25 January 2019

Data Protection: New EU ePrivacy Code, Cambridge Analytica fined…

European Electronic Communications Code (EECC) broadens scope of the ePrivacy Directive

The new European Electronic Communications Code (the ‘Code’) was formally adopted on December 20th 2018. EU Member States now have two years to incorporate the Code into national law before December 21st 2020.

The definition of electronic communication services (ECS) in the existing EU rules for telecom/electronic communication services only covers traditional telecommunication services.  However, once implemented, the Code broadens the scope of ECS to include instant messaging applications, email, internet phone calls and personal messaging provided through social media, collectively known as over-the-top ‘OTT’ communication services.  The processing of personal data by all ECSs must comply with the GDPR.

As a result, the obligations of the current ePrivacy Directive will apply to the providers of OTT communication services in addition to traditional telecom providers. Service providers should consider whether they are covered by the new rules and assess how they will meet the requirements of the ePrivacy Directive.

We note that the European Commission’s proposal to replace the ePrivacy Directive with a regulation continues to make its way through the legislative process and we will provide a further update when information becomes available.

The Code can be viewed here.

Cambridge Analytica’s parent company fined for failing to comply with an enforcement notice

The parent company of Cambridge Analytica, SCL Elections, has been fined £15,000 by the Information Commissioner’s Office (ICO) for failure to comply with an enforcement notice, contrary to sections 47 and 60 of the Data Protection Act 1998.

The enforcement notice was issued one day before the company went into administration in May 2018 for its failure to provide the necessary response to a request from Professor David Carroll, a US-based academic, for a copy of any personal information the company held on him.

SCL Elections pleaded guilty at the hearing at Hendon Magistrates Court and, in addition to the fine, was ordered to pay £6,000 costs and a victim surcharge of £170.

Commenting on the prosecution the Information Commissioner Elizabeth Denham said “Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply. Organisations that handle personal data must respect people’s legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action.”

The ICO’s announcement can be read here.

Pharmacy is ‘Well’ and truly sorry after breaching employees’ data

Well Pharmacy Group has apologised after the data of approximately 24,000 employees was accidentally included in an email sent to an undisclosed number of pharmacists.

Although it was confirmed that no patient data was disclosed, it is understood that the spreadsheet attached to the email included the personal and sensitive data of nearly 24,000 staff and locum pharmacists. The data included names, addresses, phone and payroll numbers.

It has been reported that some pharmacists were concerned that information about religion, pay rates and other personal characteristics was disclosed.  However, Well Pharmacy has denied this and stated that personal information is only held to assist in placing locum pharmacists in suitable positions.

The pharmacy has reported the incident to the Information Commissioner’s Office (ICO) and has launched a full internal investigation. This incident highlights the need for regular and ongoing training for all staff handling personal data in order to minimise the risk of a data breach.

Organisations should also ensure that they have a lawful basis in order to process personal data.  Although personal patient data was not breached in this incident, pharmacies can be particularly susceptible to data breaches given that they collect and handle large volumes of personal data.  The ICO has published a good practice report for community pharmacies which can be viewed here.

Amazon’s Alexa involved in serious data breach

Amazon’s in-home voice assistant Alexa has reportedly sent over 1,700 private audio files to the wrong user in Germany. The data breach occurred when an individual exercised his right under the General Data Protection Regulation (GDPR) to request all of the data Amazon held about him. However, the audio files and transcripts he received came as a surprise, as they belonged to someone else entirely.

It is understood that the breached data included conversations recorded whilst a man was taking a shower, and audio files revealing the identity of his partner, where he lived, and his taste in music.  It appears that sufficient personal data was disclosed to enable the recipient to identify the man and to contact him directly via his Twitter account.

Although Amazon described the incident as an “unfortunate case of human error and an isolated incident,” this is not the first time that virtual listening devices have been responsible for serious breaches of personal data. We previously reported on the incident of Alexa sending a private conversation to a random person in a user’s contacts list. As the use of artificial intelligence, virtual assistants and smart home technologies continues to increase, so too does the risk of privacy and data breaches.

Steps that consumers can take to protect their privacy include muting their device when not in use, deleting recordings and refraining from connecting financial accounts to their device. For more information on these issues, please read our previous article here.

German politicians subject of data hack

German politicians and other public figures have been targeted in a years-long data exfiltration campaign, which culminated in a large data dump beginning the week before Christmas.

The leaked data included individuals’ contact details including mobile phone numbers and addresses, as well as internal political party communications, emails, ID card photographs, invoices and credit card numbers.

Given the range and variety of the hacked data, it seems likely the hack occurred continually over a number of years, suggesting that there was not a singular data breach incident that could be pointed to as the source of the dumped information.

The data was drip-released on Twitter beginning the week before Christmas, and it was only after several weeks that Twitter suspended the accounts spreading the information. However, by that point the information had been mirrored across a multitude of other websites and platforms in an attempt to evade takedown.

German media outlets have concluded that the hack was politically inspired, as the only political party that did not see its data released was the right-wing Alternative für Deutschland.

On January 8th, the BKA (the German Federal authorities) announced that a 20-year-old German man had confessed to the leaks and had provided corroborating information regarding the hack. In a press release, the BKA stated the suspect had acted alone and out of annoyance with the politicians and public figures concerned.

ICO guidance on breach reporting

Given the considerable changes made to data protection law in 2018, we have summarised the ICO’s requirements regarding data breach reporting to start off 2019.

While you do not have to report every data breach, the ICO has identified four main types of incident that should be reported, which are outlined below.

  1. GDPR/Data Protection Act 2018 personal data breach: After 25 May 2018, if you experience a personal data breach which is likely to pose a risk to people’s rights and freedoms, then you must notify the ICO. This includes a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  2. Privacy & Electronic Communications Regulations (PECR): organisations providing electronic messaging services to the public are required to notify the ICO of all personal data breaches.
  3. A potential breach of the NIS Directive: this Directive relates to network and information systems security, and applies to operators of essential services as well as digital service providers.
  4. A potential breach of the eIDAS Regulation: this Regulation sets out rules for electronic identification and trust services, which help verify the identity of individuals and businesses online or the authenticity of electronic documents.

For further information, the ICO has published a brief note on breach notification which can be viewed here.