What has happened in the four months since GDPR was introduced, Loretta Maxfield asks.

It has been over four months since ‘GDPR day’. The media hype has certainly quietened down and with it the barrage of ‘re-subscribe’ emails and scare-mongering over the ICO’s use of its increased powers, particularly the increased fines. For most ‘data conscious’ organisations, preparations are now complete or at least well under-way. For the less data conscious, there is still a lot of work to do. Regardless, the mass panic seems to have vanished almost overnight!

But what has changed on the legal landscape since then? Loretta Maxfield and Rachel Lawson from our data protection team provide a brief synopsis on some key developments from the last few months.

Facebook fan page and the meaning of ‘data controller’

A recent ruling by the European Court of Justice has considered whether administrators of Facebook fan pages fall within the definition of a data controller. The case that originated in the German courts, concerned an educational services company, Wirtschaftsakademie, which set up a business-focused Facebook page and chose to use a product called ‘Facebook Insights’. This is a Facebook analytical tool that collects, via cookies, information from visitors to the page, allowing the administrators access to anonymised statistical data from Facebook about the page visitors. An issue arose as visitors were not informed that their data would be processed in this manner.

The court requested Wirtschaftsakademie to stop the use of cookies, but Wirtschaftsakademie argued that it is not the data controller (rather Facebook is) and therefore not responsible for providing privacy notices informing visitors about how their data will be used.

Whilst the court accepted that Facebook primarily determine the methods and purposes of processing and that it is responsible for placing the cookies on users’ computers, the question for the court was whether Wirtschaftsakamie also fulfilled the definition of a data controller.

Although Wirtschaftsakamie didn’t have access to the raw personal data, and only had access to anonymised data through the Insights tool, the Court decided that they still fell under the data controller definition due to the influence it had over the purpose for which the data was being used and also the means by which it was processed. Wirtschaftsakamie chose to use the Facebook Insights tool and had discretion over what kind of information the cookies collected from visitors to its page. It didn’t matter that Wirtschaftsakamie exercised less control over the data than Facebook, rather the Court confirmed that where two data controllers process data jointly they do not need to exercise equal responsibility. Nor did it matter that Wirtschaftsakamie did not have physical access to the personal data collected.

This case was decided under the rules that applied pre-GDPR. However the definition of ‘data controller’ under GDPR is very similar to the previous regime therefore this case remains relevant going forward. As more businesses use Facebook to promote services, this is a very interesting case and re-enforces the point that organisations should be alert to the risk of being deemed a data controller (and with it performance of the obligations that are imposed on controllers) even where it may not have actual access to the personal data processed.

Identifying the role of each party in a relationship that processes personal data is vital for apportioning responsibility and risk and when doing so, parties should consider what kind of influence each party has over the purpose of the processing and the means, and not necessarily who has physical possession of the personal data. It should be noted however that even where parties are deemed joint data controllers, this does not necessarily mean the liability or responsibility for meeting the obligations of a data controller ought to be equally shared; indeed liability/responsibility ought to reflect the factual circumstances of the case in terms of the extent of influence and control each party has and it is important that this is reflected in any contractual relationship.

ICO Annual Report

In July, the Information Commissioner’s Office published its 2017-2018 Annual Report covering the 12 months up to 31 March 2018. One notable aspect was the reporting of a 29% increase in the number of self-reported data breaches from 2,447 to 3,156.

Interestingly, out of the breaches dealt with by the ICO in the period covered by the report, the ICO took no further action in 60% of breaches reported. A monetary penalty was only imposed for 0.3% of breaches – emphasising that monetary penalties are reserved for the more serious or flagrant breaches.

The GDPR puts great emphasis on individuals’ rights and a further increase in reported data breaches is expected in next year’s report due to mandatory reporting under GDPR and the growing culture. It is yet to be seen whether the ICO will adopt a different approach to imposing monetary penalties as has been seen in previous reports or whether it will continue, despite the pre-GDPR scare mongering, to reserve penalties for the most serious of cases. The ICO’s Regulatory Action Consultation (see comment on article below) suggests the latter approach will remain the status quo going forward, which may provide some comfort to organisations.

Recent ICO enforcement action

  • In July, the Independent Inquiry into Child Sex Abuse attracted a fine of £200,000 when a staff member sent an email to 90 individuals about an upcoming hearing. The staff member in question intended to insert the email addresses in the BCC field, but accidentally inserted them into the to field, therefore allowing recipients to see the email addresses of all other recipients, most of which contained full names. Although decided under the Data Protection 1998, the ICO found that the inquiry failed to take appropriate organisational and technical measures against unauthorised processing of personal data by failing to make use of an email account that could send emails individually to each recipient, and providing staff with appropriate training. This example serves as a timely reminder that what may seem as an innocent mistake can end up being costly for organisations and robust, regular training for employees and adoption of appropriate security and organisational measures is vital to minimise risk
  • BT was also fined £77,000 in June for sending 4,930,141 direct marketing emails to customers who either previously opted out of receiving email marketing, or had failed specifically to opt-out, breaching the Privacy and Electronic Communications Regulations. BT argued that the emails in question (promotion of charitable initiatives backed by BT such as Stand up to Cancer) were service emails and so were permitted to send these without specific consent. However, the ICO confirmed that the emails were not service emails and since the direct marketing rules also apply to ‘the promotional, campaigning and fundraising activities of not-for-profit organisations’, consent was required in this instance. This case serves as a reminder that organisations should always check that they have the correct consents in place before sending bulk emails to customers or service users
  • June also saw a fine of £100,000 served on the British and Foreign Bible Society. A cyber attack in 2016 resulted in weaknesses in their internal servers to be compromised, and details of donors and supporters of the Society were compromised. The hackers gained access to an account on one of its networks where the username and password were the same and so access was gained easily. Although the attack is a criminal act, the ICO still deemed that the Society had not deployed appropriate technical and organisational measures to keep their supporters’ information appropriately secure. The ICO in its decision stated that the Society should have had better awareness of its network and underlying systems and it had not adequately assessed the risks to its network and the data held on it.

Regulatory Action Policy – fail to prepare, prepare to fail!

On the 29 June 2018 a consultation on the ICO’s regulatory powers came to a close resulting in the Regulatory Action Policy, which is now being considered by the UK Government. It covers how the ICO approaches data breaches, and what it will take into account when considering enforcement action. There is a lot of coverage in the press about monetary fines and caution around the maximum limit being increased from £500,000 under the Data Protection Act 1998 to the higher of €20,000,000 million or 4% of annual worldwide turnover under GDPR.

However, while still being considered by the UK Government, this policy is useful in serving as a reminder that, contrary to some of the media hype prior to GDPR, a monetary penalty is reserved for the most serious breaches usually involving wilful, deliberate or negligent actions and that various factors will be considered beforehand. Examples include: any action taken to mitigate the damage or distress suffered by individuals; cooperation with the ICO; what kinds of data is involved; whether the breach was properly reported in a timely manner to the ICO; whether a fine would be proportionate; and whether the breach is one that has been repeated previously.

The Policy also makes it clear that fines are reserved for those serious circumstances and organisations taking a proactive approach with regards to self-reporting of data breaches and ensuring internal operations comply with GDPR, can expect to have their compliance and engagement with the ICO rewarded if the ICO were to conduct an investigation on that organisation. We shall await the outcome of the review from the Government.

Director Liability

It is understood that the ICO only recovers around 54% of the fines it imposes for breach of the Privacy and Electronic Communications Regulations (PECR). A major problem for the ICO is that it can only impose fines against the organisation and companies are often dissolved or go into liquidation, and then directors start a new business under a different name, to avoid paying ICO fines. The Government is currently consulting on plans to give the ICO powers to fine directors, senior officers, partners etc personally where companies, LLPs or organisations engage in unsolicited marketing such as calls, emails and texts in breach of PECR.

If such measures were introduced the aim would be to increase the effectiveness of the ICO’s enforcement powers by escalating unsolicited marketing to the boardroom by attaching personal liability to directors and essentially taking away the loophole of dissolving or liquidating the company to avoid fines. The consultation closes on 21 August and the outcome remains to be seen. If the proposal is adopted, this will no doubt have significant implications for directors and equivalent roles and it will be interesting to understand what parameters (if any) will be placed on this new power.

If you require advice on any aspect of GDPR, the Data Protection Act 2018 or any other data related matter, please contact Loretta Maxfield on lmaxfield@thorntons-law.co.uk.