveillance and facial recognition technology

• Data broking

• Use of personal information for political campaigns

• Freedom of information compliance

• Always: flagrant, repeated breaches impacting vulnerable people on a large scale

Page 41

Next Steps – Where the West Wind is Blowing

4 Guidance Documents to be Published in 2019

• Data Sharing Code – updated version – formal consultation in June 2019 and before Parliament in Autumn – share, but share with confidence and securely

• Direct Marketing Code – consultation in June 2019, finalised by end of October – specifically mentions use for causes and growth of business, so good news for for-profits and not-for-profits

• Data Protection and Journalism Code – launched for consultation in June 2019, before Parliament in Summer – currently a very broad exemption: who’s a journalist?

• Data Protection and Political Campaigning Code – expected to launch consultation in July 2019 – this code doesn’t have the same legal status as the other 3 codes

Page 42

Next Steps – Where the West Wind is Blowing

Take Homes

• Deep dive into PD held – have you got the right legal basis for processing it?

• Are your privacy notices and consent forms comprehensive and easy to understand? Do they meet your audience’s needs (in particular children)?

• Is the PD that you handle sensitive or your users vulnerable? In need of greater protection? If so:

• Have you got appropriate internal and external documentation?

• Review third-party contracts & agreements, especially in terms of liability clauses and due diligence re compliance, in particular if handling special cat data

Page 43

Next Steps – Where the West Wind is Blowing

Take Homes continued

• Don’t forget your employees (they are crucial for DP by design and for cyber security, and are the greatest source of DSARs and innovation)

• Do you have a staff privacy policy, cyber security and PD policies, regular DP training?

• Review procedures for rights requests – they can arrive through any medium and all employees should be able to spot one

• Create policies around retention and keep request response packs for a while in case the DS does not receive it, the ICO needs a copy, or the request resurrects itself from the ashes

• Ensure you have great breach handling protocols

• Invest some time and resource at board level in IT security (outsource risk)

Page 44

Next Steps – Where the West Wind is Blowing

Take Homes continued

• Consider appropriate policy docs, DPIAs, requesting the ICO’s written opinions, and always keeping logs to help with accountability

• Training – have at least one person in your organisation who does data protection well – train them, invest in them, accredit them if you can

• Lead by example – remember that getting this wrong is not just about fines or court action but about reputational risk, loss of trust and confidence, inconvenience, potential data loss, embarrassment and sometimes sector-wide ramifications; getting it right builds respect, relationships and mutual reward

Page 45

Resources

• ICO website for guidance, codes of practice and templates – https://ico.org.uk/

• European Data Protection Board (EDPB) opinions – https://edpb.europa.eu/

• UK Gov’s 10 Steps to Cyber Security – https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

• Cyber Essentials – https://www.cyberessentials.ncsc.gov.uk/

• Google industry guidance from NHF, CQC, NHS, the Charity Commission and major church bodies

• Gov websites and Crown Commercial Services contracts

• ACS – https://www.anthonycollins.com/

Page 46

ACS – What We Do

Your fabulous fliers will tell all, but by way of potted summary:

• GDPR and DPA 2018 training

• Advice on policy, process and general compliance

• Information sharing

• Standard contracts and terms

• Information requests including Subject Access Requests

• Privacy notices and consents

• Privacy Impact Assessments

• Data security breaches & complaints to the ICO

• Direct marketing and PECR 2003

• CCTV, surveillance and monitoring

• Freedom of Information and Environmental Information

Page 47

Disclaimer: Whilst every effort has been made to ensure the accuracy of these materials, advice should be taken before action is implemented or refrained from in specific cases. No responsibility can be accepted for action taken or refrained from solely by reference to the contents of these materials. © Anthony Collins Solicitors LLP 2019

QUESTIONS?

Anthony Collins Solicitors, 134 Edmund Street, Birmingham, B3 2ES, United Kingdom. Tel: 0121 200 3242

[email protected] @ACSLLP

Anthony Collins Solicitors, 76 King Street, Manchester, M2 4NH, United Kingdom. Tel: 0161 470 0310