This month in review:
The key themes this month continue to focus on regulatory matters in relation to direct marketing failures and personal data breaches. There are also developments in protecting children online following the implementation of the Online Safety Act, and news of the Data Protection & Digital Information (No.2) Bill being progressed during this sitting of Parliament.
Also don't forget to sign up for our DP Summit on 6 December, more details below!
Also this month, we've identified some key themes in what our clients are asking us. We thought we'd share these to provoke some thoughts amongst readers:
- The first relates to data subject access requests, whether from employees or former employees or arising from a data breach; we can help with delivery, training, strategy and process.
- The second is providing insightful training to improve confidence in compliance and awareness of data protection laws, increasingly a factor assessed in regulatory action. We can provide impactful in-person training as well as developing engaging e-learning training.
- Our events
- General updates
- Adtech and direct marketing
- AI and Innovation
- Cyber and ransomware
- Employment and Data Subject Rights
- Public sector
Second Annual DWF Data Protection & Cyber Security Summit
We are looking forward to our next in-person DP&CS Summit on 6 December 2023 in our London office. Our data protection and cyber security experts and guest speakers will be discussing:
- regulation and supervision in the UK
- how to improve your data protection programme
- the need for transparency in online advertising, direct marketing and cybersecurity
- privacy and the ESG agenda
- practical approaches for dealing with DSARs
- challenges in the use of automated facial recognition
- the priorities in the Online Safety Bill for child protection
- using AI to defend against email security threats
- automated recognition in the workplace, with comparative view in leading EU countries
Make sure you register your interest so you don't miss out!
EU – camera surveillance during daytime is justified at Swedish school to prevent fires
The Swedish Authority for Privacy Protection (IMY) concluded that the use of approximately 50 cameras in a Swedish school, which monitored hallways, stairwells, corridors, doors, toilets and student lockers 24 hours a day, 7 days a week, was justified to prevent the threat to life and health from fires. IMY also highlighted the importance of documenting incidents that have happened and investigating whether there are alternative methods available. In this particular case, the other options for camera surveillance were more intrusive and wider than necessary to protect against the risk of fires.
UK – Court of Appeal confirms the ICO has broad discretion in deciding the extent to which it investigates a complaint
In the case of Delo v Information Commissioner 2023, the Court of Appeal considered to what extent the ICO is required to investigate complaints that it receives from data subjects. The court held that the ICO has broad discretion regarding the degree of resources and time it dedicates to investigate any particular complaint, and that it does not need to determine the merits of every data subject complaint. On 10 October, the ICO issued a formal statement expressing its approval of the court's decision that the ICO acted lawfully. For additional information, please refer to Tuğhan Thuraisingam's recent article.
UK – Information Commissioner, John Edwards, delivers opening Data Protection Practitioners' Conference 2023 speech
In the opening of the Data Protection Practitioners' Conference, John Edwards touched upon the newly launched ICO employee monitoring guidance, which helps employers understand the data protection implications of using monitoring software. The ICO also announced a subject access tool, which helps individuals submit a SAR by ensuring that they provide all the relevant information. Lastly, the ICO touched upon the DPDI Bill and confirmed that the Bill will not affect its independence and that the Bill introduces more flexibility for businesses, which should make it easier for organisations processing personal information.
UK – The Data Protection and Digital Information Bill (No.2): The King's Speech
On 7 November 2023, King Charles III announced that his "ministers will introduce new legal frameworks to… encourage innovation in technologies such as machine learning". The Data Protection and Digital Information (No.2) Bill should help encourage this innovation, as well as increase the protection of individuals from harm by building on the UK's data protection regime. The Bill simplifies the UK regime for those businesses not operating in the EU and/or targeting EU citizens, as we've described previously. The inclusion of the Bill indicates the Government's intent to make these changes in the coming year. The Bill will establish a framework for secure digital verification services that should result in smoother and cheaper online transactions, and it will enable "Smart Data" schemes, which will provide individuals with access to lower-price schemes such as Open Fuel and Open Banking.
UK – how data protection law can help retailers tackle shoplifting
In the UK, criminal offence data can be disclosed where it is necessary and proportionate. The ICO has issued a blog that provides examples of situations where sharing of such data may or may not be appropriate:
Likely to be appropriate
- Sharing suspect details with the police to prevent, detect or investigate crime
- Sharing information with a manager of another store in your shopping centre
- Sharing information with the security guards of your shopping centre
May not be appropriate
- Putting images in a staff room (or other insecure channels) or in public places (e.g. shop windows/lamp posts)
- Local businesses sharing images between one another via a messaging platform (without an agreement in place that controls access/use)
- Publishing information on a public social media group
EU – IMY fines retailer H&M for making it difficult to avoid marketing
The Swedish Authority for Privacy Protection (IMY) fined H&M for not ceasing to process the complainants' personal data for direct marketing without undue delay. The complainants were not based in Sweden, but their complaints were handed over to IMY because H&M has its headquarters in Sweden. The administrative fine was SEK 350,000, which is approximately GBP 26,000.
UK – ICO issues further fines to organisations for illegal direct marketing activities
The ICO has fined three organisations a total of GBP 170,000 for collectively sending, and allowing third parties to send, more than 2.7 million unwanted direct marketing text messages and calls to individuals.
UK – ICO issues preliminary enforcement notice against Snap
The ICO issued Snap with a preliminary enforcement notice over its potential failure to properly assess the privacy risks posed by its generative AI chatbot 'My AI' to its users, including children aged 13 to 17. The ICO held that the data privacy assessment conducted by Snap (in relation to Snapchat+), which ought to identify the risks posed by generative AI technology, particularly to children, was not adequate. If the final enforcement notice is adopted, Snap may have to stop offering its AI product to users.
US – The White House releases an executive order on AI
On 30 October 2023, U.S. President Joe Biden released an executive order to regulate the use of AI. According to the fact sheet published by the White House, the order involves setting new standards for AI safety and security, protecting the privacy of US citizens, advancing equity and civil rights (including the Blueprint for an AI Bill of Rights which has already been published), standing up for consumers, patients and students, supporting workers in the workplace, promoting innovation and competition, advancing US leadership abroad and ensuring responsible and effective government use of AI. Stewart Room analyses it in more detail here.
UK – ICO seeks Sandbox entrants for 2024
The ICO's Regulatory Sandbox service provides organisations with numerous benefits, including free access to ICO expertise, increased confidence in data protection compliance, the opportunity to inform future ICO guidance and many more. Organisations involved in biometric processing, emerging technologies or exceptional innovations have until 31 December 2023 to submit their expression of interest to participate in the 2024 service.
US – SolarWinds and Chief Information Security Officer charged with fraud and internal control failures relating to cybersecurity
The Securities and Exchange Commission (SEC) charged SolarWinds Corporation and its Chief Information Security Officer with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. One likely effect of this case is to increase CISOs' exposure and vulnerability within their corporate structures, and to change how security is reported within the business, since the FTC as well as the SEC have powers to take strong enforcement action against misleading practices. Litigation will also become inevitable, because heightened levels of transparency will provide more fuel for disputes and insecurity will erode the value of investments. Organisations may need to review how they approach legal advice in the sector, because it is common in the ransomware field for plain legal advice to be delivered by non-lawyers, presumably copied from Google or borrowed from other engagements. For additional information, please refer to Stewart Room's recent article.
US – financial firms ordered to report data breaches in less than 30 days
The US Federal Trade Commission (FTC) has amended its Safeguards Rule to broaden its application to include non-banking financial institutions (e.g. mortgage brokers, investment firms, peer-to-peer lenders and similar organisations). The amendment means that from April 2024, where such an institution has a data breach affecting at least 500 consumers (especially where cleartext information is involved), the breach must be reported to the FTC within 30 days.
US – customers speak out over Okta's response to latest breach
Customers (BeyondTrust and Cloudflare) of identity and access management specialist Okta have criticised it after both were caught up in another cyber-attack. BeyondTrust detected an attacker on Okta's systems and was able to cut the attacker off, but Okta's response was delayed: Okta took 17 days from the date of the breach to notify BeyondTrust that it had been affected by a data breach.
Similarly, Cloudflare detected an attacker 24 hours before Okta notified it of the data breach. In response, Okta has said it is creating dedicated security channels for all of its customers.
India – data breach leaks information about 815 million individuals
The Indian Council of Medical Research (ICMR) is alleged to have suffered a data breach causing information about 81.5 crore Indians (815 million) to be offered for sale on the dark web. There is no official confirmation from ICMR or the government, but the data stolen is said to include names, contact details, Aadhaar (Government ID) and passport details, age, gender and address.
UK – ICO publishes guidance on monitoring employees in the workplace
Research conducted by the ICO finds that 70% of the people surveyed would find monitoring in the workplace intrusive and less than 1 in 5 (19%) would feel comfortable taking a new job if they knew their employer would be monitoring them.
The ICO's guidance reminds organisations to consider both their legal obligations and workers' rights before deciding to monitor their employees, for example by tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings or using specialist monitoring software. If deemed necessary and proportionate, steps to implement lawful workplace monitoring include:
- Making employees fully aware of the nature, extent and reasons for monitoring;
- Having a clear, defined purpose and using the least intrusive means to achieve it;
- Having a lawful basis for processing workers' data;
- Informing workers of any monitoring in a way that is easy to understand;
- Only keeping information which is relevant to its purpose;
- Conducting a DPIA where monitoring is likely to result in high risk to the rights of workers; and
- Making any personal information collected through monitoring available to workers in response to a Data Subject Access Request.
EU – EDPB chooses right of access by controllers as the topic for 2024 Coordinated Action
Since the EDPB's decision to set up a Coordinated Enforcement Framework in October 2020, as part of its 2021-2023 Strategy, each year the EDPB selects a topic for data protection authorities to focus on. The EDPB has chosen the implementation of the right of access (DSARs) by controllers as the topic for its third coordinated enforcement action, which will be launched in 2024.
UK – ICO reprimands University Hospitals of Derby and Burton NHS Foundation Trust for lost referrals
The ICO issued a reprimand to University Hospitals of Derby and Burton NHS Foundation Trust (UHDB) after a computer system caused some patient referrals to be delayed or lost altogether. The ICO's investigation found that UHDB failed to implement a formal process or apply a suitable level of security when processing referrals, and failed to have any formal oversight in place to ensure referrals were being effectively managed. As a result, nearly 5,000 patients were affected and some patients had to wait over two years for medical treatment to be arranged.