The General Data Protection Regulation (GDPR) came into force on 25 May this year. As the GDPR completes its first six months, we look at what has happened since May and what is coming up in the near future. This article begins with current trends, including the rise of DSARS, data breach reporting and the increase in complaints to the ICO.
It also covers
The rise of data subject access requests (DSARs)
The introduction of the GDPR saw an immediate rise in data subject access requests (DSARs), in particular as a first move in the context of a potential claim (especially in the employment context). This is a little surprising given that the provisions for DSARs were not substantially changed by the GDPR, save for a shorter response period and no fee. Recent guidance from the Courts has highlighted that DSARs cannot be refused even where they are motivated by potential litigation. We are working with clients to put in place policies to ensure that they are able to recognize and respond rapidly to a DSAR. And we are supporting clients in putting together responses to DSARs taking advantage of the available exemptions.
Data breach reporting
Given the GDPR’s new requirement to notify data breaches to the Information Commissioner’s Office (“ICO”), it is not surprising that there has been a rapid rise in data breach reporting, with about 500 data breaches being reported to the ICO each week. We are advising a number of clients on the consequences of a data breach, which in many cases do not warrant a report to the ICO. Where a report is needed, we are working with our clients to manage their legal and – importantly – reputational risk.
There has also been a marked increase in the number of complaints being made to the ICO, perhaps reflecting – given all the emails and publicity surrounding GDPR – greater awareness amongst data subjects of their rights and increased concern over data privacy and security. The ICO received over 6,000 complaints in the first three months of GDPR, a 160% increase over the same period in 2017. Should the ICO choose to investigate a complaint, the target business is much better placed if all its GDPR policies and records are in place. Although the GDPR came into force some months ago, for many organisations GDPR compliance is a work in progress and we continue to work with many businesses to address those areas of compliance which were not completed before 25 May.
There has also been a clear increase in regulatory enforcement action and a willingness to impose substantial fines – even though we have yet to see any fines awarded under GDPR given the time lag from complaint to fine. The ICO has commented that they consider each case on its merits but that “as a general principle, the more serious, high-impact, intentional, willful, neglectful or repeated breaches can expect stronger regulatory action.”
Compliance with the GDPR does not begin and end on 25 May. Further guidance is being released by Europe and the ICO as new compliance practices evolve. There is a continuing need to keep policies and practices up to date.
More information on managing data breaches and risk management can be found here.
Following Brexit, the UK will be a “third country” for purposes of international data transfers. The GDPR prohibits transfers of data to third countries unless a compliance mechanism is put in place. It is unlikely that the UK will be awarded “adequacy” status before Brexit occurs. For the latest update regarding Brexit’s impact on data protection, please see here.
Employers liable for unauthorized data breaches by employees – the Morrisons case
On 22 October 2018, the Court of Appeal handed down a significant ruling regarding the principle of vicarious liability in data protection law.
Last year, the High Court ruled that the supermarket Morrisons was vicariously liable under the Data Protection Act 1998 for the criminal actions of a rogue employee who leaked personal data of around 100,000 of his colleagues on the internet. Even though the employee acted completely of his own accord (he did so because he held a grudge against the company following a disciplinary procedure), his actions were deemed by the court to be sufficiently closely connected with his employment. Therefore, the court deemed it right for the employer – Morrisons – to be liable for the individual’s actions. Morrisons, unsurprisingly, appealed the decision. However, the Court of Appeal dismissed its appeal.
The decision comes as positive news for the claimants, whose data were leaked as a result of the breach. On the other hand, it has left businesses scratching their heads about what, if anything, they can do to prevent the actions of an unscrupulous employee. The Court of Appeal has said that one solution is to take out insurance.
Whilst the case was decided under the old data protection law (as the incident occurred prior to the GDPR coming into force), the introduction of the GDPR is unlikely to have made any difference to the outcome. The decision will therefore be of significance in the post-GDPR world. This could lead to a dramatic increase in (a) class actions against businesses for similar data breaches and (b) insurance policies (presuming they are available) being taken out by businesses to cover losses incurred as a result of such claims.
There are also two important follow-up issues on the back of the Court of Appeal’s decision:
- Morrisons has stated its intention to appeal the decision to the Supreme Court so this is not the last we have heard of this case.
- The matter of how much compensation to be awarded to each of the claimants, of which there are more than 5,000, is still to be decided.
The Morrisons data breach saga, therefore, continues.
ICO issues first enforcement notice under the GDPR to AIQ, a Canadian company
On 24 October 2018, the ICO issued an enforcement notice to the Canadian company AggregateIQ Data Services (“AIQ”). This was part of a wide-ranging investigation by the ICO into the improper use of personal data analytics for political purposes (involving Cambridge Analytica and Facebook) which dominated headlines earlier in the year. According to the ICO’s report, AIQ was provided with names and email addresses of UK individuals and used these details to target the individuals with political advertising on social media, all without the individuals’ knowledge or permission.
This is notable for two reasons. First, it is the first enforcement action taken by the ICO under the GDPR (although no fines have yet been issued: AIQ was simply told to erase the personal data it had obtained unlawfully). Second, although AIQ is based outside the EU (specifically, Canada, where an investigation was carried out by the equivalent Canadian data protection authority), the ICO argued that it is still caught by the GDPR due to its monitoring of individuals’ behaviour within the EU. This serves as a useful reminder that the GDPR’s reach, in some scenarios, extends to businesses which are established beyond the borders of the EU.
We have been advising many non-European businesses on the territorial scope of the GDPR, and further guidance on this from the European regulators is expected in the near future.
ICO issues largest fine to date
As a consequence of its investigation into Facebook referred to above, the ICO recently issued the social media company a record £500,000 fine (the statutory maximum under the previous data protection law). In a separate investigation, the ICO also recently fined Equifax the same amount for failing to protect the personal information of up to 15 million UK citizens during a security breach in 2017. These are the largest fines issued by the ICO to date and signal that the ICO is prepared to exercise its regulatory muscles. We can expect to see higher level fines in future.
If the Equifax breach had occurred after 25 May 2018, given the gravity and magnitude of that breach, it would have been interesting to see what fine the ICO would have issued under the new increased fining regime (which allows for fines of up to €20 million or 4% of global turnover for serious breaches). We suspect the fine would have been far higher than £500,000 and would have been a wake-up call for other businesses processing large amounts of data in a similar position to Equifax. Similarly, the Facebook breach occurred before 25 May 2018 and so Facebook also escaped the new fining regime. The ICO stated, in its penalty notice to Facebook, that “it would have been reasonable and proportionate to impose a higher penalty”, which almost suggests frustration on the part of the ICO that it could not issue a larger fine due to its statutory limitations.
We are still seeing fines continuing to be issued under the old data protection regime for breaches that occurred prior to the GDPR coming into force. It is only a matter of time, however, before the first fines under the GDPR are issued. If the ICO investigates breaches of the GDPR on similar levels to those of Facebook and Equifax, we can certainly anticipate significantly higher fines than the current record fines.
Fines are paid into the Treasury’s Consolidated Fund and are not kept by the ICO.
Further information on recent fines can be found here.
The ePrivacy Regulation – on the horizon
Whilst the GDPR took the spotlight this year, it is important to remember that a new parallel EU regulation is on the horizon: the ePrivacy Regulation. The intention for this regulation is to update and replace the current ePrivacy Directive (implemented in English law by the Privacy and Electronic Communications (EC Directive) Regulations 2003). These regulations govern the rules around, among other things, electronic direct marketing, telemarketing, use of internet cookies (and similar devices) and the processing of location data.
The original intention was to implement the ePrivacy Regulation at the same time as the GDPR, but the draft was not agreed in time. The implementation date of the ePrivacy Regulation has been pushed back and is not known, although it now seems that the regulation is unlikely to go live until the end of 2020 at the earliest.
International data transfers: challenges to the Standard Contractual Clauses
A central requirement under GDPR is that businesses are not permitted to transfer personal data outside the EEA unless the recipient country has been deemed “adequate” by the European Commission or, failing this, one of the legal safeguards prescribed by the GDPR is established.
A commonly used safeguard is the Standard Contractual Clauses (or “SCCs”) which are a set of clauses prescribed and approved by the European Commission. The SCCs are frequently applied in contracts entered into between organisations within the EEA wishing to transfer personal data to recipient organisations outside the EEA.
However, following the ECJ’s ruling in the Schrems case in October 2015, the SCCs have since been called into question. It is possible, therefore, that a future ECJ ruling or European Commission decision might invalidate or amend the SCCs. This would not be a surprise given that the current version of the SCCs is not up to date with the GDPR. There is no indication yet of a change to the SCCs but this is an area to keep under close review.
International transfers: challenges to the Privacy Shield
The EU-US “Safe Harbour” was a mechanism that allowed businesses in the EU to transfer personal data to US organisations that had signed up to “Safe Harbour” without the need for additional legal safeguards. The ECJ (in Schrems) invalidated the Safe Harbour scheme in 2015 after which, in July 2016, the European Commission introduced “Privacy Shield” to replace it.
However, since its inception, Privacy Shield (and the US government’s compliance with it) has been called into question. In particular, the European Parliament recently urged the Commission to suspend the Privacy Shield. Given this criticism, organisations in the EU relying on the Privacy Shield framework in respect of data transfers to the US should keep a close eye on its future reliability and consider alternative safeguards should the Privacy Shield framework be tightened or even scrapped.
Prison sentence in first Computer Misuse Act prosecution
A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the ICO under s.1 of the Computer Misuse Act 1990. Section 1 covers causing a computer to perform a function with intent to secure access to any program or data held on that computer. It carries a custodial sentence of up to 2 years.
Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.
He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.
NARS contacted the ICO when it saw an increase in customer complaints about nuisance calls, and assisted the ICO with its investigation.
In addition, confiscation proceedings under the Proceeds of Crime Act, to recover any benefit obtained as a result of the offending, have been commenced and are ongoing.
The ICO usually prosecutes cases like this under the Data Protection Act. However, in appropriate cases, they can prosecute under other legislation – as in this case – to have a wider range of penalties available.
Annual fees to the ICO
The requirement for businesses to pay an annual fee to the ICO continues, albeit under a new regime. It is important that you check whether your business has paid the correct fee. If you have not, you should visit the ICO website and ensure that you do so. The amount you are required to pay depends on the number of staff your business employs and its turnover: Tier 1 organisations are required to pay £40, Tier 2 organisations must pay £60 and Tier 3 businesses are required to pay £2,900.
The ICO announced recently that it had begun formal enforcement action against 34 organisations (across varying sectors) that have failed to pay the fee. This suggests that the ICO is allocating its resources towards cracking down on organisations that have not yet paid. Those who do not pay the correct fee risk a fine of up to £4,350.
There is much more to come from the GDPR and the initial six-month period shows that we are still in the early stages. The first fine under the GDPR is yet to be issued but it is only a matter of time before an ICO investigation carried out under the new law will lead to a significant fine, given the frequency of data breach stories in the media.
The main theme from the above is that just as data protection compliance is increasingly important for all businesses, we are going through a period of rapid change and uncertainty in the data protection world. We are keeping a close eye on developments.