Category: UK

Amex fined for sending four million unlawful emails

15. July 2021

American Express Service Europe Limited (Amex) has received a £ 90,000 fine from the UK Information Commissioner’s Office (ICO) for sending over four million unwanted marketing emails to customers.

The reason for the investigation by UK’s supervisory authority were complaints from Amex customers, which claimed to have been receiving marketing emails even though they had not given their consent to do so. The emails, sent as a part of a campaign, contained information regarding benefits of online shopping, optimal use of the card and encouragement to download the Amex app. According to Amex, the emails were rather about “servicing”, not “marketing”. The company insisted that customers would be disadvantaged if they were not aware of the campaigns and that the emails were a requirement of the credit agreements.

The ICO did not share this view. In its opinion, the emails were aimed at inducing customers to make purchases with their cards in return for a £ 50 benefit, and thus “deliberately” for “financial gain”. This constitutes a marketing activity which, without a valid consent, violates Regulation 22 of the Privacy and Electronic Communications Regulations 2003. The consents and therefore the legal basis were not given in this case.

The ICO Head of Investigations pointed out how important it is for companies to know the differences between a service email and a marketing email to ensure that email communications with customers are compliant with the law. While service messages contain routine information such as changes in terms and conditions or notices of service interruptions, direct marketing is any communication of promotional or marketing material directed to specific individuals.

An Amex spokesperson assured that the company takes customers’ marketing preferences very seriously and has already taken steps to address the concerns raised.

British Airways could reach a settlement over the 2018 data breach

7. July 2021

Back in 2018 British Airways was hit by a data breach affecting up to 500 000 data subjects – customers as well as British Airways staff.

Following the breach the UK’s Information Commissioners Office (ICO) has fined British Airways firstly in 2019 with a record fine of £183.000.000 (€ 205.000.000), due to the severe consequences of the breach. As reported beside inter alia e-mail addresses of the concerned data subjects also credit card information have been accessed by the hackers.

The initial record fine has been reduced by the ICO in 2020 after British Airways appealed against it. The ICO announced the final sanction in October 2020 –  £20.000.000 (€ 22.000.000). Reason for the reduction has been inter alia the current COVID-19 situation and it’s consequences for the Aviation industry.

Most recently it has been published that British Airways also came to a settlement in a UK breach class action with up to 16 000 claimants. The details of the settlement have been kept confidential, so that the settlement sum is not known, but the law firm, PGMBM, representing the claimants, as well as British Airways announced the settlement on July 6th.

PGMBM further explains, that the fine of the ICO “did not provide redress to those affected”, but that “the settlement now addresses” the consequences for the data subjects, as reported by the BBC.

European Commission Adopts UK Adequacy Decisions

5. July 2021

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.

This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.

The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.

The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.

In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“

The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.

ICO fined several companies for data protection infringements

15. June 2021

The UK Information Commissioner’s Office (“ICO”) has fined several companies at the beginning of June for data protection infringements.

All fines have in common that the fined companies conducted marketing measures without having the required consent for doing so.

  • Conservative Party

The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails without having the required legal basis and in violation of Regulation 22 of the Privacy and Electronic Communications Regulation 2003 (PECR).

The Conservative Party sent out a total of 1.190.280 marketing emails between July 24th and July 31st 2019, right after the election and in the name of Rt Hon Boris Johnson MP.

The ICO investigated that the party failed to ensure having a valid legal basis for marketing emails when changing the email provider. Even though the ICO assumes that there are more than 51 concerned data subjects, the ICO only received complaints of 51 individuals, thus the fine is based on this amount of concerned data subjects.

  • Colour Car Sales Ltd.

The ICO has fined Colour Car Sales Ltd (CCSL)  £170,000  for sending spam text messages from October 2018 to January 2020. CCSL is a credit intermediary for used car finance and the purpose of the spam texts was to direct the recipients to car finance websites.

Also in this case basis for the fine has been complaints of concerned data subjects which complained about not have given consent for receiving marketing emails from CCSL.

  • Solarwave of Grays

The ICO has fined Solarwave of Grays £100,000 for conducting 73.217 marketing calls about solar panel maintenance from January to October 2020.

The complainants that raised the concerns stated that they were registered with the Telephone Preference Service and should have received any marketing telephone calls based on this.

The Telephone Preference Service is the UK’s “do not call register” with which individuals can register to show that they are not interested in receiving any kind of marketing phone calls.

Beside the violation of the data protection law and the Telephone Preferences Service the concerned data subjects also stated that the callers were rude and persistent and ignored stop requests.

  • LTH Holdings

The ICO has fined LTH Holding, a Cardiff based telephone marketing company, £145,000 for conducting 1.4 million calls trying to sell funeral plans between May 2019 and May 2020.

In this case the ICO received 41 complaints and the complainants were also registered with the Telephone Preferences Service. Beside this infringement, the concerned data subjects also told the ICO that LTH adopted aggressive, coercive and persuasive methods to sell funeral plans.

  • Papa John’s

The ICO has fined Papa John’s Limited, a national takeaway pizza company, £10,000 for sending 168,022 nuisance marketing messages to its customers.

In this case the ICO received 15 complaints also stating the distress and annoyance the messages were causing. Some customers received up to 100 messages in two months without ever have given consent for marketing emails.

The ICO investigated that Papa John’s has sent over 210.000 messages to customers between October 1st 2019 and April 30th 2020.

In the contrary to the opinion of Papa John’s the ICO did not see the possibility to rely on “soft opt-in” because the data used for the marketing emails has been obtained for processing orders and not receiving marketing emails. Furthermore, the required information of the customers on this processing activity is missing.

EPRS publishes report on post-Brexit EU-UK Data Transfer Mechanisms

20. April 2021

On April 9th, 2021, the European Parliamentary Research Service (EPRS) published a report on data transfers in the private sector between the EU and the U.K. following Brexit.

The report reviews and assesses trade dealings, adequacy challenges and transfer instruments under the General Data Protection Regulation (GDPR). The report is intended to help take regulatory and business decisions, and in the Press Release the European Parliament stated that “a clear understanding of the state of play and future prospects for EU-UK transfers of personal data is indispensable”.

The report provides in-depth analysis of an adequacy decision for the UK as a viable long-term solution for data flows between the U.K. and the EU, also considering possible mechanisms for data transfer in the potential absence of an adequacy decision, such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanism.

In this analysis the EPRS also sheds light on adequacy concerns such as U.K. surveillance laws and practices, shortcomings of the implementation of the GDPR, weak enforcement of data protection laws, and wavering commitment to EU data protection standards.

As part of its conclusion, the EPRS stated that the European Data Protection Board’s (‘EDPB’) opinion on the draft decision, which has just been published (please see our blogpost here), will likely scrutinise the Commission’s approach and provide recommendations on next steps.

EDPB adopts opinion on draft UK adequacy decisions

16. April 2021

In accordance with its obligation under Article 70 (1) (s) of the General Data Protection Regulation (GDPR), on April 13th, 2021, the European Data Protection Board (“EDPB”) adopted its opinions on the EU Commissions (“EC”) draft UK adequacy decision (please see our blog post). “Opinion 14/2021” is based on the GDPR and assesses both general data protection aspects and the public authority access to personal data transferred from the EEA for law enforcement and national security purposes contained in the draft adequacy decision, a topic the EC also discussed in detail. At the same time, the EDPB also issued “Opinion 15/2021” on the transfer of personal data under the Law Enforcement Directive (LED).

The EDPB notes that there is a strong alignment between the EU and the UK data protection regimes, especially in the principles relating to the processing of personal data. It expressly praises the fact that the adequacy decision is to apply for a limited period, as the EDPB also sees the danger that the UK could change its data protection laws. Andrea Jelinek, EDPB Chair, is quoted:

“The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission’s decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

But the EDPB also highlights areas of concern that need to be further monitored by the EC:

1. The immigration exemption, which restricts the rights of those data subjects affected.

2. How the transfer of personal data from the EEA to the UK could undermine EU data protection rules, for example on basis of future UK adequacy decisions.

3. Access to personal data by public authorities is given a lot of space in the opinion. For example, the Opinion analyses in detail the Investigatory Powers Act 2016 and related case law. The EDPB welcomes the numerous oversight and redress mechanisms in the UK but identifies a number of issues that need “further clarification and/or oversight”, namely bulk searches, independent assessment and oversight of the use of automated processing tools, and the safeguards provided under UK law when it comes to disclosure abroad, particularly with regard to the application of national security exemptions.

In summary, this EDPB opinion does not put any obstacles in the way of an adequacy decision and recognises that there are many areas where the UK and EU regimes converge. Nevertheless, it highlights very clearly that there are deficiencies, particularly in the UK’s system for monitoring national security, which need to be reviewed and kept under observation.

As for the next steps, the draft UK adequacy decisions will now be assessed by representatives of the EU Member States under the “comitology procedure“. The Commission can then adopt the draft UK adequacy decisions. A bridging period during which free data transfer to the UK is permitted even without an adequacy decision ends in June 2021 (please see our blog post).

ICO plans to update guidance on anonymisation and pseudonymisation

31. March 2021

The ICO is planning to update their anonymisation and pseudonymisation guidance as blogged by Ali Shah, ICO’s Head of Technology Policy on March 19th, 2021. He emphasizes the important role of sharing personal data in a digital economy, citing the healthcare and financial sector as examples. Thus, in healthcare, data could improve patient care, and in the financial sector, it could help prevent money laundering and protect individuals from fraud.

Last year, the ICO published their recent Data Sharing Code of Practice. The intention of the Data Sharing Code, according to Elizabeth Denham CBE, Information Commissioner, is “to give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way (…)”. Shah calls the Data Sharing Code a milestone and not a conclusion stating that ICO’s ongoing work shall lead to more clarity and advice in regard to lawful data sharing.

He names several key topics that are going to be explored by the ICO in regard to updating the anonymisation and pseudonymisation guidance. Among others, you will find the following:

  • “Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law”
  • “Guidance on pseudonymisation techniques and best practices”
  • “Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs”
  • “Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing”
  • “Technological solutions – exploring possible options and best practices for implementation”

It is to be welcomed that apparently not only the legal side will be explored, but also technical aspects should play their role, as designing and implementing systems with privacy enhancing technologies (PETs) and data protection by design in mind has the potential to contribute to compliance with data protection laws already at the technical level and therefore at an early stage of processing.

The ICO plans to publish each chapter of the guidance asking the industry, academia and other key stakeholders to present their point of view on the topic encouraging them to give insights and feedback in order for the ICO to get a better understanding where the guidance can be targeted most effectively.

European Commission publishes draft UK adequacy decisions

25. February 2021

On February 19th, 2021, the European Commission (EC) has published the draft of two adequacy decisions for the transfer of personal data to the United Kingdom (UK), one under the General Data Protection Regulation (GDPR) and the second for the Law Enforcement Directive. If approved, the decisions would confer adequacy status on the UK and ensure that personal data from the EU can continue to flow freely to the UK. In the EC’s announcement launching the process to adopt the newly drafted adequacy decisions Didier Reynders, Commissioner for Justice, is quoted:

We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.

In the GDPR, this adequacy decision is based on Art. 45 GDPR. Article 45(3) GDPR empowers the EU Commission to adopt an implementing act to determine that a non-EU country ensures an “adequate level of protection”. This means a level of protection for personal data that is substantially equivalent to the level of protection within the EU. Once it has been determined that a non-EU country provides an “adequate level of protection”, transfers of personal data from the EU to that non-EU country can take place without further requirements. In the UK, the processing of personal data is governed by the “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR. The UK is and has committed to remain part of the European Convention on Human Rights and “Convention 108” of the Council of Europe. “Convention 108” is a binding treaty under international law to protect individuals from abuses in the electronic processing of personal data, and in particular provides for restrictions on cross-border data flows where data is to be transferred to states where no comparable protection exists.

The GDPR adequacy decision draft addresses several areas of concern. One of these is the power of intelligence services in the UK. In this respect, the draft focuses on legal bases, restrictions and safeguards for the collection of information for national security purposes. It also details the oversight structure over the intelligence services and the remedies available to those affected. Another aspect discussed is the limitation of data subjects’ rights in the context of UK immigration law. The EC concludes that interference with individuals’ fundamental rights is limited to what is strictly necessary to achieve a legitimate purpose and that there is effective legal protection against such interference. As the UK GDPR is based on the GDPR and therefore the UK privacy laws should provide an adequate level of protection for data subjects, the main risks for EU data subjects do not lie in the current status of these laws but in possible changes of these laws in the future. For this reason, the EU Commission has built a fixed period of validity into the draft adequacy decision. If adopted, this decision would be valid for a period of four years and the adequacy finding could be extended for a further four years if the level of protection in the UK remains adequate. However, this extension would not be automatic, but subject to a thorough review. This draft marks the first time that the EU has imposed a time limit on an adequacy decision. Other adequacy decisions are subject to monitoring and regular review but are not time-limited by default.

The UK government welcomed the EC’s draft in a statement, while also calling on the EU to “swiftly complete” the process for adopting and formalizing the adequacy decisions, as the “bridging mechanism” will only remain in force until June 30th. Under the EU-UK Trade and Cooperation Agreement, the EU and UK agreed on a transition period of up to six months from January 1st, 2021, during which the UK is treated as an adequate jurisdiction (please see our blog post). The draft adequacy decisions address the flow of data from the EU to the UK. The flow of data from the UK to the EU is governed by UK legislation that has applied since 1 January 2021. The UK has decided that the EU ensures an adequate level of protection and that data can therefore flow freely from the UK to the EU.

Next, the non-binding opinion of the European Data Protection Board is sought (Art. 70 GDPR). After hearing the opinion of the European Data Protection Board, the representatives of the member states must then confirm the draft in the so-called comitology procedure. This procedure is used when the EC is given the power to implement legal acts that lay down conditions for the uniform application of a law. A series of procedures ensure that EU countries have a say in the implementing act. After the comitology procedure, the EC is free to adopt the drafts.

EU-UK Trade Deal in light of Data Protection

4. January 2021

Almost fit to be called a Christmas miracle, the European Union (EU) and the United Kingdom (UK) came to an agreement on December 24th, 2020. The Trade Agreement, called in full length “EU-UK Trade and Cooperation Agreement“, is set out to define new rules from the date of the UK Exit from the EU, January 1st, 2021.

President of the European Commission, Ursula von der Leyen, claimed it was a deal worth fighting for, “because we now have a fair and balanced agreement with the UK, which will protect our European interests, ensure fair competition, and provide much needed predictability for our fishing communities. Finally, we can leave Brexit behind us and look to the future. Europe is now moving on.

In light of Data Protection however, the new Trade Deal has not given much certainty of what is to come next.

Both sides are aware that an adequacy decision by the EU Commission is very important with regard to data protection and cross-border data flows. Accordingly, the EU has agreed to allow a period of four months, extendable by a further two months, during which data can be transferred between EU Member States and the UK without additional safeguards. This period was granted to give the Commission enough time to make an adequacy decision. Accordingly, data transfers can continue as before until possibly mid-2021. However, this arrangement is only valid if the UK does not change its data protection laws in the meantime.

With regard to direct marketing, the situation has not changed either: for individuals, active consent must be given unless there was a prior contractual relationship and the advertising relates to similar products as the prior contract. Furthermore, the advertising must also be precisely recognisable as such, and the possibility of revoking consent must be given in every advertising mail.

However, much else has yet to be clarified. Questions such as the competence of the UK Data Protection Authority, the Information Commissioner’s Office (ICO), as well as the fate of its ongoing investigations, have not yet been answered. As of now, companies with their original EU Headquarters in the UK will have to designate a new Lead Supervisory Authority (Art. 56 GDPR) for their business in the EU.

The upcoming months will determine if questions with high relevance to businesses’ day to day practice will be able to be answered reassuringly.

The Controversy around the Council of the European Union’s Declaration on End-to-End Encryption

27. November 2020

In the course of November 2020, the Council of the European Union issued several draft versions of a joint declaration with the working title “Security through encryption and security despite encryption”. The drafts were initially intended only for internal purposes, but leaked and first published by the Austrian brodcasting network “Österreichischer Rundfunk” (“ORF”) in an article by journalist Erich Möchel. Since then, the matter has sparked widespread public interest and media attention.

The controversy around the declaration arose when the ORF commentator Möchel presented further information from unknown sources that “compentent authorities” shall be given “exceptional access” to the end-to-end encryption of communications. This would mean that communications service providers like WhatsApp, Signal etc. would be obliged to allow a backdoor and create a general key to encrypted communications which they would deposit with public authorities. From comparing the version of the declaration from 6 November 2020 with the previous version from 21 October 2020, he highlighted that in the previous version it states that additional practical powers shall be given to “law enforcement and judicial authorities”, whereas in the more recent version, the powers shall be given to “competent authorities in the area of security and criminal justice”. He adds that the new broader wording would include European intelligence agencies as well and allow them to undermine end-to-end encryption. Furthermore, he also indicated that plans to restrict end-to-end encyption in Western countries are not new, but originally proposed by the “Five Eyes” intelligence alliance of the United States, Canada, United Kingdom, Australia and New Zealand.

As a result of the ORF article, the supposed plans to restrict or ban end-to-end encryption have been widely criticised by Politicians, Journalists, and NGOs stating that any backdoors to end-to-end encryption would render any secure encryption impossible.

However, while it can be verified that the “Five Eyes” propose the creation of general keys to access end-to-end encrypted communications, similar plans for the EU cannot be clearly deduced from the EU Council’s declaration at hand. The declaration itself recognises end-to-end encryption as highly beneficial to protect governments, critical infrastructures, civil society, citizens and industry by ensuring privacy, confidentiality and data integrity of communications and personal data. Moreover, it mentions that EU data protection authorities have identified it as an important tool in light of the Schrems II decision of the CJEU. At the same time, the Council’s declaration illustrates that end-to-end encryption poses large challenges for criminal investigations when gathering evidencein cases of cyber crime, making it at times “practically impossible”. Lastly, the Council calls for an open, unbiased and active discussion with the tech industry, research and academia in order to achieve a better balance between “security through encryption and security despite encryption”.

Möchel’s sources for EU plans to ban end-to-end encryption through general keys remain unknown and unverifiable. Despite general concerns for overarching surveillance powers of governments, the public can only approach the controversy around the EU Council’s declaration with due objectivity and remain observant on whether or how the EU will regulate end-to-end encryption and find the right balance between the privacy rights of European citizens and the public security and criminal justice interests of governments.

Pages: 1 2 3 4 5 6 7 Next
1 2 3 7