Data Protection – January 2020

3rd February 2020

Latest from the ICO, including Brexit, subject access request timings and draft direct marketing code; international data transfers; cybersecurity; and more.

Latest from the Information Commissioner’s Office (ICO), including Brexit statement, data subject access requests and draft direct marketing code

On 29 January 2020, the ICO issued a brief statement on data protection and Brexit implementation, with links through to its various guidance materials and other resources. It will be “business as usual” until the end of December 2020. The General Data Protection Regulation (GDPR) will continue to apply.

In other developments:

• In its GDPR right of access guidance, the ICO explains that the timescale for responding to a subject access request is not paused when the controller asks for clarification from the data subject and awaits a response. Even if the data subject refuses to provide any additional information or does not respond, the controller must still comply with the request, within the timescale, by making reasonable searches for the information covered by the request. The ICO is currently consulting on detailed right of access guidance.
• The ICO is consulting until 4 March 2020 on a draft direct marketing code of practice. The code starts by looking at the definition of direct marketing to help organisations decide whether the code applies to them, before moving on to cover areas such as planning marketing, collecting data, delivering marketing messages and individuals’ rights. The ICO intends to produce additional practical tools, such as checklists, to go alongside the code. We are no further along in Europe with progress on a new ePrivacy Regulation and so the current Privacy and Electronic Communications Regulations 2003 (PECR) continue to apply.
• The ICO announced that it will be working with the UK Accreditation Service to deliver the ICO-approved certification schemes under GDPR. Certification is a way for an organisation to demonstrate compliance with GDPR.
• On 21 January 2020, the ICO published the final version of its Age Appropriate Design Code, a set of fifteen standards that online services should meet to protect children’s privacy. The ICO says that it is preparing a significant package of support for organisations.
• In a recent blog post, the ICO’s Executive Director of Technology and Innovation gave an update on adtech real time bidding reform. The ICO gave the industry six months to work on the points raised in its June 2019 report and, while many organisations are on board with the changes that need to be made, “some appear to have their heads firmly in the sand”. Given the ICO’s understanding of the lack of maturity in some parts of the industry, it anticipates that it may be necessary to take formal regulatory action. In an earlier blog post, all organisations involved in real time bidding were urged to review their processes, systems and documentation.
• In a statement on the use of live facial recognition technology by the police, the ICO said that it will be publishing more about the technology’s use by the private sector later this year.
• On 20 January 2020, the ICO issued a call for views to find out if gaps exist in controllers’ awareness and understanding of the data protection requirements for processing personal data relating to criminal convictions. Responses are requested by 28 February 2020.
• In recent enforcement action, a retailer was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber attack, affecting at least 14 million people. The ICO’s Director of Investigations said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
• A pharmacy supplying medicines to customers and care homes was fined £275,000 after it left approximately 500,000 documents – including names, addresses, dates of birth, NHS numbers, medical information and prescriptions – in unlocked containers at the back of its premises. The company was also issued with an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months.
• The director of a telecoms company was banned for six years after his company permitted its lines to be used to make millions of nuisance marketing calls. The ICO had issued the company with a then-record £400,000 fine in 2017 for breaching the PECR. Collaboration between the ICO and Insolvency Service has resulted in two other recent disqualifications in this area.

Update on international data transfers

On 19 December 2019, just after the November/December 2019 edition of the Regulatory round-up went to press, one of the advocates general of the Court of Justice of the European Union (CJEU) delivered his eagerly anticipated opinion on the validity of the European Commission decision that established standard contractual clauses for the transfer of personal data from EU controllers to processors established outside the EU or European Economic Area.

The advocate general’s view is that the decision is valid given the obligation on controllers and supervisory authorities to suspend or prohibit a transfer when the clauses cannot be complied with. See the press release.

The opinion follows a referral to the CJEU in the long-running litigation involving Facebook and Austrian privacy activist Max Schrems regarding the transfer of his personal data by Facebook Ireland Limited to Facebook Inc. in the US for processing, and concerns over US mass surveillance.

While the opinion is non-binding, the CJEU tends to follow such opinions in the majority of cases, and organisations can breathe a cautious sigh of relief that this key international data transfer mechanism looks set to remain available.

The opinion is particularly relevant now that the UK has left the EU, with no guarantee at this stage that the European Commission will issue an adequacy decision in respect of the UK before the end of the transition period in December 2020 – i.e. a finding that the UK’s legal framework provides adequate protection for individuals’ rights and freedoms for their personal data.

Importantly, the advocate general went on to say that he entertained certain doubts as to the conformity of the Commission’s Privacy Shield decision (one of the key mechanisms for the transfer of personal data between the UK and US for commercial purposes) to the relevant GDPR provision on adequacy, read in the light of certain provisions in the EU Charter of Fundamental Rights and the European Convention on Human Rights. Walker Morris will continue to monitor and report on developments.

Other news from Europe

On 6 January 2020, the European Data Protection Supervisor published a preliminary opinion on data protection and scientific research. The executive summary can be found on page two.

On 15 January 2020, the Council of the European Union published its position and findings on the application of GDPR, ahead of a review and evaluation of the legislation by the European Commission, which is due to submit a report by 25 May 2020. See this link. Among other things, while the Council notes that GDPR was drafted to be technologically neutral and its provisions already address the new challenges associated with emerging technologies, it considers that it is necessary to clarify as soon as possible how GDPR applies to these technologies.

Cybersecurity update

On 27 January 2020, the government announced new legislation to improve security standards of internet-connected household devices. The measures set a new standard for best practice requirements for companies that manufacture and sell consumer smart devices or products.

A guide which brings together for the first time knowledge from the world’s leading cybersecurity experts was launched recently in London. The National Cyber Security Centre (NCSC) says that the ‘Cyber Security Body of Knowledge’ has the potential to help organisations to better protect themselves. It covers the foundations of cybersecurity, ranging from the human element through to issues in computer hardware security. See this link.

The NCSC published a complete refresh of all of its end-user device content (mobile device guidance) for organisations. See the blog post for details and a link through to the guidance.

And finally, the NCSC also recently released guidance to assess the security of voice, video and messaging services. See the blog post for details and a link through to the NCSC’s secure communication principles. Feedback on the principles is requested by 30 April 2020.