Data Protection: An Overview of General Data Protection Regulation Developments during the Month of September

Data Protection Developments within the European Union: Data Protection and Healthcare

In the UK data protection sphere, an NHS trust is once again in the spotlight after the Charing Cross Gender Identity Clinic in London exposed the identities of over 2,000 patients and prospective patients of gender therapy. The breach occurred when, in the course of promoting an art competition to a number of data subjects, all of them patients, a human error left the mailing list visible to every recipient. Tavistock and Portman NHS Foundation Trust, which administers and manages the clinic, apologised for the data breach and confirmed that it had voluntarily reported the incident to the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority. The leaked personal data consisted of the data subjects’ email addresses, exposing them to unwanted contact and to identification. Data protection professionals expect the resulting liability to run into millions of pounds sterling in fines. This is because the disclosure was not only unlawful but concerned data relating to health and sexuality, which falls within the special categories of personal data under Article 9 of the General Data Protection Regulation. The matter is aggravated by the fact that the leak also breaches the confidentiality owed to patients by a healthcare institution, particularly since identifying such individuals exposes them to the risk of unsolicited discrimination.

This was not an isolated incident, especially in light of the NHS Highland data protection breach last June, in which the HIV status of almost 40 individuals was exposed through a similar human error. Both cases highlight how crucial data protection training is in the healthcare industry, where the proper handling of patient data and confidentiality is a precondition of adequate treatment. Under this scrutiny, NHS Digital has launched a staff awareness campaign aimed at instilling a cyber security culture. Entitled Keep I.T. Confidential, this patient-centric programme aims to build general awareness and knowledge across the NHS workforce. Besides being tailored to the healthcare sector, each programme has been adapted to its specific locale so that every institution can apply the cyber security model appropriately. The aim is to raise security standards by ensuring that each NHS trust handles patient data in line with the General Data Protection Regulation at the level of the individual caregiver. As NHS Digital stated, the campaign is inspired not only by the General Data Protection Regulation but by the existing principles of patient confidentiality and standards of proper patient care. NHS Digital has also announced an expansion of its digital toolkit through free services offered to trusts.

Data Protection Developments within the European Union: Poland Issues a Significant Administrative Fine

Poland’s supervisory authority, the President of the Personal Data Protection Office (UODO), has been relatively active since the General Data Protection Regulation became applicable. In September, news surfaced of one of its first administrative fines. Morele.net, an online electronics retailer established in Poland, was fined around 647,290 euros, a substantial sum, for inadequate compliance with the Regulation’s requirements on organisational and technical measures, including insufficient safeguards and improper monitoring of prospective risks. The Regulation imposes a risk-based security obligation: the measures required scale with the volume and sensitivity of the personal data processed. Here, the 2.2 million data subjects affected fell victim to the breach because the processing was carried out without adequate safeguards; in other words, the breach would have been prevented by proper implementation of the Regulation. The issue was aggravated by the fact that, once the breach materialised as the effective exposure of clients’ personal data, no comprehensive and functional incident response procedure was in place. The affected personal data included data subjects’ names, surnames, contact details and home addresses, enough to expose them to identity theft. In addition, the instalment loan applications of some 35,000 customers, including details of the extended payment arrangement, were also exposed. Since all of this data was entrusted to Morele.net, accountability was also enforced on the ground of a breach of the confidentiality principle.

Data Protection Developments within the European Union: Brexit and the General Data Protection Regulation

With yet another Brexit deadline having elapsed without a deal, political tension has not eased within the United Kingdom, making a no-deal Brexit a plausible outcome. Elizabeth Denham, the United Kingdom’s Information Commissioner, has urged all organisations to put in place plans that ensure data protection compliance under every potential scenario. The Information Commissioner’s Office (ICO) had previously indicated that the current European Union-aligned framework would be maintained beyond Brexit. However, as Denham’s statement implies, the mere possibility of a no-deal Brexit makes that uncertain. The ICO has therefore published new GDPR guidance directed at small and medium-sized organisations (SMOs). The guidance sets out the difficulties such companies would face after a no-deal Brexit and provides more specific and adaptable guidelines. It focuses mainly on personal data flows from the EU/EEA into the UK, which would constitute third-country transfers after a no-deal Brexit unless an agreement specifies otherwise. The guidelines are drafted to ease the transition from European Union member state to third country, with pre-existing contracts continuing to apply.

Data Protection Enforcement on Tech Giants

Facebook’s Progress in Data Protection Compliance: Substantial Number of Applications Suspended due to Lack of Compliance

Following the Cambridge Analytica scandal, Facebook made a leap forward in the past month in an attempt to meet the heightened compliance standards of the Federal Trade Commission (FTC) settlement finalised in recent months. Whether the multi-billion dollar company’s motives were ethical or reputational is debatable, but Facebook targeted over 400 application developers, corresponding to an aggregate of thousands of applications, which were consequently suspended. Although Facebook has provided information about the suspensions, the criteria applied are not clear. What is known is that a data protection compliance review mechanism was adopted and applied to applications both in development and in operation. Facebook’s App Developer Investigation, launched in March 2018, set out to review how developers with access to large amounts of data treated and used it. Many applications were suspended on the basis of unfavourable findings, while others were subjected to further inspection and in-depth questioning.

Google’s Battle with Data Protection: Winning a Landmark Judgement and Exposure of a Major Breach

Brave, the privacy- and performance-focused browser vendor, has exposed and reported a suspected infringement by Google through a formal complaint filed with the Irish Data Protection Commission by Dr. Johnny Ryan, the company’s Chief Policy & Industry Relations Officer. The alleged infringement is a data protection breach that materialises through the bypassing of the data safeguards Google itself publishes to demonstrate compliance with the General Data Protection Regulation. The evidence allegedly demonstrates that Google leaks data to numerous companies over which it has no authority and no means of enforcing data safeguards. Google’s DoubleClick and Authorized Buyers advertising system circulates visitors’ personal data to a large number of companies daily. Whilst Google claims that the data transferred is pseudonymised and that the combining of profiles is not permitted, evidence has surfaced suggesting that Google allows its identifiers to be matched to the corresponding data subject, enabling profiling and identification. Through a mechanism Brave calls ‘Push Pages’, such companies are invited to share and exchange profile identifiers about individuals, allowing unlawful trading of personal data. This means that real-time bidding, whilst theoretically coordinated by Google in accordance with the General Data Protection Regulation, is in fact a liability to its compliance on account of the alleged illegality. If upheld, the complaint could expose Google to a fine of up to 4% of global annual turnover, estimated at around 5.4 billion.

Whilst Google may face such a drastic loss in the near future, September also brought a significant win: on 24 September, the Court of Justice of the European Union delivered what has established itself as a landmark judgement in Google v CNIL (Case C-507/17). The judgement builds on the 2014 Google Spain ruling on the right to be forgotten, which established a person’s right to demand that search results linking to their personal data be de-referenced. The Court considered the application of the General Data Protection Regulation and the obligations flowing from it, as well as their territorial scope, namely whether de-referencing must be applied globally rather than only within the EU/EEA. In a companion judgement delivered the same day, it also addressed the handling of search results containing sensitive personal data and whether they must be removed automatically on request. Google successfully argued that the right to be forgotten need not be enforced globally. The Court therefore confirmed that, once a request is upheld, the personal data need only be de-referenced on the search engine’s EU Member State versions, leaving it accessible beyond the area, although the operator must take measures to discourage EU-based users from reaching those results through non-EU versions.

For more information on the General Data Protection Regulation
Get in touch with us

📧 ybusuttil@easl.com.mt

+356 2166 1273