15 July 2021 #Data Protection
The EU has finally adopted the UK adequacy decision. In addition, British Airways settles its data breach case, and the ICO has fined a charity for poor policies and inadequate training.
European Commission has adopted UK adequacy decision
At the end of June 2021, the European Commission adopted an adequacy for decision for the UK. Although this decision was very much expected, this ends a period of uncertainty for EU and UK data controllers and processors. The European Commission afforded themselves just two days to confirm the decision, with current arrangements, negotiated as part of the wider Brexit agreement, due to elapse on the 30 June 2021.
“Today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK” commented Didier Reyners, the Commissioner for Justice. Adopting the adequacy decision means that the European Commission are confident that personal data will be afforded the same level of protection in the UK as it has in the European Union; therefore, personal data can now flow easily, freely and lawfully between the two jurisdictions.
The decision will last five years before being subjected to a further review. This too is by no means guaranteed and the European commission will keep a close eye on how data protection law amalgamates and adapts over the next few years. In order to maintains this status, the UK will, at the very least, need to ensure it mirrors the ongoing protections afforded to data subjects in the European Union.
British Airways has settled its data breach case
The court-appointed lead solicitors have confirmed in July that mediation has resulted in the settlement on confidential terms. BA announced back in September 2018 that a breach of their security system had resulted in the leak of over 420,000 customer/staff personal and financial information. It is suspected that this included customers’ payment card and CVV numbers. The Information Commissioner’s officer conducted its own investigation into the breach and found that the BA IT Security system had significant weaknesses. This resulted in an announcement, in July 2019, from the ICO that it intended to fine BA £183.39 million.
On the 16 October 2020, the ICO issued a penalty notice under section 155 of the data Protection Act 2018. The notice drastically reduced their final fine to, an albeit not insignificant, £20 Million. It was after this announcement that nearly 17,000 claimants brought a group claim against BA.
It should therefore be noted that an ICO fine may not be the end of the matter for offending organisations. The potential costs for poor security initiatives and safeguards are likely to extend way beyond the penalty notice. With more widespread publication and interest in data breaches on the rise, we would expect to see more claims for similar breaches being brought by individuals in the future.
The ICO fines Charity for failing to keep user data secure
The ICO has fined Mermaids, a charity that supports transgender, non-binary and gender-diverse young people, £25,000 for creating an insufficiently secure setting for an internal email group that ran between 2016 and 2017. The ICO were alerted to the breach by the charity after it became aware of the breach in 2019, two years after the email group had been disbanded.
The ICO’s investigation led to the discovery that some 780 pages of highly confidential emails had remained easily accessible online for a period of three years. These emails included the email addresses and names of close to 550 individuals and the extremely sensitive data of 24 individuals, data that related to their sexual orientation and/or mental health. Furthermore, the ICO specifically highlighted that the charity had been negligent in its data protection obligations by not providing adequate training for staff and having insufficient policies.
This investigation and consequential fine highlights the needs for organisations to ensure they are giving proper and regular training to their staff on the importance of data protection and making sure that policies are correctly drafted and followed by employees.
For any further advice relating to these data protection topics contact our data protection lawyers.