Mega GDPR Fines for Meta

On 4th January 2023, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. Not only does this decision significantly limit Meta’s ability to gather information from its users to tailor and sell advertising, it also provides useful insight into EU regulators’ view about how to comply with Principle 1 of GDPR i.e. the need to ensure personal data is “processed lawfully, fairly and in a transparent manner in relation to the data subject”(Article 5).

In decisions dated 31st December 2022, the DPC fined Meta Ireland €210 million and €180 million, relating to its Facebook and Instagram services respectively. The fines were imposed in connection with the company’s practise of monetising users’ personal data by running personalised adverts on their social media accounts. Information about a social media user’s digital footprint, such as what videos prompt them to stop scrolling or what types of links they click on, is used by marketers to get personalised adverts in front of people who are the most likely to buy their products. This practice helped Meta generate $118 billion in revenue in 2021.

The DPC’s decision was the result of two complaints from Facebook and Instagram users, supported by privacy campaign group NOYB, both of which raised the same basic issue: how Meta obtains legal permission from users to collect and use their personal data for personalised advertising. Article 6(1) of GDPR states that:

“Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”

In advance of the GDPR coming into force on 25th May 2018, Meta Ireland changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis upon which it relies to process users’ personal data under Article 6 in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising). Having previously relied on the consent of users to the processing of their personal data, the company now sought to rely on the “contract” legal basis for most (but not all) of its processing operations. Existing and new users were required to click “I accept” to indicate their acceptance of the updated Terms of Service in order to continue using Facebook and Instagram. The services would not be accessible if users declined to do so.

Meta Ireland considered that, on accepting the updated Terms of Service, a contract was concluded between itself and the user. Consequently the processing of the user’s personal data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of this “contract” which includes the provision of personalised services and behavioural advertising.  This, it claimed, provided a lawful basis by reference to Article 6(1)(b) of the GDPR.

The complainants contended that Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. This was not real consent as defined in Article 4 of GDPR:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;” (our emphasis)

Following comprehensive investigations, consultation with other EU DP regulators (a process required by GDPR in such cases) and final rulings by the European Data Protection Board, the DPC made a number of findings; notably:

1. Meta Ireland did not provide clear information about its processing of users’ personal data, resulting in users having insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6. The DPC said this violated Articles 12 (transparency) and 13(1)(c) (information to be provide to the data subject) of GDPR. It also considered it to be a violation of Article 5(1)(a), which states that personal data must be processed lawfully, fairly and transparently.

2. Meta Ireland cannot rely on the contract legal basis for justifying its processing. The delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract. The DPC adopted this position following a ruling by the EDPB, which agreed with other EU regulators’ representations to the DPC.

In addition to the fines, Meta Ireland has been directed to ensure its data processing operations comply with GDPR within a period of 3 months. It has said it will appeal; not surprising considering the decision has the potential to require it to make costly changes to its personalised advertising-based business in the European Union, one of its largest markets. 

It is important to note that this decision still allows Meta to use non-personal data (such as the content of a story) to personalise adverts or to ask users to give their consent to targeted adverts. However under GDPR users should be able to withdraw their consent at any time.  If a large number do so, it would impact one of the most valuable parts of Meta’s business. 

The forthcoming appeals by Meta will provide much needed judicial guidance on the GDPR particular Principle 1. Given the social media giant’s deep pockets, expect this one to run and run.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? See our Advanced Certificate in GDPR Practice.

ICO Reprimand for Misuse of Children’s Data: A Proportionate Response or a Let Off?

Last week, the Department for Education received a formal reprimand from the Information Commissioner’s Office(ICO) over a “serious breach” of the GDPR involving the unauthorised sharing of up to 28 million children’s personal data. But the Department has avoided a fine, despite a finding of “woeful” data protection practices.

The reprimand followed the ICO’s investigation into the sharing of personal data stored on the Learning Records Service (LRS) database, for which the DfE is the Data Controller. LRS provides a record of pupils’ qualifications that education providers can access. It contains both personal and Special Category Data and at the time of the incident there were 28 million records stored on it. Some of those records would have pertained to children aged 14 and over. 

The ICO started its investigation after receiving a breach report from the DfE about the unauthorised access to the LRS database. The DfE had only become aware of the breach after an exposé in a national Sunday newspaper.

The ICO found that the DfE’s poor due diligence meant that it continued to grant Trustopia access to the database when it advised the DfE that it was the new trading name for Edududes Ltd, which had been a training provider. Trustopia was in fact a screening company and used the database to provide age verification services to help gambling companies confirm customers were over 18. The ICO ruled that the DfE failed to:

  • protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services. Data Subjects were unaware of the processing and could not object or otherwise withdraw from this processing. Therefore the DfE failed to process the data fairly and lawfully in accordance with Article 5 (1)(a). 
  • have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database and had also failed to ensure its confidentiality in accordance with Article 5 (1)(f). 

The ICO conducted a simultaneous investigation into Trustopia, during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation concluded and therefore regulatory action was not possible.

The DfE has been ordered to implement the following five measures to improve its compliance: 

  1. Improve transparency around the processing of the LRS database so Data Subjects are aware and are able to exercise their Data Subject rights, in order to satisfy the requirements of Article 5 (1)(a) of the UK GDPR. 
  • Review all internal security procedures on a regular basis to identify any additional preventative measures that can be implemented. This would reduce the risk of a recurrence to this type of incident and assist compliance with Article 5 (1)(f) of the UK GDPR. 
  • Ensure all relevant staff are made aware of any changes to processes as a result of this incident, by effective communication and by providing clear guidance. 
  • Complete a thorough and detailed Data Protection Impact Assessment, which adequately assesses the risk posed by the processing. This will enable the DfE to identify and mitigate the data protection risks for individuals. 

This investigation could, and many would say should, have resulted in a fine. However, in June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim to reduce the impact of fines on the sector. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. In a statement, John Edwards said:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

The ICO also followed its new public sector enforcement approach when issuing a reprimand to NHS Blood and Transplant Service. In August 2019, the service inadvertently released untested development code into a live system for matching transplant list patients with donated organs. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The ICO said that, if the revised enforcement approach had not been in place, the service would have received a fine of £749,856. 

Some would say that the DFE has got off very lightly here and, given their past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy. 

Many will question why the public sector merits this special treatment. It is not as if it has been the subject of a disproportionate number of fines. The first fine to a public authority was only issued in December 2021 (more than three and a half years after GDPR came into force) when the Cabinet Office was fined £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. This was recently reduced to £50,000 following a negotiated settlement of a pending appeal.

Compare the DfE reprimand with last month’s Monetary Penalty Notice in the sum of £1,350,000 issued to a private company, Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers personal data to predict their medical condition and then, without their consent, targeting them with health-related products. With austerity coming back with a vengeance, no doubt the private sector will question the favourable terms for the public sector. 

Perhaps the Government will come to the private sector’s rescue. Following the new DCMS Secretary for State’s speech  last month, announcing a plan to replace the UK GDPR with a new “British data protection system” which cuts the “burdens” for British businesses, DCMS officials have said further delays to the Data Protection and Digital Information Bill are on the way. A new public consultation will be launched soon.

So far the EU is not impressed. A key European Union lawmaker has described meetings with the U.K. government over the country’s data protection reform plans as “appalling.” Italian MEP Fulvio Martusciello from the center-right European People’s Party said his impression from the visit was that Britain is “giving in on privacy in exchange for business gain.”

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November. 

£4.4 Million GDPR Fine for Construction Company 

This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR. 

The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.  

The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

The Phishing Email 

In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. 

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. 

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

Notice of Intent 

Interestingly in this case the Notice of Intent (the pre cursor to the fine) was for also for £4.4million i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice. 

The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office. 

Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” 

We have been here before. On 10th March the ICO  fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.   

Action Points  

Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place. Here are our top tips: 

  1. Conduct a cyber security risk assessment and consider an external accreditation through  Cyber Essentials. 
  1. Ensure your employees know the risks of malware/ransomware and follows good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials  e-learning solution is a very cost effective e learning solution which contains a specific module on keeping data safe.)  
  1. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.  
  1. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber-attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.  

ICO Fines “World’s Largest Facial Network”

The Information Commissioner’s Office has issued a Monetary Penalty Notice of £7,552,800 to Clearview AI Inc for breaches of the UK GDPR. 

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. It allows customers, including the police, to upload an image of a person to its app, which is then checked against all the images in the Clearview database. The app then provides a list of matching images with a link to the websites from where they came from. 

Clearview’s online database contains 20 billion images of people’s faces and data scraped from publicly available information on the internet and social media platforms all over the world. This service was used on a free trial basis by a number of UK law enforcement agencies. The trial was discontinued and the service is no longer being offered in the UK. However Clearview has customers in other countries, so the ICO ruled that is still processing the personal data of UK residents.

The ICO was of the view that, given the high number of UK internet and social media users, Clearview’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge. It found the company had breached the UK GDPR by:

  • failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
  • failing to have a lawful reason for collecting people’s information;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to meet the higher data protection standards required for biometric data (Special Category Data):
  • asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

The ICO has also issued an enforcement notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.

The precise legal basis for the ICO’s fine will only be known when (hopefully not if) it decides to publish the Monetary Penalty Notice. The information we have so far suggests that it considered breaches of Article 5 (1st and 5th Principles – lawfulness, transparency and data retention) Article 9 (Special Category Data) and Article 14 (privacy notice) amongst others.  (UPDATE – the notice has now been published here)

Whilst substantially lower than the £17 million Notice of Intent, issued in November 2021, this fine shows that the new Information Commissioner, John Edwards, is willing to take on at least some of the big tech companies. 

The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner (OAIC). The latter also ordered the company to stop processing citizens’ data and delete any information it held. France, Itlay and Canada have also sanctioned the company under the EU GDPR. 

So what next for Clearview? The ICO has very limited means to enforce a fine against foreign entities.  Clearview has no operations or offices in the UK so it could just refuse to pay. This may be problematic from a public relations perspective as many of Clearview’s customers are law enforcement agencies in Europe who may not be willing to associate themselves with a company that has been found to have breached EU privacy laws. 

When the Italian DP regulator fined Clearview €20m (£16.9m) earlier this year, it responded by saying it did not operate in any way that brought it under the jurisdiction of the EU GDPR. Could it argue the same in the UK, where it also has no operations, customers or headquarters? Students of our  UK GDPR Practitioner certificate course will know that the answer lies in Article 3(2) which is sets out the extra territorial effect of the UK GDPR:

This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom. [our emphasis]

Whilst clearly Clearview (no pun intended) is not established in the UK, the ICO is of the view it is covered by the UK GDPR due to Article 3(2). See the statement of the Commissioner, John Edwards:

“Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

If Clearview does appeal, we will hopefully receive judicial guidance about the territorial scope of the  UK GDPR.   

UPDATE 19/10/22): Clearview’s appeal against the ICO’s £7.5 million fine is scheduled for 21-23 November in the First Tier Tribunal(Information Rights).

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.

advanced_gdpr_cert

Law Firm Fined For GDPR Breach: What Went Wrong? 

On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.

The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.  Some of the files included Special Category Data. Clearly this was a personal data breach, not just for the fact that data was released on the dark web, but because of the unavailability of personal data (though encryption by the attacker) which is also cover by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media

The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which the Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security) as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO found its starting point for calculating the breach to be 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.

In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:

 “…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO27000 series, the National Institutes of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulatory
Authority, Lexcel and NCSC Cyber Essentials.

The ICO concluded that there are a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied, with the Security Principle. Their technical and organisational measures were, over the relevant period, inadequate in the following respects:

Lack of Multi-Factor Authentication (“MFA”)

MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack e.g. a code from a fob or text message. Tuckers had not used MFA on its remote access solution despite its own GDPR policy requiring it to be used where available. 

Patch Management 

Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However Tuckers only installed it 4 months later. 

Failure to Encrypt Personal data

The personal data stored on the archive server, that was subject to this attack, had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects especially given the sensitive nature of the data.

Action Points 

Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
  2. Making sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e learning solution contains a module on keeping data safe.
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop

More useful advice in the ICO’s guidance note on ransomeware and DP compliance.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

advanced_cert

Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation. A stark contrast to the ICO’s fines under the DPA 1998 where they started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

First ICO GDPR Fine Reduced on Appeal

photo-1580971266928-ff5d40c194a7

The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.

In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.

On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. She also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.

A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with their instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to DDL- sourced excess medication and equipment and must do so securely and in good time. 

The judge said:

“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.” 

This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement. 

Our  GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.

%d bloggers like this: