17 May 2018

GDPR Month – Data Protection Update

It’s GDPR month, but we have more for you than that, it’s time to start thinking about PECR’s replacement! (And some GDPR issues…)

Fining news – Royal Mail fined for unsolicited nuisance emails

The Royal Mail has been fined £12,000 by the Information Commissioner’s Office (ICO) after sending almost 330,000 nuisance emails to customers over a period of two days. The emails, concerning a fall in the cost of posting parcels, were sent to customers who had explicitly opted out of receiving direct marketing. The ICO began its investigation after receiving a complaint from a member of the public. During the investigation, Royal Mail claimed that the emails constituted service messages as the purpose was to inform customers of a price drop. However, the ICO disagreed and found that the emails breached regulation 22 of the Privacy and Electronic Communications Regulations (PECR), which prohibits the transmission of unsolicited marketing emails.

In 2017 the ICO also fined airline Flybe and Honda after receiving complaints concerning unsolicited marketing emails. These fines show an increasing trend by the ICO to take action based on individual complaints. We expect that to continue under GDPR.

Marketing Communications – PECR’s replacement not ready yet

Electronic marketing communications will be directly affected by the General Data Protection Regulation (GDPR) when it comes into force later this month. The GDPR provides for fines of up to €20 million or four per cent of global annual turnover, whichever is higher. The ICO’s decision against the Royal Mail is a reminder that electronic marketing communications will not only need to comply with the GDPR, but also with the PECR.

A new EU ePrivacy Regulation governing electronic communications was meant to be ready to start alongside GDPR but it is not yet ready. The ICO has confirmed that the new Regulation is now not expected until 2019. Until then, the PECR will apply alongside the GDPR, as it currently does alongside the Data Protection Act (1998). The current draft of the new ePrivacy Regulation raises some uncertainties; for example, it is unclear if the final draft will distinguish between corporate and individual users and how the new Regulation will eventually work alongside the GDPR. The staggered introduction of legislation means that whilst businesses prepare for the GDPR, they should keep a watchful eye on the development of the new ePrivacy Regulation so that they are ready to make any necessary adjustments.

The long arm of the GDPR

TThe GDPR aspires to a broad jurisdictional reach and is intended to apply to the processing or controlling of data of any natural person present in the EU. However, the global applicability of the GDPR is not always clear and is tied to the location of the Data Controller and Data Processor rather than the Data Subject. The recitals of the GDPR indicate the extent to which the GDPR will apply to individuals present in the EU: Recital 2 states that ‘The rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data,’ and Recital 14 states that ‘the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence.’

These recitals indicate that a ‘Data Subject’ under the GDPR is anyone within the borders of the EU at the time of processing of their personal data, irrespective of their nationality or residency status. This raises some interesting scenarios. For example, it appears that the GDPR will apply to the processing of a Chinese national’s personal data during a stopover following arrival in the EU on an international flight. On the other hand, if an EU citizen or resident moves out of the EU border and becomes an expat in China, they will no longer be a Data Subject under the GDPR unless their data is processed by an organisation with an ‘Establishment’ in the EU, in accordance with Article 3(1). In the context of the GDPR, an organisation will have an establishment in the EU if it is registered in the EU or has at least a single representative in the EU. The broad and flexible interpretations of both Establishment and Data Subject are consistent with the territorial reach of the GDPR in an age when data is continually being transferred and processed across borders.

Facebook moves 1.5bn users from Ireland to California ahead of GDPR

Prior to the coming into force of the GDPR, Facebook announced that it will be migrating its user agreements with 1.5 billion users located outside the EU, Canada, and the US, away from Facebook Ireland; those users in other parts of the world will be served by Facebook in California going forward. Facebook has stated that it offers the same privacy protection to users regardless of their location, however, the firm acknowledged the heightened informational requirements for privacy policies under the GDPR. As noted above, the GDPR applies to data processing carried out by entities with establishments in the EU, including in respect of data subjects located outside the EU. One practical impact of Facebook’s change of approach will be that users migrated to Facebook’s California entity will not be covered by the GDPR, whereas under the existing arrangement with Facebook Ireland, those users fell within the scope of the GDPR. Whilst the move will reduce the number of Facebook users able to seek enforcement of their rights under the GDPR, maximum fines under the GDPR may be assessed as a percentage of the global annual turnover of a corporate group. Accordingly, global businesses such as Facebook may still be liable for larger fines based on their global turnover, even though only some of those corporate entities may be subject to GDPR compliance for their data processing activities.

Self-assessment and the data protection fee – register soon to save

The government has published the Data Protection (Charges and Information) Regulations 2018, which introduce a new charging structure for Data Controllers to ensure the continued funding of the ICO. The new fee structure will come into effect at the same time as the GDPR and will replace the annual notification fee payable under the existing system. There are three different tiers of fees depending on the size of the organisation and its annual turnover: Tier 1 with a fee of £40 applies to micro organisations with a maximum turnover of £632,000 or having no more than 10 members of staff; Tier 2 with a fee of £60 applies to small and medium organisations with a maximum turnover of £36 million or having no more than 250 members of staff; and Tier 3 with a fee of £2,900 applies to all large organisations that not meet the criteria for either Tier 1 or Tier 2.

It is important that organisations assess which level of fee they are required to pay as this information will be needed when registering with the ICO for the first time. In the absence of being told otherwise, the ICO will regard any organisation registering for the first time as eligible to pay a Tier 3 fee. The ICO has stated that it will publish a self-assessment tool to assist organisations before the Data Protection Regulations come into force.

Organisations previously registered under the Data Protection Act (1998) will not be required to pay the data protection fee until their current registration expires: the ICO will use information it holds to calculate the fee tier level for the new data protection fee. Organisations which are not registered because their registration has recently expired will also be regarded as eligible to pay the Tier 3 fee until the ICO is notified otherwise. The ICO will publish details of all Data Controllers who pay the data protection fee on its data protection website, including the level of fee that has been paid. Failure to pay a fee, or to pay the correct fee, will be subject to a maximum penalty of £4,350 (150 per cent of the Tier 3 fee).

As some fees are increased, if you register now you may find your fee is lower than if you register after May 25th 2018.

ICO issues guidance on consent and seeks to dispel the myth that it is ‘silver bullet’ to GDPR compliance

With just ten days remaining to achieve compliance with the GDPR, many of us have seen our email inboxes overflowing with requests to provide, or confirm, our consent to receiving communications from businesses and other organisations. In some cases, consent is being sought because the initial approach to obtaining consent may have used ‘pre-ticked’ boxes which would not suffice under the GDPR. In other cases, though, it seems that an overabundance of caution, or indeed a misunderstanding of the GDPR, may be at the root of these last minute solicitations for consent. By way of example, where an individual has provided their email address in order to be informed of news or special offers from a business, there is no need to seek fresh consent in order to be GDPR compliant; providing, of course, other requirements are met, such the ability for individuals to withdrawn their consent to receiving future communications.

The ICO is clearly aware that the issue of consent has eclipsed other aspects of GDPR compliance in the headlines, and two weeks before the arrival of the GDPR, the ICO has published its finalised guidance on consent as a legal basis for processing under the new regulation. In an accompanying blog post, the Deputy Commissioner for Policy, Steve Wood, seeks to dispel the myth that any and all existing consents must be ‘refreshed’ prior to May 25th 2018. Where a business has an existing relationship with a customer who has purchased goods or services, for example, it may not be necessary to obtain fresh consent; businesses should not seek view consent as the ‘silver bullet’ for data processing under the under GDPR. Businesses may often be able to look to another legal basis to justify their data processing, such as the performance of a contract or their own legitimate interests. Another piece of advice from Mr. Wood, which echoes the Commissioner’s recent comments, is that May 25th is merely the start, and not the end, of GDPR compliance, which will require organisations to review their approach to processing personal data regularly, and to keep their policies (and consents, if appropriate) current going forward.