27/02/2023

ICO Update

New Suite of FOI Assistance - ICO

In a recent blog post, the ICO has announced a new Upstream Regulation team, responsible for providing public authorities with macro-level assistance in dealing with FOI requests. As part of this new initiative, the ICO conducted both internal and external research, and has developed a new suite of products to assist compliance.

The resources include:

  • A self-assessment toolkit, to assess current performance and look for indicators of where to focus improvement efforts; the toolkit at the moment is only able to consider timescale compliance and where public authorities engage section 12 (the costs exemption);
  • A template action plan, designed to record resourcing and best practice within the team responsible for handling requests, to help illustrate any potential bottlenecks;
  • An internal consultation guide, which can act as a checklist in ensuring all internal stakeholders are aware of the organisation’s obligations and required timescales;
  • A number of introductory videos the ICO uses for internal training, covering various topics;
  • A snapshot report, setting out high level reviews of sector compliance, which may serve as a useful comparator to assess an organisation’s general performance.

These releases appear to be the next step in the ICO’s recent attempts to update and renovate its approach to regulation, as part of its ICO25 plan. While the documentation and change in approach is new, public authorities will likely want to stay abreast of developments so they are not surprised if / when the ICO starts expecting greater compliance resulting from its recent efforts. The link to the FOI toolkit is available here.

Recent ICO Enforcement Action

1. Reprimand to the Department for Education

In November 2022, the ICO issued a reprimand to the Department for Education (DfE) after a national newspaper exposé, and a subsequent ICO investigation, found that pupils’ records had been repurposed and misused for age-checking online gambling account applicants.

The Learning Records Database contains the personal data of 28 million pupils and is used to verify academic qualifications and eligibility for funding, among other functions. DfE originally granted access to the database to Edududes Ltd, a training provider. That company subsequently advised DfE that it had changed its trading name to Trustopia. DfE continued to grant Trustopia access to the database. Trustopia was actually a screening company, which was using the database to verify the age of people opening gambling accounts. Trustopia had used the database for this purpose on 22,000 occasions. It has never provided any government-funded training.

The ICO found that, in sharing the database with Trustopia, DfE had failed to process data fairly, lawfully and transparently, and that this further processing was done without the data subjects’ awareness. It had also failed to put in place adequate measures to prevent unauthorised or unlawful access to the database.

The reprimand follows on from the ICO’s announcement in 2022 concerning its new approach to regulating the public sector, with the aim of reducing the impact of fines on the public purse. As such, the ICO issued the DfE with a reprimand, but no fine. The ICO reprimand set out the measures the DfE needs to take to improve its data protection practices. Had this trial approach not been in place, the ICO confirmed that the DfE would have been issued with a fine of over £10 million for this failing.

No regulatory action could be taken against Trustopia, as it had been dissolved before the conclusion of the ICO’s investigation.

Further details regarding this case are available here.

2. Monetise Media Limited – direct marketing case and breach of PECR

The ICO issued a monetary penalty of £125,000 to Monetise Media Limited (MML) on 12 December 2022 after MML was found to have instigated the transmission of 3,506,157 unsolicited direct marketing emails and text messages. The messages were sent by affiliate companies on MML’s behalf between July 2020 and July 2021 without valid consent. Individuals had either been automatically “opted in” to receiving marketing messages when they accepted affiliate terms and conditions of service, or had provided indirect consent by opting in to receiving marketing messages relating to the ‘financial products’ industry sector. Neither constituted freely given, specific or informed consent as required by the UK GDPR. This was a serious contravention of the requirements set out in Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which requires the instigator of direct marketing to ensure that it has valid consent from recipients before sending marketing messages.

In its monetary penalty notice the ICO concluded that automatically opting individuals in to receive marketing messages when accepting terms and conditions of service does not constitute ‘freely given’ consent. In respect of indirect consent, the ICO referenced its guidance on direct marketing which states "organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages." It flags that where categories of organisations are referred to, those categories need to be tightly defined, and long exhaustive lists of categories of organisation are unlikely to be sufficient to constitute valid consent. Consent must also be specific as to the type of marketing communication to be received and the organisation or specific type of organisation sending it. It follows that consent mechanisms asking individuals to agree to receive marketing from ‘similar organisations’, ‘partners’, ‘selected third parties’ or other similar generic descriptions won’t be sufficient.

This penalty notice is another example of the ICO’s low tolerance approach to direct marketing related breaches. The ICO expects organisations that rely on direct marketing to have familiarised themselves with the relevant legislation and be aware of their responsibilities, especially in light of the detailed guidance it has published on the requirements under PECR and consent under the UK GDPR. The ICO also expects organisations using marketing lists from third parties to undertake rigorous checks to satisfy themselves personal data was obtained fairly and lawfully, and they have the necessary consent. Simply relying on assurances given by third party suppliers, without undertaking proper due diligence, as MML did here, will not be acceptable.

A copy of the ICO’s monetary penalty notice can be read in full here.

UK Law Update

3. Updated guidance on Data Protection PPN

The Crown Commercial Service, responsible for central government procurement and guidance, has recently updated the Policy Procurement Notice (PPN) which discusses data protection in contracts. The update contains a summary of the recent changes to data protection, and sketches out the current position following the UK’s withdrawal from the EU.

Scope of PPNs

PPNs apply to ‘in-scope organisations’, which are Central Government Departments, their Executive Agencies, and Non-Departmental Public Bodies; as such, the PPN will not be binding on most organisations. However, its guidance and commentary are likely to be useful for many organisations in both the public and third sectors, and it will be a good reference for data protection practitioners or more general commercial practitioners to keep to hand where they are working in or adjacent to the public sector.

Contents of the PPN

The PPN discusses several key terms that would generally need to be covered in a contractual agreement, as well as explaining a number of key definitions and the legislation which governs organisations’ data protection obligations.

The key points of the PPN include:

  • A discussion of what it means to be ‘data controller’, ‘data processor’ and ‘joint/independent data controller’;
  • Risks of non-compliance and contractual liabilities, including how to account for potential fines;
  • Measures for protecting data; and
  • Guidance and background on current requirements for international data transfers, including to the EU, to third parties, and under the Law Enforcement Directive.

Annexes

The PPN also provides several annexes – Annex A (covering ‘generic’ data protection clauses) and Annex B (detailing possible security measures). While the annexes are not a replacement for specific drafting, they will nevertheless be a useful guide in terms of ‘what clauses should we be considering’ and ‘what information should we consider including’. In particular Annex B provides a useful indicative checklist of security measures, with which we would suggest the ICO is unlikely to disagree as a matter of policy.

The guidance is available here.

4. Advance warning – update to NIS regulations

Following the launch of a consultation in January 2022 on proposals to update the Network and Information Systems (NIS) Regulations 2018, the government has now published its plans to release the updated legislation, which it considers necessary to enhance and strengthen the current cyber security regime in place to protect against increasingly frequent and sophisticated cyber-attacks. The new measures will bring more IT organisations, such as “managed services”, within the scope of the regulations, so that organisations which provide key information services (e.g. IT security services, outsourced business process providers) will be regulated as a “Digital Service Provider” and be subject to the NIS regime. The update to the regulations will also apply to critical service providers, which will include key suppliers to existing essential service operators, such as large IT suppliers to NHS organisations. There will also be wider regulatory reporting requirements to organisations such as Ofcom, Ofgem and the ICO.

The purpose of the expanded scope of the regulations is to ensure that adverse incidents which pose a risk to an organisation’s security and resilience are reported, even where the organisation may still be able to continue to provide its essential service. We don’t have the detailed legislation at this point, but expect the drafting to be published soon.

The government’s response to the consultation is published here.

5. Driver v CPS – decided case on value of data breach claims

Non-material breach - damages

Damages for data breaches are a subject that’s of interest to any data protection practitioner. A recent case provides some clarity on the lowest end of the scale, and what organisations can expect for minimal impact data breaches – something of particular relevance where an organisation is looking at a large number of minimal-impact claims.

Driver v CPS [2022] EWHC 2500 (KB)

Mr Driver had been a subject of investigation by the police under Operation Sheridan. He had previously been informed that he was no longer a suspect. A few years later, a file was passed to the CPS about Sheridan’s findings regarding eight individuals, including Mr Driver. The CPS confirmed to a member of the public that a charging file about Sheridan had been passed to the CPS, although it did not name or otherwise identify Mr Driver. The High Court held that Mr Driver had previously been sufficiently tied to Operation Sheridan that it could be reliably inferred he would be the subject of any charging file, and therefore the email consisted of his personal data. On that basis, the email represented a breach of his data protection rights.

Because the processing in question related to law enforcement, it fell outside the scope of the UK GDPR, and was only governed by the Data Protection Act 2018. In addition, the Court held that because of material already in the public domain (i.e. that Mr Driver had previously been a suspect in Sheridan), the breach had minimal impact. Mr Driver was therefore given declaratory relief, and compensation of £250. The case highlights that where the impact caused to the subject is minimal or the risk presented by any breach is low, the compensation which may follow is likely to be at the lower end of the scale.

The judgment in the case is available here.

EU/Global Law Update

6. EU adequacy decision – EU / US data transfers

The EU-US Data Privacy Framework is the EU’s latest proposed mechanism to send personal data to the US without restrictions. Following on from the signing of the Executive Order on 7 October 2022 (for background, read our previous edition of Data Matters), the European Commission has now published its draft adequacy decision on the matter.

The draft adequacy decision concludes that the US legal framework will provide comparable safeguards to those of the EU; the US is therefore deemed to have an adequate level of protection to allow unhindered transfer of personal data from the EU to the US. As proposed, this will only apply to US companies who are eligible to join the EU-US Data Privacy Framework (and choose to do so). Companies joining the framework will have to comply with a detailed set of privacy obligations laid down by the US Department of Commerce.

Next, the European Data Protection Board (EDPB) [1] will give its non-binding opinion of the draft decision. That is expected by the end of February 2023. The EDPB opinion will be keenly anticipated; its opinion on Privacy Shield acknowledged many of the issues which led ultimately to the European Court of Justice’s annulment decision on that mechanism. A committee of EU Member State representatives must then approve the decision, with the European Parliament having a right of scrutiny over any adequacy decision. Once this procedure is completed, the Commission can adopt the final adequacy decision. Once adopted, personal data will be able to flow freely from the EEA to participating US companies without further protective measures being put in place. The final adequacy decision is expected by the end of July 2023.

It should be noted, however, that the European Commissioner for Justice, Didier Reynders, has said the US must change the way its intelligence services deal with complaints regarding the handling of personal data before the new transfer mechanism can be used. This complaints process is likely to be the subject of future challenges in the European Court of Justice.

Before the final decision is adopted, and when sending data to US companies not operating within the framework after adoption, organisations may use the recently modernised Standard Contractual Clauses (SCC) to facilitate transfers. However, it is important to bear in mind the need to undertake a full transfer risk assessment in line with the ICO’s guidance (see our previous edition of Data Matters).

The draft adequacy decision for the Data Privacy Framework can be accessed here.

7. Advice of EDPB for public sector to use cloud based services

Throughout 2022 the EDPB, in conjunction with European data protection authorities, has embarked on an analysis of the use of cloud service providers within the public sector and their compliance with the GDPR. The EDPB has produced a state of play report which aggregates the findings to date of all the supervisory authorities participating in the inquiry, following coordinated investigations by the supervisory authorities into around 100 public bodies across the EEA, their use of cloud service providers, and the extent to which they are processing personal data legitimately.

The report identifies key challenges in delivering GDPR compliance reported by public sector bodies when using cloud-based services from hyperscale providers (usually based in the US), including undertaking DPIAs and data transfer impact assessments, negotiating contractual terms with cloud providers who largely operate on a “take it or leave it” basis, ensuring that cloud based processors do not process personal data supplied to them for their own commercial purposes, and assessing the level of access to EU citizens’ personal data by public authorities based in third countries.

The report notes that, when it comes to negotiating with large US based cloud providers, public sector bodies do not deliver the level of compliance required by the GDPR when processing personal data, for a number of reasons. The EDPB identified that actions by European supervisory authorities are ongoing to highlight the need for greater compliance with the requirements of the GDPR and the Schrems II judgment. Whilst not directly applicable to organisations in the UK, the report will be of interest to UK public sector bodies in assessing how regulators across Europe are approaching the procurement of cloud-based solutions which may be processing large amounts of citizens’ most sensitive personal data in a variety of industry sectors. The report is available here.

8. EU Advocate General Opinion: GDPR compensation

Further to the Driver case referred to above, there have been similar developments concerning compensation for data breaches at a European level. At the end of 2022, EU Advocate General Campos Sánchez-Bordona (AG) issued an opinion in regard to an Austrian EU GDPR breach case relating to the collection and sale by the Austrian postal service of the personal data of Austrian residents. This included linking an affinity for a far-right populist party to the subject who brought the case, ‘UI’. UI objected to the processing and observation, finding it ‘insulting and shameful’, and brought a claim for compensation for non-material damages under the EU GDPR.

The opinion considered the following points:

  • Must the subject have suffered harm from the breach of the GDPR in order to be awarded compensation?

The AG held that actual harm is a prerequisite for compensation, i.e. a breach by itself with no impact on the subject does not give rise to damages; however, it remains open to Member States to consider whether they wish to provide for such compensation within their own legal system. To date, England and Wales has not done so.

  • Is there a threshold for non-material damages?

As many organisations will be glad to hear, the Opinion holds that there is indeed a minimum threshold for non-material damages – a claim based only on annoyance or upset caused by GDPR infringement does not attract compensation, although other remedies may apply.

While the UK now falls outside the direct territorial scope of the EU GDPR, and post-withdrawal case law is no longer binding, the opinion is nevertheless useful as a persuasive / indicative source of law so long as the UK and EU systems remain relatively aligned. The opinion clearly limits the right to compensation and weakens the general enforcement of the GDPR, which may be reassuring for organisations routinely processing personal data. The position as regards the calculation of damages, however, remains unclear, and it is left to national courts to determine compensation in detail.

9. India – Digital Personal Data Bill to be introduced in March 2023

For those organisations which are either currently using or considering using outsourced third party providers based in India, it may come as welcome news that in November 2022 the Indian government released a completely new draft of the Digital Personal Data Protection Bill (2022), previous iterations having been withdrawn at an early stage due to criticism from business over the high cost of compliance. The new Bill is the latest attempt by the Indian government to establish a comprehensive data protection framework within India. The Bill applies to the processing of digital personal data, but notably excludes from its scope the non-automated processing of personal data. The Bill contains many data protection principles that are broadly similar to the GDPR, including data fiduciaries (controllers), data processors and data principals (subjects), applies similar obligations in relation to transparency and accountability in processing, and ensures that data principals (subjects) are able to seek independent redress where their data rights have been breached. It also establishes a Data Protection Board with supervisory powers, functioning as an independent body. The Bill is due to be tabled before the Parliament of India in its 2023 budget session and will have to be passed by both houses of the Indian Parliament before it becomes law.

OneTrust has published a helpful guide to the Bill which is available here.

[1] The EDPB is the body within Europe with responsibility to enforce the consistent application of data protection rules throughout the European Union and to promote cooperation between the EU’s data protection authorities.

This article was co-written by Laura Cook, Trainee Solicitor.

If you have any questions about the issues raised in this update, please contact a member of our Information Law team.
