27 November 2018

Data Protection Update

French regulator findings on consent and contracts; US considers new data law; fines against the police; Brexit; and territorial reach under review

French data protection authority finds flaws with privacy consents used across online advertising industry

The French data protection authority, CNIL, issued a decision on October 30th 2018 (still available in French only) which raises serious concerns for data controllers who rely upon consent passed on by their contractual partners. The decision follows an audit carried out by a French business called Vectaury, which specialises in targeted advertising based on geolocation profiling.

Having read the actual CNIL decision, we note that some early reports mistakenly understood the decision to say that valid consent from data subjects could not be passed on via contract between data controllers. The CNIL in fact concluded that a contractual guarantee that valid data subject consent has been obtained is not on its own sufficient for a data controller to meet the requirements of Article 7 of the GDPR:

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Underlining added)

It is not surprising that merely having in place a contractual guarantee that valid consent has been passed on is not sufficient to meet the Article 7 requirements of the GDPR. The actual proof of consent is obviously an issue. The CNIL decision is a reminder that contractual arrangements must be more than merely ‘window dressing.’ In this case, Vectaury relied upon consents collected by its partners using Vectaury’s Software Development Kit (‘SDK’), as is common across the mobile advertising industry. CNIL’s factual findings in relation to the mechanisms used for collecting the user consents relied upon by Vectaury were that those mechanisms were deficient insofar as the user consents were not (i) informed, (ii) specific, or (iii) obtained through a positive action by the data subject (i.e. consents must be ‘opt in’ and not obtained by default). Thus, CNIL did not dismiss as invalid the contractual guarantees Vectaury relied upon, but rather required evidence that the consents were valid, in light of the deficiencies in Vectaury’s SDK approach.

A challenge for those operating in the mobile advertising space is that the CNIL found that user consent was not ‘informed’ in part because users were not provided at the outset with a full list of those with whom their personal data would be shared if they provided consent. This may be very difficult to achieve, given the high number of separate networks involved in serving mobile advertising, and the fact that the list of networks will often change frequently. Seeking to obtain express consent for each and every partner could therefore not only require a privacy notice approach that is onerous and potentially confusing to users, but also could require renewal of consent every time the list of network partners alters in any way.

The CNIL decision highlights the importance of accountability under the GDPR: data controllers (and processors) must be able to demonstrate compliance. For this reason, it is always advisable for data services agreements to contain robust audit provisions which allow the data controller relying on consent to verify, by auditing its contractual partners, that valid consent is being obtained. Unfortunately, the CNIL decision is silent as to how data controllers can demonstrate, to the satisfaction of regulators, the ability to verify ‘systematically’ that the consents obtained are indeed valid.

Proposed US Consumer Data Protection Act resembles GDPR

US Democratic Senator Ron Wyden has proposed a privacy bill that would bring US data protection law more in line with the GDPR, as well as with California’s recently passed privacy regulations. The proposed Consumer Data Protection Act would give the Federal Trade Commission (FTC) the power to set privacy and security standards, introduce financial and criminal penalties, and establish consumer opt-outs from certain types of data processing.

The bill seeks to make more transparent the operations of companies that process the data of US citizens. It grants Americans the right to examine the information a company holds on them, including who it has been sold to or shared with, and to seek the correction of any inaccuracies in that information. However, Wyden’s bill sharply diverges from the GDPR with regards to the penalties resulting from data breaches.

Companies subject to these enhanced penalties would include any firm that processes the data of at least 1 million consumers and has annual revenues of $1 billion or more, and any smaller company that processes the data of at least 50 million users.

The bill proposes fines for first-time offenders of up to $50,000 per violation, calculated as a cumulative total of all violations, or 4% of total annual gross revenue, similar to the fines under the GDPR. The bill also contemplates prison time for executives of breaching organisations.

The proposed bill mandates that subject companies submit an annual data protection report accompanied by an affirmation statement from the CEO, chief privacy officer and chief information officer. If these individuals were to knowingly certify a non-compliant annual report, they could be personally subject to fines or imprisoned for up to 10 or 20 years. The bill would also establish a centralized ‘Do Not Track’ list, in order to allow consumers to stop companies from sharing their data with third parties or from subjecting them to targeted advertising.

Such a law may be in the US’s future, as businesses are also calling for new laws: speaking at a conference in Brussels last month, Apple CEO Tim Cook praised the GDPR and called for a comprehensive federal privacy law in the United States. The conference also saw these sentiments echoed in comments made by executives of Facebook and Google.

ICO’s first Computer Misuse Act prosecution

In the first prosecution brought by the ICO under the Computer Misuse Act 1990, a UK motor industry employee who misused his customer database access in order to send data to telephone scammers has been sentenced to six months in prison.

The accused, who was employed by Nationwide Accident Repair Services (NARS), pleaded guilty to one charge under section 1 of the Computer Misuse Act, for causing a computer to perform a function with intent to secure access to any program or data held on that computer.

In his role at NARS he had access to Audatex, the company’s software system that estimates vehicle repair costs. Using a colleague’s log-in details, he was able to take thousands of customer records containing names, phone numbers, and vehicle and accident information, which he sold on to telephone scammers. When he started a new job at a different organisation that also used Audatex, he continued accessing and selling customer information. When NARS experienced an increase in customer complaints related to nuisance phone calls, the matter was quickly reported to the ICO.

The ICO usually prosecutes such cases under the Data Protection Act, as the Computer Misuse Act is normally reserved for prosecuting alleged hackers. However, the ICO may prosecute under the Computer Misuse Act, where appropriate, to reflect the nature and extent of the offending party’s actions.

The head of the ICO’s criminal investigations team said: “People who think it’s worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.”

Confiscation proceedings under the Proceeds of Crime Act, intended to recover any benefit gained from selling the data, are ongoing.

While the penalties under the Data Protection Act 2018 are considerable with regards to potential fines, they do not include prison sentences. As such, the ICO’s use of the Computer Misuse Act illustrates its creativity and its willingness to see wrongdoers imprisoned.

UK and EU announce commitment to maintaining data protection equivalence post-Brexit

The Political Declaration on the UK’s future arrangement with the EU says this on data: ‘Commitment to a high level of personal data protection. Commencement of the Commission’s assessments of the United Kingdom’s standards on the basis of the Union’s adequacy framework, endeavouring to adopt decisions by the end of 2020. In the same timeframe, the United Kingdom will take steps to ensure comparable facilitation of personal data flows to the Union. Appropriate cooperation between regulators.’ So the UK and EU are aiming to confirm adequacy, but in any event the GDPR was enacted into UK law under the Data Protection Act 2018, and so the UK is compliant for data matters in Europe. Furthermore, the agreed political statements issued by the UK and EU commit to an adequacy finding prior to the end of any transition period.

ICO: Metropolitan Police Service in violation of data protection law

The ICO has issued a report finding that the use of a controversial crime database by the Metropolitan Police Service (MPS) resulted in multiple and serious data breaches.

The ICO listed several ways in which the MPS likely caused harm to data subjects, including failing to apply data protection measures such as encryption and information-sharing agreements, and lacking coherent policies regarding data retention, sharing and deletion.

The database in question, the Gang Violence Matrix, was established in 2012 by the MPS to reduce London’s gang-related crime, and involved attributing risk scores to data subjects based on a number of factors, including arrest and conviction history. If the MPS were unable to prosecute an individual listed on the database, the database gave it a greater ability to target that individual and to share their data, including names, addresses, ethnicity and police information, with a multitude of private and public organisations.

The ICO took issue with 88% of the individuals on the database being from black or ethnic minority backgrounds, which created potential issues of discrimination. It also criticised the lack of differentiation amongst database groups: victims of two or more gang-related crimes were listed as gang-associated, while 64% of the individuals on the database were identified as low-risk.

Furthermore, despite an informal retention policy under which individuals with risk scores of zero were to be removed from the database, such individuals were either left on the database, placed on informal lists created by officers and saved on their personal drives, or both.

According to the ICO, this was unjustifiably excessive and lacking in differentiation, and data subjects were never truly removed from the Gangs Matrix.

The ICO also criticised the unredacted sharing of sensitive personal data with other institutions, stating that “undifferentiated sharing goes beyond what is reasonably necessary to achieve the MPS’s legitimate purposes in preventing and detecting crime and prosecuting offences.” The ICO pointed out that this had often occurred without information sharing agreements, and that data was often transferred between officers in unsecured ways.

The ICO has issued an enforcement notice requiring the MPS to take the following steps: conduct a data protection impact assessment, review data-sharing agreements, properly label data subjects, erase informal lists of retained subject data, create an access log, develop processing guidelines for individual boroughs, and ensure that victims and offenders are distinguished going forward.

On a related note, the ICO announced that it has launched a similar investigation into the use of police information by local councils, focusing on a breach by the Newham Borough Council involving their use of information from the Gang Violence Matrix.

ICO: Washington Post online does not comply with GDPR

According to the ICO, the Washington Post’s online subscription offers are not GDPR compliant.

Like many online newspapers, the US-based paper offers several subscription options to potential readers, which differ in price. While the most expensive subscription allows users to disable cookies and ad tracking, the cheaper and free options require readers to consent to the use of cookies, tracking and advertisements by both the paper and third parties.

Article 7(4) of the GDPR states: ‘when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of the contract.’ As such, since the Post has not provided a free option that does not require accepting cookies, the ICO has taken the view that ‘consent cannot be freely given and is invalid.’

Despite its non-compliance with the GDPR, no enforcement action has been taken against the Post. This is because the paper is based in the US, and the ICO is looking at its jurisdiction. The ICO has stated: “We have written to the Washington Post about their information rights practices…we hope that they will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”

This is surprising given the GDPR’s extraterritorial scope, and a consultation by the European Data Protection Board (EDPB) on territorial scope has just opened, so we expect the ICO to make further comment on this in the near future. A link to the consultation guidelines can be found here.