Freeths Data Protection Update: Autumn 2022

Welcome to the Autumn edition of the Freeths Data Protection Update.

In this edition we look at the Information Commissioner's new guidance on the Privacy and Electronic Communication Regulations / Direct Marketing, update you on the state of the EU / US Data Privacy Framework / Data Adequacy discussions, look at some recent DSAR reprimands issued by the ICO, consider a close call for the Department of Education, and review developments in the ICO's approach to biometrics.

• UK Information Commissioner's Office issues updated guidance on direct marketing by email and “live” phone calls
• Update on President Biden's signing of Executive Order re EU/US Data Privacy Framework
• Update on US / UK talks over Data Adequacy
• DSARS and the need for speed - Recent ICO enforcement action
• Department of Education Breach
• ICO start to focus more closely on biometric technology compliance

---

UK Information Commissioner's Office issues updated guidance on direct marketing by email and “live” phone calls

By Luke Dixon

Overview

The Information Commissioner's Office (“ICO”) has issued new guidance on direct marketing, and specifically marketing via email and “live” phone calls.The ICO is required under the Data Protection Act 2018 to produce a Direct Marketing Code of Practice to provide practical guidance and promote good practice in regard to processing for direct marketing purposes. It had previously issue a draft code for public consultation which closed in March 2020. However, the onset of the COVID pandemic caused this work to be paused.The ICO subsequently continued work on the code, taking into account feedback it had received during the consultation.The ICO remains committed to producing a new code of practice. Given that the new Data Reform Bill is currently before Parliament, the ICO is publishing the code in the form of guidance on its website. The ICO's aim is to enable organisations to comply now rather than waiting for the new data legislation to be in force. The guidance forms the basis for the code, once the changes to the law come into force.The guidance notes are more clearly drafted than the old direct marketing code of practice. In particular, the guidance uses the words “must”, “should” and “could” in a well-defined manner throughout. “Must” items are legal requirements. “Should” is used for important points of compliance, but where there may be different routes to compliance. “Could” is then used to outline further good practices.This approach to draft will be welcomed by organisations that might have struggled with the wordiness of the previous code of practice. It is hoped that the ICO continues to adopt this practice with future guidance notes.

Key take-aways

Here are some key guidance “musts” and “shoulds” to note:Electronic Direct Marketing

• “Senders” and “instigators” of the message have responsibility for complying with the rules. PECR do not define the term “instigator”. The guidance says a party is likely to be instigating if it encourages, incites, incentivises or asks someone else to send electronic mail containing its direct marketing message.
• If you are an instigator, you should ensure the reliability of any sender that it uses and enter into a written contract with them. Where this involves the processing of personal data, then this becomes a “must”.
• The guidance reiterates the general “must” requirement for obtaining consent from recipients of the electronic direct marketing.
• Where you obtain consent, that consent must contain certain features. It must be freely give; specific and informed; unambiguous; and involve the recipient taking an affirmative opt-in action. Keeping records of the consent is a “should”, as it will help you to demonstrate the consent is valid in future. The guidance also offers some helpful exemptions of consent forms that would/would not be valid.
• Organisations may use the “soft opt-in” exemption from the need to get such consent. The guidance provides easy-to-follow checklists for where the soft opt-in exemption will (and will not) be available.
• In all cases, organisations must not hide their identity from recipients, and must give the recipient a valid contact address so they can opt-out/unsubscribe. The guidance also comments on the steps you should take to act upon unsubscribes.
• If you buy-in third party marketing lists, you must ensure that the persons on the list have consented to receive your marketing, and that the consent adequately covers that marketing. The guidance also sets out a list of checks you should do, before proceeding.
• The guidance clarifies that publicly available contact details do not necessarily amount to consent or the soft opt-in. This could apply to contact details found in various sources, including publicly accessible social media.
• Where you conduct viral marketing, you must comply with the Privacy and Electronic Communications Regulations (“PECR”), even if you think the recipients will appreciate receiving the marketing message. If you encourage people to send the marketing, you are responsible as an “instigator”.

Live Direct Marketing Calls

• “Callers” and “instigators” are responsible for compliance. The concept of “instigator” is similar to that for electronic marketing, except in relation to live calls made.
• In general, you do not need prior consent to make live calls to recipients. However, you cannot call someone who has objected to receiving such calls, including those listed on the Telephone Preference Service (“TPS”) and Corporate Telephone Preference Service (“CTPS”). These considerations also apply where you are buying-in live call marketing lists from a third party.
• You must display your number (or a valid alternative contact number) to the person receiving the call. You must not withhold your number when making direct marketing calls.
• You must also: (i) say who is calling (e.g. the name of your organisation); and (ii) provide contact details or a Freephone number for your organisation if asked.
• When collecting phone numbers from people, you should clearly explain to them that you want to use it to make live marketing calls. They cannot object if they are unaware of your intention to make such calls to them. Under data protection law, you must provide this information for transparency.

Our view

Whilst much of this guidance is not new, it does explain how organisations may comply with their obligations in a clearer and more “user-friendly” way than the predecessor code of practice. This is an important improvement, given how complex the direct marketing rules can be to apply in practice. The guidance also provides a helpful commentary on how PECR sits with other sources of data protection law in this area.The predecessor code of practice had been around for some time, so organisations will also welcome the guidance as a timely upgrade.The ICO emphasises that it will take a risk-based, effective and proportionate approach to enforcement of these rules. Direct marketers will approve of the ICO's desire to strike a balance between protecting individuals' rights and avoiding unnecessary red tape for organisations.

-

Update on President Biden's signing of Executive Order re EU/US Data Privacy Framework

By Shireen Eliyas

Overview

On the 7^th of October 2022 President Biden signed an executive order on Enhancing Safeguards for United States Signals Intelligence Activities, which sets out the steps that the US will take to implement the Data Privacy Framework between the EU and the US, announced in March 2022.It comes as concerns over the judgement in the case of Schrems II in July 2020 over the Privacy Shield Framework were held to no longer provide adequate safeguards for personal data transfers from the EEA to the US.The new framework addresses the concerns set out in the case of Schrems II in relation to adequacy and safeguarding of personal data and improves the mechanism for secure transfers between the EU and the US in a joint effort to restore trust and stability to transatlantic data flows.

Key take-aways

Here are some key points to note:

• Further safeguards: US signals intelligence activities should be proportionate, conducted only in relation to defined national security objectives, and consider the privacy and civil liberties of all (regardless of nationality or country of residence).
• Handling requirements: the responsibilities of legal, oversight and compliance are extended to ensure action is taken to remediate non-compliance.
• Policy updates: US intelligence communities are required to update their policies and procedures to reflect the new safeguards.
• Multi-layer mechanism:
  • the first layer provides a Civil Liberties Protection Officer (CLPO) who will conduct an initial investigation of any complaints to determine whether any safeguards or laws were violated and determine any remediation action. This builds on the existing functions of the CLPO, and provides protection to ensure independence as well as creating binding decisions subject to the second layer;
  • the second layer provides independent and binding reviews in the form of a Data Protection Review Court (DPRC) established by the Attorney General, which allows applications from individuals or the intelligence community. Judges for the DPRC will be appointed outside of the US Government with experience of data privacy and national security.
• Privacy and Civil Liberties Oversight Board: the Board will conduct annual reviews to ensure compliance of the executive order by intelligence communities, as well as compliance with determinations.

Our view

The new framework fills the gap since the Schrems II case with a streamlined transfer solution, providing a cheaper compliant way of data sharing.The draft framework requires approval from the European Commission which could take up to 6 months, but, if an adequacy decision is issued, will provide a first step to adopting a new data protection mechanism for transatlantic data flows, allowing redress for individuals and providing legal certainty in relation to data transfers for organisations.Some activists feel the order does not go far enough to protect personal data however, the effects of the new framework remain to be seen.

-

Update on US / UK talks over Data Adequacy

By Shireen Eliyas

Overview

Following the tech co-operation agreement signed between the UK and the US last year, the two governments committed to annual dialogue regarding data adequacy agreements required to allow the free flow of data between the two countries.US Secretary of Commerce, Gina Raimondo stated: “Today's announcement affirms our shared commitment to promoting responsible innovation and digital policies, while also supporting growth and opportunity. This partnership reflects our deepening cooperation on bilateral data and tech issues, as well as our commitment to closer engagement and global leadership as these issues continue to evolve. I look forward to working closely with Digital Secretary Michelle Donelan as we continue looking for ways to balance the needs of privacy and responsible data use while removing barriers for critical business needs.”It is hoped the agreement will provide certainty for businesses and provide access to markets and innovation for both sides. However, the previous data sharing agreements between the two countries were challenged in court due to the level of protection of data in the US.It is further hoped the new Data Protection Framework has addressed the concerns raised and therefore tightening the data privacy laws, allowing full accountability and remediation for individuals.

Our view

The details of the new framework and subsequent adequacy decisions will take some time to be approved before they are implemented. This means that no changes will be seen until at least next year at the earliest.If approved, the freedom to transfer data to the US will open up opportunities for both tech businesses and other data partnership arrangements, reducing costs to businesses.

-

DSARS and the need for speed - Recent ICO enforcement action

By Olivia Hill

Overview

The “right of access” is a key right afforded to individuals under the UK GDPR. Individuals are entitled to make data subject access requests (“DSARs”) to obtain a copy of their personal data held by an organisation. Organisations must comply with such requests without undue delay and at the latest within one month (three months if the request is complex or there are multiple).It follows that responding to DSARs can feel like a significant burden for some companies and with their increasing prevalence, it is no surprise that the ICO have recently taken action against organisations that have failed to handle requests in compliance with the law.Some recent examples of regulatory action include the following:

• 12-month delays and 9,000 unanswered requests

In July 2022, the ICO issued a reprimand to a government department with an extensive DSAR backlog dating back to March 2020. The department still had 9,000 unanswered requests in September 2022, meaning that requesters were typically waiting over 12 months for their information.

• Significant distress

Another reprimand was issued to a government department in September 2022 for failure to respond to just under 21,000 DSARs within the timeframe required by UK GDPR. The ICO reported that requesters suffered significant distress as a result of the department's delays.

• 14% of responses delayed

The ICO issued a reprimand to a large British telecommunications provider in September 2022. Over a six-month period in 2021, the organisation received over 9,500 DSARs and failed to respond to 14% of the requests during the required timeframe.

• Over 23 months to respond

The ICO issued a reprimand and a freedom of information practice recommendation to a London council in September 2022. Between April 2020 and February 2021, the council had failed to respond to 60% of the DSARs it received in the statutory timeframe and the longest delay was over 23 months.

• Over 50% of responses delayed

Another London council was issued a reprimand and a freedom of information practice recommendation in July and September 2022 respectively. The council had responded to less than half of the DSARs submitted within the timeframe required by UK GDPR.

Each of the above organisations were given between three and six months to make improvements or the ICO may take further enforcement action.John Edwards, the UK Information Commissioner, commented on the recent action taken:"We will continue to support organisations to meet their obligations to individuals. In addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them.We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.”

Our view

The overwhelming majority of complaints received by the ICO relate to individuals and the right to access their data. It is therefore crucial that organisations have the right internal infrastructure in place to be able to respond to requests correctly and comply within the deadline required by the UK GDPR. This is important not only to avoid regulatory action from the ICO but also reputational damage and diminished trust in the organisation.If your organisation needs support with managing DSARs, including with implementation of policies and procedures to help your organisation to respond efficiently, please contact our Data Protection Team.

-

Department of Education Breach

By Mona Schroedel

Overview

During a time where the government is making headlines frequently, it could easily have passed people by, but the Department of Education has narrowly escaped paying a £10 million fine and has instead been issued with a reprimand by the ICO.The Department of Education is in charge of the learning records service database which education providers can access to see the records of pupils' qualifications. One of the companies that had access was Edududes Ltd, which was a training provider. A separate company called Trustopia claimed to be the trading name of Edududes and was granted access to about 28 million records of pupils aged 14 and upwards for over a year.Trustopia never provided any educational training and used the data access instead to carry out age verification serviced on about 22,000 data subjects for gambling services.To compound matters, the issue was only unearthed upon an exposé being run in a newspaper. Nor it seems was this an isolated incident; the Department for Education has since removed a further 2,600 companies from having access to the learning records database (although not all of those will have necessarily been removed for the same sort of use).

Our view

It seems from the ICO's report that a substantial fine would have been payable had it not been for a policy change in June 2022. This change determined a new approach to public sector breaches with the aim to reduce the impact of fines on the public.It remains to be seen whether this policy will ultimately be beneficial - it is clear that this enforcement action attracted less attention without the headline-grabbing aspect of a significant fine having been imposed. A breach of this severity and extent, particular where public sector bodies are handling sensitive data or data belonging to children, ought to be met with serious consequences.

-

ICO start to focus more closely on biometric technology compliance

By Will Richmond-Coggan

Overview

Biometrics are one of the more poorly understood categories of personal data.For one, it tends to be assumed that any biometric information is special category data, although in reality this enhanced protection only applies to biometrics that are used for identification purposes. Equally, it is not always well understood precisely what data might be comprised within the definition of biometric information.Coupled with these obstacles, rapid innovations are occurring across a range of fields where biometric information is engaged - from more established technologies like fingerprint readers, through to more cutting-edge applications such as facial recognition and even AI which interprets emotional responses.Recognising some of the opportunities, and threats, posed by this rapidly evolving sector, the ICO has published two reports, aimed both at educating data controllers who might be contemplating the deployment of biometric technology (or who even may already unwittingly be using it), and at framing a deeper discussion which they aim to set in train in the new year.

Our view

For those who work in the development of biometric technology, there is unlikely to be very much in these initial reports which is terribly surprising - although it is always useful to have an insight into the perspective of the regulator, and their understanding (or otherwise) of the field in which you operate.That said, for those organisations who think that they might be looking to acquire or deploy such technology in the next few years, the reports will provide a useful primer on some of the key considerations which need to be borne in mind. As the ICO highlights, there are a range of opportunities which such technology presents, but those come with commensurate risks which often expose the controller (that is the customer acquiring/deploying the technology) to greater risk than the manufacturer/vendor of the technology.As the ICO's deputy commissioner, Stephen Bonner, emphasises in the report, only those deployments of biometric tech which “are fully functional, accountable and backed by science” are likely to be able to withstand objections or regulatory audit.This is not to say that businesses should be discouraged to exploring the opportunities presented by the new technology. But it will be vitally important to ensure that this is done in a rigorous way, with due consideration for the underlying data principles, and the over-arching requirement to protect privacy by design and by default.As advisers to developers, manufacturers and customers in this space, we are well placed to help steer you through this challenging field and are always happy to have an initial conversation to help you scope out the range and complexity of the work that might be involved in a planned deployment.

---

If you have any queries on the topics discussed, please contact our expert Data Protection team.