Included in this edition of Data & Privacy News: Morrisons Supermarkets given permission by UK Supreme Court for fresh appeal against data breach liability ruling; US urged by EU to adopt tougher data privacy rules; High Court judgment regarding asbestos expert's data protection claim provides useful guidance on handling DSARs and more...

Morrisons Supermarkets given permission by UK Supreme Court for fresh appeal against data breach liability ruling

Morrisons have been granted permission by the Supreme Court to launch a second appeal against a ruling that the supermarket chain is vicariously liable for a data breach caused by a disgruntled former employee posting the data of thousands of workers online in 2014. 

Previously, on 22 October 2018 the UK Court of Appeal upheld a December 2017 High Court ruling that Morrisons vicariously liable to compensate the individuals impacted by the breach, despite being cleared of any wrongdoing by the ICO. 

The Court of Appeal comprised of three judges, who had refused Morrisons permission to further appeals. Consequently, Morrisons has since applied directly to the Supreme Court for permission a second appeal. This has been granted with sanction to appeal the judgment on all grounds. This case is particularly notable due to its potential for a 'floodgate' effect regarding data breach class action claims in the UK. 

US urged by EU to adopt tougher data privacy rules

The EU's top privacy official has advocated that Trump and his adminstration should implement tough data privacy laws that are equivalent to the EU's General data protection regulation (the GDPR). The aim of this is as a precursor to broader talks regarding greater levels of data sharing between Europe and the US.

According to Vera Jourova, the EU Commissioner for Justice, adopting European-style rules within American privacy laws would make the US fit to receive an adequacy decision from the EU that would allow American and European businesses to be able to freely share personal information about their citizens.

This would also address the concerns raised by the European Commission in their second annual review of the EU-US Privacy Shield agreement in December 2018, which currently allows American companies to self-certify their compliance with European privacy laws. 

High Court judgment regarding asbestos expert's data protection claim provides useful guidance on handling DSARs

The High Court has handed down a judgment on the case of Rudd v Bridle (2019), which involved discussion over to what extent the claimant's personal data was exempt from the subject access regime. The claiment, Rudd, a leading cancer doctor has won a groundbreaking data protection claim against Bridle, a lobbyist for the asbestos industry, who had previously made unfounded allegations and had used contacts in an attempt discredit to Dr Rudd. 

The claimant, whose medical specialism is the science of exposure to asbestos, requested all personal data held by John Bridle, who has a longstanding career working in asbestos.  Mr Bridle argued that it was his company and not himself personally that was the controller, and that the personal data was exempt from subject access under the journalism, regulatory activity and legal professional privilege exemptions. 

It was held that information provided to Dr Rudd under his data subject access request (DSAR) was insufficient, and the defendent's entitlement to rely on three claimed exemptions was rejected and he was subsequently ordered to provide the claimant with greater amounts of significant information.  It was also clarified that Mr Bridle, and not his company, was the controller in this instance, since the majority of Mr Bridle's lobbying activities (in the context of which Mr Rudd's personal data was used) were conducted by him individually and not by his company. 

ICO issues penalty notices to 90 companies for non-payment of data protection fee

ICO have issued companies that failed to pay their data protection fee with a penalty notice (PN). These fees go directly to ICO and the watchdog can instate fines of up to £4,000 for those who do not comply with paying their data protection fee.

Initially the Information Commissioners Ofiice (ICO) declined to name the organisations involved during its first wave of penalty notices, however since then, with the exception of sole traders who have been issued with a penalty notice, ICO have listed the names of the organisations on their website.

The rules regarding the data protection fee sit separately from the UK data protection regulatory regime, under which the ICO has yet to issue its first fine.

Pregnancy and Parenting Support Club Bounty are fined for unfair data processing

Bounty have been found to have illegally shared 34.4m records with 39 companies and marketing agencies. The unlawful sharing was particularly controversial due to the personal nature of the information being shared, for instance data on vulnerable new mothers or mothers-to-be, and young children, including their date of birth and biological sex. 

The fine of £400,000 was issued by ICO to Bounty for breach of the first data protection principle under the DPA98 regarding fair and lawful processes, as the pregnancy and parenting support club failed to be transparent. This breach was investigated by ICO as part of their general investigation into data brokering services. However, the potential fine was capped at £500,000, due to the data sharing ending prior to the introduction of the European data general data protection regulation. Despite this, the fine is still amongst the highest ever issued under pre-GDPR regulations. 

ICO fines production company for unlawful filming of patients in maternity clinic

True Vision Productions (TVP), a television production company have been fined £120,000 by the ICO for unfairly and unlawfully filming patients at the Rosie Birth Centre at Addenbrookes Hospital, Cambridge - a walk-in clinic for patients who are concerned about their pregnancy. The production company set up CCTV-style cameras and microphones in examination rooms at the clinic for a Channel 4 documentary on stillbirths. The recorded footage was later deleted.

The ICO investigation found that despite permission being granted by the hospital's trust to be on the site, the production company had subsequently not provided patients with adequate amounts of information about the filming taking place between July and November 2017, nor had they gained adequate permission from those directly affected by the filming in advance. Although TVP had posted limited notices and letters near to cameras and in the waiting room area, ICO found that these sources of information were not adequate in their explanation to patients about permissions. 

This fine adds to the growing trend of regulatory action being taken where organisations are not fully transparent with individuals about the collection of their information and how their information will be processed.