Data Protection News Dec 18

Round-up of Data Breaches and ICO Fines
Brexit – Impact on International Data Transfers
The new UK PECR Liabilities have come into force
Facebook Issued with Maximum Fine
March 8 2019

New PECR Liabilities

On December 17th, 2018, the UK issued the latest amendments to PECR. The new rules allow the ICO to hold directors and senior officers personally liable where PECR breaches happen either with their consent or due to their negligence. The ICO have been clamouring for this change in law for many years due to their low recovery rates on PECR fines, caused by so-called ‘Phoenixing’. This is where a company that is issued with a fine liquidates to avoid paying it, only for the director to reappear at the helm of another organisation and re-offend. The law change means that directors can be fined up to £500,000. Now would be a good time for organisations to complete an internal PECR audit!

Brexit – Impact on International Data Transfers

Amidst all the uncertainty surrounding Brexit are an army of advisors, lawyers and consultants planning for all potential outcomes, whatever way the negotiations and votes happen to go. This is no different in the world of data protection and this article will briefly outline the impact of Brexit on international data transfers and data protection.

Before we talk about Brexit, here is a reminder about international data transfers. Transfers can happen to countries outside the EU based on one or more safeguards such as:

  • An assessment of ‘adequacy’ (including being listed in the EU Journal of adequacy decisions)
  • The adoption of binding corporate rules
  • The adoption of model contract clauses

In the absence of any of these safeguards, international data transfers can still occur on the basis of one of several exceptions that are also listed in the legislation.

Along comes Brexit. On the 15th of November 2018, the UK Government and EU Commission jointly published a proposed agreement on the terms of Brexit.

The agreement establishes a transition period from 30 March 2019 until 31 December 2020 during which the UK will remain subject to all EU laws other than those expressly excluded.

So, what does the draft exit deal mean in terms of data protection?

There are 5 main areas of impact for data protection:

  1. The same laws will be applicable during the transition period, so the UK will still be bound by the GDPR.
  2. The Court of Justice of the European Union (CJEU) will keep jurisdiction over the UK, continuing to arbitrate UK court interpretation of data protection law.
  3. The UK will still be treated as a member state during the transition period.
  4. There will be no participation of the UK in EU decisions. The ICO’s role on the EDPB may be reduced to an observer role only.
  5. Data captured before the end of the transition period will continue to be protected by GDPR, but data captured after the transition period may be governed by a different regime of data protection laws.

The UK and EU have also published a non-binding declaration that states the ambition to adopt an adequacy decision for the UK by the end of transition. Securing an adequacy decision will be integral to supporting a free flow of personal data between the EU and the UK once the transition period comes to an end.

If the deal is rejected, the UK could leave the EU on 29 March 2019 without any transitional arrangements. Data transfers between the UK and EU would therefore be treated as transfers to a third country, requiring one of the other safeguards to be put in place such as binding corporate rules or model clauses. Plan for a surge of contractual renegotiations, if this situation transpires.

ICO Fines

As well as the second record-breaking fine, this time levied against Facebook, there were many other six-figure fines in the last quarter, including:

  • ACT Response fined £175,000 for making 500,000 marketing calls to TPS subscribers
  • DM Bedroom Designs fined £160,000 for making 1.6 million calls to TPS subscribers
  • Uber fined £385,000 for failing to protect data during a cyber-attack in late 2016
  • Tax Returned Limited fined £200,000 for sending 14.8 million unsolicited texts

The ICO have also issued hundreds of fines for non-payment of Data Protection fees. The total value of these fines has not been published.

The year-end total of ICO fines for 2018 was £6,639,000 which is a 57% increase on the previous year.

For more detailed information about ICO fines, see the ICO enforcement webpage.

Data Breaches

Stats from December 2018 show that 8000 UK data breaches were reported to the ICO in the 6 months following the GDPR go-live date.

On the global stage, the biggest breaches from Q4 2018 were:

  • Marriott – 500 million guests
  • Quora – 100 million users
  • Google – 52 million users
  • Atrium Health – 2.65 million patients affected

Did you know?...

Facebook were fined £500,000

Hot on the heels of the record-breaking Equifax fine, Facebook were also fined the maximum amount allowable under the DPA (1998). This was for: lack of informed consent, not having a lawful basis for processing, and failing to apply due diligence to ensure that apps using their data were consistent with the terms and conditions of their platform. In the enforcement notice, the Information Commissioner calls out the fact that, were it not for the statutory limits, the fine would have been much higher. This sends a clear message that the ICO are chomping at the bit to exercise the new maximum fine limits under GDPR.

GDPR Adoption Indicators:

Forrester Security Survey: 56% of security professionals say their organisation is not fully in line with the new legislation.

Bitkom Conference Survey: only 24% of attendees have fully adopted the new rules.