Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB):
ICO draft Direct marketing code of practice
The ICO has published a draft Direct marketing code of practice for consultation. While much of the code repeats familiar, but important, messages around ensuring that there is an appropriate lawful basis for the marketing, the importance of transparency, and the need to comply with data subjects' rights, it provides new insights into the ICO's views on some issues, particularly in relation to online advertising, including:
- The application of data protection law to marketing is wider than simply sending direct marketing communications; it extends to all processing of personal data with the intention that it will be used for direct marketing by you or a third party. This can extend to advertising on social media or collecting personal data from social media to use for marketing purposes, subscription TV, on-demand and "over the top" (OTT) services, if personal data is being processed to personalise the services towards the user. See also the "Adtech" section of these Insights.
- If you are using new technologies for marketing and online advertising in line with the industry trend away from cookies, it is highly likely that you require a data protection impact assessment (DPIA) – personal data is still being processed. If you intend to target children or other vulnerable individuals, you must complete a DPIA.
- "Direct marketing" is not limited to advertising goods and services; it includes the promotion of aims and ideals. The public sector is also capable of carrying out direct marketing.
- Data enrichment (buying additional contact details for your existing customers) is likely to be unfair (though we assume it will not if you have made it clear to data subjects that you will do that).
- It is unlikely that you will be able to use facial recognition technology to display direct marketing to specific individuals.
- It is very difficult to carry out a "refer a friend" type scheme by collecting personal data from a third party. If you use contact details collected in this way to send electronic direct marketing, this is likely to be a breach of the Privacy and Electronic Communications Regulations (PECR).
Remember that the code is currently in draft and subject to revision following the consultation. We will monitor developments and report on the finalised code in a future edition of DP Insights. In the meantime, please contact one of our data protection specialists if you need advice on direct marketing, particularly if you're using or are considering using new technology – and as part of Data Protection by Design you should be assessing data protection aspects early on in such a process.
Data protection fee
The ICO is continuing its campaign to ensure that data controllers are paying the data protection fee. It appears that some businesses have been surprised to receive a letter from the ICO, some thinking that it's a scam, as they thought that the old "notification" regime and fee had been abolished when the GDPR became applicable. While it is no longer referred to as "notification", data controllers must still pay a "data protection fee", which ranges between £40 and £2,900, to the ICO and be registered on the register of controllers. If your organisation is required to appoint a Data Protection Officer (DPO), you must provide their contact details to the ICO.
If you are unsure whether your organisation needs to pay the data protection fee and/or whether you need to appoint a DPO, please contact one of our data protection specialists for advice.
Data protection certification
The GDPR envisages the establishment of data protection certification mechanisms for the purpose of demonstrating compliance with the GDPR. While the GDPR has now been in force for nearly two years, no such mechanisms have been created. The ICO has recently announced that it will be working with the UK Accreditation Service (UKAS) to deliver certification schemes. The ICO will approve and publish the certification schemes and UKAS will accredit certification bodies to deliver those schemes.
While it will not be mandatory to obtain certification, these schemes may become a useful way to demonstrate compliance with data protection law. No further details are available at present, but we will monitor developments and report in future editions of DP Insights.
Adtech
In June 2019 the ICO published its Adtech Update Report in which it expressed serious concerns about the use of personal data to place targeted advertising online, particularly using real-time bidding (RTB). The ICO told the industry that it had 6 months to act upon the report. In December 2019, the ICO published a blog post summarising the work that it had done since publication of the report, urging all organisations involved in RTB to review their processes, systems and documentation, including the following practical steps:
- Ensure your senior management understands that practices are changing in this industry, and challenge them to review their approach.
- Embed a privacy by design approach to your use of RTB.
- Keep engaging with your trade associations. Change is happening – make sure you are part of this dialogue and are engaging with your industry representation to make your views heard.
This is not limited to the UK, with EU/EEA regulators now starting to take action, France and Norway in particular. Google has said that within two years it will withdraw support in its Chrome browser for third-party cookies, which are used to collect information about users that can then be used to serve relevant advertisements. However, as we noted above, other tracking technology still raises the same privacy issues, just deployed in a different way.
We've also seen a great increase in the number of cookie preference tools deployed on websites. However, unless these are configured correctly, with non-essential cookies set to opt in, these too are non-compliant.
In January 2020, the ICO published a blog post which states that the ICO now considers that engagement alone will not address the issues with adtech, so it is developing an appropriate regulatory response. This is in response to the following issues:
- The ICO considers that some organisations are relying on legitimate interests as their lawful basis, but are unable to offer sufficient justification.
- The Data Protection Impact Assessments the ICO has seen are 'generally immature', lack appropriate detail, and do not follow the ICO's recommended steps to assess the risk to the rights and freedoms of the individual.
- The ICO has seen examples of insufficient basic data protection controls around security, data retention and data sharing.
If your organisation is involved in RTB, or you allow such an organisation to place advertisements on your website, you must review the arrangements, including your contractual documents and relevant privacy notices, to ensure that you are complying with the law. Contact our data protection team if you would like one of our specialists to advise on how to ensure compliance with this complex area of law.
Age Appropriate Design Code
The ICO has published its final version of this code. The code now needs to be laid before Parliament and go through a statutory process before it comes into force. There will then be a 12-month transition period before the code comes fully into force, which the ICO expects to be in autumn 2021. Like the Direct Marketing Code (above), this code repeats familiar messages about transparency, fairness, lawful basis and data minimisation, but the following points are noteworthy:
- The code is not limited to services which target children, but covers online services "likely to be accessed by children".
- Annex A contains a useful flowchart to identify whether an online service is covered by the code.
- The code emphasises the importance of establishing the age of an individual user and considers the pros and cons of different methods of doing this. It then identifies 5 age ranges and provides guidance tailored to each age range.
- Settings must be "high privacy" by default (unless there's a compelling reason).
- "Nudge" techniques should not be used to encourage children to provide unnecessary personal data or weaken or turn off their privacy settings. If a child attempts to change the privacy settings, you need to warn them of the effect and any associated risks. The format of this warning varies according to the age of the child.
- Children's data should not usually be shared.
- Geolocation services should be switched off by default.
- The code stresses the importance of doing a data protection impact assessment (DPIA) before processing children's data, and contains useful guidance on what this DPIA should cover.
- The code provides detailed guidance on how to comply with the transparency requirements of the GDPR, including incorporating mechanisms for children to "down-scale" or "up-scale" the information they see, i.e. ask for the information to be explained more clearly, or ask for more detail. This guidance varies according to the age range of the children likely to be accessing the service.
- Organisations should carry out user testing and document the results, or document the reasons for deciding that such testing isn't warranted.
The full code is 146 pages, so we've only been able to pick out some key points to include in these Insights. If your organisation provides online services which children are likely to access and you would like advice on how to comply with the code, please contact one of our specialists, who will be able to provide specific advice tailored to what service you are providing, and which age range of children are likely to access your service.
ePrivacy Regulation
The continuing delay to the finalisation of the new EU ePrivacy Regulation, which will replace the existing EU Directive implemented in the UK by the Privacy and Electronic Communications Regulations (PECR), has been a cause for concern. It appears that the European Commission will put forward a revised proposal as part of the Croatian presidency of the EU Council, which runs from January to June 2020. It now seems extremely unlikely that the Regulation will be adopted before the UK leaves the EU, although the proposed territorial scope means that it may remain relevant to many UK businesses post-Brexit, and the UK may implement its provisions into domestic law to assist with adequacy status (see Brexit preparation).
Enforcement action and personal data breaches
The ICO has recently fined a large retailer for failing to secure its systems against a malware attack between July 2017 and May 2018, resulting in unauthorised access to its customers' personal data. Due to the date of the breach (before 25 May 2018), the fine was £500,000, which was the maximum possible under the Data Protection Act 1998. The ICO's Director of Investigations stated that the fine would have been much higher if the breach had taken place under the GDPR.
The ICO has also fined a pharmacy £275,000 for failing to ensure the security of special category data. While cybersecurity is normally given more attention, this action demonstrates the importance of physical security. Doorstep Dispensaree, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The recent personal data breach in which the Cabinet Office accidentally published the home addresses of over 1000 recipients of new year honours, including MoD employees and counter-terrorism officials, demonstrates the danger of human error and the importance of putting in place training and processes to mitigate these dangers. Even quick tips training and awareness (posters/screensavers etc.) can get that vital message across.
The ransomware attack on Travelex has affected its website and online services. A spokesperson for the ICO stated that Travelex had not reported a data breach, but the ICO had been in contact with Travelex and was advising it on potential personal data issues. It's worth remembering that "personal data breach" is defined widely in the GDPR: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Note that the data does not have to be disclosed to or accessed by a third party; the ICO guidance clarifies that alteration or loss of availability of personal data is a breach. Having a plan ready to deal with a cyber issue or breach is vital.
Our data protection specialists can advise on how to comply with your legal obligations under data protection law. If your organisation experiences a personal data breach, we can advise on how to handle the breach to mitigate the damage to your data subjects and your business' reputation, and whether you need to report the breach to the ICO and/or notify the affected data subjects.
Brexit preparation
While the uncertainty continues around post-Brexit personal data transfers from the EEA to the UK, there are two items of more positive news:
- The Advocate-General to the Court of Justice of the EU (CJEU) has published his opinion on the validity of the Standard Contractual Clauses (SCCs, often referred to as the "Model Clauses"), which are used as a safeguard to legitimise the transfer of personal data from the EEA to non-EEA countries. While the AG emphasised that the SCCs need to be updated to be consistent with the GDPR, his opinion is that they are valid. The CJEU's decision, which is likely to follow the AG's opinion, is expected in the first quarter of 2020. The AG expressed concerns about the validity of the Privacy Shield, which is the mechanism that can be used to transfer personal data from the EU to US organisations which have self-certified under the mechanism.
- While commentators have been pessimistic about the chance of the UK receiving an adequacy decision by the end of 2020, when the post-Brexit implementation/transition period ends, the European Commission Task Force for Relations with the United Kingdom has indicated that it may be possible. If this can be achieved, this would remove the uncertainty surrounding personal data transfers from the EEA to the UK. While this sounds positive, there are a number of issues which may create barriers to an adequacy decision, including: the Investigatory Powers Act 2016, the immigration exemption provisions in the Data Protection Act 2018, the removal of the EU Charter of Fundamental Rights from UK law, the UK's membership of the Five Eyes intelligence-sharing community, the UK government's position that following Brexit it will be free to make its own adequacy decisions about which countries data can be transferred to and the potential for UK law to diverge from EU law.
While the future remains uncertain, you can put your business in the best possible position to adapt to any future requirements by being clear on what personal data you are transferring to which countries, and what is being transferred to you, and by ensuring that safeguards which meet the current requirements are in place.
Top tips for handling data protection claims
This area has seen an influx of civil claims arising from personal data breaches as data subjects become increasingly aware of their rights and the remedies available to them. There are also a number of claimant law firms seeking to bolster their expertise in these areas and offering data subjects no win no fee arrangements.
We have therefore set out below a few top tips regarding how to deal with these claims and what to look out for:
1. Firstly consider:
(i) what is actually being claimed - have they specified what obligations were owed and how these have been breached?
(ii) what remedy is being sought?
(iii) is the claim within the limitation period?
(iv) is the information personal information? Is it sensitive information?
(v) is the de minimis threshold met?
2. The above 5 points will be key in determining your strategy and response to the letter. You may be able to robustly respond to the letter requesting that the claim be set out in more detail so your organisation can properly understand the claim it faces. Or if the letter does set out this information, considering these questions will inform how you assess the risk and strength of the claim.
3. Information gathering - this is key! Your organisation is under a duty to preserve documents as soon as it becomes aware of a dispute. Speak to the relevant individuals involved and gather the relevant documents as soon as possible to get an understanding of the facts which will inform your approach to the claim.
4. Policies, policies, policies - check your own policies! Are they compliant? If so, has your organisation complied with them?
5. Often a letter of claim will make a request for pre-action disclosure, as there is normally an imbalance of information between the individual and the organisation. Each request has to be considered on its own merits, but you will need to check (i) whether they are entitled to this information at this stage and (ii) whether they need this information to plead their claim.
6. ICO - has the matter been reported to the ICO? If so, what stage is their investigation up to? Remember - communications with the ICO and relevant documents will likely be disclosable.
7. Is the claim credible? If not, is there merit in looking at a commercial settlement on a nuisance value, or are you in a position to defend the claim? Each response will depend on the merits of the claim and the approach of the organisation.
If you need advice on dealing with these claims, please contact Michelle Maher or Nicole Burton.