Tag: ICO

UK intents to deliver own Adequacy Decisions for Data Transfers to Third Countries

30. August 2021

On August 26, 2021, the UK Department of Culture, Media and Sport (DCMS) published a document in which it indicated the intent to begin making adequacy decisions for UK data transfers to third countries.

As the UK has left the EU, it has the power under Chapter V of the UK General Data Protection Regulation (UK GDPR) to independently assess the standard of data protection in other jurisdictions, and recognize certain jurisdictions as adequate for the purpose of foreign UK data transfers. This was announced by the DCMS in a Mission Statement including reference to international data transfers, “International data transfers: building trust, delivering growth and firing up innovation“.

“In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity,” writes the UK Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden and Minister for Media and Data John Whittingdale.

The UK has developed and implemented policies and processes for reaching adequacy agreements with its partners. So far it has identified 10 countries as “priority destinations” for these deals. The countries include Australia, Brazil, Columbia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and the USA.

The adequacy of a third country will be determined on the basis of whether the level of protection under the UK GDPR is undermined when UK data is transferred to the respective third country, which requires an assessment of the importing jurisdiction’s data protection laws as well as their implementation, enforcement and supervision. Particularly important for the consideration will be the third country’s respect for rule of law and the fundamental human rights and freedoms.

The Mission Statement specifies four phases in assessing the adequacy of a jurisdiction. In the first phase, the UK Adequacy Assessment team will evaluate if an adequacy assessment will take place. The second phase involves an analysis of the third country’s level of data protection laws, the result of which will influence the third phase, in which the UK Adequacy Assessment team will make a recommendation to the UK Secretary of State. In the fourth and last phase, the relevant regulations will be presented to Parliament to give legal effect to the Secretary of State’s determination.

Adequacy decisions are planned to be reviewed at least once every four years, and may be subject to judicial review.

Amex fined for sending four million unlawful emails

15. July 2021

American Express Service Europe Limited (Amex) has received a £ 90,000 fine from the UK Information Commissioner’s Office (ICO) for sending over four million unwanted marketing emails to customers.

The reason for the investigation by UK’s supervisory authority were complaints from Amex customers, which claimed to have been receiving marketing emails even though they had not given their consent to do so. The emails, sent as a part of a campaign, contained information regarding benefits of online shopping, optimal use of the card and encouragement to download the Amex app. According to Amex, the emails were rather about “servicing”, not “marketing”. The company insisted that customers would be disadvantaged if they were not aware of the campaigns and that the emails were a requirement of the credit agreements.

The ICO did not share this view. In its opinion, the emails were aimed at inducing customers to make purchases with their cards in return for a £ 50 benefit, and thus “deliberately” for “financial gain”. This constitutes a marketing activity which, without a valid consent, violates Regulation 22 of the Privacy and Electronic Communications Regulations 2003. The consents and therefore the legal basis were not given in this case.

The ICO Head of Investigations pointed out how important it is for companies to know the differences between a service email and a marketing email to ensure that email communications with customers are compliant with the law. While service messages contain routine information such as changes in terms and conditions or notices of service interruptions, direct marketing is any communication of promotional or marketing material directed to specific individuals.

An Amex spokesperson assured that the company takes customers’ marketing preferences very seriously and has already taken steps to address the concerns raised.

British Airways could reach a settlement over the 2018 data breach

7. July 2021

Back in 2018 British Airways was hit by a data breach affecting up to 500 000 data subjects – customers as well as British Airways staff.

Following the breach the UK’s Information Commissioners Office (ICO) has fined British Airways firstly in 2019 with a record fine of £183.000.000 (€ 205.000.000), due to the severe consequences of the breach. As reported beside inter alia e-mail addresses of the concerned data subjects also credit card information have been accessed by the hackers.

The initial record fine has been reduced by the ICO in 2020 after British Airways appealed against it. The ICO announced the final sanction in October 2020 –  £20.000.000 (€ 22.000.000). Reason for the reduction has been inter alia the current COVID-19 situation and it’s consequences for the Aviation industry.

Most recently it has been published that British Airways also came to a settlement in a UK breach class action with up to 16 000 claimants. The details of the settlement have been kept confidential, so that the settlement sum is not known, but the law firm, PGMBM, representing the claimants, as well as British Airways announced the settlement on July 6th.

PGMBM further explains, that the fine of the ICO “did not provide redress to those affected”, but that “the settlement now addresses” the consequences for the data subjects, as reported by the BBC.

ICO fined several companies for data protection infringements

15. June 2021

The UK Information Commissioner’s Office (“ICO”) has fined several companies at the beginning of June for data protection infringements.

All fines have in common that the fined companies conducted marketing measures without having the required consent for doing so.

  • Conservative Party

The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails without having the required legal basis and in violation of Regulation 22 of the Privacy and Electronic Communications Regulation 2003 (PECR).

The Conservative Party sent out a total of 1.190.280 marketing emails between July 24th and July 31st 2019, right after the election and in the name of Rt Hon Boris Johnson MP.

The ICO investigated that the party failed to ensure having a valid legal basis for marketing emails when changing the email provider. Even though the ICO assumes that there are more than 51 concerned data subjects, the ICO only received complaints of 51 individuals, thus the fine is based on this amount of concerned data subjects.

  • Colour Car Sales Ltd.

The ICO has fined Colour Car Sales Ltd (CCSL)  £170,000  for sending spam text messages from October 2018 to January 2020. CCSL is a credit intermediary for used car finance and the purpose of the spam texts was to direct the recipients to car finance websites.

Also in this case basis for the fine has been complaints of concerned data subjects which complained about not have given consent for receiving marketing emails from CCSL.

  • Solarwave of Grays

The ICO has fined Solarwave of Grays £100,000 for conducting 73.217 marketing calls about solar panel maintenance from January to October 2020.

The complainants that raised the concerns stated that they were registered with the Telephone Preference Service and should have received any marketing telephone calls based on this.

The Telephone Preference Service is the UK’s “do not call register” with which individuals can register to show that they are not interested in receiving any kind of marketing phone calls.

Beside the violation of the data protection law and the Telephone Preferences Service the concerned data subjects also stated that the callers were rude and persistent and ignored stop requests.

  • LTH Holdings

The ICO has fined LTH Holding, a Cardiff based telephone marketing company, £145,000 for conducting 1.4 million calls trying to sell funeral plans between May 2019 and May 2020.

In this case the ICO received 41 complaints and the complainants were also registered with the Telephone Preferences Service. Beside this infringement, the concerned data subjects also told the ICO that LTH adopted aggressive, coercive and persuasive methods to sell funeral plans.

  • Papa John’s

The ICO has fined Papa John’s Limited, a national takeaway pizza company, £10,000 for sending 168,022 nuisance marketing messages to its customers.

In this case the ICO received 15 complaints also stating the distress and annoyance the messages were causing. Some customers received up to 100 messages in two months without ever have given consent for marketing emails.

The ICO investigated that Papa John’s has sent over 210.000 messages to customers between October 1st 2019 and April 30th 2020.

In the contrary to the opinion of Papa John’s the ICO did not see the possibility to rely on “soft opt-in” because the data used for the marketing emails has been obtained for processing orders and not receiving marketing emails. Furthermore, the required information of the customers on this processing activity is missing.

ICO plans to update guidance on anonymisation and pseudonymisation

31. March 2021

The ICO is planning to update their anonymisation and pseudonymisation guidance as blogged by Ali Shah, ICO’s Head of Technology Policy on March 19th, 2021. He emphasizes the important role of sharing personal data in a digital economy, citing the healthcare and financial sector as examples. Thus, in healthcare, data could improve patient care, and in the financial sector, it could help prevent money laundering and protect individuals from fraud.

Last year, the ICO published their recent Data Sharing Code of Practice. The intention of the Data Sharing Code, according to Elizabeth Denham CBE, Information Commissioner, is “to give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way (…)”. Shah calls the Data Sharing Code a milestone and not a conclusion stating that ICO’s ongoing work shall lead to more clarity and advice in regard to lawful data sharing.

He names several key topics that are going to be explored by the ICO in regard to updating the anonymisation and pseudonymisation guidance. Among others, you will find the following:

  • “Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law”
  • “Guidance on pseudonymisation techniques and best practices”
  • “Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs”
  • “Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing”
  • “Technological solutions – exploring possible options and best practices for implementation”

It is to be welcomed that apparently not only the legal side will be explored, but also technical aspects should play their role, as designing and implementing systems with privacy enhancing technologies (PETs) and data protection by design in mind has the potential to contribute to compliance with data protection laws already at the technical level and therefore at an early stage of processing.

The ICO plans to publish each chapter of the guidance asking the industry, academia and other key stakeholders to present their point of view on the topic encouraging them to give insights and feedback in order for the ICO to get a better understanding where the guidance can be targeted most effectively.

EU-UK Trade Deal in light of Data Protection

4. January 2021

Almost fit to be called a Christmas miracle, the European Union (EU) and the United Kingdom (UK) came to an agreement on December 24th, 2020. The Trade Agreement, called in full length “EU-UK Trade and Cooperation Agreement“, is set out to define new rules from the date of the UK Exit from the EU, January 1st, 2021.

President of the European Commission, Ursula von der Leyen, claimed it was a deal worth fighting for, “because we now have a fair and balanced agreement with the UK, which will protect our European interests, ensure fair competition, and provide much needed predictability for our fishing communities. Finally, we can leave Brexit behind us and look to the future. Europe is now moving on.

In light of Data Protection however, the new Trade Deal has not given much certainty of what is to come next.

Both sides are aware that an adequacy decision by the EU Commission is very important with regard to data protection and cross-border data flows. Accordingly, the EU has agreed to allow a period of four months, extendable by a further two months, during which data can be transferred between EU Member States and the UK without additional safeguards. This period was granted to give the Commission enough time to make an adequacy decision. Accordingly, data transfers can continue as before until possibly mid-2021. However, this arrangement is only valid if the UK does not change its data protection laws in the meantime.

With regard to direct marketing, the situation has not changed either: for individuals, active consent must be given unless there was a prior contractual relationship and the advertising relates to similar products as the prior contract. Furthermore, the advertising must also be precisely recognisable as such, and the possibility of revoking consent must be given in every advertising mail.

However, much else has yet to be clarified. Questions such as the competence of the UK Data Protection Authority, the Information Commissioner’s Office (ICO), as well as the fate of its ongoing investigations, have not yet been answered. As of now, companies with their original EU Headquarters in the UK will have to designate a new Lead Supervisory Authority (Art. 56 GDPR) for their business in the EU.

The upcoming months will determine if questions with high relevance to businesses’ day to day practice will be able to be answered reassuringly.

ICO fines Marriott International

9. November 2020

The Information Commissioner’s Office (ICO) fines Marriott International Inc. (Marriott) £18.400.00  (€20.397.504).

The fine refers to a data breach which occurred in 2018. Back then the world’s largest hotel company based in the USA suffered a massive data breach affecting up to 383 million customers. For Marriott it is still not possible to state the exact number of people affected.

The ICO considers it proven that Marriott failed keeping customers’ personal data secure. In context of the breach confidential data like name, address and contact data as well as unencrypted passport and credit card data has been unauthorized accessed.

In a previous statement in 2019 the ICO announced, that it intends to fine Marriott with a fine of £99.200.396 (€109.969.591) this fine has now been reduced.

The reduction is based on the following reasons: the ICO considered the presentations from Marriott as well as the taken steps by Marriott as well as the consequences of the COVID-19 pandemic.

In October, the fine previously issued by the ICO against British Airways was also reduced, again partly because of the consequences of the COVID-19 pandemic.

Since the data breach occurred before the UK left the EU, the ICO investigated on behalf of all European Data Protection Authorities as lead Supervisory Authority and the fine has been approved by all other Authorities.

Experian to appeal ICO’s decision regarding handling of personal data

29. October 2020

On October 27th, 2020 the Information Commissioner’s Office (ICO) issued an enforcement notice against the credit reference agency Experian Limited, ordering it to make fundamental changes to how it handles personal data related to its direct marketing services in the United Kingdom.

An ICO investigation found that at the three largest credit reference agencies (CRAs) in the UK significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. Experian, Equifax and TransUnion, were ‘trading, enriching and enhancing’ people’s personal data without their knowledge to provide direct marketing services. The data was used by commercial organisations, political parties for political campaigning, or charities for their fundraising campaigns. Some of the CRAs were also using profiling to generate new or previously unknown information about people.

While Equifax and TransUnion made adequate improvements to their marketing practices, the ICO found Experian’s efforts to be insufficient and the processing of personal data to remain non-compliant with the data protection law. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or it will face financial penalties under the GDPR.

Experian is going to appeal the decision by the ICO regarding the notice over data protection failures. In a statement, the Chief Executive Officer Brian Cassin said:

We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.

We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.

 

 

British Airways: Fine reduced

20. October 2020

In 2018 British Airways (BA) had to announce that they suffered a massive data breach. The data breach referred to the online booking tool. Login data and credit card data as well as travel data and address data were accessed illegaly. Affected were more than 400.000 customers.

Back in 2019 the UK’s Information Commissioners Office (ICO) evaluated the breach and stated that weak security precautions enabled the hakers to access the data. Thus, the ICO fined BA as a consequence of the breach a record fine of £183.000.000 (€ 205.000.000).

BA appealed against the fine and now – in 2020 – the ICO announced a reduced fine.

On October 16th, 2020, the ICO announced the final sanction for BA. The initial fine of £183.000.000 (€ 205.000.000) has been reduced to a total fine of £20.000.000 (€ 22.000.000). Reason for the reduction is inter alia the current COVID-19 situation and it’s consequences for the Aviation industry.

The notification from the authority states in this context:

As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

ICO passed Children’s Code

8. September 2020

The UK Information Commissioner’s Office (ICO) passed the Age Appropriate Design Code, also called Children’s Code, which applies especially to social media and online services likely to be used by minors under the age of 18 in the UK.

The Children’s Code contains 15 standards for designers of online services and products. The aim is to ensure a minimum level of data protection. Therefore, the Code requires that apps, games, websites etc. are built up in a way which provides already a baseline of data protection. The following default settings should be mentioned here:

  • Glocalization disabled by default,
  • Profiling disabled by default,
  • Newly created profiles private and not public by default.

Base for the Children’s Code is the UK Data Protection Act of 2018 – local implementation law of the GDPR. Thus, the standards also include the GDPR Data Protection principles Transparency and Data Minimisation.

The requirements also and especially apply to the major social media and online services used by minors in the UK, e.g. TikTok, Instagram and Facebook.

The Code is designed to be risk-based. This means that not all organizations have to fulfil the same obligations. The more companies use, analyse and profile data from minors, the more they must undertake to comply with the Code.

Pages: 1 2 3 4 Next
1 2 3 4