October was a particularly busy month, with headline-grabbing stories such as the long-awaited finalisation of the fines against British Airways and Marriott, which may well be the last penalties the UK Information Commissioner’s Office (the “ICO”) issues as a GDPR Lead Supervisory Authority. Having already covered both fines (here and here), and the French CNIL’s latest cookies guidance, below is the “best of the rest” from October.
ICO targets the data broking industry: On 27 October, the ICO demanded that Experian make sweeping changes to data protection practices within its direct marketing business within three months or face further enforcement action. The enforcement notice follows a two-year investigation into the data broking businesses of the three largest credit rating agencies in the UK – Experian, Equifax and TransUnion – which together hold data on nearly every UK adult. While Equifax and TransUnion apparently adequately addressed the ICO’s concerns (including by withdrawing certain products and services), Experian did not, and has now been ordered to, among other things, cease all non-compliant data processing, revise its privacy notices and send privacy notices for the first time to millions of individuals who were not previously given one.
While Experian has announced that it intends to appeal the decision, the enforcement notice still shows the GDPR compliance challenges the data broking industry faces and the ICO’s views on them. For example, the ICO was seemingly unconvinced by arguments that the high cost of providing privacy notices to individuals whose data had been collected indirectly rendered notice disproportionate in the circumstances. The ICO also found that Experian could not rely on “legitimate interests” as a lawful basis to process personal data received from third parties who had collected the data based on consent. More broadly, the ICO criticised Experian’s legitimate interests assessments and offered its general view that “it is unlikely that a controller will be able to apply legitimate interests for intrusive profiling for direct marketing purposes”. We will continue to report on developments as Experian’s appeal progresses.
Irish regulator investigates Facebook’s processing of children’s data: On 19 October, the Irish Data Protection Commission (the “DPC”) announced two inquiries into Facebook Ireland Limited’s processing of children’s data on its Instagram platform. The first inquiry will assess whether Facebook has a valid legal basis for processing children’s personal data from Instagram and whether child protections are adequate. The DPC will also assess whether Facebook, as data controller, “meets its transparency requirements in its provision of Instagram to children”. The DPC’s second inquiry will review Instagram’s account settings for children and will consider whether Facebook meets its obligation to protect the data protection rights of children as vulnerable persons under the GDPR. The investigations come just one month after a class action was filed in the English High Court against YouTube for allegedly processing children’s data without obtaining parental permission or providing appropriate disclosures (see our September Round Up).
Europe’s top court rules against mass surveillance: On 6 October, the CJEU ruled in Privacy International (Case C-623/17) that section 94 of the UK Telecommunications Act 1984, which grants UK intelligence agencies the power to require providers to hand over bulk communications metadata, breaches EU law. While the e-Privacy Directive permits more serious interferences with privacy rights on national security grounds, such measures remain subject to the general principles of EU law and to the rights guaranteed under the Charter of Fundamental Rights of the European Union, including the right to privacy and the right to protection of personal data. Consequently, the CJEU found that section 94 failed to establish the minimum safeguards needed to ensure that the power to access metadata records results only in a strictly necessary and proportionate interference with the affected individuals’ fundamental rights.
In particular, the CJEU held that laws permitting the general and indiscriminate collection of data from individuals who have no link, even an indirect or remote one, to national security concerns cannot be necessary or proportionate. On the same day as the Privacy International decision, the CJEU issued a joint judgment declaring that corresponding national security legislation in France and Belgium also breached EU law. The decisions were welcomed by the Italian DPA, with the German regulator going further and calling on EU policy makers to scrap mass data retention policies.
Post-Brexit data transfers come into focus: Experts appearing before the UK House of Commons Digital, Culture, Media and Sport Committee this month warned that the Privacy International decision would damage the UK’s prospects of receiving an “adequacy decision”, which, if granted by the EU, would allow the free flow of personal data from the EEA to the UK after the Brexit transition period ends on 31 December this year. The Irish Council for Civil Liberties (the “ICCL”) also raised concerns about the UK’s adequacy status, publishing a letter to the European Commission arguing against an adequacy decision. The letter claims that the ICO does not meet the GDPR’s requirement for an “effectively functioning” supervisory authority because the ICO has (in the ICCL’s view) failed to adequately enforce the GDPR against the adtech industry.
While the UK has reaffirmed its desire to secure an adequacy decision, it still maintains its guidance on EU/UK data flows after the transition period, and companies should start planning, if they have not already, for a “no-deal” scenario in which no adequacy decision is in place and an alternative transfer mechanism (such as standard contractual clauses) is needed for EEA-to-UK transfers.
Microsoft to continue to host French health data: Following the Schrems II decision (see our Blog Post), trade unions and individual claimants looked to France’s highest administrative court – the Conseil d’Etat – to suspend the French government’s Health Data Hub platform, citing concerns about the possible transfer of personal data to the US. The Hub was established to encourage medical data sharing for research purposes, with an Irish Microsoft group company contracted to host and process the data in the Netherlands.
On 14 October, the Conseil d’Etat allowed Microsoft to continue hosting the Hub’s data, on the condition that no data is transferred outside the EU. The judge reiterated that Schrems II does not prohibit the use of US-based companies to process data within the EU, and that while there remained a risk that data could still be accessed by US intelligence services, this alone did not justify suspending the platform. The Conseil d’Etat also acknowledged the important role the Hub has played in France’s fight against COVID-19. Consequently, the judge ordered the Hub to work closely with Microsoft to strengthen its data protection measures, as a temporary arrangement until the French government devises a final solution that would prevent interference by US intelligence agencies entirely.
EU moves closer to AI regulatory framework: On 20 October, the European Parliament adopted proposals for a legislative framework to regulate artificial intelligence (“AI”). It comes at a time when European governments have remained divided over how to best manage the risks of AI, on the one hand, whilst encouraging innovation and investment, on the other. The proposals attempt to balance these competing considerations by adopting a two-tier approach and subjecting high-risk (from a privacy perspective) AI technology to more onerous rules. For example, the ethics framework calls on the Commission to develop ethical guidelines and subject high-risk technology, such as machine learning, to human oversight. Similarly, under the proposed AI civil liability framework, operators of high-risk systems will be strictly liable for any harm or damage caused arising out of the technology. At the same time, the proposals seek to encourage innovation by establishing an effective intellectual property rights system.
Uber faces new AI dismissal claim: On 26 October, four former Uber drivers brought an application before the District Court of Amsterdam, challenging what the claim says was an automated decision to terminate their contracts based on alleged fraudulent activity. While Uber has faced AI-related litigation in the past (see our July Round Up), this action is being brought under the rarely invoked Article 22 of the GDPR. Article 22 restricts fully automated decisions which have legal or similarly significant effects on individuals to a more limited set of lawful bases and requires certain safeguards to be in place. The proceedings are expected to tackle key issues, including what constitutes “meaningful” human intervention, and will be followed keenly by businesses using automated decision-making technology to inform employment decisions, or more broadly.
ICO publishes data subject access request guidance: The ICO has published its updated guidance on the right of access and data subject access requests (“DSARs”), which advocates a proactive approach, including training staff to recognise requests and appointing a specific person or team to manage them. Other recommendations include creating a response checklist to standardise handling, and recording and monitoring past requests in a log.
The guidance also expands on what constitutes a “manifestly excessive” request: companies need to consider the nature of the requested information, the context of the request and the organisation’s available resources. It introduces a three-step plan for responding to requests that may result in the disclosure of third-party information, and allows controllers to “stop the clock” on the one-month response deadline while they seek clarification of the request. While many companies will already have policies and procedures in place to handle DSARs, they may wish to revisit them in light of the latest guidance to ensure they remain aligned with the regulator’s current thinking.
ANSSI publishes guidance on cyber crisis exercises: On 14 October, the French National Cybersecurity Agency (“ANSSI”) published a practical guide for public and private organisations explaining how to prepare and conduct cyber crisis management exercises. The guide focuses on the crisis response team, i.e. risk managers, employees responsible for business continuity or crisis management, and IT security personnel. ANSSI suggests an approach based on the ISO 22398:2013 standard covering four key steps: framing the exercise (identifying its objectives and key participants), preparing the scenario and the timeline, running the exercise, and learning from it. The guide also includes a set of factsheets, recommendations to increase cyber resilience, and a worked example, “RANSOM 20”, built around a ransomware scenario to illustrate how each step should be executed. French companies may want to reference the guide when designing their own cybersecurity preparedness exercises.
EDPB finalises data protection by design guidance: The European Data Protection Board (“EDPB”) has finalised its Guidelines on Data Protection by Design and by Default. GDPR Article 25 requires controllers to integrate data protection controls into their processing activities from the outset and to regularly assess their effectiveness. The Guidelines help controllers meet these obligations by providing a list of key design and default elements. The recommendations are accompanied by a series of real-life scenarios, which means the Guidelines will be a helpful refresher for any company devising new business activities that involve personal data.
The authors would like to thank Debevoise trainee associate Jesse Hope for his contribution to this article.