DWF Data Protection Insights July 2023

This month in review:

With adtech being an integral part of modern e-commerce, don't miss our webinar introducing this complex and fascinating topic on 14 September – sign up details are below. 

There's a couple of key themes to draw out this month – around financial and regulatory matters and in respect of simple human errors. Both have significant consequences for individuals but are towards the opposite ends of the spectrum to be able to deal with. One requires complex and cutting-edge analysis, and the other some simple but impactful training – the likes of both of which we enjoy doing for our clients.  

Our trends 

Also this month, we've identified some key themes of what our clients are asking us. We thought we'd share these to provoke some thoughts amongst readers:

• The first relates to law enforcement requests – i.e. the requests (often mistaken for DSARs) from law enforcement or governmental bodies for information about someone. Having a clear process to follow for these is essential. 
• The second is for DSARs themselves. As you'll read below, these can be troublesome to deal with and are often weaponised – i.e. used as a mechanism to lever a benefit from your organisation. We've seen a trend of creating / updating rights request processes as well as supporting clients often in tricky consumer or employment claims in navigating a parallel DSAR. 
• Finally, adtech and AI – what can they be used for, and how should they be applied and controlled? We see this from both supply and customer sides, and it is increasingly topical as AI develops and adtech starts to move away from its cookie dominance.

Our contents this month: 

• Our events
• General updates
• Finance
• Adtech and direct marketing 
• AI and Innovation 
• Cyber and ransomware 
• Employment and Data Subject Rights
• Data transfers
• Public sector

Our events 

Back to top >

An introduction to digital advertising and privacy law webinar 

Don't miss our insightful and impactful webinar on adtech (An introduction to digital advertising and privacy law), delivered to you by our team. It's taking place on Thursday 14 September in a lunchtime webinar format – sign up here.

General updates

Back to top >

ICO submits Data Protection and Journalism Code of Practice for review 

The Data Protection Act 2018 required the ICO to create such a code of practice. It has now done so, and is with the Secretary of State for review before being laid before Parliament in final form. The ICO note that it can be used as good guidance now, and is compatible with other sector-relevant law and guidance.  

Raconteur article regarding digital identity 

Our Global Head of Data Protection and Cyber Security, Stewart Room, has contributed to a panel assessment of this controversial topic, including his conclusion on the matter: "There needs to be better policy development so that we end up with outcomes that are right for society. But no one’s doing it yet. We’re missing all the angles."  Read the full article here.

The EU proposes a new co-operation Regulation to boost the successful enforcement of the GDPR 

The EU states that the GDPR works, but that the procedural enforcement of them differs between Member States.  They assert that if some procedural aspects were aligned, that there would be quicker and more effective functioning of the regulatory approach, leading to decisions and changes much more quickly.  If this does become law, then regulatory enforcement approaches may need to be re-assessed in its wake. Read more here.

Finance

Back to top >

UK – ICO and FCA issue joint letter to UK Finance and Building Societies Association

The joint letter, issued on 18 July 2023, focuses on the interaction between data protection and direct marketing regulations and communications sent by firms providing finance and building society services. In brief, the core issue addressed by the letter is whether data protection regulations prevent firms from contacting their customers about better deals available.

The letter makes it clear that data protection law (UK GDPR and Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR) do not stop firms from sending 'regulatory communication messages' (which must comply with the FCA's Consumer Duty rules and guidance and should "provide neutral, factual information about the interest rate and terms of the savings product they hold, the interest rate and terms of other available savings products, and what their options are for moving to another product"). In practice, this information could be provided on firms' websites too.

UK – ICO statement on banks' personal data processing

Following media reports surrounding disclosures made by banks to news outlets about their customers, the ICO issued a statement to UK Finance to reiterate banks' responsibilities regarding the information they hold. 

The ICO acknowledged that banks are required to collect and process a lot of personal data about their customers, not only to administer their accounts but also to comply with money laundering regulations, for example. However, the ICO also emphasised that data protection rules still apply. In particular, the Information Commissioner highlighted specific data protection principles (being data minimisation, accuracy and lawfulness, fairness and transparency) which must be complied with. 

UK – New data sharing schemes to protect gamblers backed by ICO

Proposals for the financial sector to share data with gambling companies, with the aim of protecting customers from suffering unaffordable losses, has received backing from the ICO. 

The letter to UK Finance confirms that data protection law does not prevent financial risk checks being carried out on customers – provided that transparency and proportionality are considered appropriately. For example, the ICO and the Gambling Commission have collaborated on the design of privacy safeguards, which include gambling companies using personal information they receive solely for the purpose of financial risk checks, and informing customers that checks will be undertaken where they incur significant losses.

UK – ICO Sandbox work to reduce incidents of gambling-related harm

The ICO's Regulatory Sandbox, which aims to support organisations to utilise personal data in innovative and safe ways, has been working with the Betting and Gaming Council to explore the gambling industry's development and trial of a Single Customer View solution. The solution aims to enable unified and proactive intervention by gambling operators to reduce incidents of gambling-related harm.

The Sandbox exit report's considerations focuses on controllership, the lawful basis for processing, special category data processing, data protection impact assessments, storage limitation and transparency, and provides guidance to the Betting and Gaming Council around these key data protection considerations. 

Adtech and direct marketing

Back to top >

UK – Tackling unlawful marketing calls and messages

Through the enforcement of the Privacy and Electronic Communications Regulations 2003, the ICO has issued more than £2.4 million in fines since April 2022 against companies responsible for nuisance calls, texts and emails. Some of these investigations began with just one complaint from a member of the public, and the fines act as a deterrent towards other organisations who may be flouting the law. 

Recent fines have included: a collective £250,000 fine to two energy companies for making unlawful marketing calls to individuals on the TPS register; a £60,000 fine to another organisation for sending thousands of nuisance marketing texts as an attempt to profit from the coronavirus pandemic; and a £110,000 fine to a security company who made 565,344 unlawful direct marketing calls – the investigation followed 94 complaints to the ICO. 

The ICO's blog has a robust but fair approach when it comes to recovering its fines through the work of the Financial Recovery Unit. Whilst payment plans may be provided to debtors in genuine financial hardship, the ICO will pursue formal recovery action against organisations that have the means to pay but fail to do so, which may result in insolvency. Since 2017, more than 36 Directors have been disqualified as a result of the ICO's work with the Insolvency Service to protect the public from nuisance marketers. 

AI and innovation

Back to top >

UK – Worldcoin is launched in the UK 

Following the launch of Worldcoin (a new global digital currency) in the UK on 24 July 2023, the ICO has issued a statement stating that: "Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data. Where they identify high risks that they cannot mitigate, they must consult the ICO. Organisations also need to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment". 

The ICO has confirmed it will be making enquiries with Worldcoin. Assessing risks using a DPIA process is incredibly useful in assessing and then mitigating the risks as a product, service or new use of data is being designed.  

Cyber and ransomware

Back to top >

UK – ICO reprimands The Patient and Client Council for UK GDPR breaches 

On 19 July 2023, the ICO issued a reprimand to The Patient and Client Council ("PCC") for infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR, following the disclosure of special category data to 15 individuals. A member of the PCC staff sent an email to 15 members of a Gender Identity Liaison Panel, which comprised individuals from Northern Ireland who each had lived experience of gender dysphoria, a recognised medical condition. In error, the recipient email addresses were carbon copied ("CC") rather than blind carbon copied ("BCC"), thereby disclosing the email addresses of all panel members to each other. The ICO considered that the recipients could reasonably infer that the other recipients also had experience of gender dysphoria given their inclusion as a recipient and therefore on the panel, which determined that special category data had been disclosed. 

The ICO has recommended that the PCC review and update their policies, procedures and guidance regarding the BCC function and communicate this to its staff members. It also recommended that the PCC consider undertaking an assessment, such as a DPIA, regarding the suitability of the BCC function in general. PCC are due to provide a progress update on these recommendation by 11 October 2023. 

Organisations using BCC for communications should take note! 

UK – ICO reprimands My Media World t/a Brand New Tube for UK GDPR breaches

On 25 July 2023, the ICO issued a reprimand to My Media World Limited t/a Brand New Tube ("BNT") for failing to implement appropriate technical security and organisational measures to properly secure their systems and thereby infringing Article 32(1) and Article 32(1)(d) of the UK GDPR. The reprimand follows the unauthorised access to BNT's systems by a third party which resulted in the exfiltration of the personal data of 345,000 UK data subjects, including their names, email addresses and passwords. 

The ICO has recommended that BNT ensures they have appropriate contracts in place with third party providers, keeps accurate records of their processing activities and security measures they are implementing and carries out regular testing of such measures, recording the outcome and addressing any issues promptly. 

Employment and Data Subject Rights

Back to top >

UK – an example of DSARs being used in disputes

Nigel Farage, a British political figure and former leader of the UK Independence Party, accused his former bank Coutts of closing his account due to his political views. Mr Farage was then able to produce documents, including a report from the bank's reputational risk committee which he obtained via a data subject access request ("DSAR") to Coutts showing that his account was closed because his "views did not align with [Coutts'] values".

This is just one example, amongst a growing list of others, of DSARs being used as a tool by individuals during a dispute with an organisation. It emerged in June 2023 that Caroline Lucas, Green Party MP, submitted a DSAR to the counter-disinformation unit which uncovered that she had been flagged for her criticisms of Ministers and government policy on Covid.

See 'our trends' summary at the start of this article for our observations on the trend for increasingly complex and contentious DSARs.

Data transfers

Back to top >

EU – IMY orders stop on use of Google Analytics for four companies

IMY, the Swedish Data Protection Authority, ordered four companies using Google Analytics (a tool for measuring and analysing traffic on websites) to stop (and to pay administrative fines).

Following complaints issued by the organisation NOYB alleging that the companies transferred data to the United States via Google Analytics, IMY audited the companies and found that, although all four companies had implemented standard contractual clauses, they did not have sufficient additional technical security measures in place.

EU – decision on EU-US Data Privacy Framework

On 10 July 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework. The key principles of the framework include:

• Permitting the free flow of personal data from the EU to companies in the US that participate in the framework. 
• Introducing a new set of binding safeguards to limit access by US intelligence authorities to what is necessary and proportionate. 
• Creating a Data Protection Review Court and a two-tiered redress system to address complaints by EU data subjects.
• Implementing a self-certification system for companies processing data from the EU, requiring that they adhere to the standards expected.
• Incorporating specific monitoring and review mechanisms.

The first periodic review of the framework will take place in 2024, though uncertainties have already arisen as legal challenges have already been announced. As such, many EU data exporters may still continue to use other transfer mechanisms such as the EU SCCs.

The European Data Protection Board has already issued an information note which aims to provide clarity on the implications of the decision for EU data subjects and EU data exporters. 

UK – The UK receives 'associate' status in the Global Cross Border Privacy Rules Forum

On 6 July 2023, the UK became the first country in the world to be granted 'associate' status in the Global Cross Border Privacy Rules ("CBPR") Forum. The Global CBPR system is a government-backed data privacy certification programme that companies can join to demonstrate compliance with internationally recognised data privacy protections, and already includes businesses such as Apple, IBM and Mastercard. The Forum works to support international data transfers whilst safeguarding standards on data protection and privacy, and aims to help drive co-operation between its members (which include the US, Canada, Mexico, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei and Australia), with a view to establishing a universal set of data transfer standards. 

International data transfers are an inescapable part of modern global business transactions, with 93% of the UK's services exports in 2021 being data-enabled. The Minister for Data and Digital Infrastructure stated: "the UK already has high data protection standards in place when it comes to international transfers, and we look forward to sharing our approach on the global stage alongside the CBPR Forum". 

Public sector

Back to top >

UK – The ICO published a blog to help organisations deal with Freedom of Information requests

In July 2022, the ICO published their strategic enduring objectives (contained in ICO25) to promote openness, transparency and accountability, which also supports the Commissioner's duty under the Freedom of Information Act ("FOIA") to promote the following good practice by public authorities regarding FOIA and its Codes of Practice. 

The ICO has recognised that a lack of resource has meant a limited support has been given to public authorities responsible for making public information available however, funding secured in the last comprehensive spending review has allowed the ICO to recruit a new upstream regulation team who can focus on providing further support in this area. The ICO has asked FOI practitioners and public bodies across the country what support they require to get FOI access right. Whilst the ICO is still working through the feedback, the following have been identified as the key areas of focus: 

• Producing and piloting new tools, guidance and training to improve request handling;
• Increasing engagement with the FOI community, listening, sharing learning and promoting best practice to improve transparency; 
• Promoting ease of access by supporting those seeking information to make a FOI request so that requests are easier to handle for public authorities, while giving people the best chance of getting the information they want; and
• Supporting compliance with proactive disclosure and building evidence base of the benefits of proactive transparency, while making requesters more available of how they can access information already available, removing the need to make a request.

UK – ICO reprimands NHS Lanarkshire for UK GDPR breaches

On 31 July 2023, the ICO issued a reprimand to NHS Lanarkshire following the sharing of personal data of patients on a WhatsApp group. There were a minimum of 533 entries within the WhatsApp group that included the names of adult and child patients, to which 26 members of staff had access. Of those entries, 215 included phone numbers, 96 included dates of birth, and 28 included addresses. 15 images, 3 videos and 4 screenshots were also shared which included special category data as defined by Article 9(1) of the UK GDPR. 

The ICO has made various recommendations to NHS Lanarkshire – which include completing any outstanding remedial actions, considering the implementation of an image transfer system, considering the risks prior to deploying new applications, and communicating clear instructions and data protection responsibilities to employees, and reviewing and where required updating all relevant policies and procedures. NHS Lanarkshire are due to provide an update on the progress they have made on these recommendations by 14 January 2024. 

Use of WhatsApp and other digital communications and AI-enabled services is increasingly coming under scrutiny. 

If you have any questions relating to this article please reach out to our authors below.