14 April 2020

Data Blast: Contacting tracing app for Covid-19 launching; UK ICO postpones fines to help business and more…

Data Blast: Contacting tracing app for Covid-19 launching; UK ICO postpones fines to help business; Marriott breached again; UK ICO warns about Covid-19 data retention; and French CNIL guidance on remote working…

Pan-European group plans release of GDPR-compliant contact-tracing app

Switzerland-based Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) plans this month to release an opt-in location detection app for tracing those at risk of carrying the coronavirus, promising it will comply with the GDPR.

In a statement, PEPP-PT explained the app will deliver, ‘well-tested proximity-tracking technologies; secure data anonymization; trustworthy mechanisms to enable contact between user and health-officials in a data protection conforming environment; APIs that can provide anonymized contact chains as well as risk-scoring to other applications (e.g. for health resource management, private risk management, or the pandemic response systems).’

The app would use Bluetooth to establish distance from other users, and the resulting data would be encrypted and stored only on the user’s device, never to be accessed. However, if a user subsequently tests positive, they may allow the sharing of their historic location proximity information. Importantly, the app would work across European borders, enabling nations to use it and share data on the virus’ spread.

German chancellor Angela Merkel has voiced her support for the app, and PEPP-PT has attracted dozens of business and university partners already.

Mobile apps using location services to detect and track the spread of the coronavirus have become widely used (as covered here) but their use in the European Union is still doubtful, given the EU’s confirmation that such apps are not permitted under the ePrivacy Directive (discussed in detail here). However, where the explicit informed consent of users is obtained, as the PEPP-PT approach seems to achieve, this issue can be avoided.

ICO postpones issuance of fines for BA and Marriott

The UK ICO has again postponed the combined £288 million in fines for data breaches committed by British Airways and Marriott Hotels.

The fines (originally covered here) were announced in response to data breaches which affected millions of the companies’ customers around the world. Marriott’s potential fine came as a result of 383 million customers’ data being stolen by Chinese hackers, while British Airways was notified of the ICO’s intent to issue a fine after 380,000 customers‘ payment card details were leaked in 2018.

The annual report for IAG, British Airways’ parent company, announced that its subsidiary’s fine had been postponed until May 18th, while Politico has reported that the fine for Marriott has been delayed until June 1st.

The relevant section of the IAG report stated that ‘the ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18 2020, to allow the ICO to fully consider the representations and information provided by British Airways,’ adding that it would ‘vigorously defend’ itself up to the Court of Appeal, if necessary.

UK and EU data protection law permits the ICO, and other European data protection authorities, to announce an intention to fine a company, through the issuance of a Notice of Intent, after which it has six months to issue the fine, during which a company can make its case to the ICO. This process resulted in British Airways and Marriott having their fines postponed in January.

Given the difficulties both companies are facing as a result of the coronavirus pandemic, the postponement is a rare bit of good news. The delay illustrates the ICO’s willingness to be accommodating, as these companies are currently facing existential challenges as a result of the virus and the global response to it. This timing is particularly fortunate for Marriott, who at the end of March announced it suffered another, separate data breach, which compromised the personal data of over 5 million guests.

Hotel chain Marriott suffers another data breach

In March, hotel chain Marriott announced that it suffered another data breach, in which compromised employee logins were used to access the personal data of roughly 5.2 million guests.

The unlawfully accessed data included names, phone numbers, postal and email addresses, dates of birth and loyalty card numbers, although Marriott has asserted that no customer financial information was accessed. Marriott confirmed that the breach likely began in January 2020 and was not detected until the end of February. However, no explanation was given as to why the company waited close to a month to inform customers of the breach.

In a statement, Marriott established that they had ‘identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,’ and ‘upon discovery, confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.’

At first, the company did not confirm how many customers had been affected, simply stating that an ‘unexpected amount’ of guest data was accessed. However, the company emailed guests, providing a link to a self-help portal which allows guests to ascertain whether their personal data had been exposed, and will provide affected guests with free identity monitoring to notify them of any criminal use of the stolen data.

The breach comes at a challenging time for the company during the Covid-19 pandemic, and when they recently learnt that the ICO fine of £99million for a separate 2018 data breach (outlined above) had been postponed.

ICO issues warning over Covid-19 data retention

The Information Commissioner’s Office (ICO) has reminded supermarkets of their obligation to delete the personal data of vulnerable patients and individuals once the coronavirus pandemic is over.

This week, retailers began contacting vulnerable customers whose names are on a list of medically vulnerable people provided by the Government. Under the scheme, the NHS has identified 1.5 million people as being ’extremely clinically vulnerable‘ and in need of assistance in obtaining groceries and other essential products. These include people with severe asthma and other conditions, along with patients receiving chemotherapy or having undergone certain invasive procedures.

While the pandemic persists, retailers are able to use the personal information to help prioritise home deliveries. It has been reported that it is unclear whether the transfer of data to retailers merely includes the names of the vulnerable individuals identified, or information concerning medical conditions and other personal data. Although specific information about medical conditions and specific needs may assist supermarkets in prioritising deliveries, it is considered special category data and requires more protection.

Under the GDPR, data controllers and processors are obliged to return or delete all personal data after the end of services, or on expiry of a contract, unless there is a legal reason to retain the data. The ICO has warned that only the minimum amount of information required should be shared by the NHS with supermarkets, and all data should not be retained for any longer than needed.

French regulator issues guidelines on remote working

On April 1st 2020, the French Data Protection Authority (CNIL) issued Guidelines to employers concerning the implementation of remote working procedures during the Covid-19 pandemic, and Best Practices for employees to follow. CNIL has already issued guidance on the processing of personal data in the context of the Covid-19 outbreak, which we reported on in our earlier post here.

The Guidelines require employers to implement certain measures to secure their information systems. These measures include having a teleworking information security policy in place, and ensuring that firewall and antivirus software are installed on the workstations of all employees. The Guidelines also require organisations to use virtual private networks (VPNs) wherever possible in order to avoid direct exposure to the internet. Further recommendations are provided on delivering services on the internet. These include limiting the number of services available, regularly reviewing access logs, applying the latest security patches, and implementation of two-factor authentication mechanisms.

CNIL’s Best Practices for employees whilst teleworking include following all instructions provided by the employer, and only using systems and equipment at home as they would do in the office. Employees are also encouraged to use the VPN provided by their company, and to sufficiently secure their personal device if they are not using a company-maintained device. Finally, employees are advised to be mindful of transmitting personal data and confidential information by commercial file transfer or email services, and should remain vigilant to phishing attempts at all times.

The Guidelines can be read here, and Best Practices here (both in French).

For more information please contact Partner, James Tumbridge at