2018 - a year like no other for data protection! Part 1
Locations
Without doubt 2018 was an unprecedented year for data protection. The spotlight blazed upon it and not just because it was the year the General Data Protection Regulation 2016/679 (GDPR) became applicable. Brazil and the state of California passed their own data protection legislation, largely based upon the GDPR, whilst Argentina and India have new data protection bills in progress; the NIS Directive was transposed into National Law; Facebook had an annus horribilis with one data breach after another; and the waiting game for the Council's agreed version of the draft ePrivacy Regulation continues into 2019.
For the last Fieldfisher London privacy meeting of the year we decided to take stock and have a rundown of 2018 by month. Each month was assigned up to three individual team members with the challenge for each team to present in five minutes maximum, the most intriguing, informative and / or bypassed issues in their assigned month. With such a passionate data protection team and given that prizes were on offer, unsurprisingly it was an excellent and informative, albeit a little competitive, finale. So, what were our highlights?
January
At the beginning of the year the ICO fined Carphone Warehouse £400,000 due to serious security failures after their systems were accessed by a third party putting both employee and customer data at risk. Whilst the ICO fine of £400,000 still kept a little in reserve for the worst data breaches under the Data Protection Act 1998, some of the ICO's arguments in its monetary penalty notice were aligned to the requirements set out in Article 83 GDPR, including the ICO's aim to promote compliance through the imposition of fines. This decision reminded controllers of the importance of audits, controls and the implementation of internal recommendations. Carphone Warehouse had previously identified vulnerabilities in its systems but had not taken any action. The ICO did not look favourably on this. In the regulator's opinion, Carphone Warehouse could easily have protected their data better and it may be that the size of future fines will be proportionate to a company's ability to afford and implement the most appropriate technical and organisational measures. Despite such a relatively high level of fine, the fact that there was no evidence of the data breached being used for fraudulent purposes did act as a mitigating factor.
Elsewhere in January, as you were drafting your [insert number] GDPR compliant privacy notice, the Chief Constable of Surrey Police was required to sign undertakings to ensure that the force's data was better protected. To highlight that the ICO monitors the undertakings which organisations sign, it followed up with Surrey Police on 14 December 2018. Related to this, William Godfrey was convicted of two offences of unlawfully disclosing personal data in breach of the Data Protection Act 1998, after he leaked sensitive information he obtained on a USB stick from Surrey Police. He was sentenced to a 12-month conditional discharge (though this was largely due to the fact he had breached undertakings to deliver the information to court) and ordered to pay £150 costs as well as a £15 victim surcharge.
With individuals becoming more aware of their data protection rights as well as the ability to request a notice and takedown, Facebook reached a confidential settlement with a 14-year-old girl as part of a landmark revenge porn case in the High Court in Belfast. The girl sued Facebook after claiming that Facebook should have done more to remove a nude photo of her which was posted on a so-called "shame-page" on its platform. The girl alleged misuse of private information, negligence and breach of the Data Protection Act 1998.
February
Valentine's Day this year marked 100 days until the GDPR became applicable. Meanwhile, some high profile technology companies and an individual challenging the freedom of the press grabbed the headlines for us.
February opened with Applicant, ABC's application for an interim injunction against Google requiring it to block access to a blog site which made reference to a previous (now spent) conviction. The application failed for the procedural reason that Google Inc. did not exist and the proper defendant was Google LLC – and Google LLC was never served with either the claim/application, nor was permission obtained to serve out of the jurisdiction on Google LLC (in California).
In Germany, consumer rights group, The Federation of German Consumer Organisations (VZVB) described how a court had ruled Facebook's use of personal data illegal because Facebook "did not adequately secure the informed consent of its users". Heiko Duenkel, VZVB stated how "Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about it when users register". Such standards did not meet the data protection requirements for informed consent. For instance, in the privacy settings, boxes were pre ticked allowing search engines to link to a user's timeline. As a result anyone was able to quickly and easily find a user's profile. The court said Facebook's terms, granting it consent for the use of personal data were framed too broadly, with 8 clauses found to be invalid. Facebook announced that it would update its data protection guidelines and terms of service to comply with the GDPR going forward.
February also saw Max Mosley's lawyers write to the Times, the Daily Mail, and the Sun newspapers to demand they stop 'processing data' related to their client and block/erase information they said was inaccurate. In 2008, the multimillionaire and former motor racing boss won a landmark claim for a breach of privacy after the News of the World published compromising images of him at an infamous party. The court held that he had a 'reasonable expectation of privacy' yet stories of that party have never completely gone away.
Mosley served a notice under s10(1) DPA 1998 in which he objected to the processing of his personal data (including sensitive personal data) by the data controllers, the companies that own the newspapers in question, on the basis that such processing caused him unwarranted and substantial damage or distress. Given the timing of this correspondence, i.e., pre GDPR, Mosley's lawyers were relying on the data protection principle requiring controllers to act fairly and proportionately. The newspapers relied on the journalistic exemption in s32 DPA. It is interesting to see what provisions are now explicitly available under the GDPR for a similar type of future action including Article 17, 18 and 21 – respectively the right to erasure of personal data; right to restriction of processing; and the right to object to processing of personal data.
March
Following on from media reports in The Observer newspaper some 12 months previous, in March 2017, the Information Commissioner stated that her office would begin a review of the evidence as to the potential risks arising from data analytics in the political process. The company at the centre of this was Cambridge Analytica, which is now a household name. The other major player here and so intricately linked to this story is, none other than, Facebook. As the data protection community waited on tenterhooks to see whether the ICO would be given a warrant, one was eventually granted some four days after Elizabeth Denham indicated her intention to search Cambridge Analytica's offices. Such is the change in the prominence of data protection that the UK Data Protection Act 2018 now provides that "7 days' notice" for a warrant is not required were "compliance with [such] condition[s] would defeat the object of entry to the premises in question, or the Commissioner requires access to the premises in question urgently" (DPA 2018 Schedule 15(4)).
Not only was the data protection practitioner busier than ever before in 2018 but each regulator and the Article 29 Working Party, now known as the European Data Protection Board (EDPB), had its work cut out. The launch of the ICO's Technology Strategy for 2018-2021 during this month highlighted the ICO's divergent work yet this is something that may have garnered little attention during the blinkered, intense, somewhat frantic run up to the GDPR. It is the ICO's first ever Technology Strategy and sets out the ICO's approach to technology, citing eight technology goals and how the ICO intends to achieve those goals besides three areas of priority for 2018-2019.
The strategy, spearheaded by the ICO's new Technology Policy Department which is headed by Simon McDougall, seeks to develop and enhance technical knowledge and understanding at the ICO and to ensure the ICO effectively communicates this expertise to both organisations and individuals. The priorities for 2018-2019 are cybersecurity; AI, Big Data and Machine Learning; together with Web and Cross Device Tracking. This is a pivotal initiative for companies actively involved with data protection because following the progress of this strategy will demonstrate the regulatory mind set; documents will be published and events held for companies to provide input and attend; and there will be opportunities, for those companies who wish, to engage with the ICO.
With thanks to my colleagues for all their contributions to this blog series.