Please see below for the latest Data Blast from our legal team: Supreme Court Decision in Lloyd – November 10th 2021 Judgment given – Rapid Note; Unite Union Fined £45,000 for marketing messages; Labour Data Breach; The Freedom of Information (FOI) Act Guidance; The Commissioner Departs…

Supreme Court Decision in Lloyd – November 10th 2021 Judgment given – Rapid Note

This significant case concerns a claim alleging that a major multinational technology company headquartered in the USA, which specialises in online services and products, breached its duties as a data controller. It is said under the Data Protection Act 1998 (DPA) that, during a period in 2011-2012, over 4 million Apple iPhone users had their personal data collected by way of their browser-generated information. The claimant sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way. He applied for permission to serve the claim out of the jurisdiction. The claim is opposed on the grounds that (i) the pleaded facts did not disclose any basis for claiming compensation under the DPA and (ii) the court should not in any event permit the claim to continue as a representative action.

The Supreme Court was asked to determine whether to refuse permission to serve his representative claim out of the jurisdiction (i) because members of the class had not suffered ‘damage’ within the meaning of section 13 of the DPA; and/or (ii) because the claimant was not entitled to bring a representative claim, as other members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or (iii) because the court should exercise its discretion to direct that the respondent should not act as a representative.

The Supreme Court unanimously allowed the appeal, stating that the claim had no real prospect of success, and restored the order made by Mr. Justice Warby in the High Court. The claim advanced could not succeed for two reasons. First, the claim is founded solely on section 13 of the DPA 1998, which provides that ‘an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.’ On the proper interpretation of this section, the term ‘damage’ refers to material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself. Second, it is necessary, in order to recover compensation under section 13, to prove what unlawful processing of personal data relating to a given individual occurred.

In handing down the judgment, Lord Leggatt considered that the ‘same interest’ requirement must be interpreted purposively and pragmatically.  The judge found that the claimant’s lawyers had set the bar for membership of the class action too low and had not collected evidence of material damage or distress for each individual that joined the class action.  In this case, the aggregation of data was insufficient to cause any harm or mental distress.

The Supreme Court’s decision makes it clear that compensation is only appropriate where real harm has been caused. However, the Supreme Court left open the possibility of future section 13 class actions against multinational technology companies with the judge stating that “there is no reason why a representative party cannot properly represent the interests of all members of the class, provided there is no true conflict of interest between them.”

The Supreme Court’s press summary can be read here.

Unite Union Fined £45,000 for marketing messages

The Unite Union has been fined under section 55A of the Data Protection Act 1998 (“DPA”) because of a serious contravention of regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The fine arises from 57,665 unsolicited direct marketing calls to subscribers who were registered with the Telephone Preference Service (TPS). The unsolicited calls led to a total of 27 complaints.

Unite told the ICO that it did not ‘run or promote a business,’ nor did it have customers, and further, that it obtained all of its personal data directly from members (suggesting consent). Unite claimed that it did not make unsolicited marketing calls; only calls updating members on the ‘services and benefits available to them under their union membership via Unite’s membership helpline.’ Unite said this was a requirement in line with its Rule Book which governed membership of the trade union; its actions were therefore outside the PECR and/or TPS restrictions. Unite also pointed out they used a third party to make the calls, that there was a suppression list and the third party screened for TPS listed numbers, thereby suggesting that the processor acting on their behalf, and not Unite, had liability.

Unfortunately for Unite, the ICO considered the management of preferences was not acceptable.  They observed that members were not given the option to opt-in to specific means of communication in relation to specific types of ‘services and/or benefits.’ The ICO were also concerned that there was no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted.

After their investigation they concluded that these were unsolicited calls and breached PECR Regulation 21, and constituted direct marketing as defined by section 122(5) of the DPA 2018 because each of the calls encouraged members to have a ‘free life insurance and protection review’ from a third party whose business was to sell life insurance. The ICO sent a very clear message with this: despite Unite believing they were offering something to members who had agreed to be contacted, the ICO did not accept that contention. They clearly consider the holder of personal data for use in direct marketing has to have clearer consents and clearer options to protect people from unsolicited messages. It is therefore sensible to think carefully before allowing third party offers to members and contacts, as you may be creating liability for yourself.

Labour Data Breach

Blackbaud, a service provider to the UK’s Labour Party, have notified that they have been the victim of a ransomware attack, which occurred sometime between February and May 2021; we do not know why it has only come to light in November 2021. According to a public statement, a backup file containing personal information was stolen by a cybercriminal. Labour have said that no sensitive information, such as bank account information, passwords or usernames, was taken. This is not a legal meaning of what is sensitive, so much as a statement that financial information and login information was not stolen. The statement did confirm that names, email addresses, telephone numbers and the amounts donated to the Labour Party were taken, and so special category data was lost, as this reveals political opinions through support for the Labour Party.

Interestingly, the Party statement says that Blackbaud have paid the ransom demanded by the cybercriminal and have received assurances that the data was destroyed as a result.  The matter is now being reviewed by the ICO and by the National Crime Agency.

In addition, the Party has launched its own investigation, but it is not known whether its findings will be made public. Given the nature of political parties, it is clear that they will always need to be cautious in who they work with given the high level of press interest in their activity, and they must be sure they have agreements to adequately de-risk their liability for third party provider breaches. In this case it will be interesting to see what the NCA investigation uncovers, whether the act of paying the ransom will be seen as a positive or negative decision, and whether the Party bears any responsibility for how this has been handled.

The Freedom of Information (FOI) Act Guidance

In November, the ICO updated its guidance on FOI responses and added clarity that all forms of e-communication can be subject to disclosure if concerning ‘government business.’

The ICO says that FOI replies are key to the public’s understanding of and trust in decisions, and transparency is only achieved through documenting decisions in detail. The FOI Act covers relevant information that exists in the private correspondence channels of public authorities, but debate has been ongoing as to whether there are any forms of communication not caught. Consequently, the FOI guidance on official information held in private communication channels has been updated: https://ico.org.uk/for-organisations/foi-and-eir-guidance/official-information-held-in-non-corporate-communications-channels/.

It now explicitly covers not just private emails, but clarifies that conversations over WhatsApp, Facebook Messenger or other private channels are covered by FOI when they are used for official business.  In our opinion though, the area that really requires attention is how to determine what is and is not ‘official business’ and how much of an exchange of ‘chat’ messages should be read in connection with such determinations.

The Commissioner Departs…

Elizabeth Denham’s term as the Information Commissioner comes to an end on November 30th 2021. John Edwards, who is currently serving as the New Zealand Privacy Commissioner, was approved by the Digital, Culture, Media and Sport Select Committee as the next Information Commissioner after a pre-appointment hearing on September 9th, and he is expected to take up his position in January 2022.