Data protection update
A fair amount has happened on the data protection front in the past couple of months. Here we bring you up to date with the most important developments:
• The EU’s awaited approval for personal data to continue to flow from the EU to the UK;
• The settlement of a group claim against British Airways arising out of their 2018 data security breach;
• The Information Commissioner’s annual report, which says that her office only issued three data protection fines in the last year, although many more fines were issued for breaches of the rules on marketing communications such as cold-calling, unsolicited emails and text-marketing; and
• The latest efforts by individuals to extract cash for alleged data protection breaches by companies.
EU adequacy decisions for UK
As we’ve reported previously, although Brexit took full effect from 1 January this year after a year’s transitional period, there was a further transitional period just for data protection purposes, which lasted until 30 June. The purpose of this was to give the EU time to review whether the UK’s data protection laws were “adequate” for the purposes of continuing to allow transfers of personal data from the EU to the UK.
A negative decision could have caused mayhem but, although there was a little bit of sabre-rattling, it was never really likely to happen. As expected, on 28 June the European Commission adopted the two necessary adequacy decisions meaning that personal data can continue to flow from the EU into the UK.
There will be a review of the decisions in four years, which means that a wholesale move away from GDPR, which has been suggested by some politicians, is unlikely.
British Airways settle mass data breach claim
British Airways has reportedly settled the group claim brought on behalf of some 16,000 individuals whose personal data was lost in the airline’s 2018 data breach. The amount of the settlement is confidential, but it’s understood that British Airways has not admitted liability.
This follows the Information Commissioner’s Office’s own fine of £20 million levied on the carrier in respect of the same incident. That fine was reduced from the originally planned £183m following representations from the airline (including as to the hardship it was suffering due to Covid travel restrictions), but is still the largest data protection fine in British history.
Information Commissioner’s Annual Report
Elizabeth Denham, the outgoing Information Commissioner, has just issued her final annual report before leaving office. Highlights include:
• Over the course of the year, the Information Commissioner’s Office only issued three fines under GDPR – £20m to British Airways as mentioned earlier, £18.4m to Marriott and £1.25m to Ticketmaster. All of these arose from data security breaches which allowed personal data including credit card information to escape.
• More than 10 times that number of fines, albeit much smaller, were issued under the Privacy and Electronic Communications Regulations 2003 (known as PECR), which contain a variety of rules on issues such as cold-calling, unsolicited email marketing, and cookies. Many of these fines related to nuisance calls – in January for example, four fines were issued to companies found to have made a total of 2.4 million unlawful calls.
• Some of the PECR fines were in respect of Covid-opportunists, for example for text and email campaigns promoting hand-sanitiser and face masks without the necessary consent to receive electronic marketing communications.
• Limited companies are often set up by unscrupulous individuals to exploit a particular market opportunity. These can then be shut down by their founders, after the profits have been extracted, if the business runs into problems such as an ICO investigation. To try to counter this, the ICO has secured the disqualification of 27 directors.
We can conclude from this that failures to implement adequate information security measures, to keep them under proper review and to take appropriate and prompt action in the event of data breaches, are the things most likely to result in large fines, particularly where sensitive information escapes as a result. But we can also learn that the enforcement of the rules on direct marketing communications, including through media such as email, is rising up the enforcement agenda and must be taken seriously. If you don’t have the necessary consent programme in place, there is now the real risk of a fine.
Denham is keen to stress in the report that her office’s aim is “to work alongside organisations, helping them to make changes and improvements to comply with the law to reduce mistakes and misuse of people’s data”. This suggests that the ICO will continue to take a collaborative approach wherever possible, and will levy fines only in the most serious cases or as a last resort. However, as noted above, her successor will have to make sure that the EU continues to be satisfied that the UK maintains adequate safeguards over personal data if the adequacy decisions which allow the continued flow of data are to be renewed in four years’ time.
Claims by individuals
We’ve recently been receiving reports from clients of approaches from individuals seeking payment for cookies being set on their devices before they have been given the chance to consent, claiming that this is in breach of the Privacy and Electronic Communications Regulations 2003 (PECR). This is similar to the claims individuals made when the GDPR first came into force in 2018 that their personal data was being misused in various ways. While the GDPR (which is largely unaffected by Brexit) allows individuals to claim compensation if they have suffered material or non-material damage (as was claimed against British Airways – see above), it’s much more difficult for an individual to claim damages under PECR.
But this is a good opportunity to remind readers that:
1 - apart from strictly necessary cookies, users should be given the opportunity to accept or reject cookies at an early stage; and
2 - in addition to the risk of the ICO investigating and perhaps ultimately issuing fines for non-compliant activities, individuals can bring personal claims too, so there’s a double risk.
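The first reminder above is, in practice, an engineering control: non-essential cookies must not be written until the user has made a choice. The following is an added example (not code from the original article or from the ICO) of a small consent gate and an audit helper. It assumes a site maintains its own registry mapping cookie names to the categories “necessary”, “analytics” and “marketing”; the cookie names and the registry here are constructed for illustration, and the in-memory store stands in for whatever persistence a real site would use.

```javascript
// Added example: a consent gate that blocks non-essential cookies until a
// choice has been recorded, plus an audit of cookies already present.
// Cookie names, categories and the registry below are constructed examples.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate() {
  // null means the user has not yet accepted or rejected anything.
  // A real site would persist this in a strictly necessary cookie (assumption).
  let choices = null;

  function recordChoice({ analytics = false, marketing = false } = {}) {
    choices = { analytics: Boolean(analytics), marketing: Boolean(marketing) };
  }

  function hasChoice() {
    return choices !== null;
  }

  // Strictly necessary cookies are always allowed; everything else requires
  // an explicit, recorded opt-in for its category.
  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) return false; // unknown category: deny
    if (category === 'necessary') return true;
    if (choices === null) return false; // no choice yet: deny
    return choices[category] === true;
  }

  // `jar` is a plain object standing in for document.cookie so the example
  // runs outside a browser. Returns whether the cookie was actually set.
  function setCookie(jar, name, value, category) {
    if (!isAllowed(category)) {
      return { set: false, reason: `no consent for category "${category}"` };
    }
    jar[name] = value;
    return { set: true };
  }

  return { recordChoice, hasChoice, isAllowed, setCookie };
}

// Parse a "a=1; b=2" cookie string into names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0].trim());
}

// Return the names of cookies present that the current consent state does
// not permit. Cookies missing from the registry are reported too: an
// unregistered cookie cannot be shown to be strictly necessary.
function findUnconsented(cookieString, registry, gate) {
  return cookieNames(cookieString).filter((name) => {
    const category = registry[name];
    return category === undefined || !gate.isAllowed(category);
  });
}

// Constructed registry for the example site.
const EXAMPLE_REGISTRY = {
  session: 'necessary',
  _ga: 'analytics',
  ad_id: 'marketing',
};

module.exports = { createConsentGate, cookieNames, findUnconsented, EXAMPLE_REGISTRY };
```

Running `findUnconsented` on page load against the registry gives a quick check that nothing upstream (a tag manager, a third-party script) has set a cookie before the banner was answered; anything it reports is the kind of cookie the complaints described above are about.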