After much heralding, GDPR arrived on 25th May 2018 and the world has not stopped turning, but we are only beginning to discover its true impact, as GDPR compliance goes beyond the sparkly new privacy notice, some internal training, and writing new or revised policies. There is as yet no case law on GDPR, but there have been some notable cases on the old data protection law, and some interesting prosecutions.
Cases for Data Breaches
The Independent Inquiry into Child Sexual Abuse was fined £200,000 after sending a mass email that identified possible abuse victims. According to the ICO, an Inquiry staff member emailed 90 people using the “to” field instead of the “bcc” field, allowing recipients to see each other’s addresses. The incident was a breach of the Data Protection Act. The Inquiry said it had apologised and reviewed its data-handling. It is an easy mistake to make, but a potentially damaging one.
In B v The General Medical Council, the Court of Appeal has given guidance on when to disclose information containing the personal data of more than one individual or mixed data, in response to a subject access request (SAR). In this case, an expert report concerning a GP’s fitness to practice was not disclosed to a patient in response to a SAR made by the patient for personal data held about him. This was withheld on the basis that the report contained mixed personal data, i.e. personal data of both the GP and the patient.
Generally, under data protection legislation, a data controller is not obliged to comply with the request unless the third party has consented to disclosure of the information. Previous case law indicated that there was a presumption against disclosure in a mixed data case where the third party withholds consent. In this case, the GP, Dr B, did not consent to the report’s disclosure, principally on the basis that the request was being made with a view to litigation against him.
The Court of Appeal held that:
- In determining whether to disclose mixed data, a balance should be struck between the requestor and objector’s competing interests and a presumption in favour of withholding disclosure should only be applied in a ‘tie-break’ situation, i.e. where all of the other interests balance equally.
- The requestor’s interests in seeking the disclosure should not be devalued because the information may assist them in litigation.
This is now the leading case on mixed personal data, and will be relevant to employers faced with SARs where the disclosure of mixed personal data is in issue. Employers face an increasingly onerous task when complying with SARs under the new regime, and, following this decision, should think carefully before refusing requests for disclosure of “mixed data” solely because a third party has not consented.
Following a cyber-attack on the British and Foreign Bible Society, which led to a data breach by the charity in 2016, the ICO has recently fined the Society £100,000 for failing to take “appropriate technical and organisational steps” to protect its supporters’ personal data. In particular, the ICO criticised the Society for failing to put strong enough security measures in place to protect the accounts it held concerning its donors, exposing them to the risk of financial and identity fraud.
This attack appears to have been made possible by vulnerabilities in the Society’s network, including its weak password, which the attackers exploited in order to access the data of over 400,000 donors to the charity, including names, addresses and payment card details. The attackers then used ransomware to encrypt the data, holding the Society to ransom by offering to unlock the encrypted data for a fee.
The ICO appears to have taken a strong stance in this instance to emphasise the point that, even where organisations are innocent victims of a cyber-attack, they are responsible for any data breaches that result from their failure to put sufficient protective measures in place. The ICO said that due to the reality that cyber-attacks happen, organisations must make it “as difficult as possible for intruders”.
In considering the seriousness of the data breach, the ICO emphasised the fact that supporters’ religious beliefs could be inferred from the personal data in question, as this made the breach likely to cause “substantial damage or substantial distress”, the extent of which “cannot be underestimated”.
The key lessons we can learn from this case are:
- Even where it is a victim of a criminal cyber-attack, an organisation can itself commit an offence simply by using systems which leave themselves vulnerable to such data breaches. Organisations must, therefore, prepare for the possibility that they may become the victim of such an attack.
- This fine is considerably larger than the fines previously imposed on charities by the ICO. Of the thirteen charities fined in 2016-17, the largest fine had been £25,000, and the rest were all less than £20,000. The substantial increase in fine indicates the start of a much tougher approach by the ICO.
- It is important to act quickly and proactively following a data breach. All organisations need clear processes to be able to identify and respond to a breach, and in particular, should contact anyone whose data may be affected, and find out the impact this has had on them. Taking positive action may mitigate the breach’s impact, and alleviate the fine imposed by the ICO.
Although these cases were decided under the Data Protection Act 1998, the same principles are likely to apply under the GDPR and the DPA 2018. The next case is very different, but even more worrying from an employer’s perspective.
In WM Morrisons Supermarkets plc v Various Claimants, the Court of Appeal held that an employer was vicariously liable for the actions of a rogue employee, who disclosed the personal information of around 100,000 colleagues on the Internet.
The Court of Appeal specifically rejected Morrisons’ public-policy argument that vicarious liability in similar scenarios imposes a disproportionate burden on ‘innocent’ employers. The Court’s strict stance in that regard should be viewed in conjunction with the possible increase in data protection-related group litigation now that the GDPR is in force. The decision is particularly notable in light of the ICO’s conclusion, following its investigation into this case, that Morrisons had not breached the DPA, and as such, should not be fined. In complete contrast, the Court suggested that employers should insure against data breaches committed by employees given the large potential liabilities involved. Morrisons are now appealing to the Supreme Court on this decision, so we wait with continuing interest and some sympathy.
The consequences of this decision for Morrisons are likely to be very costly, as it will be required to pay a significant level of damages to a large number of its employees. The decision also significantly broadens the scope for claims against employers, even where (as in this case) they have compliant data protection policies in place, and are subject to the vexatious actions of a rogue employee. The risk of reputational damage, as well as increased levels of fines under the GDPR, means that the consequences of the Court’s decision are potentially very far reaching.
Given that GDPR has only been in force since May 2018, it’s still too early to tell how aggressive data regulators across the EU will be, but Article 83 does stipulate provisions for assessing the severity of a breach and the appropriate punishment.
Lower tier fines will typically be handed out to those organisations which have failed to integrate data protection “by design and by default” into the services they offer to the public. Any organisation that fails to co-operate with a data regulator, regardless of the nature of a breach, is also likely to fall into this tier. The lower tier also covers organisations which have failed to appoint a data protection officer (when it is clear that one is required), those which fail to inform data subjects as and when their personal data is compromised, and those which fail to keep adequate records of the data they are processing.
The higher tier will apply only for the most serious GDPR infringements, including breaching subjects’ data and privacy rights, not following the basic principles of data protection, and refusing to comply with demands and requests from the data regulator, such as a refusal to comply with a previous warning or an order on processing data. How organisations handle user consent will also be considered.
Fines almost certainly won’t reach the scale outlined under GDPR for the vast majority of organisations. The regulations themselves make clear all fines issued will be administered on a case-by-case basis, in the spirit of being “effective, proportionate and dissuasive”. Regulators will take into account the nature of the infringement, its gravity and duration, the scope and nature of an organisation’s data processing, as well as the number of data subjects affected and the level of damage they have suffered.
The legislation also makes clear that intention, and scope for negligence, will be taken into account, as well as any previous efforts taken to comply, and any actions taken to mitigate damage to affected data subjects. This means organisations should document all processes, and show their working to prove to the data protection regulator that they are doing everything possible to comply. Other factors will include an organisation’s history when it comes to infringements, the categories of personal data affected, how quickly any infringement was reported, and their level of cooperation with the ICO.
The ICO has gained a reputation for being a conservative regulator, inclined towards leniency. Given the scale and severity of fines set to be imposed under GDPR – 40 times greater than the current maximum of £500,000 – as well as soundings by the Information Commissioner, Elizabeth Denham, all eyes are on the ICO as to how it will operate now that GDPR is in effect.
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” Denham said in a speech in August 2017.
In the same speech, she reassured organisations that “predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense,” indicating that the ICO will continue to operate in much the same vein as it has thus far, with fines a last resort. The ICO may, however, feel the need to demonstrate its new powers by imposing substantial fines, which would also serve to bring many private organisations into line.
The ICO is believed to have a number of ongoing investigations that have yet to result in a sanction, including Ticketmaster, which suffered a breach of its systems in June. It recently revealed that it was receiving over 500 calls per week.
In theory, GDPR is unaffected by Brexit, although data protection has been discussed in the Brexit negotiations as there are some key aspects of the draft EU-UK Withdrawal Agreement which concern data protection. It is encouraging that there appears to be a clear drive towards a position in which personal data can continue to flow seamlessly between the UK and the EU.
The draft Withdrawal Agreement and its accompanying Outline of the Political Declaration documents – Section VII, ‘Data and information processed or obtained before the end of the transition period, or on the basis of this agreement’ – are lengthy.
There’s a fear that in a post-Brexit world the current free flow of personal data within the EU would no longer exist, and UK organisations could be left grappling with strict data transfer rules. A significant point in the draft Agreement is that some flexibility is proposed around the deadline for agreeing a mechanism for data flows between the UK and the EU, post Brexit. The UK hopes to be awarded what is termed an ‘adequacy decision’, whereby the EU would recognise UK data protection standards to be on a par with those of the EU.
The draft Agreement does not describe a precise mechanism for how data will be transferred. It does, however, say that EU citizens’ data processed in the UK before and after the end of the transition period will be processed in line with EU data protection law. It also says that member states will continue to process data on UK citizens in line with the EU laws. So, the status quo could continue at least until the end of 2020, and perhaps beyond. It is far from clear what will happen in the event of no deal or a hard Brexit, but it is likely that some agreement will still be reached as it suits nearly everyone. In December 2018 the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 were published in draft form. Their purpose is to replace GDPR with a version that will make sense once the UK has left the EU, a “UK GDPR”. Watch this space!
Subject Access Requests (SARs)
The good news is that there has not been a general flurry of Subject Access Requests (SARs) due to the publicity of the GDPR, or the lifting of the £10 fee. There was a reasonable fear that people would suddenly take an interest in the contents of their personnel file, or what emails were saying about them. We are, however, getting reports that solicitors are using this device as a prelude to litigation. This tactic was predicted and looks like it is coming to fruition, with potential employee claimants going on fishing expeditions to see if they can find something which they can use to improve their chances of winning a claim, or find another claim to add to the one they already intend to bring. The most fruitful source of ‘ammunition’ is a request for all emails about them, which might include slightly derogatory comments about them, or, worse still, emails which show a clear intention to dismiss them, or comments which might easily be described as discriminatory. There is very little that can be done to counter this tactic, and we certainly would not advise withholding information just because it will be damaging. The best way to reduce exposure is to be very careful about what is said in writing – use the telephone and speak instead.
The good news is that if you follow our advice and keep an audit trail of an employee’s failures and/or misdemeanours and what you have done to deal with the situation, you will have a much better defence, even if you have used slightly intemperate language to describe them and their actions.
Research shows that organisations struggled to be ready for the May 2018 deadline. For example, a study conducted after the GDPR came into effect showed that many organisations are failing to respond to subject access requests within the one-month time limit, with many failing to respond at all!
This could be for a number of reasons:
- personal data is so important to how we all do business that even small changes to how its use is regulated have a major impact on operations;
- achieving compliance requires input and effort from all areas of an organisation – not just the compliance team; and
- guidance on how the GDPR would be enforced was not available for all aspects of the Regulation, and industry standard compliance methods were in their infancy.
The bad news for those still reeling from GDPR is that there is a draft European regulation relating to privacy and electronic communications. It is expected to be finalised by the end of 2019. Assuming a reasonable implementation period, this is unlikely to take effect until 2020 at the earliest. But like the GDPR, it could have a major impact on your business, so preparing for this in 2019 makes sense.
It will replace the current Privacy and Electronic Communications Directive 2002, and bring the law in this area more in line with the GDPR, including the same level of potential fines following a breach. Like the GDPR, moving from a directive to a regulation will also provide a greater degree of uniformity across the EU.
As legislation with a specific application (e.g. electronic communications), it will supersede the GDPR, which has a general application. It will impact how messaging services (Skype, WhatsApp, Facebook, Messenger, etc.), telephone calls, SMS and emails are regulated. The biggest impact could be on businesses that send B2B marketing emails.
All this means that data protection compliance has no respite and is going to be an ongoing journey.
You are welcome to raise any concerns with our Consultants, who would be pleased to advise you on any element of the issues arising from this newsletter.