18 February 2020

Data Blast: Canadian privacy commissioner takes Facebook to court and more…

Canadian privacy commissioner takes Facebook to court; ICO issues fine to London pharmacy in GDPR first; Hamburg Data Commissioner calls for GDPR improvements; New US Data Privacy Act proposed; Indian Parliament tables amended privacy bill.

Canada’s privacy watchdog takes Facebook to court for refusing to change its data practices

Canada’s Office of the Privacy Commissioner (OPC) has applied to the Federal Court, seeking to force Facebook to implement changes to the way it handles personal data, and to issue a public notice confirming those changes. The application follows Facebook’s refusal to comply with corrective measures required by the OPC. Those measures followed an investigation that concluded that Facebook had breached the Personal Information Protection and Electronic Documents Act (Canada’s principal data protection statute) when it shared user data with an application called ‘thisisyourdigitallife,’ which was part of the transatlantic data sharing scandal involving the company Cambridge Analytica. The crux of the complaint by the OPC is that Facebook failed to obtain the requisite level of user consent for the data sharing, and that it lacked appropriate safeguards to protect user data.

It is striking that the OPC lacks the power to impose monetary sanctions on Facebook (in stark contrast to the GDPR’s fining powers of up to 4% of global turnover). It will be interesting to watch this matter proceed, against the backdrop of the Canadian Government’s intention to adopt new and far-reaching data protection laws drawing inspiration from the GDPR (previously reported here).

ICO issues first GDPR fine for careless handling of printed patient records

In late December 2019, the ICO fined London-based Doorstep Dispensaree Ltd. £275,000 for breaches of the GDPR in relation to the way it ‘carelessly’ stored and processed patient records. This marks the ICO’s first fine under GDPR; we previously reported on proposed fines to British Airways and Marriott Hotels, but these fines have not been issued to date.

Doorstep Dispensaree, which supplies medicines to customers and care homes, left approximately 500,000 documents containing personal data in unlocked crates, disposal bags, and cardboard boxes in a courtyard at the rear of its premises. It is understood that the ICO launched its investigation after it was alerted to the situation by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own enquiry into the pharmacy’s storage and distribution of medicines.

The documents, which dated from June 2016 to June 2018, included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO found that the company had breached the GDPR as it had failed to ensure the ‘appropriate security’ of the personal data it processes and had “processed personal data in an insecure manner”. The ICO also noted that the pharmacy had failed to protect against accidental destruction, as many of the documents had become water damaged by rain. The pharmacy had argued that a licensed waste disposal company it had hired should have been fined, rather than the pharmacy itself. The ICO rejected that argument, finding that the pharmacy remained the data controller for its customers’ records, and the waste disposal company was a data processor only acting on the instructions of the pharmacy.

The ICO has stated that the nature of the pharmacy’s business in supplying medicines to up to 78 care homes meant that a high proportion of the affected data subjects were elderly or otherwise vulnerable individuals. It is also understood that in setting the fine, the ICO only considered the contravention from May 25th 2018, when the GDPR came into force, without taking account of fines which could have been issued under the DPA 1998. The ICO also required Doorstep Dispensaree to improve its data protection practices within three months in order to avoid further enforcement action.

The ICO’s monetary penalty notice can be found here.

Hamburg Data Commissioner sees room for improvement in GDPR enforcement

The Hamburg Commissioner for Data Protection and Freedom of Information has published a report looking back on two years of the GDPR being in force, and taking stock of what he perceives to be the most pressing challenges for effective data protection.

In the English language press release accompanying the report, the Commissioner notes the importance of publicising citizens’ data protection rights, and to that end the Commissioner has launched an educational initiative to promote data protection awareness in schools.

The Commissioner has a particularly pointed assessment of the GDPR’s ‘one stop shop’ enforcement mechanism for entities operating across borders, concluding that contrary to its intended purpose, the procedure has proven itself to be ‘cumbersome, time-consuming and ineffective.’ In support of his assertion, the Commissioner notes that ‘despite numerous reports of data protection violations in the last two year[…]no draft decisions have ever been made, which is a bad sign in the second year of the GDPR.’

The Commissioner concludes that a ‘legal reorientation’ is needed if the GDPR is to serve its purpose, and calls on the European Commission to present proposals for change in its upcoming evaluation report due in May 2020.

US Senator proposes overhaul of US data privacy regulations

On February 13th, NY Democratic Senator Kirsten Gillibrand proposed the ‘Data Protection Act’ (the ‘Act’) which seeks to overhaul the US privacy regulatory system.

Most notably, if passed, the Act would create a new Data Protection Agency (DPA), tasked with protecting consumer data in much the same way as DPAs in European jurisdictions. Consumers would lodge complaints with the DPA, potentially leading to larger investigations into data misuse. Where companies are found to have abused consumer data, the DPA could levy fines or seek injunctive relief.

In addition to its investigatory function, the DPA would work alongside the technology sector to promote Privacy Enhancing Technologies (PETs) aimed at ‘minimizing or eliminating the collection of personal data.’ The motivation behind developing PETs, according to Senator Gillibrand, would be to enable the tech sector to move away from pay-for-privacy models. The DPA would also provide advice to Congress on the emergence of new technological threats, and how best to regulate them.

Presently, the Federal Trade Commission (FTC) is tasked with the DPA’s proposed investigatory function, but it has faced criticism over its efforts to police large tech platforms, which many critics regard as having failed. This was evident in its $5 billion fine of Facebook last July (covered here), which included little to no restrictions on Facebook’s future use of consumer data.

Senator Gillibrand’s proposal is one of many proposed shakeups of the US privacy regulation landscape. Earlier this week, Republican Senator Josh Hawley introduced legislation to move the FTC under the umbrella of the Department of Justice (DOJ), and appoint a Senate-confirmed head officer. The proposal comes after the FTC and DOJ, both separately tasked with combating anti-competitive behaviour in the tech industry, have faced criticism for being ineffective in doing so.

Indian Parliament introduces updated Data Privacy Bill

On December 11th 2019, India’s Ministry of Electronics and Information Technology introduced a draft privacy bill to the Indian Parliament.

The draft bill was updated from a version submitted to the Indian Parliament in 2018. A Select Committee report on the draft bill is expected next month, prior to the bill being tabled for discussion in Parliament.

While broadly similar to the 2018 version, the new bill includes some key changes:

  1. Relaxation of data localization requirements: The bill originally required data controllers (known as ‘data fiduciaries’) to maintain a local copy of any personal data transferred out of India. However, the draft bill exempts all data not constituting either sensitive personal data (as defined by the GDPR) or critical personal data, which is to be defined by the government and may not be transferred outside of India.
  2. Heightened accountability requirements: The draft bill introduced heightened accountability mechanisms for certain data controllers, including conducting data protection impact assessments, appointing data protection officers and maintaining processing records.
  3. Social media intermediaries may be designated as ‘significant data controllers’, taking into account the number of users, and whether their actions have, or are likely to have, a significant impact on state security, public order or electoral democracy.
  4. Required sharing of anonymized data: The government may require any controller or processor to provide anonymised or other non-personal data to the government, where this would enable better targeting and delivery of government services or devising of policy.

Similar to other data protection measures proposed outside of the EU, the Indian bill seeks to mirror much of the GDPR where possible. This approach may assist in obtaining an adequacy decision from the European Commission, allowing for personal data to flow from the EU to that third country. Recent examples of this include Thailand’s new data protection law, which we previously covered here.

For more information please contact Partner, James Tumbridge at