Governmental and Regulatory Activity:
- Data transfers from the UK and the EU to the USA: update
- ICO publishes live marketing calls guidance
- Lloyd's requirements for state-backed cyber-attack exclusions
Regulatory Enforcement and Litigation:
- ICO takes action against seven organisations for failing to respond to SARs
- ICO fines catalogue retailer £1.48 million for breaches of UK GDPR and PECR
- AG opinion in the ECJ: Compensation for non-material damage does not automatically accompany every breach of the GDPR
- High Court awards £250 damages for data breach "at the lowest end of the spectrum"
Find out more about the latest change of direction in the intended reform of UK data protection law. With the recent changes in Government, we are waiting to hear whether there will be yet further change.
If you're at IAPP Brussels, let us or a member of the team know and we can catch up on the latest developments!
Governmental and Regulatory Activity
On 7 October the Department for Digital, Culture, Media and Sport (DCMS) announced that the UK and the US have made significant progress towards a data adequacy agreement (which would take the form of an "adequacy regulation" in UK law). Such an agreement would permit organisations to transfer personal data from the UK to the US without putting in place additional safeguards.
On the same date, the US White House announced that President Biden had signed an Executive Order introducing new safeguards that seek to address the concerns raised by the European Court of Justice in the Schrems II decision on transfers of personal data to the USA.
The Executive Order implements into US law a number of commitments made in the agreement in principle reached between the EU and the US in March 2022, including new binding safeguards limiting access to data by surveillance agencies to information that is necessary and proportionate to protect national security, and a new two-tier independent redress mechanism to investigate and resolve complaints.
The European Commission has announced that it is now commencing its "adequacy decision" approval process, which involves publication of a draft adequacy decision and consultation with the European Data Protection Board and the EU member states.
Max Schrems' privacy activist organisation noyb (None of your business) has, perhaps unsurprisingly, published a first reaction to the Executive Order, expressing the opinion that it is unlikely to satisfy EU law.
DWF Solutions: In view of the ongoing uncertainty surrounding data transfers from the UK and the EEA to the USA, please contact one of our data privacy specialist lawyers for advice on the most efficient way to make global data transfers in compliance with the law.
The ICO has published Guidance on direct marketing using live calls which covers how the Privacy and Electronic Communications Regulations 2003 (PECR) apply to live marketing calls.
The guidance covers:
- What are live direct marketing calls?
PECR does not use the term 'live marketing calls', but the ICO uses it to refer to telephone calls, where a live person speaks to the person they are calling, to distinguish these from calls made by an automated dialling system.
Direct marketing covers all types of advertising, marketing or promotional materials. It includes the promotion of products and services and the promotion of aims and ideas (e.g. fundraising or campaigning).
The rules do not apply to:
- service messages, i.e. calls made for administrative or customer service purposes, such as calls to check that someone's details are correct or to advise them of a problem with their account; or
- live calls for genuine market research
However, if the call includes promotional elements or you collect contact details to send marketing communications, the call will be direct marketing.
The rules are not limited to calls involving personal data, so they apply even if the caller does not know the name of the recipient. PECR applies to subscribers, i.e. the person or organisation who has the contract with the service provider, so the rules are not limited to calls to individuals.
- What are the rules on live direct marketing calls?
- Who is responsible for complying with the rules on live marketing calls? The caller or the instigator is responsible, so if your organisation appoints a third party to make calls on your behalf, you are responsible.
- What are the rules on making most types of live marketing calls? You don’t need consent under PECR to make most types of live marketing calls. For most types of live calls, you can make unsolicited marketing calls to people and businesses if:
- they have not objected to your live marketing calls; and
- they are not registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
Stricter rules apply to direct marketing calls about claims management services and pension schemes. See the ICO guidance for details.
- What is the difference between solicited and unsolicited calls? Some of the rules only apply to unsolicited calls, meaning calls that the recipient has not specifically requested. Calls that the recipient has specifically asked for are solicited calls.
- What is consent? While the ICO states that consent is not usually required for marketing calls under PECR, if you choose to rely on consent as the lawful basis for the personal data processing under the UK GDPR, remember that the consent needs to meet the UK GDPR standard: freely given, specific, informed and unambiguous. You must also make it easy to withdraw consent.
- What information must be provided? When making solicited or unsolicited marketing calls, you must:
- display your number or a valid contact number;
- say the name of your organisation; and
- provide contact details of your organisation if asked.
- How do we comply with the rules on live marketing calls?
Can we use bought-in lists or publicly available phone numbers to make live marketing calls? The normal PECR rules apply, so you must check the numbers against the TPS/CTPS lists and your own 'do not call' lists, and comply with the additional rules for calls about claims management and pension schemes. The guidance sets out the very limited circumstances in which it may be permitted to call a number registered on the TPS.
- What else do we need to consider?
This section covers:
- the need to comply with the UK GDPR as well as PECR, including the data protection principles of fairness, lawfulness and transparency; and
- the ICO's enforcement powers, which include serving an enforcement notice and imposing fines of up to £500,000.
DWF Solutions: Running direct marketing campaigns in accordance with the law can be difficult, due to the need to comply with both the UK GDPR and PECR and sector-specific requirements. Please let us know if you'd like us to advise on your marketing plans.
From 31 March 2023, Lloyd's requires all standalone cyber-attack policies written in its market to exclude liability for losses arising from any state-backed cyber-attack. We consider the impact of these minimum requirements in this rapidly evolving area of law. Find out more.
Regulatory Enforcement and Litigation
The ICO has announced that it has taken action against seven organisations, including issuing reprimands under the UK GDPR and practice recommendations under the Freedom of Information Act 2000 (FOIA). The action was taken because of the organisations' failure to meet their obligations to respond to subject access requests (SARs) within the required timeframe.
DWF Solutions: Contact one of our data protection specialists if you would like to discuss how we can support your organisation to manage SARs and other privacy rights requests, or you can read more about our approach here: Cyber Security Compliance, Data Compliance
The ICO has fined a catalogue retailer:
- £1,350,000 for using its customers' personal information to predict their medical condition and target them with health-related products without their consent; and
- £130,000 for making 1,345,732 predatory direct marketing calls.
The fine was high because:
- the breach involved a large number of data subjects (145,400);
- there was significant profiling of customers and invisible processing, meaning that people were unaware the company was collecting and using their personal data for that purpose;
- the processing involved health data, which is special category data; and
- there had been a failure to apply reasonable measures to mitigate the breach. In particular, the ICO stated that failure to conduct a Data Protection Impact Assessment (DPIA) was a notable failing.
DWF Solutions: If you would like advice on your marketing plans, or support with conducting a DPIA, please contact one of our data protection specialists.
AG opinion in the ECJ: Compensation for non-material damage does not automatically accompany every breach of the GDPR
An Advocate General (AG) of the European Court of Justice (ECJ) has issued an opinion that:
- a mere breach of the GDPR is not in itself sufficient to merit an award of compensation if that infringement is not accompanied by material or non-material damage; and
- compensation for non-material damage provided for in Article 82 of the GDPR does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of the GDPR.
While the ECJ judges are not obliged to follow the AG's opinion, in practice they usually do.
In the UK, a High Court judge has awarded damages of £250 to a claimant who, the judge accepted, would have experienced a very modest degree of distress as a result of the breach.
As we've reported in previous issues of DWF Data Protection Insights, for example the February 2022 edition, the UK courts are reluctant to grant significant amounts of compensation for minor breaches of data protection law that do not cause real harm to the data subject.
For advice on any aspect of data protection law please contact one of our privacy specialists.