Focus on fines

Nigel Miller

Since the GDPR came into force on 25 May 2018 the ICO has carried out a number of audits of organisations as well as a number of “advisory” visits. These do not necessarily lead to regulatory sanctions, although sometimes they do.

Reportedly, since the GDPR came into force, there has been a 160 per cent rise in the number of complaints made to the ICO compared with the same period in 2017. This reflects the build-up to the GDPR, which heightened individuals’ awareness of their data rights.

In terms of fines, it is too soon after the GDPR took effect for GDPR-level fines to have appeared: a fine can take many months from the initial complaint to the final penalty notice. The ICO is currently issuing fines under the old law (the Data Protection Act 1998) where the infringement preceded 25 May 2018. Under the old law the maximum fine was £500,000.

Under the GDPR, companies can be fined up to €20 million (£16.5m) or 4 per cent of their total worldwide annual turnover, whichever is the greater. That is the upper tier (Article 83(5)); a lower tier of €10 million or 2 per cent (Article 83(4)) applies to infringements of obligations such as security, breach notification and record-keeping.

Examples of fines over recent months (all issued under the old law) include:

September:

Equifax Ltd – maximum fine of £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd remained responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure that its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

Everything DM – fined £60,000 for sending 1.42 million emails without consent. Between May 2016 and May 2017, the firm used its direct marketing system, called ‘Touchpoint’, to send emails on behalf of its clients.

Bupa Insurance Services Limited (Bupa) – fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.

Oaklands Assist – fined £150,000 for making thousands of nuisance direct marketing phone calls.

October:

Heathrow Airport – fined £120,000 for failing to ensure that the personal data held on its network was properly secured.

Boost Finance – fined £90,000 for sending millions of nuisance emails about pre-paid funeral plans.

It is reported that the ICO intends to fine Facebook the maximum £500,000 following the investigation launched in 2017 into the use of data for political campaigns. Had the breach occurred after 25 May 2018, the ICO would have been able to issue a fine of up to 4 per cent of Facebook’s annual worldwide turnover (reportedly a maximum fine of £479m).

How fines are assessed under GDPR

Fines are regarded as an important tool by the supervisory authorities, who have said they will not shy away from issuing fines, nor treat them only as a last resort.

Article 83(1) of the GDPR requires that fines be “effective, proportionate and dissuasive”. Fines may be imposed in response to a wide range of infringements, and each case is to be assessed individually.

The factors to be taken into account in assessing fines (Article 83(2)) are:

  • the nature, gravity and duration of the infringement;
  • the number of data subjects involved;
  • the categories of the personal data affected (e.g. special categories, directly identifiable data, data whose dissemination would cause damage/distress to the individual);
  • whether it is an isolated event or symptomatic of a more systemic breach or a lack of adequate routines;
  • if data subjects have suffered damage, and the level of the damage;
  • action taken to mitigate the damage suffered by data subjects;
  • the intentional or negligent character of the infringement, and the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented;
  • any relevant previous infringements by the controller or processor;
  • the degree of cooperation with the supervisory authority;
  • whether, and if so to what extent, the controller or processor notified the infringement;
  • any other aggravating or mitigating factor applicable to the circumstances, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The use of location data by mobile apps post-GDPR

This article was first published on Lexis®PSL TMT on 24 September 2018.

From the perspective of a party providing an app via an app store, what regulations govern the use of location data by that mobile app?

The key consideration is data privacy and, therefore, the main regulation to consider is the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. It applies to the app provider where the provider processes personal data collected from or on the device.

While there is as yet no specific guidance under the GDPR on the use of location data by Apps, in 2011 the Article 29 Data Protection Working Party (now the European Data Protection Board (EDPB)) adopted Opinion 13/2011 on “Geolocation services on smart mobile devices” and in 2013 Opinion 2/2013 on “Apps on smart devices”. Although these opinions relate to the Data Protection Directive (95/46/EC), much of the content of the Opinions is still relevant under the GDPR.

In the UK, you should also take into account the Data Protection Act 2018 which supplements the GDPR in certain areas (such as in relation to special categories of personal data and data subject rights) although not specifically in relation to location data.

To what extent / in what circumstances will the Privacy and Electronic Communications Regulations 2003 regulate the use of location data by mobile app providers? What exemptions apply and does PECR 2003 apply to ‘information society services’?

Under regulation 6 of PECR (as amended by the 2011 Regulations), it is unlawful to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the subscriber or user (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. This applies irrespective of whether or not the location data is “personal data”, and it applies to information society services such as apps. Regulation 6(4) exempts storage or access that is for the sole purpose of carrying out the transmission of a communication over a network, or that is strictly necessary to provide an information society service requested by the subscriber or user; reading the device’s location to serve advertising falls outside both exemptions.

Regulation 14 relates specifically to the processing of “location data” in the PECR sense (data processed in an electronic communications network indicating the position of the user’s terminal equipment) and provides that you can only process such data if you are a public communications provider, a provider of a “value-added service”, or a person acting on the authority of such a provider, and only if: (a) the data is anonymous; or (b) you have the user’s consent to use it for a value-added service, and the processing is necessary for that purpose. This does not apply to data collected independently of the network or service provider, such as GPS-based location data or data collected by a local Wi-Fi network. However, the use of such data will still need to comply with the GDPR.

To what extent / in what circumstances will the GDPR regulate the use of location data collected from mobile apps by mobile app providers?

The GDPR will apply if the app provider collects location data from the device and that data can be used to identify a person.

If the data is anonymised such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data relating to the user, the device or the user’s behaviour, or is used in a manner that singles out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name and address are not known. In practice, a sequence of location points (for example, repeated overnight and working-hours positions) is often enough on its own to identify the individual, so genuine anonymisation of location data is difficult to achieve and stripping the device identifier is rarely sufficient.

Opinion 13/2011 sets out the regulator’s view that a device is usually intimately linked to a specific individual and that location data will, therefore, be regarded as “personal data”. Indeed, the definition of “personal data” in Article 4(1) of the GDPR specifically includes location data as one of the elements by reference to which a person can be identified. The Opinion comments that the providers of geolocation-based services gain “an intimate overview of habits and patterns of the owner of such a device and build extensive profiles.”

Furthermore, in certain contexts, location data could reveal special category personal data (sensitive personal data) within Article 9. For example, location data may reveal visits to hospitals or places of worship, or presence at political demonstrations.

How is compliance with such laws commonly addressed by app providers?

To process the data derived from the device or the app, the app provider needs a legal basis under Article 6.

Necessity for the performance of a contract (Article 6(1)(b)) may cover some uses of the location data, such as showing the user’s position in a navigation app. For other uses, depending on the app, it may be problematic to rely on “legitimate interests” (Article 6(1)(f)) as a lawful basis for tracking individuals using location data, for example to serve location-specific ads. Therefore, in many cases the app provider will need to rely on the user’s “consent” (Article 6(1)(a)) for processing location data.

How should app providers respond to recent changes in the law (e.g., the introduction of GDPR) impacting their apps’ use of location data?

Where app providers rely on “consent” as the legal basis, they will need to ensure that this meets the stricter requirements for consent under GDPR. This can be challenging given the constraints of the mobile app environment.

Transparency is essential. The Article 29 Working Party Guidelines on transparency (WP260 rev.01) indicate that, for apps, the Article 13 privacy information should be made available from the app store before download. Once the app is installed, the privacy information needs to be easily accessible from within the app. The recommendation is that it should never be more than “two taps away” (e.g. by including a “Privacy” option in the app menu). Layered notices and contextual real-time notifications will be particularly helpful on a mobile device.

The device’s operating system (such as iOS) may require the user’s permission to use location data, for example via a dialogue box asking whether the user agrees to allow the app to access the user’s location, either while using the app or also in the background. Tapping “Allow” enables location access on the device and may also help to signify consent, provided that the consent has been sufficiently informed and is sufficiently granular. On its own, the OS prompt is usually not enough: its usage text is short and it does not name third-party recipients or separate purposes, so an in-app notice covering those points should precede it, and the app should request the narrowest permission (foreground only) that its purpose needs.

If the app integrates with a third-party provider to enable, for example, location-based advertising, the consent to use location data must be sufficiently explicit to include consent to data collection for advertising purposes by the third party, including the identity of the third party. Data sharing arrangements (controller-to-processor terms under Article 28, or a controller-to-controller agreement) may also be required between the app provider and the third party.

Where the app is an information society service offered directly to children and consent is the legal basis, Article 8 requires that consent for a child below the age of digital consent (13 in the UK under the Data Protection Act 2018; up to 16 elsewhere in the EU) be given or authorised by the holder of parental responsibility over the child, and the provider must make reasonable efforts to verify that it was.

Following the GDPR, app providers should review their data security and retention policies for compliance with the Article 5 principles, in particular storage limitation and integrity and confidentiality.

App providers should be mindful of the principles of privacy by design and by default (Article 25). For example, location services should, by default, be switched off, their use should be configurable by the user, and the app should collect no more precision or frequency of location updates than its stated purpose requires.

Finally, using location data may involve “profiling” within the meaning of Article 4(4), which specifically refers to analysing or predicting a person’s location or movements. As such, consideration should be given to whether a data protection impact assessment (DPIA) is required under Article 35 (the ICO’s published list of processing likely to require a DPIA includes tracking individuals’ location or behaviour) or, if not required, should be undertaken as good practice.
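The permission flow and privacy-by-default points above can be combined in code. The following is an added example, not code from the article or from any real app: an iOS feature that stays off until the user opts in inside the app, asks the operating system only for “while using” access, and treats the OS grant and the in-app opt-in as separate conditions that must both hold. It assumes iOS 14 or later and the CoreLocation framework; the class name `LocationConsentController`, the preference key `locationFeatureEnabled` and the Info.plist usage string are illustrative assumptions.

```swift
// Added example (not from the article): location feature that is off by default,
// asks the OS only for "when in use" permission after an explicit in-app opt-in,
// and collects only coarse positions. Requires iOS 14+ (authorizationStatus as an
// instance property). Names below are assumptions chosen for illustration.
//
// Info.plist (assumed text; iOS will not show the prompt without this key):
//   NSLocationWhenInUseUsageDescription =
//     "Used only to show offers near you while the app is open. Shared with the
//      named advertising partner. You can switch this off at any time in Settings."

import CoreLocation
import Foundation

final class LocationConsentController: NSObject, CLLocationManagerDelegate {
    private let manager = CLLocationManager()
    private let defaults = UserDefaults.standard
    private let consentKey = "locationFeatureEnabled"   // assumed app-level opt-in flag

    // Privacy by default: the flag reads as false until the user turns it on.
    var featureEnabled: Bool {
        get { defaults.bool(forKey: consentKey) }        // absent key -> false
        set { defaults.set(newValue, forKey: consentKey) }
    }

    override init() {
        super.init()
        manager.delegate = self
        // Data minimisation: kilometre accuracy is enough for "nearby offers".
        manager.desiredAccuracy = kCLLocationAccuracyKilometer
    }

    // Called from a "Turn on nearby offers" switch, after the user has seen the
    // contextual notice (purposes, third-party recipient, how to withdraw).
    func userOptedIn() {
        featureEnabled = true
        switch manager.authorizationStatus {
        case .notDetermined:
            // Foreground only; this use case never needs requestAlwaysAuthorization().
            manager.requestWhenInUseAuthorization()
        case .authorizedWhenInUse, .authorizedAlways:
            manager.startUpdatingLocation()
        case .denied, .restricted:
            // Refused at OS level: keep the feature off and do not re-prompt
            // (iOS shows the dialogue only once anyway).
            featureEnabled = false
        @unknown default:
            featureEnabled = false
        }
    }

    // Withdrawing consent must be as easy as giving it.
    func userOptedOut() {
        featureEnabled = false
        manager.stopUpdatingLocation()
        // Also stop forwarding, and delete, any location already collected (not shown).
    }

    // Both conditions must hold: the OS grant and the in-app opt-in.
    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        let osGranted = manager.authorizationStatus == .authorizedWhenInUse
            || manager.authorizationStatus == .authorizedAlways
        if osGranted && featureEnabled {
            manager.startUpdatingLocation()
        } else {
            manager.stopUpdatingLocation()
        }
    }

    func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
        guard featureEnabled, let loc = locations.last else { return }
        // Forward only what the purpose needs: coordinates rounded to ~1 km,
        // not the full movement trace.
        let lat = (loc.coordinate.latitude * 100).rounded() / 100
        let lon = (loc.coordinate.longitude * 100).rounded() / 100
        print("coarse location for offers: \(lat), \(lon)")
    }
}
```

The important design choice is that tapping “Allow” on the OS dialogue never by itself switches the feature on: the in-app flag is the record of the user’s informed choice, the OS grant is merely what makes the data available, and either being withdrawn stops collection.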

Are there any forthcoming or anticipated changes to the law which may impact on use of location data by mobile app providers?

The ePrivacy Directive on which PECR is based is currently under review to be updated and aligned with GDPR in the form of the ePrivacy Regulation.

This is not yet finalised and its implementation date is uncertain; it may apply in 2019 or 2020. However, GDPR-grade consent will still be required for use of location data, subject to certain exceptions, including where the processing is strictly necessary for providing an information society service specifically requested by the individual. Assuming the ePrivacy Regulation takes effect after Brexit, it remains to be seen if and how it will be implemented in the UK, but this can be expected in the interests of UK “adequacy” status.


Nigel Miller leads Fox Williams’ technology and data protection group. Nigel is a Certified Information Privacy Professional/Europe (CIPP/E).