NEWSLETTER
Data Protection & Cyber Security, June 2019
Glasgow | Edinburgh | Dundee
www.macroberts.com



Welcome to the latest edition of MacRoberts’ Data Protection and Cyber Security Newsletter, in which we consider topical issues in the area of data protection and cyber security including any notable developments, both in the UK and further afield.

In this edition, we look at what Brexit (whenever it may happen, deal or no deal) will mean for your business’s data protection obligations – do you need a data protection representative? We also take a look at the Open Data and Public Sector Information Directive which has been approved by the European Parliament, and what it means for the re-use of public sector information.

Since the GDPR was introduced last year, many countries around the world have taken notice and implemented their own data protection legislation similar to the provisions of the GDPR – we take a look at just three examples of recent practices. Furthermore, Washington has become the latest in a growing number of US States to amend its data breach notification law – what does this mean for businesses and consumers?

We hope you find this edition interesting and we would welcome any feedback – simply contact us or visit our website.

With very best wishes,
MacRoberts’ Data Protection and Cyber Security Team

Valerie Surgenor, Partner
[email protected], 303 1241

David Gourlay, Partner
[email protected], 248 2211

Jozanne Bainbridge, Senior Solicitor
[email protected], 303 1194

Sonja Hart, Senior Solicitor
[email protected], 248 2112

Melissa Hall, Solicitor
[email protected], 248 1162

Rebecca Henderson, Solicitor
[email protected], 303 1158

Save the Date!

We are now just over one year into the GDPR and UK Data Protection Act 2018, which continue to present compliance challenges for businesses. Please keep an eye on our website and upcoming newsletters for details of our GDPR Update Seminars, which will take place across Glasgow, Edinburgh, Dundee and Stirling this autumn!


The UK as a Third Country

The time has come for EU and EEA businesses which are not established in the UK, but collect personal data of data subjects in the UK, to turn their minds to appointing a representative within the UK in time for Brexit day. UK businesses will also need to appoint a representative within the EU/EEA when the UK leaves the EU.

Under Article 27 of the GDPR, any controller or processor established outside of the EU must appoint a representative within the EU to fulfil their obligations in relation to the GDPR and act as a point of contact for data subjects and supervisory authorities. It is possible for entities to be exempt from this requirement where any processing is occasional, low risk and does not involve special category or criminal offence data on a large scale.

Representatives in reverse

The only certainty of Brexit is uncertainty. However, as things stand, the UK is currently due to leave the EU in October 2019. Entities are bearing this in mind when appointing EU representatives, often opting to appoint in Ireland. Whenever the UK leaves the EU, it will no longer be an EU member state and will become a third country in the context of Article 27 of the GDPR.

As such, UK organisations processing the personal data of EU-based data subjects will be required to appoint an Article 27 Representative in the EU.

The UK Government has confirmed that it intends to adopt the same approach in reverse. Post-Brexit, organisations outside of the UK processing the personal data of UK data subjects must appoint an Article 27 representative in the UK, except where any processing is occasional, low-risk and does not involve special category or criminal offence data on a large scale.

What does this all mean?

The possibility of the UK leaving the EU without a deal, even at the end of any extended period, is something that organisations should plan for. If the UK leaves the EU with no deal on 31 October 2019, it will affect the Representative obligation for three types of organisations:

• UK-based organisations selling to the EU, with no EU office;
• international organisations selling to the EU, whose only EU office is in the UK; and
• all organisations (including those in the EU) selling to the UK with no UK office.

The pragmatic result of this requirement is that many entities will be required to appoint and maintain separate representatives in the UK and the EU. There are already companies offering “No Brexit, no fee” contracts in relation to appointing a representative, thus helping controllers and processors ensure a default back-up position in the event that the UK leaves the EU without a deal. In the event that the UK leaves with a deal, the UK representative approach will be adequate during any transition period.

MacRoberts’ Data Breach Response Team

Data breach reporting is now mandatory in many cases. If you suffer a personal data breach and/or something goes wrong, MacRoberts’ experienced Data Breach Response Team is on hand to guide you through the response process.

We have extensive experience of assisting clients with various types and severities of data breaches – some of which have occurred on a cross-jurisdictional basis and some of which have been caused by the organisation’s service providers. We can assist you with:

• Identifying which policy/ies your organisation needs, and preparing and implementing these policies and procedures within your organisation
• Understanding whether or not you have actually had a data breach, or if it is instead a non-compliance issue
• Evaluating whether the breach is notifiable to the ICO and/or the affected data subjects, and preparing the appropriate notification

For fast and effective assistance, please call our Data Breach Response Team helpline on 0300 303 1019.

The Open Data and Public Sector Information Directive

Many private and public sector organisations across the globe view data as their most valuable asset. In the digitised world, data contributes to the strength of our economy, our understanding of human behaviour and our ability to innovate competitively. As such, it is not surprising that the sharing of high-quality and high-value data gathered by the public sector was welcomed by the European Parliament earlier this year.

On 22 January 2019, representatives from the European Parliament, the Council of the European Union and the European Commission reached an agreement on a revised directive to allow for the availability and re-use of public sector information (PSI) and on 5 April 2019, the European Parliament approved the new directive. The Open Data and Public Sector Information (PSI) Directive (“the Directive”) will be fully compliant with the EU GDPR and incorporates feedback received by the European Commission following a review of the PSI Directive in 2018. It is hoped the new directive will allow Member States to benefit from the many advantages of re-using data with minimal financial, legal or technical restraint.

The Directive is essentially an upgrade from the PSI Directive (Directive 2003/98/EC) on the re-use of public sector data, which was last reviewed in 2013. The exponential growth in both the value and use of data since then means an update to the 2003 Directive is considered somewhat overdue.

What does it allow?

The Directive updates the rules controlling the re-use of public sector information held by public sector bodies of the Member States and governs the re-use of documents held by public undertakings, such as those providing water, energy, transport, and postal services.

It augments the current rules to cover publicly funded research data, providing that any charges related to the provision of public sector data should, in theory, be limited to minimal costs related to the initial provision of the documents. It also prioritises the identification and sharing of “high-value” data sets that should be available for free re-use facilitated by APIs.

Article 8 of the Directive provides for the availability of standard licences in digital format. The licences are defined in Article 2 as “a set of predefined re-use conditions in a digital format, preferably compatible with standardised public licences available online”. The Directive also stipulates that the licences should place “as few restrictions on re-use as possible”. It is clear the Directive is taking a pragmatic approach to ensure organisations looking to share public sector data face as few difficulties as possible in doing so.

Article 10 stipulates that Member States must “support the availability of research data by adopting national policies and relevant actions aiming at making publicly funded research data openly available (“open access policies”) following the principle of open by default”. It is anticipated that this expansion of the Directive will ensure improved re-use of, and value for money from, publicly funded scientific data. In order to protect personal data rights and to maintain security, Article 10 does have exemptions such as “intellectual property rights” and “legitimate commercial interests”. Some commentators have expressed a more negative sentiment, raising concerns of organisations using these exemptions as loopholes. For the most part, however, this is a welcome change that is at least a step in the right direction on the road to safe and effective data sharing.

A key change in relation to database rights is included at point 5 of Article 1 in the Directive whereby database makers are no longer able to prevent or restrict the re-use of documents. This is an important clarification that commentators maintain is long overdue.

What are the aims/goals?

The Vice-President of the Digital Single Market, Andrus Ansip, explained:

“Data is increasingly the lifeblood of today’s economy and unlocking the potential of public open data can bring significant economic benefits. The total direct economic value of public sector information and data from public sector undertakings is expected to increase from €52 billion in 2018 to €194 billion by 2030. With these new rules in place, we will ensure that we can make the most of this growth.”

The Directive encourages Member States to employ the principle of “open by design and by default” to promote innovation amongst products and services in the Digital Single Market. The rationale behind the revised Directive is to reduce market entry barriers for SMEs by shielding them from high charges for re-using public sector data; increase the scope of the Directive to cover new types of public data; and to generate business opportunities by promoting the dissemination of dynamic data facilitated by application programming interfaces (APIs).

Once the Directive is approved by the Council of the EU, Member States will have two years to iron out the finer details and transpose the Directive into domestic law. We hope that Member States will keep in mind the “open by default” principle when adopting the Directive to ensure innovation and growth within the Digital Single Market are tangible results which private and public sector organisations alike can benefit from.

EU continues to lead the way in global data protection law

The introduction of the GDPR has led to a worldwide upgrade and improvement of data protection laws and regimes as countries are following in the EU’s footsteps by introducing more meaningful data protection legislation similar to the provisions of the GDPR. Here, we take a look at three recent examples.

It is clear there is a global trend in implementing new data protection laws similar to the GDPR, and therefore if your business operates internationally you need to be mindful of these different data protection regimes. The influence of the GDPR throughout the world cannot be underestimated as organisations and countries alike continue to strive to reach the GDPR’s standards.

Nigeria

On 25 January 2019, the Nigeria Data Protection Regulation 2019 (NDPR) was enacted after being issued by the National Information and Technology Development Agency (NITDA). Prior to the NDPR, there was a significant lack of data protection regulation in Nigeria and, following the introduction of the GDPR, Nigerian organisations which handled EU citizens’ data had to be compliant with the GDPR even though there was no similar legislation in Nigeria.

In keeping with the GDPR, the NDPR seeks to safeguard the rights of individuals and the privacy of their personal data by regulating matters involving the collection or use of personal data. The NDPR applies to the data of all Nigerian citizens and those who live in Nigeria. The key objectives of the NDPR include the safeguarding of individuals’ rights to data privacy, assisting transactions that involve personal data, preventing the misuse of individuals’ personal data and ensuring Nigerian organisations remain compliant with international data protection laws (such as the GDPR).

Similar to the GDPR, data must be collected and processed transparently, legitimately and for a lawful purpose. If there is a data breach, the fines under the NDPR are substantial. If more than 10,000 data subjects are involved, the fine is the greater of 2% of the preceding year’s annual gross revenue or 10 million naira. If there are fewer than 10,000 data subjects, the fine is the greater of 1% of the preceding year’s annual gross revenue or 2 million naira. Although the fines are slightly lower than those under the GDPR, they highlight the influence of the GDPR on data protection laws and enforcement throughout the world.

Although the NDPR is not as comprehensive as the GDPR, it emulates many of its key provisions and reflects the growing digital economy which relies heavily on the data of individuals. There is still progress to be made with Nigeria’s data protection laws, however this is a step in the right direction.

Brazil

Brazil has approved the General Data Protection Law (GDPL) which will come into force in early 2020. The GDPL will apply to the use, collection, storage and processing of personal data, both online and offline, and lists the legal bases upon which companies can process personal data including legitimate interest and consent.

The new legislation adopts a number of principles and ideas from the GDPR. The general principles of data protection that underpin the legislation include accountability, transparency, necessity and security.

The legislation created the Data Protection National Authority (DPNA). If a breach of personal data occurs, the notification to the DPNA and the affected data subjects is mandatory and must be immediate if there is a risk of damage to the data subjects. In terms of penalties for a data breach, a fine can reach up to 2% of the company’s global turnover, which is limited to 50 million reais (over £9 million).

Whilst it is evident that the GDPR had significant influence on Brazil’s data protection legislation, as it will not be enforced until 2020 it remains to be seen if the legislation will have as significant an impact in Brazil as the GDPR did in the EU.

India

The EU is a substantial market for many Indian organisations and therefore compliance with the GDPR is necessary to continue their business within the EU. It is unsurprising that India now has a Data Protection Bill, albeit currently in draft form, that resembles aspects of the GDPR. The Draft Personal Data Protection Bill 2018 (PDPB) is a step towards the requirement of data protection law in India to ensure data is handled appropriately.

Like the GDPR, the PDPB is designed to regulate the processing of personal data for a purpose that is clear, lawful and specific. The main ground for processing personal data in the PDPB is consent, which can be withdrawn at any time. Key aspects of the rights included in the new PDPB are the right to have access to your personal data, including the right to rectification, the right to know where your personal data is stored and the right to the minimisation of your personal data. The Bill also contains the right to be forgotten for data subjects, which is unprecedented in India and may be a challenge in reality for large organisations. Furthermore, in reality, the right to be forgotten will not be a right to complete erasure of the data and is not as comprehensive as the right under GDPR. There have been concerns raised on several points of the PDPB, including the wide definition of data and the possibility of the definition being utilised as a tool to control information available on the internet.

When enforced, the PDPB will force organisations to revisit their data protection procedures and ensure they are in line with the new, GDPR-like provisions. If a personal data breach occurs, it must be notified to the Data Protection Authority as soon as possible if it could cause harm to the data subject. The PDPB provides for a fine of 2% of global turnover or around $730,000 for several instances, including failing to notify the DPA of a data breach and failing to meet obligations as a significant data controller. Furthermore, there is potential for a fine of 4% of global turnover or around $2.7 million for unlawful cross-border data transfer, processing the data of children in violation of the PDPB, failing to provide notices to the data subjects and failing to provide a legitimate basis for processing.

Washington strengthens data breach notification law

Washington State has become the latest in a growing number of US states to amend its data breach notification law, as Washington State Governor Jay Inslee signed bill HB 1071 on 7 May 2019.

The new legislation updates and expands the breach notification obligations of companies and organisations that maintain the personal information of Washington State citizens in four main ways. The amendments:

1. expand the scope of ‘personal information’ which triggers a notification obligation;
2. shorten the period in which notice must be provided;
3. modify the content requirements of a notice; and
4. expand the methods by which a notice of breach may be delivered.

The amendments will come into effect on 1 March 2020.

Widened definition of ‘personal information’

Prior to the amendment, ‘personal information’, for the purpose of the notification required following a breach, was defined as a consumer’s name together with their social security number, driver’s licence number, state ID number and/or financial account information such as a credit card or debit card number.

The updated law expands the definition of personal information to include, as well as first name or first initial and last name:

• full date of birth;
• student, military or passport ID numbers;
• online login credentials, e.g. usernames, passwords and security questions;
• private encryption keys used for electronic signature;
• health insurance ID numbers;
• medical history; and
• biometric data, e.g. DNA profiles or fingerprints.

‘Personal information’ also includes any of the data in the above list, alone or in combination, without first name or first initial and last name if the data is not properly protected/encrypted and access to such data would enable identity theft. ‘Personal information’ also includes usernames or email addresses in combination with a password or security questions and answers that would allow access to an online account.

Change to Notification Timescales

The time between an organisation discovering a data breach and when it must notify the breach to the affected consumers has been shortened from 45 to 30 days. This also applies to breach notifications to the Attorney General (in instances where a data breach affects 500 or more Washington residents), who must now be notified within 30 days rather than 45.

Expanded notification content requirements

Notifications to the Attorney General must now include:

• the time frame of exposure, if known, including the date of the breach and the date of its discovery;
• the types of personal information that were, or are reasonably believed to be, affected;
• a summary of steps taken to contain the breach; and
• a sample copy of the breach notification letters to individuals (without any identifiable information).

Notifications to the Attorney General must be updated if any of the information above changes.

Method of delivering notice of breach

The new law allows organisations to provide notice of a breach to affected Washington residents electronically or via email where the personal data affected includes a person’s username or password. Notifications must comply with particular requirements, such as recommending that passwords, security questions and answers are changed and that other accounts which use the same login information are protected.

For security, however, where a data breach affects the login credentials of an email account, notifications must use a different delivery method and must not be sent to the compromised account.

The trend in the US?

The changes in Washington State reflect a growing movement more generally in the US towards expanding what is covered by data breach notification laws. Most recently, the States of Connecticut, California and Delaware have expanded the scope of what personal information will be covered by breach notification laws. Of course, we will also see the introduction of the CCPA (the California Consumer Privacy Act) on 1 January 2020, which will bring significant changes to all companies which do business in this State of 40 million people. As we highlighted in our previous newsletter, the CCPA introduces new rights for California citizens, similar to those under the GDPR.

Key Takeaways

The new legislation makes clear that Washington State is putting increasing onus on companies and organisations collecting and using personal data to put adequate safeguards in place. Organisations falling short are likely to suffer considerable reputational and financial damage; however, they are still in good time to review their practices and bolster their data protection mechanisms before the new law comes into force early next year.

For those operating in the US, this latest addition to the patchwork of data breach notification laws further emphasises the difficulties faced in the US in working out how and when you have a legal duty to notify.


Dutch GDPR fining matrix

On 14 March 2019, the Dutch Data Protection Authority published its new guidelines on administrative fines (“Dutch Guidelines”), making it the first EU Member State data regulator to introduce a framework for determining administrative fines for breaching obligations under the GDPR.

Current rules under GDPR

Under the GDPR at the moment, EU Member States may issue fines to organisations of up to a maximum of 4% of global revenue or €20 million, whichever is higher. However, to date there has been little additional guidance on how to determine the exact amount of a fine.

Dutch rules

The new Dutch fining matrix goes some way to putting flesh on the bones of this issue. The policy introduces four categories and sets a minimum fine level in each. This can be increased where appropriate, having regard to a list of ‘relevant factors’ for determining the severity of a breach for the purposes of categorisation, such as the nature, seriousness and duration of the violation and the number of individuals affected.

The guidance applies broadly as follows:

Category | Level of Fine | Type of Breach
Category I | €0 to €200,000 | Minor breaches, e.g. failing to comply with an individual’s right to have their data record amended or deleted, or failing to agree a written data processing agreement with a data processor.
Category II | €120,000 to €500,000 | Most GDPR breaches, including those relating to processing obligations, failing to ensure proper transparency or failing to comply with data subjects’ rights and/or obligations regarding data breach notifications and data transfers.
Category III | €300,000 to €750,000 |
Category IV | €450,000 to €1 million | More serious breaches, e.g. those relating to special categories of personal data, profiling or any unlawful processing of criminal data.

In circumstances where the €1 million is considered “not appropriate”, the Dutch regulator can fine more than the €1 million maximum, anywhere up to the maximum legal limit under Article 83 of the GDPR. However, there is no further guidance provided on how this might apply.

Will other regulators follow suit?

While the matrix seeks to provide clarity and transparency, some have levelled criticism at the guidelines on the basis that they still do not provide sufficient detail. Aside from providing minimum and maximum fines within each category, the Dutch regulator still retains a good deal of discretion in deciding the final sum of a fine.

Despite this criticism, the matrix is a step in the right direction and it appears likely that similar attempts at providing guidance will be developed by other European supervisory authorities in the coming months and years.

The ICO has previously been influential in establishing the general conditions for administrative fines under Article 83 of the GDPR and, in conjunction with other European regulators, is thought to be considering the provision of such additional guidance at this current time. We will provide an update on this when we know more details.

GDPR: What do employers need to know?

As you know, the GDPR and UK Data Protection Act 2018 are now in force, representing the biggest change to EU data protection laws in over three decades. It is therefore imperative that employers and HR teams are aware of the necessity of applying the rules in their day-to-day practices.

In our latest series of blogs, we look at some of the most significant changes that HR teams and employers need to get on board with when onboarding new staff and maintaining employee relationships with existing staff.

Click here to read more

Failure to obtain consent – a potential $925 million price tag!

ViSalus, a health supplement marketing company based in Michigan which promoted, amongst other products, energy drinks, diet supplements and weight loss products, is facing the largest ever privacy class action in the United States under the Telephone Consumer Protection Act (TCPA).

The original claimant, Lori Wakefield, briefly signed up to be a ViSalus member, however cancelled her membership within a month. After cancellation, ViSalus repeatedly contacted Wakefield despite her requesting ViSalus stop contacting her. Two years later, Wakefield started to receive new, undesired, telemarketing calls on her landline number that was do-not-call registered. Wakefield also received a robocall (or automated call) from ViSalus, or an agent, and was unable to re-register the do-not-call request.

The class action that has been brought is therefore on behalf of any individual who received a similar pre-recorded telephone call by or on behalf of ViSalus to promote its services and/or products without their express prior written consent. The class action currently has around 800,000 members. ViSalus is accused of making over 1.8 million robocalls/automated calls. By making these calls, ViSalus has violated the TCPA. Under the TCPA, prior consent must be obtained, however ViSalus has denied that it contravened the law in any way.

Per the TCPA, Wakefield, as the original claimant, requested that the Court award each class member damages of $500 for each pre-recorded call they received from ViSalus. If it can be shown that ViSalus wilfully or knowingly made such calls, Wakefield has requested up to $1,500 per class member per call, in line with the TCPA’s statutory damages regime. An order prohibiting ViSalus from making any further pre-recorded calls in the future was also sought.

On 12 April 2019, an Oregon federal jury determined ViSalus carried out unlawful telemarketing by using the recorded robocalls to contact potential customers on both residential and mobile phone numbers. Although the calls made to landlines and mobile phones could not be separated, written consent is required for both and was not obtained. The jury stated they believed that ViSalus made 1,850,436 calls without the required consent.

Although the jury was not requested to determine damages, the number of calls the jury believes ViSalus made, together with the $500 of damages per violation, puts the possible damages at over $925 million, at a minimum. The level of damages has been reserved for the presiding US District Judge, Michael H. Simon, to rule on at a later hearing.

Whilst $925 million is a substantial amount of damages, should Judge Simon find that ViSalus carried out the calls wilfully and knowingly, ViSalus could face paying damages of over $2.75 billion. Given the potential damages at stake, it is likely ViSalus will appeal the decision.

This case highlights the necessity of obtaining valid consent and maintaining compliant policies and systems that address all data protection requirements in the country in which you are operating.

About MacRoberts

MacRoberts is one of Scotland’s leading law firms with a history and heritage tracing back over 150 years. Through the delivery of high-quality, innovative and practical solutions for clients, along with an impressive ability to adapt to the contemporary commercial landscape, we have maintained a position of leadership and prestige in the Scottish legal sector and beyond.

Our strength comes from our collaborative relationships and connections – we have an extensive network of clients and contacts throughout Scotland, as well as strong links to the wider UK and international markets.

We are more than just lawyers – we are industry experts with unrivalled commitment to the sectors in which our clients operate. In this era of digital revolution and economic difficulty, we have risen to the challenge in the same way we have done for more than 150 years – with sophistication, passion and expertise.

www.macroberts.com