- The European Court of Justice (“ECJ”) has today invalidated the EU-US Privacy Shield, meaning that companies can no longer rely on this mechanism for transferring personal data from the EU to the US.
- Companies transferring data to the US relying on the Privacy Shield (including transfers to a number of the big tech IT service providers registered with the scheme) will now need to scramble to put in place a lawful alternative.
- In contrast, the ECJ has upheld the Standard Contractual Clauses (“SCCs”) as a valid mechanism to transfer personal data to third countries but subject to a fairly significant sting in the tail.
- Importantly, the ECJ has pointed out that both data exporter companies and regulators must ensure that there are mechanisms to suspend or prohibit transfers to third countries where there is a conflict between the SCCs and the laws of that third country.
- In practice, this appears to mean that companies need to undertake a level of due diligence prior to any transfer of personal data to a third country where the SCCs are being used, and that recipients of that data have an obligation to tell the exporter where their local laws (for example because of surveillance powers in their jurisdiction) mean that they cannot comply fully with the SCCs.
- Given the ECJ’s comments on the adequacy of the US regime, it remains to be seen how businesses can undertake such due diligence to reach a conclusion that data is sufficiently protected when being sent to the US, even using the SCCs.
In a move that marks a major U-turn for the Government, the UK’s proposals for a centralised contact tracing app have been abandoned in favour of a decentralised model. The new model is based on technology developed by Apple and Google and replaces the original app designed by NHSX, which has recently faced criticism due to privacy concerns as well as technical issues and delays.
The UK follows Germany and Italy, which have already made the switch from centralised contact tracing apps to decentralised models. The UK’s health secretary, Matt Hancock, confirmed the news at the UK Government press conference last night.
To centralise or decentralise?
The UK Government had previously asserted the superiority of a centralised contact tracing model, but what exactly is the difference?
A ‘decentralised’ data model requires individual users to provide an anonymous ID to a centralised server. The user’s phone then downloads information from the centralised database and carries out contact matching and risk analysis on the phone itself before sending alerts to other users if necessary. Information on whether a user has come into contact with an infected person will be shared with that user, but not with the central server.
In contrast, a ‘centralised’ data model would require users to provide not only their own anonymous ID to a centralised database, but also to send any codes collected from other phones. The computer server then carries out contact matching and risk analysis using that information, making the decision as to whether someone is ‘at risk’ and sending alerts accordingly.
The UK’s previous preference for the centralised model was based on the belief that storing data in a centralised manner would promote a more considered approach to contact tracing based on risk factors, and would enable epidemiologists to use valuable data on the spread of the virus for further research. However, the centralised model was criticised for potentially encroaching on privacy by using more data than necessary, and using the data for purposes other than contact tracing.
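To make the difference between the two models concrete, the following toy simulation (an added example, not NHSX or Apple/Google code; the phone names and IDs are constructed) runs the same three contacts through both designs and shows what each server ends up holding: the decentralised server stores only the IDs of users who reported positive and matching happens on the handset, whereas the centralised server receives every user’s collected codes and can reconstruct who met whom.

```python
# Constructed toy model of the two contact-tracing designs discussed above.
# Added example, not NHSX or Apple/Google code; phone names and IDs are made up.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Phone:
    """A handset holding its own anonymous ID and the IDs it has heard over Bluetooth."""
    name: str
    my_id: str
    seen: set[str] = field(default_factory=set)


def bluetooth_exchange(a: Phone, b: Phone) -> None:
    """Two phones in proximity swap anonymous IDs; nothing leaves either device."""
    a.seen.add(b.my_id)
    b.seen.add(a.my_id)


class DecentralisedServer:
    """Holds only the IDs of users who reported positive; never learns who met whom."""

    def __init__(self) -> None:
        self.infected_ids: set[str] = set()

    def report_positive(self, phone: Phone) -> None:
        self.infected_ids.add(phone.my_id)

    def download_infected(self) -> set[str]:
        return set(self.infected_ids)


def decentralised_at_risk(phone: Phone, server: DecentralisedServer) -> bool:
    """Matching runs on the handset; phone.seen is never uploaded."""
    return bool(phone.seen & server.download_infected())


class CentralisedServer:
    """Receives each user's own ID plus the IDs they collected, and does the matching."""

    def __init__(self) -> None:
        self.contacts: dict[str, set[str]] = {}
        self.infected_ids: set[str] = set()

    def upload(self, phone: Phone) -> None:
        self.contacts[phone.my_id] = set(phone.seen)

    def report_positive(self, phone: Phone) -> None:
        self.infected_ids.add(phone.my_id)

    def at_risk_ids(self) -> set[str]:
        return {uid for uid, seen in self.contacts.items() if seen & self.infected_ids}

    def social_graph(self) -> set[frozenset[str]]:
        """By-product of centralised matching: the server can rebuild the contact graph."""
        return {frozenset((uid, other)) for uid, seen in self.contacts.items() for other in seen}


def run_scenario() -> dict:
    """Alice meets Bob, Bob meets Carol, Alice reports positive; compare both models."""
    # Constructed IDs; a real app would rotate random identifiers.
    alice, bob, carol = Phone("alice", "id-a"), Phone("bob", "id-b"), Phone("carol", "id-c")
    bluetooth_exchange(alice, bob)   # alice and bob meet
    bluetooth_exchange(bob, carol)   # bob and carol meet; carol never meets alice

    dec = DecentralisedServer()
    dec.report_positive(alice)

    cen = CentralisedServer()
    for p in (alice, bob, carol):
        cen.upload(p)                # every phone uploads its own ID and collected codes
    cen.report_positive(alice)

    return {
        "decentralised_alerts": {p.name: decentralised_at_risk(p, dec) for p in (bob, carol)},
        "decentralised_server_holds": dec.infected_ids,      # just {"id-a"}
        "centralised_alerts": cen.at_risk_ids(),             # {"id-b"}
        "centralised_server_graph": cen.social_graph(),      # two edges: a-b and b-c
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Both models reach the same alert (only Bob is at risk); the difference is that the centralised server is left holding the full contact graph, which is the "more data than necessary" point the critics raised.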
NHSX, the health service’s innovation arm, has confirmed that its current leaders will step back from the project, and that Simon Thompson, current chief product manager at Ocado, will take over management of the new app.
While this move will be welcome to privacy campaigners and critics of the centralised model, concerns over the limitations of Bluetooth-enabled technology, as well as the uneasiness over allowing Apple and Google to control the UK’s response to the pandemic, may cause further obstructions to the eventual rollout of a UK-wide contact tracing app. The additional delays resulting from this change in approach may also result in a lower than ideal take-up rate, with much of the population of the view that the time for contact tracing has passed given the current downwards curve of the pandemic.
The COVID-19 outbreak has resulted in an unprecedented focus on the power of data to assist in resolving national emergencies. From health tracking, to volunteer coordination, to accurately identifying the vulnerable, data is being harnessed in both the public and private sectors to try to help bring COVID-19 under control and mitigate its impact.
Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants  UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.
The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.
The judgment will likely result in a collective sigh of relief for organisations who have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment is very fact specific; it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.
In 2015 a former Morrisons employee was found guilty of stealing and unlawfully sharing the personal data (including names, addresses, bank account details, salary and national insurance details) of almost 100,000 of Morrisons’ employees with members of the press and with data sharing websites. At the time, the ICO investigated and found no enforcement action was required with respect to Morrisons’ compliance with the Data Protection Act 1998 (“DPA”).
Nevertheless, around 5,000 Morrisons employees brought a claim for damages – irrespective of the fact that they had not suffered any financial loss. Instead, the employees claimed that Morrisons was vicariously liable for the criminal acts of its employee and for the resulting distress caused to the relevant employees.
For full details of the background to the High Court and Court of Appeal arguments, please see our previous Morrisons data protection briefing. Following the conclusion of the Court of Appeal case, the Supreme Court subsequently granted leave to appeal, which led to a two day hearing in November 2019 and, ultimately, the judgment handed down today.
The Supreme Court overturned the Court of Appeal’s decision, finding that Morrisons was not vicariously liable for the employee’s unlawful actions. Lord Reed gave the judgment of the court, with which Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed.
Lord Reed concluded that the courts below had misunderstood the principles of vicarious liability, and in particular had misinterpreted the Supreme Court’s judgment on vicarious liability in Mohamud v WM Morrison Supermarkets plc  UKSC 11. That judgment was not intended to change the law on vicarious liability, but rather to follow existing authority including, importantly, Dubai Aluminium Co Ltd v Salaam  UKHL 48.
In Dubai Aluminium, Lord Nicholls identified the general principle that applies when the court considers the question of vicarious liability arising out of an employment relationship: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
Applying that test, vicarious liability was not established in this case. The Supreme Court found that the employee’s wrongful conduct was not so closely connected with the acts he was authorised to do that, for the purposes of assessing Morrisons’ liability, it could fairly and properly be regarded as being done in the ordinary course of his employment.
Lord Reed referred to the distinction drawn by Lord Nicholls in Dubai Aluminium between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.”
In the present case, he said, it was clear that the employee was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary he was pursuing a personal vendetta against the company, seeking revenge for disciplinary proceedings some months earlier. In those circumstances, the close connection test was not met.
Although it did not affect the outcome, in light of the court’s findings, Lord Reed also considered Morrisons’ contention that the DPA excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”
Implications of the decision
Data privacy implications
Although this case was argued under the repealed Data Protection Act 1998, it will likely result in a collective sigh of relief for organisations now subject to the GDPR which expressly allows individuals to claim compensation for non-material damages (including distress) caused by non-compliance with the regulation. This is exactly the decision that many organisations wanted. In a world where companies can already be fined up to EUR 20 million or 4% of annual worldwide turnover for non-compliance with the GDPR, there are real fears concerning the potential for additional significant liability under class action claims for data breaches. Many organisations will be comforted by the steps that the Court has now taken to reduce the likelihood of such claims being successful.
However, it is important to caution against too much optimism. The Morrisons case was quite unique because the compensation claim was brought by individuals despite no regulatory action being taken by the ICO at the time of the data leak itself. The decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, such as has been the case when you look at some of the recent big data breaches we have seen which are starting to result in significant fines from the ICO.
Despite the claim not being successful in this instance, another, perhaps unintended, consequence of the case is that employers will be seriously considering what steps can be taken to mitigate the risk of rogue employees leaking personal data. This may result in increased employee monitoring in the workplace, with all the data privacy implications that may entail.
The “close connection” test for rendering an employer vicariously liable for an employee’s actions (as described above) is well established. What has been less clear is how broadly that test should be applied to the facts. For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for the employee’s conduct towards customers even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.
Given there is no ‘reasonable steps’ defence against vicarious liability for torts, employers will welcome today’s ruling which rows back from that liberal interpretation of the test. The Supreme Court has made clear that the mere fact that the job provides the employee with “the opportunity to commit the wrongful act” is not sufficient to impose vicarious liability, nor is the fact that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive. Doing acts of the same kind as those which it is within the employee’s authority to do is not sufficient either.
The test is whether the wrongful act was sufficiently closely connected with what the employee was authorised to do. In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective. In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” The ruling helpfully re-establishes that employers should not be liable for the acts of employees engaged on “frolics” of their own, pursuing their own objectives.
Cyber and data security implications
While the spectre of no-fault liability presented by Morrisons has fallen away, there is still a significant risk from fault-based claims. The ICO is imposing substantial fines upon organisations for inadequate technical and organisational security measures, and claimants are cutting and pasting adverse findings from the ICO into claim forms. Organisations will have to make sure that the measures they are taking are appropriate, which will involve considering many factors, including the state of the art and the harm that may be caused if the security measures fail.
Class actions implications
Data breach class actions are on the rise in the UK, and today’s judgment should be seen as a setback, not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for “distress” or a standardised claim of loss of access to data, and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands. Today’s judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.
The key question for the viability of those claims will be how much a bare data breach is “worth” by way of damages, even if there’s no other loss suffered by the victim. We will have to wait a bit longer now to find that out. The principles applied in misuse of private information cases may be helpful to the courts in considering this issue, given how little case law there is on damages in data protection claims.
The judgment is good news for corporates and their insurers. The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim – namely to harm Morrisons. Insurers may therefore also be breathing a sigh of relief – but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That’s because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.
The good news for concerned corporates is that they can buy cyber insurance to cover data breach claims, whether for direct or vicarious liabilities, as well as related losses such as the costs of managing the incident, regulatory investigations and loss of profits if systems are impacted. However, risk transfer strategies within corporates vary, and that cover cannot necessarily be banked upon in all cases. The main challenge therefore remains, and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording? Given that the measure of damages is still unclear, this issue will continue to be wrestled with.
In these unprecedented times, COVID-19 has forced organisations to quickly put in place measures with the aim of ensuring both business continuity and the protection of employees. In many instances, this has involved increased processing of health data, in ways that were not envisaged a short time ago. Organisations across the globe are also asking employees to work from home. Given the timeframes involved and the speed at which government advice and directions have evolved, data protection regulators are recognising the challenges involved (please see the related article here), yet a global pandemic is not a general waiver for privacy compliance.
Here we explore some of the data privacy issues that organisations should be considering as they adapt to the COVID-19 crisis. For more information about general people issues, please see COVID-19: People – key issues for UK employers.
COVID-19 related data processing: key compliance issues
- Lawful basis for processing for COVID-19 related activities
For all COVID-19 related activities involving the processing of health data, whether as a result of: (a) employees voluntarily informing employers that they have tested positive for, or are suspected to have, COVID-19; (b) employers proactively asking employees about their health; or (c) other preventative measures introduced by employers (e.g. body temperature scanning for access on to premises), a lawful basis for processing is required under both Article 6 and Article 9 of the GDPR.
Article 6: The Article 6 ground which many organisations are likely to seek to rely on will be the “legitimate interests” of the organisation or third parties (e.g. other employees), provided that a risk assessment is carried out to check that any risks to individuals’ interests are proportionate. This should be documented in a legitimate interests assessment. It is, however, recognised that organisations are being required to respond rapidly to evolving guidance and it may not always be feasible to carry out such an assessment. Alternatively, an organisation may seek to rely on other lawful bases, such as:
- the processing is “necessary to perform the employment contract”, if ensuring health and safety is a term of that agreement; or
- the processing is “necessary to comply with legal obligations”, in relation to health and safety.
Article 9: As health data is considered ‘special category data’ under the GDPR, a lawful basis will also be required under Article 9 of the GDPR. It is likely that much of the processing will be necessary to carry out obligations in relation to employment law, insofar as it is authorised by Union or Member State law (Article 9(2)(b)). Other relevant grounds may also be “public health” and “preventative and occupational medicine”, again in each case insofar as authorised by Union or Member State law (Articles 9(2)(h) and (i)). As you will note, this aspect of the GDPR is devolved to Member States, meaning that local privacy and employment laws will need to be reviewed to assess what specific measures may be permitted locally when processing health data.
In respect of the UK, the UK Data Protection Act 2018 provides for these conditions at Schedule 1, Part 1, but imposes additional safeguards. For example, if relying on the basis that processing is necessary to carry out obligations in relation to employment law, the organisation must have an “appropriate policy document” in place, which should:
- explain the organisation’s procedures for securing compliance with the principles set out in Article 5 of the GDPR; and
- explain the organisation’s policies as regards retention and erasure of personal data, giving an indication of how long such personal data is likely to be retained.
- Disclosing COVID-19 employee-related information
Where an employee has tested positive for COVID-19, an employer may wish to carry out ‘contact tracing’ amongst other employees, or alert other employees. However, unless it has the explicit and freely given consent of the employee who has tested positive, it should not be divulging the name of that employee to anyone else, although employers can still communicate that employees may have been exposed. The Information Commissioner’s Office (ICO) has indicated that employers that inadvertently share too much information in a bid to protect employees’ health will not be penalised, although the more cautious approach would be not to test this and to avoid disclosing the names of affected employees.
- Proportionality and other considerations
The personal data that is processed should be limited to only what is necessary for the purpose of the response measure the organisation is implementing and for making decisions as to the action required. All other relevant GDPR principles and obligations will also need to be kept in mind and complied with – for example, data minimisation, the updating of Article 30 records, and appropriate retention periods.
COVID-19: Remote Working issues
It is not just the increased processing of health data that has raised data privacy issues. Many organisations are now asking their employees to work from home, some for the first time.
- Security risks
Organisations are still under an obligation pursuant to Article 32 of the GDPR to ensure that the personal data processed are subject to appropriate technical and security measures. This applies in a work from home scenario as much as in the office environment.
- Use of personal devices: Where employees have been asked to use their personal devices as part of remote working, this typically raises more issues as these will often lack the tools built in to business devices – such as strong antivirus software, customised firewalls, and automatic online backup tools. This increases the risk of malware finding its way onto devices and both personal and work-related information being compromised. Even for company-issued devices, organisations will want to consider how to manage updates where machines are not connecting to the company LAN.
- Use of third party technologies: As organisations are embracing the use of third party technologies to adapt to this new ‘normal’, we have seen the advent of apps to replace processes and functionality that are no longer readily accessible or available to employees in a home environment – for example, videoconferencing apps, team communication apps, scanning apps etc. Questions are already being raised over the security of these apps, and the due diligence that organisations should take before permitting, or encouraging employee use, of these technologies. It may be that organisations only permit use of these technologies in limited circumstances. However, once again, given the speed of developments at the macro/governmental level, organisations are having to respond extremely quickly to a new set of security challenges.
- BAU risks are magnified: During this time, all the more ‘traditional’ risks are likely to be magnified. Employees working at home, possibly having shifted larger than normal amounts of confidential documents from the office to home, may also be surrounded by others – whether flatmates, family or partners – and so this can pose a security threat. Devices should be locked when unattended, privacy screens used where possible, and phone calls or online meetings carried out somewhere they cannot be overheard, particularly if what is being discussed is business critical or sensitive information. It may also be tempting for employees to forward emails and documents containing personal data to a personal email address if working from home and having issues with company-provided devices or the remote network. However, strictly speaking, this could often amount to a personal data breach under the GDPR as an unauthorised disclosure of personal data (albeit likely not a notifiable one, depending upon the consequences of the employee doing so). As a result, communications with employees regarding the use of technologies and devices etc. are more vital than ever to ensure that individuals are not inadvertently opening up the organisation to additional risk.
- Introduction of new technologies
As we look set to be working at home for the foreseeable future, organisations may seek to introduce new technology for a host of reasons, e.g. to facilitate home-working, to monitor employees etc, which would likely involve the processing of personal data. However, as is always the case when introducing new technology that involves the processing of personal data, organisations should consider whether a data protection impact assessment is required. In the context of employee monitoring in particular, this could present issues around impact on the individual where it involves monitoring an employee at home, on a personal device, or possibly even a shared device.
COVID-19: Direct Marketing
Nothing has changed with respect to direct marketing rules and what organisations may or may not do, but a reminder that businesses should be careful not to include marketing information in COVID-19-related communications that they are entitled to send to individuals, e.g. service communications. This could amount to a breach of the ePrivacy rules to the extent any of those individuals have opted out of receiving direct marketing. Although the ICO has made it clear that public health messages sent by the government, NHS and healthcare professionals will not be considered to be ‘direct marketing’ for ePrivacy purposes, this should not be interpreted as meaning that all messages relating to the COVID-19 pandemic will fall outside of the ePrivacy rules.
Key points for organisations
We recommend you take the following key steps when considering data privacy risks associated with COVID-19 processing activities and remote working:
- Ensure that measures implemented are consistent with current public health advice, to help inform what is proportionate.
- Carry out legitimate interests assessments or data protection impact assessments if required.
- Review employee use of unauthorised third party applications.
- Ensure that adequate IT security is in place to take into account remote working on a large scale and for a prolonged period.
- Update company policies on remote working if needed.
- Remind employees to be alert to security issues and of best practices and expectations to ensure secure working from home.
- Consider ad-hoc training for those roles that typically do not work from home.
- The EDPB has reviewed implementation of the GDPR so far and has declared the first year and a half a success.
- The EDPB did note areas for improvement, including the impact of implementation on SMEs and issues with cooperation across different jurisdictions.
- However, notwithstanding these difficulties, the EDPB considers that it would be premature to revise the text of the GDPR.
On 18th February 2020 the European Data Protection Board (“EDPB”) adopted its contribution to the evaluation of the GDPR under Article 97. The report is the EDPB’s reflection on the GDPR so far, noting areas of success and those where there is room for improvement.
Overall, the EDPB sees the first year and a half of the GDPR as a success, which has ‘strengthened data protection as a fundamental right and harmonized the interpretation of data protection principles’. In particular, the EDPB has emphasised that the GDPR is ‘a technologically neutral framework’ and is designed ‘to foster innovation by being able to adapt to different situation’.
Despite its generally positive outlook, the EDPB did acknowledge that it has not all been plain sailing, and the implementation of the GDPR has been challenging, in particular for SMEs. The EDPB has emphasised its commitment to developing tools to try and make compliance less burdensome for SMEs.
Similarly, the difficulty of implementing the cooperation and consistency mechanisms in the GDPR was also noted. The EDPB now publicly accepts that the ‘patchwork of national procedures and practices has an impact on the cooperation mechanism’ and notes that it is examining potential solutions to ensure the GDPR is applied consistently.
The report also touches on international data transfers and the resourcing challenges faced by supervisory authorities.
The EDPB concludes that it would be too soon to revise the text of the GDPR, and instead invites legislators to focus on adopting the ePrivacy Regulations to complete the data protection framework, a task that has thus far proven to be challenging.
The EDPB, unsurprisingly, has taken a positive view of the GDPR so far. It is certainly true that data protection has become a board level issue within most organisations, and data subjects are now more aware than ever of their rights. That being said, it is perhaps optimistic to suggest that the GDPR fosters innovation, given the difficulties that some emerging technologies such as blockchain have found in aligning themselves to the GDPR requirements, and the further issues that the market anticipates as innovation accelerates away from existing regulation.
SMEs will welcome the prospect of additional support for their compliance programmes. We will watch this space to see what solutions are proposed, and whether they actually help in practice.
The focus on cooperation and consistency will be no surprise to anyone who has struggled with the realities of implementing a single data protection policy across Europe. The commitment to finding a solution for consistent GDPR application will be a welcome statement for those companies who have grappled with local divergences, either by accepting certain jurisdictions as outliers from their overall data protection regime, or by having to take a risk-based approach where they have chosen not to follow local derogations. However, it will be interesting to see whether any further harmonisation acts as a race to the bottom to meet the lowest acceptable standard, or alternatively whether it requires more lax jurisdictions to take a more rigorous approach to enforcing the GDPR.
Data has been labeled the world’s most valuable resource in our current digital economy. It is the lifeblood of many companies, especially those in the technology, media and telecommunications sector where data is often used to predict, analyse and respond to consumers’ behaviours, patterns and preferences for services and products. Capabilities to collect and analyse mass data are therefore seen as a decisive factor used to distinguish whether one company is a cut above the rest, using data to accurately determine current and future market trends. But in a regulated society, companies cannot freely process whatever data they choose – a balance must be struck between technological innovation and protection of individuals’ rights attaching to their personal data.
Almost exactly a year after publishing its draft version, the EDPB has adopted its final guidelines on Article 3 of the GDPR and the extra-territorial scope of the legislation. The adopted guidelines don’t differ substantially from the consultation draft but include a number of clarifications and new examples. Some of the key takeaways are:
- Article 3 aims to determine whether a particular processing activity is within the scope of the GDPR and not whether an entity is within the scope of the GDPR (i.e. a non-EU controller can be caught with respect to some data and processing but that does not necessarily mean the entire organisation and all its data is subject to the GDPR);
- Article 3(2) only covers processing where the controller or processor is intentionally targeting individuals; inadvertent or incidental contact with data subjects within the European Union is not enough to trigger this Article (i.e. confirmation that the capture of non-EU people’s data whilst they happen to be on holiday in the EU is probably not going to trigger Article 3(2)); and
- A new section of guidance concludes that where a controller is considered under Article 3(2) to be “targeting” data subjects in the European Union, any processor engaged by the controller in respect of such processing will also be caught by Article 3(2) and therefore subject to the GDPR (i.e. one of the few examples of when a processor can be caught by Article 3(2)).
Whilst helpful to have the final guidance, it is important to note that further clarity is still required in some areas, in particular the interplay between international data transfers and the scope of Article 3.