Monthly Archive: February 2017

UK: The perils of indirect marketing consents

A credit broker has been fined £120,000 by the Information Commissioner’s Office (“ICO”) under section 55A of the Data Protection Act 1998 for sending millions of marketing texts, all of which were sent without proper consent. The news was released on the ICO’s website on 15 February 2017 as an investigation had revealed that Digitonomy Ltd had used affiliated marketing companies to send out over five million messages all of which offered cash loans as part of a marketing campaign.

Digitonomy had contravened regulation 22 of the Privacy and Electronic Communications (e-Privacy) Regulations 2003 (“PECR“), which generally prohibits the sending or instigating of a transmission of unsolicited communications to a consumer for the purpose of direct marketing, unless that person has given their prior consent.

The law clearly states that data subjects must provide companies with specific consent to the receipt of marketing text messages. Evidencing such consent is particularly difficult where, like Digitonomy, you are relying on consumer details which have been obtained by a third party on your behalf. By way of example, Digitonomy Ltd stated their consent wording from affiliate companies was “you consent to us and our trusted partners contacting you by SMS, mail, email, telephone and automated message”. This wording was insufficient to protect Digitonomy as one of the “trusted partners”.

Consent must be freely given, specific and informed and involve a positive indication signifying the individual’s agreement. This enforcement action should provide fair warning to businesses who buy marketing lists from third parties, contract with third parties to carry out the marketing for them, or even share contact details within a corporate group for marketing purposes to make thorough checks and be satisfied that personal data has been obtained fairly and lawfully with the necessary consent.

The 2015 case of Optical Express (Westfield) Limited v Information Commissioner was a clear statement of the law in this area, in which the First-tier Tribunal found that consent has to be provided to the sender of the communications.  Data subjects must understand that they are providing a marketing consent to a specific third party, or failing that, have some reasonable expectation as to the identity of the third party (for example, the industry it operates in and the type of goods and services it might attempt to sell).  Further, consent must always be explicit and obtained on a clear opt-in basis.

This latest salvo in the ICO’s on-going war with the spammers is also a salutary lesson for companies operating across the full-range of B2C sectors about the dangers or relying on woolly indirect marketing consents, and the care that must be taken when obtaining marketing lists from commercial partners or group companies.

James Clark and Katrina Hennessy

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-the-perils-of-indirect-marketing-consents/

CHINA: new Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China

Developments this month continue to signpost a more challenging compliance environment ahead for non-Chinese technology companies and those operating online in China.

The Chinese Government’s continued scrutiny over cyberspace continues apace, with the announcement of a new cybersecurity watchdog. As well as monitoring cybersecurity threats and co-ordinating national cyberspace policy and practices, of greatest significance to organisations operating in China is the watchdog’s proposed role in evaluating non-Chinese organisations’ online products, services and content. 

In particular network products and services used within information systems that relate to national security or the public interest will have to pass a security and controllability assessment conducted by the Chinese authorities. Professionals say that the review is not universally applicable – only network products and services purchased by “key information infrastructure operators” (“KIIO“) (as defined in the new PRC Cybersecurity Law – for further information, click here) that may impact national security have to pass the security review in order for the procurement to proceed. Whether a network product or service purchased by a KIIO may impact national security shall be determined by the Department of Key Information Infrastructure Protection.

It appears that the supervisory assessments will focus on the security and management of the products and services; will look at risks of illegal control, disruption or interruption (such as “loopholes” allowing access by foreign governments and illegal collection of personal data); and also consider potential anti-competitive effects that may be harmful to users’ interests. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs.

The security review is not mandatory. It can be initiated by notification from the authorities, suggestions by national industry associations, responses from the market and an organisation’s own application, but it will in no way become a kind of routine scrutiny.

Additional challenges may arise through mandatory compliance with new national standards, which are yet to be announced but will be at the discretion of the new watchdog.

These measures were announced through the recent publication for public consultation by the Cyberspace Administration of China of the Measures for the Safety Review of Network Products and Services (Draft for Comment) (“Draft Measures“). Public consultation on the Draft Measures closes on 4 March 2017. This latest announcement reflects the guiding concept of the recently published PRC Cybersecurity Strategy (for more information click here), namely “Internet sovereignty”, defined as China’s right to police the Internet within its borders and participate in managing international cyberspace.

The Chinese Government has sought to reassure overseas organisations, with officials reportedly saying “the review will not hinder foreign products from entering the Chinese market, but will only to boost confidence in such products and services…. Authorities will treat Internet products and services from home and abroad equally” (according to the official news agency, Xinhua). However, the Chinese market may now become more challenging for overseas providers of online products, services and content. Such organisations are strongly advised to keep abreast of developments in China and start to plan their compliance strategy in anticipation of the new measures coming into force. In particular, it would be sensible to take into account new national standards, and to plan ahead for the likely lead time required to obtain clearances from the new watchdog, for any products, services or content to be launched in China.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-new-cybersecurity-watchdog-suggests-greater-compliance-challenges-ahead-for-overseas-companies-in-china/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing a passwords for example). The entity must not only make such a notification after a breach has been known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to undertake investigations into whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’. Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments?  How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be liable for serious or repeated interferences with the privacy of an individual and can face a civil penalty of up to $360,000 and $1.8 million respectively.

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. Thinking this through your existing and future supplier environment and the nature of required upstream contract obligations will also be needed.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low as disclosure must be made by the entity not only if it knows a breach has occurred but in the event they believe a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occured). This can be seen as both a positive and a negative depending on what which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that, ‘a serious breach’ is too broadly defined in the laws suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuels (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regimes.

Commentary

In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and working with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). For example, the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual action.

On a practical level, another potential problem of this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public. This means that a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of a breaches occurring (and such breaches meeting the required standard) could increase dramatically and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was in itself perceived to provide something of a panacea for individuals, and to provide greater clarity to business in terms of the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

JAPAN: Supreme Court rules on “right to be forgotten”

Despite signs in recent years that a so-called “right to be forgotten” had been introduced in Japan, the Supreme Court of Japan has recently refused to enforce such a right against a search engine in Japan, thus questioning just how far this right exists and extends in Japan.

In a landmark case in October 2014, a court in Tokyo ordered Google Japan to remove a number of search results that alluded to the complainant’s connections with criminal activity, in a case with some similarities to the Google Spain case in Europe. While this case did not constitute a formal legal precedent under Japanese law, its practical effect was to recognise that a “right to be forgotten” can be enforced in Japanese law. Further cases have followed, including in December 2015 where a Saitama court cited – reportedly for the first time – a “right to be forgotten” (rather than a right to privacy) when ordering Google to de-list links to three-year old news reports regarding an individual’s criminal conviction; however, this decision was reversed on appeal in July 2016.

Now in the latest development, on January 31, 2017 the Supreme Court of Japan dismissed the appeal brought by a Japanese man against Google Japan (the Saitama case mentioned above), who was seeking the removal of online search results which referenced his arrest for child prostitution more than 5 years ago.  In its decision, the Supreme Court of Japan did not directly address the “right to be forgotten” but rather decided to base its resolution of the case on the traditional legal frameworks governing privacy rights. The Court reasoned that “removal of information can be demanded only when privacy protection concerns clearly outweigh the public’s interest in the disclosure of information online,” and went on to balance these competing interests through careful consideration of factors including the public’s interest in disclosure of this type of information on the one hand, and the potential harm brought upon the individual on the other.

This relatively favourable decision for operators of online search engines may perhaps inhibit future claims based on the right to be forgotten and allow these operators to avoid the cost increases that would be necessary to provide additional mechanisms to monitor and remove infringing items from search results. However, as the legal arguments concerning the right to be forgotten were not explicitly addressed by the Supreme Court of Japan in this case, it is possible that the issue could eventually be re-litigated should societal perceptions change.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/japan-supreme-court-rules-on-right-to-be-forgotten/

UK: Implementation of the Network and Information Security Directive

By Ross McKean (Partner, London) and Linzi Penman (Associate, Edinburgh)

With the annual cost of cybercrime and cyber espionage to the world economy estimated in the hundreds of billions of dollars and accusations from various Western governments and law enforcement agencies that a sustained campaign of cyber-attacks targeting democracy and critical infrastructure is being carried out in the West, there has been sustained pressure on legislators to toughen cyber laws.

The cybersecurity strategy for the European Union and the European agenda on security provide an overall framework for the numerous EU initiatives to improve cybersecurity and tackle cybercrime. This remains a key priority for the EU institutions which have repeatedly stated that the digital economy within the single market depends on trust in secure information networks and systems.

Progress was made at an EU level in 2016 with a view to bolstering cybersecurity across Europe, with the adoption of the Network and Information Security Directive which requires implementation by Member States on or before 9 May 2018. The Directive is the first EU-wide piece of legislation concerning cybersecurity with its core objectives being to:

  • enhance cyber security at a national level,
  • increase cooperation among Member States on the matter, and
  • impose certain obligations aimed at improving cybersecurity on operators of ‘essential services’ (i.e. water, energy, transport, health, finance, banking, ISPs, DNS).

UK Position – DCMS implementation of NIS Directive

The UK Government advised last year that it is ‘taking stock of the EU referendum outcome and looking at what impact this might have, if any, on the UK Government’s plans for implementing the NIS Directive’.  This coupled with reports that the UK Government may use access to UK intelligence services as a bargaining chip in the forthcoming Brexit negotiations and reports that GCHQ has concerns about the ability of its European equivalent organisations to keep secrets, had led some to question whether the NIS Directive would be implemented at all in the UK. However, Stuart Peters – the Head of EU Cyber Security Regulatory Policy – noted last week that the UK “will still be members of the EU in May 2018 when the Directive is due to come into force…. [and the] UK Government is therefore continuing to implement the Directive.”

Next Steps

As of yet, there are no official proposals as to how the UK will implement the NIS Directive, however the Department of Culture, Media and Sport notes that the government intends to submit its proposed plan by the end of February/beginning of March, with an impact assessment and public consultation planned to be conducted in April and June 2017, respectively.

View further details of the changes envisaged under the NIS Directive >>

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-implementation-of-the-network-and-information-security-directive/

HONG KONG: new guidance on privacy protections for IoT

Those involved in the IoT industry in Asia should take note that data protection compliance can no longer be ignored in favour of rapid technological and market opportunities. Even though many data protection laws – including in Hong Kong – were drafted in the days of filing cabinets, cutting edge technologies in today’s digital world must operate within the existing compliance frameworks.

Hong Kong’s Privacy Commissioner for Personal Data (“PCPD“) is the latest privacy authority – and one of the first in the Asia Pacific region – to study and make recommendations on privacy protections amid rapid developments in the Internet of Things (“IoT“). A local study last year by the PCPD highlighted IoT device manufacturers and associated app designers in the local market were not adequately notifying device users of data privacy and security rights and measures.

The new, non-binding but persuasive guidance in particular recommends:

  • Improved and accessible data protection notices: a reader-friendly privacy policy should be provided and easily located, containing all information required to be provided under Hong Kong’s data protection laws. Clearly the task of making a data privacy notice readily available in the context of machines talking to each other is more challenging, but cannot simply be ignored.
  • Adopting “privacy by design” from the outset, including as regards data collection (not being excessive) and data security (incorporating appropriate safeguards when transmitting and storing personal data). While this is recommended for all new projects across all industries, many data protection authorities consider this a “must” for new technologies such as IoT and will – if a complaint were made – question why privacy was not taken into account during the initial design phase.
  • Adopting “privacy by default”, namely adopting default settings which are least privacy intrusive. This includes not being excessive in data collection. For example, a IoT manufacturer should offer opt-out choices if its supporting mobile app would access data in the user’s smartphones that is not directly relevant or necessary; or, preferably, engineer the system from the outset so that only directly relevant or necessary data is collected.
  • Allowing data subjects to exercise their rights, including providing clear instructions to allow users to delete data, as well as contact details to allow access/correction of personal data etc. Again, this can be more challenging in the IoT environment but, just because a system involves limited human interaction, the PCPD has made clear that an individual’s right to enquire about how their personal data is handled must be recognised and acted upon.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/hong-kong-new-guidance-on-privacy-protections-for-iot/

DLA Piper Italy and AIGI event on the General Data Protection Regulation

DLA Piper Italy and AIGI will run an event on how the General Data Protection Regulation will impact the business of companies on 16 February 2017. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dla-piper-italy-and-aigi-event-on-the-general-data-protection-regulation/

Europe: Artificial Intelligence, what can we learn from the GDPR?

Connected devices that exchange substantial volumes of data come with some obvious data protection concerns. Such concerns increase when dealing with artificial intelligence or other devices/robots that autonomously collect large amounts of information and learn though experience.

Although there are not (yet) specific regulations on data protection and artificial intelligence (AI), certain legal trends can be identified, also taking into account the new European General Data Protection Regulation (GDPR). Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-artificial-intelligence-what-can-we-learn-from-the-gdpr/

UK: Government Outlines Strategy for Post-Brexit Data Transfers and Privacy Standards

The UK Government has today published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a ‘post-Brexit’ settlement.  In a chapter entitled ‘Ensuring free trade with European markets’, the white paper outlines the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.

The free flow of data between the UK and continental Europe is an important foundation of cross-border trade, and a fact of life for many UK and EU businesses and consumers. EU law, both in its current form through Directive 95/46/EC, and in the General Data Protection Regulation (“GDPR“), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to ‘third countries’ which do not have a level of data protection recognised as equivalent by the European Commission.  This is expressly addressed in the white paper, which commits the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK officially becomes a third country:

 8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.

8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.

Whilst an equivalency decision is not specifically referred to as the Government’s goal, this is a strong indication that the UK is not planning to deviate significantly from the GDPR standards which it will adopt, whilst it is almost certainly still a member of the EU, in May 2018.

The statements contained in the white paper are the latest in a line of public pronouncements which have helped to give a degree of clarity and reassurance around the UK Government’s plans for data protection law in the UK in the wake of Brexit. In her first speech as the new Information Commissioner in September 2016, Elizabeth Denham talked about the ‘fundamental importance’ of data flows between the UK and the EU, and about the need for consistency of law and standards.   More recently, the UK’s Data Protection Minister, Matt Hancock, confirmed in evidence given to the House of Lords Home Affairs sub-committee that (i) the UK will implement the GDPR in full in May 2018; and (ii) that, as and when the UK revaluates its legal framework post-Brexit, it needs to prioritise data sharing with international partners.

Given the potential for upheaval caused by Brexit across a whole range of areas which are based, directly or indirectly, on EU law, it is encouraging to be given an indication that the UK is leaning towards a strategy of stability and equivalence in the field of data protection. The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. The inference from these latest statements is that that preparation will not be in vain, and that the broad framework of the GDPR will be the basis for UK data protection law both in sixteen months’ time, and in the eventual post-Brexit landscape.

DLA Piper’s GDPR microsite provides a user friendly overview of the key legislative changes and compliance requirements associated with the upcoming change in data protection law.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-outlines-strategy-for-post-brexit-data-transfers-and-privacy-standards/