The European Data Protection Supervisor's Office hosted the 40th International Conference of Data Protection and Privacy Commissioners, #DebatingEthics, described by Giovanni Buttarelli as the Olympic Games of data protection. It was a truly fantastic event and the two days of sessions open to the public were absolutely remarkable. The greatest challenge, though, is perhaps the cultural change required of companies whose business model has been to use an individual's data as their product in return for free services. Fundamentally, companies need a decent benchmark level of compliance before determining their ethics strategy; whilst this concept was perhaps once considered the icing on the cake for data protection standards, it is now being discussed and implemented. Data protection standards today most certainly act as a differentiator, used by customers to select which company they will do business with, and a company's data protection reputation is essential to its success.
Two judgments in the field of data protection were handed down in quick succession this month, both involving large scale litigation. The High Court judgment in Lloyd v Google LLC in relation to the Safari workaround representative action was followed by the Court of Appeal judgment in WM Morrison Supermarkets PLC v Various Claimants.
Lloyd v Google LLC provided a number of key takeaways, both in relation to the need for claimants to evidence damage when compensation is claimed for alleged breaches of data protection and with respect to the appropriateness of a representative claim on behalf of a large number of claimants. Lloyd, the claimant, issued the claim on the basis that he should represent a large class of potential claimants, i.e., all those individuals who had used Safari on their iPhone when the Google Safari workaround was in place. The potential size of this group would be several million people. However, this case did not meet the criteria for a representative action in the Courts of England and Wales, since not all the individuals on whose behalf the representation was made had "the same interest in" the claim. For this reason it was held that a representative claim could not be brought. An additional factor was that the supposed claimants represented had not expressed their interest in having this claim made on their behalf.
Whilst Morrisons has stated that it will appeal to the Supreme Court, the Court of Appeal's decision as it stands held the company vicariously liable for a data breach by a rogue employee. The Court in its judgment considered that the way to deal with such malicious acts by employees is to insure against them! Undoubtedly, steps to thoroughly vet employees should be in place, as well as live policies that employees actively engage with during the course of their everyday employment to ensure that they adhere to their company's approach to data protection.
Heathrow Airport Limited (HAL) received a fine of £120,000 for failing to make sure that the personal data held on its network was properly secured. A member of the public found an unencrypted memory stick which was not password protected containing 76 folders and over 1,000 files. Whilst the amount of personal and sensitive personal data on the stick was a fraction of the total files, the ICO did express particular concern about "a training video which exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel". The ICO's investigation also raised concern that only 2% of HAL's staff had been trained in data protection.
After an anticipated wait and delayed publication, due to further legal checks being required, the EDPB adopted and made available its draft Guidelines 3/2018 on the territorial scope of the GDPR. The Guidelines primarily discuss how the two criteria, the 'establishment' criterion under Article 3(1) and the 'targeting' criterion under Article 3(2), should be interpreted with reference to existing case law. The Guidelines also address the obligation for controllers and processors which are based outside the EEA but fulfil the "targeting" criterion to appoint a representative in the EU. The Guidelines remain open for public consultation until 18 January 2019.
The ICO fined five Uber entities (four UK companies and one Dutch company) £385,000 for a data breach that occurred in 2016 and which included the names, email addresses and phone numbers of approximately 2.7 million UK customers and the records of around 82,000 drivers. The ICO found that the security arrangements adopted by Uber were inadequate and that the company was therefore in breach of the seventh principle under the Data Protection Act 1998 (appropriate technical and organisational measures). Uber had not notified the ICO or the affected individuals at the time of the attack and instead paid the attackers to destroy the data. However, the penalty was mitigated by the fact that Uber had taken prompt action to prevent a recurrence and by the lack of evidence that the personal data in question had been misused.
Between September and November, the ICO fined more than 100 organisations and sent a further 900 notices of intent for failing to pay the data protection fee. The fees, which increased on 25 May 2018, are payable under three tiers based on an organisation's head count and turnover. Organisations that fail to pay can face fines of between £400 and the maximum of £4,350, including aggravating factors.
Thankfully, December for data protection has not been quite as busy as the UK festive season! Nonetheless, there have been some interesting developments, perhaps none more so than Parliament's publication of "confidential" Facebook emails that were seized at the end of November. Damian Collins MP relied upon rarely used parliamentary powers to demand that Ted Kramer, head of the software company Six4Three, hand over the documents during a business trip to London. The documents were in Six4Three's possession because they had been disclosed to it as part of litigation proceedings with Facebook. The documents were believed to contain some significant details about decisions Facebook had made about its data and privacy controls, decisions which are said to be behind the Cambridge Analytica scandal.
Facebook is rather annoyed at the way in which these documents have been seized and disclosed. Yet the contents provide a dramatic insight into Facebook's culture, certainly at the time some of the emails were written, in 2012, and highlight the value of users' data to both Facebook and developers using its platform. Whilst Facebook's message to the public is that it is resolving its data protection issues, CEO Mark Zuckerberg has admitted that the problems will take more than one year to fix, and he questions whether everything can be fixed.
Australia this month passed controversial legislation designed to force technology companies to provide police and security agencies with access to encrypted messages. The government argued that the law is required to help combat terrorism and crime. Unsurprisingly, the government has faced criticism about the intrusion into individuals' privacy, besides disapproval from security experts. Experts argue that creating back doors in technology that allow law enforcement agencies to access a user's end-to-end encrypted messages without the user knowing will ultimately create vulnerabilities in the overall technology, putting all users at risk.
Anyone who is an O2 user in the UK, or whose provider, such as Tesco Mobile or the O2 subsidiary GiffGaff, uses O2's infrastructure, will know the level of disruption that was caused when O2 had an outage due to a software glitch suffered by its supplier Ericsson. Unable to access data or use their usual services for more than 24 hours, O2 users and all those affected will be compensated for the inconvenience. O2 in turn will be compensated by Ericsson. This matter highlights the dependency of companies on their suppliers and the disastrous consequences that can occur when something breaks down in the chain. What happened here is also a good reminder for all companies to ensure that they have a procedure for making sure software licences are continually renewed and do not expire (one of the reported root causes of the problem).
It did seem a little ambitious, at the time details were released, for the Facebook v Schrems hearing (re: whether the referral to the CJEU on Standard Contractual Clauses, aka Model Clauses, should have been made) to be listed for Wednesday 19 December 2018, i.e., six days before Christmas Day. Unsurprisingly, at a case management hearing in November it was pushed back to 21 January 2019. It's a date to most definitely add to your new calendar for 2019, and a case worth continuing to watch to see how it progresses and concludes.
The takeaways from 2018 are innumerable, but of key importance to all companies today is undoubtedly to have a tried and tested data breach incident response plan. Time and time again, it is the mistakes of individual employees, rather than the actions of a sophisticated state hacker or hobbyist, that expose a company to ICO enforcement action, although the latter remains a realistic probability too. Are your employees leaving the premises with personal data downloaded onto portable media, neither encrypted nor password protected? Have all your staff been trained in data protection? What is your policy for sending out bulk emails? It is clear from the two ICO cases cited in this series about bulk email (Gloucestershire Police, June, and the Independent Inquiry into Child Sexual Abuse, July) that the regulator wants companies to learn from and act upon the mistakes of others. It is therefore imperative to keep up to date with the outcomes of the ICO's monetary penalty notices and implement any of the recommended practices.
Accountability is a cornerstone of the GDPR and it is essential that companies keep their policies and records up to date. The GDPR makes it clear that data breaches are only reportable in certain circumstances, but the decision-making process by which you decide whether or not to report an incident may ultimately be of great interest to a regulator in the future. Companies, whenever a data incident or breach occurs, should retain a record of the circumstances and the reason(s) why the incident was not reported to the regulator.
With the Cambridge Analytica scandal and the ICO's investigation into Democracy Disrupted?, the collection and sharing of data has arguably never before been so closely scrutinised. Whilst the GDPR readiness exercise many companies undertook ought to have provided a consolidated data map of such activity, it cannot be over-emphasised how important it is for companies to understand what is happening with the data that they are responsible for. Every stakeholder has its part to play.
The growth in litigation surrounding data protection brought by or on behalf of data subjects cannot be ignored. The GDPR provides for cases to be brought by a representative on behalf of data subjects. The outcome of the Supreme Court hearing in the Morrisons case will be pivotal in how employers safeguard against the actions of rogue employees. Companies, if they have not already done so, need to consider how they would deal with such an eventuality and what insurance protection they have in place to cope with a rogue employee causing a data breach.
Unquestionably, 2018 was for data protection a year like no other. But it is far from slowing down and there are so many things happening in this most dynamic area of law and compliance to look forward to in 2019 and beyond. To borrow Phil Lee's phrase: "The good news: we survived the GDPR! And, if we can do that, we can surely survive Brexit and the ePrivacy Regulation too!"
We wish all our readers a Happy, Healthy and Prosperous New Year!
With thanks to my colleagues for all their contributions to this blog series.