Brexit has finally been ‘done’ but what can we data protection lawyers look forward to? Can we bin the EU General Data Protection Regulation (GDPR) along with our red EU passports?
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made in February last year to deal with post-Brexit data protection in the UK. Some of the 61 pages of regulations, which deal mainly with consequential amendments, came into force on 29 March 2019. The main provisions came into force on ‘exit day’ (31 January 2020). The implications of the regulations will not be felt until the end of the Brexit transition period (currently 31 December 2020). Until then, EU GDPR will apply as though the UK was still part of the EU. Unless the transition period is extended (which at present seems unlikely) a revision of GDPR, known as the ‘UK GDPR’, will come into force on 1 January 2021.
The EU version of GDPR contains many references to EU laws, institutions, currency and powers (among other things) which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the secretary of state or the information commissioner.
The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the Data Protection Act 2018 (DPA 2018). Broadly, these mirror the current GDPR arrangements so that the UK will:
- Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision;
- Give powers to the secretary of state to determine or revoke adequacy;
- Recognise current EU Standard Contractual Clauses as valid for international transfers, but the Information Commissioner’s Office(ICO) will have the power to issue more clauses;
- Recognise all Binding Corporate Rules authorised before exit day; and
- Introduce an extraterritoriality into the UK data protection regime.
Of course, from exit day the UK became a third country for the purposes of international data transfers. This means that after the end of the transition period, the lawful transfer of personal data from the EU into the UK without ‘appropriate safeguards’ (see article 46 of GDPR) will only be possible if the UK achieves adequacy status (as per article 45) and joins a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly. However this is very unlikely to happen by 1 January 2021, which means that data controllers and processors have to start putting in appropriate safeguards now to maintain the free flow of data.
Chapter 3 of part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (the applied GDPR): for example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000. This will become part of the UK GDPR.
First ICO GDPR Fine
In other news, the ICO has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.
The company, which supplies medicines to customers and care homes, left about 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO has held that this gave rise to infringements of the GDPR’s security and data retention obligations. Following a thorough investigation, the ICO concluded that the company’s privacy notices and internal policies were not up to scratch.
Doorstep Dispensaree has also been issued with an enforcement notice, under section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:
- Update all its policies and procedures;
- Appoint an information governance lead or data protection officer;
- Introduce mandatory (and refresher) data protection training;
- Provide evidence of compliance.
Data controllers and processors need to read the penalty notice carefully and ensure that are not repeating the same mistakes as Doorstep Dispensaree Ltd.
New year honours data breach
The new year honours list is supposed to ‘recognise the achievements and service of extraordinary people across the United Kingdom’. However more media attention this year has focused on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses – a clear breach of the GDPR, particularly the sixth data protection principle and article 32 (security).
The honours list file contained the details of 1,097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen Ministry of Defence employees and senior counter-terrorism officers, as well as Holocaust survivors, were also on the list, which was published online at 10.30pm on Friday 26 December. The Cabinet Office said the list was downloadable from its website for around an hour and was taken down in the early hours of Saturday. The vast majority of people on the list had their house numbers, street names and postcodes published with their name.
The Cabinet Office, which (ironically) manages the UK’s cybersecurity, has apologised for the breach and said it is investigating the cause. The ICO is also ‘making inquiries’. Can the Cabinet Office expect a large fine? Article 83(2) of GDPR requires the ICO, when deciding whether to impose a fine and deciding on the amount, to have due regard to various factors including (among others):
- The nature, gravity and duration of the infringement;
- The number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- The degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- The categories of personal data affected by the infringement;
- The manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, it was notified of the infringement; and
- Any other aggravating or mitigating factor applicable to the circumstances of the case.
While this breach involved over 1,000 people, the effect on each will be different. It could endanger some of the recipients’ lives. A number of them are employed in extremely sensitive positions in the police and intelligence agencies.
The fact that the Cabinet Office took almost immediate action to remedy the situation and that it reported the data breach to the ICO will count in its favour. It has also said that it is contacting the individuals affected and providing them with guidance if they have security concerns. As long as the Cabinet Office can satisfy the ICO that it had appropriate security measures in place and staff were aware of their data protection obligations, my personal view is that the ICO will exercise one of its less serious corrective powers, under article 58(2) of GDPR (most probably a warning). Depending on what it discovers during its investigation, it may also issue an Enforcement Notice under section 149 of the Data Protection Act 2018.
Even if the ICO decides not to impose a fine, the Cabinet Office (at least in theory) faces the threat of legal action by those affected by the data breach. Articles 79 and 82 give them a free-standing right to sue the Cabinet Office in the civil courts for compensation for the material and non-material damage suffered. A recent Court of Appeal decision as well as section 168 of the DPA make it clear that this includes distress. Much depends on the attitude of the affected individuals. Many may just be grateful for the accolade and will not want to sour relations with the government. Others will put it down to human error and move on.
Finally, what of those who managed to download the full list, with the addresses, in the hour or so that it was available? The Guardian reported that it was alerted to the list by a member of the public. Section 170 of the DPA 2018 makes it a criminal offence ‘… after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained’.
There will be much to learn from the outcome of the ICO’s investigation into this high-profile data breach. Whatever the outcome, I was been delighted that data protection was mentioned in the same sentence as Sir Elton John, Ainsley Harriott and Olivia Newton-John. Proof, if it were needed, that data protection is now mainstream (and cool).
Ibrahim Hasan is a solicitor and director of Act Now Training