The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.

On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach occurred following the implementation of the General Data Protection Legislation 2016/679 (GDPR), the social network could have faced a fine of up to £359 million. Facebook now has a chance to respond to the ICO’s Notice of Intent, after which a final decision will be made.

Less than 30 days after issuing a Notice of Intent to fine Facebook, the ICO issued a further penalty as a result of the investigation, this time directed at Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a data broking company which provides advice on pregnancy and childcare. The ICO issued a £140,000 fine against Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people.

Background

Facebook, alongside Cambridge Analytica, has been the focus of an ICO investigation for over a year. The investigation centred around the use of data analytics in political campaigns and was spearheaded by the Information Commissioner, Elizabeth Denham. The investigation was formally commenced in May 2017 following the unearthing of evidence that personal data from over 87 million Facebook accounts had been illegally harvested. The ICO described it as one of the largest investigations ever undertaken by a data protection authority, which is reflected in the most recent estimate of the cost of the investigation, put at almost three times the level of the fine with which Facebook has been issued. In addition to the fine, the ICO announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for being too slow to adequately respond to an enforcement notice issued in May of this year.

On 22 June 2018, the European Commission published a factsheet that provides a visual summary of the actions taken to date to implement its Digital Single Market strategy. The Digital Single Market strategy refers to the European Commission’s mission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues.

The factsheet sets out a timeline, which shows the status of each of the Digital Single Market strategy initiatives presented by the Commission since its announcement of the Digital Single Market strategy in 2015. The factsheet shows that 29 legislative initiatives have been presented, of which 17 have been agreed by the European Parliament, the Council of the EU and the Commission.

There remain 12 Commission legislative initiatives on which the European Parliament and the Council are yet to reach agreement. Notably, the forthcoming ePrivacy Regulation, initially envisaged as coming into force at the same time as the General Data Protection Regulation 2016/679, remains very much in the negotiation process. With the European elections in 2019 looming ever closer, there is a very real danger that, unless rapid progress is made, the whole adoption process could find itself put on hold.

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has rejected an appeal brought by the Information Commissioner (IC), which was in relation to a First-Tier Tribunal (FTT) decision finding that “small data” (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named Department for Communities and Local Government (DCLG)). The request for information concerned data held by local authorities with regards to homelessness between 2009 and 2012, which had not been published by the MHCLG. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute “personal data”, as defined by section 1(1) of the DPA 1998, and it was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT’s decision on various grounds, including that in relation to small data, the information was exempt from disclosure under section 40(2) of FOIA.

To enhance cyber resilience, the EU is building a certification framework for information and communication technology (ICT) products, services and processes. On 8 June 2018, the Council agreed a Proposal (known as the Cybersecurity Act) to prepare for negotiations with the European Parliament to finalise the text.

One of the effects of the Proposal is that it will upgrade the current European Union Agency for Network and Information Security (ENISA) into a more stable EU agency for cybersecurity.

Cybersecurity certification

The Proposal introduces a tool to create a more comprehensive regulatory framework for specific ICT processes, products and services designed to help ensure compliance with specified cybersecurity requirements.

Certificates issued under the scheme will be legally recognised across the EU. This will have the dual effect of building trust among users, since certification will show that the technology has received a European security stamp, and enabling businesses to operate cross-border. The resilience of the technology against accidental or malicious data loss or alteration will be certified.

This certification scheme addresses the barriers that arise in the EU where Member States have implemented standards that differ from one another, for example where Member States have issued regulations imposing country-specific security requirements.

The details of this certification scheme and its requirements will, in particular, be important to network and data service operators, including cloud computing service providers.

The certification will be optional unless it is specified as a legal requirement under an EU law or Member State law.

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number of self-reported personal data breaches and a summary of fines issued by the ICO.

Upward trends

The ICO received a huge increase in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017, it received 30,000 more such calls than in the previous three months. The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1 per cent year-on-year, while 30,469 live chats were requested, up 31.5 per cent. Of the queries received, the majority of concerns related to data subject access (39 per cent), the disclosure of data (16 per cent), the inaccuracy of data (11 per cent) and securing the right to prevent processing (9 per cent).

With regards to personal data breaches, the number of self-reported cases increased significantly: 3,172 incidents were reported to the ICO over the course of 2017/2018, a 29.6 per cent increase. It is anticipated that the number of self-reported data breaches is likely to increase further during the 2018/2019 report period, to reflect the new mandatory data breach notification requirements under GDPR. This position was confirmed during an ICO webinar, where it was revealed that there were 1,792 personal data breaches notified to the ICO in June, a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when just 367 notifications were received.

The UK Information Commissioner’s Office (ICO) has issued a resource for organisations to use when hiring and structuring the roles of data protection officers (DPOs) under the General Data Protection Regulation (GDPR). This blog summarises several key elements of the resource.

DPO checklist

The checklist contains four sections which include:

  1. Appointing a DPO – across situations where a DPO is required to be appointed, and also where one is not expressly required but one has been voluntarily appointed.
  2. Position of the DPO – outlining the reporting structure, involvement in all issues relating to data protection, resources available to a DPO, and independence and freedom from conflicts in one’s capacity in the DPO role.
  3. Tasks of the DPO – setting out the roles and responsibilities of the DPO, including compliance, training and audits, as well as acting as a contact point for the ICO.
  4. Accessibility of the DPO – announcing the DPO as the accessible point of contact for employees, individuals, the ICO, and stating that the DPO should have their contact details published and communicated to the ICO.

DPO appointment

An organisation must appoint a DPO if:

  • It is a public authority or body (other than a court acting in a judicial capacity); or
  • Its core activities require regular and systematic monitoring of individuals on a large scale (which include tracking online behaviours); or
  • Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


The UK government has opened a consultation on exemptions to paying a data protection fee, giving businesses the opportunity to lobby for new exemptions to be introduced.

Businesses that are responsible for processing personal data (i.e. controllers) are required to pay a data protection fee to the Information Commissioner’s Office (ICO). These fees are: £40

You may well remember our blog from last year which outlined the Commission’s proposal for a framework in relation to the free flow of non-personal data in September 2017 (you can view our blog here).

On 19 June 2018, the European Parliament, Council and the European Commission reached a political agreement on the rules that will allow data to be stored and processed everywhere in the EU, without unjustified restrictions.

In addition to supporting the creation of a competitive data economy within the Digital Single Market, these new rules will remove barriers which hinder the free flow of data. Predictions suggest that this could boost Europe’s economy by an estimated growth of up to 4 per cent GDP by 2020. You can find more information on the European Commission’s website.

Key objectives

The new rules on the free flow of non-personal data will:

  • Ensure the free flow of data across borders: data localisation restrictions will be prohibited, so that organisations can store data anywhere in the EU. Member States will also be required to communicate to the Commission any remaining or planned data localisation restrictions in “limited specific situations of public sector data processing”.
  • Ensure data availability for regulatory control: public authorities will be able to access data for scrutiny and supervisory control regardless of where in the EU it is stored and/or processed. Member States may also sanction users that do not provide access to data stored in another Member State.
  • Encourage creation of codes of conduct for cloud services: to facilitate switching between cloud service providers under clear deadlines. The Commission states that this “will make the market for cloud services more flexible and the data services in the EU more affordable”.


In the wake of the U.S. Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), there has been a plethora of litigation in privacy class actions over whether federal courts can exercise subject-matter jurisdiction over the asserted statutory or common law claims. However, in addition to considering whether a court has subject-matter jurisdiction, entities hit with a putative privacy class action should also consider whether the court can exercise personal jurisdiction over the parties and claims.

There are two types of personal jurisdiction: general and specific. Over the course of the last decade, the U.S. Supreme Court has limited the forums in which a court can exercise general – or all purpose – jurisdiction over a defendant. In most cases, those forums will be only an entity’s state of incorporation and principal place of business. The result has been an increased focus on whether courts have specific – or case-linked – jurisdiction. Now, entities – even those that conduct business in all 50 states – may be able to successfully bring a motion to dismiss for lack of personal jurisdiction where the entity’s contacts with the forum did not give rise to the claims against it.

In addition, the Supreme Court’s decision in Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco Cty., 137 S. Ct. 1773 (2017) (Bristol-Myers) opened the door to an additional use of the lack of personal jurisdiction defense in nationwide privacy class actions. Relying on Bristol-Myers, several district courts have permitted entities hit with nationwide class actions to limit the putative class where the absent class members’ claims did not arise from the entity’s contacts with the forum state.