Freeths Data Protection Update: Autumn 2021

Welcome to the Autumn edition of the Freeths Data Protection Update.

In this edition we breathe a sigh of relief as the EU issues the UK adequacy decision, look at recent draft and published guidance from the ICO, and consider the rise in data claims.

• International transfers: The UK adequacy decision

• International transfers: The UK’s new International Data Transfer Agreement

• ICO Data sharing code of practice

• Fines for marketing e-mails – when is a service message not a service message?

• ICO Draft anonymisation guidance

• The rise in data claims

---

International transfers: The UK adequacy decision

UK businesses have breathed a sigh of relief, as the EU Commission finally adopted the data transfer adequacy decision in favour of the UK.This is important news for any UK business that receives personal data from the EU. The EU’s decision means that personal data may continue to flow freely between the EU and the UK.It also means that UK businesses will not have to make potentially costly and time-consuming alternative arrangements to legitimise their data transfers from the EU to satisfy the requirements of EU GDPR.The UK Government has welcomed the news, noting that the decision will support trade, innovation and investment. The decision mirrors the earlier UK Government decision to grant adequacy to the EU for data transfers going in the opposite direction.Whilst this is undoubtedly good news for UK business, it comes with a caveat. The adequacy decision includes a “sunset clause” that allows the EU to review the adequacy decision in four years’ time. This is potentially significant because:

• The EU has said that its decision is based on the UK’s data protection regime being the same as when it exited the EU.

• For its part, the UK Government has referred to the UK’s “fully independent data policy” post-Brexit.

The EU has said it will monitor the UK’s data protection standards going forward, and will intervene if those standards cease to be “adequate” to safeguard EU personal data. Such intervention could involve the EU refusing to renew the UK’s adequacy status.It also remains to be seen whether the decision will be subject to legal challenge from third parties.But for the time being, UK businesses can put those standard contractual clause agreements back in the drawer for their EU data flows.For further information, please contact Luke Dixon. 

International transfers: The UK’s new International Data Transfer Agreement

Meanwhile, following the ICO’s announcement earlier in the year that it would be producing its own equivalent of the standard contractual clauses, the model International Data Transfer Agreement (IDTA) was published in draft form in August as part of a new ICO consultation International transfers under UK GDPR. Our initial review suggests that the IDTA has been designed to be user-friendly, with a tabular approach suited for the non-lawyer, and is intended to cover a number of scenarios including cross-referencing linked agreements (such as a services agreement) and multi-party arrangements.The consultation also covers a number of questions including on the interpretation of the territorial scope of GDPR when dealing with international transfers, and seeks views on the draft IDTA as well as a proposed risk assessment tool for use in assessing international transfers. Freeths will be responding to the consultation, so if you have views you would like us to incorporate in our response please do get in touch. 

ICO Data sharing code of practice

One of the challenges of compliance with data sharing is the lack of clearly defined regulatory requirements.  Unlike controller-processor relationships, which are governed by Article 28 of GDPR setting out a clear and comprehensive list of obligations to be included in controller/processor contracts, controller-controller sharing does not benefit from such a prescriptive set of requirements. Against this context, the long-awaited new Data Sharing Code of Practice (the “Code”) was welcome, when published by the ICO in May 2021.

When will it come into force and when do I need to start complying?

 Although the Code will not come into force until sometime during the autumn (after it has laid in Parliament for 40 sitting days), it pays to start considering its content now. The Code effectively reflects the ICO’s view of what is compliant activity.  So being able to show compliance would heavily weigh in an organisation’s favour if an issue arose. In any event, once the Code is in force organisations will be expected to comply, which means it is a good point in time to review practices and put in place any necessary changes or have a clear justification for not doing so.

What does the Code say?

In a nutshell, the new Code is intended to facilitate and standardise data sharing arrangements.  It highlights the benefits of data sharing and directly addresses some misconceptions such as the idea that GDPR and the DPA 2018 prevent data sharing, or that data can only be shared with the consent of the data subjects.As a first step for facilitating compliant data sharing, the Code considers it good practice for a Data Protection Impact Assessment (DPIA) to be carried out even if there is no legal obligation to do so. It refers to DPIAs as an example of best practice in building openness and transparency.As the next step, the Code suggests that it is good practice to have a data sharing agreement to set standards and clearly define the roles and responsibilities of parties involved, which demonstrates the organisations accountability obligations under the UK GDPR.  It recommends a detailed list of questions the agreement should address, some of which are:

• Details of the purpose and aims of sharing the data;

• The parties involved in the data sharing;

• Details of the lawful basis for sharing;

• Arrangements for data subject access; and

• Details of how the rights of data subjects will be protected between the parties.

Effectively, the Code’s list of questions to be considered when drawing up a data sharing agreement is intended to assist the parties to critically think about general data protection principles including fairness and transparency, obligations to use adequate technical and organisational security measures and data subject rights are considered and addressed. The Code also sets out in some detail the various elements that organisations have to consider and comply with.

Who does the Code apply to? 

The Code applies to organisations sharing data with other organisations on a controller/controller basis.  It is irrelevant in this context whether the transfer is a routine transfer, a scheduled way or as a one off and/or whether the organisation is the sender or recipient of the data. That said, data sharing with a processor or internally is not intended to be covered by the Code.Generally speaking, the Code seems to have more of an emphasis on large, complex, multi-party data sharing, and we consider it less likely that the ICO would always expect the full list of items to be included in respect of less complex and straightforward data sharing.  However, it is nevertheless recommended that the Code is followed or at the very least considered when data is shared with third parties. Even in the event that the Code does not apply or is not followed for whatever reason, it may be helpful to keep a formal note of the review detailing the reasons for the decision reached.

How does the Code fit into the bigger picture?

After its introduction, the GDPR placed broader obligations on data processors to comply with general data protection requirements than under previous legislation.  The consequence of this has been that the relationship between organisations, ie whether they are controller/controller or controller/processor has been reviewed.  As a result, we have seen an increase in service providers seeking to be viewed as a controller in their own right to retain a greater degree of decision-making power over the personal data that they handle.  Accordingly, data sharing agreements are becoming more and more common, so the new guidance is welcome.

What should I do? 

If your organisation shares data with third parties, it may be a good time to dust off any existing agreements and review them or, if there are none, review the position and put in place compliant documents such as a DPIA and a data sharing agreement.

For further information, please contact Mona Schroedel. 

Fines for marketing e-mails – when is a service message not a service message?

Earlier this year the Information Commissioner’s Office fined American Express £90,000 in relation to marketing e-mails.  The ICO’s investigation had been triggered by a number of complaints from Amex customers who had continued to receive marketing e-mails after they had opted out, and the fine related to ultimately over four million e-mails.  Amex had taken the position that the e-mails were service e-mails, not marketing, since they considered that customers would be disadvantaged if they were not aware of the latest offers made available to them.  However, the e-mails concerned had encouraged customers to use their cards more and to download the Amex app.  The ICO said that this was “a deliberate action for financial gain”, and that the e-mails “clearly contained marketing material”. This fine highlights the importance for businesses to understand not only the rules that they must comply with when sending direct marketing e-mails, but also the circumstances in which an e-mail will be considered to be marketing.  The ICO guidance is clear that where a message encourages customers to buy extra products or services, or to renew contracts, it will be considered a marketing communication, and the rules set out in the Privacy and Electronic Communications Regulations 2003 must be complied with, including obtaining freely-given consent from the recipient unless the so-called “soft opt-in” requirements are met. In addition, it is a useful reminder of the need to handle customer complaints with care.  The ICO makes the point that their investigation “was initiated from just a handful of complaints from customers”.  If there is systematic non-compliance within an organisation, it only needs a small number of disgruntled data subjects to report it to the ICO, for it to cause a significant problem for that organisation.  Listening to and acting on complaints made by customers can help organisations head off regulatory action before fines and other sanctions enter the picture. 

ICO Draft anonymisation guidance

One of the more complex and often misunderstood aspects of the data safeguarding required by data protection law is the technique of anonymization and the more nebulous ‘pseudonymisation’. Anonymization can fairly easily be defined, but is harder to achieve in practice – it is the removal of anything personal from a data record, so that it no longer remains personal information. But anything which leaves the records individualised (or, to use a more technical term, ‘individuated’) means that it is not yet anonymised. Although sometimes data is referred to as anonymised just because names, e-mail addresses, NHS numbers and other identifiers have been removed, that is unlikely to be sufficient. UK and European case law has confirmed that the string of unique user data in a cookie is still capable of being personal data without necessarily containing anything which might directly lead to identification of an individual; so is the biometric data derived from a facial image, even where it is deleted almost instantaneously and without ever having been connected to an identifiable human. Some of the challenges presented by this complexity are reflected in the draft guidance on anonymization being published (in stages, for consultation) by the ICO. So far, we have only seen the introductory section, but further sections are promised during the autumn, dealing in more detail with the benefits of “true” anonymization, navigating the more complex concept of “effective” anonymization (where data is pseudonymised, but the relevant lookup information is withheld from the person processing it), and the enticing promise of some discussion around wider “privacy enhancing techniques”. Consultation documents don’t usually tend to achieve much wide-spread attention, but it is important to be aware of this consultation, for a couple of reasons. Firstly, the approach to regulatory guidance on these concepts to date has been at a high level of abstraction, and it is going to be important to contribute practical real world experiences to ensure that the ICO’s guidance is more grounded in reality. As such, anyone whose work with personal data depends on that data being pseudonymised, or even anonymised, should take a look and think about the practical challenges that you might encounter in trying to implement their proposals. But it is also important to understand the provisional status of the guidance as it currently exists. The consultation material is a fairly long way from being concluded guidance, and you should be on your guard against anyone who is recommending changes in reliance in the current state of that incomplete and interim document. We wouldn’t ordinarily feel the need to give a specific warning about that, but we have already heard from more than one source about people proposing solutions or changes to their contractual obligations based on a misinterpretation of the draft guidance. As one of the firms engaging in detailed terms with the ICO’s consultation, we expect the guidance to undergo a fair amount of evolution and clarification between now and when it is due to be finalised at the end of the year, and no-one should be rushing to implement changes that are dependent on that guidance, before it is finalised. In the meantime, and as ever, we are happy to help to steer clients through these complexities with advice that is bespoke to their circumstances, if required. For further information, please contact Will Richmond-Coggan. 

The rise in data claims

As the title of this article would suggest, we have seen a steep rise in claims being made under the current data protection legislation. This should come as a warning to businesses: be aware and prepared – if you suffer the misfortune of a data breach or other data protection infringement, you are now likely to face potentially speculative claims from your data subjects. These claims may take shape in the form of a firm representing a group of data subjects or from individual claimants seeking compensation.

CausesThe following factors can all be said to have contributed to the rise in data claims:

1. Highly publicised data breaches and settlements

British Airways have recently made a legal settlement with some 420,000 data subjects affected by a breach that occurred in 2018. Whilst the business did not admit liability and the settlement amount remains confidential, this highly publicised case appears to have alerted many to the notion that if your data is lost in a breach by a business, compensation can be obtained. This has been exacerbated by the Information Commissioner’s Office (‘the ICO’) handing the company a fine of £20 million.

In addition, there have been several other prominent data breach claims issued over the last few years, notably against companies such as Equifax, Facebook, Marriott, Oracle, TalkTalk and YouTube. The wide reporting of these cyber-attacks has increased both public and claimant law firm awareness of this area and has contributed to the upturn in claims being made against companies where a data subject’s personal information has been purportedly lost.

2. Lloyd v Google LLC [2020]

The consumer rights activist Richard Lloyd brought a novel action against Google, purportedly on behalf of five million Apple iPhone users under the representative action procedure in rule 19.6 of the Civil Procedure Rules. The judgment handed down by the Court of Appeal concluded that damages were, in principle, capable of being awarded for loss of control of data, even where there is no monetary loss or distress suffered by an individual. However, the Supreme Court heard Google’s appeal in April 2021, the outcome of which is pending. If the Supreme Court allows Mr Lloyd to serve the representative action on Google, this could further open the floodgates to mass claims that do not require individuals to ‘opt-in’ to be included in the action.

This could also further open the floodgates to also allow for claims to be made for loss of control of personal data, possibly without the data subject(s) identifying any specific financial loss or distress suffered. This judgment of this case could therefore lead to an increase of extensive group claims regarding various breaches of data protection legislation by businesses.

3. Coronavirus

Working from home as a result of the ongoing Coronavirus pandemic has, to many, meant setting up a digital workspace in their own home. Bringing one’s work home can be said to have, in turn, helped make individuals more sensitive to (and aware of) the data they input into their computers.

4. The decline of Personal Injury claims

Recently, there have been significant alterations to personal injury litigation (such as the expansion of Fixed Recoverable Costs (‘FRC’) in many areas of PI litigation) which have substantially reduced the income streams for firms in the claimant market.

Opportunistic firms are therefore looking to shift their focus to more lucrative streams of income. As the FRC does not currently apply to data breach claims, this means that data breach claims can be very lucrative from a costs perspective. Whilst most data breach claims are of a limited value, in some cases the costs claimed can be upwards of ten times the agreed damages. Correspondingly, we have seen a rise in personal injury firms entering into pre-action correspondence with us regarding data claims.

5. The lack of compensation issued by the ICO

ICO currently gives no compensation to any data subjects it deems affected by a data breach or cyber-attack. Therefore, it may be that litigation in this area has increased so that claimants may glean compensation from affected businesses.

 Warren v DSG Retail Ltd [2021]Whilst we await the Supreme Court’s decision in Lloyd v Google, which may give rise to a substantially easier route for compensation for data subjects under the loss of control argument, the very recent decision made in Warren v DSG may conversely aid in cutting out some other heads of claim. In essence, breach of confidence, misuse of private information and negligence have been deemed not sustainable in conjunction with data protection legislation, specifically in relation to a business who suffered the loss of data as a result of a cyber-attack. This judgment was made after the ICO had investigated the incident and found the Defendant in breach of the requirement under the old Data Protection Act 1998 (mirrored in GDPR) for organisations to have in place appropriate technical and organisational measures to protect personal data (the "ICO Decision"). This decision and the Monetary Penalty Notice of £500,000 issued by the ICO is currently being appealed by the Defendant. In this matter, the Defendant successfully applied for an application to strike out all but the breach of statutory duty claim. In 2018, DSG Retail Ltd suffered a cyber-attack whereby its systems were accessed by an unauthorised third-party. Mr Warren (the Claimant) alleged that the compromised data including his name, address, phone number, date of birth and email address had caused him distress. The Claimant sought £5,000 for breach of confidence, misuse of private information, breach of statutory duty (Data Protection Act 1998), and common law negligence. In relation to the claim under breach of confidence, Mr Justice Saini was clear that breach of confidence imposed ‘a negative obligation not to disclose confidential information’ which was inconsistent with the position of the Defendant who had taken no positive action to disclose this information – it had been stolen from the business. Further to this, for the claim of misuse, as the Defendant did not disclose or misuse the claimant's personal data but this was, in fact, the work of the unauthorised third-party hackers, the Defendant was not liable under this head of claim. Finally, in regard to the claim made under negligence, Mr Justice Saini found that the Claimant had suffered no loss. All three of these heads of claim were therefore struck out by the Court.

The Implications of Warren v DSG Retail Ltd [2021]

Unless reversed on appeal, this decision narrows the basis upon which a claim can be brought and therefore restricts the funding of these claims, the likely costs recovery and the availability of ATE (After The Event) insurance premia recoverability. Although claimants may, in the future, seek to plead that the defendant did take positive acts that put them in breach of the three above mentioned principles, this may be difficult to prove given the nature of cyber-attacks.

Conclusions 

The potential risk to the finances and reputation of any business that suffers a data breach or a cyber-attack of mass civil damages claims from aggrieved data subjects should focus the minds of businesses upon enhancing their cybersecurity. Whilst Warren v DSG shows that some forms of protection are available to those who have been preyed upon by unauthorised third parties, it cannot be said that this case grants this protection to all businesses who face data breach claims.Therefore, it is vital that businesses have adequate and robust protections in place to secure the data and information held within them. Further to this, businesses must train their staff adequately to grant them the knowledge and ability to handle such data securely. In the meantime, businesses should ensure that the risk of litigation is accurately factored into their data privacy risk management frameworks and their data protection policies.

For further information, please contact Lydia Bullivant.