This article was co-authored by Joshua Curzon, Edward Le Gassick, and Elizabeth Tucker, trainee solicitors, UK cyber and data risk team.
A summary of the latest cyber and data privacy developments and critical issues for organisations to consider in the United Kingdom, European Union and the United States.
- What’s on the Information Commissioner’s mind?
- The UK: a high value cybercrime target
- Incident response alliance: the ICO and the NCSC
- ICO clarifies guidance on employee monitoring
- Causation and Data Subject Claims
- Enforcement action round-up
1. What’s on the Information Commissioner’s mind?
The Information Commissioner's Office (ICO) recently hosted its annual Data Protection Practitioners' Conference. The Information Commissioner (the Commissioner) highlighted in his opening speech the key themes on the ICO’s agenda. In this article, we explore what these might mean for data protection in the UK over the coming months.
Artificial intelligence (AI)
The Commissioner highlighted the way in which AI has exploded into the mainstream over the last year, particularly since the launch of ChatGPT in November 2022. He understands the importance of the ICO providing organisations with regulatory clarity on AI, although the extent to which the ICO and the law will keep up (or catch up) with the rapid pace of AI development remains to be seen.
He also highlighted the ICO’s collaboration with the Alan Turing Institute on guidance for explaining AI decisions as an example of how the ICO intends to empower organisations to use AI.
It goes without saying that very few people enjoy the thought of their employer monitoring their activity at work. The ICO’s research backs this up, showing that 70% of people would find it intrusive.
Curiously, younger respondents are less likely to share these feelings, suggesting that denizens of the digital age are more resigned to a surveillance culture. The ICO has issued new guidance to help employers understand how they can ensure their employee monitoring is lawful and complies with best practice. See our article below for further comment.
Privacy and the public
New research by the ICO confirms what many privacy professionals already know: how people perceive the sensitivity and significance of personal information is highly dependent on context. The research also found that public understanding of data protection remains mixed, with people either overestimating or underestimating their privacy protections. The full results of the research, which are due to be released later this year, will help organisations understand the data that is shaping the ICO’s agenda.
Data subject access requests
Responding to data subject access requests can be time consuming and difficult for organisations. The clarity of individuals’ requests can be a major issue, although for many organisations, the biggest challenges often lie with identifying and supplying the relevant data.
The Commissioner has unveiled a tool which aims to help organisations deal with requests efficiently by ensuring that requests are submitted in a consistent format and contain the relevant information. The tool is likely to be most useful for small organisations which lack the resources for dedicated compliance functions and for organisations struggling to develop a bespoke process for identifying requests.
Change on the horizon
The Commissioner spoke extensively on the topic of change, including changes to the ICO’s processes and the impact of the proposed Data Protection and Digital Information (No.2) Bill (DPDI Bill). The Commissioner expects that all organisations, including the ICO, will need to adjust and adapt to the introduction of the DPDI Bill. Significantly, the DPDI Bill proposes to reform the ICO and introduce a board structure. This would bring the ICO into line with other regulators and increase the level of scrutiny applied to top level decision making.
The Commissioner has also announced a review of the ICO’s investigatory process. The ICO has identified reasons for the significant delays in its investigations, including over-resourcing lower-level regulatory activity. The Commissioner hopes that this will make the ICO more agile and responsive, which we take to mean a higher and more pressing level of scrutiny on serious cyber incidents and privacy issues.
Privacy professionals will welcome the ICO’s recent release of draft monetary penalty guidance. The draft guidance provides organisations with much needed clarity on the matters the ICO takes into consideration when determining (i) whether to impose a fine; and (ii) the amount of any fine imposed. It confirms that the final amount of any fine is at the Commissioner’s discretion (with one eye on the pending reforms set out in the DPDI Bill). The draft guidance is currently under consultation, and the ICO is inviting responses until 27 November 2023.
Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team
2. The UK: a high value cybercrime target
Perhaps unsurprisingly, the National Cyber Security Centre (NCSC) and National Crime Agency (NCA) have stated that ‘the UK is a high value target for cyber criminals’.
In September 2023, security minister Tom Tugendhat highlighted that cybercrime affects many industries and sectors and has ‘cost the taxpayer millions’. Organisations need to appreciate that the cybercrime threat landscape is constantly changing.
The new white paper, ‘Ransomware, extortion and the cyber crime ecosystem’, published by the NCSC and the NCA, examines the rise of 'ransomware as a service' and extortion attacks.
Key takeaways from the white paper
- Ransomware continues to be the most significant, serious, and organised cyber threat faced by the UK.
- The rollout of ransomware as a service (known as RaaS) makes it easier for criminals to wreak havoc without requiring advanced computing knowledge.
- Most ransomware incidents are not due to sophisticated attack techniques; the initial access to victims is gained opportunistically, with success usually resulting from poor cyber infrastructure and practices. This means that organisations of any size and in any industry may be affected, with little thought from the cybercriminals responsible.
- Implementing the NCSC’s guidance (listed in the white paper) would help to interrupt and prevent some ransomware attacks.
- The white paper sheds light on the entire attack path of a cybercriminal system. Having a key understanding of this can help to identify an attack at the beginning of the process (exploiting access), rather than at the very end (deploying ransomware and attempting to monetise it).
The white paper serves as an important reminder that good cyber hygiene has never been more important. It is critical for organisations of all sizes to raise their awareness of the ever-evolving changes in cyber-criminal activity.
Author: Elizabeth Tucker, trainee solicitor, UK cyber and data risk team
3. Incident response alliance: the ICO and the NCSC
In September 2023, the ICO and the National Cyber Security Centre (NCSC) signed a memorandum of understanding on co-operation between the two bodies. The memorandum clarifies the relationship between the two bodies, with practical impacts on how organisations respond to data breaches. The memorandum contains several key pieces of information that clarify how the bodies will address the balance between regulatory action and incident response, as well as the need to improve cyber security at a national level.
Roles of the ICO and NCSC
ICO – As the UK’s data regulator, the ICO is responsible for determining whether to bring enforcement action against organisations which have failed to properly protect personal data.
NCSC – The NCSC is the government body responsible for providing the public with advice about cyber security and supporting organisations responding to cyber incidents. The NCSC is a part of the Government Communications Headquarters (GCHQ), a UK intelligence service.
Memorandum of understanding - key provisions
1. Information sharing
The memorandum unequivocally states that if an organisation shares information about a cyber incident with the NCSC, the NCSC will only share that information with the ICO with the organisation’s consent. This is a critical clarification, as organisations may have previously worried that information (particularly technical information about systems or security) shared with the NCSC would be shared with the ICO and result in enforcement action.
If organisations feel that they can confidentially share information with the NCSC, this may increase the level of support that the NCSC can offer and improve the guidance that the NCSC can offer to the public.
2. Incident reporting
The ICO and the NCSC have clarified that neither body will force an organisation to report an incident to the other. The NCSC may remind organisations to be mindful of their regulatory obligations, but it will not offer opinions on whether an organisation must report an incident to the ICO, nor will it make notifications to the ICO on an organisation’s behalf. However, the ICO will recommend and encourage organisations to report nationally significant cyber incidents to the NCSC.
3. Rewarding engagement with the NCSC
The ICO is committing to incentivising engagement with the NCSC, including by recognising organisations that report incidents to the NCSC and work with the NCSC to further the national interest. Crucially, it states that meaningful engagement with the NCSC may reduce regulatory penalties.
4. Incident management
The ICO accepts that in the immediate aftermath of an incident, an organisation’s priority is engaging with the NCSC and/or its cyber incident response providers to mitigate harm, identify root cause, and prevent recurrence. Where possible, the ICO and the NCSC will co-ordinate their efforts to minimise disruption to an organisation’s incident response.
This is a significant concession from the ICO, as it recognises the pressure that regulatory engagement in the middle of an incident can generate for the affected organisations.
The memorandum provides useful material for incident response advisers and for organisations considering their incident response plans. It highlights the real value in meaningful engagement with the ICO and the NCSC, empowers organisations to share information confidentially with the NCSC, and provides a framework for managing incidents in which both bodies are engaged. Awareness of key details of the memorandum are likely to be invaluable in executing an incident response plan that manages regulatory risk effectively.
Author: Joshua Curzon, trainee solicitor, UK cyber and data risk team
4. ICO clarifies guidance on employee monitoring
The ICO has launched new guidance on employee monitoring. This guidance identifies what the ICO considers to be ‘must dos’ and ‘should dos’ for employers. Whilst it does not fundamentally alter the established position, companies will welcome the additional clarity this provides.
The ICO’s guidance follows similar guidance published by Ireland’s Data Protection Commission (DPC) in April 2023. The DPC’s note, ‘Data Protection in the Workplace: Employer Guidance’, provides direction on the use of surveillance in a workplace setting.
- Employers can monitor their employees, provided they do so in a consistent, proportionate (i.e. what would an employee reasonably expect?) and lawful way (with a lawful basis for the processing under the UK GDPR).
- Employers must document and record their purpose for monitoring and restrict their use of the information collected to that purpose only.
- Employers must inform their employees as to how and why they monitor their activity and provide this information in an accessible way.
- Employers can, in certain circumstances, undertake covert monitoring if it is necessary, but this should be authorised by senior management and have greater protections in place.
This new guidance should act as a catalyst for organisations to review their existing monitoring activities to make sure they align with the ICO’s expectations. The ICO has provided an easy to follow checklist for organisations to work through.
Employers should examine the key issues listed in the checklist to ensure compliance with best practice. This is particularly relevant in circumstances where the ICO is increasingly scrutinising ‘big picture’ compliance issues and the management-led culture around data protection in the context of personal data breaches. How organisations deal with their own employees is likely to be seen as a key indicator on these points.
Author: Elizabeth Tucker, trainee solicitor, UK cyber and data risk team
5. Causation and Data Subject Claims
In April 2023, the High Court handed down judgment in the case of Ali v Chief Constable of Bedfordshire Police  EWHC 938.
This case provides helpful guidance on causation and quantum, and in particular, what liability the original wrongdoer has for any distress caused following the intervening act of a third party.
The claimant made a report to the police about her ex-husband’s alleged drug dealing. She made it clear that she did not want to be identified as the source of the information. Amongst other things, the police passed the report to the social services of the local council. An employee of the council, who was by then in a relationship with the claimant’s ex-husband, unlawfully accessed the report and informed him of the claimant’s allegations. The key issue was whether it was necessary for the police to inform the council that the claimant was the source of the information.
The court determined that it would not be fair on the facts for the police to escape liability, notwithstanding that it was accepted that the council employee’s disclosure was the principal trigger of the claimant’s distress. The court found that the initial disclosure to the council by the police was not necessary and was a standalone infringement of the UK GDPR. Even if there had been no subsequent disclosure by the employee of the council to the ex-husband, the claimant would still have suffered some distress if she had been made aware that her identity as the source of the information had been shared with the council. The police were therefore found liable for that portion of the claimant’s distress.
Awarding damages in the sum of £3,000, the court also helpfully reaffirmed the need for damages in data litigated claims to bear a reasonable relationship with awards in personal injury cases.
Organisations should pay particular attention to ensuring that data sharing is limited to that which is necessary in the circumstances. If they fail to do so, they may find themselves on the receiving end of a claim in the event of a future data breach, even if it is not caused by them.
Author: Alexandra O'Hare, associate, UK Cyber and Data Risk Team
6. Enforcement action round-up
Recent enforcement action in the UK and EU has seen supervisory authorities stress the need to take extra care when processing children’s data, to obtain consent when sharing data with third parties, and to ensure privacy by design before launching a product or service.
Protecting children’s data
We highlighted in our July 2023 insights that the ICO had fined TikTok £12.7 million for breaches of data protection law, including the unlawful processing of children’s data. The Irish Data Protection Commissioner (DPC) has followed suit and issued a fine of €345 million for similar reasons. The DPC noted issues such as lack of age verification controls within the registration process, as well as a failure to provide sufficient information to children upon registration.
The ICO has now turned its attention to Snap, Inc and Snap Group Limited, the companies behind the popular Snapchat app. Snap has been served with a preliminary enforcement notice by the ICO related to the release of its new ‘My AI’ chatbot earlier this year. The ICO alleges that Snap failed to study the potential risks to children and other users before launching My AI. Depending on the outcome of the investigation, Snap could be issued with a fine, be forced to discontinue the chatbot, or both.
Supervisory authorities continue to emphasise the requirement to process children’s data safely and fairly. UK organisations must follow the ICO’s Children’s code when collecting consent from children and designing their products and services.
The Norwegian Privacy Appeals Board has confirmed the Norwegian Data Protection Authority’s fine of NOK 65 million (approximately £4.86 million) against Grindr LLC for what has been labelled ‘surveillance-based advertising’ on its dating app. The fine is a result of a finding that between 2018 and 2020 Grindr unlawfully shared users’ data (including GPS location, IP Address, ID, age, and gender) with third parties for the purposes of behavioural marketing.
The decision affirms the need to explain in a concise and digestible fashion exactly what an individual is consenting to before collecting their data (a process known as layering).
Security and privacy by design
Lastly, the Swedish Data Protection Authority has fined Trygg-Hansa, a Swedish insurance company, SEK 35 million (approximately £2.6 million) for a security flaw in its website. The flaw allowed any member of the public using Trygg-Hansa’s website to access sensitive information (including social security numbers and health data) belonging to approximately 650,000 individuals, simply by tweaking numbers in the web URL.
A broad approach to ensuring compliance with privacy laws is not always easy. Organisations should learn from enforcement trends across the UK and the EU to mitigate regulatory risk.
Author: Michael Camilleri, associate, UK Cyber and Data Risk Team