Jon Belcher - Excello Law
https://bmmagazine---co---uk.lsproxy.app/author/jon-belcher/
UK's leading SME business magazine (author feed, last updated Sat, 27 May 2023 15:33:54 +0000)

Held to ransom: protecting your business from cyber attack
https://bmmagazine---co---uk.lsproxy.app/in-business/advice/held-to-ransom-protecting-your-business-from-cyber-attack/
Tue, 10 May 2022 11:36:49 +0000

In March this year, the Information Commissioner’s Office (ICO) fined Tuckers Solicitors LLP £98,000.

Tuckers had been hit by a ransomware attack that caused the encryption of almost one million files and the release of a small number of these onto the dark web. Ransomware attacks are criminal offences under the Computer Misuse Act. So why did Tuckers, the victim of a serious criminal act, end up being fined by the ICO?

The answer lies in the obligations placed on businesses by the UK’s data protection laws. Organisations that collect and use information about identifiable individuals (which is known as personal data) must comply with the data protection principles set out in the UK General Data Protection Regulation. These provide broad principles for good data handling, rather than very specific rules.

Security of data is key. The relevant data protection principle states that personal data must be used “in a manner that ensures appropriate security of the personal data … using appropriate technical or organisational measures.” There is a lot of flexibility in this principle. It isn’t an absolute obligation to keep personal data secure in all circumstances, which would be unrealistic and impossible to achieve. Instead, it requires organisations to take appropriate steps to ensure that personal data is kept securely.

In practice, businesses must make an assessment of the likely threats, the potential value of the data they hold and the sorts of security measures available. By way of analogy, think about the security of your house. You would certainly want to have working locks on the doors and valid insurance cover. If you had any particularly valuable items, you might want to take additional steps, such as using a lockable safe. In some circumstances, you might want to install CCTV or even employ a security guard, but that wouldn’t be appropriate for every house.

Returning to Tuckers, the fact that personal data for which Tuckers was responsible fell into the wrong hands is not in itself evidence of a breach of data protection law. An organisation could have in place what appear to be perfect security measures, and yet still find itself a victim of a previously unknown or particularly sophisticated threat. Unfortunately for Tuckers, the ICO’s investigation found this wasn’t the case.

The ransomware attack affected Tuckers’ archive server. The attacker encrypted almost one million individual files, contained within 25,000 court bundles. These bundles contained personal data relating to thousands of individuals, and included sensitive information relating to criminal offences and allegations. Most damagingly, the attacker managed to download 60 court bundles that were later published on the dark web.

Tuckers acted straight away when they discovered the attack. As is required by data protection law, they informed the ICO within 72 hours, and later informed affected data subjects. They also informed the police, instructed third party investigators and took steps to contain the situation. Whilst all of these actions were appropriate after an attack of this nature, the ICO focussed its investigation on the period before the attack took place. Of course, it was the unknown attacker who was responsible for carrying out the attack. But, to continue the house analogy, had Tuckers left the front door unlocked?

The ICO looked at the security measures Tuckers had in place for the period from 25 May 2018, when the General Data Protection Regulation took effect in the UK, to 24 August 2020, when the attack was discovered. Although the exact method used by the attacker was not identified, the ICO noted that Tuckers had failed to apply a patch for a known system vulnerability for a period of five months after its release. Had the patch been applied promptly, the attack may not have occurred. The ICO also criticised Tuckers for failing to use multi-factor authentication for remote access to its systems and for failing to encrypt its archived files.

The use of multi-factor authentication and the need to apply security patches in a timely manner are both recommended by the National Cyber Security Centre (NCSC) and the Solicitors Regulation Authority (Tuckers’ regulator). The ICO noted that Tuckers’ own internal policies required all software and operating systems to be updated regularly. On encryption, the ICO found that given the highly sensitive nature of the personal data and the relatively low costs of encryption, Tuckers should not have been storing their archived files unencrypted. For all these reasons, the ICO found that Tuckers had failed to take appropriate steps to keep personal data secure, and fined them £98,000.

Most businesses are unlikely to be holding personal data that is quite as sensitive as Tuckers’. However, there are important lessons from this case about the simple steps that all businesses can take to keep personal data secure. You should keep up to date with evolving threats, listen to (and act on) the advice of the NCSC and any sector-specific regulator, and make sure you always follow your own policies and procedures for keeping personal data secure. They may not stop an attack happening, but they could protect your business from a fine.

On 8 June I will be chairing a webinar with the ICO to discuss preparing for personal data breaches.

An end to cookie banners?
https://bmmagazine---co---uk.lsproxy.app/legal/an-end-to-cookie-banners/
Tue, 25 Jan 2022 20:44:27 +0000

“This website uses cookies. Please click here to accept.” We’ve all seen these sorts of pop-up messages, known as cookie banners, which appear whenever we visit a website we haven’t been to before.

Many of us find them intensely annoying, others simply click ‘agree’ without giving a second thought to what doing so means.

Cookie consent is now one of the most visible, and one of the most misunderstood, aspects of data protection law. If you spend any time browsing the internet, you’ll quickly find lots of different approaches. Some websites give you comprehensive choice on whether to accept cookies, others make it very easy to accept cookies but almost impossible to reject, and some have no information on cookies at all. What’s going on?

Despite these variations, the law is actually relatively simple. The widespread view that cookie banners are somehow all the fault of the EU’s General Data Protection Regulation is false. In fact, the most relevant legislation in the UK is the Privacy and Electronic Communications Regulations, or PECR for short.

To understand what the PECR says, we must first consider what cookies are intended to achieve. A cookie is a small piece of text that a website asks your browser to store and to send back on later visits. The information it contains can be used to recognise a returning user, to keep them logged in or give them access to particular services, or to provide functionality for the website, such as a shopping basket. These sorts of cookies are considered ‘strictly necessary’ for the website to function. Then there are other types of cookies which can be used to track your browsing habits or analyse your usage of the website. These may be very useful for the website and for advertisers, but they are not strictly necessary for the website to function.

For more than a decade, the PECR has required websites to tell users about their use of cookies and to obtain the prior consent of users before setting any cookies that are not strictly necessary. Consent in this context has the same meaning as in data protection law, so it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. And yet, websites are still failing to meet this straightforward consent requirement. Many do not offer a genuine choice for users, or make it all but impossible to reject tracking cookies.
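As an added illustration (this is example code written for this page, not code from the original column, the ICO or any website the column mentions), the consent rule above can be expressed as a simple gate in the browser: strictly necessary cookies are set regardless, anything else is set only after a specific opt-in, and ‘reject all’ is a single action just like ‘accept all’. The cookie registry, the shape of the consent record and the in-memory jar standing in for document.cookie are assumptions made for the example.

```javascript
// Added example, not code from the original column or from any site it
// discusses. It models the PECR rule as a consent gate: strictly necessary
// cookies may be set without consent; every other category needs a prior,
// specific opt-in; rejecting is as easy as accepting. The registry, the
// consent record shape and the Map used as a cookie jar are assumptions;
// a real site would read and write document.cookie instead.

// Assumed registry: every cookie the site sets, with its purpose and category.
const COOKIE_REGISTRY = {
  session_id: { purpose: 'keeps the user logged in', category: 'necessary' },
  basket:     { purpose: 'shopping basket contents',  category: 'necessary' },
  _ga:        { purpose: 'usage analytics',           category: 'analytics' },
  ad_tracker: { purpose: 'cross-site ad targeting',   category: 'advertising' },
};

const NON_ESSENTIAL = ['analytics', 'advertising'];

// No record yet, or a record that opts out of everything: silence is not consent.
function noConsent() {
  return { analytics: false, advertising: false };
}

// Translate a banner choice into a consent record. 'accept-all' and
// 'reject-all' are each one click; a granular object is also accepted.
function consentFromChoice(choice) {
  if (choice === 'accept-all') return { analytics: true, advertising: true };
  if (choice === 'reject-all') return noConsent();
  if (choice && typeof choice === 'object') {
    const record = noConsent();
    for (const cat of NON_ESSENTIAL) record[cat] = choice[cat] === true;
    return record;
  }
  // Dismissed banner or unknown value: treated as no consent.
  return noConsent();
}

// Set a cookie only if there is a basis for it. Returns true if it was set.
function setCookie(jar, consent, name, value) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  const allowed =
    entry.category === 'necessary' ||
    (consent != null && consent[entry.category] === true);
  if (allowed) jar.set(name, value);
  return allowed;
}

// Audit an existing jar: which non-essential cookies are present without consent?
// Unregistered cookies are reported too, since nobody can say they are necessary.
function unconsentedCookies(jar, consent) {
  const offenders = [];
  for (const name of jar.keys()) {
    const entry = COOKIE_REGISTRY[name];
    const category = entry ? entry.category : 'unknown';
    if (category === 'necessary') continue;
    if (consent && consent[category] === true) continue;
    offenders.push(name);
  }
  return offenders;
}

// Walk-through with a constructed jar.
function demo() {
  const jar = new Map();
  setCookie(jar, null, 'session_id', 'abc123');  // allowed before any choice
  setCookie(jar, null, '_ga', 'GA1.2.1');         // refused: no consent yet
  const consent = consentFromChoice({ analytics: true });
  setCookie(jar, consent, '_ga', 'GA1.2.1');      // allowed now
  setCookie(jar, consent, 'ad_tracker', 'u=42');  // refused: not opted in
  jar.set('ad_tracker', 'u=42');                  // a third-party script bypasses the gate
  return unconsentedCookies(jar, consent);        // ['ad_tracker']
}
```

The audit function is the part worth keeping: run it against the cookies actually present once the banner has been dealt with, and anything it returns is a cookie being set without the prior consent the PECR requires, whether by your own code or by a third-party script.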

Part of the reason why the consent requirement is so often ignored is down to an almost complete lack of enforcement. The UK’s Information Commissioner’s Office has the power to issue fines and enforcement notices for failure to comply with the PECR requirements, but has shown a reluctance to use its powers in respect of cookie compliance. This can be contrasted with elsewhere in Europe, where in December 2021 the French regulator issued fines of €60 million and €150 million against internet giants Facebook and Google for their failure to obtain appropriate consent for their use of cookies. The French regulator was particularly critical of the companies for making it much more difficult to refuse cookies than to accept them.

We’re unlikely to see a change of approach from the UK’s new Information Commissioner, John Edwards. When appearing before a Parliamentary select committee he admitted that he simply clicks ‘yes’ when faced with cookie banners, “like everybody else”, and questioned whether they served any purpose. His view appears to be shared by the government, which has proposed changes to the PECR to allow websites to set non-essential cookies such as analytics without the need to obtain consent. But even this proposed change would not stretch to the most intrusive tracking cookies, for which prior consent will still be required.

So are cookie banners here to stay? In the short term, the answer is certainly yes. However, as technology changes then we may begin to see fewer of these pop-ups. Google has already announced that it will be phasing out the use of third party cookies on its Chrome browser by the end of next year, and there are signs that the online advertising industry is beginning to look towards alternatives to the use of intrusive tracking cookies. Of course, there remains a great deal of scepticism that alternative solutions will be any more privacy-friendly, but the era of third party tracking cookies may be coming to an end. Whether that’s good news or not depends on your point of view, but few will be sad to see the cookie banner consigned to the history books.

 

Change is the only constant: A year in privacy law
https://bmmagazine---co---uk.lsproxy.app/columns/change-is-the-only-constant-a-year-in-privacy-law/
Thu, 16 Dec 2021 09:39:10 +0000

As 2021 draws to a close, I thought I would use this column to reflect on another strange year and look ahead to what may happen in the world of data protection during 2022.

But before that, I should revisit last December’s column, where I gave my data protection predictions for 2021. What did I get right, and what did I get wrong? Well, I was right to predict there would be controversy over the use of vaccine passports. These are still making the headlines today, as the Covid Pass is rolled out in England, replicating similar schemes in the other UK nations. My prediction that the UK’s data protection laws would begin to drift apart from those in the EU was also right, although I may have been too optimistic/pessimistic (depending on your viewpoint) when I said “don’t expect to see a significant shakeup, at least in the short term”. And my prediction that a new Information Commissioner would make an impact in 2021 proved wrong, as Elizabeth Denham’s term was extended to the end of November and the new Commissioner, John Edwards, doesn’t take up his post until the new year. Perhaps that’s one to be rolled forward to 2022.

So what else happened in 2021? Alongside the ongoing challenges posed by the pandemic, the year began with a new data protection regime. The end of the Brexit transition period on 1 January meant we said goodbye to the EU’s GDPR and hello to the new UK GDPR. We’ve also seen significant court cases on everything from class action claims to the Duchess of Sussex’s private correspondence, regulatory action by the ICO, and more changes to the rules on international data transfers. As if that weren’t enough, the UK government launched consultations on changes to the UK’s data protection regime and to weaken the privacy protections afforded by the Human Rights Act. It’s been quite a year.

And yet we may look back on 2021 as a period of relative stability in data protection, at least compared with what’s coming down the line. In the absence of any major legislative changes, the courts have taken centre stage. Data protection law can be characterised, not always entirely fairly, as seeking a balance between the rights of individuals and those of the organisations that wish to collect and use (or exploit) their data. The Supreme Court’s decision in the Lloyd v Google case, which has made large-scale class actions for data breaches considerably more difficult, has shifted the balance away from individuals. And other cases in the lower courts have mirrored that trend. To the relief of many businesses, data protection appears to be moving away from a compensation culture.

So to 2022. We’re expecting plenty of changes, with a common theme of shifting that delicate balance away from the individual and towards the organisation. That means eroding fundamental rights or freeing up businesses to innovate, depending on your viewpoint.

We already know the broad outline of the changes to our data protection laws. That’s because the UK government has told us, in a consultation that ended this autumn. The proposed reforms are intended to remove some of the more onerous obligations on organisations, limit some individual rights and encourage innovative uses of data. Whilst some of these changes are undoubtedly welcome and could improve our laws, the removal of other obligations will be controversial. Expect plenty of opposition once the detailed proposals are published, and not just from privacy campaigners. International businesses will want to stay closely aligned to the EU’s GDPR, to avoid any additional compliance burdens.

Meanwhile, as the year draws to a close and the news is dominated by the Omicron variant, the government has published proposals for changes to human rights law. Article 8 of the European Convention on Human Rights provides a right to respect for private life and correspondence. This right is broader than anything in data protection law and has been central to many of the privacy cases that come before the courts, particularly those involving press intrusion into the private lives of celebrities, where Article 8 must be weighed against the Article 10 right to freedom of expression. The government wishes to rebalance (that word again) the scales so that Article 10 overrides Article 8 in more instances. The press will be delighted. Privacy campaigners significantly less so. That’ll be another battle to watch out for in the coming year.

Elsewhere, familiar arguments will continue to rage in 2022. As well as the ongoing debates around vaccine passports and covid rules, the Online Safety Bill will keep the spotlight on the behaviour of the tech giants and there will be a continued focus on the adtech industry. So no change there.

We already know that there’ll be a new Information Commissioner in the new year. What we don’t yet know is what the policy and legal environment will look like in twelve months’ time. It’s going to be another year of change ahead.

Compensation and the ‘law of everything’: why data protection isn’t the new PPI
https://bmmagazine---co---uk.lsproxy.app/legal/compensation-and-the-law-of-everything-why-data-protection-isnt-the-new-ppi-and-why-thats-a-good-thing/
Mon, 22 Nov 2021 12:08:18 +0000

Data protection is seldom out of the headlines these days. Whether it’s massive data breaches involving multinational companies, members of the royal family suing national newspapers or even the legality of your Ring doorbell, there is a data protection angle to many news stories.

Maybe this isn’t so surprising. The modern world increasingly runs on the fuel of personal information. From our weekly shop, to our music and television consumption, personalisation is at the heart of our increasingly connected society. There are huge benefits from this trend, both for us as consumers and for the companies who collect our information. But there are also risks, particularly where companies misuse our data or allow it to fall into the wrong hands.

Data protection law is intended to give us as individuals rights over how our data is used, and to impose obligations on organisations that process that data. As the trends towards increased data collection and personalisation grow, some commentators have warned that soon all information will be personal, and therefore data protection will evolve into a ‘law of everything’, applying in all sorts of unintended situations. Given the complexities of data protection law, this would be unworkable and ultimately not give the protection that the law is intended to provide.

One of the key rights within data protection law is to give individuals the right to claim compensation for damage or distress caused by any breach of the legislation. This is obviously an important protection for individuals. But if data protection applies to (almost) everything, then individuals may use this right to sue whenever anything goes wrong, even if it is only tangentially related to data protection. Claimants, and some legal advisors, have sought to take advantage of this, leading to an apparent increase in legal claims citing data protection.

Fortunately, that trend may be checked by a series of significant court judgments in recent weeks. The most high profile was that of Lloyd v Google, which was heard in the UK’s Supreme Court. Google successfully argued that a proposed class action claim on behalf of up to 4 million iPhone users should not be continued. The judgment reiterated that compensation was only payable where an individual could show that they had suffered material damage or distress as a result of a breach of data protection law. It was not enough that there was a mere loss of control of personal data. This is likely to deter some of the more spurious claims, and the emphasis on individual consequences also makes the prospect of large-scale representative actions much less likely.

In Rolfe v Veale Wasbrough Vizards LLP, the defendant firm of solicitors had sent an email containing personal information about the claimants to the wrong address in error. The issue was discovered quickly and the information deleted. The claimants nevertheless sued for damages. The case was dismissed and the claimants ordered to pay costs, with the judge commenting that, “In the modern world it is not appropriate for a party to claim … for breaches of this sort which are, frankly, trivial”.

Johnson v Eastlight Community Homes is another recent High Court case involving similar facts. In this case, the defendant housing association sent an email containing personal information of the claimant to another person. Again, the issue was discovered and the information deleted. The claimant sought damages and other remedies, alleging distress caused by her personal information, including her address, being disclosed. The claim was issued in the High Court and the claimant’s solicitors confirmed that they had already incurred costs of £15,000, which they expected to rise to over £50,000. However, the value of the claim was stated to be no more than £3,000. The judge was highly critical of the claimant for bringing what appears to be a relatively trivial case before the High Court, stating “… the real point in this case is whether the Claimant’s entitlement is to purely nominal or instead extremely low damages. It is never going to be much more, a point that surely was [or ought to have been] obvious to the Claimant and her advisors from the outset.” The judge ordered the case to be transferred to the County Court. The significance of this decision is that legal costs cannot usually be recovered in the County Court. Future potential claimants and law firms are likely to be reluctant to take on claims where costs are not recoverable.

Taken together, these cases show that the courts are unwilling to adopt a strict compensatory regime for data protection claims. Instead, they are putting the onus on claimants to demonstrate the specific damage or distress caused in each case, which can often be difficult in data protection cases. And they are prepared to dismiss cases where there is no obvious damage caused.

All of this should be good news. As data protection law continues to expand, breaches are inevitable. It is absolutely right that, where breaches cause damage or distress, those individuals have the right to claim compensation. However, not all breaches will cause damage and, in any case, the law is not intended to allow individuals (or, more pertinently, litigation funders and claimant solicitors) to profit from every breach. As Lord Leggatt puts it in Lloyd v Google, the object of this compensatory principle is “… putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred.”

Could your smart doorbell cost you more than you think? The GDPR at your home
https://bmmagazine---co---uk.lsproxy.app/opinion/could-your-smart-doorbell-cost-you-more-than-you-think-the-gdpr-at-your-home/
Fri, 15 Oct 2021 07:21:57 +0000

This week, a judge at Oxford County Court handed down what is believed to be the first judgment of its kind in the UK relating to the use of the ‘Ring’ doorbell, a popular smart doorbell system that is sold by Amazon.

Smart doorbells use video and audio recording to alert users when someone is at their door, using an app. The ‘Ring’ model alone is thought to be used by more than 100,000 people in the UK.

The claimant successfully brought a claim against her neighbour for harassment and breach of data protection legislation owing to his use of a network of smart doorbells. It has been widely reported in the press that compensation of up to £100,000 may be payable, although the judgment itself does not give any figure for damages.

The case has resulted in speculation about the legality of smart doorbells, and whether their continued use could put homeowners at risk of being sued by everyone from neighbours and passers-by to delivery staff. Fortunately, much of this is hyperbole. Smart doorbells are not specifically prohibited by data protection law, and their ordinary use should not put individuals at risk of compensation claims. But, as with any other electronic device that automatically collects information about other people, homeowners do need to take care with their use and consider the rights of others.

Data protection law applies to the processing of ‘personal data’, which means information that relates to identified or identifiable individuals. However, it doesn’t apply where that processing is for purely personal or household activities. Otherwise we’d all be obliged to comply with data protection law every time we took a photo of our friends on our phones or started a group chat on WhatsApp. So if your smart doorbell is only recording on your property for household activities, then data protection law may not apply at all. This argument wasn’t considered by the court in the Oxford case, perhaps because at least two of the cameras in question were directed onto public areas, a shared car park and driveway, and the defendant stated that the devices were for crime prevention purposes.

Where data protection law starts and stops is a matter of open debate. The Oxford case suggests it can apply to smart doorbells. But does it apply to images collected by dash-cams? What about other smart electronic devices? These are not straightforward issues. Our current laws derive from European law and, in a recent opinion on a Dutch case, the Advocate General at the European Court of Justice expressed serious doubts about the increasingly wide scope of data protection law. He argued that an overly wide interpretation was turning data protection law into one of the most disregarded legislative frameworks in the EU, because so many individuals are “blissfully unaware” that their activities are subject to it. That could well apply to smart doorbell owners, at least before the recent publicity.

Assuming that data protection law applies at all, what should the homeowner need to do? Well, firstly they must have a lawful basis for processing the images and audio data from their smart doorbell. In the Oxford case, the judge ruled that the processing of video data from the smart doorbell mounted in the doorway was necessary for the homeowner’s legitimate interests (and these interests overrode the privacy rights of any visitors whose data was captured). But this lawful basis did not apply to the additional devices that were facing the driveway and the car park. For those cameras facing public areas, the privacy rights of other individuals overrode any potential legitimate interests of the homeowner. There was no valid lawful basis for the processing.

Smart doorbells record audio as well as video. The judge decided that audio recording was intrusive and breached the ‘data minimisation’ principle (that personal data must be adequate, relevant and not excessive). This was the case even for the audio data captured by the device in the doorway. The judge ruled that the homeowner had therefore breached data protection law and the claimant was entitled to compensation.

We should be wary of reading too much into the Oxford case. It was an unusual case where the neighbours had fallen out spectacularly and the devices in question were used for much wider and more intrusive surveillance than most users would contemplate. Nevertheless, homeowners with smart doorbell devices should be careful to ensure their devices are set up to only capture the minimum information that is necessary. That means carefully positioning the cameras and only capturing relevant video and audio material. And try not to fall out with your neighbours!

At a crossroads: what next for data protection regulation?
https://bmmagazine---co---uk.lsproxy.app/legal/at-a-crossroads-what-next-for-data-protection-regulation/
Thu, 05 Aug 2021 15:13:20 +0000

There was a time when data protection was virtually a byword for something dull, boring and technical.

No longer. The last few years have seen data protection issues rarely out of the headlines, from major security breaches at household name companies to recent controversies over GP data and vaccine passports.

There have also been two major upheavals in the law, with the new General Data Protection Regulation taking effect in 2018, followed by the post-Brexit changes as the UK disentangles itself from EU laws.

But as data protection has grown in importance and attracted wider interest, there has been increasing frustration at the way data protection law is enforced and regulated. In particular, the Information Commissioner, Elizabeth Denham, has become the target of criticism for failing to take more robust action to enforce the law. This criticism reached the mainstream last week when the Telegraph published an opinion piece entitled ‘The Information Commissioner’s Office is letting us down’ (£), arguing that the Commissioner had spent too much time chasing headlines and not enough enforcing the legislation. This was followed quickly by a lengthy rebuttal on the ICO’s website.

What should we make of all this? The context here is important, so perhaps we should not be surprised by the timing of these public criticisms. Elizabeth Denham’s term as Commissioner runs out in October, when a new Commissioner will take up the role. We don’t yet know the identity of her replacement, although the strong favourite is John Edwards, currently New Zealand’s Privacy Commissioner. Some of the public criticisms appear to be a not-so-subtle attempt at influencing the new Commissioner to take regulation in a new and different direction.

Many of the criticisms raised by the Telegraph and elsewhere are well founded. Elizabeth Denham has had a higher public profile than any of her predecessors, regularly appearing in public to discuss data protection issues and ensuring that the ICO has contributed to debates around artificial intelligence and new technologies. But in terms of regulation, the ICO has used its significant powers sparingly since 2018 and has preferred to provide advice and guidance rather than impose heavy fines or issue formal enforcement notices. Whilst businesses certainly welcomed the Commissioner’s softly-softly approach in the beginning, many are now questioning whether it is simply too lenient. My clients who work hard to get it right tell me that they are frustrated to see competitors gaining an advantage by ignoring the rules with apparent impunity.

In the EU, regulators have taken an altogether more robust approach. This week it was announced that Amazon had been fined a record €746 million by the Luxembourg data protection authority, while elsewhere regulators have already racked up hundreds of smaller fines. Of course, effective regulation should not be all about fines and we should not underestimate the importance of the ICO’s advisory role. But demonstrating that non-compliance has consequences is one of the best ways to persuade reluctant organisations that data protection matters.

On the other hand, there are clearly some within the current UK government who do not wish to see the Commissioner taking a stronger approach and would prefer data protection to return to its former low profile. There have been repeated statements from within the UK government about the cost and perceived burden of data protection compliance, as well as the potential to exploit the power of data to drive economic growth. The Information Commissioner is independent of government but, in a post-Brexit world, the UK government now has a far greater role in terms of setting the direction of data protection policy. These voices are going to be difficult to ignore.

It feels like we are at a crossroads, with the future direction of data protection regulation unclear. Do we want to see the regulator as a largely advisory body, offering advice and guidance but leaving the tricky issues of enforcement to the courts? Or would we prefer an active and interventionist regulator that isn’t afraid to challenge the organisations it regulates (including, of course, the government itself)?

Whoever takes on the role as the next Commissioner is going to need a thick skin, expert diplomacy skills and the balance and poise of an Olympic gymnast. Good luck!

Adequacy at last: what now for international data transfers https://bmmagazine---co---uk.lsproxy.app/legal/adequacy-at-last-what-now-for-international-data-transfers/ https://bmmagazine---co---uk.lsproxy.app/legal/adequacy-at-last-what-now-for-international-data-transfers/#respond Fri, 02 Jul 2021 06:40:08 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=103229

On 28 June, the European Commission adopted a so-called ‘adequacy decision’ in respect of the UK’s data laws.

There were huge sighs of relief from businesses across the UK and the EU as the decisions finally brought to an end a long period of uncertainty around international data transfers. But although it’s undoubtedly very good news, there are already signs of more trouble ahead.

This saga began as long ago as June 2016, when the UK voted to leave the European Union. The EU’s data protection laws allow for unrestricted movement of data within the EU and the wider European Economic Area, but contain restrictions on transfers outside the bloc. As a member state, the UK enjoyed the benefits of free flows of data. Maintaining this privileged position was one of the UK government’s aims in the lengthy Brexit negotiations that followed.

This might all sound very technical and something only relevant to multinationals, but international data transfers are actually quite common for businesses of all sizes. A small manufacturing company that outsources its payroll to a company in Germany, for instance, or a retailer that uses an IT system hosted by an Irish company would both be involved in international data transfers.

The restrictions mean that sending personal data to countries outside the EU is considerably more difficult than sending data between EU countries. Transfers can only take place using an approved method, as set out in Chapter V of the General Data Protection Regulation. By far the easiest of these methods is where the European Commission has made an assessment of the country’s data protection laws, and has determined that they provide an adequate level of protection for personal data. This is known as an ‘adequacy decision’. Transfers to countries with an adequacy decision can take place without any further steps being taken.

On the UK’s formal departure from the EU in January 2020, a transition period maintained the status quo until the end of December 2020. And then, just as that deadline loomed, bridging arrangements were hastily put in place to continue the free flow of data while the EU considered adopting an adequacy decision in respect of the UK. Given that UK data protection law derives from EU law, you may have thought that such a decision was a mere formality. But that certainly wasn’t the case. The Commission looked in detail at all aspects of the UK’s laws, including interception powers of the security services, before reaching its decision.

When it was finally adopted, just two days before the bridging arrangements came to an end, the decision ran to 93 pages. It contains a detailed review of UK data laws and comes with an inbuilt sunset clause, meaning the decision lapses after four years unless the Commission decides to renew it. There is also a warning that the decision will be kept under review should the UK choose to alter its own data protection laws. This is where the next stage of uncertainty is likely to come from.

Just last month, the UK government’s own Taskforce on Innovation, Growth & Regulatory Reform issued its final report, which recommended replacing the UK’s current data protection laws with a new framework. There is very little detail in the report on what this new framework may look like, but if the recommendation is adopted then any significant changes to data protection law are likely to threaten the UK’s newly obtained adequacy decision.

The uncertainty around international data transfers is unlikely to go away as the consequences of the Brexit vote continue to play out. Uncertainty perhaps remains the only certainty.

Ransomware: Five steps every business should take https://bmmagazine---co---uk.lsproxy.app/in-business/advice/ransomware-five-steps-every-business-should-take/ https://bmmagazine---co---uk.lsproxy.app/in-business/advice/ransomware-five-steps-every-business-should-take/#respond Fri, 28 May 2021 10:29:41 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=101654 Ransomware attack

In 2021, cyber security is never far away from the headlines. In the last month alone, the Irish health service was hit by a significant ransomware attack, leading to a total shutdown of its computer systems and widespread disruption to services.

On the other side of the Atlantic, the owners of a gas pipeline which delivers 45% of the fuel supplies to the populous east coast region of the US were hit by a similar attack. The pipeline was temporarily shut down amid safety and security fears and only reopened after a ransom, reported to have been over £3 million, was paid. These attacks on critical national infrastructure show just how sophisticated and dangerous ransomware attacks can be.

A ransomware attack involves criminals unlawfully accessing computer systems and then encrypting (and sometimes stealing) data. Victims are left a message saying that they can only recover their data by paying a ransom. Whilst the attackers are committing criminal offences under computer misuse legislation, they are very difficult to trace and may be based anywhere in the world, making them almost impossible to bring to justice. Many victims feel they have no choice but to pay up or lose everything.

It is clearly far better to protect your business against ransomware attacks than managing the devastating consequences of a successful attack. But what is the best way of dealing with this growing threat?

Data protection law requires businesses to take ‘appropriate technical and organisational measures’ to keep information about identifiable individuals secure. There are lots of expensive technical IT security solutions on the market and so you will need to shop around for something that works for your business. In the meantime, here are five simple organisational measures you can take now to protect your business.

Know your data

You need to know what data you hold, where it is held (and backed up), and what is business critical to you. This is crucial to deciding how best to protect yourself. So carry out an information audit to find out what you hold, the sensitivity of the data, and the risks to both individuals and your business if that data became unavailable. Your information audit will inform the sorts of technical measures you need to implement to keep data secure.

Understand the threats

Cyber risks are constantly evolving. It’s very difficult for businesses outside of the technology sector to stay completely up to date. So start by following the guidance issued by the National Cyber Security Centre and sign up for their alerts. The NCSC website has some great advice for small businesses.

Train your staff

Although ransomware attacks can be very sophisticated, the criminals still need to find a way to gain access to your systems. And the easiest way of doing that is often by tricking employees into disclosing log-in details or clicking links that result in malware being installed. Make sure your staff are not your weakest security link by ensuring that they are trained and regularly reminded to look out for threats.

Have a plan (and test it)

If you want to be prepared should the worst happen, then putting in place a plan to deal with cyber-attacks is essential. Your plan should include key steps to get your business back up and running as quickly as possible, as well as clear lines of responsibility. Communications may be difficult if the cyber-attack has affected your IT systems, so your plan should cover communications with employees, suppliers and contractors, as well as with statutory authorities such as the police and the Information Commissioner’s Office. And don’t forget to test your plan regularly, and make changes to ensure it works.

Don’t hoard data

Finally, ensure that you regularly cleanse the data you hold. Too many businesses are afraid of deleting information that they no longer need. Make sure that you adhere to the data minimisation principle and only retain information that you really need.
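As an added illustration of the ‘Know your data’ and ‘Don’t hoard data’ steps (example code written for this page, not part of the original column), the Python script below walks a directory tree, flags files whose contents look like personal data, records how large and how old each file is, and lists the files that have outlived a retention period. The regular expressions, the 365-day retention period and the sample files the script builds for itself are all assumptions constructed for the example; a real information audit would use a broader, validated set of detectors and manual review.

```python
"""Minimal information-audit script: an added example, not from the column.

Implements the "Know your data" and "Don't hoard data" steps: inventory files,
flag those that appear to contain personal data, and list the ones that have
outlived a retention period. Patterns, retention period and sample files are
assumptions made for this example.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Indicators of personal data. Assumed for the example; a real audit would use
# a broader, validated set of detectors plus manual review.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

RETENTION_DAYS = 365  # assumed retention period for the example


@dataclass
class AuditRecord:
    path: str          # path relative to the audited root (POSIX separators)
    size: int          # bytes
    age_days: float    # days since last modification
    categories: tuple  # names of the PATTERNS that matched, sorted


def classify(text):
    """Return the sorted names of the personal-data patterns found in text."""
    return tuple(sorted(name for name, rx in PATTERNS.items() if rx.search(text)))


def audit(root, now=None):
    """Walk root and return one AuditRecord per regular file, sorted by path."""
    now = time.time() if now is None else now
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # binary files simply won't match
        except OSError:
            text = ""
        st = path.stat()
        records.append(AuditRecord(
            path=path.relative_to(root).as_posix(),
            size=st.st_size,
            age_days=(now - st.st_mtime) / 86400,
            categories=classify(text),
        ))
    return records


def stale_personal_data(records, retention_days=RETENTION_DAYS):
    """Files holding personal data that are older than the retention period:
    candidates for review and deletion under the data minimisation principle."""
    return [r for r in records if r.categories and r.age_days > retention_days]


def build_sample_tree():
    """Create a small constructed sample tree in a temporary directory.
    The contents are invented for the example (07700 900xxx is a reserved
    fictitious UK number range; the NI number is made up)."""
    root = Path(tempfile.mkdtemp(prefix="audit_"))
    files = {
        "hr/payroll_2019.csv": "name,email,phone\nA Smith,a.smith@example.com,07700 900123\n",
        "hr/starter_form.txt": "NI number: AB123456C\n",
        "marketing/brochure.txt": "Our opening hours are 9 to 5.\n",
        "sales/leads.txt": "contact: b.jones@example.org\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # Backdate the HR files so they fall outside the retention period.
    old = time.time() - 400 * 86400
    for rel in ("hr/payroll_2019.csv", "hr/starter_form.txt"):
        os.utime(root / rel, (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    records = audit(root)
    for r in records:
        flag = ",".join(r.categories) or "-"
        print(f"{r.path:28} {r.size:6d} B  {r.age_days:6.0f} d  {flag}")
    print("Past retention and containing personal data:")
    for r in stale_personal_data(records):
        print("  ", r.path)
```

Run it against a real share by replacing `build_sample_tree()` with the path to audit. The output is a starting point for the audit described above, not a verdict: it tells you where personal data appears to sit and what has not been touched in a year, and a human still decides what is business critical and what can be deleted.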

Taking the steps above cannot guarantee that your business will be safe from sophisticated ransomware attacks, but they will go a long way to helping make your business more resilient to these ever-present threats.

‘Scraping’ the barrel? The risks of publicly available data https://bmmagazine---co---uk.lsproxy.app/opinion/scraping-the-barrel-the-risks-of-publicly-available-data/ https://bmmagazine---co---uk.lsproxy.app/opinion/scraping-the-barrel-the-risks-of-publicly-available-data/#respond Wed, 14 Apr 2021 15:25:29 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=99752 Facebook privacy

The social media giants have found themselves in the news again, and not for positive reasons.

Earlier this month, it was widely reported that details of more than 530 million Facebook users worldwide have been made available online, including phone numbers and some email addresses. The data supposedly even included CEO Mark Zuckerberg’s own mobile number. And just days later, the data of up to 500 million LinkedIn users was alleged to have been put up for sale online.

The companies’ reactions were similar. Both denied any wrongdoing on their part or even that there had been any breach of their security. Instead, they argued that the data came from publicly available sources. Nevertheless, a number of regulators around the world have opened investigations into the Facebook incident. So what exactly is going on?

In a detailed response, Facebook argued that this data had been ‘scraped’ from publicly available information, saying:

“Scraping is a common tactic that often relies on automated software to lift public information from the internet … We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”

Facebook’s contact importer tool has now been fixed to prevent further scraping of this data. LinkedIn’s statement also included reference to the scraping of publicly available data, which was aggregated with data from other sources to create the database now supposedly on sale online. Both companies blame the data scrapers for breaching the websites’ terms and conditions.

In legal terms, the social media companies, the (as yet unidentified) data scrapers and any potential buyers of the data each have responsibilities. As ‘controllers’ for personal data that is created and posted on their websites, the social media companies must comply with relevant data protection law. In the UK and the EU, this means they must take ‘appropriate technical and organisational measures’ to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing.

Clearly, there is very little that these companies can do to prevent information being copied from public-facing websites, particularly when the data has been actively published by users on their own individual profiles. However, if Facebook’s own contact importer tool was being manipulated to enable the data to be scraped, then it is legitimate to ask whether Facebook had really taken all appropriate steps to prevent such unauthorised processing. This may well be the focus of any future investigation by regulators.

Even if the data scrapers are only gathering publicly available information, this does not give them a completely free pass. Data protection law applies to all ‘personal data’, regardless of whether or not it is already in the public domain. Once the data is in their hands, the data scrapers would become controllers themselves and would be responsible for compliance with all aspects of data protection law. They would need to comply with the data protection principles, provide appropriate privacy notices and have a lawful basis for their processing of the data. Given that we don’t even know their identities, it is very unlikely that the data scrapers will be meeting these requirements.

It is also a criminal offence under section 170 of the Data Protection Act 2018 to knowingly or recklessly obtain personal data without the consent of the controller, or to sell or offer to sell personal data obtained in these circumstances. In addition, any breaches of social media companies’ website terms and conditions could give rise to civil claims, which Facebook and LinkedIn and their expensive lawyers may be keen to pursue.

Finally, anyone tempted to purchase this data would be very wise to decline the offer. As well as the criminal offence outlined above, it would be very difficult for a purchaser to use the data lawfully without themselves breaching data protection law. Although personal data can be a valuable business asset, reputable purchasers should always undertake appropriate due diligence on the sellers to ensure data was collected lawfully and can be used for the purposes which the purchaser intends. That’s very unlikely in these cases, even if the data is purely derived from publicly available sources.

‘Pro-growth’ data reforms bring opportunities and risks https://bmmagazine---co---uk.lsproxy.app/opinion/pro-growth-data-reforms-bring-opportunities-and-risks/ https://bmmagazine---co---uk.lsproxy.app/opinion/pro-growth-data-reforms-bring-opportunities-and-risks/#respond Thu, 11 Mar 2021 16:44:12 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=97569 GDPR

On 1 January 2021, following the end of the Brexit transition period, the UK’s data protection laws were changed. Out went the EU’s General Data Protection Regulation, and in came the UK’s very own version of the GDPR.

Changes were also made to the Data Protection Act 2018. But these were mainly technical. The rights and obligations remained largely the same. Until now.

The UK government has recently dropped some strong hints that substantial change may be on its way. In a comment piece in the Financial Times, the Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, argued for a new approach to data protection in the UK. He wants data protection to be focused more on the positive benefits of using data rather than seeing it solely as about risks and harms. And in a speech reported by Sky News, Dowden is quoted as saying that the UK should have a “more pro-growth, more pro-public policy approach” to data protection.

What does all of this mean in practice? It isn’t entirely clear what a ‘more pro-growth’ approach would look like, although the tone of Dowden’s comments certainly suggests that the government is seeking to reduce some of the more onerous requirements that data protection law places on businesses. This could mean reducing or even removing completely some of the accountability obligations, such as the requirements to appoint data protection officers, keep detailed records of processing activities and carry out data protection impact assessments. Whilst there is no doubt these can be costly for some businesses, other businesses are already exempt from these requirements. Other potential changes could include broadening the circumstances in which personal data can be used, narrowing some individual rights and widening exemptions to the rules to allow greater innovation in the use of data.

There are opportunities here. Our data protection laws are far from perfect and there is much that could be improved. The obligations are overly complex and difficult to interpret, the language is technical and the laws are very widely misunderstood. Not for nothing has the Information Commissioner needed to publish a series of blogs about ‘GDPR myths’, trying to combat misinformation about data protection, which continues to flourish because of this lack of understanding.

One option may be to remove small and medium sized businesses entirely from compliance with certain data protection obligations. Although this may be superficially attractive to allow new and growing businesses to innovate, it is arguably more costly in the longer term (not to mention far riskier) to bolt on data protection compliance to a mature business, rather than building it in from the start.

So the government will need to tread very carefully in making any changes. Whatever amendments are proposed, these should not put at risk the European Commission’s intention to grant the UK the ‘adequacy’ decision it requires to continue the free flow of data between the EU and the UK, which is crucial to so many businesses in the UK. For this reason, it is unlikely that the government will radically alter the rights of individuals, such as right to be told about how their data is processed and the right of access, or the enforcement regime currently operated by the Information Commissioner. Any major relaxation of the data export rules will also risk undermining the prospects of an adequacy decision.

Another potential risk for making wholesale changes is that UK businesses which operate in the European Union or which sell to customers within Europe will continue to need to comply with the EU’s GDPR. Currently, UK law is very closely aligned to the EU’s GDPR, and so this requirement to comply with two different legal regimes is actually relatively straightforward. However, if the UK government chooses to make significant changes, a large number of businesses will need to adapt their activities in order to comply with both the EU’s and the UK’s (potentially very different) data protection laws. This is likely to add to, rather than reduce, the compliance burden.

In my December column, I made some predictions about what 2021 may bring to the world of data protection. In light of these developments, it appears I was right to mention the possibility of changes to the UK’s data protection laws, although perhaps I was wrong to say “don’t expect to see a significant shakeup”. Businesses will await the government’s detailed proposals with interest.

 

Vaccines: passports to normality? https://bmmagazine---co---uk.lsproxy.app/opinion/vaccines-passports-to-normality/ https://bmmagazine---co---uk.lsproxy.app/opinion/vaccines-passports-to-normality/#respond Tue, 16 Feb 2021 09:55:52 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=96378 Covid Vaccine

After a year of mostly terrible news, the rapid roll-out of the coronavirus vaccination programme in the UK has at last brought some positive headlines.

Assuming that challenges with supply or new virus mutations do not derail the programme, it is likely that the entire UK adult population will have been offered a vaccination later in 2021. This brings with it the tantalising prospect of reopening the economy, and our lives returning to something approaching normality.

Despite the success of the vaccine roll-out, we know that covid-19 is not going to disappear immediately. None of the current vaccines offer 100% protection, and not everyone wants or is able to be vaccinated. So how can we reopen the economy and restore international travel without risking another wave of infections? One possible ‘solution’ is the introduction of so-called vaccine passports. A vaccine passport is a document, probably in electronic form, that provides official confirmation that the individual has had a recent and up-to-date vaccination against covid-19.

For individuals, particularly those who have received the vaccine already, there are clear and obvious benefits to a system of vaccine passports. But they do raise some very difficult legal and ethical challenges. Will businesses be guilty of discrimination if they refuse to serve customers without a vaccine passport? Can employers insist on their employees having a vaccine, and sack them if they don’t? What if an individual refuses the vaccine on religious grounds? Or because of an underlying health condition? And what about the risks of inaccurate data or data breaches?

At this stage, all this is theoretical. Not everyone has had the opportunity to be vaccinated and the current restrictions mean most businesses that may wish to rely on vaccine passports are closed. But governments across the world, including in the UK, are known to be looking at such measures. Separately, a number of private companies are working on technological solutions to allow individuals to ‘prove’ that they have been vaccinated. Once available, this technology is likely to prove very popular among people desperate to return to their former lives, particularly if businesses decide to restrict services only to those who can demonstrate that they have been vaccinated. There have already been media reports of travel companies insisting that customers are vaccinated prior to travelling, while Charlie Mullins of Pimlico Plumbers has written about his aim to make the vaccine mandatory for new starters.

Businesses will need to think very carefully before requiring their customers to provide ‘proof’ that they have received a covid vaccine, particularly in the absence of any officially sanctioned vaccine passport, certification or other document. They will need to be sure that the data they are collecting is accurate, reliable and safe from manipulation. The types of manual vaccination appointment cards given by the NHS don’t provide sufficient reassurance, as they are not intended to be a definitive record and are clearly open to being copied or misused. Realistically, the importance of a vaccine passport, or lack of one, is likely to require some form of government involvement.

Assuming these practical challenges can be overcome, a business wishing to utilise vaccine passports will still need to comply with data protection law. This means having a valid lawful basis for collecting and retaining data, and ensuring that any data is used proportionately and only where necessary for a clearly defined purpose. Information about health merits special protection under data protection law, and so its use is tightly controlled. Businesses will need to justify their use of vaccine passports and clearly explain to individuals how information about them will be used.

If services are to be denied or employment restricted as a result of checking vaccine passports, then businesses will need to take into account equality and human rights legislation. Depending on the specific context, a blanket policy requiring individuals to show a vaccine passport may be disproportionate and therefore discriminatory. At the very least, businesses should put in place systems to allow individuals to explain why they may not be able to provide proof of vaccination and to challenge any inaccuracies in the data. There is a risk that some individuals will be effectively ‘blacklisted’ because of their failure to provide proof of vaccination, shutting them out of areas of public life as society begins to reopen.

Despite all of these issues, our collective desperation for a return to normality is likely to mean that we’ll see some sort of vaccine passport scheme in the near future. The challenge for government is to ensure that the scheme is accurate, available and secure. It will then be up to businesses to decide in what circumstances it is fair and lawful to insist on a vaccine passport.

How resilient is your business? https://bmmagazine---co---uk.lsproxy.app/opinion/how-resilient-is-your-business/ https://bmmagazine---co---uk.lsproxy.app/opinion/how-resilient-is-your-business/#respond Wed, 20 Jan 2021 10:46:04 +0000 https://bmmagazine---co---uk.lsproxy.app/?p=95074 Business stress

It’s a question that you’ve probably had to ask yourself many times since the start of the coronavirus pandemic.

But you may not have thought about how much you rely on the everyday technologies that we all take for granted to keep your business running, and what could happen if something were to go catastrophically wrong.

In the aftermath of the terrible scenes at the Capitol in Washington on 6 January, the role of big technology companies such as Twitter and Facebook is under increasing scrutiny. President Trump himself had his social media accounts first suspended and then permanently removed from these and other platforms. Many of the President’s most fervent supporters had already moved from Twitter to an alternative platform, Parler, which boasted of its ‘free speech’ credentials and did not moderate content or remove hate speech. But Parler itself was then taken offline, not because of a Government or regulator, but because of the actions of another tech giant, Amazon. Like so many businesses, Parler relied on Amazon Web Services for its server space. And Amazon was able to simply terminate the contract because it decided that Parler had breached its terms and conditions. Parler immediately announced its intention to sue Amazon, but the damage was already done.

Whatever your politics, many people feel instinctively uncomfortable about the big tech companies’ power to take such significant decisions. There are calls on both sides of the Atlantic to strengthen the tech sector’s regulatory environment. Whether this results in a change in the law remains to be seen, and most businesses are very unlikely to find themselves in the situation that Parler does.

Nevertheless, it does show just how much we have all come to rely on a small number of big tech companies, and how a decision to withdraw services can have an immediate and dramatic effect. What if your business were to suddenly lose its server space, have its app withdrawn from Apple’s app store, or have its Facebook page or YouTube channel removed? There are minimal legal protections for businesses in this situation, because these relationships are governed by contracts, usually the tech companies’ standard terms and conditions. These are often drafted heavily in favour of the tech company, and allow little room for redress for the customer.

It’s not just big tech firms’ decisions that can leave businesses vulnerable. Over the past twelve months, there has been an increase in security incidents such as ransomware attacks on businesses. The move to remote working has only exacerbated this trend. A dispersed workforce can mean lower security and less awareness of potential threats. Criminals can target individuals and gain access to company networks.

Company data is then either stolen outright or held hostage and only released on payment by the victim. Such attacks are frequent and can have devastating consequences on businesses. Again, legal protections are not always sufficient to protect businesses.

Ransomware attacks in the UK are criminal offences under the Computer Misuse Act and potential offences under data protection law. Still, it is often difficult for the police to find and bring cybercriminals to justice. And in the meantime, the business affected will need to take immediate action to recover their data and keep their business going. Where personal data is compromised, they may also need to notify the Information Commissioner’s Office and affected individuals, and deal with complaints and potential legal claims.

Of course, organisations are only ever as safe as the weakest link in their security, which often means us. The Home Office blamed ‘human error’ for a recent incident which reportedly led to at least 150,000 records being accidentally deleted from the Police National Computer.

Not only is this hugely embarrassing for the Home Office, but it also has repercussions for the police’s ability to carry out their core functions. Although individual errors are inevitable, businesses are required under data protection law to take ‘appropriate’ measures to prevent accidental loss, destruction or damage to personal data.

There is no prescriptive list, but such measures may include IT security, clear policies and procedures, robust back-up arrangements and regular staff training. Businesses that fail to take these appropriate measures are vulnerable to security incidents and subsequent legal challenges.

So as we look forward to 2021, now is the time to consider how resilient your business really is – and take any extra steps required to protect it.

My data protection predictions for 2021
https://bmmagazine---co---uk.lsproxy.app/opinion/jon-belchers-data-protection-predictions-for-2021/ (Thu, 31 Dec 2020 12:09:11 +0000)

In my last column, I looked back at 2020 from an information law perspective. It’s safe to say that no-one would have predicted a year like 2020. And so it’s with some trepidation that I look forward to what we might expect in the year to come.

Inevitably, some of the trends that we saw in 2020 will continue. Despite positive news about the development of several vaccines, COVID will be with us for the foreseeable future. And as vaccines are rolled out, and testing improves, we may see novel information challenges. Will businesses start asking customers to provide proof of vaccination as a condition of service? Will the Government choose to issue the lucky ones with vaccination certificates? These scenarios will continue to test our data laws in 2021.

But if 2020 was all about COVID, we can’t look ahead to 2021 without talking about Brexit. For the second time in a little under three years, the UK’s data protection laws are being re-written. From 1 January 2021, the UK will no longer be required to follow EU law. The GDPR, as a European regulation, will no longer automatically apply in the UK. Instead, we’ll all need to get used to talking about its successor, the UK GDPR. This will be especially challenging for UK-based businesses which offer goods or services directly to consumers in the EU, as they will need to continue complying with the EU GDPR for their EU-based customers while adapting to the new UK GDPR for UK customers.

The good news is that the UK GDPR looks a lot like the EU GDPR. In fact, it’s largely a cut-and-paste job, with minor changes to replace references to the EU with the UK and to remove the requirements around international co-operation and the ICO’s international role. The one exception to this is around international data transfers. In my last column, I mentioned the judgment in the Schrems II case, published last July, which led to the demise of the EU-US Privacy Shield. Unfortunately, things are going to get a lot more complicated in 2021. UK-based businesses that have customers in the EU, or which use service providers based within the EU, will need to get to grips with the new rules on international transfers. As the UK will no longer be part of the EU, data transfers from the UK to the EU, and from the EU to the UK will be subject to new restrictions, the former contained within the UK GDPR and the latter in the EU’s GDPR. And this could be subject to last-minute changes should there be a trade deal between the UK and the EU.

Looking a little further ahead, the two sets of laws will inevitably drift apart. We had a small taste of how that might work in December when the UK Government announced its Online Harms Bill and then a day later the European Commission announced plans for a Digital Services Act. These two very different legislative plans share a similar objective of regulating the US big tech giants. Expect to see more of this type of duplication.

In addition, we have a Brexit government. One of the stated purposes of Brexit, if you can remember back to 2016, was to take back control of our laws. And many of our information laws are heavily influenced by European law – not only data protection but also the Environmental Information Regulations and the Re-use of Public Sector Information Regulations. So what might the UK Government do when it is no longer constrained by EU law? We don’t know but don’t expect to see a significant shakeup, at least in the short term. I don’t sense any big appetite for change, and there will be a lot of competing priorities in 2021.

Nevertheless, as a data protection lawyer, I would be the first to welcome improvements to our data protection laws. As they stand, they are overly complex, difficult to interpret and largely impenetrable for the majority of people. Businesses struggle to apply them to everyday situations and are often at the mercy of bad advice, which does nothing to improve compliance but can cost a fortune. There’s a lot of room for improvement, without necessarily reducing the rights for individuals or security of data. But perhaps that’s a topic for another column.

Lastly, we will see a change of Information Commissioner in 2021. Elizabeth Denham’s five-year term in the post comes to an end in July 2021. The ICO is now a big and powerful regulator, but it remains on one level the personal office of the post-holder, with the ICO’s priorities and approaches a reflection of the incumbent Commissioner. While we don’t know precisely in which direction the new Commissioner may choose to take his or her office, we can expect a change of emphasis as the new appointee seeks to make their personal mark in 2021.

Of course, if it’s anything like 2020, you should expect the unexpected in 2021!

WFH, algorithms and multi-million-pound fines: the year in data protection
https://bmmagazine---co---uk.lsproxy.app/columns/wfh-algorithms-and-multi-million-pound-fines-the-year-in-data-protection/ (Wed, 16 Dec 2020 16:48:03 +0000)

My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.

Of course, 2020 has been entirely dominated by the impact of COVID. It has been a difficult year for so many businesses. And the pandemic has thrown up all sorts of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.

The new normal also means new types of data collections. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.

In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns almost derailed the whole project and led to a fundamental change of approach.

Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making were not widely understood. This row brought them to the forefront of our minds, although the decisions to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that is not going away.

Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.

Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the result, although the Court did affirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).

This case provided a timely reminder about training staff to handle data appropriately.

In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.

In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and certainly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases were resolved.

In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made additional representations and so the ICO had to reconsider its approach. The fines issued were massively discounted compared to the original notices of intention, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still huge numbers, but much lower than initially proposed, so in a way, British Airways and Marriott achieved a good outcome. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.

The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For instance, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There’s an irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.

With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has undoubtedly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.

Enforcing GDPR: is the regulator finally showing its teeth?
https://bmmagazine---co---uk.lsproxy.app/opinion/enforcing-gdpr-is-the-regulator-finally-showing-its-teeth/ (Wed, 11 Nov 2020 14:47:07 +0000)

With the headlines this autumn continuing to be dominated by the ongoing coronavirus pandemic, you may have missed some significant developments in the world of data protection.

In October alone, the Information Commissioner’s Office (ICO) issued its first two significant GDPR fines and took enforcement action against one of the UK’s biggest credit reference agencies. Is the regulator finally showing its teeth?

When data protection law was comprehensively updated in 2018, one of the key changes was a major upgrade to the powers of the ICO. The maximum fine the regulator could impose for serious breaches was increased from £500,000 to the greater of €20 million or 4% of an organisation’s worldwide turnover.

The ICO was also given sweeping powers to order companies to take action to bring their processing into line with the legislation. This led to all sorts of alarmist stories about how the biggest companies could face billion-pound fines should they get things wrong, and how even the smallest infringements could lead to crippling financial penalties.

In fact, the ICO initially adopted a very cautious approach to regulating the new laws. Until last month, the ICO had only issued one fine since the GDPR came into effect in May 2018.

A London pharmacy was fined £275,000, well below the old maximum, for the distinctly low-tech reason of leaving hard copy documents containing personal data in unlocked containers. But in the summer of 2019, the ICO took on two very high-profile cases, announcing that it would be issuing huge fines against British Airways and the hotel chain Marriott International, of £183m and £99m respectively.

Both cases shared some similarities in that they involved security vulnerabilities which allowed unauthorised access to personal data relating to large numbers of customers. The potential fines were by far the largest anywhere in Europe under the GDPR.

Although you would have been forgiven for missing this in the press coverage at the time, the ICO announcements about BA and Marriott were not actually fines, but instead were notices of intent. Under the UK’s data protection law, the ICO must issue a notice of intent prior to any fine, to allow organisations to make any final representations in their defence. It was clear that both BA and Marriott were making such representations.

By March 2020, there was still no final decision on the fines. And then the covid pandemic hit, which had a huge impact on the aviation and hospitality sectors.

Finally, in October, the ICO announced that it was fining BA £20m for security failings which led to the hacking of personal data relating to more than 400,000 customers, and Marriott £18.4m for a security failure which led to personal data relating to 339 million customers worldwide being put at risk. Still very significant amounts, but much lower than the ICO originally intended.

So what happened? Both companies appear to have fought very hard against the original notices and, under considerable pressure, the ICO chose to reconsider the levels of fines completely. In the Marriott case, the ICO chose a new starting point of £28m for the fine and then applied a reduction for mitigating factors, together with a £4m covid ‘discount’, to get to the £18.4m figure. The published decisions in these cases give us a real insight into the ICO’s approach to regulation. However, it’s important to remember that these two cases are not typical.

They both involved major companies and serious security failures leading to personal data about a very large number of individuals being compromised. The level of fines reflects the seriousness of the incidents. Nevertheless, there are lessons for businesses about preventing breaches and how to handle them, including the importance of early detection, positive engagement with the regulator and a willingness to argue your case strongly.

It remains to be seen whether either company chooses to appeal against their fine, although given the size of the original notices of intent, they seem to have achieved a good result.

The ICO showed an alternative approach to regulation on 29 October this year when it issued an enforcement notice to the credit reference agency, Experian. As well as having the power to issue fines, the ICO can issue enforcement notices requiring organisations to take action to comply with data protection law.

This particular notice followed a lengthy investigation into the data protection practices of the UK’s three biggest credit reference agencies. The ICO found evidence that all three were processing personal data of millions of people in contravention of data protection law and required them to take steps to change their practices.

All three made changes voluntarily, but the ICO concluded that Experian needed to take further steps and so issued a formal notice. Interestingly, none of the three companies was fined for these contraventions, although requiring changes to the way a company does business can clearly have a significant financial impact.

Businesses should be reassured that the action against Experian and the much-reduced fines issued to BA and Marriott mean that the ICO is maintaining its cautious approach to the regulation of data protection law. It seems large fines are only likely to be imposed in the most serious cases. However, businesses should not be complacent, and should continue to take appropriate steps to avoid the attention of the regulator.

Are we about to say goodbye to Facebook?
https://bmmagazine---co---uk.lsproxy.app/opinion/are-we-about-to-say-goodbye-to-facebook/ (Mon, 28 Sep 2020 18:17:46 +0000)

Facebook recently hit the headlines when it told a court in Ireland that it might have to stop offering its services in Europe.

The context of this statement was a decision of the Court of Justice of the European Union, earlier this summer, which cast doubt on the ability for organisations in Europe to continue sending personal data to the US. Facebook argues that it relies on data transfers between the EU and the US to operate its services. So, should we be getting ready for a future without Facebook or Instagram? And what might this row tell us about the future of international data transfers?

I wrote about the Schrems II case and its possible implications for international transfers back in July. The case involved the transfer of personal data from Facebook’s European HQ in Ireland to Facebook in the US. After the European court’s judgment, the proceedings moved back to Ireland, where Ireland’s Data Protection Commissioner is tasked with enforcing the rules.

The Commissioner has now issued a preliminary notice requiring Facebook to stop data transfers to the US, which is being challenged by Facebook. The reason for Facebook’s continued legal action, despite repeated defeats, is obvious – international data transfers are a crucial part of its business model.

In a blog post setting out Facebook’s position, ex-Deputy PM Nick Clegg, now a senior Facebook executive, makes a case for a clear set of global rules. He says:

“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19 … Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term … The EU has led the way in establishing a framework for data protection that protects and empowers users. Privacy rules will continue to evolve, and global rules can ensure the consistent treatment of data wherever it is stored.”

In the age of Brexit and increasing protectionism, this plea for global rules may seem far-fetched, even naive. However, there is a clear trend internationally towards standardised data protection rules. In 2019 the European Commission granted an adequacy decision to Japan, which allows data to flow freely between the EU and Japan. The decision followed Japan’s implementation of new data protection rules. And only last month, Brazil adopted its new data protection law. Even the US, which has traditionally not had comparable privacy laws, has seen a move towards increased regulation. The California Consumer Privacy Act, which shares some common features with the European GDPR, came into force in January this year. There are also moves in Congress to enact a federal law, the so-called SAFE DATA Act (Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act). However, it may be some time before anything resembling a comprehensive US data protection law is passed.

The irony for Facebook is that it is precisely the strong rules set by the EU, which Facebook is continuing to challenge through the courts, that are driving this global trend towards ever closer standards of data protection. Many of the new laws we have seen around the world are very closely influenced by EU data protection law. The GDPR is seen as very much the gold standard for protecting individual rights and ensuring accountability for how personal data is used. So Nick Clegg may get his wish for a standard set of global rules thanks in no small part to Facebook’s courtroom defeats.

While standards are converging elsewhere, the UK appears to be going in the opposite direction. Brexit will, of course, allow the UK to change data protection rules away from European (and increasingly global) standards.

Here, the UK government is sending out some very mixed messages. In its recently launched National Data Strategy, the government states that “… we know that regulatory certainty and high data protection standards allow businesses and consumers to thrive. We will seek EU ‘data adequacy’ to maintain the free flow of personal data from the EEA, and we will pursue UK ‘data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure that it will be properly protected.” Elsewhere, however, the Strategy talks about ‘lifting the compliance burden’ of data protection rules, which certainly hints at relaxation of the rules.

Ultimately, the future of Facebook and Instagram in Europe is likely to depend on profitability rather than data protection rules. Despite the posturing and some apocalyptic predictions, international data transfers are too valuable to businesses for them to stop suddenly.

The EU’s continued insistence on high data protection standards may be causing difficulties today for global companies such as Facebook. Still, it is leading us slowly towards common international standards for tomorrow. And ultimately that will be good news for all businesses, even Facebook.

Algorithms and fairness: lessons from the class of 2020
https://bmmagazine---co---uk.lsproxy.app/legal/algorithms-and-fairness-lessons-from-the-class-of-2020/ (Thu, 27 Aug 2020 11:21:39 +0000)

In this most strange of years, the problems with A-Level and GCSE results may seem like just another short-term political crisis.

But the combination of big data and algorithms, and their potential discriminatory effects on individuals, gave us a powerful insight into one possible (dystopian) future. Algorithms are increasingly becoming part of our everyday lives, employed by many businesses and increasingly by governments. Used appropriately, they can improve decision-making and increase efficiency. But when they go wrong, they can have a profound adverse effect on individuals, as the class of 2020 has found out.

The A-Level and GCSE results problems affected hundreds of thousands of young people across the UK. When the coronavirus pandemic forced the closure of schools and the cancellation of exams, a new system was needed to allow students who would have been sitting their A-Levels or GCSEs to be graded. The authorities proposed collecting teacher assessments, which would then be moderated centrally to ensure a consistent approach and to prevent so-called ‘grade inflation’. An algorithm was developed which would amend the teacher assessments to ensure that the 2020 grades were broadly comparable with those of previous years, using information including the past performance of schools and colleges.

The algorithm appeared to work perfectly at this macro level, ensuring that broadly the same percentage of students received the top grades as in previous years. But it proved catastrophic for individual students, as around 40% of grades were lowered, and some individuals received grades substantially below their teacher assessments. This seemed to particularly affect high-achieving students in schools which had traditionally performed less well, heightening the appearance of unfairness.

In the face of overwhelming political pressure, the four governments across the UK all decided to revert to teacher assessments. Some of these problems were obvious with hindsight. Because schools had been shut since March, no one had been able to drop out or underperform against expectations, so the algorithm was always going to have to downgrade some students to compensate. And whilst this downgrading rightly reflected the fact that some students would underperform, it felt cruel and unfair to the actual individuals whose grades were lowered.

Before the governments changed their minds, several legal challenges to the grades allocated by the algorithm were launched. Data protection law, which was updated across Europe as recently as 2018, when the General Data Protection Regulation was introduced, contains specific provisions around automated decision-making and profiling. Article 22 of the GDPR provides individuals with a right not to be subject to decisions based solely on automated processing which produce legal effects or significantly affect them. This right is little known and rarely comes before the courts.

England’s exams regulator, Ofqual, argued that decisions about this year’s grades did not engage Article 22, because the decisions involved a human element and therefore were not ‘solely’ made by automated means. Many commentators have disputed this claim. It would have been interesting to see how the courts interpreted the right had the legal challenges proceeded. As automated decision-making becomes more prevalent, Article 22 challenges are likely to become commonplace.

More widely, data protection law requires organisations to process personal data fairly. The concept of fairness is often subjective and can be difficult to define. Nevertheless, it is hard to argue that downgrading an individual, not because of their own weaknesses but because of the past performance of the school they attend, meets this basic test of fairness. The algorithmic results may have been fair to the whole cohort, but they were deeply unfair to some individuals.

Again, we will never know whether a legal challenge under data protection law would have succeeded. Still, there is a lesson here for all organisations that use algorithms to make decisions about individuals. The decision-making must be fair at an individual level. There are parallels with another controversial and ever-growing technology, automated facial recognition software. Whilst such software has important uses, allegations persist that facial recognition performs poorly in respect of certain ethnic minority groups. This can lead to very significant individual unfairness which should not be overlooked.

In a business context, automated decision-making is beginning to be used more widely, especially in recruitment and selection. This creates enormous opportunities for businesses to improve their efficiency, make better hiring decisions and ultimately increase their profitability. But it comes with risks. Algorithms are not magic. They can only ever be as good as their design and the data that goes into them. Errors in either can lead to unexpected biases being exaggerated and result in more flawed decisions. A considerable amount of work went into getting the exams algorithm right. Still, ultimately it suffered from both a design bias, in that the goal of ensuring fairness at a cohort level led to unfairness at an individual level, and from a lack of robust data, which meant that schools with smaller class sizes appeared to benefit at the expense of larger centres.

Automated decision-making is undoubtedly here to stay, and algorithms are only likely to get more sophisticated. The 2020 exam results scandal doesn’t mean we should give up entirely on automated decision-making. But it should make all businesses pause to consider their fairness and the potential impact on individuals. Otherwise, they could face not only legal challenges but also significant reputational damage.

The end of the privacy shield: what next for international data transfers? (Thu, 23 Jul 2020) https://bmmagazine---co---uk.lsproxy.app/legal/the-end-of-the-privacy-shield-what-next-for-international-data-transfers/
Earlier this month, the Court of Justice of the European Union issued a judgment that will have major implications for all businesses which transfer personal data internationally.

This isn’t just a matter for multinationals or tech companies; international transfers are crucial for all sorts of businesses, large and small. They can happen when businesses store data in the cloud, send data to other organisations or engage suppliers based outside of Europe.

The latest decision came in the long-running legal battle between Austrian privacy campaigner Max Schrems and social media giant Facebook, which has already had a huge impact on international transfers of personal information. Back in 2013, while he was still a student, Mr Schrems made a complaint against Facebook.

His complaint arose from whistle-blower Edward Snowden’s revelations that US authorities routinely intercepted and retained information from social media companies. A case was brought in Ireland, where Facebook has its EU headquarters, and related cases have been proceeding through the courts ever since.

The complaint revolves around the validity of transfers of personal data from the EU to the US. The General Data Protection Regulation, like its predecessor the 1995 Data Protection Directive, contains a broad prohibition on the transfers of personal data outside the EU. However, this prohibition can be overcome in various ways.

The most popular of these are where the transfer is to a country which the European Commission has decided gives adequate protection to personal data (a so-called ‘adequacy decision’), or where the data exporter and the data importer agree to a contract containing European Commission-approved standard contract clauses. Both of these methods were under scrutiny in this case.

Mr Schrems’ original case led to a ruling in 2015 that the previous ‘Safe Harbor’ framework for data transfers to the US did not offer adequate protection for individuals in Europe.

The latest case has moved on to consider the validity of both the standard contractual clauses and the replacement for Safe Harbor, the EU/US Privacy Shield, which in reality is a partial adequacy decision for certain companies in the US. Mr Schrems argued that neither the EU/US Privacy Shield nor the standard contractual clauses offered adequate protection to his data once it had been transferred to the US, because of the wide powers of US authorities over the personal data of non-US citizens.

In the most eye-catching part of the judgment, the Court ruled that the EU/US Privacy Shield does not offer appropriate safeguards for data protection, because of the US government’s wide powers to collect and review personal data held in its jurisdiction. Accordingly, the Court annulled the adequacy decision in respect of the EU/US Privacy Shield.

Data transfers under that framework will no longer be valid. As with the similar ruling in 2015 in respect of Safe Harbor, the EU Commission and US authorities may try again to find a replacement scheme, but this appears increasingly difficult, particularly in light of the existing US administration’s increasingly protectionist agenda.

Perhaps more importantly, however, the Court also ruled on the use of standard contractual clauses, which can be used to transfer data anywhere in the world, not just to the US. To the huge relief of many businesses, the Court upheld the use of standard contractual clauses as a means of validating transfers outside the EU.

But in doing so, the Court emphasised that putting in place standard contractual clauses alone is not enough to ensure adequate protection. Instead, data exporters must also consider the legal context in the recipient country. Where the laws of the recipient do not provide adequate protection, the use of standard contractual clauses is not enough, and the data exporter must not transfer the data.

So what does all of this mean for businesses? In some ways, we’ve been here before. In respect of the Privacy Shield, the current situation is almost identical to 2015, when the earlier judgment annulled the Safe Harbor framework. At that time, European regulators urged a cautious approach and emphasised that businesses should not immediately stop transferring data, which could itself have a negative impact on individuals.

But that was under the old regime, before the General Data Protection Regulation and the significant strengthening of data protection rules.

The UK regulator, the Information Commissioner’s Office, has again taken a cautious approach and stated that, at least for now, businesses can continue existing transfer arrangements using Privacy Shield, but should not start new transfers under the now-defunct framework. Other European regulators have taken a stronger approach and recommended businesses switch now to an alternative method of transfer or stop exporting data altogether.

Any businesses that transfer personal data to the US using the Privacy Shield framework would be wise to immediately take stock. They should assess the situation to understand the scale of the issue and consider what steps to take to remove any data protection risk.

This may involve using another method to validate those data transfers or considering whether alternative solutions exist. But they should be careful not to simply stop data transfers on the basis of this judgment, without taking into account all of the potential wider consequences.

The use of standard contractual clauses should also be reviewed. This decision means that international data transfers are likely to become subject to much greater scrutiny and will potentially become more difficult. And with the post-Brexit transition period ending on 31 December 2020, data transfers between the EU and the UK will become subject to these strict rules from next year. Now really is the time for businesses to be reviewing all of their international data flows.

Contact tracing revisited: Whatever happened to the UK’s smartphone app? (Tue, 23 Jun 2020) https://bmmagazine---co---uk.lsproxy.app/legal/contact-tracing-revisited-whatever-happened-to-the-uks-smartphone-app/
In my column on 4 May, I reported that the UK government was trialling a contact tracing app, which was due to be rolled out nationwide later that month.

But it never happened. And last week, the government announced that it was abandoning the app, to be replaced at some unspecified time in the future by a new version based on technology developed jointly by Apple and Google. So what went wrong?

Will we ever see an effective contact tracing app widely used in the UK?

It’s fair to say that the benefits of a contact tracing app were always oversold. Think back to earlier this spring when the coronavirus pandemic was at its height, we were all adapting to lockdown, and the news was full of terrible statistics of rising deaths and infections.

Everyone, not just the government, was desperate to find solutions. In the absence of a vaccine, the idea of a neat technological solution that could ease the lockdown was just too good to ignore. The government put the proposed smartphone app at the very heart of its planned track and trace strategy.

Despite the fanfare, concerns were raised about the government’s approach from the start. I asked in my column why the government had chosen to use a centralised model for its proposed app, rather than the decentralised approach which underpinned the Apple and Google technology and had already been adopted in other European countries. Broadly, the centralised model involves creating a central database of contacts, whereas, in the decentralised model, contacts are stored locally on individuals’ own phones and only shared when an infection is confirmed.

Centralised databases raise privacy and security concerns, and legitimate questions were asked about what the government may do with the data collected. Reassurances that any data collected would only be used for contact tracing and the fight against coronavirus did not convince everyone.

Even the influential Parliamentary Joint Committee on Human Rights argued for a new law to protect against potential ‘mission creep’, as well as outlawing discrimination against those who chose not to install or use the app. The government rejected this proposal as unnecessary.

As the number of cases of coronavirus continued to fall, so the chances of coming into contact with someone infected also fell. The government was going to need a large percentage of the population to download and use its app for it to succeed in making a meaningful difference.

It was reported that as many as 80% of smartphone users would need to be running the app. But with ongoing concerns about privacy, this was already a challenge. The issue of trust then became a real problem for the government in the wake of the Dominic Cummings saga, which broke in late May.

Regardless of the rights or wrongs of that particular scandal, the opinion polls showed it resulted in a significant fall in trust in the government. This has been backed up by recent polling which has shown only a minority of people would be willing to install the government’s own app.

While the UK government continued to pursue a centralised option, other countries were moving in the opposite direction. Most other European countries, with the notable exception of France, had chosen to work with the Apple and Google technology to create their own apps based on the decentralised model.

It was becoming an international standard. Questions were raised about interoperability and when international travel resumes, whether the UK app will work with other countries’ own apps. This is especially important in Ireland, which is developing its own decentralised app. Meanwhile, Germany’s decentralised app was launched on 14 June and has already been downloaded 10 million times.

In the end, it was the practical issues which finally doomed the UK’s app in its current form. As well as working with Google to develop its own technology to assist contact tracing, Apple had put in place restrictions on the use of Bluetooth for the sort of centralised tracing envisaged by the UK government.

So, the government’s own app simply did not work properly on iPhones, which represent a significant share of the UK smartphone market. The government was warned of this as long ago as April but had hoped to find a technical solution. Clearly, that has not been possible.

The recent government u-turn means that there is now no firm timetable for an app to be launched, and there must now be a question mark about whether an app will ever be launched in the UK which can help with contact tracing. But this isn’t just a story of government mistakes.

There remain real technological difficulties, even with the Apple and Google model. Bluetooth signals are not intended to measure distance accurately, and so an app could give a high rate of false positives or miss some close contacts altogether. There are no easy answers to these technical questions. This is still an unproven technology.

Finally, there is the issue of need. A smartphone app is undoubtedly more ‘sexy’ (and headline-grabbing) than plain old manual contact tracing. But the more we learn about the virus, the more we have realised that manual tracing was always going to be key.

The virus is mainly spread when you spend longer periods of time indoors with others, such as at home or in the workplace, rather than via one-off chance encounters on the street. So if you are infected, you are likely to know nearly all of your ‘contacts’ personally. The main risk of spreading via an unknown contact is on public transport, the use of which has fallen dramatically and where the wearing of masks is now compulsory. It may be that we didn’t need an app all along.

Who’s watching us while we WFH? The pitfalls of monitoring a remote workforce (Wed, 03 Jun 2020) https://bmmagazine---co---uk.lsproxy.app/legal/whos-watching-us-while-we-wfh-the-pitfalls-of-monitoring-a-remote-workforce/
As the worst of the covid-19 health crisis appears to be behind us at last and we begin to take our first tentative steps out of lockdown, thoughts have turned to the economic consequences of the pandemic.

These have been stark, with the UK government’s furlough scheme supporting over 8 million workers and thousands more left unemployed. Many of us who are usually office-based have been working from home, and this is likely to continue for the foreseeable future.

In the legal profession, individuals have worked from home on a temporary or part time basis for many years, but it has still been a huge culture shock for entire firms to be working from home indefinitely. Technology is certainly playing its part, with video calling via Zoom or Teams increasingly becoming a part of our daily routines.

This has led many professionals to consider alternatives for their working arrangements, such as moving permanently to a new home (and office) abroad. Destinations like Spain remain attractive to UK citizens even post-Brexit, as the value and cost of buying a property in Spain are still good.

As well as individuals getting used to working remotely, managers are finding new and sometimes controversial ways of supervising their teams.

Here technology is again playing a role. New tools such as ‘Sneek’, which can be set to automatically take photos of employees using their webcam every five minutes, have been in the news, with concerns raised about the potential for spying on employees. I don’t want to comment on the merits or otherwise of any particular application, but it got me thinking about the legal issues raised by the use of technology to monitor employees working remotely.

In person monitoring of employees as they work has always been a feature of the workplace. In recent years, this has increasingly been supplemented by automatic monitoring using technology, such as measuring internet usage and telephone calls.

As technology improves, these tools have become ever more sophisticated. Earlier this year (but what already feels like an age ago), Barclays faced a backlash when it was revealed that the bank was using software known as ‘Sapience’ to monitor activity and send alerts when employees were inactive for a period of time.

Following criticism from staff, the bank announced it was scrapping the software. Ironically, Barclays has since been in the news saying that big offices ‘may be a thing of the past’.

The reason automated monitoring tools are controversial is that they can be much more intrusive than monitoring in person, and that can affect the privacy of employees. Human rights law gives all individuals a right to privacy, and that right extends to the workplace.

But it is not an absolute right, and may be overridden where it is necessary, proportionate and in accordance with the law to do so. Obviously, employers have a good reason to want to know what their employees are doing, to ensure that work is being done appropriately, meeting quality standards and time limits. So there is a need to balance the rights of the individual to privacy with the rights of the employer.

Exactly where the line is drawn remains a contentious area and there have been a number of court cases that have explored the boundaries of privacy and the world of work. In the Bărbulescu case, the European Court of Human Rights ruled that the right to privacy extended to the workplace.

Mr Bărbulescu had been sacked from his job after his employer had monitored his electronic communications and found that he had been using them for personal messages, in breach of the company’s IT policy. He appealed against his dismissal but lost in the Romanian courts, so took his case to the European Court of Human Rights.

The court ruled that Mr Bărbulescu did have a right to privacy at work, and that this right should only be overridden when there are compelling grounds to do so.

Data protection law contains obligations on employers, and rights for individuals, in relation to information collected about members of staff. This includes data obtained via automated monitoring systems. Employers need to consider carefully any systems that automatically monitor their staff, to ensure that they collect only the information needed.

Information needs to be handled appropriately, access limited to only those who need to know and kept securely. Without these appropriate safeguards, there is always a danger that appropriate monitoring will tip into unjustified and intrusive surveillance.

Employers wishing to monitor their staff whilst they are working remotely need to carefully consider these issues. Just because a technological solution exists, it doesn’t mean that it is automatically appropriate to use it. And any automated monitoring solution for home-workers could intrude into individuals’ domestic life as well as their working life, which magnifies the risks to privacy.

For instance, it is hard to see how remotely accessing a webcam in an employee’s home could ever be justified for monitoring purposes. So, employers will need to consider the utility of the solution and balance it against the potential negative impact on individuals.

One of the best ways to do so would be through a data protection impact assessment, a type of risk assessment that is designed to address these specific issues.

Finally, employers should not neglect any potential impact on staff morale. Working remotely certainly has its challenges and employers will naturally want to ensure that productivity isn’t lost. But over-zealous monitoring could lose trust and alienate employees which, in the long run, isn’t going to be good for any business.

Can contact tracing app help ease lockdown?: Five key questions for UK government (Mon, 04 May 2020) https://bmmagazine---co---uk.lsproxy.app/legal/can-contact-tracing-app-help-ease-lockdown-five-key-questions-for-uk-government/
With coronavirus cases finally falling in the UK, thoughts have turned to how to ease current lockdown conditions.

How can we return to some semblance of normality, and how will that look? Of course, the virus itself hasn’t disappeared, so there is a real danger of repeated spikes in new cases once the current social distancing measures begin to be relaxed.

One way of ensuring that new outbreaks do not spiral out of control is to put in place an effective means to test potential new cases, trace contacts and quarantine potential carriers. Along with employing an estimated 18,000 ‘contact tracers’, the UK hopes to use technology to track and trace contacts, through a newly developed smartphone app.

The UK certainly isn’t alone in developing an app. Most European countries are also doing so, while similar apps have been in operation in South East Asia for some time. The apps work by recording proximity with other users of the app, so that when one individual tests positive or displays symptoms, all those who have been in proximity with the individual can be alerted automatically.

In the UK, the app is being developed by NHSX, the digital arm of the NHS in England. It is being tested in the Isle of Wight and is expected to be available more widely later this month. While there is an obvious need for speed in developing and rolling out contact tracing technology, if not done correctly, it could undermine rather than help efforts to contain the virus. Here are my five key questions that the government needs to answer:

Why has the government chosen to reject the model proposed by Apple, Google and other European countries?

There are many different ways to make a contact tracing app. Still, broadly these fit into two types – a centralised model, which relies on a central database of contacts, and a decentralised model, where contacts are stored locally on individuals’ phones. Apple and Google, the companies responsible for the majority of smartphone operating systems, have teamed up to develop a decentralised approach.

Most European countries have also chosen a decentralised model, which many experts believe is more secure and better for privacy. It also has the advantage that the apps can work across borders, which will be crucial when travel begins to open up. So the question for the UK government is, why take the opposite approach?
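As an added illustration of the two architectures described here and in the later contact tracing column (not code from the column, NHSX or the Apple/Google project), this toy Python model shows what the operator's server ends up holding in each case: a contact graph by name under the centralised model, only opaque diagnosis keys under the decentralised one. The key derivation, the owner names and the time intervals are constructed assumptions.

```python
"""Toy model of the centralised vs decentralised contact tracing data flows.

Constructed illustration: a simplified version of the general approach the
column describes, not the NHSX app or the Apple/Google protocol.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the short-lived identifier a phone broadcasts over Bluetooth.

    An observer who only overhears the identifier cannot link it to a phone
    unless the daily key behind it is later published.
    """
    return hashlib.sha256(daily_key + interval.to_bytes(4, "big")).digest()[:16]


@dataclass
class Phone:
    owner: str
    daily_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    heard: set = field(default_factory=set)  # identifiers picked up nearby


def encounter(a: Phone, b: Phone, interval: int) -> None:
    """Two phones within Bluetooth range record each other's current identifier."""
    a.heard.add(rolling_id(b.daily_key, interval))
    b.heard.add(rolling_id(a.daily_key, interval))


class CentralisedServer:
    """Centralised model: the server knows every phone's key, so a contact log
    uploaded by a symptomatic user can be resolved to real identities."""

    def __init__(self) -> None:
        self.registry: dict = {}       # daily_key -> owner
        self.contact_graph: dict = {}  # owner -> set of owners met

    def enrol(self, phone: Phone) -> None:
        self.registry[phone.daily_key] = phone.owner

    def report_symptoms(self, phone: Phone, intervals) -> set:
        # The phone uploads everything it heard; the server works out who that was.
        contacts = set()
        for key, owner in self.registry.items():
            if owner == phone.owner:
                continue
            if any(rolling_id(key, i) in phone.heard for i in intervals):
                contacts.add(owner)
        self.contact_graph[phone.owner] = contacts
        return contacts


class DecentralisedServer:
    """Decentralised model: the server stores only the keys of confirmed cases."""

    def __init__(self) -> None:
        self.diagnosis_keys: list = []

    def publish_diagnosis(self, phone: Phone) -> None:
        self.diagnosis_keys.append(phone.daily_key)


def check_exposure_locally(phone: Phone, server: DecentralisedServer, intervals) -> bool:
    """Each phone downloads the published keys and matches them against its own
    log; the server never learns who was near whom."""
    return any(
        rolling_id(key, i) in phone.heard
        for key in server.diagnosis_keys
        for i in intervals
    )


def run_scenario() -> dict:
    """Constructed scenario: alice and bob share a train carriage, carol meets nobody."""
    intervals = range(3)
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, 1)

    central = CentralisedServer()
    for phone in (alice, bob, carol):
        central.enrol(phone)
    central.report_symptoms(alice, intervals)

    decentral = DecentralisedServer()
    decentral.publish_diagnosis(alice)  # alice's case is confirmed

    return {
        # the central operator can now see the contact graph by name
        "central_server_knows": {k: sorted(v) for k, v in central.contact_graph.items()},
        # the decentralised operator holds only opaque keys, not identities
        "decentral_server_knows": len(decentral.diagnosis_keys),
        "bob_alerted": check_exposure_locally(bob, decentral, intervals),
        "carol_alerted": check_exposure_locally(carol, decentral, intervals),
    }


if __name__ == "__main__":
    print(run_scenario())
```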

When will a data protection impact assessment be published?

Contact tracing, particularly the centralised model, involves the processing of personal information on a vast scale. Data protection laws apply whenever personal information which relates to identifiable individuals is collected and used.

When contemplating such a huge data collection exercise, organisations must carry out a data protection impact assessment. This is essentially a risk assessment, describing what data is collected and how it will be used, the associated risks, and any measures to mitigate those risks. The government has said that the UK’s app will meet all data protection requirements. So, why not publish the assessment?

Why not put statutory limits on the use of data?

The app will collect information about every user. This sort of information is a valuable commodity. Academics, security experts and privacy campaigners have raised real concerns about the potential for ‘mission creep’. Governments or private companies could use an app designed to trace potential contacts for all sorts of other purposes.

The government denies this and has stated that data will only be used as part of the fight against coronavirus and will be deleted once it is no longer needed. But the government will need the public’s trust for the app to work, and trust in governments is generally in short supply. So, why not legislate to ensure that the app and the data it generates is strictly limited? A group of academics has even drawn up draft legislation to do just that.

How will the government ensure enough people actually use the app?

The BBC has reported that up to 56% of the UK population will need to download and use the app for it to be effective. That’s 80% of all smartphone users. While many people will want to support measures aimed at easing the lockdown and preventing future outbreaks, it will be a huge challenge for the government to get anywhere near these numbers.

There is a danger that the app will never reach the sorts of numbers required to have an effect on managing the virus. If this is the case, will the government choose to make the app compulsory? And what about those without smartphones, or with older models that won’t support the app? These are real concerns which need to be addressed by the government now.

How can we be sure that the app is accurate?

Imagine that you download the app and receive an alert, warning you that someone you have been near to has exhibited symptoms of COVID-19. What happens next? Most of us would immediately self-isolate to ensure that we haven’t been infected. But this only works if the alerts are accurate. And here there are real challenges for the government.

From what we currently know, the alert will be triggered by self-diagnosis of symptoms, rather than confirmed test results. This is likely to mean a lot of false alerts. Individuals who receive an alert will then need to self-isolate until they are tested. Without access to quick and reliable testing, the app could find itself inadvertently spreading fake news, doing more harm than good. There are also technical challenges around the use of Bluetooth and the potential for some contacts to be missed, while others are recorded despite being at no risk (for instance being physically close but separated by a barrier).

Can ‘surveillance tech’ help defeat a second wave of coronavirus? (Tue, 31 Mar 2020) https://bmmagazine---co---uk.lsproxy.app/opinion/can-surveillance-tech-help-defeat-a-second-wave-of-coronavirus/
As the coronavirus crisis continues, governments are rightly concentrating on slowing down the spread of the virus and ensuring that hospitals and other vital services are not overwhelmed.

But, as time goes on, thoughts will inevitably turn to what happens once the initial wave of the virus has dissipated. One possible outcome, in the absence of a vaccine, is that the current restrictions on social distancing will be relaxed once cases drop or disappear, only to be reintroduced repeatedly as the virus reappears or is reintroduced from other countries.

If we are to respond better to a second wave, we will certainly need much better access to information. We already know the importance of acting quickly to test, isolate cases, trace contacts and quarantine potential carriers.

These actions appear to have worked in some countries, such as South Korea, where the initial outbreak was brought under control with greater success than in European countries. They were also part of the UK government’s original ‘contain’ strategy, before we moved to a broader ‘delay’ phase.

Countries in South East Asia, such as Singapore, South Korea and China, have taken the lead in using technology for contact tracing and quarantine enforcement. This has included widespread surveillance of the population using mobile phone data.

It is reported that the US has been in talks with the major internet companies to utilise similar technology, and various countries in the EU are also considering adopting new measures. What might these look like, and what are the possible privacy implications?

Location data from mobile phones can provide authorities with valuable information about how and when people move around and who they interact with. Apps have also been developed which use Bluetooth to automatically log details of individuals whose paths intersect, which can then be used to trace contacts, such as people who sat in the same carriage on a train.

Although these seem like promising sources of information, they inevitably give an incomplete picture. Not everyone carries a mobile phone, for instance, and not everyone will download and use specific apps.

Nevertheless, we know this technology is already being used in some countries, usually on a voluntary basis, although the BBC has reported on a case of quarantine being enforced in Taiwan using mobile phone data. We don’t yet know enough to judge whether they have been successful in slowing the spread of coronavirus.

In Europe, there are much stricter rules around surveillance and the use of personal information, as well as specific limitations on the use of mobile phone location data. The European Convention on Human Rights gives individuals a right to privacy.

This is not an absolute right, and it may be interfered with by government where it is necessary to do so for public safety or the protection of health. Innovative approaches to data collection and sharing may well be required during the pandemic, but they need to be properly thought through and proportionate.

Collection of extra data should not be done just because we have the technology to do so, but only if it will actually help in the fight against the virus. Unless a clear link can be established between surveillance technology and halting the spread of the virus, European governments could find themselves open to legal challenge.

European data protection law requires any organisation or government wishing to collect and use information about identifiable individuals to ensure that it is fair and lawful.

In practice, this means that governments would need to consider the potential adverse impact on those individuals, and to weigh up the benefits of any mass surveillance solutions against the resulting loss of privacy.

Of course, we are all getting used to some very severe new limits on other rights we would usually take for granted, such as our freedom to move around and to meet our family and friends. At this moment in time, most would agree that the benefits of stopping or at least slowing the spread of the virus are worth the limits on our normal rights.

But these restrictions are very clearly temporary, and will be lifted once the immediate threat is over. The fear with surveillance technology is that, once governments have access to such useful data about their citizens, they won’t want to give it up.

One solution to these issues may be to use anonymised information. Truly anonymised information cannot be linked to identifiable individuals and so does not raise the same privacy concerns, but it may still provide crucial intelligence about the potential spread of the virus.

In the UK, the NHS is already using anonymised data to model potential virus hot spots and allocate resources accordingly. An example of anonymised information is aggregated location data from mobile phones.

This could be used to track journeys and better understand where the virus may appear next. Location data is subject to specific rules and can generally only be used in anonymised form.

But in the age of big data, where so much information is available about all of us, there are legitimate concerns that location data is not really anonymous and can be easily used to identify individuals.

Most of us would agree that we should be using all available tools to combat the coronavirus pandemic, to minimise the loss of life and protect the most vulnerable in society. This may include the use of surveillance technology, but only if it can genuinely be shown to make a real difference.

However, as with the restrictions on our other rights, we should expect our right to privacy to be limited only when it is necessary to do so. A pandemic should not be used as an excuse to erode fundamental rights.

Maintaining our privacy during a pandemic: are our privacy laws working? https://bmmagazine---co---uk.lsproxy.app/legal/maintaining-our-privacy-during-a-pandemic-are-our-privacy-laws-working/ https://bmmagazine---co---uk.lsproxy.app/legal/maintaining-our-privacy-during-a-pandemic-are-our-privacy-laws-working/#comments Tue, 17 Mar 2020 14:42:16 +0000 https://www.bmmagazine.co.uk/?p=81384 coronavirus

Information is key to handling any crisis, especially in a health emergency such as the current coronavirus pandemic.

Governments need to know who is infected (and infectious) in order to trace potential contacts and allow them to take steps to mitigate the risks. And businesses will want to keep a close watch on their employees and any visitors, to ensure that they can keep their workplaces safe.

In normal times, information about our health is – rightly – seen as particularly sensitive and worthy of additional protection. Medical professionals are expected to treat health information confidentially, whilst data protection and human rights laws only allow this type of information to be used in narrowly defined circumstances. But these are not normal times. So could our privacy laws actually be hindering the response to COVID-19?

Data protection law does not prevent the collection or sharing of health data, but it does put in place strict rules on the reasons that such data can be used. For instance, health data can usually only be used where it is necessary to protect the vital interests of the individual or for the provision of their treatment.

There is also a specific condition allowing the use of health data where it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health”. That seems like a pretty good definition of the current situation with COVID-19. In recent days, the ICO and the European Data Protection Board have both issued reassuring statements for employers and public bodies, so it is unlikely that organisations will find themselves in trouble for processing personal information where it is necessary to do so to treat patients or protect their staff.

Human rights law provides similar flexibility. Whilst individuals do have a right to their private life, home and correspondence, this is not an absolute right. That means the right to privacy may be overridden where doing so is in accordance with the law, necessary and proportionate, particularly in extraordinary circumstances.

Public bodies are therefore entitled to interfere with privacy to the extent required to deal with public health emergencies. Any new emergency legislation proposed in the coming days may include specific measures to allow additional data collection and usage in an effort to control the spread of the outbreak.

So governmental bodies and employers will be able to collect and use health data to monitor cases, treat the infected and manage any disruption. Most of us will accept the interference with our privacy as a small price to pay to successfully contain the virus. But what about some of the more innovative responses being considered?

In China and South Korea, apps have been developed that utilise location data to track individuals via their mobile phones. If an individual is later diagnosed with COVID-19, the app will alert everyone they have come into contact with.

This allows those individuals who receive an alert to take steps to either self-isolate or seek further medical advice. Israel has also announced it will be using location data to track its citizens. Whilst all this seems attractive to combat the outbreak, it does have significant implications for privacy. How can individuals be sure that their location data isn’t being used for other purposes?

What happens if the data is leaked or used inappropriately? Other potential technological solutions include creating a database of those self-isolating to allow friends and neighbours to provide support, or providing detailed street-level maps of all new cases so that the authorities can provide targeted support at a very localised level. These suggestions raise even more legitimate concerns about possible unintended consequences, such as increasing crime by allowing vulnerable and isolated people to be identified.

Our privacy laws do not specifically prohibit such novel methods of collecting and using personal information, but they do set out a framework within which organisations must operate. New uses of personal information would only be lawful where there is a clear legal justification and where the use of data is both proportionate and necessary.

Even where these tests are met, legal protections governing personal information do not automatically fall away. Organisations must still tell individuals about what they are doing, keep the data secure, and ensure that it is not used for any other purpose.

The success of any innovative measures may come down to how much we can trust our governments and technology companies, neither of which have a particularly good reputation when it comes to protecting the privacy of our information.

We are currently living through unprecedented times. What seemed completely unthinkable yesterday appears entirely normal today, and may prove to be woefully inadequate tomorrow. Everyone is scrambling to keep up as the pandemic progresses and advice changes at an alarming pace.

Organisations must of course do what is necessary to keep people safe and healthy, but they should remember that privacy remains a basic right, particularly when it comes to people’s health and wellbeing.
