Here is our monthly data protection news and update blog from the Evalian team, providing some of the news items you may have missed together with links to third-party sites which provide more information.
Data Protection News & Updates
Information Commissioner hints at fines and will focus on fairness
UK information commissioner Elizabeth Denham has indicated that the ICO is working on some large GDPR breach cases which are likely to result in fines. Talking on stage at an IAPP event in Washington, Denham also said that whilst the ICO had traditionally focussed on direct marketing and security breaches, she was strategically focusing on the ‘fairness’ requirement of the GDPR.
Denham also said that she thought businesses wanted to see ‘momentum’, whereby regulators issue sanctions and fines that show how the law is being interpreted. She indicated that not acting would be to the benefit of companies with shoddy data practices. Because of this, she said, “So it’s really important we take action”.
We’re not surprised that ‘fairness’ is a key area of focus. The first GDPR principle, ‘fair, lawful and transparent’ processing, requires transparency and processing activities that are within the reasonable expectations of data subjects. It’s a fundamental element of the GDPR (and of the Data Protection Directive before it). This area of focus is consistent with the £400,000 fine issued to Bounty earlier in April.
UK – ICO updates guidance on controllers, processors and joint controllers
The last time the ICO produced guidance for organisations in determining whether they are a controller or a processor was in 2014. In the most recent update, there are some changes to the self-assessment checklists.
In the old guidance there is a list of decisions, and if an organisation makes any one of those decisions, it will be a controller. The new guidance advises that the more items ‘checked’ on the list, the more likely it is that the organisation will fall within that category.
From our perspective, the changes are a subtle re-interpretation rather than a material change.
UK – Government plans to introduce laws requiring ‘smart’ devices for the home to be better protected against cyber-attacks
The UK government’s Digital Minister, Margot James, has announced plans, presently at the consultation stage, to bring forward new legislation. This may include a mandatory labelling scheme guiding consumers towards better security protection, and a requirement that manufacturers design devices to comply with the ‘Secure by Design’ code of practice.
Guernsey – European Commission reassessment of the Bailiwick’s adequacy decision is underway
Under the GDPR (Article 45), the European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. At any time, it can maintain, amend or withdraw this decision.
Whilst it’s highly unlikely that the Commission will recommend the decision be reversed, it’s not a surprise that it’s under review given that it was first granted to Guernsey back on 21 November 2003.
UK – National Cyber Security Centre will not disclose confidential data breaches to ICO
The National Cyber Security Centre (NCSC) and ICO have clarified their roles in managing threats to UK cyber security. By separating their respective duties, it is hoped that organisations will be more willing to contact NCSC for confidential advice about cyber threats and breaches, whilst the ICO can concentrate on monitoring and enforcement of GDPR.
UK – Is an employer liable for damages to staff whose personal data have been published on the web by the criminal acts of another employee?
Food retailer Wm Morrison has been given permission to appeal to the Supreme Court to challenge the recent Court of Appeal decision that held Wm Morrison liable for the criminal acts of one of its (disgruntled) employees after he published sensitive staff payroll data on the Internet.
This is an important landmark case and the Supreme Court decision, if it supports the Court of Appeal, could have a profound impact on data security and employment law for years to come.
Jersey Commissioner expresses concerns over making register of beneficial owners publicly available
Creating a registry of beneficial ownership that is available to law enforcement officials around the world is an effective approach to combating the problem of money laundering. However, Dr Jay Fedorak, Information Commissioner, questions whether this registry should be open to the public.
In brief, the Information Commissioner is not persuaded that “the benefits of publishing the register of beneficial ownership in Jersey would outweigh the loss of privacy involved”.
EU – Is contract performance a valid lawful basis for processing data on online services? European Data Protection Board publishes guidelines
The EDPB guidelines relate to a specific category of agreements, those under which data subjects are provided “online services”, or access to platforms that do not require a direct payment from the users but are financed by targeted advertising instead.
In summary, where a controller cannot demonstrate that (1) a contract exists, (2) the contract is valid and (3) the processing is ‘necessary for the performance of the contract’, the controller should consider another legal basis for processing.
UK – ICO fines PPI company £120,000 for nuisance texts
The ICO remains very active in issuing fines against organisations that breach the PECR direct marketing rules. In this case, the Commissioner fined Hall and Hanlet Ltd of Manchester £120,000 for sending 3,560,211 direct marketing text messages about PPI claims between January and July 2018.
The messages led to a total of 1353 complaints, which resulted in an ICO investigation. Whilst organisations are aware of the GDPR, awareness of PECR remains low, and because PECR is rules-based it applies a black-and-white approach to compliance. We strongly advise all clients to review their electronic direct marketing activities against the requirements of PECR.
Have a question?
If you have any questions about any of the updates provided, please don’t hesitate to get in contact. You can contact us here.