5 January 2017
2016 was another busy year for data protection so we are just highlighting some of the main events in 2016. You can see our full data protection and cybersecurity news archive on our Global Data Hub.
General Data Protection Regulation
A lot happened in 2016 so the fact that after four years of negotiation, the General Data Protection Regulation (GDPR) was finally passed, may not be top of everyone’s list of important events this year. It is, however, big news for any organisation processing EU personal data, whether as a data controller or a data processor, and whether inside or outside the EU.
The GDPR is a major overhaul of EU data protection law which gives new rights to individuals and brings an enhanced compliance burden for organisations processing personal data. The GDPR will apply across all Member States (including the UK) from 25 May 2018, and organisations should begin preparing for it if they haven’t already started.
Our Global Data Hub features a wealth of information on all aspects of the GDPR and we will continue to focus on moving towards compliance in 2017. We can also expect to see guidance from regulators, some of which may be published before the end of the year.
Having completed the GDPR, the Commission is now reviewing the e-Privacy Directive. In response to the EC’s consultation, the UK’s ICO called for an overhaul to bring the Directive in line with the GDPR, introduce a harmonised opt-in approach for electronic marketing communications and bring consistency to enforcement. This approach was echoed by the Article 29 Working Party and the European Data Protection Supervisor. Both called for an extension of the scope of the legislation to include OTT services and went further than the ICO in arguing that consent requirements for the processing of traffic and location data should apply to all companies and not just telecoms operators.
The EC published a summary report on the response to the consultation on the review of the e-Privacy Directive in August.
Key findings included:
- while the majority of individuals are in favour of OTT services coming within the e-Privacy regime, industry responders were divided on the issue;
- while there was general agreement that marketing rules should be harmonised, individuals mostly preferred opt-in, with industry largely advocating an opt-out approach;
- while 83% of individuals were in favour of rules to ensure confidentiality of communications, only 31% of industry responders agreed;
- there was more consistency on the overall review of the e-Privacy Directive. 76% of all participants believed it was not fit for purpose.
Investigatory Powers Act
The controversial Investigatory Powers Act 2016 (IPA) has been given Royal Assent. While more than 1700 amendments were debated, it passed more easily than originally anticipated due, it is thought, to the diversion of the Referendum result. A petition to debate the legislation in the House of Commons has passed and it is thought the IPA will be the subject of legal challenges. It also has a bearing down the line on whether or not the UK gets a decision of adequacy for the purposes of data exports once it leaves the EU.
Investigatory powers to intercept communications, acquire communications data and interfere with equipment have been dealt with under a patchwork of laws. These include the Regulation of Investigatory Powers Act (RIPA) and had included the Data Retention Directive until that legislation was declared invalid by the Court of Justice of the European Union in 2014 in the wake of the mass surveillance scandal. Attempts to introduce further powers, even before the demise of the Data Retention Directive under the so called ‘snoopers’ charter’ failed after Nick Clegg withdrew his support in April 2013. The government introduced stop-gap legislation in the form of the Data Retention and Investigatory Powers Act 2014 (DRIPA) but needed to bring in more permanent legislation before the powers under DRIPA expired at the end of 2016.
When does it come into force?
The data retention provisions which replace those in DRIPA have been brought into force in time to replace them. Other provisions will not be in place “for some time” according to the government and existing provisions under RIPA will remain in force until expressly repealed. The government has said some of the provisions require extensive testing and there will be consultation with industry to help develop Codes of Practice and other secondary legislation required to bring the rest of the IPA into effect. The government plans to set out a timetable for this process “in due course”.
What does the IPA do?
The IPA overhauls RIPA and, in many cases, extends its scope. In particular, it provides for:
- Warranty powers to conduct interception, equipment interface (i.e. hacking in order to monitor) and obtaining of bulk communications data. The most intrusive warrants and notices which are issued by the Secretary of State must be approved by a senior judge or Judicial Commissioner. A range of public authorities have powers to issue different types of warrants. There is a requirement to take various matters including privacy and human rights into account before issuing, renewing or cancelling warrants. Interception and equipment interface warrants can be targeted, thematic or bulk.
- A prohibition on unlawful interception of communications. The offence is similar to that under RIPA but extends to cover all communications stored by the telecommunications system before as well as after transmission.
- A new Investigatory Powers Commissioner who will oversee use of powers under the IPA.
- A power for the Secretary of State to issue “technical capability notices”. These will require telecommunications operators to institute semi-permanent interception capabilities. The notices can deal with interception, equipment interface, or bulk data sets.
- A power for the Secretary of State to serve “data retention notices”. These can require telecommunications operators to generate, obtain and retain “communications data” about users for up to twelve months. The classes of communications data which may need to be retained can be very wide – up to “all data”. The data can then be requested by a range of authorities for a range of purposes (largely to do with prevention of crime and terrorism and to protect public health and safety). Crucially, the definition of communications data has been extended so that the information obtainable includes internet connection records i.e. website browsing histories (although not details of individual web pages visited).
- Relevant authorities with the ability to use “request filters” to make complex searches for types of communications data.
- Certain exemptions in relation to disclosure of journalistic sources, legal privilege and communications between MPs and their constituents.
Who will be caught by warrants and data retention provisions?
The IPA significantly widens the types of businesses subject to notices, warrants and data retention obligations. In addition, many of the powers under the IPA are extra-territorial and can, to varying degrees, apply to non-UK businesses where they provide telecommunications services to people in the UK or control a telecommunications system in the UK.
The definitions including of telecommunications systems, services and operators are deliberately wide and a large range of business will be impacted, including:
- Large telecommunications providers – can be caught by all warrants, notices and retention provisions.
- ISPs – codes of practice may apply some exemptions for small ISPs.
- Cloud service providers, messaging apps and web-based email – caught by provisions applying to telecommunications operators. Draft Codes of Practice specifically state that “internet based services such as web-based email, messaging applications and cloud-based services” are included.
- Private networks – these are covered in the IPA so businesses, schools, universities and possibly even households are caught by the definition of private network.
- Free wi-fi providers – cafes and other organisations as well as the providing operator providing free w-fi will be within the definition of telecommunications operator.
- Media organisations – caught by provisions relating to journalist exemptions and private networks.
- IoT devices – data generated by IoT devices will be within the definition of communications data.
How will enforcement be handled?
Powers in relation to communications providers are largely enforceable through injunctions. Many of the enforcement powers can only be used in the UK, however, interception warrants and targeted communications data acquisition notices can be enforced by injunction against non-UK persons, in which case conflict of law provisions must be taken into account.
Other legislative developments
The second part of the data protection reform package was also completed with the publication of the Directive for the police and criminal justice sector in the Official Journal. This entered into force immediately on 5 May 2016 and Member States must transpose it into national law and implement it from 6 May 2018.
The PNR Directive was been published in the Official Journal. It must be implemented by 25 May 2018.
The EC published proposals for a Council Decision to give effect to an EU-US umbrella agreement to cover the transfer of personal data between the EU and the US for the purposes of prevention, detection, investigation and prosecution of criminal offences including terrorism. This is distinct from the EU-US Privacy Shield proposals as it covers law enforcement cooperation. The agreement, which provides for certain protections to be given to the data and for the right to judicial redress for EU citizens in relation to privacy breaches, was signed by the USA and on behalf of the EU in June 2016 and has just been approved by the European Parliament.
CJEU judgments and Opinions
We haven’t seen anything from the CJEU as dramatic as last year’s Safe Harbor decision and 2014’s Google Spain decision but there were some interesting developments.
AG Opinion on retention of personal data
An Advocate General’s (AG) Opinion in a case brought by Tom Watson and others relating to the government’s data retention rules, joined with a similar case from Sweden, was published in July.
The UK reference asked whether the current UK requirement on communications operators to retain communications data for 12 months was compatible with EU law, in particular the Privacy and Electronic Communications Directive and the Charter of Fundamental Rights.
The AG opined that a general obligation to retain data may be compatible with EU law, subject to satisfying certain strict requirements:
- the general obligation to retain data and accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference;
- the obligation must respect the right to respect for private life and the right to the protection of personal data under the EU Charter;
- any interference with the above fundamental rights must be in pursuit of an objective in the general interest. The AG’s view is that the only valid justification would be the fight against serious crime;
- the general obligation to retain data must be strictly necessary to the fight against serious crime (i.e. no other measure or combination of measures could be as effective while causing less interference with fundamental rights). In addition, the conditions laid out in the Digital Ireland case must be observed regarding access to data, retention periods and security of data, in order to limit interference with rights to what is strictly necessary; and
- the general obligation to retain data must be proportionate.
When the judgment is issued, there will, no doubt be consideration as to whether the provisions of the Investigatory Powers Act comply with it.
Applicable law in cross-border disputes
The CJEU considered the issue of governing data protection law in July in a case involving a cross-border dispute between an Austrian consumer protection association and Amazon EU, established in Luxembourg. The dispute centred around the conclusion of contracts between Amazon.de and Austrian consumers. The sales contracts were stated to be governed by the law of Luxembourg and the contract allowed for the use of customer data and content. These terms were the source of the claimants’ objection. Amazon does not have a registered office in Austria.
The case went to the Supreme Court of Austria which made a reference to the CJEU, asking three questions including whether Article 4(1)(a) of the Data Protection Directive 1995, meant that treatment of personal data by an undertaking engaged in electronic commerce was governed by the law of the Member State to which that undertaking directed its activities.
The CJEU cited Weltimmo, saying the fact that the undertaking which is the data controller does not have a branch or subsidiary in a Member State does not mean it does not have an establishment there for the purposes of Article 4(1)(a), however, the fact that a website is accessible in a particular Member State, does not necessarily mean that the data controller has an establishment in that Member State. It is for the Austrian national court to determine whether Amazon carried out the relevant data processing in the context of the activities of an establishment situated in a Member State outside Luxembourg. If it were to determine that the establishment was located in Germany, German law would govern the processing of the personal data in question.
Dynamic IP addresses can be personal data
In November, we reported on the CJEU decision which held that a dynamic IP address which can be combined with data held by a third party, is likely to be personal data. The CJEU said that while an IP address alone is not personal data, it should be treated as such if ISPs hold additional data which could be combined with the IP addresses to identify individuals where there is a reasonable likelihood they would do so and where they have the legal means to do so. This would not be the case where it would involve disproportionate effort to combine data or where the combination was illegal.
The ruling comes as no surprise to those familiar with the progression of EU data protection law although those used to a US definition of what constitutes Personally Identifiable Information may find it more surprising.
The Data Protection Directive has a wider definition of personal data than the UK’s Data Protection Act which is more accurately reflected in German data protection law, and the GDPR has a wider definition still in terms of whether data should be classed as personal because of its potential to be combined with other data in order to identify individuals. Decisions of regulators and courts have been trending towards the wide interpretation given by this judgment for some time.
The ruling does leave some questions unanswered, not least of which is just what is meant by “disproportionate effort” and “reasonable likelihood” in terms of combining different datasets. Notwithstanding the remaining ambiguities, the stance taken in this case reflects the general direction of travel of EU data protection law. The working assumption should be that any data which can identify an individual when combined with other lawfully obtained data, even where that data is held by a third party, should be treated as personal data unless there is a good reason not to do so.
Crackdown on nuisance marketing
2016 has seen a big step up in terms of enforcement by the ICO with barely a week going by without the announcement of a major fine being imposed on a company for sending nuisance marketing texts or making calls. A further deterrent was announced by the government in October. The government plans to amend PECR so that, from Spring 2017, company Directors can be held personally liable for the use of nuisance marketing calls by their companies. Fines of up to £500,000 per Director will be available by way of sanction in addition to fines of up to £500,000 for the company. The use of personal fines is intended to avoid the situation where a company facing a fine declares bankruptcy in order to avoid paying it and then essentially sets up again under a different name.
In February, the ICO published guidance for organisations which provide wi-fi services through which they process analytics data. The ICO’s key points are that organisations must give clear and comprehensive information to individuals to make them aware of the processing and that they should avoid excessive data collection and take steps to reduce the risk of identifying individuals.
Organisations should avoid covert collection of data by informing individuals, for example at the entry to relevant premises and around the building, as well as in website terms and conditions and on sign up to the wi-fi network, about what they are doing. They should also ensure users have time to review the information before the processing takes place.
The ICO also recommended carrying out privacy impact assessments in order to help reduce risk.
The ICO published updated guidance in March intended to help organisations decide when and how to use encryption. The ICO reminds organisations that while there is no legal requirement to encrypt data, there is a requirement to use appropriate measures to keep data secure. Where a lack of encryption has led to data loss, the ICO warns regulatory action and monetary penalties may follow, not to mention reputational damage.
The ICO warns that vulnerabilities often occur due to failure to keep systems and protections up to date. Other issues arise from basic errors like storing data on unencrypted devices like USBs which then get lost or are stolen. Failure to dispose of equipment properly or simply sending unencrypted data by mistake, are also recurring problems.
The ICO urges organisations to consider their specific needs prior to selecting a solution. Independent assessments of encryption software can also be useful, particularly to assess how robust they are. Organisations should also have proper internal security policies and practices in place.
At the end of May, the ICO published updated guidance on use of direct marketing. The government has confirmed that the guidance will be issued as a Code of Practice which would give it statutory recognition and allow it to be considered by the courts.
In terms of what’s new, the ICO said the guidance:
- includes a greater focus on scenarios involving not-for-profit organisations – a reminder that they have to follow the same rules as other organisations in the wake of the high profile scandals involving the marketing practices of some not-for-profits;
more direction around “indirect” or third party consent – the ICO says that indirect consent is insufficient for texts, emails or automated calls due to the stricter rules on electronic marketing under PECR which require that the sender of the message obtains consent. However, indirect consent may be acceptable under certain circumstances where it is sufficiently clear and specific. In essence, the customer must have anticipated their details would be passed to the organisation in question, for example, where the third party organisation was specifically named or where the class of third parties to whom personal data might be transferred was sufficiently well defined. A customer is unlikely to consent to unlimited marketing calls or texts from anyone, says the ICO, so the question is what the customer would reasonably expect given the context. If the third party marketing content is different from the type of content in relation to which the consent was originally obtained, it is unlikely to be valid under PECR.
The ICO also says that the fact that consent does not last indefinitely is even more important in relation to third party consent and reminds organisations that consent to pass personal data to third parties is a one-step process so that A may get consent to pass data to B but that will not allow B to pass data to C.
Organisations should make rigorous checks as to how and when consent was obtained, by whom and what the customer was told. They should not rely on assurances that consent was properly obtained but should conduct their own due diligence. Where consent was generic, it will be very difficult to show it was specific enough for calls, texts or emails. And, at the very least, any promotion sent e.g. by mail must be consistent with the context in which consent was given and aimed at a similar market;
- information about what constitutes “freely given” consent – it is not acceptable to ‘over-incentivise’ someone for giving consent to receiving direct marketing materials, nor to make it a condition of receiving products or services.
The ICO says it has not issued sector specific guidance, nor is it possible to give definitive answers to all questions as each case will be specific on its facts.
In October, we reported on the ICO’s revised Code of Practice on Privacy Notices, transparency and control (CoP) together with a checklist for privacy notices to help organisations to comply with the Data Protection Act and also the incoming requirements under the GDPR. The ICO recommends adopting a blended approach, using a number of different techniques in order to present information in the most fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing.
Article 29 Working Party
In January, the Article 29 Working Party (WP) published an updated Opinion on applicable law in light of the CJEU decision in Google Spain. It considers:
Activities carried out in the context of an establishment
Under Article 4(1)(a) of the Data Protection Directive, the Directive applies where processing of personal data is carried out in the context of the activities of an establishment. “Establishment” is broadly interpreted (as confirmed by the CJEU in Weltimmo) and the processing doesn’t have to be carried out by the relevant establishment but in the context of its activities.
The WP highlights the concept of an “inextricable link” as one of the new elements to be considered following the Google Spain judgment. This means that even where an establishment is not directly processing data, processing by a non-EU data controller may still be brought within the scope of the Directive where there is an inextricable link between the processing and the activities of the EU-based establishment.
In addition, the EU establishment must orientate its activity towards the inhabitants of that Member State.
The WP goes on to discuss what constitutes an inextricable link. It notes that revenue-raising in the EU by a local establishment is likely to be inextricably linked to processing of personal data outside the EU. This is the case even if the revenue raised locally is not used to fund local or other EU activity. The WP warns against using remote links to try and apply EU law and also suggests that the concept of an inextricable link does not apply solely to the search engine model. It provides other examples where this sort of reasoning might be applied including offering free services within the EU (financed by use of data collected); offering membership or subscription services in the EU; or seeking donations in the EU.
Applicable law for multi-jurisdictional businesses
The WP looked at which law applies where an organisation has several Member State establishments but where only one is a data controller in relation to the processing and where the others do not necessarily play a part in the processing. It notes that the Google Spain case did not address this directly and suggests a case by case approach. Regardless of where the data processing takes place, where a company has establishments in several EU Member States and the activities of each and the data processing are inextricably linked, then the law of each Member State will apply to the establishment within that State. Clearly this will change under the GDPR.
Where there is no EU establishment
Member State law will apply under Article 4(1)(c) of the Directive even if there is no establishment in that Member State but where the data controller uses equipment situated in the Member State territory (other than for mere transit). While Google Spain did not discuss this issue, it does not exclude organisations without an EU establishment from being subject to EU data protection law.
EDPS guidelines on web-based services and mobile apps
Opinion on use of surveillance technologies
The EDPS issued an Opinion on dissemination and use of intrusive surveillance technologies. The EDPS notes that certain uses are legitimate but the technologies can be exploited for illegal purposes. The EDPS recommends:
- assessing EU standards for protection of human rights in the sector;
- appropriate regulation of surveillance and interception tools;
- consistent and effective EU policy on the export of intrusive surveillance tools;
- addressing dissemination of interception and surveillance technologies within cybersecurity policies and appropriate legislation;
- investing in internet security initiatives with new technologies containing privacy by design and default;
- a consistent EU approach to protecting whistleblowers on human rights violations in this area.
Guidelines on personal data and mobile devices
The EDPS produced guidelines for EU institutions and bodies on personal data and electronic communications and mobile devices. The EDPS says these can be applied to any organisation and will remain relevant once the GDPR comes in due to the emphasis on accountability and demonstrating compliance. The EDPS recommends a case by case risk/benefit analysis prior to organisations allowing data processing on mobile devices. This should include an assessment of the type of data being processed and security implications. Organisations should also have policies governing the use of BYOD.
Case on employee monitoring
The judgment from the European Court of Human Rights in Barbulescu v Romania created a stir in January but was less controversial than might first have appeared. While the UK, as a signatory to the European Convention on Human Rights, is bound by the judgments of the European Court of Human Rights, this judgment did not extend the scope of permissible employee monitoring in the UK.
The employee, Barbulescu, was asked by his employer to set up a Yahoo! Messenger account to deal with client queries. Company policy was that it could not be used for personal communications. The account was monitored for nearly two weeks and Mr Barbulescu was informed that the monitoring showed he had used the internet for personal purposes. On denying this, he was shown a transcript of the communications and was subsequently dismissed for breach of company policy. Barbulescu relied on Romanian law to challenge the dismissal. The dismissal was upheld and he then appealed, arguing his emails were protected by Article 8 of the European Convention on Human Rights. The appeal was dismissed and the Romanian court held that the monitoring had been reasonable and the only way to establish whether there had been a disciplinary breach. Barbulescu next appealed to the European Court of Human Rights, arguing that the decision to terminate his contract had been based on infringement of his Article 8 rights. The Court dismissed the appeal.
It is worth emphasising that the heart of the judgment is that the Romanian domestic authorities acted appropriately in striking a fair balance between the rights of the individual to respect for the employee’s private life and the interests of his employer. In this case, the employer’s policy stated that its systems could only be used for professional purposes. It consequently expected it would only be accessing client-related communications. In addition, it was reasonable for the employer, in the context of Romanian labour law, to verify that its employees were completing their professional tasks during working hours (Romanian labour law specifically allows monitoring for this purpose provided the confidentiality of the employee personal data is preserved).
UK law allows employers to conduct minimal and proportionate monitoring of communications sent using an employer’s electronic communications system during business hours for specified business purposes such as checking that employees are complying with internet usage policies (and subject to various safeguards). In certain circumstances this may also include access to the content of those communications where necessary.
This judgment underlines the importance of having appropriate and lawful employee monitoring policies in place and making sure both that they are communicated to employees and that they are adhered to by the employer.
Surveillance Camera Compliance tools
The Surveillance Camera Commissioner published a self assessment tool and a certification scheme in the first part of 2016, to help companies comply with and demonstrate compliance with the Surveillance Camera Code of Practice. The self assessment tool is in the form a questionnaire designed to be completed by relevant authorities and the certification scheme allows the relevant authorities and any organisation operating a surveillance camera in a public space, to apply for an audit against the code by a third party and get a certification mark if the audit is completed successfully.
The Commissioner suggests that all local authorities complete the self assessment tool for their main town centre system. Once any recommended actions have been completed, local authorities should apply for step 1 certification which lasts for a year and then apply for full certification towards the end of the first year.
Guidance is provided after the main town centre system has been certified as to how to proceed with other camera systems. While it focuses on public authorities, the guidance is also relevant to organisations which wish to comply with the code on a voluntary basis.