2018 - a year like no other for data protection! Part 3


United Kingdom

The summer of 2018 ... a Football World Cup, scorching temperatures across Europe and a continued flurry of data protection activity and news.

The CJEU decision in the Jehovah's Witness case held the religious organisation is a data controller when preaching and canvassing door to door; the ICO again warned of the consequences when bulk emails are not sent using Bcc; the UK government brought new regulations into force to ensure it meets EU data retention obligations (but ironically Japan may get an adequacy decision before the UK); the complexity of data sharing, even from new mothers' data, and its impact on democracy; as well as the potential demise of nuisance telephone calls ... Read on!


For some, the Football World Cup provided a welcome distraction as the dust began to settle on the post-GDPR world and the level of intensity somewhat dropped, unless you were engaged with subject access requests or data incidents. Hitting the headlines this month was Tietosuojavaltuutettu v Jehovan todistajat – uskonnollinen yhdyskunta, rather more colloquially known as the Jehovah's Witness case. The CJEU dealt with a preliminary request for a ruling from the Data Protection Supervisor, Finland after a decision by the Finnish Data Protection Board that prohibited the Jehovah’s Witness religious community from collecting or processing personal data when they preached door-to-door unless they observed the requirements of Finnish legislation with respect to data processing. The CJEU judgment stated that:

"A religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching.

“The processing of personal data carried out in the context of such activity must respect the rules of EU law on the protection of personal data”.

The CJEU did not consider that the exemption of personal religion applied to the Jehovah's Witnesses, who it held act as a data controller when preaching and canvassing door to door.

The ICO issued a fine of £200,000 to the Independent Inquiry into Child Sexual Abuse (Inquiry) for revealing identities of abuse victims in another example of a mistake and data breach made by mass email. Similar to the fine imposed on Gloucester Police in June 2018, bulk emails were mistakenly sent to 90 email addresses in the "To" field rather than the "Bcc" field. This breach was made worse when one of the three emails the Inquiry sent to the recipients, asking them to delete the email and not disseminate it, "generated 39 "Reply All" emails from 22 recipients thereby exacerbating the security breach further". Additional damage was caused when the Inquiry instructed an IT company to create a secure mailing list. The IT company did not secure the mailing list and recipients were again able to "Reply All", thus causing yet another data breach. Besides this, the Inquiry itself did not obtain consent from participants in accordance with the Inquiry's Privacy Notice before their email addresses were shared with the IT company.

July also saw the publication of the Draft Data Retention and Acquisition Regulations 2018 to address the CJEU decision in Watson with regards to the level of retention of communications data; a further draft of the proposed ePrivacy Regulation was released by the Austrian presidency of the Council of the EU (although a further draft to this occurred in October 2018); and the ICO's annual report for 2017/18 highlighted its achievements and future challenges.



As Europe basked in perfect sunshine, the level of data protection activity epitomised how dynamic this area now is. In what is traditionally a quiet month, with the courts closed and the majority taking a summer holiday, there was still plenty to keep us busy.

The ICO fined Lifecycle Marketing (Mother and Baby) Ltd, which is also known as Emma’s Diary, £140,000, for illegally collecting and selling personal information belonging to more than one million people. The company, which provides advice on pregnancy and childcare, also acts as a data broker and sold information to Experian Marketing Services, a branch of the credit reference agency. The information was specifically for use by the Labour Party to profile new mums in the run-up to the 2017 General Election. Even for those who understand the level of data sharing from when the data is originally collected, this is nonetheless a remarkable account. Lifecycle Marketing is one of more than two dozen companies cited in the ICO's report to Parliament on The Investigation into the use of data analytics in political campaigns.

Nuisance calls continue to abound and despite members of the public having opted out of receiving marketing calls by registering with the Telephone Preference Service, AMS Marketing Ltd contacted them. For making 75,649 nuisance calls, the ICO fined AMS Marketing £100,000.  It will be interesting to see whether the recent amendment to the Privacy and Electronic Communications Regulations (PECR), which came into effect on 17 December 2018 and enables the ICO to fine directors of a company for such behaviour, will eradicate this nuisance practice once and for all.  Whilst that's perhaps unlikely, it may deter some and gradually instil better practices.

As we reached the three-month mark of the GDPR being applicable, the ICO revealed that the complaints it received in June and July were almost double the number received in the months preceding the GDPR. The ICO revealed that 3,098 data protection complaints were made in June and 4,214 in July, up from 2,310 complaints made in May and 2,165 in April.

Undoubtedly we have observed data breaches each month of the year, with some exceedingly high-profile household names involved. In a time when the chance of a breach occurring is a matter of when and not if, it is no longer a surprise to see such headline news items making the front page of the printed press and the first news item online. In August, Superdrug and T-Mobile US both suffered data breaches. Hackers claimed that they had the details of 20,000 Superdrug customers. In contrast, the number of users in the T-Mobile attack had a further two zeros, with an estimated 2 million customers attacked.

On 30 August 2018 the Investigatory Powers Act 2016 (Commencement No 8 and Transitional and Saving Provisions) Regulations 2018 brought into force provisions relating to the targeted interception of communications by the intelligence services (with certain provisions coming into force on the later date of 7 November 2018). The new provisions relate to the interception of communications by the other intercepting authorities including the National Crime Agency, the Metropolitan Police, the Police Service of Northern Ireland, Police Scotland, HM Revenue and Customs, and an individual who is the competent authority of a country or territory outside the UK for the purposes of an EU mutual assistance instrument or an international mutual assistance agreement.

The Investigatory Powers Act, like its predecessor the Data Retention and Investigatory Powers Act 2014, is a controversial piece of legislation with respect to the data it collects for surveillance purposes. As the time until 11pm 29 March 2019 (this is the moment the UK is due to leave the EU) evaporates at an alarming rate and uncertainty presides, it has long been said that this legislation may well thwart any UK adequacy decision.  Yet surely none of these things are insurmountable.



To illustrate the waterfall of information anyone working in data protection is confronted with and needs to prioritise / select to read, we produced a calendar of data protection activity for the month of September to highlight this dilemma. Time permitting, it would be magnificent if we were able to replicate this for each month in 2019.





Deadline for US administration to take action to meet its obligations under Privacy Shield Agreement.


Commission launches the adoption of its adequacy decision on Japan.


BA announces its data breach.

UK Government responds to Committee's Seventh Report on progress of UK's negotiations on EU withdrawal relating to data.


SPG law firm announces group compensation claim against BA based on Article 82, GDPR.


New powers to ban cold calls offering to settle personal injury or payment protection insurance claims if claimant has not chosen to ‘opt-in’.


EU's justice commissioner says e-signatures can prove data processing contracts have been concluded and their terms agreed to.

ICO's James Dipple-Johnstone gives a speech to CBI Cyber Security on the impact of the GDPR and DPA 2018.


ECtHR holds bulk interception of data under RIPA did not comply with Articles 8 and 10 ECtHR.

UK Government launches Data Protection guidance on a no deal Brexit.


Confusion reigns over whether solicitors can seek medical records for free by making a SAR under the GDPR.


No fines under the GDPR by the ICO in the first three months.


Italy's GDPR implementation law goes into effect.


ICO announces it has issued its first enforcement notice under the GDPR to AggregateIQ.

ICO fines Equifax £500,000 for data security breach.


A Which? investigation finds that some of the most popular apps including Accuweather, and Apple's version of Amazon's app have, in breach of privacy laws, tracked users' movements without clearly notifying them and failed to state who developers were sharing data with.


Nurse prosecuted by the ICO for inappropriately accessing patient records.


EDPB Third Plenary.

On the agenda – Japanese Adequacy; DPIA lists; Guidelines on extra territorial scope.

Facebook, Google, Twitter and others in Europe announce they have signed up to a new, voluntary code of conduct aimed at tackling disinformation online.


EDPB Third Plenary Day 2.

Information Commissioner publishes response to DCMS on sustainable high quality journalism in the UK.


ICO fines Bupa Insurance £175,000 for failing to have effective security measures in place to protect customers’ personal information.

Facebook announces 50 million (c75% UK population (66.7m)) users affected in a network data breach.


This overview of September also showcases the multifaceted nature of data protection. The month opened with the deadline given to the US to complete its obligations under the EU-US Privacy Shield and days later the EU Commission launched its adoption of the adequacy decision for Japan. British Airways (BA) suffered a significant data breach during the first week of September and it is debatable how well it dealt with this. Some say that BA got its PR spot on, whilst BA customers may argue to the contrary. At the time, BA customers were not specifically told whether or not their data had been compromised and were left to check their own bank accounts. American Express, by contrast, took an extremely proactive, customer-friendly approach and assured its customers who may have been affected by the BA data breach that it would watch their accounts and flag any unusual or suspicious activity, as well as reimburse them for any loss. The day following the announcement of BA's data breach, law firm SPG announced a group compensation claim against BA based on Article 82, GDPR. In October, BA said that an additional 185,000 customers' data may have been breached.

The UK government published guidance on a no deal Brexit with input from the ICO whose work this month included the issuing of its first enforcement notice under the GDPR to AggregateIQ. Equifax and Bupa received Monetary Penalty Notices of £500,000 and £175,000 respectively and nurse, Clare Lawson, was prosecuted for accessing patients’ medical records without authorisation.  With Italy implementing its law to cover the derogations to the GDPR, the EDPB had its third plenary meeting.  To date (and there have now been five) all of these plenaries have had a packed agenda.  Amongst other things, in September the EDPB focused on Japan's adequacy, DPIA lists and the extraterritorial scope of the GDPR. The month concluded with Facebook announcing 50 million users had been affected in a network data breach.

With thanks to my colleagues for all their contributions to this blog series.
