Information Security and Data Protection Newsletter - November 2015
Published 1 November 2015
It has been another jam-packed month in the world of data protection. The Safe Harbor fallout continues and on 6 November the European Commission published its guidance in an attempt to provide some certainty to businesses affected by its demise.
The EC has reiterated its commitment to the creation of a "renewed and sound framework", most likely in the form of Safe Harbor 2.0, and has set a three-month target for the conclusion of discussions with the US government. In the meantime, and in line with our advice immediately following the CJEU decision, the EC has reaffirmed the use of alternative transfer methods: Model Clauses, Binding Corporate Rules for intra-group transfers and other methods such as consent. To access the full Communication from the EC, please click here.
With all eyes on Europe and the US, you may not have noticed a significant data protection decision back in the UK: the ICO has issued its first-ever monetary penalty notice for breach of the first principle of the Data Protection Act 1998 (the requirement to process personal data fairly and lawfully).
To date, monetary penalties have predominantly been issued for breaches of security (principle 7) and of the marketing rules in the Privacy and Electronic Communications Regulations. In fact, prior to this month's news, the only other principle that has been the subject of a fine is principle 4, back in 2012, when a financial services firm was fined for holding inaccurate data.
As a further incentive for companies to take a second look at their privacy notices, the Consumer Rights Act 2015, which came into force on 1 October, explicitly covers "consumer notices" with the requirement that they are fair. One test of whether a notice is fair is whether the term causes a significant imbalance in the parties' rights and obligations under the notice to the detriment of the consumer. Detriment is not assessed solely in terms of financial burden, and guidance issued by the Competition and Markets Authority gives the example of a privacy notice which purports to allow the passing on of information held on the consumer more widely than is permitted under the Data Protection Act 1998.
In addition to the threat of ICO action, there is therefore now the risk that the FCA, in the case of regulated financial services companies, or another applicable regulator could take enforcement action and require the offending company to amend the unfair term in the notice.
We would therefore advise all companies to find the time to ensure that their privacy notices and policies are clear, and to be mindful that poorly worded and hidden "opt out" boxes do not enable informed consent and could result in enforcement action.