Do you consent to cookies? The latest data protection reforms in the UK

Kolvin Stone
Kolvin Stone (partner)
Vlad Arutyunyan

The government has announced significant proposed reforms to data privacy laws in the form of a Data Reform Bill, which was introduced into Parliament on 18 July 2022.

The Bill, part of the UK’s National Data Strategy, aims to improve on the UK’s current data protection standards whilst minimising the administrative burden of requirements on businesses in the UK.

We look at key aspects of the Bill, which originated from a government consultation, the response to which came out earlier this year.

Cookies and calls

Part of the Bill focuses on reducing ‘consent fatigue’.

Websites will use an ‘opt-out’ rather than ‘opt-in’ model for cookie consents and the onus for protecting data will be on users to alter their own browser settings to better protect their data. This means accepting cookies each time you enter a new site may be a thing of the past!

There will also be greater financial penalties for nuisance calls, texts, and certain data breaches where no consent has been given for such marketing. For example, fines will now be made in-line with current UK GDPR guidelines, the higher of up to 4% of the company’s global turnover or £17.5 million.

Updating the ICO

The Bill aims to modernise the Information Commissioner’s Office (ICO) including extending its legal remit, clarifying its framework for decision-making, and building out its leadership to enhance its reputation internationally.

The proposed board of the ICO will be entirely independent and consist of a chair, chief executive, and other board members. The Bill also proposes greater accountability of the ICO to the public and the government. The ICO will also be expected to consider in future decision making:

  1. economic growth and innovation
  2. competition
  3. collaborating with other regulators and relevant bodies

In addition, the ICO will be expected to set up expert panels in relevant areas when developing statutory guidance.

“Data Protection”

The Bill seeks to limit the definition of “data protection” to only include situations where:

  • information is identifiable by the controller or processor by reasonable means at the time of the processing or
  • the controller or processor ought to know that another person will likely obtain the information as a result of the processing and the individual will likely be identifiable by that person by reasonable means at the time of the processing.

Fewer requirements

The Bill also poses removing the requirement:

  • for mandatory ICO consultation (where a company has identified a high-risk data processing activity) and making it voluntary
  • to appoint a Data Protection Officer and placing data privacy responsibilities on a senior member of the company
  • to perform Data Protection Impact Assessments and
  • to retain records of any processing activities.

Automated decision making

The Bill has removed previous restrictions on automated decision making. It proposes to allow for solely automated decision making in relation to significant decisions where appropriate safeguards are in place, including the right to human intervention. There is not yet clarity as to what would constitute a “significant” decision in this context.

Data transfers

Whilst data privacy laws will need to remain at the standard imposed by the EU GDPR to facilitate effective data transfer between the UK and EU, the Bill also seeks to strengthen data transfers with trade areas outside the EU. The Bill puts forward an autonomous UK international transfer regime in lieu of the current EU-aligned regime.

The UK has highlighted high target jurisdictions where adequacy decisions will be prioritised. This includes the US, Australia and Singapore. On 5 July 2022, the UK announced that it has reached a data agreement with the Republic of Korea which hopes to create a new age of digital trade between the two nations.

Supporting scientific research

The proposed reform aims to encourage at-home scientific innovation by offering further clarity as to how data can be used for research purposes.

The Bill removes some of the tick boxes before scientists can collect data, by removing the need for granular specification of the ultimate purpose of any research before it can begin.

The Bill also suggests clarifying the standard to which data should anonymised to be relevant to each situation and the extent to which any data can be reused for further research.

The future

There is a substantial risk it will jeopardise the UK’s adequacy decision with the EU, which facilitates free data flow between the UK and EU. For instance, the Law Society aired its reservations surrounding the approach for being too business and innovation focussed which may be to the detriment of individual rights and protection.

The data rights activist body, Open Rights Group have commented on the Bill’s restriction of data subject’s rights “substantially incompatible” with the EU GDPR.

As a result, we expect ongoing discourse between the EU and UK to resolve these issues.

UK to reform data protection laws

Nigel Miller (partner)

Prince Charles, in giving the Queen’s Speech on 11 May 2022, announced the government’s intention to reform UK data protection laws. The purpose of the reforms is to:

  • Take advantage of the benefits of Brexit to create a “world class data rights regime” that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
  • Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.

The main elements of the Bill are:

  • Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

The government sees the GDPR as a highly complex and prescriptive piece of legislation which encourages excessive paperwork, and creates burdens on businesses with little benefit to citizens. As the UK has now left the EU, the data protection framework can be reformed in order to reduce burdens on businesses.

Comment:

The contents of the Bill are not yet available and it remains to be seen quite how far these reforms will go. It is one thing (for example) to reduce paperwork, and remove the need for irritating cookie banners (a couple of the potential targets of the Bill), but another to go too far and put at risk the UK’s adequacy ruling that allows the free flow of data from the EU. In the end, the reforms may be helpful but relatively modest.

A new year, a new ICO

As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr. Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.

Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.

One little known fact: In 1986 – 1987 Mr. Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!

Lloyd v Google class action denied: what now for data breach class actions?

Kolvin Stone
Kolvin Stone (partner)
Ben Nolan
Ben Nolan (associate)

The Supreme Court has issued its long-awaited ruling in the Lloyd v Google case, overturning the Court of Appeal’s 2019 ruling which granted permission for ‘opt-out class action’ proceedings relating to Google’s alleged breach of the (old) Data Protection Act 1998 (“DPA”) to be served on Google in the USA.

The Supreme Court ruled that the claim had no likely prospect of success, reversing the grant of permission to serve. The decision will likely be well received by businesses but disappoint privacy activists and consumer rights groups.

The case is not only important from a data protection perspective, as it clarifies the circumstances in which damages for data protection breaches under the DPA can be obtained; but also helps clarify the situations in which “opt-out” class action legal proceedings can be brought in England and Wales under the Civil Procedure Rules (CPR).

Although the decision appears to stem a potential tide of “opt-out” data breach class actions, importantly, the Supreme Court does point to other formulations of claims which would have been successful. Data controllers should, therefore, continue to be mindful of their obligations under the DPA and the General Data Protection Regulation (GDPR) to avoid unnecessary litigation risk.

Background

The facts in brief, relate to Google’s use of advertising cookies to collect data on iPhone users’ internet browsing habits between 2011 and 2012 without those individuals having any knowledge of the cookies being used.

Google subsequently sold the data collected through use of the cookies (some of which is alleged to have been sensitive in nature) to third parties for advertising purposes.

The case against Google was brought by Richard Lloyd, a well-known consumer rights activist, as a representative action under CPR 19.6 claiming damages on behalf of all four million iPhone users whose data were obtained by Google during this time.

The claim was unique; it purported to be akin to an ‘opt-out’ consumer class action (something which is not expressly provided for under English law, except in relation to certain competition claims).

Mr Lloyd sought permission from the court to serve Google outside the jurisdiction. Google responded by seeking to strike out the claim on the basis that it had no real prospect of success. The case made its way all the way to the UK Supreme Court, with Google successful at first instance and Mr Lloyd successful before the Court of Appeal.

Supreme Court decision

The Supreme Court’s decision centred around two key issues:

  1. Whether the claim could be brought as a representative action.
  2. Whether damages could be awarded to the class under the DPA for Google’s breach of the DPA.

Appropriateness of the representative action

The Supreme Court ruled that it was not acceptable for Lloyd to bring a representative action claiming damages on behalf of the class.

The only requirement for a representative action to be brought is that the representative has the same interest in bringing the claim as the persons represented. Here, the Supreme Court considered it conceivable that the class members could have the same interests as Lloyd.

However, the issue stemmed from the fact that Lloyd was seeking damages on behalf of the class members on a uniform, lowest common denominator ‘tariff’ basis (£750 per person, for loss of control of personal data).

The purpose of damages under common law is to put the individual in the same position in which they would have been if the wrong had not been committed. Similarly, section 13 of the DPA gives an individual who suffers damage “by reason of any contravention by a data controller of any of the requirements of this Act” a right to compensation from the data controller for that damage.

The extent of the harm suffered by members of the class would ultimately depend on a range of factors, such as the extent of the tracking carried out by Google in relation to each user, and the sensitivity of the information obtained by Google. This would require each class member having their claim for damages assessed on an individual basis. Lloyd had therefore failed to meet the ‘same interest’ requirement under CPR 19.6.

Damages under the DPA

Lloyd argued that the class members were entitled to compensation under the DPA on the basis that Google’s breach had resulted in them incurring a “loss of control” of their personal data.

The Supreme Court rejected Lloyd’s argument on the basis that individuals must have suffered material damage (i.e. financial loss or distress) to be entitled to compensation under section 13 of the DPA. It was not possible to construe section 13 of the DPA as providing individuals with a right to obtain compensation on the basis of a controller’s breach of the DPA alone.

Whilst certain members of the class may indeed have suffered material damage as a result of Google’s breach, entitling them to obtain compensation, the way in which the claim was structured (i.e. on a lowest common denominator basis) made it impossible for damages to be awarded under it.

Ongoing litigation risk – what now for data breach class actions?

Although the Supreme Court decision might appear to protect data controllers from litigation risk, we do not consider this to be the case. While Lloyd’s claim failed to meet the ‘same interest’ test, the court highlighted other formulations which would have satisfied the CPR 19.6 requirements.

It pointed to bifurcated or “split” proceedings, where common issues (such as the data controller’s liability) are considered first, with individual issues (such as damages suffered) being considered at a later stage/second trial.

In addition, it is important to note that the Supreme Court’s decision focussed on the DPA 1998, which has been replaced by the GDPR and Data Protection Act 2018. Article 82 of the GDPR introduced an individual’s right to seek compensation for material/non-material damage (including financial loss and distress) from organisations breaching the data protection rules.

Given that Lloyd’s claim focused on the loss of control of class members’ data (which is ‘non-material’), it may have succeeded had it (i) related to breaches of the GDPR and (ii) proceeded on a bifurcated basis.

Data controllers should, therefore, continue to be mindful of their exposure to potential consumer litigation for breaches under the amended DPA and under the GDPR.

Ultimately, the Supreme Court did not say that Google or other data controllers could not be liable for damage caused to groups of consumers; just that the particular way in which Lloyd sought to bring this particular claim could not work, because of the combination of the terms of the DPA and the CPR.

In other words, it is business as usual for data controllers, and for claimant lawyers investigating and prosecuting group actions on behalf of the victims of data privacy breaches.

The orthodox way to bring a consumer ‘class’ action for data breach – as an ‘opt-in’ group action subject to a Group Litigation Order if necessary – remains perfectly valid. While the orthodox ‘opt-in’ group action is inferior from an access to justice perspective – because of the upfront ‘book-building’ effort required for an ‘opt-in’ group action – it can still be effective, as shown by the group action case brought against British Airways which settled in July 2021.

Take home points

  1. Data controllers now have more clarity around how damages can be obtained for data protection breaches under the DPA and this will be welcomed.
  2. This does not eliminate their risk from being subject to a class action as the Supreme Court’s decision was based solely on the facts of this specific case.
  3. Despite the Supreme Court’s decision a class action still remains a fully viable way of claiming damages in relation to data protection breaches – but the focus must be on how to bring a case.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

 

Privacy Policies – Do’s and Don’ts following WhatsApp €225m fine

Nigel Miller (partner)
Ben Nolan
Ben Nolan (associate)

At the beginning of September, WhatsApp was fined €225 million by the Irish Data Protection Commissioner (“DPC”) for a number of failings related to its compliance with the GDPR’s transparency obligations (primarily set out in Art. 13 and 14 GDPR).  The fine is the second highest handed out under the GDPR to date and the decision sheds light on some of the key issues to be taken into account when drafting and updating privacy notices.

Many of the practices for which WhatsApp was fined are relatively standard. The decision should, therefore, come as a warning shot for organisations, especially those in the online consumer technology space, to make sure that they are providing individuals with all the required information.

The DPC’s decision is extremely long winded (266 pages), so we have summarised the key “do’s” and “don’ts” for privacy notices in light of the decision below.

DO’S AND DON’TS

When providing information on the purposes for which you process personal data and the lawful bases upon which such processing is based (as required by Art. 13(1)(c) GDPR):

DO

  • Provide information to individuals around how their personal data is actually used to achieve the relevant purpose. For example, if personal data are processed “to promote safety and security”, you should explain how the data are used to achieve those purposes, rather than simply stating the overall objective.
  • Provide information regarding the categories of personal data which are processed for each purpose. Up until now, it has been relatively common for controllers to simply set out the purposes for which they process personal data and the corresponding lawful basis, without clarifying which types of personal data are required for each purpose.
  • If more than one lawful basis applies in respect of a specific purpose for which you process personal data, clearly specify the circumstances when each basis will apply (for example, if you rely on both consent and also legitimate interests to send marketing communications, you should explain when each of these will apply).
  • Where processing is carried out on the basis of Art. 6(1)(c) GDPR (i.e. to comply with a legal obligation), you should provide information as to the types of law which require such processing to take place.

DON’T

  • Use vague wording to explain your purpose for processing the data (e.g. will readers know what you mean if you say that you use their data for the purpose of “improving their experience”?)

When providing information regarding your reliance on legitimate interests (as required by Art. 13(1)(d) GDPR):

DO

  • Be as specific as possible in setting out the relevant interest which applies which makes the processing necessary.
  • If the processing is being carried out based on the legitimate interests of a third party, you should specify the relevant third party who will benefit from the processing.

DON’T

  • Bundle together numerous interests to justify processing being carried out for one purpose.
  • Simply say you rely on legitimate interests to carry out a certain type of processing without mentioning what your interests are (this is more common than you think!).

When providing information on the third parties with which you share personal data (as required by Art. 13(1)(e) GDPR):

DO

  • If you identify the “categories of recipients” (rather than the specific third parties with whom personal information is shared), be as specific as possible when setting out such categories. For example, if your privacy policy says that you share customers’ personal information with service providers, you should provide information on the different types of service providers you share data with (e.g. IT service providers, data hosting service providers, marketing agencies etc.).
  • Identify the categories of data which are transferred to the specific third parties referred to the notice. (NB. To date, it is uncommon for controllers to provide this level of information in connection with data sharing.)
  • If you share personal data with other group members, clearly identify the specific entities with which the data is shared.

When providing information on international transfers (as required by Art. 13(1)(f) GDPR):

DO

  • If relying on an adequacy decision(s) to transfer personal data internationally, identify the specific adequacy decision(s) relied upon.
  • Identify the categories of data that are being transferred internationally. (NB. Again, providing this level of information has been uncommon in practice.)

DON’T

  • Use conditional language such as “may” when referring to reliance on a transfer mechanism (e.g. “we may transfer personal data internationally on the basis of an adequacy decision”).

When providing information on the right to withdraw consent (as required by Art. 13(2)(c) GDPR):

DO

  • Inform individuals that this does not affect the lawfulness of processing based on consent before its withdrawal (the DPC considers this necessary to “manage the data subject’s expectations” and ensure they are fully informed on the right).
  • Include the relevant information in the section of the privacy notice which discusses data subject rights, as this is the area individuals are most likely to consult for information around this.

If you have collected personal data indirectly but are exempt from providing relevant individuals with a privacy notice on the basis that this would involve “disproportionate effort”:

DO

  • Make sure that you still provide all the information required under Art. 14(1) and (2) in a privacy notice which you make publicly available – you can’t rely on this exemption if not!
  • Clearly identify in the privacy notice the parts of the document which are intended to apply in respect of individuals who have not been provided the privacy notice directly.

DON’T

  • Assume that posting your privacy notice on your website will be sufficient to satisfy the requirement that the privacy notice be made “publicly available”. In the WhatsApp decision, the DPC noted that:

“WhatsApp should give careful consideration to the location and placement of such a public notice so as to ensure that it is discovered and accessed by as wide an audience of non-users as possible. [A]…non-user is unlikely to have a reason to visit WhatsApp’s website of his/her own volition such that he/she might discover the information which he/she is entitled to receive”.

OTHER COMMENTS

Much of the DPC’s decision focused on the way in which WhatsApp presented information in its privacy notice, with WhatsApp being found to have violated Art. 12(1) GDPR (which requires controllers to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language) in numerous instances. In this regard, the following practical tips can be drawn from the decision:

  • Avoid excessive linking to external documents in your privacy notice, particularly where these duplicate or (even worse) contradict information set out in your privacy notice or elsewhere. Readers should not have to “work hard” to get to grips with the notice.
  • Consider where in your privacy notice you are setting out information to ensure information is presented in a cohesive way and in the place that readers would expect. For example, the DPC considered that it would be logical to include information on the right to withdraw consent and the right to a complain to a data protection regulator in the “data subject rights” section of WhatsApp’s privacy notice as this is where most readers would come to find this information.
  • Avoid using vague and opaque language.

CONCLUSION

The DPC expects the information to be provided in privacy notices to be extremely granular, even more so than most organisations (and even data protection practitioners) would have expected to date, whilst still presenting the information in a concise and accessible manner. This will no doubt prove challenging for larger organisations carrying out complex processing operations, who will have to remain fully on top of their processing activities and data flows to stand a chance of providing the information expected by the DPC. The cost of compliance could be significant.

The decision is by an EU data protection regulator and relates to EU GDPR. It is not clear whether the UK ICO, which tends to be more pragmatic on data protection compliance, would take such a hard-line stance on the issues investigated by the DPC. However, it is clear that UK organisations that have a presence in the EU or are otherwise caught by the extra-territorial scope of the EU GDPR will need to update their privacy notices in line with the DPC’s decision.

 

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.