Photo of Alexander Mackay

An attempt to bring legal action against Google for its alleged tracking of an estimated 4.4 million iPhone users in 2011 and 2012 has been blocked by the UK High Court (the court).

Campaign group “Google You Owe Us” brought the claim as a representative action on behalf of the affected individuals (the class) in 2017. It is thought to be the UK’s first mass legal action of its kind.

The case

Google You Owe Us argued that Google breached its duty under the Data Protection Act 1998 by circumventing the default settings in Apple Safari, placing cookies on the browser to track users’ movements, and using the collected data to sell advertisements. The decision is still relevant to the Data Protection Act 2018.

In an application for permission to serve the claim on Google in the United States, the High Court was required to determine, amongst other things, whether the claim had a reasonable prospect of success.

Justice Warby acknowledged that Google may have breached its duty. He said: “There is no dispute that it is arguable that Google’s alleged role in the collection, collation and use of data obtained via the Safari Workaround was wrongful, and a breach of duty.”

The European Parliament has published a non-binding resolution on distributed ledger technologies and blockchains (blockchain technologies).

What is distributed ledger technology?

Best known as the technology behind bitcoin and other crypto-currencies, distributed ledger technology is, in its simplest form, a ledger of digital information maintained in decentralised form across a large network of computers. The information making up the ledger is secured using cryptography and can be accessed using keys and cryptographic signatures. Cyber-attacks are considered to have less impact on such technologies as they need to successfully target many decentralised ledgers.

Positive applications of blockchain technologies

The resolution highlights the potentially positive applications of blockchain technologies across numerous industries and sectors including:

  • Transforming the energy markets by allowing households to produce environmentally friendly energy and exchange it on a peer-to-peer basis;
  • Improving the efficiency of the healthcare sector through electronic health data interoperability;
  • Improving supply chains by facilitating the forwarding and monitoring of the origin of goods and their ingredients or components, and improving transparency, visibility and compliance checking;
  • Enabling the tracking and management of intellectual property and facilitating copyright and patent protection;
  • Improving transparency and reducing transaction costs and hidden costs in the financial sector by better managing and streamlining processes; and
  • The potential of initial coin offerings as an alternative investment instrument in funding SMEs and innovative start-ups.


On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints).

The Complaints

The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real time bidding (RTB) systems used by Google and the wider online advertising industry, which operate to provide personalised advertising on websites.

It is claimed that there are ongoing breaches of applicable data protection laws across the industry. As an example, a wide range of personal data is gathered by the RTB system, far more than is necessary to provide targeted advertisements to individuals browsing the web. It is suggested that the information collected is then provided to a host of third parties for a range of uses that go far beyond those purposes which a data subject can understand, consent to, or object to. According to Brave, “every time a person loads a page on a website that uses programmatic advertising, personal data about them are broadcast to tens – or hundreds – of companies”.

In the recent case of Sabados v Facebook Ireland [2018], the English High Court ordered Facebook to disclose the identity of a mystery individual who requested that the platform delete the profile of a deceased user of the platform.

Around six months after the death of Mr Mirza Krupalija, Facebook received a request from an individual to delete Mr Krupalija’s personal profile, as well as the page of his band. Facebook duly complied with this request, leaving his long-term partner, Ms Azra Sabados, “devastated by the loss of so much material”.

Ms Sabados made a subject access request to Facebook on the basis that some of that deleted information (which included photographs, poems and messages between the couple) would have included her own personal data. In response to a subject access request, Facebook confirmed that the data from Mr Krupalija’s profile was no longer available and that it was not able to tell Ms Sabados who requested that her partner’s profile be deleted.

On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach occurred following the implementation of the General Data Protection Regulation 2016/679 (GDPR), the social network could have faced a fine of up to £359 million. Facebook now has a chance to respond to the ICO’s Notice of Intent, after which a final decision will be made.

Less than 30 days after issuing a Notice of Intent to fine Facebook, the ICO issued a further penalty as a result of the investigation, this time directed at Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a data broking company which provides advice on pregnancy and childcare. The ICO issued a £140,000 fine against Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people.

Background

Facebook, alongside Cambridge Analytica, has been the focus of an ICO investigation for over a year. The investigation centred around the use of data analytics in political campaigns and was spearheaded by Information Commissioner, Elizabeth Denham. The investigation was formally commenced in May 2017 following the unearthing of evidence that personal data from over 87 million Facebook accounts had been illegally harvested. The ICO described it as one of the largest investigations ever undertaken by a data protection authority, this being reflected in the most recent estimate of the cost of the investigation, which has been put at almost three times the level of the fine with which Facebook has been issued. In addition to the fine, the ICO announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for being too slow to adequately respond to an enforcement notice issued in May of this year.

On 22 June 2018, the European Commission published a factsheet that provides a visual summary of the actions taken to date to implement its Digital Single Market strategy. The Digital Single Market strategy refers to the European Commission’s mission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues.

The factsheet sets out a timeline, which shows the status of each of the Digital Single Market strategy initiatives presented by the Commission since its announcement of the Digital Single Market strategy in 2015. The factsheet shows that 29 legislative initiatives have been presented, of which 17 have been agreed by the European Parliament, the Council of the EU and the Commission.

There remain 12 Commission legislative initiatives that the European Parliament and the Council are yet to reach agreement on. Notably, the forthcoming ePrivacy Regulation, initially envisaged as coming into force at the same time as the General Data Protection Regulation 2016/679, remains very much in the negotiation process. With the upcoming European elections in 2019 looming ever closer, there is a very real danger that unless rapid progress is made, the whole adoption process could find itself put on hold.

On 25 May 2018 the European Data Protection Board (EDPB) formally replaced the Article 29 Working Party as the European advisory committee on data protection issues. In addition to taking over the Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice, the EDPB, which operates as an independent body of the European Union with its own separate legal personality, also takes on a far broader set of responsibilities:

  • examining – on its own initiative or on the request of one of its members or the European Commission (Commission) – any question covering the application of the GDPR;
  • advising the Commission on any issue related to data protection in the EU, including on any proposed amendment of the General Data Protection Regulation (GDPR) and any EU legislative proposal;
  • advising the Commission on the format and procedures for the exchange of information in the framework of the Binding Corporate Rules;
  • providing the Commission with an opinion on the assessment of the adequacy of the level of protection in a third country;
  • providing opinions on draft decisions of the supervisory authorities; and
  • issuing binding decisions in certain instances, mostly about dispute resolution among supervisory authorities.

In its first plenary meeting, which took place on 25 May 2018, the EDPB agreed the final version of Guidelines 2/2018 on the derogations under Article 49 GDPR in the context of international data transfers (Article 49 Guidelines), as well as a set of draft Guidelines 1/2018 on certification in accordance with Articles 42 and 43 GDPR (Certification Guidelines).

On 23 April 2018, the European Commission published a proposal for a Directive on the protection of whistleblowers reporting on breaches of EU law, accompanied by an explanatory memorandum.

The Directive

The intention behind the proposal is to harmonise the minimum level of protection available to whistleblowers across the EU. It reflects the Commission’s view that whistleblowers can play an important role in exposing breaches of EU law, but they will often resist coming forward for fear of the legal and financial consequences which may occur. At present, legal protection for whistleblowers is fragmented and, in the Commission’s view, insufficient. In its explanatory memorandum, the Commission talks of ‘missed opportunities’ for preventing and detecting breaches of EU law where certain Member States currently have a lack of protection and argues that the harmonisation brought about by the draft Directive will contribute toward improving the business environment, increasing fairness in taxation and promoting labour rights.

The draft Directive applies to reports of breaches across a wide range of EU areas of law, including the protection of privacy and personal data, and security of network and information. It creates an obligation to establish internal channels and procedures to handle reports made by whistleblowers, which applies to entities that meet the prescribed thresholds. For those entities in the private sector, the threshold is 50 or more employees, or an annual turnover of EUR 10 million or more, although this does not apply to businesses offering financial services, for which there is no minimum threshold. Entities in the public sector will be caught if they are involved in state or regional administration, if they are responsible for municipalities with more than 10,000 inhabitants or if they are otherwise governed by public law.

On 23 February 2018, the Article 29 Working Party (WP29) sent a letter to Alban Schmutz, President of Cloud Infrastructure Services Providers in Europe (CISPE), in response to the organisation’s submission of a draft Code of Conduct for Cloud Infrastructure Service Providers.

In conducting its review, the aim of WP29 was to ensure that the draft Code would enable individuals to feel confident that their chosen cloud infrastructure services are compliant with the Data Protection Directive (Directive 95/46/EC) (the ‘Directive’) and the General Data Protection Regulation ((EU) 2016/679) (GDPR). It should be noted that the GDPR recommendations made by WP29 are non-binding for now, with a final assessment of the Code to be made once the GDPR is implemented on 25 May 2018.

In the annexes to the letter, a series of general and specific remarks are made to assist CISPE in re-evaluating and redrafting the Code.