The impact of a no-deal Brexit on data protection

The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event.

While emphasising the fact that a no-deal Brexit is “unlikely”, the guidance notes that it is important to prepare for all eventualities.

The guidance forms part of the government’s series of notices on a no-deal Brexit, aimed at businesses and citizens.

The current position

The UK has a comprehensive data protection framework, consisting of the Data Protection Act 2018, which is a UK-specific law, and the General Data Protection Regulation (GDPR), which applies across the EU Member States.

The GDPR does not restrict transfers of personal data within the EU. Transfers can also be made outside of the EU if there is an appropriate legal basis for doing so.


The digital beyond: Facebook ordered to disclose circumstances around deleted profile

In the recent case of Sabados v Facebook Ireland [2018], the English High Court ordered Facebook to disclose the identity of a mystery individual who requested that the platform delete the profile of a deceased user of the platform.

Around six months after the death of Mr Mirza Krupalija, Facebook received a request from an individual to delete Mr Krupalija’s personal profile, as well as the page of his band. Facebook duly complied with this request, leaving his long-term partner, Ms Azra Sabados, “devastated by the loss of so much material”.

Ms Sabados made a subject access request to Facebook on the basis that some of that deleted information (which included photographs, poems and messages between the couple) would have included her own personal data. In response to the subject access request, Facebook confirmed that the data from Mr Krupalija’s profile was no longer available and that it was not able to tell Ms Sabados who had requested that her partner’s profile be deleted.


Southeast Asian nations to form regional framework for cybersecurity cooperation

The Association of Southeast Asian Nations (ASEAN) announced last week that it will create a rules-based framework for its 10 member states to cooperate on cybersecurity matters.

The 10 ASEAN members are Singapore (which is the chair for ASEAN this year), Malaysia, Indonesia, the Philippines, Thailand, Vietnam, Brunei, Myanmar, Laos and Cambodia.

Singapore is expected to take the lead in drawing up a mechanism that facilitates cross-country collaboration on cyber policy development, capacity building and operational issues. ASEAN recognized that such a system would need to be flexible and take into account the economic considerations of the different member states.

Although the framework is still in an early phase of development, greater cross-border cooperation among the regulatory authorities of the various ASEAN members is likely, as is the introduction of more cybersecurity laws at a national level.

Security challenges arising out of the convergence of Internet of Things and Cloud computing

The European Union Agency for Network and Information Security (ENISA) has published a paper on the security challenges that arise from the convergence of Internet of Things (IoT) and Cloud computing. The paper is directed at IoT developers, IoT integrators and Cloud service providers, and concludes with a number of suggested steps to achieve secure solutions.

ENISA defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”. This would include, for example, smart homes, Fitbits and Apple Watches. ENISA divides the IoT ecosystem into three components: (i) devices, (ii) communications and (iii) Cloud platform, backend and services.

The growth of IoT in recent years has put pressure on Cloud computing to evolve in order to accommodate IoT’s needs, including aggregating, storing and processing the data that it generates. This resulted in a new model, the “IoT Cloud”.

The emergence of the IoT Cloud poses potential security risks, and ENISA is primarily concerned about the fact that IoT devices provide access to Cloud systems, and therefore any attack on an IoT device can potentially lead to a more widespread attack.


ECJ ruling on fairness of disproportionately high default interest rate in consumer loan agreements

In the joined cases of Banco Santander SA v. Demba and another (Case C-96/16) and Cortes v. Banco de Sabadell SA (Case C-94/17), both referred by the Spanish courts, the European Court of Justice (ECJ) considered the application of the Unfair Contract Terms Directive (Directive) to the rate of default interest in consumer loan agreements.

The Unfair Contract Terms Directive

The Directive protects consumers from unfair terms included in contracts. In Spain, the Directive is implemented into national law via the LGDCU (Ley General para la Defensa de los Consumidores y Usuarios y otras leyes complementarias (Royal Legislative Decree 1/2007)). The LGDCU provides that the test of fairness can be applied to all terms not individually negotiated and all practices not expressly agreed. A term may be deemed unfair if it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.

Facts of the cases

The ECJ was asked to provide a preliminary ruling on certain questions referred by the Spanish courts in two joined cases:

(i) In the first case, the default interest rates on unsecured loan agreements (concluded between individual borrowers and Banco Santander) were 18.50 per cent and 23.70 per cent, compared to ordinary interest rates of 8.50 per cent and 11.20 per cent, respectively. After the borrowers defaulted, the bank sought enforcement of its claim by assigning its debt to a third party in accordance with Spanish law.

(ii) In the second case, an individual’s mortgage loan agreement with a bank provided an ordinary interest rate of 5.5 per cent per annum, which was subject to change after the first year, and which was 4.75 per cent at the time of the main proceedings. The default interest rate was 25 per cent per annum. The consumer argued that this was unfair.


UK Code of Conduct for data-driven health and care technology

Earlier this month, the UK Department of Health and Social Care published an initial Code of Conduct for data-driven health and care technology. The code builds on the Department for Digital, Culture, Media and Sport’s Data Ethics Framework.

The code encourages the United Kingdom’s health and care system to form partnerships with suppliers of data-driven technologies, in order to deliver improved health care and position the United Kingdom as a “great place to do business on technology”.

Four key stakeholder groups are identified by the code: patients and citizens, health and care professionals, commissioners, and innovators. The code aims to meet the “most important need” for each of these groups, namely those experiencing improved care, those delivering better care, those providing services that better meet users’ needs, and those working to make the United Kingdom a centre for innovation.


First tribunal case overturning an ICO fine for sending marketing emails without opt-in consent

In Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an English General Regulatory Tribunal has overturned a fine, issued by the Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla Ltd, after the ICO determined that Xerpla had failed to obtain the necessary consents for electronic communications to its subscribers.

The ICO fined Xerpla £50,000 in October 2017 for sending 1.26 million marketing emails to its subscribers, which, according to the ICO, breached the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Central to PECR is that direct marketing emails to subscribers may only be sent with the prior consent of the email recipient.

The tribunal found that Xerpla’s subscribers had “consented to, and knew they were consenting to, the direct marketing of third party offers for all kind of products and services… That is why they subscribed…” It was therefore considered obvious what was being consented to, given the services offered by Xerpla.


Munich Court of Appeal prohibits Facebook from deleting a post that does not fall under the German Hate Speech Act

On 24 August 2018, the Munich Court of Appeal (“Court”) issued a preliminary injunction against Facebook that prohibits Facebook from deleting a certain user’s post (docket no. 18 W 1294/18, available in German here).

Facts of the case

The claimant is a Facebook user who had taken part in a discussion on the Facebook page of a renowned German news journal on Austria’s announcement of border controls. In the course of a controversial discussion, in particular with another Facebook user, the claimant posted a quotation of the German poet Wilhelm Busch, combined with a provocative statement against another Facebook user:

Original German wording:

… Gar sehr verzwickt ist diese Welt, mich wundert’s daß sie wem gefällt. Wilhelm Busch (1832–1908)

Wusste bereits Wilhelm Busch 1832 zu sagen:-D Ich kann mich argumentativ leider nicht mehr mit Ihnen messen, Sie sind unbewaffnet und das wäre nicht besonders fair von mir.

English convenience translation:

… This world is very tricky, I wonder who likes it. Wilhelm Busch (1832–1908)

Wilhelm Busch already knew in 1832 to say :-D Unfortunately, I can no longer compete with you argumentatively, you are unarmed and that wouldn’t be particularly fair of me.

Facebook deleted the claimant’s post.

The UK responds to NISD consultation

The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public consultation in August 2017; see our recent blog on this here.

The targeted consultation received 12 responses that largely showed support for the government’s overall approach. Concerns were expressed, however, regarding the uncertainty over who falls within NISD’s scope and the subject of costs recovery.

As the Network and Information System Regulations 2018 (the NIS Regulations) are already in force, the targeted consultation process will be used to assist the Information Commissioner’s Office (ICO) in providing updated guidance to DSPs. The government’s response, therefore, provides a useful insight into the future guidance on this topic, which will directly affect the regulation of DSPs in the UK.


When do organisations need to carry out a data protection impact assessment? German authorities provide guidance

The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples.

What is a DPIA?

DPIAs help organisations to identify, assess and minimise the data protection risks of a project in which personal data are processed. In particular, broader risks to the rights and freedoms of individuals resulting from the processing are to be assessed and mitigated by appropriate countermeasures.

DPIAs also support the General Data Protection Regulation’s (GDPR) accountability principle, helping organisations to demonstrate that they have taken the measures GDPR requires, so that the processing can be carried out in compliance with it.

Art. 35 GDPR provides that a DPIA is generally required where the processing of personal data, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR lists three examples where a DPIA is required:

  • Systematic and extensive profiling
  • Processing of special categories of personal data or criminal offence data on a large scale
  • Systematic monitoring of publicly accessible places on a large scale

Art. 35 (4) GDPR calls on supervisory authorities to release lists that further specify those cases where a DPIA is mandatory.
