DWF Data Protection Insights August and September 2023

This month in review:

We have combined the August and September updates for a bumper Insights report!

The key themes this month continue to focus on regulatory matters in relation to direct marketing failures, Freedom of Information (FOI) request backlogs and personal data breaches – all of which require both reactive handling and, perhaps most importantly, proactive analysis to adequately manage and mitigate risk.

There are also lots of new legislative updates in the UK, with the Online Safety Bill now receiving approval and the UK-US data bridge coming into force from 12 October 2023. Outside of the UK, both India and Switzerland have introduced new data protection legislation.

Our trends

Also this month, we've identified some key themes of what our clients are asking us. We thought we'd share these to provoke some thoughts amongst readers:

• The first relates to digital advertising and website design. Data protection by design and default is key.
• The second is international transfers, following the UK-US data bridge announcement by the UK Government. As you'll read below, the introduction will have a beneficial operational impact for UK organisations undertaking US data transfers (and of course the US organisations receiving those).
• Finally, with the continued spotlight on data protection compliance from both the regulatory environment, the legislative requirements and in the public, focus is on implementing simple but impactful training to increase awareness.

Our contents this month:

• Our events and articles
• General updates
• Adtech and direct marketing
• AI and Innovation
• Cyber breach and ransomware
• Employment and Data Subject Rights
• Data transfers
• Public sector

Our events and articles

Back to top >

An introduction to Digital Advertising and Privacy Law – webinar recording

In case you missed our insightful and impactful webinar on adtech (An introduction to digital advertising and privacy law), which took place on Thursday 14 September, you can access the recording here.

Exploring the Online Ad Ecosystem: Olivia O'Kane's blog

Check out Olivia O'Kane's article "Exploring the Online Ad Ecosystem: Unveiling Bad Actors and Mitigating Malicious Advertising", which explores the hidden challenges of the online advertising ecosystem, from problematic ads and deceitful advertisers, to concerns about monopolistic practices.

Second Annual DWF Data Protection & Cyber Security Conference

We are looking forward to our next in-person DP&CS Conference on 6 December 2023 in our London office. More details to follow!

General updates

Back to top >

UK – Online Safety Bill passes final Parliamentary debate

The Online Safety Bill has received approval from both Houses of Parliament, meaning it will soon become law. At the debate stages, the bill was amended to provide more protections for children, more control for adults, and clarity for social platforms. The Online Safety Act (as it will become) will be enforced by Ofcom, the appointed regulator. Ofcom will have the power to take action against any social media and tech companies, if they are accessible to UK users.

UK – ICO and CMA call out harmful website design practices

ICO and Competition and Markets Authority (CMA) released a joint position paper aimed at web designers, developers and organisations commissioning websites, which calls for an end to harmful design practices that could undermine people's control over their personal information, and lead to worse consumer and competition outcomes. In a joint blog, ICO highlights cookie banners as one clear example of an often harmful design which it will be investigating and assessing.

EU – new Swiss data protection law comes into force

The revised Swiss Federal Act on Data Protection came into force on 1 September, bringing Switzerland's data protection regime more into alignment with the EU GDPR. In practice, like the GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revised Swiss requirements. Organisations storing personal data on servers located in Switzerland will also likely be caught by the new Swiss data protection legislation. Another key update is, where triggered, the requirement for organisations to appoint a representative in Switzerland to act as a local, accessible point of contact for Swiss data subjects and/or the Federal Data Protection and Information Commissioner (FDPIC). This continues the trend of GDPR or "GDPR plus" equivalent legislation in many more countries around the world.

UK – ICO to review period and fertility apps amid data security concerns

ICO announced on 7 September that it is reviewing period and fertility tracking apps. This follows a poll it commissioned which revealed that respondents said transparency over how their data was used (59%) and how secure it was (57%) were bigger concerns than cost (55%) and ease of use (55%) when it came to choosing an app.

The announcement calls for users to come forward to share their experiences via a survey. It also confirms that companies operating these apps have been contacted to provide information about how they are processing users' personal information.

India – new data protection regulations

On 11 August 2023, the Indian Digital Personal Data Protection Act (later as: the "Act") was published in the Indian Official Gazette. This date marks the beginning of a new phase of data protection in India. The legislation has been under development for many years, but it is only now that the proposed changes have been adopted in their current form. Notably, the Act does not specify the date of entry into force. A definite date is yet to be announced by the Central Government.

As a part of the Act is analogous to the GDPR standards (as we refer to also above for Switzerland), it will provide an important legal basis for the processing of personal data covered by this Act, and will increase the security of personal data processed by private entities. However, it should be taken into consideration that the rights of data subjects are not fully reflected in the Act. In addition, the fact that the Central Government will have such broad powers and will appoint the Data Protection Board of India may affect the effectiveness of the principles established in the Act. The authorities may still have wide access to data, citing a number of exceptions under the Act. The scope of exemptions is being criticised by the opposition and rights groups in India which are alarmed that the Act may result in increased surveillance by the State.

For this reason, it is worth being cautious when transferring personal data to India, and analysing the impact of the new regulation on your organisation and its data transfers/operations there. Adoption of the Act is an important step to build an effective data protection system in this country, but in our view, it does not change the overall level of risk related to data transfers to India. Furthermore, it should be noted that the adoption of the new regulation does not affect the obligations of the controller or processor as indicated in the European Court of Justice's Schrems II judgment – according to which one must verify that the third country's laws provide adequate protection before transferring personal data to that third country. In case of data transfers to India, your organisation should still perform a transfer impact assessment (TIA) or, if you are UK based, a transfer risk assessment (TRA).

EU – EDPB and EDPS adopt joint opinion on cross-border enforcement regulation

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the European Commission's Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR. The proposal aims to reconcile procedural differences across the EU, to ensure the expedited completion of investigations and delivery of remedies in cross-border cases.

Adtech and direct marketing

Back to top >

UK – ICO tackling "text pests"

ICO is calling for victims of "text pests" to come forward to assist with its evidence gathering in relation to the impact of the behaviour. ICO deems "text pests" to be: "individuals who use personal information, such as a phone number or email address, given to them in a business context for “romantic” or sexual propositions – for example, asking a customer out on a date after they ordered a takeaway."

As part of its work, ICO will be contacting some of the major customer-facing organisations to emphasise their legal responsibilities, as well as to learn more about what safeguards they have in place. Emily Keaney, Deputy Commissioner (Regulatory Policy) at the Information Commissioner’s Office said in the announcement: “If you are running a customer facing business, you have a responsibility to protect the data of your customers, including from your employees misusing it. We are writing to major businesses, including food and parcel delivery, to remind them that there are no excuses, and there can be no looking the other way."

UK – ICO issues guidance on sending bulk emails

The guidance reminds organisations of the requirement to have appropriate technical and organisational measures in place to ensure personal information is kept safe and not inappropriately disclosed to others. The announcement also issues a warning to organisations to use alternatives to the blind carbon copy (BCC) email function when sending emails containing sensitive personal information or sending bulk communications, following a catalogue of breaches.

UK – ICO continues to crack down on unsolicited direct marketing calls

As documented in our previous Insights (June 2023 and July 2023), ICO has continued to target organisations operating unlawful direct marketing campaigns. This includes the recent issuing of fines totalling £590,000 to five companies for collectively making 1.9 million unwanted marketing calls which targeted the elderly and people with vulnerabilities, many to people who had taken steps to block nuisance calls by registering with the Telephone Preference Service (TPS).

AI and innovation

Back to top >

UK – first phase of ICO biometric data guidance published for consultation

ICO published the first phase of its biometric data guidance, with the second phase due to commence with calls for evidence in early 2024. In its current form, the guidance covers the key data protection concepts, biometric recognition systems and data protection requirements when using biometric data. It also provides a biometrics impact assessment.

Joint statement on data scraping and the protection of privacy

ICO and eleven other data protection and privacy authorities published a joint statement on unlawful data scraping taking place on social media sites. It sets expectations of social media companies in regards to protecting people's data from unlawful data scraping, and recommends steps individuals can take to minimise risk. One key takeaway of the statement is, in most jurisdictions, mass data scraping that harvests personal information can constitute a reportable breach.

UK – Which? report on smart devices collecting personal data

Which? analysed data collection practices of major brands across smart speakers, washing machines, TVs, video doorbells, and security cameras. The report, and ICO's subsequent statement, highlights the need for such brands to be transparent about the data they collect and how it is used as well as not sharing it in ways that people would not reasonably expect.

Cyber breach and ransomware

Back to top >

UK – Electoral Commission issues public notification of cyber-attack

The Electoral Commission issued a statement on 8 August 2023 confirming that suspicious activity was detected on its systems, with the incident then being identified in October 2022. The notification confirms that the threat actors accessed the Commission's servers (including the Electoral Register and the Commission's email system). ICO issued a statement on the same day to confirm it is making enquiries.

EU – Swedish supervisory authority fines insurance company for security deficiencies

Trygg-Hansa (then Moderna Försäkringar) received an administrative fine in the sum of EUR2.8 million due to their failure to implement appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The investigation was initiated following a complaint from an individual who received an email from the company which contained a link with URLs which led to other policyholders' documents.

UK – ICO issues reprimands to two companies following breaches

The first of those two companies is a recruitment company which was reprimanded in respect of infringements of Article 5(1)(f) and 32(1)(b) of UK GDPR. The organisation misconfigured its storage location, containing 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate. The ICO's recommendations include: auditing the configuration of cloud services; ensuring identity and access controls are in place; and implementing appropriate event logging and security monitoring. The company was directed to National Cyber Security Centre (NCSC) guidance in relation to those.

The second is a high street law firm, reprimanded following a spear phishing attach which led to interference with payments to beneficiaries of a probate matter. The firm's processing of personal data was found to be non-compliant with the requirements set out in Articles 5(1)(f) and 32(1)(b) of UK GDPR. The recommendations concern: accountability; authentication of remote access; access controls; anti-spoofing measures; data protection and cyber security training; contractual requirements with suppliers; and assessments of security controls. Again, the company was directed to National Cyber Security Centre (NCSC) guidance.

UK – ICO statement on impact of data breaches on domestic abuse victims

ICO's statement highlights that it has issued reprimands to seven organisations in the past 14 months for data breaches affecting victims of domestic abuse. The statement includes advice and guidance to help organisations handle information more appropriately. This includes: having appropriate processes in place; regularly checking contact information is accurate; avoiding inappropriate access; double checking before any personal data is transferred, altered or disclosed; and ensuring training is thorough and relevant.

UK – ICO and NCSC sign Memorandum of Understanding

The ICO and the National Cyber Security Centre (NCSC) signed a Memorandum of Understanding (MoU) on 12 September, detailing how both organisations will cooperate. Key provisions in the MoU include:

• The ICO will encourage organisations to engage appropriately with the NCSC on cyber security matters, including the response to cyber-incidents;
• The ICO will also incentivise engagement with the NCSC, by exploring reducing regulatory penalties for organisations that demonstrate meaningful engagement with the NCSC;
• The ICO will support the NCSC’s visibility of UK cyber-attacks by sharing (anonymised and aggregated) information with NCSC about cyber-incidents;
• Where the NCSC and ICO are both engaged on a cyber-incident, they will deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm; and
• The NCSC and ICO will provide each other with ongoing feedback with a view to continuous improvement in relation to their collaboration.  

Employment and Data Subject Rights

Back to top >

UK – criticism of Data Subject Rights (DSR) provisions in DP&DI (No.2) Bill

Off the back of a recent spotlight on high profile individuals exercising their rights and submitting DSRs (as reported in our July 2023 insight), data protection rights groups have criticised the DSR provisions contained within the proposed DP&DI (No.2) Bill. The criticism is levied against the changes that the bill would introduce in relation to the exemptions available to data controllers when refusing to comply with DSRs. For example, the new Bill would reduce the existing standard of manifestly unfounded or manifestly excessive (contained within Article 12(5) UK GDPR) to “vexatious or excessive”. Though the actual effect of this remains to be seen, it is argued that this change could lower the threshold for refusals.

UK – ICO reprimands local government for DSAR delays

The ICO's investigation into this local government organisation revealed that, between 2 January 2022 to 3 January 2023, 35% of DSARs were not responded to within the relevant statutory deadlines contained within Article 12(3) UK GDPR. The ICO noted that the volume of DSARs relating to children and young people (the personal data of whom was contained within physical documents in an unavailable storage location for a period of time) was raised as a mitigating factor raised by the Council. The remedial action recommended includes ensuring adequate staff resources are in place and that the backlog of children and young people DSARs is addressed – which the reprimand decision states is already in progress.

UK – ICO guidance on information about workers' health

The ICO has published new guidance aimed at employers who handle the health information of their workers. Key points considered are:

• Distinguishing between sickness, injury and absence records, with sickness and injury records requiring additional safeguards to be implemented;
• Taking care when implementing an occupational health scheme, including executing a data sharing agreement with the provider;
• The considerations when using medical examinations and drugs and alcohol testing;
• Genetic testing in an employment context as a last resort;
• When it may be proportional and necessary to introduce health monitoring; and
• The preparation required in advance of sharing workers' health information, including sharing in an emergency or with other workers.

Data transfers

Back to top >

UK – UK-US Data Privacy Framework update

Following the announcement of the EU-US Data Privacy Framework (DPF) (as covered in our July 2023 insights), the UK Government has now announced (on 21 September 2023) that, following an adequacy assessment, it considers that the US provides an adequate level of data protection compared to the UK. From 12 October 2023, businesses in the UK will be able to transfer personal data to certified US organisations (identifiable on the DPF List) through the UK Extension to the EU-US DPF under Article 45 of UK GDPR, without the need for further safeguards such as those set out in Articles 46 and 49 of the UK GDPR (establishing what is also known as the UK-US data bridge).

This follows the US Attorney General's decision on 18 September 2023 to 'designate' the UK as a qualifying state, which relates to the US Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”). The UK’s designation as a qualifying state therefore allows UK individuals to seek redress if they believe their personal data was collected or processed through US signals intelligence in a manner that violated applicable US law. This safeguard was introduced to address the concerns raised in the 2020 Schrems II judgment.

In practice, organisations should take care to review the nature and scope of transfers permitted and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, the DPF differs in many ways from existing data protection legislation including:

• genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation is not designated as sensitive information under the UK Extension to the EU-US DPF (whilst under Article 9(1) UK GDPR these are special category data);
• "journalistic data" (as defined by the EU-US DPF) is not subject to the DPF requirements and therefore cannot be transferred under the UK-US data bridge; and
• The sharing of criminal offence data as part of a HR data relationship must adhere to specific requirements, such as the US recipient organisations indicating that they are seeking to receive such data under the DPF.

In relation to the assessment of the UK Extension to the EU-US DPF, ICO issued an opinion which, whilst recognising that the adequacy decision may be a reasonable conclusion, there are four specific areas of concern to the ICO if the protections are not properly applied. These are:

• the definition of “sensitive information”, which is discussed above;
• the UK’s approach to criminal offence data and that in the US, such that equivalent protections may not exist for certain types of criminal offence data in the US;
• the lack of a similar right to the protections under the UK GDPR regarding automated decision making, as there is no right to obtain a human review of solely automated decisions; and
• the lack of a similar right to the right to be forgotten and the right to withdraw consent.

UK – ICO urges sharing of information to protect children at risk

The ICO issued a statement stating that organisations will not face reprimands or fines if they share children or young people's data where a child is at risk of harm. The statement was published alongside new guidance, which gives practical advice on data protection as part of the safeguarding process.

EU – EDPB adopts new guidelines on transfers under LED

The newly-adopted EDPB Guidelines on Article 37 of the Law Enforcement Directive (LED) aim to provide clarity in the form of practical guidance on the legal standard for appropriate safeguards that competent authorities need to apply when transferring personal data from EU countries to third country authorities or organisations in the field of law enforcement – and on the relevant factors of whether such safeguards exist.

Public sector

Back to top >

UK – ICO publishes practice recommendations and enforcement notices on FOI

A year on from the first publication of ICO's Freedom of Information (FOI) regulatory manual, it has reflected on the anniversary by highlighting increased action taken over the last year (which includes issuing 12 practice recommendations and six enforcement notices). Warren Seddon, ICO's Director of FOI and Transparency, noted in his blog that the updated strategic approach to regulation will continue as "just reactively handling individual complaints is not enough". The statement expresses ICO's intention to continue its commitment to publish the decision notices to encourage public bodies to proactively review and improve their own services.

One of those enforcement notices was issued to City of York Council in relation to their backlog of 261 FOI cases (dating back to April 2021). The council must respond to requests that are over 20 working days old, and provide an action plan of how it plans to improve its performance, which must include a ‘lessons learned’ exercise.

UK – ICO fines former social services council employee for unlawful access to personal data

A former family intervention officer was fined £92.00, ordered to pay court costs of £385.00 and a victim surcharge of £32.00 for unlawfully obtaining personal data, in breach of s170(1) of the Data Protection Act 2018. An internal council audit found the defendant unlawfully looked at the records of 145 people whilst employed in the social services department, without a business need to do so.