On the 25th May 2019 the General Data Protection Regulation (GDPR) celebrated its first anniversary (or third, depending on your point of view). Clearly, we are still some way short of knowing how regulators and courts will opine when interpreting GDPR and the Data Protection Act 2018. We can, however, look at ICO enforcement action over the last year to see if there is anything we can learn.
GDPR & DPA 2018 – A Quick Recap
GDPR came into force in all 28 EU member states on 25th May 2018. The Data Protection Act 2018 (DPA18) received Royal Assent in the UK two days before this, on 23rd May 2018. Although GDPR had direct effect in member states (as an EU regulation), local laws have been required to pave the way for GDPR by repealing existing national laws and exercising derogations. In the UK, DPA18 also implemented the Law Enforcement Directive and helped prepare for embedding GDPR in UK national law after Brexit.
The drafting of GDPR is a masterpiece compared to the DPA18 and the UK law could be even more complex to follow in the event of a no-deal Brexit by virtue of the (currently draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Brexit aside, however, to understand data protection in the UK you need to read the GDPR and DPA18 together. The most high-profile change from the Data Protection Act 1998 (DPA98) relates to the maximum fine that a regulator can impose.
ICO enforcement action doesn’t always mean that fines will be imposed. The Information Commissioner has numerous enforcement powers, but inevitably the headlines in the run up to GDPR focused on the increase in the maximum fines that could be levied. Under DPA98 the maximum enforceable fine is £500k. Under the GDPR and the DPA18, the ICO can impose a financial penalty of up to £17 million (€20m) or 4% of global turnover on a data controller. Few, if any, fines at this level are expected, but it’s worth bearing in mind that the maximum fine is no longer capped at £500,000.
Recent ICO Enforcement Action
There were 59 ICO enforcement actions in the last year. Some are counted twice, as they include an Enforcement Notice, much like a ‘cease and desist’, followed by a fine if the perpetrator still hasn’t complied.
The range of violations that make up this number includes a small number of individual fines for unlawfully accessing personal data, non-payment of the data protection fee and non-response to Subject Access Requests (SARs). The majority of enforcement actions fell under the Privacy and Electronic Communications Regulations (PECR) for direct marketing violations. The maximum fine under PECR is £500k, with the maximum actually issued being £200k. Four of the largest fines were linked to data breaches caused by cyber incidents, where the maximum amount was issued to Equifax.
So, in keeping with historical ICO enforcement action, the Information Commissioner has once again been most active around direct marketing actions (in breach of PECR, not the DPA) and in response to information security failures.
Featured below are the most recent enforcements concerning data protection violations (not PECR breaches). Three out of the four have been handled under the DPA98 as they occurred before GDPR came into force. The latest enforcement has been handled under DPA18 and the GDPR as it commenced before and continued after the GDPR implementation.
London Borough of Newham: DPA98
On the 4th April 2019, the ICO announced a £145k fine for the London Borough of Newham for disclosing sensitive personal data about suspected gang members.
In this case, on the 27th January 2017, a council employee emailed a database, known as the ‘Gangs Matrix’, to internal and external organisations involved in combatting gang related crime. The matrix included the dates of birth and home addresses of the suspected gang members, and information on the types of alleged crimes they were linked to. The database therefore included sensitive personal data.
This information fell into the hands of rival gang members, which coincided with a series of serious incidents of gang related violence, the victims of which were on the disclosed database. Although the council carried out its own investigation, this wasn’t started until December 2017, and at no point did it report the data breach to the ICO.
The ICO found the London Borough of Newham to be in violation of the 1st data protection principle (DPA98), that ‘personal data shall be processed fairly and lawfully’, and the 7th data protection principle (DPA98), that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
In its Monetary Penalty Notice (MPN), the ICO stated (among other findings) that the processing of sensitive personal data was excessive and, therefore, unfair, and would likely cause distress to data subjects because of the number of parties to whom it was (unnecessarily) disclosed.
True Visions Productions (TVP): DPA98
On the 10th April 2019, the ICO announced that it had fined TVP, a TV production company, £120k for ‘unfairly and unlawfully’ filming patients of a maternity clinic between July and November 2017. The clinic was set up with cameras and microphones to record footage for a documentary on stillbirths.
TVP did not provide patients with adequate information about the filming. It put up notices that filming was occurring next to the CCTV style cameras and in the waiting room, but no one specifically told patients about the filming or gave them an opportunity to decline.
The CCTV style cameras used were also not the type that could be turned off. If a patient did realise that filming was taking place and declined to be filmed, their only option was to move to the one consultation room out of four which did not have a camera, and this room was not always available.
The ICO issued the penalty for contravention of the 1st data protection principle, under DPA98.
Again, this processing was considered to be unfair on the basis that the processing was beyond the reasonable expectations of a patient attending the clinic. The ICO felt that such processing would likely cause distress to patients who may suspect their sensitive personal data and private medical history had been filmed and recorded without their knowledge.
Bounty: DPA98
On the 11th April 2019, the ICO issued a £400k fine to Bounty, a pregnancy and parenting support club, for illegally sharing the personal information of 14 million people with third parties for electronic direct marketing.
Furthermore, the off-line pack had no opt-out option at all and 69% of records held came from data obtained off-line, at the hospital bedside.
Once again, the ICO found Bounty was in violation of the first data protection principle under DPA98, which provides that ‘personal data shall be processed fairly and lawfully’.
The ICO, in its MPN, stated that the contraventions were of the type likely to cause substantial damage or substantial distress.
HMRC: GDPR / DPA18
On the 10th May 2019, the ICO issued an enforcement notice to HMRC, the first under GDPR legislation, for failing to obtain adequate consent from callers to collect their personal data.
In January 2017, HMRC commenced the roll-out of a voice authentication system, to help improve security and speed up help centre calls through quicker verification. However, the process customers were presented with when they called HMRC meant that they were not told that they did not have to sign up. Likewise, they were not given a clear option to withhold consent. Presumably, then, it appeared to callers that there was no other option for getting through to a helpdesk without going through the process of setting up the voice authentication first.
The ICO found that HMRC contravened the first data protection principle under GDPR which requires that ‘Personal data shall be… processed lawfully, fairly and in a transparent manner in relation to the data subject’.
In this case, HMRC did not have a clear lawful basis for processing under Article 6(1) of GDPR and did not meet one of the conditions for processing special category data under Article 9 of GDPR (necessary because voice data is biometric data, which falls within the special categories of personal data under GDPR).
Whilst the ICO did not conclude that damage or distress to data subjects was likely, it did state that data subjects would be concerned. Thus, an enforcement notice was issued to bring HMRC into compliance rather than a fine being issued.
What Can We Learn from recent ICO Enforcement Action?
Three out of the four most recent violations discussed here have been dealt with by the ICO under the Data Protection Act 1998, for which the maximum financial penalty in civil cases is £500,000. They were issued fines of between £120k and £400k. So, there’s clearly a backlog of case work ongoing at the ICO under the old law.
In the case of HMRC, it continued its violation after the launch of GDPR, and as such its handling has fallen under the GDPR and the DPA18. It has been issued with an enforcement notice to comply within a given timescale. Because distress and damage were possible, but not likely, and taking into account mitigating circumstances, the ICO did not issue a fine. This is a reminder that the potential harm to data subjects (or lack thereof) is a critical consideration when complying with the law.
Most notable in these cases is the consistent reference to the first principle of data protection, which, under Article 5 of GDPR, requires that processing of personal data be ‘lawful, fair and transparent’.
The fairness principle specifically consists of ensuring that data subjects are aware of what their data will be used for and would reasonably expect their data to be used in the way it is being used. It’s no coincidence, therefore, that at the recent IAPP conference the Information Commissioner, Elizabeth Denham, said that fairness is going to be an area of focus for the ICO going forward (whilst acknowledging that direct marketing and security breaches have been areas of focus in the past). She also said:
“the ICO will be adding to that momentum this spring with a couple of very large cases that are in the pipeline. I think what’s important is for us to enforce strongly and firmly here if there has been misuse of data.”
So, our advice is to think about the lawful bases you rely on for processing and especially on the fairness of processing. Review your privacy notices and the ways in which you ensure transparency of processing and manage data subject expectations. We also recommend keeping up to date with new ICO enforcement action on the ICO website, which can be filtered by type and industry.