Data & Privacy: £400k fine for TalkTalk is biggest ever, and ICO breaks its silence on Brexit, by Harbottle & Lewis

Record fine imposed on TalkTalk

The ICO has fined TalkTalk a record £400,000 for poor website security following the October 2015 hack in which data from nearly 157,000 customers was stolen. As £500,000 is the maximum possible fine, this is a clear warning from the ICO that data security is critically important.

Of particular concern to the ICO was the fact that TalkTalk had several opportunities to identify and remedy the security weaknesses which ultimately allowed the hackers to compromise its systems. Businesses should ensure that they are constantly monitoring their data security and remedying any defects.

How to deal with data subject access requests where the documents refer to others

The High Court has provided guidance in relation to data subject access requests where documents contain the personal data of more than one individual and where such data cannot be easily separated or redacted. Unless the people referred to in the documents consent, the assumption should be against release of the documents. The data controller then needs to balance the rights of the individual making the request and the rights of others featured in the documents, taking into account factors such as the type of data involved and purpose of the request. Where the request is made in contemplation of litigation, refusal of the request might be justified as the appropriate method of seeking disclosure for such documents is under usual litigation procedure, not data protection legislation.

In the case at hand, the High Court found that the General Medical Council (GMC) was wrong to allow the release of a report into the conduct of a GP to his patient, as the GMC had failed to take adequate account of the explicit refusal of the GP to such release and the fact that the patient had requested the document primarily for the purposes of litigation.

Not so Safe Harbor – a year on Schrems is still litigating and the Privacy Shield gathers momentum

It was around this time last year that the European Court of Justice (ECJ) invalidated the Safe Harbor regime which had permitted EU data controllers to transfer personal data to the US. In addition to bringing the Safe Harbor proceedings, Max Schrems concurrently brought an EU-wide consumer ‘class action’ before the Austrian Courts as well as a challenge to the validity of the ‘Standard Contractual Clauses’, another EU mechanism used to govern extra-European data transfers, before the Irish Courts.

The question of validity of the Standard Contractual Clauses has already been referred to the ECJ and now Austria’s High Court has also referred the consumer class-action. The ECJ is to determine whether the claimant, Max Schrems, who it is argued used Facebook only as an activist and not as a consumer, has standing to bring the claim in the Austrian courts and whether as a consumer he can bring claims on behalf of others.

The US-EU Privacy Shield, Safe Harbor’s successor, has now been up and running for over two months. Hundreds of US companies, including Facebook and Microsoft, have now signed up.

Cautionary reminder about third party direct marketing lists

Intelligent Lending Limited (trading as Ocean Finance) and Rainbow (UK) Limited were fined £130,000 and £20,000 respectively for sending marketing text messages without the necessary consents required by the Privacy and Electronic Communications Regulations 2003 (PECR).

Ocean Finance and Rainbow both demonstrated that they had received the marketing lists under contracts with third parties and provided evidence that the subjects of the data lists had opted in to receive electronic marketing from ‘third parties’. However, the ICO re-emphasised the high threshold of ‘consent’ required by PECR for electronic marketing and stressed that ‘indirect, or third party, consent can be valid but only if it is clear and specific enough’. The ICO stressed that consent to receive electronic marketing ‘from third parties’ (rather than from named third parties) did not satisfy the clear and specific ‘consent’ required by PECR.

These two decisions serve as another reminder of the risks associated with purchasing third party marketing lists. Are you sure that the consent language used is sufficient?

Word from the new ICO on Brexit

The UK’s new Information Commissioner, Elizabeth Denham, stated that preparations for the arrival of the General Data Protection Regulation in May 2018 should not be put on hold as a result of the referendum vote earlier this year. She appears to have indicated a preference for a post-Brexit UK governed by laws akin to the GDPR, stating that “bottom line I don’t think that Brexit should mean Brexit when it comes to standards of data protection.” UK businesses should prepare for a GDPR future. The GDPR, or something very similar to it, is likely to form the cornerstone of UK data protection law for the near future.

ICO launches new code on Privacy Notices

The ICO has issued a new code of practice on Privacy Notices. The guidance focuses on the importance of transparency and providing accessible information to individuals. The ICO encourages businesses to use different techniques to better present privacy information.

Lessons learnt from recent ICO enforcement

  • Failure to notify: Triforce Recruitment Ltd was prosecuted for committing an offence of failing to notify under s17 Data Protection Act 1998. The company was fined £5,000 and ordered to pay costs of £489.86 and a victim surcharge of £120. This is another example of DPA notification obligations continuing to be enforced by the ICO notwithstanding the fact that they will no longer be a necessity when the GDPR comes into force in May 2018.

(…)
