Connected autonomous vehicles (CAVs) are increasingly capable of creating, collecting and processing a wealth of data. However, in order for vehicle manufacturers and CAV stakeholders to access and extract the value in such data, they must do so lawfully. This is especially true in relation to personal data which is governed in the EU (and beyond) by the General Data Protection Regulation (GDPR). This post explores at a high level how CAV stakeholders can ensure compliance with the GDPR, particularly in relation to CAVs which process personal data of vehicle drivers, owners and pedestrians. Continue reading
The German competition authority, the Federal Cartel Office (“FCO“) last week announced the results of its investigation into Facebook for a novel abuse of dominance involving consent for its data collection. Whilst the full decision is not yet public, the FCO has published a background paper here. In short, the FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. Facebook has announced that it will appeal. Continue reading
On 23 January 2019, the EU Commission adopted a decision confirming the adequacy of Japanese data protection laws for the purpose of transferring personal data from the EU to Japan in compliance with the international data transfer restrictions set out in Chapter V of the GDPR. Continue reading
On 23 November 2018, the European Data Protection Board (the “EDPB“) published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The guidelines are only in draft form and subject to consultation but they do go some way to clarifying key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3, meaning that there remain gaps where organisations will need to exercise judgment without any comfort that their interpretation will align with that of the regulators. In particular, there would seem to still be question marks around the application of Article 3(2)(a) and what actually constitutes the offering of goods and services to individuals in the EU. Continue reading
Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK. Continue reading
The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the EU’s new strict data protection law, the General Data Protection Regulation (679/2016/EU) (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU.
Not only is it the first extra-territorial notice issued by the ICO under the GDPR, but it is the first action ever taken by the ICO against an entity outside the UK. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR.
Click here for the full article.
The Court of Appeal has today dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants  EWCA Civ 2339 (click here for the Court of Appeal’s full judgement and click here for our summary of the High Court decision).
Summary implications for businesses
This case highlights the wide reach of data protection. An organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.
The fear for organisations will now be that this decision, combined with the legislative changes made by the EU General Data Protection Legislation (“GDPR“), increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. In this regard, it will be interesting to see how the court approaches the issue of quantum in the case against Morrisons.
The Court of Appeal suggested that insurance could be the answer to “Doomsday or Armageddon arguments” about the effect of its decision. Cyber insurance typically covers claims for breaches of confidential information; and in some circumstances coverage may also be found in other classes of liability insurance. However, at this stage the UK cyber insurance market remains in its infancy and claims experience is limited. It therefore remains to be seen how the market will react to this enhanced exposure and whether insurance will be an effective tool to offset the increased risks that organisations now face.
Importantly, this case related to data breaches which occurred prior to 25 May 2018 (i.e. prior to the implementation of the GDPR). In the post-GDPR world where there is an express right for individuals to be compensated for non-material damage (i.e. distress) it could become even easier to bring such actions, particularly where there have been findings of non-compliance by the Information Comissioner’s Office (“ICO“) (the UK’s data protection regulator). With multiple data breaches having hit the headlines since 25 May 2018 (including the Conservative Party Conference, Butlin’s, British Airways, Dixons Carphone, Facebook and Google+), it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK. Continue reading
The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.
Cyber security remains in the public eye with multiple incidents and vulnerabilities reported affecting telecoms companies. Telecoms companies need to continue to focus on the risks and consider updating their pro-active defence and cyber security response plans to reflect the increased legal, operational, technical and regulatory risks they are facing.
The evolution of the cyber threat has not escaped the attention of governments around the world. In 2018 the Network and Information Security Directive (NISD) as well as the General Data Protection Regulation (GDPR) will be implemented in the EU. The NISD, which is due to be implemented by May, will require operators of core “digital infrastructure” and certain “digital service providers” to ensure that their network and information systems meet minimum standards of cyber security. Continue reading