Data Protection Update - June 2018

Welcome to the June 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection
- Personal liability for PECR regulatory fines proposed in Government consultation
- European Council adopts decision amending EEA Agreement to incorporate GDPR
- Department for Digital, Culture, Media and Sport consults on exemptions from paying charges to the ICO
- ICO publishes draft Regulatory Action Policy
- The European Court of Justice decision widens concept of 'Data Controller'
- MEPs pushing for amendments to the EU-US Privacy Shield
- European Data Protection Board

Cyber security
- Dixons Carphone admits huge data breach
- Three further high profile data hacks this month
- EU cybersecurity certification framework

ICO enforcement
- The British & Foreign Bible Society c/o the Bible Society fined £100,000
- BT plc fined £77,000
- Gloucestershire Police
- Yahoo! fined £250,000

Data protection

Personal liability for PECR regulatory fines proposed in Government consultation

On 30 May 2018 the Department for Digital, Culture, Media & Sport in the United Kingdom launched a consultation on the functioning of the current regime for holding company directors (or similar positions in corporate bodies or unincorporated associations) and members of partnerships to account for breaches of the Privacy and Electronic Communication Regulations 2003 ("PECR").

The proposals follow the Government's amendments to PECR in April 2015, which lowered the threshold at which the ICO can take action against companies that are in contravention of PECR and gave the ICO the power to issue civil penalties of up to £500,000.

We regularly report in this bulletin on enforcement action taken by the ICO in its crackdown on nuisance calls and texts made by companies in breach of PECR, and the increasingly hefty fines imposed in an effort to disincentivise such contravening marketing tactics. However, such fines are not always recovered in their entirety and the ICO has recently indicated that it has only recovered £9.7 million of the £17.8 million in fines issued for nuisance calls since 2010; a recovery rate of just 54%.

Currently only businesses responsible for unlawful marketing (such as nuisance calls, texts, or other electronic marketing messages) are liable for fines and not the directors themselves. The ICO has repeatedly asked the Government for powers to hold directors of companies to account, as part of its bid to tackle instances of companies being placed into liquidation by directors seeking to avoid substantial penalties, before reopening the responsible company under a different name (sometimes referred to as "phoenixing"). As we reported in September 2017, the ICO has made clear that it is committed to recovering fines it has issued, and will work with insolvency practitioners and liquidators if a company moves to insolvency after being fined.

The Government proposals being consulted on would give the ICO the power to hold officers personally and directly liable for fines of up to £500,000 under PECR, even where the company has been put into liquidation. The ICO would also be able to take action against individuals no longer in senior positions (for example following resignation), provided they were a director at the time of the relevant breach.

Any enforcement action taken by the ICO would be based on the seriousness of the contravention and other aggravating or mitigating factors. The consultation period runs until 21 August 2018 and the full consultation document is available here.

European Council adopts decision amending EEA Agreement to incorporate GDPR

On 18 June 2018, the European Council adopted a decision in relation to a series of amendments to the EEA Agreement in order to incorporate the GDPR. The amendments are:

- The rules of the European Data Protection Board will now give full effect to the participation of the supervisory authorities of the EEA European Free Trade Association ("EFTA") member states and the EFTA Surveillance Authority (except in relation to voting rights and standing for election as chair or deputy chair of the Board).
- Full participation by EEA EFTA member states in the "one-stop-shop" mechanism. This means that where a data controller or processor processes personal data in more than one member state, one national data protection authority must act as lead authority and is competent for monitoring the activities of that data controller or processor throughout the EU.
- EEA EFTA member states are kept informed of consultations with third countries seeking an adequacy...
