Welcome to the Stephenson Harwood Data Protection update, covering the key developments in data protection and cyber security law from October 2024.
In what has been a month jam-packed with noteworthy developments, the UK Government has introduced a new data protection bill into Parliament; the ICO has launched an audit framework for data protection, for use by organisations in self-assessing their compliance; and the EDPB has published various materials including opening a consultation on its draft guidelines for the "legitimate interests" processing basis, finalising its guidance on the information storage and access requirements under the ePrivacy Directive, and publishing its opinion on information that controllers should hold on their processors and sub-processors.
In cybersecurity news, the UK National Cyber Security Centre has published guidance for organisations on communications strategy during and after a cyber incident; and Microsoft has published its annual horizon-scanning Digital Defence report.
In enforcement and civil litigation news, the ICO has upheld a £750,000 fine levied against the Police Service of Northern Ireland; the Irish DPC has fined LinkedIn €310 million for improper use of the "legitimate interests" basis in targeted advertising; the Upper Tribunal has overturned an ICO data breach decision that payment card numbers and expiry dates could, by themselves, constitute personal data; and various judgments have been handed down by the ECJ/CJEU with significant general implications for how organisations rely on the GDPR processing bases, their processing of special category data, and what will constitute special category data in the first place.
DP Connect London event: Data (Use and Access) Bill - What does it mean for you? 5 December - Starting at 8:30 AM - London
We are delighted to invite you to our latest DP Connect session. DP Connect gives you the opportunity to share knowledge and connect with peers navigating the ever-changing data protection landscape.
This session will focus on the new Data (Use and Access) Bill - the latest attempt to reform the UK's Data Protection regime. It will start with an overview from our Data Protection team of the Bill's main objectives and provisions. We will then lead a roundtable discussion on the practical implications of the Bill's key clauses (such as changes to provisions on research, automated decision-making, and enforcement).
UK Government introduces new Data (Use and Access) Bill into Parliament
On 23 October, the UK Government brought a new Bill before Parliament, aiming to boost economic growth by enabling a wider array of smart data and data sharing initiatives and creating greater certainty and freedom of action for organisations with respect to their data protection obligations.
The Bill would modify the UK implementation of the GDPR and the UK Privacy and Electronic Communications Regulations ("PECR"), including to:
The ICO has welcomed the Bill, highlighting the role it has played in developing its content throughout the last Government as well as the current one. It has also stated that it does not regard the Bill as posing a risk to the UK's adequacy decisions from the EU.
We will be publishing a more detailed review of the key provisions of the new Bill, and the substantive changes it proposes to make to the UK's data protection regime, later this month.
The full text of the Bill, as introduced to Parliament, is available here.
EDPB consultation on new legitimate interest guidelines now open
The European Data Protection Board ("EDPB") has opened a public consultation, which will run until 20 November 2024, on the first version of its guidelines on the applicability of "legitimate interests" as a valid legal basis for personal data processing.
Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f) of the UK and EU GDPR) has three conditions which must be met:
The guidelines consider several areas, such as setting out the three steps controllers should take to assess the applicability of the "legitimate interests" basis; how the basis interacts with a data subject's rights; and how to define a "legitimate interest".
As this legal basis is very commonly relied upon, we will be publishing an article later this month examining the guidelines in further detail.
UK lawmakers press for ministers to prioritise EU data adequacy
The European Affairs Committee of the UK House of Lords has called for maintaining EU-UK data adequacy arrangements to be treated as an "immediate policy priority" by the Government, in a letter addressed to Peter Kyle MP, the Secretary of State for Science, Innovation and Technology.
Drawing on the Committee's inquiry into the issue, which commenced in March 2024, the letter presses ministers to ensure that any new data protection policies pursued by the Government do not put at risk the current EU adequacy finding for the UK, originally adopted in 2021 and set to expire in June 2025 (subject to the European Commission renewing this decision).
The letter, and the inquiry's conclusions, particularly highlight the risk of "significant extra costs" and "new barriers" to UK businesses trading and delivering services in the EU if the adequacy decision is not to be renewed.
The Committee expects that the Commission will want to renew the adequacy decision, given the benefits to the EU, but notes that renewal is not a foregone conclusion and may be jeopardised if the UK diverges too far from the EU data protection regime.
EDPB finalises guidance on ePrivacy Directive information storage and access
The EDPB has published its final guidance, following consultation, on the application of Article 5(3) of the ePrivacy Directive.
Article 5(3) states that storing information or accessing already-stored information on the "terminal equipment" of a user or subscriber can only be lawfully done on the basis of that user's or subscriber's consent or necessity for specific, narrowly-defined purposes.
Although the ePrivacy Directive is often called the "cookie" law as it constrains the ways in which organisations may place cookies on user devices, the scope of the Directive goes much wider than just cookies, and the new guidance reflects that fact. For example, "terminal equipment" is not limited just to laptops, smartphones and similar devices, but also includes any connected device, such as connected cars, network-connected data storage, smart TVs and so on.
The guidance also gives a very wide reading to the ideas of information being "stored on" user devices and then "gaining access" to that information. For example, the storage and access do not need to have taken place in the same communication, nor do they need to have been performed by the same party. Information may be stored by one party, later accessed by another, and this will all still come within the scope of the Directive.
Finally, the guidance confirms the existing position that the ePrivacy Directive, including this "terminal equipment" requirement, relates not just to personal data but to any and all information. This means that organisations will need the user's consent (or must rely on one of the narrow necessity grounds) when placing or accessing any information whatsoever on or from a user device.
EDPB opinion on processors meets with industry scepticism
The EDPB has set out guidance on processors, sub-processors, and the obligations and responsibilities of controllers. The guidance says that controllers should "have the information on the identity ... of all processors, sub-processors etc. readily available at all times" in order to fulfil their GDPR obligations. "Identity" includes "name, address, contact person".
Processors, meanwhile, are expected under the guidance to proactively provide this information to controllers rather than waiting to be asked.
A number of industry bodies, such as the Business Software Alliance, raised questions about the extra administrative and compliance burden this would place on companies of all sizes and what they consider to be the disproportionate strictness of the EDPB's stated approach.
Concerns have also been raised about how "far down the chain" of sub-processors and sub-sub-processors a controller needs to have visibility to meet its obligations.
ICO unveils data protection audit framework
On 7 October, the ICO launched a new audit framework for data protection, intended to assist organisations of all sizes to assess the extent of, and any weaknesses in, their own compliance with data protection law.
The framework is pitched as a practical, user-friendly tool which organisations can rely on as a foundation for carrying out internal compliance assessments. It is broken down into a set of nine distinct "toolkits", covering areas such as accountability, records management, cyber security, data sharing, AI, and others. Each toolkit is accompanied by downloadable "audit trackers" intended to facilitate organisations' own compliance assessments and to identify and track progress on actions to be taken to remedy deficiencies.
NCSC publishes cyber incident communications guidance for organisations
On 18 October, the National Cyber Security Centre ("NCSC") published its guidance on effective communications in a cyber incident.
The guidance aims to support "organisations of all sizes to manage their communications strategy before, during and after a cyber security incident" - regardless of whether the organisation has a specialist communications team.
Three core principles are outlined in the guidance, which are that organisations should:
The guidance can be read in full here.
Delta sues CrowdStrike for $500 million following major system disruption earlier this year
US airline Delta has filed a lawsuit in Georgia against cybersecurity software provider CrowdStrike, alleging $500 million in losses resulting from the major software and system outage in July this year caused by a faulty software update.
In the suit, Delta alleges that the mechanisms by which CrowdStrike's software operated, which involved direct access to the most sensitive parts of the Microsoft Windows operating system running on Delta's machines (including the "kernel"), constituted an "unauthorised door" into the operating system which circumvented Microsoft's own requirements, particularly in respect of subsequent updates to that software pushed out by CrowdStrike. Delta also argues that, by failing to implement adequate quality controls for software updates, CrowdStrike breached its contract with Delta.
The incident, which took place in July this year, was caused at its root by a faulty update to CrowdStrike's software which rendered computers unable to start up. It affected a vast array of organisations and sectors across many countries, from airlines to healthcare, financial services, government and public sector bodies, causing widespread and prolonged disruption to many services.
Joanne Elieli, partner and cyber lead at Stephenson Harwood, took part in a webinar in September discussing potential disputes arising from the CrowdStrike incident and how organisations should respond, which you can view online here.
Microsoft publishes annual Digital Defence Report, identifies change in "tactics" from hostile state actors in the past year
In its annual Digital Defence report, published in October, Microsoft has identified key trends in the cyber threat landscape over the past year. Hostile state actors (the report names China, Russia, Iran and North Korea in particular) are "becoming better resourced and better prepared", and have increasingly been incorporating AI-generated content into their influence operations.
Microsoft itself has been the victim of sophisticated attacks, and its customers face, according to the report, "more than 600 million cybercriminal and nation-state attacks every day."
The report also explores AI's impact on cybersecurity. It has found that there is a "rapidly evolving AI threat landscape" and has identified emerging threat actor techniques such as AI-enabled spear phishing and deepfakes. Conversely, the report finds that AI can enhance security operations by "improving threat detection, response speed and incident analysis".
Enforcement and civil litigation
Irish DPC fines LinkedIn €310 million for misuse of "legitimate interests" in targeted advertising
The Irish Data Protection Commission ("IDPC") has fined Microsoft-owned professional networking platform LinkedIn €310 million over data protection failings in its use of its users' personal data for behavioural analysis and targeted advertising.
The fine, finalised on 22 October and announced on 24 October, follows a complaint made initially to the French data protection authority in 2018 and subsequently transferred to the IDPC under the GDPR "one stop shop" mechanism, as Microsoft's and LinkedIn's European headquarters are in Ireland. In July 2024, the IDPC submitted a draft of the decision to other European data protection regulators through the GDPR-mandated cooperation mechanism and received no comments in response.
LinkedIn was found to have processed personal data without an appropriate legal basis, in breach of the GDPR: it had not validly relied on any of the bases it claimed to have relied on. Consent obtained from users was not freely given, sufficiently informed, specific or unambiguous; LinkedIn's legitimate commercial interests in using its users' personal data for these purposes were overridden by those users' fundamental rights and freedoms; and it had also not validly relied on the "contractual necessity" basis.
LinkedIn had also breached GDPR transparency requirements regarding the information provided to data subjects about the processing bases it was purporting to rely on, and had breached the overarching GDPR principle of fairness in personal data processing.
The fine came along with a reprimand and an order from the IDPC requiring LinkedIn to bring its processing into compliance.
Upper Tribunal overturns ICO decision on payment card details as personal data
In a decision handed down in September and made public in October 2024, a three-judge panel of the Upper Tribunal has overturned a key aspect of an ICO data breach decision relating to what varieties of data should be considered personal data.
In a case concerning a penalty originally imposed by the ICO against DSG Retail, parent company of retailers Currys and Dixons at the time, the Upper Tribunal has now ruled that the unique 16-digit number found on a payment card, taken together with the expiry date of that card, did not by themselves constitute personal data for the purposes of the Data Protection Act 1998 (the relevant breach having occurred prior to the implementation of GDPR and the Data Protection Act 2018).
According to the Upper Tribunal, the test that the First-tier Tribunal should have applied, but did not, was not whether this data could be combined with other data in DSG Retail's hands to identify an individual (which would have made it personal data "in the hands of" DSG Retail), but rather what other data a third party perpetrating a successful cyber attack might obtain, and whether that data could be combined with the card data to identify an individual.
The Upper Tribunal remitted the original ICO decision back to the First-tier Tribunal for reconsideration on a number of issues.
ICO upholds £750,000 data breach fine against Police Service of Northern Ireland
The ICO has upheld a £750,000 fine it levied against the Police Service of Northern Ireland ("PSNI") in connection with a serious data breach which exposed the personal data of every one of its employees - nearly 10,000 people in total - causing significant harm and distress and plausibly placing the lives of many officers and other staff at risk from dissident republican groups and other paramilitary and criminal organisations.
The breach, which involved the inadvertent publication of identifying information about PSNI staff in a "hidden sheet" in an Excel document published in response to a freedom of information request, took place in August of 2023. The ICO's investigation identified that there had been a "lack of simple internal administration procedures" which should have been in place and which, if they had been, would have prevented the breach from occurring.
The Commissioner chose to exercise his discretion to apply the "public sector approach" to reduce the size of the fine, given that the PSNI would be paying it out of public money. This reduced the fine from what would have been £5.6 million to £750,000 - still the largest fine ever levied by the ICO against any UK public body. In media interviews, the Commissioner described the incident as "the worst data breach that we have seen".
The ICO originally notified the PSNI of its intention to impose the fine in May 2024. The PSNI made further representations in an attempt to reduce the size of the fine, given its already precarious financial position, but was unsuccessful, and the fine was confirmed on 3 October.
CJEU confirms commercial interests capable of being legitimate interests under GDPR
In a preliminary ruling handed down on 4 October, the CJEU has confirmed that a purely commercial interest is capable of being a "legitimate interest" within the meaning of the lawful processing bases under GDPR.
The case concerned a tennis federation in the Netherlands which sold its members' personal data to two sponsors. The Dutch data protection authority, the Autoriteit Persoonsgegevens ("AP"), fined the federation €525,000 on the grounds that this constituted unlawful processing. The AP had previously argued, in 2019, that use of personal data solely for commercial gain or profit could never constitute a "legitimate interest" within the GDPR, and had proceeded on that basis since.
In its ruling, the CJEU disagreed. It has ruled that in the absence of a specific definition in GDPR itself as to what can constitute "legitimate interests", a wide interpretation of the term to include commercial interests is permissible, provided the interest pursued is not unlawful.
However, the CJEU also ruled that this is subject to conditions which confine the scope within which commercial interests can be GDPR-compatible "legitimate interests". The processing must go no further than what is necessary for the stated legitimate interest; it must be necessary, meaning the controller could not accomplish the same result by less intrusive means; and the "balancing test" required under the legitimate interests processing basis still applies, such that even where there is a legitimate commercial interest, it may be outweighed by the data subject's rights and fundamental freedoms. If so, the processing still cannot lawfully be carried out.
CJEU ruling gives wide scope to "data concerning health" in data protection dispute between pharmacies
In another preliminary ruling also announced on 4 October, the CJEU has cast a wide scope for what can constitute "data concerning health", within the meaning of GDPR.
The CJEU was asked by the German Federal Court of Justice to give a preliminary ruling on issues arising in a dispute between two German pharmacies. The defendant pharmacy sold pharmaceutical products online and required prospective customers to enter various information prior to making such a purchase. A competitor pharmacy applied to the German courts for an order that the defendant cease doing so for as long as the relevant customers could not consent in advance to processing of data concerning health.
The German courts asked the CJEU for a ruling on two issues. The first of these was whether the information submitted by the customer constituted data concerning health within the GDPR meaning of the term, even in cases where the purchaser might not be purchasing the medicines for their own use and where the medicines purchased online did not require a prescription. The CJEU held that it does. The data processed is "capable of revealing information about the health status of an identified or identifiable data subject". This potentially casts the scope of what will constitute "data concerning health" very widely indeed.
The second issue on which the CJEU was asked to rule was whether the German national legislation, which permits an organisation to bring a claim against a competitor on the grounds that that competitor's data protection non-compliance constitutes an unfair competitive practice, is consistent with the GDPR. The CJEU ruled that it is. There is nothing in the GDPR that precludes Member States, in their national implementations, from including the possibility of competitor organisations bringing actions on this basis.
CJEU ruling says companies cannot aggregate and target using special category data just because some of it is public
In a case brought by the well-known privacy campaigner Max Schrems against Facebook parent company Meta, the CJEU has ruled that just because an individual has manifestly made public a statement about their sexual orientation, this does not justify the aggregation of other data relating to that person's sexual orientation from other sources, such as third-party websites, for the purposes of serving targeted advertising.
Mr Schrems made a statement regarding his sexual orientation in a panel discussion. The CJEU held that the possibility could not be ruled out that this statement had been manifestly made public by Mr Schrems, within the meaning of the GDPR, such that this data could be lawfully processed.
However, this did not mean that other data about Mr Schrems' sexual orientation, obtained from other sources and not independently made public by him, had been manifestly made public simply by reason of the panel discussion statement, even if that statement itself had been made public. Nor did it justify the aggregation and use of such personal data for targeted advertising purposes.