Busy 60 Days – ICO Annual Report & European Regulatory Action

Elizabeth Denham of the Information Commissioner’s Office (“ICO”) said the following in respect of Covid-19, “”In this context, data is now less the trail that we leave behind us as we go through our lives, and more the medium through which we are living our lives””.

ICO Annual Report 2019/2020

Elizabeth Denham’s statement above was included in the ICO’s Annual Report for 2019/2020 which was published on 20 July 2020. We’ve taken a look at this 141-page report and the key points that we take away from it are:

1. The ICO has been writing to companies registered with Companies House but not registered with the ICO and has been informing them to pay the required data protection registration fee. In the last year, the ICO has collected fees totalling £44.712 million which is a 24% increase from the year before. It has stated that it is improving its technology and is working on making the data protection fee quicker and easier. Our Advice: If you haven’t registered yet, make sure that you do it before you receive a letter from the ICO.
2. Members of the public are continuing to show an interest in data protection matters. The ICO received 39,860 data protection complaints. Out of these cases, 46% concerned data subject access requests. In 50% of the cases, the ICO found that data controllers could have done more in either improving their information rights practices or explaining a more comprehensive way how they comply with their legal obligations. Our Advice: Ensure that you have a Privacy Notice on your website and an internal Data Subjects Rights Policy & Procedure which addresses how to manage data subject access requests (as well as other requests).
3. The ICO is continuing to investigate data controllers and has conducted 2,100 investigations. In the last year, there have been 236 instances where the ICO has taken regulatory action in responses to breaches of the legislation it regulates. This includes 54 Information Notices, 8 Assessment Notices, 7 Enforcement Notices, 4 Cautions, 8 Prosecutions and 15 Fines. Two of the most significant data breach cases have been of British Airways and Marriot (for which the regulatory process is still underway). Our Advice: Ensure that you have a strong Data Protection Compliance Program and keep it under regular review; audit and review your organisational and technical measures.
4. The ICO is developing its relationships across jurisdictions and is being seen as a leader on the data privacy front. Elizabeth Denham and her team went to California to engage with technology businesses and she lectures in the privacy field. During this trip, recognition and strengths of the UK’s legislative framework and the ICO’s regulatory powers during investigations was attributed as being a catalyst to the efforts to develop the California Consumer Privacy Act 2018. Our Advice: If you have global presence, ensure that you are complying with pan-wide and extra-territorial legislation as well as local legislation.

European Regulatory Action

Other regulators within Europe are certainly paying attention to the “”medium through which we are living our lives”” and there has been vast enforcement action in Europe over the last 60 days. Take a look at this snapshot:

1. Google Belgium SA was fined EUR 600,000 by the Belgium Data Protection Authority due to it failing to correctly manage and comply with a data erasure request.
2. Vodafone Espana, SAU was fined EUR 12,000 by the Spanish Data Protection Authority for failing to comply with the general data processing principles.
3. Allgemeine Ortskrankenkasse was fined EUR 1,2400,000 by the German Data Protection Authority of Baden-Wuerttemberg for failing to put in place sufficient technical and organisational measures to ensure information security.
4. Tulsa Child & Family Agency was fined EUR 75,000 by the Irish Data Protection Authority for failing to correctly notify of a personal data breach.
5. Lejre Municipality was fined DKK 50,000 by the Danish Data Protection Authority for failing to comply with the general data protection processing principles.
6. Bureau Krediet Registration was fined EUR 830,000 by the Dutch Data Protection Authority for failing to successfully comply with a data subject access request.
7. Proleasing Motors SRL was fined RON 72,642 by the Romanian Data Protection Authority for failing to put in place adequate technical and organisational measures to ensure data security.
8. Odin Flissenter was fined NOK 300,000 by the Norwegian Data Protection Authority for not having a sufficient legal basis for processing personal data.
9. Wind Tre S.p.A was fined EUR 16,700,000 by the Italian Data Protection Authority for its unlawful data processing activities in respect of direct marketing.
10. Digital Technologies Limited was fined GBP 90,000 by the ICO for the transmission of unsolicited communications (direct marketing) by email.

Our Advice: Make sure that you have holistic and robust Data Protection Compliance Program. This is an area in which regulators are and will continue to take action.

European Court of Justice (“ECJ”) Judgement in Schrems II

Whilst all of the enforcement activity has been happening, the ECJ has been preparing for and hearing the Schrems II case for which a decision was made on 16 July 2020. This case centred around transferring data between the EU and the US (including and especially under the EU-US Privacy Shield). The outcome of the case is that organisations can no longer rely on the EU-US Privacy Shield when transferring data as the ECJ has stated that it is an invalid mechanism. This is not really a surprise in light of Schrems I which centred around the EU-US Safe Harbour arrangement and it has often been argued that the EU-US Privacy Shield is simply the same safeguard albeit with a different name. The ECJ did in Schrems II confirm, however, that the mechanism of using the Standard Contractual Clauses is still valid and can continue to be used by organisations. This is also of no real surprise as the European Commission has been recently working on modernising and updating the Standard Contractual Clauses and therefore its unlikely that the ECJ would have stated that they are invalid mechanism under which to transfer data.

Our Advice: When it comes to data protection matters, try to be pro-active and consider potential regulatory changes in advance. In the run-up to the Schrems II decision, our lawyers pre-empted that the EU-US Privacy Shield would be considered an invalid mechanism for the transfer of personal data and advised clients to enter into the Standard Contractual Clauses.

Aria Grace Law

It has been an overwhelmingly busy 60 days in the data privacy landscape and our Data Privacy Team including Puja Modha and Katharina De Resseguier have been working with a number of clients in respect of building and developing their data protection compliance programs and ensuring that they are compliant when transferring data.

Puja Modha, Katharina De Resseguier and other Partners at Aria Grace Law have supported organisations of varying sizes and across different industries in complying with data privacy legislation across multiple jurisdictions. If you would like to get in touch with them, please contact compliance@aria-grace.com .