As anticipated, the e-Privacy Regulation did not get over the line before the end of the last term of the European Parliament. However, the new Finnish presidency has stated that the regulation will continue to be a priority for the European Parliament this year, with the European Data Protection Board recently calling upon EU legislators to intensify efforts towards adoption by the end of 2019 (although this seems ambitious given the delays to date). One of the key sticking points is the debate over the role of consent under the new regulation.
In the meantime, on 29 March 2019, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulation 2019 came into effect, and amended the definition of 'consent' in the Privacy and Electronic Communication (EC Directive) regulations 2003 to align to consent under the GDPR (meaning that implied consent and browse-wrap consent for cookies is non-compliant).
Although at this stage we aren’t aware of any enforcement action by the Information Commissioner's Office (ICO), and market practice does not seem to have fully caught up (the ICO itself has admitted that its own cookie banner and cookie consent mechanisms do not currently comply with these updated requirements). Organisations should use this as an opportunity to revaluate their current cookie practices, and in particular in preparation for the e-Privacy Regulations.
EU Cybersecurity Act
The EU's Cybersecurity Act came into force on 27 June 2019. The Act introduces a mechanism for EU-wide cybersecurity certification and an enhanced role for ENISA, the EU's cybersecurity agency. Companies with ICT processes, products or services that may be covered by the proposed certification scheme will need to monitor developments carefully. The provisions which require Member States to designate authorities with respect to cybersecurity certification will become applicable two years following publication.
Processing of children's data
the ICO has released a new consultation document on its code of practice applicable to information society services which may be accessed by children. The draft code sets out key principles for ensuring an "age appropriate design", including to set "default" privacy settings at the highest protection (such as geolocation information to be set to “off” by default). The code will apply to relevant services that are 'merely likely' to be accessed by children, and not just those that are 'targeted' at children.
The European Data Protection Board (EDPB) has published a set of draft guidelines to clarify what is meant by 'lawful processing' under Article 6(1)(b) of the GDPR (for processing that is necessary for performance of a contract) in the context of contracts for online services.
The guidelines state that a controller must be able to show that the main object of the contract with the data subject cannot be performed without the processing of the relevant personal data. If there is an alternative way to perform the contract without such processing, and the processing is merely 'helpful', then it will not be objectively 'necessary'. This will require controllers to more closely scrutinise the actual purpose and requirement for the personal data being processed under Article 6(1)(b).
In May 2019, the ICO launched its 'Be Data Aware' campaign to help the general public understand how organisations use their data, as well as informing people on how they can control it. This campaign is likely to result in an increase in the number of complaints and requests received by organisations on their data privacy practices.
The ICO is also set to develop a new framework (to be published in spring 2020) on how artificial intelligence (AI) can be audited to check for compliance with data protection laws, having previously raised some concerns that AI and machine learning (ML) can exacerbate known security risks, and result in decisions that are biased or not fully transparent. The ICO is currently asking for input to help shape its proposed framework.
On 8 July 2019, the ICO announced its intention to fine British Airways £183.39 million for infringements of the GDPR. This would be its first monetary fine under the new legislation. However, the ICO has previously issued enforcement notices requiring that entities cease to process personal data.
The ICO's GDPR 'One Year On' update demonstrates the material rise in data breach reporting. The ICO received 14,000 reports from 25 May 2018 to 1 May 2019, up from 3,300 in the year from 1 April 2017. Of the 14,000 reported, the ICO closed over 12,000 cases during the year. Of those closed, around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or stringent enforcement action. We await the outcomes for the 2,000 cases that have not yet been closed by the ICO, and anticipate that, particularly given the scale of the British Airways fine, some of these may result in more stringent enforcement action.
Data controllers should also ensure that they are up to date with their statutory data protection fee and registration (£40, £60 or £2,900 fee dependent on the size of the controller entity), which can be paid or renewed on the ICO website. This should be completed for all relevant group companies that act in a controller capacity. The ICO has now issued fines (in the region of £4,000) to organisations that have failed to pay/renew the annual fee.
In Focus | Regulatory powers and trends
Who are the regulators?
The ICO the principal regulator for data protection in the UK. It is also the supervisory authority in the UK for the purposes of the GDPR and enforcement in relation to data protection.
Sector specific regulators that do not focus on data protection also have enforcement powers in relation to cybersecurity. These include the Financial Conduct Authority in relation to regulated entities and sector-specific regulators in relation to the Security of Network and Information Systems Regulations which apply to: (a) digital service providers (in which case, the competent authority will be the ICO); and (b) operators of essential services. For the latter, the UK's "competent authorities" are sector specific and as follows (with some variation for Wales, Scotland, and Northern Ireland):
- Electricity: The Gas and Electricity Markets Authority (Ofgem) and the Secretary of State for Business, Energy and Industrial Strategy (BEIS) acting jointly;
- Oil: BEIS;
- Gas: BEIS and, in certain cases, the BEIS and Ofgem acting jointly;
- Transport: (a) for air transport, the Secretary of State for Transport and the Civil Aviation Authority acting jointly; and (b) for Rail, Water, and Road transport, the Secretary of State for Transport;
- Health: The Secretary of State for Health;
- Drinking water supply and distribution: The Secretary of State for Environment, Food and Rural Affairs; and
- Digital infrastructure: Office of Communications.
The answers below focus on the ICO's powers regarding data protection under the GDPR only.
Do they have powers to compel businesses to hand over documents?
Yes. The ICO can issue an information notice, to compel a data controller or processor to provide information and documents.
Do they conduct dawn raids?
The ICO has extensive powers of inspection which it can exercise (in certain circumstances) without prior written notice (i.e. a dawn raid). This power has not been exercised to date, but the ICO has signalled that it will look to use this power in future.
Are they able to bring criminal prosecutions (and do they do so)?
The ICO is a prosecuting authority which can bring criminal prosecutions under a variety of legislation including both the DPA 2018 and, for example, the Computer Misuse Act 1990 (which, unlike the DPA 2018, allows for custodial sentences to be imposed).
In November 2018, the ICO exercised these powers with its first prosecution under the Computer Misuse Act, resulting in a six month prison sentence for the individual.
Do they bring prosecutions against individuals?
As noted above, in November 2018, the ICO successfully brought a criminal prosecution under the Computer Misuse Act 1990 against an individual for unauthorised access to computer material.
Is there a self-reporting / leniency regime?
In the event of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of an individual, it is a legal requirement to notify the ICO. If the ICO is not notified (in breach of that legal obligation), this will be considered an aggravating factor for the purposes of any enforcement action.
Are there any plans to introduce new powers (or use existing powers differently)?
All of the ICO's post-GDPR powers are fairly new and it remains to be seen how they will be used (and whether they will be expanded upon review). The ICO has demonstrated its willingness to issue Enforcement Notices requiring that the processing of certain data ceases; notably, against HMRC for its failure to obtain adequate consent to collect callers' personal data.
Are there any areas of new technology that are a particular focus of regulatory attention?
The ICO's stated regulatory priorities, so far as new technology is concerned, are:
- Cyber security.
- AI, big data and ML.
- Web and cross-device tracking.
- The use of surveillance and facial recognition technology.
For example, this year the ICO released:
- Its interim report on Project ExplAIn. This project aims to create practical guidance to assist organisations with explaining AI decisions to the individuals affected.
- A summary report from the adtech Fact Finding Forum, which was designed to help the ICO better understand the key data protection issues around adtech (particularly around Real Time Bidding).
How has digital transformation affected the regulators' own behaviours?
The reports mentioned above show how the ICO is working with other bodies to develop its understating of digital transformation. For example, during Project ExplAIn the ICO worked with the Alan Turing Institute, the national institute for data science and AI.
Dates for the diary
Q4 2019 – Q1 2020
ePrivacy Regulation expected to be passed by European Parliament.