With applicability of the GDPR a little over a month away, the Article 29 Working Party (WP29) published its revised and adopted guidelines on consent and transparency. Alas, this did not stop a great many companies asking individuals to re-consent. Why, oh why, did this happen? The guidelines on transparency arguably held no surprises beyond what was already in Articles 12 to 14, but they did stress the need to avoid information fatigue. How many updates to privacy notices did you receive around this time from companies that you personally deal with? Did you read any, all or some of them?
Facebook hit the headlines again, this time because it relocated the data of users outside of the US, Canada and Europe from Ireland to its main offices in California in order that such user data would be governed by US and not EU law.
Trumpet fanfare … almost six years after the European Commission published COM (2012) 11 final, and after numerous years of discussion before that, the GDPR became applicable. 25 May 2018 was a momentous day for data protection, but in terms of a compliance journey it most certainly did not mark an end point. Rather, it signalled the start of a new era in which companies and organisations are held accountable for their data protection standards, and in which procedures and policies need to be continually reviewed, monitored and, where necessary, improved upon. Data protection today is a continuum that touches every aspect of a modern business or organisation, and it needs to be collaboratively supported and championed across all departments.
Max Schrems set up and crowdfunded noyb (none of your business) from November 2017, and it was no surprise to see four complaints made by the not-for-profit organisation on 25 May 2018 in relation to Facebook, Instagram, WhatsApp and Google's Android operating system. noyb argued that the tech giants forced users to agree to new terms of service, in breach of the requirement in the law that such consent be freely given. Schrems compared the behaviour of Facebook, which offered "accept" or "delete your account", to the regime of a "North Korean election process".
May also witnessed the ICO serve an Enforcement Notice on SCL Elections Ltd, parent company of Cambridge Analytica, over an inadequate response to a subject access request (SAR) made by US academic Professor Carroll. Professor Carroll submitted a SAR in January 2017 and in March 2017 received a spreadsheet, supposedly containing all the personal data held about him. Unhappy with the response he received, Professor Carroll complained to the ICO in September 2017, although SCL Elections stated in response to the ICO that the complainant was not entitled to make a SAR. The ICO disagreed and served an Enforcement Notice on SCL Elections, which was not responded to. As such, the company has been charged by the ICO with one count of failing to comply with an Enforcement Notice, with a trial set for January 2019.
Shortly after breath had been drawn following the GDPR becoming applicable, the Court of Justice of the European Union (CJEU) gave judgment in the case of Wirtschaftsakademie Schleswig-Holstein GmbH, in which the interveners included Facebook and the Vertreter des Bundesinteresses beim Bundesverwaltungsgericht. The judgment ruled on the concept of "joint controllership" and widened the concept of the "data controller". The CJEU determined that the operator of a "fan page" on Facebook should be considered a joint controller, with Facebook, of the personal data processed about people who access that page, and confirmed that both parties have a responsibility to inform users about how personal data is processed, to obtain consent if necessary, and to conclude contracts with each other to regulate their respective responsibilities.
The CJEU's judgment means that any organisation that has an influence over how personal data is processed could be considered a data controller, and not just in the context of fan pages on Facebook.
June saw the notification and admission of a huge data breach by Dixons Carphone involving 5.9 million payment cards and 1.2 million personal data records. 105,000 cards without chip-and-pin protection were leaked, although there was apparently an attempt to compromise 5.8 million credit and debit cards. Dixons Carphone chief executive Alex Baldock admitted the group had "fallen short" of its responsibility to protect customer data.
An update to the ICO's website published on 31 July 2018 at 11:15am states that Dixons Carphone "has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated". Of course, under Article 33(4) GDPR, "where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay".
Gloucestershire Police was fined £80,000 by the ICO in June in relation to a data breach incident that occurred in December 2016, when an officer emailed an update on an investigation relating to allegations of child abuse to 56 recipients using the "To" field rather than the "Bcc" function. The recipients of the email included victims, witnesses, lawyers and journalists, who could each see the others' full names and email addresses. The recipients could also infer from the email content that many of the other recipients were victims of child abuse. Whilst the police force did identify the breach two days after it happened, it only successfully recalled three of the emails, so 56 names and email addresses had still been disclosed to 52 recipients. Recipients were asked to delete the email.
It is always interesting to review the mitigating and aggravating factors in an ICO Monetary Penalty Notice. In this case they included:
- Prompt remedial action
- An apology to the individuals affected was issued
- Officer involved referred to professional standards department
- Reporting to and cooperating with the ICO
- Some of the recipients were known to each other
- Issuing a penalty may prevent other victims reporting (loss of trust)
- Chief Constable of Gloucestershire Constabulary is improving technical and organisational measures (TOMs)
- Right to anonymity for life has been removed for some
- No guarantee the information had been recovered in full
- An ICO Audit in 2014 provided a limited assurance rating, and highlighted concerns about the quality, standard and content of training on certain key systems
- This incident can be partially attributed to lack of policies and poor standards and inconsistency in relation to the provision of staff training
At paragraph 40 of this monetary penalty notice the ICO underlines the risk of sending bulk emails without using the "Bcc" field, and highlights two previous monetary penalty notices issued for similar conduct, namely to the Bloomsbury Patients Network in December 2015 and to the Chelsea and Westminster Hospital NHS Trust in May 2016. This clearly demonstrates the need for controllers and processors to collectively improve their behaviour and to learn from the mistakes of others when those mistakes receive attention from the ICO.
With thanks to my colleagues for all their contributions to this blog series.