Data protection and e-Privacy fines: UK regulator maintains robust stance
The Information Commissioner’s Office (ICO), the regulatory authority responsible for enforcing data protection and electronic privacy (e-Privacy) laws in the UK, has continued to take a proactive approach to imposing fines (by issuing monetary penalty notices (MPNs)) of up to £500,000 in respect of serious breaches.
Recent enforcement action has included the following significant fines, imposed for breaches of data protection obligations concerning the security of personal data and of e-Privacy obligations concerning direct marketing activities:
Telegraph newspaper fined £30,000 for sending unsolicited emails on the day of the 2015 UK general election
In December 2015, the ICO issued the Telegraph Media Group Ltd (Telegraph) with an MPN of £30,000 for sending hundreds of thousands of emails on the day of the UK general election urging its readers to vote for the Conservative party.
The ICO found that the Telegraph had broken direct marketing rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended (e-Privacy Regulations) by sending the unsolicited emails. Direct marketing includes the promotion of particular views or campaigns, such as those of a political party.
Direct Security Marketing fined £70,000 for making automated phone calls in the middle of the night
In February 2016, Direct Security Marketing Ltd was issued with an MPN of £70,000 after making thousands of automated phone calls without the recipients’ prior consent, in contravention of the e-Privacy Regulations. Of the 40,000 calls made over a 24-hour period, around a quarter were made between 1am and 6am. The calls invited the recipients to purchase a home security system.
The ICO found that the calls were likely to cause substantial distress to the recipients, and were particularly disconcerting given that they related to security.
CPS fined £200,000 when laptops containing personal data were stolen
The ICO issued an MPN of £200,000 to the UK Crown Prosecution Service (CPS) in November 2015. The CPS had engaged a third-party recordings editor to edit videos of police interviews for use in criminal proceedings. Two unencrypted laptops, containing videos of interviews with 43 victims and witnesses, were stolen during a burglary of the recordings editor’s premises. The laptops were later recovered by the police.
The ICO found that the CPS had contravened the seventh principle of the Data Protection Act 1998 (DPA), which requires data controllers to take appropriate technical and organisational measures against unauthorised processing and loss of personal data, and to ensure that any third party engaged to process personal data on their behalf also has such measures in place. The contravention arose because the CPS had obtained no guarantees as to the security measures (if any) put in place by the recordings editor (for example, as to the secure storage of unencrypted laptops and DVDs), and had failed to monitor such measures. Further, the CPS did not have a DPA-compliant written contract in place with the recordings editor.
Increasingly robust enforcement action by the ICO should sound a warning bell for all businesses handling personal data and engaging in direct marketing. Failure to comply with statutory obligations under the current DPA and e-Privacy Regulations exposes businesses to significant financial and reputational risks.
Once the EU General Data Protection Regulation comes into effect, which is expected to be in early-to-mid 2018, maximum fines for data protection breaches will rise sharply, to the greater of EUR 20m or 4% of annual worldwide turnover. The European Commission has also announced its intent to reform the e-Privacy regime, with a legislative proposal to reform the e-Privacy Directive (2002/58/EC) due in mid-2017. Forward-thinking businesses would be wise to take the ICO’s tough stance as a prompt to put in place a continuous review programme to ensure that their personal data and direct marketing practices are in order now and will remain so once the new laws come into effect.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.