Techlaw News Round-Up

September 12, 2019

DCMS calls for views on cybersecurity certification
The Department for Digital, Culture, Media & Sport has issued a call for views on the UK government’s proposed approach to cyber security certification following the UK’s departure from the EU. The EU Cyber Security Act entered into force on 27 June 2019. It established a cyber security certification framework under which EU-wide cyber security certification schemes will be developed and implemented in future. The call for views states that the UK is committed to maintaining a close relationship with the EU on cyber security, and will seek to cooperate on approaches to cyber security certification with the EU. The UK will therefore seek to enter into negotiations with the EU on mutual recognition arrangements, where it seems reasonable to do so and subject to agreement with the EU. The consultation ends on 8 October 2019.

CMA publishes responses on online platforms and digital advertising market study
The Competition and Markets Authority has published the responses to the statement of scope for its market study into online platforms and the digital advertising market in the UK. The final report is due to be published by 2 July 2020. The CMA launched a market study into online platforms and the digital advertising market in July 2019. It is assessing three broad potential sources of harm to consumers in connection with the market for digital advertising.

Austrian data protection authority fines controller in the medical sector
The Austrian data protection authority has imposed an administrative fine of €55,000 on a data controller operating in the medical sector. Over the course of more than six months, the controller had neither appointed a data protection officer nor published its contact details nor reported those to the supervisory authority. In addition, the controller had obliged the data subjects to give their consent to a data processing, which did not meet the criteria set out in Article 7 of the GDPR and also violated its duty to provide information under Articles 13 and 14 of the GDPR. In addition, despite handling sensitive data, no data protection impact assessment under Article 35 of the GDPR, was carried out. An appeal against the fine is expected.

Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros on online retailer
The Director of the Data State Inspectorate of Latvia has imposed a financial penalty of 7000 euros on an online retailer for non-compliance with the GDPR. The retailer neither failed to execute a data subject’s request nor cooperated with the DSI. The DSI’s investigation of the data subject’s complaint found that in 2018 the claimant had repeatedly requested the retailer to delete all his personal data, including his mobile phone number. The retailer did not comply with the data subject’s request to erase the data and continued to process the personal data. When determining the amount of the fine the DSI took into account the nature, gravity and duration of the infringement, the degree of cooperation with the supervisory authority, the number of data subjects affected and the total annual turnover of the preceding financial year of the retailer. The retailer has the right to appeal.

ICO issues statement on facial recognition case
The ICO has issued a statement on the High Court decision in the facial recognition case brought against South Wales police. In the statement, it states that it will be reviewing the judgment carefully. It says it welcomes the court’s finding that the police use of live facial recognition systems involves the processing of sensitive personal data of members of the public, requiring compliance with the Data Protection Act 2018. It points out that the technology has the potential, if used without the right privacy safeguards, to undermine, rather than enhance, confidence in the police. The ICO’s investigation into the first police pilots has recently finished. It will now consider the court’s findings in finalising its recommendations and guidance to police forces about how to plan, authorise and deploy any future facial recognition systems. In the meantime, any police forces or private organisations using these systems should be aware that existing data protection law and guidance still apply.

Information Commissioner’s Office issues warning about historical personal details accessed through work
The ICO has concluded its investigation into the actions of two former Metropolitan Police Service (MPS) officers. The investigation followed a referral from the MPS and considered if the two former officers had acted unlawfully by retaining or disclosing personal data. It came after they had spoken to the media about a case they had worked on as serving officers involving an MP.  

Following a full investigation, the ICO has considered the evidence in this case carefully. After considering advice from external legal counsel, the ICO has decided not to take formal regulatory action. The case was investigated under the Data Protection Act 1998. The law has since been strengthened through the Data Protection Act 2018, which adds a new element of knowingly or recklessly retaining personal data without the consent of the data controller. The ICO is advising anyone dealing with the personal details of others in the course of their work – be it in a police force, health trust or private business – to take note of this update to the law, especially when employees are retiring or taking on a new job. The ICO’s investigation highlighted some opportunities for police forces to review their handling of personal data such as notebooks, to ensure people do not retain them when leaving the service. The National Police Chiefs Council will be taking this forward and providing further advice to forces.

ICO publishes guidance for SMEs about a no deal Brexit
The Information Commissioner’s Office (ICO) has published guidance to help small and medium-sized businesses prepare for a no-deal Brexit scenario. It emphasises that businesses must ‘prepare for all scenarios’. The guidance provides the same advice previously published on how to maintain data flows, but has been produced to be more relevant and accessible to smaller organisations. The ICO’s guidance sets out steps to take to keep the information flowing such as using pre-approved contract terms, which are currently used to transfer personal information worldwide.

PSA issues fine of £600,000 in landmark case
The Phone-paid Services Authority has issued a fine of £600,000 and a two-year prohibition from the market to Veoo Ltd. Veoo must also undergo a formal compliance audit if it wishes to return to the market once the ban ends. The PSA Tribunal found that Veoo had committed eight serious breaches of the required standards in due diligence, risk assessment and control to ensure those providers of phone-paid services it contracted with complied with the PSA Code of Practice. The Tribunal found that five of the eight breaches had been committed knowingly.  The PSA has recently taken further action to protect consumers from harm, including the introduction of new regulatory requirements for phone-paid services charged on a subscription basis, and work with the mobile networks and independent security experts to ensure that platform security across the market remains high. These measures, alongside enforcement activity, are designed to raise standards and advance the consumer interests within the market.