ICO Reminds Organisations of EU-U.S. Personal Data Transfer Obligations

The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that continued reliance on Safe Harbor as a means to provide an adequate level of protection for the rights and freedoms of data subjects “is not an option.” Although it is accepted that implementation of the required changes may take time, the ICO, in certain circumstances, will contemplate enforcement action against companies that fail to comply with the provisions of the Data Protection Act 1998 (“DPA”). It is recommended that organisations do not delay.

One method of providing an adequate level of protection, and thereby complying with the provisions of the DPA, is to transfer personal data to Privacy Shield certified companies. Adopted 12 July, the Privacy Shield framework replaces Safe Harbor and introduces stronger protections for personal data, such as greater transparency requirements and more robust redress mechanisms. On its adoption date, the Privacy Shield entered into force immediately in the EU. In the United States, it became effective 1 August, and since then, several U.S. organisations have certified to the framework. Other options include the implementation of the EU Model Clauses and Binding Contractual Rules.

Wood, however, warns of uncertainty in the law governing international transfers. He highlights the report on the Privacy Shield published by the Article 29 Working Party, and the fact that several cases are currently being considered by the Court of Justice of the European Union, which may affect the current legal bases for international personal data transfers, and lead to the scrutiny of the other mechanisms for international transfers, e.g., the EU Model Clauses. The collapse of Safe Harbor certainly left choppy waters in its wake, and organisations would do well to consider the guidance and materials provided by both the ICO and the U.S. Department of Commerce.

ICO Responds to the ePrivacy Directive Consultation

In April, we reported that the European Commission had opened a public consultation seeking the views of various stakeholders on the current wording of, and possible changes to, the Privacy and Electronic Communications Directive (2002/58/EC as amended) (“ePrivacy Directive”). The retrospective evaluation was necessary to ensure the ePrivacy Directive is fit for the digital age, and remains valuable and effective once the General Data Protection Regulation (2016/679) (“GDPR”) is introduced. The Information Commissioner’s Office (“ICO”) published its response to the consultation, outlining its view that the ePrivacy Directive has achieved its objectives to a “moderate” degree, and providing feedback on a range of specific points. The response revealed the following ICO opinions: 

  • Having specific rules for the electronic communications sector for the confidentiality of communications, unsolicited electronic marketing communications, itemised billing invoices, and presentation and restriction of calling and connected lines, adds value.
  • Having specific rules for the electronic communications sector for personal data breaches and traffic and location data will not add value, as these areas will be dealt with by the GDPR.
  • The definitions contained in the ePrivacy Directive often lacked clarity.
  • The scope of the ePrivacy Directive should be broadened, in part, to include Over-The-Top services, such as Voice over IP, instant messaging, and emailing over social networks, but only if accompanied by a clear definition of such services.
  • Strong protections for individuals’ privacy rights (such as requiring manufacturers to ship products with strong privacy settings as the default) should be introduced with great care, and should be balanced with the legitimate interests of business so as not to stifle innovation.
  • A requirement to obtain opt-in consent should be applied to all instances of direct marketing on the basis that one consistent rule is “simpler to understand and to enforce”. The ICO does, however, recognise the inevitable challenges that occur with this approach. Amending the provisions on confidentiality of communications and of the terminal equipment, unsolicited communications, and governance (competent national authorities, cooperation, fines, etc.), were highlighted as priorities when revising the ePrivacy Directive.

The ICO confirmed that EU data protection laws will still be relevant after the UK’s withdrawal from the European Union, validating its contribution to the ePrivacy Directive consultation.

High Court Permits University’s Contravention of Its Own Privacy Policy

The High Court in Bangura v Loughborough University [2016] EWHC 1503 (QB) ruled 19 May that Loughborough University acted lawfully under the Data Protection Act 1998 (“DPA”) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. In contravention of the university’s data protection policy, the registration form was supplied to Leicestershire Police before a written request for the form was received.

The claimant, Mr Bangura (who had been a student at the university), appealed an earlier summary judgment against him, arguing that the university’s disclosure of his personal data to the police – prior to receiving a written request – was an action which contravened its data protection policy. The claimant asserted that the policy formed part of his contract with the university, and sought permission to re-open his application for permission to appeal against an earlier order, and various other relief.

The court refused the application on the basis that it had no realistic prospect of success. Specifically:

  1. The claim under the DPA was rejected on the basis that Section 29 does not state that a request for information must be made in writing, and that the test for legitimate interests had been met.
  2. Section 29(3) permits a data controller to disclose personal data without an individual’s knowledge or consent (an exemption from Principle 1 of the DPA), where the disclosure is for the prevention or detection of crime, or the apprehension or prosecution of offenders.
  3. The disclosure of the claimant’s registration form was not a breach of contract, as the policy was not incorporated into the contract between the claimant and the university by either the policy itself, or the registration document.

The Information Commissioner’s Office provides guidance in both its data sharing code of practice and its checklist for data sharing, for organisations that disclose personal data. Organisations are advised to: (i) consider whether the sharing would be justified; (ii) consider whether it has the power to share; and (ii) record the decision to share. Organisations could avoid the administrative burden of court proceedings by including express wording in their data protection policies specifying the extent to which the policy has contractual force, and the potential of disclosure for criminal, fraudulent or legal purposes.

The FCC Clarifies Prior Express Consent Under the TCPA for Calls to Utility Company Customers

The Telephone Consumer Protection Act (“TCPA”) applies in many circumstances when companies use an automatic telephone dialing system (or “autodialer”) and/or pre-recorded messages to call consumers. In those situations where the TCPA does apply, the company cannot make the call unless it is an “emergency,” or unless the company has the prior express consent of the called party.  The Federal Communications Commission (“FCC”) has the power to exempt certain categories of calls from the TCPA’s requirements.

The TCPA is vigorously enforced by the FCC and has also been the source of extensive class action litigation, including suits against utilities. Any violation of the TCPA can subject the calling company to statutory damages of $500 to $1,500 per call.  Those statutory damages can quickly add up to millions or tens of millions of dollars in liability.  Given this regulatory framework and potential liability, entities have petitioned the FCC for clarification regarding definitions in the TCPA and the application of the law to certain types of telephone communications.

The Edison Electric Institute and American Gas Association recently filed a petition with the FCC (the “EEI/AGA Petition”), seeking confirmation that “under the TCPA, providing a wireless telephone number to an energy utility constitutes ‘prior express consent’ to receive, at that number, non-telemarketing, informational calls related to the customer’s utility service, which are placed using an autodialer or an artificial or prerecorded voice.” The FCC has previously found that a consumer providing his or her telephone number signifies prior express consent to be called on that number for purposes that relate to the reason the number was provided.  For example, providing a phone number on a credit application signifies prior express consent to be called on that number for purposes related to that credit account.  The EEI/AGA sought clarification that such guidance applied in the context of providing telephone numbers to utility companies.

In a declaratory ruling released August 4, 2016, the FCC granted the EEI/AGA Petition. The FCC found that:  “in the absence of facts supporting a contrary finding, prior to the termination of a customer’s utility service, a customer who provided a wireless telephone number when he or she initially signed up to receive utility service, subsequently supplied the wireless telephone number, or later updated his or her contact information, is deemed to have given prior express consent to be contacted by their utility company for calls that are closely related to the service[.]”

Continue Reading

Third Circuit Finds Photo Placement Sufficient to Permit Defamation, False Light Claims to Go Forward in Suit Alleging Harm from Firefighter Sex Scandal Story

In a case demonstrating the difficulties of applying long-established but arguably outdated legal principles to modern technology, the United States Court of Appeals for the Third Circuit last week reversed itself to permit a Philadelphia firefighter’s defamation and false light claims to go forward, based on the inclusion of his photograph in an online article describing a sex scandal. The court concluded upon considering the firefighter’s arguments for the second time that, in the context of an online article accompanied by pictures, specifically naming and showing an individual was sufficient to establish that an article was “of or concerning” that individual for purposes of a defamation or false light claim.  However, the Third Circuit affirmed its prior dismissal of the plaintiff’s intentional infliction of emotional distress claim, finding that being implicated in a sex scandal did not rise to the level of being “extreme or outrageous.”

Central to the claims in the case was an article published on the New York Daily News website describing a sex scandal in which “dozens of firefighters were accused of scandalous behavior.”  The text of the article appeared on the right column, while the left column contained two pictures readers could toggle between; one was a silhouette of an unnamed firefighter, while the other was of plaintiff and stated, “Philadelphia firefighter Francis Cheney holds a flag at a 9/11 ceremony in 2006.”  This was the only reference to a specific firefighter in that article and on the following day, the Daily News published an additional article regarding the scandal but did not include the Cheney photograph. Continue Reading

“Battle-ready” Privacy Shield gets muted welcome from EU data protection authorities

On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining concerns, including the lack of:

  • specific rules on automated decisions and a general right to object;
  • clarity regarding how the Privacy Shield applies to processors;
  • strong guarantees regarding the independence and powers of the Ombudsperson mechanism; and
  • concrete assurances that the bulk, indiscriminate collection of EU citizens’ personal data will not take place.

The first annual review of the functioning of the Privacy Shield program in 2017, to be conducted by the U.S. Department of Commerce and the European Commission, is clearly seen as important by the WP29, which calls for a more defined role in that process and hints that an adverse review could impact negatively on other data transfer methods, including Binding Corporate Rules.

In the meantime, the EU data protection authorities (DPAs) within the WP29 “commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”. The WP29 has announced it will be producing guidance for data controllers about their obligations under the Shield, and commenting on the citizens’ guide produced by the Department of Commerce.

1 August 2016 marks the start of a new chapter for transatlantic data transfers. U.S. companies will be able to self-certify that they abide by the privacy principles set out in the Privacy Shield, providing them with a legal basis to receive personal data from the EU. It is too early to offer predictions on the success of this replacement to Safe Harbor; however, in the short term, the EU DPAs look set to uphold individuals’ considerably enhanced rights under the program – and Privacy Shield joiners should prepare themselves accordingly.

The Stored Communications Act’s Warrant Provisions Do Not Apply Extraterritorially

On July 14, the Second Circuit in Microsoft v. United States ruled that the Stored Communications Act (SCA) “does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

The Justice Department sought and obtained a warrant under the SCA against Microsoft, seeking the contents of an email account on the grounds that the account was being used in furtherance of narcotics trafficking. Microsoft complied with the warrant by producing non-content information, but moved to quash the warrant as to the content because the content was stored on servers located in Ireland.  The U.S. District Court for the Southern District of New York denied the motion to quash, and ultimately held Microsoft in contempt for its failure to comply with the warrant. Continue Reading

European Commission Publishes Communication on Cybersecurity

On 5 July, the European Commission (“EC”) published a communication outlining measures to improve resilience to cyber incidents, improve cooperation and information sharing, and promote innovation and competition in the European cybersecurity industry.


The communication highlights the EC’s intention to take cooperation, knowledge, and capacity to the next level, particularly through the imminent introduction of the Network and Information Security Directive (“NIS Directive”), on which we reported in May. The EC announced it will publish a blueprint for the Cooperation Group (created by the NIS Directive) in early 2017, and proposes the creation of an ‘information hub’. Here, the member states, EU bodies, the European Union Agency for Network and Information Security (“ENISA”), and the Computer Emergency Response Team, will pool and share expertise and information on cybersecurity. Another NIS Directive initiative highlighted was the establishment of Computer Incident Response Teams in each member state. These will be responsible for conducting checks on key network infrastructures. The EC proposes to ensure the necessary conditions for these checks to take place.


The communication also proposes a move toward ENISA 2.0 by reviewing its mandate before 2018, alongside the establishment of a cybersecurity training platform. The communication provides a clear roadmap for the actions of the Commission in the field of cybersecurity in the months to come.

Electronic Signature Regulation Now Effective

Tasked with harmonising the disparate member state legislation that implemented the eSignatures Directive (Directive 1999/93/EC), Regulation (EU) N°910/2014 (the “eIDAS” Regulation) became effective 1 July this year.

The eIDAS Regulation repeals the eSignatures Directive and contains specific provisions governing electronic identification, trust services, and a range of online authentication methods, including electronic signatures, seals, time stamps, and registered delivery services. The new rules are a step in furthering the development of the Digital Single Market, improving trust in digital authentication methods, and breaking down the barriers to online trade and the provision of digital goods and services.

The eIDAS Regulation distinguishes between three types of eSignature:

  1. Electronic signatures

These shall not be denied legal effect or admissibility as evidence in legal proceedings based purely on the fact that they are in electronic form.

  1. Advanced electronic signatures

These allow unique identification of the person who signs the document, and act as a tamper-evident seal which can reveal any unauthorised changes to its content. Such signatures can now be provided on mobile devices, as well as on traditional desktop computers.

  1. Qualified electronic signatures

Similar to advanced electronic signatures but with increased security, these are based on ‘Qualified Certificates’ which can only be issued by a Certificate Authority duly accredited and supervised by EU member state designated authorities, tasked with ensuring that the requirements of eIDAS are met. Qualified Certificates must be stored on a qualified signature creation device (such as a USB token, a cloud-based trust service, or similar). This is the only type of signature which has the equivalent legal effect of a handwritten ‘wet ink’ signature, and ensures mutual recognition across the EU.

Qualified electronic signatures provide a higher level of security (e.g., the signing process creates a tamper-evident seal), and combined with its mutual recognition across the EU, gives rise to a variety of different applications. For example, it could be particularly beneficial in the mHealth and FinTech industries; it provides a secure method of obtaining the consent of mobile app users for processing their sensitive personal data.

The eIDAS Regulation is a welcome update to the 17-year-old eSignatures Directive, which struggled to cater to the demands of an increasingly digital European economy.

Bavarian Data Protection Authority issues guidance paper on video surveillance under the General Data Protection Regulation

On 6 July 2016, the Bavarian Data Protection Authority issued a brief guidance paper on video surveillance under the new EU General Data Protection Regulation (“GDPR”).

This short paper is the first issue within a series of non-binding guidance papers on selected topics in relation to the GDPR, which the Bavarian Data Protection Authority has planned to publish periodically, and which can be found here. Continue Reading