Freeths Data Protection Update: Summer 2021
Welcome to the Summer edition of the Freeths Data Protection Update.
In this edition we report on the adoption of new EU Standard Contractual Clauses, wait with bated breath for the UK’s adequacy decision from the EU, take a look at some of the recent fines issued by the ICO, consider the Children’s Code and issues around data breaches, and dip into some European court decisions.
- Adequacy for the UK
- EU Adopts Revised EU Standard Contractual Clauses
- Recent ICO fines
- The Children’s Code
- Data breaches
- Recent overseas decisions
- On the horizon
Adequacy for the UK
The EU GDPR restricts transfers of personal data from the EU to “third countries” unless the European Commission has found the destination country “adequate”, or the exporter puts in place another approved safeguard such as standard contractual clauses.
The UK became a “third country” for EU GDPR purposes at the end of the Brexit transition period on 31 December 2020. However, the UK/EU Trade and Cooperation Agreement gave the UK a grace period to continue to receive a free-flow of EU personal data, whilst the EU decides whether to grant UK status as an “adequate” country.
Whilst there is quiet confidence in the market that the EU will grant the UK adequacy, we await confirmation of this. The grace period runs out shortly after the date of this Newsletter, so things are “going down to the wire”.
Freeths’ Data and Information team will update clients and subscribers as soon as there are further developments in this important matter.
For further information, please contact Luke Dixon.
EU Adopts Revised EU Standard Contractual Clauses
After a long wait, the EU has adopted new standard contractual clauses (“SCCs”) to cover and legitimise transfers of personal data from the European Union to third countries.
This news is very significant for businesses that import/export personal data between the EU and third countries internationally. It may also be important for future EU-UK data transfers, depending on whether the UK gets an adequacy decision from the EU.
The EU has now adopted a new set of standard contractual clauses (the “Revised EU SCCs”) that will replace the pre-existing standard contractual clauses (“Current EU SCCs”) over the next 18 months.
This means that businesses relying on the Current EU SCCs may have to “repaper” those arrangements by entering into the Revised EU SCCs. It also means that businesses will need to enter into the Revised EU SCCs in future, once the Current EU SCCs are repealed.
For more detail on this important development, please read Freeths’ client update.
For further information, please contact Luke Dixon.
Recent ICO fines
The ICO has recently fined several companies for sending marketing texts and e-mails during lockdown without the recipients’ consent.
Leads Work Ltd
The first company, Leads Work Limited, sent more than 2.5 million text messages in the space of 2 weeks during lockdown directly referencing the potential financial difficulties data subjects might be experiencing. The ICO received over 10,000 complaints and fined Leads Work £250,000.
The ICO found that Leads Work had acted in contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Regulation 22 of PECR prohibits sending unsolicited electronic mail (which includes SMS text messages) for direct marketing purposes to individual subscribers without their prior consent, save for the narrow “soft opt-in” exception for existing customers.
Leads Work was also issued with an enforcement notice in March 2021 after it sent further messages.
Valca Vehicle Ltd
The second company, Valca Vehicle Ltd, was fined £80,000 for also sending unsolicited messages during the pandemic referencing the difficult financial position some data subjects may have found themselves in. The text messages read:
“*firstname* Affected by COVID? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org”
The ICO found that Valca had breached not only Regulation 22 of PECR but also Regulation 23, which requires, among other things, that marketing messages give the recipient a valid address to which an opt-out request can be sent; these messages did not. The ICO also found that there was no informed consent, as Valca had tried to rely for its own marketing on consent that another organisation had obtained.
Additionally, the ICO’s view was that this was a clear attempt to capitalise on the national crisis and, therefore, fined Valca £80,000.
Tested.me Ltd
Tested.me Ltd provides private digital contact tracing services via a QR code scan. During the pandemic it offered its services to businesses.
Tested.me Ltd went on to send unsolicited marketing e-mails to individuals who had used the service and completed visitor registration forms; the forms neither clearly explained Tested.me Ltd’s relationship with the venue nor linked to Tested.me Ltd’s privacy notice. The ICO considered that these individuals had not given freely given, specific and informed consent and that Tested.me Ltd had contravened Regulation 22 of PECR.
Tested.me Ltd was fined £8,000. The contravention also prompted the ICO to look into how other digital contact tracing companies had conducted themselves, although it found that compliance was generally well understood by those companies.
It is important for any organisation to understand the requirement for informed consent and to adhere to the rules in place. The above rulings show that the ICO is willing to issue monetary penalties, especially where it considers that there has been an attempt to profit from the fallout of the pandemic.
For further information, please contact Mona Schroedel.
The Children’s Code
The United Kingdom has become a pathfinder in setting compliance standards for the protection of children in the digital world, which now provides so much to enhance social life, education and many other experiences relevant to young people. A statutory code of practice issued by the Information Commissioner’s Office (the Age Appropriate Design Code, referred to as the “Children’s Code”) places additional data protection requirements on all providers of online services (apps, websites, games, connected toys and similar) that are aimed at, or are likely to be accessed by, children (for this purpose anyone under the age of 18), with “likely” assessed on a balance of probabilities, that is, whether access by children is more probable than not.
Affected organisations (this includes charities and the public sector) responsible for online activities that could be caught by the requirements of the Code should assess urgently whether they are indeed within scope and, if so, take action to ensure that from 2 September 2021 they are able to demonstrate compliance.
The ICO provides a Children’s Code information hub. Freeths advises on the issues and challenges associated with implementing the Code.
For further information, please contact Frank Suttie.
Data breaches
One of the key trends we have seen gathering pace over the last year has been the rise in litigation around data breaches, and specifically in group litigation. Almost invariably, the reporting of a data breach of any type is immediately followed by aggressive advertising from claims firms suggesting that the fact of a breach inevitably means liability, and that anyone affected will be able to obtain compensation. Public awareness of the reported group litigation against Morrisons (by employees) and against Equifax, BA, Marriott and Google (by service users) has ensured that these matters receive attention, while the details of those claims (few of which have yet resulted in compensation payments) are often overlooked.
Although the prospects of claimants succeeding in such group claims might be over-stated, that doesn’t mean that they shouldn’t be taken seriously. We are currently acting for a number of corporate defendants in claims with a minimum of several hundred claimants or prospective claimants on the other side. Even where those claims are largely unmeritorious the cost of engaging with them is significant, and such costs tend to be dwarfed by the costs being incurred on the claimants’ side. There are several key takeaways that businesses should therefore be thinking about now:
- The key factor in the availability or extent of compensation for a breach tends to be the degree to which a breach happened because of a lack of proper policies, procedures, safeguards and security measures, or in spite of those various protections. The GDPR is not intended to provide compensation for the mere fact of a breach, but may give rise to actionable claims where the controller’s lax approach to compliance and data security has resulted in an avoidable incident.
- We are hearing of some controllers who are encountering difficulties with their insurance in the immediate aftermath of a breach. This can be as simple as the insurer not responding quickly enough for the controller to know with confidence what it is covered for before it has to start remediating the breach, or notifying the ICO or the affected data subjects. Sometimes it is more serious, including, in some instances, discovering that the policy they thought they could rely on has such wide-ranging exclusions that it does not apply to the incident at all.
- Tied into both of the previous points is the importance of being able to respond quickly when an incident does occur. We are often instructed within the first few hours after a breach happens (which, in our experience, is generally late on a Friday afternoon). At that stage there is a very obvious difference between clients with an incident management plan in place, ideally one they have live-tested within the preceding twelve months, and those who are having to invent their response as they go along. While we can bring our extensive experience in this area to bear to help the latter, a good deal of time, stress and cost can be saved by knowing ahead of time what steps need to be taken and who needs to be involved in taking them.
While, fortunately, such incidents are still not that common, the increasing publicity and prominence given to data protection claims means that they are a real risk that the business needs to plan for and be ready to respond to if and when it falls victim to a data breach. Freeths’ advisory and contentious teams work very closely together to provide end-to-end support in this area and we’re always happy to discuss how we might be able to assist you.
For further information, please contact Will Richmond-Coggan.
Recent overseas decisions
The practical effect of the CJEU’s decision in Schrems II can now be seen in two recent cases.
To recap, in Schrems II the CJEU invalidated the EU-US Privacy Shield, so it can no longer be relied upon as a transfer mechanism. The judgment also held that transfers to cloud and other service providers in the United States may require supplementary safeguards on top of the SCCs, because of the broad surveillance powers of U.S. authorities, notably under Section 702 of the Foreign Intelligence Surveillance Act (50 U.S.C. § 1881a), commonly referred to as “FISA 702”. (FISA 702 is sometimes confused with the separate U.S. CLOUD Act, which concerns law-enforcement access to data held by U.S. providers wherever in the world it is stored.)
In response to this decision, the Bavarian Data Protection Authority (BayLDA) recently prohibited a European company from using the U.S. e-mail marketing provider Mailchimp, after finding that the company had not assessed whether additional safeguards for transferring personal data to Mailchimp were required. The authority noted that Mailchimp, as a U.S. electronic communications service provider, may be subject to FISA 702. No fine was imposed and no formal decision was issued, but the company was told that its use of Mailchimp was, in the authority’s assessment, not in line with the EU GDPR, and the company undertook to stop using Mailchimp. It should be noted that the authority’s objection was specifically the failure to assess whether additional safeguards were required; it does not follow that use of Mailchimp itself is necessarily a breach of the GDPR.
In contrast, France’s highest administrative court (the Conseil d’État) ruled that personal data on a platform used to book COVID-19 vaccinations, operated by Doctolib and hosted on servers located in the EU by Amazon Web Services (AWS, whose parent is a U.S. company), was sufficiently protected under the EU GDPR. The court relied on the legal and technical safeguards in place against any access request from U.S. authorities: the data held was limited to identification and appointment details rather than health data, it was encrypted with the key held by a trusted third party in France, and AWS was contractually obliged to challenge any general request for access from a public authority. The court therefore rejected an application to suspend the service on the ground that Doctolib used AWS for hosting. The applicants had argued, unsuccessfully, that because the processor was bound by U.S. law, the risk of access by U.S. authorities was incompatible with the EU GDPR following Schrems II.
Following these decisions, EU companies using U.S. online service providers, especially cloud services, should check the legal basis of their data transfers to the United States, document their assessment of whether supplementary safeguards are needed and, where necessary, adapt their arrangements to the post-Schrems II position, in order to avoid enforcement action and potentially large fines.
For further information, please contact Lydia Bullivant.
On the horizon
- It is hoped that the long-awaited UK adequacy decision will shortly be granted by the EU, following the issue of a draft decision in the UK’s favour in February. The current post-Brexit grace period, allowing free flow of personal data from the EU to the UK, will expire at the end of June. If an adequacy decision is not in place when that period expires, businesses transferring data from the EU to the UK will need to put another mechanism in place, such as standard contractual clauses, to ensure those transfers are lawful.
- The ICO is working on a set of UK-specific standard contractual clauses (SCCs) for data exports from the UK, and intends to consult on these over the summer. In the meantime, the ICO is considering whether to recognise the revised SCCs issued by the EU (see “EU Adopts Revised EU Standard Contractual Clauses”) as being valid for transfers from the UK as well. It seems unlikely that the ICO will deviate hugely from the EU SCCs when it comes to producing UK-specific SCCs, not least because of the potential impact on the status of the UK adequacy decision.
- Meanwhile, we await the decision of the Supreme Court in Lloyd v Google LLC, which was heard in late April 2021. The case concerns Google’s bypassing of the Safari browser’s default cookie-blocking on iPhones (the so-called “Safari workaround”) in order to collect browser-generated information about users. The issues to be considered by the Supreme Court include whether damages are recoverable under the general heading of “loss of control” of data in the absence of specific financial loss. The Court will also consider questions relating to the use of a representative action in this case; for instance, whether the group of users concerned have the “same interest”, despite having likely suffered different types of loss depending on their individual circumstances.
Freeths’ Data and Information team can provide information and advice on the various issues covered in this update. If you would like to discuss anything mentioned, please get in touch with our Head of Data and Information, Luke Dixon.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.