UpData Bulletin - November 2019

Selected data protection legal and regulatory developments in the UK, EU and internationally.

13 November 2019

Highlights include significant judgments in both the Lloyd representative action against Google and the group action against British Airways, new guidance from the EDPB on processing personal data under GDPR, a joint report from Bank of England and FCA on machine learning, and the first UK-US Bilateral Data Access Agreement.

Published Articles

  • Singularis: the attribution of wrongdoing to corporate entities and the insurability of fines: Felix Zimmermann and Alex Gabriel consider how the Supreme Court’s approach in Singularis, if applied to the insurance of fines for breaches of the GDPR, could mean that some fines are insurable at law. The full article can be found here.
  • The New Oil: Rob Allen was quoted this month in this feature in The Law Gazette. The article considers ICO enforcement action so far, GDPR’s increasing influence and how the legislation has affected a large spread of sectors. The full article can be found here.

Enforcement action

  • British Airways and Marriott International: We are still waiting on confirmation of the fines which the ICO announced it intended to impose on British Airways and Marriott International of £183.39m and £100m respectively.
  • ICO and Facebook settle privacy investigation: On 30 October, the ICO announced that an agreement had been reached, resolving an investigation into Facebook’s alleged misuse of personal data. A £500,000 penalty was issued under s55A of the Data Protection Act 1998 last year and Facebook has agreed to withdraw its appeal and offer an admission of guilt to settle the investigation. In a published statement Facebook’s associate general counsel noted that major changes had been made to restrict information to users’ personal data, stating that protecting people’s information and privacy was a “top priority” for Facebook. See the ICO statement here.
  • ICO raids on business suspected of illegal cold calls: On 3 October the ICO searched a business premises in Chichester suspected of making unlawful cold calls in relation to pension policies. This follows the implementation of new, stricter rules as to who can make marketing calls related to pension schemes. Only calls from trustees or managers of pension schemes, or FCA authorised individuals or firms, are permissible and only calls to those who meet strict criteria or who have consented to calls from the specified company are allowed. An article from the ICO related to this ongoing investigation can be found here.

In the courts:

  • Lloyd v Google - Court of Appeal judgment: On behalf of a class of over 4 million iPhone users, Mr Lloyd seeks damages against Google LLC for Google’s alleged unlawful tracking through the use of third-party cookies without the consent of iPhone users in 2011-12. On 2 October, a unanimous decision from the Court of Appeal overturned the 8 October 2018 judgment of the High Court that had, in effect, blocked the representative action from proceeding. The CoA’s decision confirms that:
    • it is possible in certain circumstances to use a representative action in the High Court to approximate the effect of a US-style opt out class action; and
    • an individual’s personal data has an economic value and loss of control of that data is a violation of an individual’s right to privacy, potentially giving rise to damages under s.13 of the Data Protection Act.

The judgment is being appealed to the Supreme Court, but, if upheld, the financial implications may be dramatic: Mr Lloyd’s suggested uniform damages of £750/person amounts to a quantum of up to £3bn (albeit that the final sum is likely to be lower).

  • British Airways Group Litigation Order: On 4 October 2019, the High Court approved a group litigation order in proceedings between British Airways and a group of customers affected by its 2018 data breach, allowing BA customers to go ahead with an opt-in for a class-action lawsuit over the September 2018 data breach. Up to 500,000 potential claimant customers now have 15 months to join the claim (with a cut-off date of 17 January 2021). Claimant law firms’ estimates of damages per person range from £2000-6000, implying a maximum potential quantum of £1-3bn. The link between the ongoing ICO investigation into BA and this group action highlights a growing threat of follow-on litigation after data protection enforcement action.

Published guidance

  • EDPB guidance on The Processing of Personal Data under Article 6(1)(b) GDPR: this published guidance covers the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. The guidance places an emphasis on personal data being processed in a fair and transparent manner, in line with the purpose limitation and data minimisation obligations contained in GDPR. The guidance also considers Article 6(1)(b)’s interaction with other lawful bases for processing, its scope, and the need for a constant consideration of necessity. The EDPB’s full guidance can be found here.
  • Bank of England and FCA report on machine learning in the UK Financial Services sector: The BoE and FCA have published a joint report on the findings of their first ever survey of the use of machine learning in the UK financial services industry. The report summarises the results of a survey of 106 respondents from a group of almost 300 banks, credit brokers, e-money institutions, financial market infrastructure firms, investment managers, insurers, non-bank lenders and principal trading firms. The report’s principal finding is that there has been significantly increased deployment and uptake of machine learning, particularly in larger banks and insurers. It suggests that AI and machine learning will be used increasingly by financial service providers, particularly in an anti-money laundering context, and may become industry standard within the next 5-10 years. Report available here. In light of these conclusions, financial services providers and their advisors would be well advised to consider the ICO’s approach to artificial intelligence and the importance of completing DPIAs in such circumstances which demonstrate the necessity and proportionality of any AI-related personal data processing. ICO’s latest commentary is available here.

In the news

  • UK and US sign landmark Data Access Agreement: On 3 October 2019 a historic agreement was signed by the Home Secretary, Priti Patel, and the US Attorney General, William P Barr, in Washington DC which will allow law enforcement agencies to demand electronic data relating to serious criminals from US tech firms. The UK-US agreement is the world’s first international bilateral data access agreement and is intended to dramatically speed up complex investigations and prosecutions by enabling law enforcement, with appropriate authorisation, to go directly to the tech companies to access data, rather than the longer process of going through governments. See the UK Government’s announcement relating to this agreement here.
  • Home Secretary and US Attorney General co-sign open letter to Facebook Chief Executive: The Home Secretary and the US Attorney General have co-signed an open letter to Facebook’s CEO, Mark Zuckerberg, outlining concerns with Facebook’s plans to implement end-to-end encryption across its messaging services. Their letter raises a number of concerns including the fact that law enforcement may not be able to gain access to content in order to protect the public. Patel noted that “Tech companies like Facebook have a responsibility to balance privacy with the safety of the public”. See UK Government’s announcement related to this letter here. Any limitations placed on encryption by governments will have clear data security implications.
  • New Cayman Islands Data Protection Law: Recently, the Cayman Islands has implemented data protection legislation reflective of GDPR. Funds established in the Cayman Islands are likely to be data controllers under the DPL and should review their current data privacy policies to ensure they comply with it. See guidance from the Ombudsman of the Cayman Islands here. The DPL is evidence of the growing global influence of the principles contained within GDPR.
  • Data Protection experts want watchdog investigation of political parties: As political parties’ general election campaigns get underway this week, concerns are looming that multiple parties may be using data brokers such as Experian to identify target voters. Experian has not offered an option to opt-in or out of that process. This is the first general election campaign run in the UK since the introduction of GDPR and the ways that political parties target and campaign may be required to change accordingly. See news articles relating to these concerns here and here.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.