UpData Bulletin – December 2019

Selected data protection legal and regulatory developments in the UK, EU and internationally.

09 December 2019

Publication

Highlights include ICO consultations on guidance as to how to explain decisions made by AI and on the ICO’s pursuit of significant further criminal powers under the Proceeds of Crime Act, the risks related to political parties and cyberattacks and new requirements from the FCA for firms to explain senior managers’ roles in managing cyber security risk.

Published Articles

  • ICO and the Alan Turing Institute consultation on explaining AI decision making: Reflecting the fact that the ICO is now treating AI as one of its key areas of focus, it has published, together with the Alan Turing Institute, a consultation paper on guidance regarding AI decision making and related GDPR requirements. The purpose of the Draft Guidance is to provide practical advice as to how organisations should go about explaining decisions made by or with the assistance of AI. We note that the Draft Guidance emphasises that even where an AI-assisted decision is not part of a solely automated process, GDPR still requires organisations to be able to explain it to any individuals affected. This requirement is broad and is likely to apply wherever AI or related technology is used to process personal data and assist in decision-making processes. The guidance is out for consultation until 24 January 2020 and can be accessed here. Simmons and Simmons’ Artificial Intelligence Group’s commentary on the same is available here.

Enforcement action

  • British Airways and Marriott International: We are still waiting for confirmation or further developments regarding the ICO’s intended fines against British Airways and Marriott International of £183.39m and £100m respectively.
  • Implications of the ICO and Facebook’s settlement regarding the £500,000 fine in relation to the Cambridge Analytica data leak: The fine was imposed by the ICO over a year ago on 24 October 2018 (at the maximum level allowed under the DPA 1998) following the ICO’s investigation into the misuse of personal data in political campaigns. Facebook appealed that fine in November 2018. In June 2019 the First-tier Tribunal issued an interim decision allowing questions as to the ICO’s procedural fairness and allegations of bias to be considered. The ICO initially appealed that decision. The ICO and Facebook have now agreed to drop both appeals. Facebook will pay the fine but has made no admission of liability. The ICO’s statement is available here. There are two points of note:
    • the ICO has avoided the risk of proceedings going to the fairness of its processes and procedures and ultimately the risk of an adverse finding. Either would have been deeply unhelpful to the newly assertive regulator in the context of much larger pending GDPR fines that may or may not be challenged themselves;
    • the ICO previously requested Facebook freeze its internal investigations into issues relating to the inappropriate use and sharing of personal data whilst the appeals were pending. These internal investigations can now take place.

ICO Consultations

  • ICO seeks further criminal powers: The ICO has this month been consulting on proposals that its criminal powers should be significantly expanded to include investigative and asset recovery powers under the Proceeds of Crime Act 2002. In particular, the ICO is seeking powers to apply for Restraint Orders and Confiscation Orders, as well as powers in relation to the seizure of cash and assets, to undertake investigations in support of the aforementioned applications and to access information relevant to the investigation of money laundering offences.

    The ICO says this is necessary on account of the increased prevalence of the exploitation of personal data by criminal gangs and the potential for significant criminal financial gain. Currently under the GDPR and DPA 2018 the only sanction available following a criminal conviction is a fine. This is often less than the financial gain that may have been made by the offender and leads to an imbalance between the ICO’s ability to deter breaches of GDPR in the civil and criminal contexts. The consultation closes on 6 December 2019. A link to the 8 November 2019 consultation paper can be found here. The clear implication from this consultation is that the ICO may be intending to increase the extent to which it engages in investigations against the use of personal data to facilitate crime. However, as only a single investigator is intended to acquire the requisite authorisation any such expansion is likely to be modest in scope.

Published guidance

  • FCA and PRA require firms to explain their cyber security accountability for senior managers: The FCA and PRA have issued a self-assessment questionnaire that will need to be signed off at board level, detailing what senior managers’ responsibilities are and listing who is ultimately responsible. We understand firms will have eight weeks from receipt to complete and return the questionnaire, which can be found here. The FCA’s updated cyber resilience page can be found here.

  • ICO Guidance on “Special category data” and “Conditions for sensitive processing” published: The ICO has published highly detailed guidance on its approach to the usage of special category personal data and in relation to the conditions under which sensitive processing may take place. The ICO’s detailed guidance on this topic can be found here and here.

  • ICO “Principles to Law Enforcement Processing”: The ICO has updated its guidance about the six data protection principles of Law Enforcement Processing. The six law enforcement principles under Part 3, Chapter 2 DPA 2018 are broadly the same as the principles under the GDPR and are compatible, so you can manage processing across the two regimes. The updated list and information about the ICO’s law enforcement processing data protection principles can be found here.

  • EDPB guidance on “Territorial Scope” and “data protection by design and default”: The European Data Protection Board (EDPB) has adopted the final version of the guidance on the territorial scope of the GDPR (Guidelines 3/2018). The aim of these guidelines is to provide a harmonised interpretation of Article 3, GDPR. The press release announcing this is available here, and the final version of this guidance from the EDPB can be found here. The EDPB has also published draft Guidelines 4/2019. The draft guidelines set out useful practical steps that controllers can take to comply with the ‘data protection by design and by default’ provisions in Article 25, GDPR. The draft guidelines can be accessed here.

In the news

  • Election News: Both the Labour and Conservative Parties were hit by ‘distributed denial of service’ cyberattacks on 11 and 12 November in what appeared to be an attempt to knock their websites offline. There is no suggestion that data was compromised, but the attacks underline the increasing salience of data security in politics; all significant political parties hold huge amounts of personal data and they appear to be increasingly attractive targets. A summary is available here. Separately, the ICO has ordered the Brexit Party to respond to Subject Access Requests submitted for personal voter data during the May 2019 European elections. The Brexit Party had resisted compliance on the basis that the requests were part of a concerted campaign by hostile activists to disrupt it. It is now reported that data privacy campaigners are making similar complaints in regard to each of the Conservative, Labour and Liberal Democrat parties’ data processing in the course of the current election campaign. See here.
  • Financial Times investigation into top health websites reveals sensitive data shared with advertisers: An FT investigation analysing 100 health websites found that 79% of the sites used cookies without the legally required consent. These cookies allowed third-party companies such as Google, Amazon and Facebook to see people’s sensitive data, including medical diagnoses, symptoms and drug names. None of the websites tested by the FT asked for the type of explicit and detailed consent that is required under the GDPR. The FT’s report can be found here.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.