Category: GDPR

International Transfers Breach Results in Record GDPR Fine for Meta

Personal data transfers between the EU and US is an ongoing legal and political saga. The latest development is yesterday’s largest ever GDPR fine of €1.2bn (£1bn) issued by Ireland’s Data Protection Commission (DPC) to Facebook’s owner, Meta Ireland. The DPC ruled that Meta infringed Article 46 of the EU GDPR in the way it transferred personal data of its users from Europe to the US. 

The Law 

Chapter 5 of the EU GDPR mirrors the international transfer arrangements of the UK GDPR. There is a general prohibition on organisations transferring personal data to a country outside the EU, unless they ensure that data subjects’ rights are protected. This means that, if there is no adequacy decision in respect of the receiving country, one of the safeguards set out in Article 46 must be built into the arrangement. These include standard contractual clauses (SCCs) and binding corporate rules.
The former need to be included in a contract between the parties (data exporter and importer) and impose certain data protection obligations on both. 

The Problem with US Transfers 

In 2020, in a case commonly known as “Schrems II, the European Court of Justice (ECJ) concluded that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal mechanism to ensure GDPR compliance. They must consider using the Article 49 derogations or SCCs. If using the latter, whether for transfers to the US or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection and surveillance legislation, and to put in place “additional supplementary measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems). Therefore any additional measures must address this possibility and build in safeguards to protect data subjects. 

In the light of the above, the new EU SCCs were published in June 2021.
The European Data Protection Board has also published its guidance on the aforementioned required assessment entitled “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. Meta’s use of the new EU SCC’s and its “additional supplementary measures” were the focus of the DPC’s attention when issuing its decision. 

The Decision 

The DPC ruled that Meta infringed Article 46(1) of GDPR when it continued to transfer personal data from the EU/EEA to the US following the ECJ’s ruling in Schrems II. It found that the measures used by Meta did not address the risks to the fundamental rights and freedoms of data subjects that were identified in Schrems; namely the risk of access to the data by US law enforcement.  

The DPC ruled that Meta should: 

  1. Suspend any future transfer of personal data to the US within five months of the date of the DPC’s decision; 
  1. Pay an administrative fine of €1.2 billion; and, 
  1. Bring its processing operations in line with the requirements of GDPR, within five months of the date of the DPC’s decision, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of GDPR. 

Meta has said that it will appeal the decision and seek a stay of the ruling, before the Irish courts.  Its President of Global Affairs, Sir Nick Clegg, said:  

“We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe. 

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.” 

The Future of US Transfers 

The Information Commissioner’s Office told the BBC that the decision “does not apply in the UK” but said it had “noted the decision and will review the details in due course”. The wider legal ramifications on data transfers from the UK to the US can’t be ignored. 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, all often involve a transfer of personal data to the US. A new  UK international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a Transfer Risk Assessment  as well as supplementary measures where privacy risks are identified.  

On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new  Trans-Atlantic Data Privacy Framework. The final agreement is expected to be in place sometime this summer 2023 and will replace the Privacy Shield Framework. It is expected that the UK Government will strike a similar deal once the EU/US one is finalised. However both are likely to be challenged in the courts. 

The Meta fine is one of this year’s major GDPR developments nicely timed; within a few days of the 5th anniversary of GDPR. All organisations, whether in the UK or EU, need to carefully consider their data transfers mechanisms and ensure that they comply with Chapter 5 of GDPR in the light of the DPC’s ruling. A “wait and see’ approach is no longer an option.  

The Meta fine will be discussed in detail on our forthcoming International Transfers workshop. For those who want a 1 hour summary of the UK International Transfer regime we recommend our webinar 

The California Consumer Privacy Act (CCPA) and the CPRA: What’s Changed? 

Californian privacy law is about to change once again thanks to the California Privacy Rights Act (CPRA) which will become fully enforceable on 1st July 2023. 

The current law is set out in the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020. CCPA regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers, and stricter compliance requirements for businesses, than any other US state or federal privacy law. 

Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to: 

  • Know and access the personal being collected about them 
  • Know whether their personal data is being sold, and to whom 
  • Opt out of having their personal data sold 
  • Have their personal data deleted upon request 
  • Avoid discrimination for exercising their rights 

CPRA is not a new law; it amends the CCPA to give Californians even more control over their personal data.  The key provisions include: 

  • Changing the CCPA’s definition of Personal Information 
  • Creating a new data category called “Sensitive Personal Information” similar to Special Category Data under GDPR 
  • Changing the scope of the CCPA  
  • Adding new rights e.g. to correct inaccurate information and to limit use and disclosure of sensitive personal information 
  • Changing regulatory area of focus towards behavioral advertisement  
  • Adding additional requirements for business (closely modelled on GDPR Data Protection Principles) namely data minimisation, purpose limitation and storage limitation 
  • Expanding the CCPA’s current consent requirements to include where, amongst others, a business is selling or sharing personal information after a user has already opted out and when selling or sharing the personal information of minors  

Whilst becoming fully enforceable on 1st July 2023, CPRA will have a 12 month “lookback period” applying to its new rights from 1st January 2022. 

Until recently, CCPA did not have a regulator like the Information Commissioner in the UK. It was primality enforced by the Office of the Attorney General through the courts; although there is a private right of right action for a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach: 

  • $2,500 for an unintentional and $7,500 for an intentional breach  
  • $100-$750 per incident per consumer, or actual damages, if higher – for damage caused by a security breach.  

CPRA establishes the California Privacy Protection Agency (CPPA) which has the authority to investigate potential breaches and violations, and to draft enforcement regulations. It has produced new CPRA Regulations providing rules on service provider contracts, dark patterns, and the recognition of “global opt-out” browser signals. 

While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars. In the first three years of the CCPA’s existence, 320 lawsuits have been filed in 28 states according to a report by Akin, a US law firm. It found that: 

  • More than 80% of CCPA lawsuits in 2022 corresponded to a breach notice filed with the California Attorney General’s Office, and businesses that report a data breach to the AG’s office have about a 15% chance of facing subsequent consumer litigation. 
  • Breaches affecting at least 100,000 people accounted for 56% of lawsuits in 2022 stemming from data breaches. 
  • Financial services companies accounted for 34% of cases in 2022, by far the highest rate of any industry. Medical services and software/technology each comprised 13%.

All US based businesses, as well as those elsewhere who are processing Californian residents’ personal information, need to consider how CPRA will impact their data management and start the implementation process immediately. People are more concerned than ever about what is happening to their personal data as a result of recent media headlines concerning the exploitation of personal data by AI and social media companies

Ibrahim Hasan will be speaking about the CCPA and CPRA at the MER Information Governance Conference in Chicago in May.  

Interested in US privacy law? Check out our US privacy programme 

Saudi Arabian Data Protection Law Update 

In September 2021, Saudi Arabia announced its first ever data protection law. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H approving Resolution No. 98 dated 7/2/1443H (14th September 2021). PDPL will regulate the collection, handling, disclosure and use of personal data and includes governance and transparency obligations. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). 

PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments for public consultation. On 21st March 2023, some of these amendments were passed by the Saudi Council of Ministers. PDPL will now officially come into force on 14th September 2023 and organisations will have till 13th September 2024 to comply. Much of the detail of the new law will be set out in the Executive Regulations which we are still waiting for, although a draft version was issued last year. 

The amendments to PDPL introduce several concepts that will align the new law more closely to the EU General Data Protection Regulation (GDPR) and the UK GDPR. These include: 

  • New Ground for Processing: Like the GDPR, Data Controllers may now rely on “legitimate interests” as a lawful basis to process personal data; this does not apply to sensitive personal data, or processing that contravenes the rights granted under PDPL and its executive regulations.  
     
  • Easier International Transfers: Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside of the KSA. The strict prohibition on transfers outside Saudi Arabia has now been amended. Furthermore they no longer require approval from SDAIA. Data Controllers will need a specific purpose to transfer data outside the Kingdom and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data, which will be further clarified once they issue evaluation criteria for this purpose. The pending executive regulations should set out exemptions from this condition.  
     
  • Removal of Controller Registration Requirements: The original law required Data Controllers to register on an electronic portal that would form a national record. This provision has now been removed. However, SDAIA has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers. 
  • Data Breach Notification Relaxed: Notifications of personal data breaches to SDAIA are no longer required “immediately.” However, controllers must now notify data subjects when a breach threatens personal data or contravenes the data subject’s rights or interests. The pending regulations are expected to provide additional specificity, such as particular dates for notifying data breaches and threshold requirements.  
     
  • Criminal Offences Reduced: The penalties for breaching PDPL will be a warning or a fine of up to SAR 5,000,000 (USD 1,333,000) that may be doubled for repeat offences. Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. There now remains only one criminal offence in relation to the disclosure or publication of sensitive personal data in violation of the law.  

Action Plan for Compliance 

Businesses established in Saudi Arabia, as well as those processing Saudi citizens’ personal data anywhere in the world, have sixteen months to prepare for PDPL. Considering that those covered by GDPR had four years, this is not a long time. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.  

The following should be part of an action plan for compliance: 

  1. Raising awareness about PDPL at all levels. Our GDPR elearning course can be tailored for frontline staff. 
  1. Carrying out a data audit and reviewing how records management and information risk is addressed. 
  1. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification
  1. Revising privacy policies in the light of the more prescriptive transparency requirements.  
  1. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access. 
  1. Appointing and training a Data Protection Officer.  

The new KSA data protection law is an important development in Middle East privacy law alongside the passing of the new UAE Federal DP law.
These laws, being closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR, open up exciting job opportunities for UK and EU Data Protection professionals. A quick scan of jobs sites shows a growing number of prospects. 

Act Now in the Middle East 

Act Now Training can help your businesses prepare for PDPL. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. Check out our UAE privacy programme. We can also deliver customised in house training both remotely and face to face.
Please get in touch to discuss your training or consultancy needs.  

Our new Intermediate Certificate in GDPR Practice includes a module on worldwide data protection laws. 

The New Data Protection Bill: What it means for DP and the public sector

In March, the UK Department for Science, Information and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill. The Bill is now going through Parliament. If enacted, it will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Our director, Ibrahim Hasan, recently took part in a webinar organised by eCase. In this 45 minute session Ibrahim, alongside Data Protection experts Jon Baines of Mishcon de Reya and Lynn Wyeth of Leicester City Council, discusses the new Bill including:

  • The key changes
  • The differences with the current regime
  • What the changes mean for the public sector
  • The challenges

To access the webinar recording click here ((note: eCase email registration required to access)

The new Bill will be discussed in detail on our forthcoming GDPR Update workshop.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates

The State of US Privacy Law in 2023 

The United States is making substantial progress on privacy law. Six states have passed comprehensive data protection bills (with at least two more likely to follow) and five of these take effect throughout 2023.  

One of the most significant changes to US privacy law comes in the form of the California Privacy Rights Act (CPRA) which is fully enforceable from 1st July 2023. The CPRA makes several important amendments to the California Consumer Privacy Act (CCPA) which has been in force since 1st July 2020. 

Among other changes, the CPRA introduces a concept of “sensitive personal information”, which includes data about a consumer’s government ID numbers, account credentials, racial origin, religious beliefs, union membership, genetics, biometrics, health status, and more. It also provides several new rights for consumers, such as the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information. 

CCPA’s “right to opt out” now explicitly allows consumers to refuse
“cross-contextual advertising”, which involves combining personal information from different websites or apps to target people with ads.
Most significantly, CPRA gives California its own privacy regulator, the California Privacy Protection Agency (CPPA). 

Beyond California 

Following in the footsteps of California, five US states have now passed broadly-applicable privacy legislation: 

These laws create new challenges for businesses operating in the US.
They introduce data protection concepts more familiar to organisations complying with the EU General Data Protection Regulation (GDPR).
More state privacy laws will likely take effect in coming years, with similar bills in Tennessee and Indiana awaiting governors’ signatures at the time of writing. Other bills, such as Washington’s as-yet unsigned My Health My Data Act, could also have a broad privacy impact. 

The new state laws generally apply across all sectors but only to businesses processing the personal data of at least 100,000 consumers—plus smaller companies that derive a given proportion of their revenue from selling personal data. Utah’s law also excludes any business generating under $25 million in annual revenues. But unlike the GDPR, they contain carve-outs for data processing covered by sectoral laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)

Consumer Rights 

Each of the new US state privacy laws provides new consumer rights, including:  

  • The right of access 
  • The right to delete 
  • The right to correct (except Utah and Iowa) 
  • The right to data portability 
  • The right to opt out of targeted advertising, the sale of personal data (except Iowa) and profiling in furtherance of legal or similar effects (except Iowa and Utah) 

Each law also imposes new rights around the processing of “sensitive data”, with Virginia, Colorado and Connecticut’s laws mandating
GDPR-style consent; and Iowa and Utah requiring controllers to offer consumers an opt-out prior to collection. 

The consumer rights provided under these US privacy laws are somewhat narrower than the GDPR’s “data subject rights”. Consumers unhappy with a controller’s response must exhaust an internal appeals process before complaining to the state’s Attorney General. Controllers must respond to consumers’ requests within 45 days (compared to one month in the EU)—but, similarly to the GDPR, businesses must not charge a fee unless a request is  “manifestly unfounded, excessive, or repetitive”. 

Controllers’ Obligations 

Drawing language from the GDPR, each of these new laws requires controllers to implement binding agreements with their processors.
Much like California’s “service provider contracts”, controllers under these other state laws must contractually require processors to submit to audits, impose similar contracts on any sub processors, and not share data received from the controller (with limited exceptions). 

Virginia and Connecticut’s new privacy laws require controllers to conduct “data protection assessments” in certain circumstances, including before engaging in targeted advertising, selling personal data, processing sensitive data, and other risky activities. Privacy bills currently under consideration in Tennessee and Indiana contain a similar requirement. These provisions were clearly inspired by the GDPR’s Data Protection Impact Assessments and require businesses to balance the benefits that could flow from a processing activity against the risks to consumers and the public, considering any relevant safeguards. 

FTC Enforcement 

The new IS state privacy laws will have a major impact on companies operating in the US. But perhaps equally significant is recent enforcement action by the Federal Trade Commission (FTC) under existing laws. 

In February, the FTC enforced the Health Breach Notification Rule against the drug discount provider GoodRx, issuing a $1.5 million civil penalty and permanently banning the company from sharing health information for advertising purposes. In March, the FTC also settled for $7.8 million with remote therapy provider BetterHelp under the FTC Act—a consumer protection law that BetterHelp allegedly violated by promising not to share personal information and then doing so via pixels and other trackers.
The FTC’s broad interpretation of “personal information” and “health information” in these cases—and its view that the unauthorised sharing of data with advertisers can be a “data breach”—suggests a trend of more robust privacy enforcement in the US. 

Towards a US Federal Privacy Law 

A comprehensive US federal privacy law could provide some clarity in this increasingly complicated patchwork of state and sectoral privacy laws.
For the past two years, President Biden has advocated new privacy measures in his State of the Union address—focusing primarily on children’s privacy, but with a broader call this year to limit how tech companies collect personal information about everyone in the US. 

A federal bill, the American Data Privacy Protection Act (ADPPA) was introduced to the House of Congress last June. The ADPPA would apply to businesses and non-profits across all sectors, regardless of size.  

Among other provisions, the ADPPA would: 

  • Only allow the “reasonably necessary and proportionate” collection, use, and transfer of personal information. 
  • Require organisations to disclose how they collect, use, and share personal information. 
  • Provide consumers with rights to access, delete, and correct their personal information. 

The ADPPA would arguably impose much stricter requirements on businesses than the current tranche of state privacy laws. The bill failed to pass in last year’s legislative session. Opposition centred around the law’s potential to override state privacy laws, and the “private right of action”, which would allow individuals to sue non-compliant businesses. 

Biden’s call for improved privacy protections suggests that some version of the ADPPA could reappear in the US legislature this session. However, it is unclear whether the now Republican-controlled House will support a bill that significantly restricts business activity. 

Unless a federal law passes (and perhaps even if it does), businesses will continue to grapple with the various local and sectoral privacy laws passing across many US states. Either way, a long era of lax US privacy regulation seems to be coming to an end. 


Ibrahim Hasan will be speaking about the CCPA and CPRA at the MER Information Governance Conference in Chicago in May.  

Interested in US privacy law? Check out our US privacy programme 

Act Now Launches Updated GDPR Practitioner Certificate  

Act Now Training is pleased to announce the launch of its updated GDPR Practitioner Certificate. This course has been running successfully for the past five years with excellent delegate reviews: 

“The course was very useful as an IG Officer. The trainer was knowledgeable and explained some complex aspects of the legislation using interesting examples and real life scenarios. The course materials and handbook are invaluable and I know I will reuse them in conjunction with my usual resources.” NC, Lincolnshire County Council  

“I would highly recommend this online course which was well structured and interactive. The course tutor was engaging and made a complex subject accessible. There was a good balance between understanding the legal framework and practical application. I learnt a great deal which will help me in my DPO role.” RS, London Councils  

Key features of the new course include an updated course curriculum, new exercises and more emphasis on helping delegates develop key DPO skills.  

Our Motivation  

This revised course is part of our ongoing commitment to encourage and assist new talent in the IG profession. Through our involvement in NADPO and the IRMS over the past 20 years, Act Now has been  actively encouraging new entrants to the IG profession and providing quality training to assist in their learning and development. When the DP and IG Apprenticeship was launched last year, we became one of the first training companies to partner up with a leading apprenticeship provider to deliver specialist IG training and materials to apprentices. These have led to our partner, Damar, recruiting over 100 apprentices and helping them lay the foundations for a successful career in IG.  

Course Content 

The course curriculum has been updated in the light of Act Now’s Skills and Competency Framework for DPOs. For the past three years we have been working on this framework, alongside industry experts and education professionals, by thoroughly analysing all the core skills and competencies required for the DPO role and how they map against our wider GDPR course curriculum.  

Completing the course will enable delegates to gain a thorough understanding of the UK GDPR and develop the skills required to do their job with greater ease and confidence. In addition to the main course topics such as principles, rights and enforcement we have introduced new topics such as the ICO Accountability Framework. We also take time to consider the latest ICO enforcement action and the changes to the UK data protection regime proposed by the recently announced Data Protection and Digital Information Bill

Completing the GDPR Practitioner Certificate will enable delegates to gain a thorough understanding of the UK GDPR. The course will help delegates interpret the data protection principles in a practical context, drafting privacy notices, undertaking DPIAs and reporting data breaches. 

The course teaching style is based on four practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Delegates will also have personal tutor support throughout the course and access to a comprehensive revised online resource lab. 

The DPO Learning Pathway 

The updated UK GDPR Practitioner Certificate is part of our learning pathway for Data Protection Officers. Once completed they can move on to the Intermediate Certificate in GDPR Practice where the emphasis is on skills, as well as advanced knowledge, with delegates covering more challenging topics to gain a deeper awareness of the fundamental data protection principles.  

Our premier certification is the Advanced Certificate in GDPR Practice, tailored for seasoned Data Protection Officers seeking to refine and expand their expertise. The course comprises a rigorous set of masterclasses that engage delegates in dissecting and interpreting intricate GDPR scenarios through compelling case studies. This immersive experience empowers participants with the skills and confidence needed to tackle even the most challenging Data Protection and Privacy scenarios they may encounter.

If you would like a chat to discuss your suitability for any of our certificate courses, please get in touch.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates. Click on the link to find out more and take advantage of this limited time offer!

The TikTok GDPR Fine

In recent months, TikTok has been accused of aggressive data harvesting and poor security issues. A number of governments have now taken a view that the video sharing platform represents an unacceptable risk that enables Chinese government surveillance. In March, UK government ministers were banned from using the TikTok app on their work phones. The United States, Canada, Belgium and India have all adopted similar measures. 

On 4th April 2023, the Information Commissioner’s Office (ICO) issued a £12.7 million fine to TikTok for a number of breaches of the UK General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully. This follows a Notice of Intent issued in September 2022.

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society services”  (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states:

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”

In issuing the fine, the ICO said TikTok had failed to comply with Article 8 even though it ought to have been aware that under 13s were using its platform. It also failed to carry out adequate checks to identify and remove underage children from its platform. The ICO estimates up to 1.4 million UK children under 13 were allowed to use the platform in 2020, despite TikTok’s own rules not allowing children of that age to create an account.

The ICO investigation found that a concern was raised internally with some senior employees about children under 13 using the platform and not being removed. In the ICO’s view TikTok did not respond adequately. John Edwards, the Information Commissioner, said:

“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”

In addition to Article 8 the ICO found that, between May 2018 and July 2020, TikTok breached the following provisions of the UK GDPR:

  • Article 13 and 14 (Privacy Notices) – Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
  • Article 5(1)(a) (The First DP Principle) – Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner. 

Notice of Intent

It is noticeable that this fine is less than half the amount (£27 million) in the Notice of Intent. The ICO said that it had taken into consideration the representations from TikTok and decided not to pursue its provisional finding relating to the unlawful use of Special Category Data. Consequently this potential infringement was not included in the final amount of the fine.

We have been here before! In 2018 British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine in July 2020 was for £20 million. Marriott International Inc was fined £18.4 million in 2020; much lower than the £99 million set out in the original notice. Some commentators have argued that the fact that fines are often substantially reduced (from the notice to the final amount) suggests the ICO’s methodology is flawed.

An Appeal?

In a statement, a TikTok spokesperson said: 

“While we disagree with the ICO’s decision, which relates to May 2018 to July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.”

We suspect TikTok will appeal the fine and put pressure on the ICO to think about whether it has the appetite for a costly appeal process. The ICO’s record in such cases is not great. In 2021 it fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients. The Cabinet Office appealed against the amount of the fine arguing it was “wholly disproportionate”. A year later, the ICO agreed to a reduction to £50,000. Recently an appeal against the ICO’s fine of £1.35 million issued to Easylife Ltd was withdrawn, after the parties reached an agreement whereby the amount of the fine was reduced to £250,000.

The Children’s Code

Since the conclusion of the ICO’s investigation of TikTok, the regulator has published the Children’s Code. This is a statutory code of practice aimed at online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children. The code sets out 15 standards to ensure children have the best possible experience of online services. In September, whilst marking the Code’s anniversary, the ICO said:

“Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.”

With increasing concern about security and data handling practices across the tech sector (see the recent fines imposed by the Ireland’s Data Protection Commission on Meta) it is likely that more ICO regulatory action will follow. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates

Spring is around the corner, and what better way to celebrate than by learning something new? Act Now Training are offering a special Spring sale with 10% off on all one day courses until 21/04/23. Plus, we have some exciting discounts on our GDPR certificates! 

Our one day courses are designed to provide you with a comprehensive understanding of various information governance topics, including data protection, records management, FOI and information security. Whether you are a beginner or an experienced professional, our courses are tailored to meet your specific needs. 

But that’s not all! We also have some exclusive discounts on our GDPR certifications. You can get a 10% discount on our NEW Intermediate Certificate in GDPR course (Valued at £195) and a mega £150 off on our Advanced Certificate in GDPR Practice course. 

Our Intermediate Certificate in GDPR strengthens the foundations established by our UK GDPR Practitioner certificate. Delegates will cover more challenging topics and gain a deeper awareness of the fundamental data protection principles. It is an excellent option for those with an established knowledge base and experience in data protection who wish to level up their knowledge and sharpen their skills. 

Our Advanced Certificate in GDPR course is perfect for those who want to take their GDPR knowledge to the next level. This course covers the more complex aspects of GDPR and provides you with the practical skills needed to manage GDPR compliance effectively. You will learn how to break down complex multi-faceted scenarios and learn how to analyse case law, MPNs, ICO reprimands and Enforcement notices. This course is unlike any other, it challenges delegates with real world complex scenarios and is excellent in showcasing a much higher level of knowledge depth and understanding. 

Don’t miss this opportunity to enhance your information governance skills and take advantage of our Spring sale. To take advantage of this offer, simply book your chosen course before 21/04/23 and enter the code SPRING10 at checkout and the relevant discount will be applied.

Act Now Launches New Intermediate Certificate in GDPR Practice 

Act Now Training is pleased to announce the launch of the Intermediate Certificate in GDPR Practice.  

For the past three years, we have been working on a skills and competency framework for DPOs. Alongside industry experts and education professionals, we have undertaken a thorough analysis of all the core skills and competencies required for the DPO role and how they map against our wider GDPR course curriculum. The latter has been designed to allow delegates to easily map their personal learning journey and ensure they have the requisite level of knowledge and skill for their role. 

Through this work, we have identified a need to further develop DPOs who have undertaken our GDPR Practitioner Certificate but who now wish to hone their DPO skills. Hence the emphasis in the intermediate certificate is on skills, as well as advanced knowledge, with delegates covering more challenging topics to gain a deeper awareness of the fundamental data protection principles.  

This new course is part of our ongoing commitment to encouraging the development of Information Governance as a recognised profession. Through our involvement in NADPO and the IRMS over the past 20 years, Act Now has been actively encouraging new entrants to the IG profession and providing quality training to assist in their learning and development. When the DP and IG Apprenticeship was launched last year, we became one of the first training companies to partner up with a leading apprenticeship provider to deliver specialist IG training and materials to apprentices.
These have led to our partner, Damar, recruiting over 100 apprentices and helping them lay the foundations for a successful career in IG. 

Ibrahim Hasan, Course Director, said: 

“Having listened to the demand from our delegates and taken soundings from IG experts, we are excited to launch the Intermediate Certificate in GDPR Practice. This new course is a great option for those with an established knowledge base and experience in data protection who wish to level up their knowledge and sharpen their skills. It is also an ideal stepping stone for those contemplating our Advanced Certificate in GDPR Practice.” 

Content 

This new course will challenge delegates, who have completed our GDPR Practitioner Certificate, by looking at previously covered subjects in more depth and complexity. These include getting to grips with Principle 1 and interpreting lawfulness, fairness and transparency in the light of ICO and EU enforcement action. We also work through more complex subject access requests applying exemptions and considering the practical aspects.  

The course also covers new and topical data protection subjects such as the processing of  children’s data, use of AI and consideration of data ethics.
We also take time to compare data protection laws around the world and consider the changes to the UK data protection regime proposed by the recently announced revised Data Protection and Digital Information Bill

Format 

This course is set over three days (one day per week) and can be attended online or in the classroom. Each day is designed to develop delegates’ ability to understand and apply the UK DP law in a practical context using case studies and exercises. On completion of the course, delegates are required to complete a practical assessment within 30 days. 

Our teaching style is based on practical and engaging workshops covering theory alongside hands-on application. Delegates will have personal tutor support throughout the course and access to a comprehensive online resource lab ensuring they have the best opportunity for success. 

Who will this course benefit? 

This course is ideal for those who have completed our GDPR Practitioner Certificate who wish to sharpen their skills and knowledge before undertaking the Advanced Certificate in GDPR Practice. 

The first course is scheduled for April. We have a special introductory price for a limited period. If you would like a chat with Ibrahim to discuss your suitability for the course, please get in touch.  

Experian’s GDPR Appeal: Lawfulness, Fairness, and Transparency

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO). 

This case relates to Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications. 

The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). 

Fair and Transparent Processing: Art 5(1)(a) 

The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to: 

  • Provide an up-front summary of Experian’s direct marketing processing. 
  • Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice. 
  • Use clearer and more concise language. 
  • Disclose each source and use of data and explain how data is shared, providing examples.  

The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects. 

Lawful Processing: Arts. 5(1)(a) and 6(1) 

All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to balance the risks of processing the risks. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to: 

  • Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests. 
  • Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits. 
  • Review the GDPR compliance of all third parties providing Experian with personal data. 
  • Stop processing any personal data that has not been collected in a GDPR-compliant way. 

Transparency: Art. 14 

Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not do provide such notices relying on the exceptions in Art 14. 

Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.
Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”. 

The ICO did not agree that these exceptions applied to Experian, and ordered it to: 

  • Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source. 
  • Stop processing personal data about Data Subjects who had not received an Art. 14 notice. 

The FTT Decision  

The FTT found that Experian committed only two GDPR violations: 

  • Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources. 
  • Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this). 

The FTT said that the ICO’s Enforcement Notice should have given more weight to:  

  • The costs of complying with the corrective measures. 
  • The benefits of Experian’s processing. 
  • The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice. 

The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources. 

FTT on Transparency 

Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”.
People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices. 

However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources. 

FTT on Risks of Processing 

An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data. 

The ICO’s Planned Appeal 

The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.  

The ICO has confirmed that it will appeal the decision. There are no details yet on their arguments but they may claim that the FTT took an excessively narrow interpretation of privacy harms. 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.  

%d bloggers like this: