Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
KEY INSIGHTS
On 17 November 2022 the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”).
The ICO described the purpose of the update as providing “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”
Ultimately, organisations wishing to transfer personal data outside the UK (and outside countries covered by adequacy regulations) can now choose either of the two approaches when conducting a TRA to support a transfer made under the appropriate safeguards in Article 46 of the UK GDPR. We cover this in more depth in our post HERE.
GOVERNMENT AND REGULATORY ACTIVITY
UK Government Announces South Korea Adequacy Decision
After agreeing a data adequacy arrangement in principle in July 2022, the UK government announced on 23 November 2022 that it has completed its full assessment of the Republic of Korea’s personal data legislation. The assessment concluded that the country’s privacy and data protection laws sufficiently protect the rights of data subjects whose personal data may be transferred to it.
The legislation will now be laid in Parliament, and is expected to come into force on 19 December 2022.
This would make it possible for businesses in both countries to share personal data without needing a transfer mechanism such as standard contractual clauses, making it easier for them to operate and engage in bilateral trade. It is important to note that an adequacy decision does not change the requirement for data processing or data sharing agreements to be in place, nor does it remove the controller/exporter’s obligation to conduct due diligence on the recipient and monitor its performance to ensure data subjects’ rights are not being abused.
ICO Launches Consultation on FOI Complaints Prioritisation
The Information Commissioner’s Office (ICO) has launched a consultation on how it prioritises the complaints it receives about public bodies’ handling of Freedom of Information (FOI) requests.
The proposal is to prioritise complaints where there is a clear public interest in the information that has been asked for. Public interest covers a wide range of values and principles relating to the public good, or what is in the best interests of society.
This work is one of the first outcomes of ICO25, the ICO’s three-year strategic vision, which sets out how the ICO will regulate information rights as efficiently and effectively as possible.
India Publishes New Draft Data Protection Bill
After the unexpected withdrawal of the previous Personal Data Protection Bill earlier in the year, the Indian government has published a new draft Digital Personal Data Protection Bill for consultation. The bill aims to provide comprehensive data protection coverage to replace the current fragmented legal framework for privacy.
As a major trading partner of the UK in goods and services (especially technology), the passage of the law could facilitate smoother international transfers of personal data in both directions. However, concerns have been raised about the marked differences that exist between the provisions of the new bill and the UK framework, such as the exemption of government agencies from the rules.
Depending on how the bill progresses through India’s legislative process, those concerns will be essential to any transfer risk assessment relating to the country, as well as to any consideration of adequacy status by the UK government.
ENFORCEMENT ACTIONS
ICO Fines Cabinet Office £50,000
The ICO had originally issued a Monetary Penalty Notice of £500,000 against the Cabinet Office on 15 November 2021, following an investigation into the 2019 data breach in which the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list.
The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.
The Cabinet Office appealed the notice in December 2021 as “wholly disproportionate”, and the case was before the First-tier Tribunal when the parties reached an agreement to reduce the fine to £50,000.
ICO Issues Reprimand Against Department for Education
The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.
An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18. This data sharing meant the information was not being used for its original purpose, which is against data protection law.
ICO Fines Lead Generation Company Zuwyco Limited £160,000 for Unsolicited Marketing Calls
Between 1 January 2021 and 1 August 2021, Zuwyco Limited used a public telecommunications service to make 93,558 unsolicited calls for direct marketing purposes. The ICO’s investigation concluded that Zuwyco breached regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by calling people repeatedly without their consent, in some cases despite their being registered on the Telephone Preference Service (TPS).
French Data Protection Authority Fines Discord €800,000 for Data Security and Retention Failures Under GDPR
The French data protection authority (“CNIL”) announced on 17 November 2022 that it had issued a fine of €800,000 (£690,000) against Discord Inc. for violations of Articles 5(1)(e), 13, 25(2), 32 and 35 of the General Data Protection Regulation (“GDPR”). The violations identified related primarily to poor data retention practices, including the lack of a written retention policy, a lack of transparency about those practices towards users, and the failure to perform a Data Protection Impact Assessment (“DPIA”) where one was required. CNIL also highlighted weak security measures at Discord: its password policy allowed users to open accounts with passwords of only six characters.
Meta Fined €265m Over Data Protection Breach That Hit More Than 500m Users
Facebook’s owner has been fined €265 million (£230 million) by the Irish data protection authority after a breach that resulted in the details of more than 500 million users being published online. The Data Protection Commission (DPC) said Meta had infringed two articles of the EU’s data protection law after details of Facebook users from around the world were scraped from public profiles in 2018 and 2019.
The data appeared on a hacking website in 2021, prompting an investigation by the DPC, which is Meta’s lead supervisory authority in the EU. The DPC said a “significant” number of the users were from the EU. In addition to the fine, it “imposed a reprimand and an order” requiring Meta to “bring its processing into compliance by taking a range of specified remedial actions within a particular time frame”. This latest fine brings the total amount of fines imposed on Meta by the DPC since September 2021 to nearly €1 billion (£860 million).
If you are concerned about the risk of a data breach, consider running an audit to identify gaps in your controls and how to remediate them. Alternatively, consider outsourcing the data protection officer role to support your organisation.
To view our next bulletin (December 2022), click here.