Data protection: Privacy – recent enforcement highlights
Over the last few months there have been some interesting fines and enforcement notices from the UK Information Commissioner’s Office (“ICO”), which provide some helpful insights into potential administrative fines for breaches of data privacy laws. These come at a time when the European Data Protection Board (“EDPB”) is seeking to ensure continuity of approach across Europe, which could well prove influential for the approach taken by the ICO moving forwards.
Scottish Government and NHS National Services Scotland
This first noteworthy enforcement is close to home and involves the Scottish Government. The ICO has issued a reprimand to the Scottish Government and NHS National Services Scotland relating to their failure to provide clear information about how personal data (including special category health data) is being used by the NHS Scotland COVID status app. The ICO has a corrective power under article 58(2)(b) of the UK GDPR (the General Data Protection Regulation, as adopted into UK law following Brexit), to issue a reprimand to a controller or a processor when their processing operations have infringed provisions of the UK GDPR.
The ICO reviewed the NHS Scotland app and identified concerns about non-compliance with obligations under the UK GDPR to provide fair processing information. Following further investigation, a reprimand was issued due to the following infringements:
- Processing personal data, including special category data, in a manner which was unfair, in breach of article 5(1)(a) (the lawfulness, fairness and transparency principle). This was due to a misleading statement in the app that explicit user consent was relied on as the lawful basis for processing, despite ICO guidance that performance of a public task was the appropriate basis to use.
- Failing to provide clear information about the processing of personal data, in breach of article 12 (the requirement to provide transparent information). The ICO found the app’s information was not straightforward or concise enough.
There was also a requirement from the ICO for the app’s privacy notice to be redrafted “in order to present the information required by article 13 in a concise, transparent, intelligible and easily accessible form, using clear and plain language, as is required by article 12 of the UK GDPR”.
This enforcement serves as a useful reminder: (a) to ensure that privacy notices are clearly drafted and provide appropriate transparency; and (b) that careful consideration should be given to the legal basis for processing and account must be taken of any ICO guidance which would impact this consideration.
Clearview AI
The ICO has fined Clearview AI Inc over £7.5 million for breach of the UK GDPR. Clearview has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms to create an online database, including data from the UK. Access to this database was made available to third parties and the ICO found that people were not informed that their images were being collected or used for facial recognition by Clearview’s customers, including the police.
Clearview provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database. The app then returns a list of images that share similar characteristics with the photo provided by the customer, with a link to the websites from which those images came.
The ICO found that Clearview breached UK GDPR, in particular by:
- failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
- failing to have a lawful reason for collecting people’s information; and
- failing to meet the higher data protection standards required for biometric data (classed as “special category data” under UK GDPR).
The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
This enforcement underscores the importance of ensuring data privacy compliance when handling special category data and in particular facial recognition data.
Marketing calls
The ICO has fined five businesses a total of £405,000 for making unsolicited direct marketing calls in breach of the UK Privacy and Electronic Communications Regulations, which apply to marketing communications.
This followed an investigation which revealed that these organisations had been making calls to sell insurance products or services for white goods and other large household appliances, such as televisions, washing machines and fridges. The recipients of the calls were registered with the Telephone Preference Service (TPS), and the ICO found that the businesses responsible had been deliberately targeting older people by buying marketing data lists from third parties, specifically asking for personal information about people aged 60 plus with landline numbers.
The Information Commissioner has been clear that the distress and anxiety caused by unlawful predatory marketing calls made to some of the most vulnerable people in the UK is unacceptable and warned that organisations responsible for such calls can expect tough action from the ICO.
Fines and enforcement notices were issued against the companies for making unlawful marketing calls to people registered with the TPS. Whilst the fines were not at the headline-grabbing level of Clearview, in three of the matters the fines were £100,000 or greater. The notices provide a clear reminder that such marketing activities will not go unchecked, and that it is important to check whether the marketing target is registered with the TPS.
Tuckers Solicitors LLP
The final enforcement involves a law firm and is a reminder to all firms of the importance of maintaining appropriate data security measures. The ICO imposed a fine of £98,000 on Tuckers for violations of articles 5(1)(f) (the integrity and confidentiality principle) and 32 (the security requirements for processing) of the GDPR. Following a ransomware attack on its archive servers on 24 August 2020, Tuckers submitted a personal data breach notification to the ICO the following day, in which Tuckers outlined that nearly one million individual files were encrypted; of these, 60 court bundles were exfiltrated by the attacker and published on an underground market site. These bundles included a comprehensive set of sensitive personal data, including medical files, witness statements, names, addresses of witnesses and victims, and the alleged crimes of the individuals.
The ICO found that Tuckers failed to put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of their business, resulting in a violation of the principle of integrity and confidentiality under article 5(1)(f) of the GDPR, as well as article 32.
When assessing the adequacy of Tuckers’ technical and organisational measures the ICO highlighted:
- a lack of multi-factor authentication – Tuckers allowed access to its networks using only a single username and password;
- inadequate patch management – which meant that the system had known critical vulnerabilities which were not appropriately addressed; and
- a failure to ensure ongoing confidentiality, integrity, and availability of personal data processed.
In light of these findings, the ICO stated that Tuckers had therefore violated the GDPR. In addition, the ICO found that Tuckers failed to ensure appropriate security through encryption of personal data: it stored archive bundles in unencrypted plain-text format, resulting in a failure to protect the personal data it held against unauthorised and unlawful processing.
As a result, given the seriousness of the breaches, the ICO considered it appropriate to issue a penalty of £98,000. Again, while this may not reflect some of the major penalties seen in recent years, it is a very clear reminder to all law firms of the importance of taking appropriate steps to ensure the security of personal data handled by the firm.
EDPB guidelines
There remains uncertainty around the magnitude of potential penalty notices under the UK GDPR. In Europe, the EDPB has issued guidelines for consultation to assist in providing greater certainty. The guidelines are a step towards harmonising, and providing transparency for, the methodology used by data protection authorities across Europe to calculate administrative fines imposed for breaches of the EU GDPR. They introduce a five-step calculation methodology which includes an approach for dealing with multiple infringements, a starting point for calculations, and guidance towards achieving consistency in taking aggravating or mitigating factors into account. However, the supervisory authorities will also be required to ensure that the penalty meets the EU GDPR requirements of effectiveness, dissuasiveness and proportionality (which is also a current requirement under the UK GDPR). The proposed guidelines are under consultation until late June 2022. It remains to be seen what the final guidelines will be and whether they are followed in the UK, but they should provide further helpful insight and clarity.