Data Protection News July 2019

By Georgina Donovan - July 31st, 2019 Posted in Data Protection, News & Resources

Here is our monthly data protection news and update blog from the Evalian team, covering some of the news items you may have missed, together with links to third-party sites that provide more detail.

It’s been an incredibly busy month for news, starting with the ICO’s announcement that it intends to impose very large GDPR fines on British Airways (£183m) and Marriott Hotels (£99m) both of which were widely reported. These have since been dwarfed by the US Federal Trade Commission’s proposed fines against Facebook for privacy and security breaches.

We’ve also seen new cookie guidance from the ICO and from the French regulator, CNIL. Cookie use has not been actively enforced so far, but we expect that to change, and judged against the new guidance most organisations do not currently comply. It’s therefore a good time to review your use of web cookies.

In other news, we also have draft guidance from the European Data Protection Board on the use of video surveillance, and the CJEU has heard the ‘Schrems II’ case on the legality of international transfers relying on Standard Contractual Clauses or Privacy Shield. We’ll hear more on this at the end of the year or the start of next year.

UK & US – Latest Penalty Fines Issued

In the UK, the ICO has announced several penalty fines, one of which is the largest so far under the new data privacy regime. Here is a shortlist of the most prominent cases:

  • British Airways: notice of intent to fine £183m for a data breach in which the details of around 500,000 customers were harvested by cyber attackers. Read more…
  • Marriott Hotels: notice of intent to fine £99m for a data breach that exposed approximately 339 million guest records. Read more…
  • Under the Privacy and Electronic Communications Regulations (PECR), the telecoms company EE was fined £100,000 for sending 2.5 million marketing messages without consent. Read more…

And in the US, the Federal Trade Commission (FTC) formally announced:

  • a $5 billion settlement with Facebook over allegations that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences. Read more…
  • a settlement requiring Equifax to pay at least $575 million over its 2017 data breach, which affected 147 million people. Read more…
  • that it is continuing to aggressively police companies that falsely claim to be Privacy Shield compliant. Read more…

UK & France – New Cookie Guidance Published

The use of website cookies, device fingerprinting, tracking pixels and similar technologies is regulated in the UK by the Privacy and Electronic Communications Regulations (PECR), which implement the EU e-Privacy Directive of 2002. In truth, the law in this space hasn’t been heavily enforced, so most websites assume or imply consent for cookies (the ICO’s own website wasn’t even compliant). We knew this would change following GDPR (which made clear that implied consent is not valid consent) and the incoming e-Privacy Regulation (which is still under review).

The ICO and the French data protection regulator, CNIL, have recently issued guidance (and made their own websites compliant) which indicates that much more proactive enforcement is on the way, given the scale of online tracking in use by most websites today. The revised ICO guidance requires websites to obtain GDPR-standard consent (a clear affirmative action by the user) before setting any cookie that is not strictly necessary. Pre-ticked boxes and sliders defaulted to “on” do not count, cookie walls are unlikely to be compliant, and dropping non-essential cookies onto the browser as soon as someone lands on a page is non-compliant. Our advice is to review your use of cookies and to think about how to respond to the new guidance. Read more…
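The practical check behind that advice is simple to automate: look at what is in the browser’s cookie jar on first landing, before any consent choice, and again after the user has made one, and flag anything that is neither strictly necessary nor covered by a granted consent category. The script below is an added example, not code from the Evalian post or from the ICO or CNIL guidance. The cookie names, the format of the hypothetical `cookie_consent` record and the category mapping are all constructed for illustration; a real site would substitute its own inventory.

```javascript
// Added example: audit a cookie jar against a strictly-necessary allowlist and a
// per-category consent record. Cookie names and formats below are constructed.

// Hypothetical cookies this site treats as strictly necessary (exempt from consent).
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Hypothetical mapping of known non-essential cookies to the consent category
// that must be granted before they may be set.
const COOKIE_CATEGORIES = {
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "advertising",
};

// Parse a document.cookie-style string ("a=1; b=2") into name -> decoded value.
function parseCookieString(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    cookies.set(name, decodeURIComponent(value));
  }
  return cookies;
}

// Parse the hypothetical consent record, e.g. "analytics=1,advertising=0".
// A missing record means no consent at all: silence or continued browsing
// is not consent, so every category defaults to "not granted".
function parseConsent(consentValue) {
  const granted = {};
  if (!consentValue) return granted;
  for (const pair of consentValue.split(",")) {
    const [category, flag] = pair.split("=");
    if (category) granted[category.trim()] = flag === "1";
  }
  return granted;
}

// Gate a third-party tag: load it only if the user actively granted its category.
function mayLoadTag(consent, category) {
  return consent[category] === true;
}

// Classify every cookie in the jar: essential cookies are fine, known
// non-essential cookies are fine only if their category was granted, and
// anything else (set before consent, or unknown and unjustified) is a violation.
function auditCookies(cookieString) {
  const jar = parseCookieString(cookieString);
  const consent = parseConsent(jar.get("cookie_consent"));
  const result = { essential: [], permitted: [], violations: [] };
  for (const name of jar.keys()) {
    if (ESSENTIAL_COOKIES.has(name)) {
      result.essential.push(name);
    } else if (mayLoadTag(consent, COOKIE_CATEGORIES[name])) {
      result.permitted.push(name);
    } else {
      result.violations.push({ name, category: COOKIE_CATEGORIES[name] || "unknown" });
    }
  }
  return result;
}

// Constructed sample: a first landing where analytics and ad tags fire on page load.
const FIRST_LANDING = "session_id=abc123; _ga=GA1.2.111; _fbp=fb.1.222";
// Constructed sample: the same site after the user ticked analytics but not advertising.
const AFTER_CONSENT =
  "session_id=abc123; cookie_consent=analytics%3D1%2Cadvertising%3D0; _ga=GA1.2.111; _fbp=fb.1.222";

console.log(auditCookies(FIRST_LANDING));
console.log(auditCookies(AFTER_CONSENT));
```

On the first landing both `_ga` and `_fbp` are reported as violations, because nothing has been consented to; after the user grants analytics only, `_ga` becomes permitted while `_fbp` remains a violation. Running the same check in a headless browser against each page of a site, once with a clean profile and once with each consent combination, gives you the inventory the guidance expects you to be able to justify.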

EU – International Data Transfers

On 9th July 2019, Europe’s highest court, the Court of Justice of the European Union (CJEU), heard the ‘Schrems II’ case concerning the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. The judgement could have major implications for the right to transfer personal data outside the EEA, and might complicate no-deal Brexit data protection preparations. The CJEU’s decision is expected by early 2020. Read more…

EU – Data Protection Board New Guidance on CCTV

On 10th July 2019, the European Data Protection Board (EDPB) adopted new guidelines on the use of video surveillance. The guidelines clarify how the GDPR applies to the processing of personal data through video devices and aim to ensure consistent application of the GDPR across the EU. They are open for public consultation. At the heart of the matter is balancing the interests of the controller (the party relying on the CCTV) against those of the individuals filmed, so that the fundamental rights and freedoms of the data subjects are not overridden. Read more…

UK – Mid-Sized Firms Not Yet Compliant with GDPR

Almost a third of European businesses admit they are still not compliant with GDPR, according to a survey conducted by the European Business Awards on behalf of the accountancy firm RSM. Despite the lack of compliance, GDPR is starting to have a positive effect on cyber security: almost 75% of respondents said GDPR has encouraged them to improve the way they manage customer data, and over 60% said it has led them to increase their investment in cyber security. Read more…

Have a Question?

So, there is a lot going on, and it’s clear that the ICO is going to be more active than many of us perhaps anticipated. If you have any questions on any of these topics, please contact us.