Top 5 data protection stories in 2021
Welcome to the December issue of In Perspective. The General Data Protection Regulation (GDPR), which became applicable in May 2018, prompted many firms to bring their internal policies and procedures into line with it. Its fundamental principles remain as relevant today, yet many firms continue to be investigated, and fined, for data breaches and other compliance failures.
In the final issue for this year, Samad Miah, Group Privacy Officer at Shearwater Group plc and Data Protection Consultant at Xcina Consulting, shares the top five stories that dominated data protection headlines through the year.
1. Smart doorbell and security cameras found to breach a neighbour's privacy
- The defendant had installed security cameras and a smart doorbell at their house.
- The smart doorbell was able to record both audio and video of the claimant's house and garden.
- The claimant argued that the installation of these security devices infringed data protection law and amounted to harassment.
- The judge upheld these claims, stating that the devices "unjustifiably invaded" the privacy of a neighbour.
- The defendant now faces a potentially significant award of damages.
Why it matters
- Article 2(2)(c) of the UK GDPR states that data protection law does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (the 'household exemption').
- An example could be someone taking pictures of family members and sharing these with their friends on a social media platform.
- However, in the case of domestic CCTV systems, this exemption only applies to the person’s own private property and garden and not outside the property boundary e.g. public footpaths and shared spaces.
2. Lloyd v Google: the Supreme Court rejects 'loss of control' damages in a representative action
- From August 2011 to February 2012, Google is alleged to have placed tracking cookies on Apple iPhones by bypassing the default privacy settings of the device's Safari web browser (the 'Safari Workaround').
- This allowed Google to track these iPhone users across websites and to collect information about their internet usage and browsing habits.
- Mr Lloyd issued a representative claim for damages for breach of the Data Protection Act 1998 on behalf of himself and all those allegedly affected by the Safari Workaround. A claim brought in this way, by one person on behalf of everyone who shares the same interest, is known as a representative action.
- Mr Lloyd argued that the affected individuals could claim damages for ‘loss of control’ over their data, uniformly, without the need for individual assessments of damages.
- Google argued that the conditions of a representative action had not been established because the affected individuals had varying entitlements to damages and ‘loss of control’ damages were not available in English law.
- Mr Lloyd lost in the High Court, won in the Court of Appeal and has now lost in the Supreme Court.
Why it matters
- The Supreme Court found that a claim for damages for the unlawful processing of data under the Data Protection Act 1998 requires proof of damage in the form of either material damage (such as financial loss) or mental distress. The unlawful processing itself, or a 'loss of control' over the data, is not enough.
- The court also held that the extent of the unlawful processing in each individual's case would have to be examined in order to show that the damage suffered was more than trivial (and therefore capable of attracting compensation). That individual assessment is not possible in a representative action.
- Whilst privacy campaigners may be frustrated by this decision, data controllers can breathe a sigh of relief after hearing the court's reasoning. The threat of a costly representative action following a personal data breach is, for now, not on the horizon.
- This case serves as an important reminder that, to claim compensation for a personal data breach, proof of material damage or distress must be shown, and that damage must be more than trivial. The contravention itself is not enough: the 'cause' must have had an 'effect'.
3. Amazon fined a record €746 million
- In July this year, Amazon was fined a record €746 million (around $865 million) by the Luxembourg data protection regulator for non-compliance with the GDPR, particularly in relation to the way the business processes personal data.
- Amazon has since appealed; the appeal was filed at the Luxembourg Administrative Tribunal a couple of weeks ago.
- Amazon continues to receive a significant amount of scrutiny over its business practices in Europe, with probes also being carried out in Germany and the UK.
Why it matters
- Whilst the full details of the fine have not been disclosed, it is believed that it relates to how the company processes personal data to show customers targeted advertising.
- The ePrivacy rules, applying the GDPR standard of consent, state that placing a cookie or similar technology on a user's device or browser (other than where strictly necessary to provide the service the user asked for) requires consent that is freely given, specific, informed and unambiguous.
4. WhatsApp fined €225 million for transparency failures
- Early in September this year, the Irish data protection regulator fined WhatsApp €225 million.
- The issues that were identified included failures to provide the required privacy information to WhatsApp users and non-users and failures to make privacy information available in an easily accessible form.
- The decision of the Irish data protection regulator reveals a lot about how businesses should comply with the transparency requirements of data protection law, particularly when it comes to compiling privacy notices.
Why it matters
- Privacy notices act as one way in which organisations can inform individuals about what they are doing with their personal data.
- The issues identified by the Irish data protection regulator provide some useful insights for businesses to consider when preparing their privacy notices.
- These include avoiding reliance on 'linked documents', so that the user can access all the required information in one place rather than by piecing it together across different webpages.
- In addition, the purpose of each processing operation, and the lawful basis relied on for it, must be set out at a granular level, operation by operation, rather than as a generic list.
5. UK government consultation on reforming the data protection regime
- In September, the UK government published its consultation paper on proposed reforms to the country's data protection regime.
- Following Brexit, the UK is now free to develop its own data protection laws.
- The consultation paper includes recommendations to replace the requirement for businesses to designate a Data Protection Officer, remove obligations relating to the completion of Data Protection Impact Assessments and introduce a fee regime when responding to a data subject access request.
- Cookies and other similar technologies are also covered within the paper including proposals to permit businesses to use analytics cookies without the user’s consent.
Why it matters
- Many businesses have been working to ensure they have an effective privacy programme in place to achieve accountable data protection practices.
- The changes that are being suggested will compel businesses to, once again, reassess what they are doing and act accordingly.
- Whilst many of the proposals indicate a ‘watering-down’ of current requirements, UK businesses that target and monitor individuals in the EU would still be affected by the EU GDPR.
- The UK's data protection regulator, the ICO, also warned that changes allowing businesses to avoid carrying out a risk assessment (the balancing test) when processing personal data on the basis of legitimate interests would make it harder for individuals to object to such processing.