24 July 2019

Data Blast: EU Commission survey results; New US Ombudsman and more…

Data Blast: EU Commission survey results; New US Ombudsman; British Airways and Marriott suffer multi-million pound fines; marketing messages can surprise you, biometric decision for Facebook, and news on Singapore…

European Commission Publishes Surveys Marking One-Year GDPR Anniversary

The European Commission has published two surveys meant to gauge public awareness of the new law, and the results have proved interesting.

The first survey, Eurobarometer 487a, sought to clarify GDPR awareness among the public, and the public’s general feeling regarding data protection issues. Some key takeaways from the survey include:

  • 67% of respondents had heard of the GDPR, while only 36% had both heard of it and knew what it was;
  • 73% had heard of at least one right guaranteed under the GDPR, while only 30% had heard of all of the rights outlined in the survey;
  • 57% had heard of a public authority in their country responsible for protecting their rights regarding personal data, an increase of 20% since 2015;
  • 65% of respondents felt they have some control over personal information they provide online; and
  • Roughly 20% stated they are always informed regarding the conditions attached to the collection and use of their personal data online.

It is apparent that the public is becoming increasingly aware of their rights under the GDPR, making it all the more important that data controllers and processors are in proper compliance.

The Commission also published a report compiled by the GDPR Multistakeholder Expert Group, comprised of business representatives, legal advisers and academics. The report findings (which can be found here) summarised the key concerns of the Group members in relation to the GDPR, including:

  • The cost and additional resources required by organisations in order to comply with the GDPR;
  • The exercise of data subjects’ rights in relation to how detailed the information provided to data subjects must be and dealing with excessive data subject requests;
  • The impact of Article 7(4) regarding the conditions for obtaining valid consent, including shifting from consent to other legal bases;
  • Difficulty in managing complaints under the GDPR and the one-stop-shop mechanism in dealing with DPAs;
  • Experiences with the application of the risk-based approach and accountability principle, particularly their impacts on innovation.

The report gives a detailed and informative overview of the issues faced across a variety of industries in becoming GDPR compliant, and should be considered by organisations that process large amounts of personal data.

Keith Krach to serve as EU/US Privacy Shield Ombudsman

On June 20th 2019, the United States Senate confirmed Keith Krach, former CEO of Ariba and DocuSign, as the Under Secretary of State for Economic Growth, Energy and Environment.

In this role, Mr. Krach will serve as the permanent ombudsman for the EU-US Privacy Shield agreement, and handle complaints relating to the protection of EU data in the United States.

The Privacy Shield agreement affords companies a mechanism by which they may lawfully transfer personal data from the EU to the US, provided they have complied with the relevant data protection principles. The EC has long been calling for a permanent ombudsman to oversee complaints, as part of a wider disagreement over the agreement.

This appointment comes at an important time, as it was reported on June 14th 2019 that the US Federal Trade Commission had taken action against a number of companies for misrepresenting their Privacy Shield compliance. The FTC sent 13 warning letters to companies claiming to participate in the Privacy Shield and the US-Swiss Safe Harbor frameworks. The Privacy Shield replaced the Safe Harbor frameworks in 2016, and all certifications under the latter expired automatically when the Privacy Shield went into effect.

The appointment of Mr. Krach will help placate certain concerns at the EC regarding the proper protection of EU data in the United States, at a time when the Privacy Shield Agreement is facing legal challenges across Europe.

British Airways to be fined £183.39m

The fine announced this month relates to a cyber incident notified to the ICO by British Airways in September 2018. This is reported to have involved user traffic to the British Airways website being diverted to a fraudulent site, through which customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. Another report said that this was caused by changes to one of the JavaScript files loaded in the main BA web page; if so, this suggests companies need to be running regular checks and diagnostics on their sites to ensure the scripts they serve have not been altered.
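The kind of regular check the paragraph above calls for can be as simple as fingerprinting every script a page loads and comparing against a known-good baseline. The example below is added here and is not code from the newsletter, the ICO or British Airways; the page, asset paths and script contents are constructed, and `fetch` is a hypothetical callable injected so the check runs offline.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def script_inventory(html, fetch):
    """Map each script (its URL, or 'inline#N') to the SHA-256 of its content.
    `fetch(url)` returns the script bytes; it is injected so the check can run offline."""
    p = ScriptCollector()
    p.feed(html)
    inv = {src: hashlib.sha256(fetch(src)).hexdigest() for src in p.external}
    for i, body in enumerate(p.inline):
        inv[f"inline#{i}"] = hashlib.sha256(body.encode()).hexdigest()
    return inv

def detect_drift(baseline, current):
    """Scripts that appeared, disappeared or changed since the baseline was recorded."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }

# Constructed sample: a known-good page, then a later crawl in which one hosted script
# was altered and an inline script was inserted (hypothetical paths, not real assets).
GOOD_ASSETS = {"/js/app.js": b"window.app = {};", "/js/checkout.js": b"function pay(){}"}
TAMPERED_ASSETS = dict(GOOD_ASSETS, **{"/js/checkout.js": b"function pay(){}//x"})
PAGE = '<html><body><script src="/js/app.js"></script><script src="/js/checkout.js"></script></body></html>'
TAMPERED_PAGE = PAGE.replace("</body>", '<script>document.title="x"</script></body>')

BASELINE = script_inventory(PAGE, GOOD_ASSETS.__getitem__)
CURRENT = script_inventory(TAMPERED_PAGE, TAMPERED_ASSETS.__getitem__)
DRIFT = detect_drift(BASELINE, CURRENT)   # added: ['inline#0'], changed: ['/js/checkout.js']
```

Any non-empty entry in the drift report is a release or an incident to investigate; re-baseline only after a deliberate deployment.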

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information. British Airways is contesting the proposed fine, but this shows how willing regulators are to impose significant fines, and the outcome of the appeal may be very important in telling us what the right approach to fines is.

Marriott to be fined nearly £100 million following data breach

The ICO has confirmed that Marriott International, the parent company of hotel chains which include W, Westin and the Sheraton, is to be fined nearly £100 million following the major data breach first notified to the ICO in November 2018.

The ICO’s investigation traced the origins of the breach to the hacking of the guest reservation database of the Starwood hotels group in 2014. Starwood was acquired by Marriott in 2018, and Marriott reports that it only discovered the breach in late 2018.

The ICO investigation found that approximately 30 million of the hacked records related to residents of the 31 countries in the EEA, with 7 million related to UK residents.

This incident highlights the importance of conducting due diligence concerning data protection and cybersecurity during any corporate acquisition.

Commenting on the imposed penalty, the ICO stated that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should have also done more to secure its systems. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.”

The ICO’s statement can be read here.

Beware how you update your contacts…

A little embarrassing for a law firm – a Winkworth Sherwood partner forgot to blind copy 600 contacts taken from his former firm in an email informing them of his move. Mistakes happen but it serves as a reminder of the importance of thinking before sending emails to a large number of recipients… We understand the ICO and Solicitors Regulation Authority are both considering what happened.

Facial Recognition under scrutiny…good news for Facebook for now…

On June 14th 2019, the United States Court of Appeals for the Ninth Circuit affirmed summary judgment in favour of Facebook, holding that the company did not violate the Illinois Biometric Information Privacy Act. The matter concerned a photograph uploaded to Facebook, and an allegation that it was then subjected to facial recognition software without the subject’s consent. The court found no breach. The question is what this tells us about changing trends in behaviour. This case suggests people are becoming more willing to raise such questions with major tech companies; companies should be thinking about their policies and procedures and, in particular, ensuring an accurate record is kept to demonstrate compliance when such complaints are made.

Fines for direct marketing without consent still a big issue…

The ICO has fined telecoms company EE Limited £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent.

The messages, sent in early 2018, encouraged customers to access and use the ‘My EE’ app to manage their account and also to upgrade their phone; a second batch of messages was sent to customers who had not engaged with the first.

During the ICO investigation EE stated the texts were sent as service messages and were therefore not covered by electronic marketing rules. However, the ICO found the messages contained direct marketing and that the company sent them deliberately, although it acknowledged that EE Limited did not deliberately set out to breach electronic marketing laws.

Andy White, ICO Director of Investigations, said: “These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products or services, it is no longer a service message and electronic marketing rules apply. EE Limited were aware of the law and should have known that they needed customers’ consent to send them in line with the direct marketing rules.”

Once more this shows the ICO view on marketing messages is not necessarily what you expect…be wary…

Finally, news on UK-Singapore data co-operation

Last month the UK ICO signed a Memorandum of Understanding (MoU) with the Singapore Personal Data Protection Commission (PDPC). The MoU sets out how the two regulatory bodies will engage in the cross-sharing of experiences, exchange of best practices, staff exchanges, joint research projects and information exchange on regulatory approaches and activities. It forms the basis of the working relationship between the two bodies going forward in matters of mutual regulatory interest. A copy is here.

For more information, please contact Partner, James Tumbridge at