Included in this edition of Data & Privacy News: ICO issues first fines for security breaches under the GDPR; Energy supplier E.on discloses 498 customers' email addresses; Right to privacy recognised in Scots law; and more...

ICO issues first fines for security breaches under the GDPR 

The Information Commissioner's Office (ICO) has issued notice of intention to fine British Airways £183m and Marriot International £99m for infringements of the General Data Protection Regulation (GDPR).

The British Airways fine relates to a cyber incident which the company reported to the ICO in September 2018.

The Marriot International fine relates to a cyber incident reported to the ICO in November 2018.

British Airways and Marriott International have cooperated with the ICO investigations and have made improvements to their security arrangements since these incidents emerged. Both companies will now have the opportunity to make representations to the ICO before a final decision is made.

ICO publish new cookies guidance

The UK ICO has published revised guidance on the use of cookies and similar technologies to reflect changes that come from the GDPR and impact the application of the rules on cookies contained in the Privacy and Electronic Communications Regulations.

The new guidance confirms that consent is not required for essential cookies necessary for the operation of a website, but that for other cookies (including analytics cookies) organisations should be seeking opt-in consent with the default position being set to opt-out of cookies.

The ICO have also indicated that they will consider taking enforcement action against organisations that fail to change their approach to cookies in line with the guidance – indicating a significant change in enforcement policy in this area.

Ross McKenzie, Commercial and Data Partner at Addleshaw Goddard, has written a blog on this interesting development.

Energy supplier E.on discloses 498 customers' email addresses

Energy supplier E.On has apologised for an error after it revealed 498 customers' email addresses in requests for their meter readings. 

Emails should have been sent to individuals only, however 497 recipients were copied in due to a "system error" with E.on's automated service.

E.on discovered the incident "within 4 minutes" of the emails been sent and has spoken to the customers affected, as well as those who have raised concerns about the sharing of details. The matter has also been reported to the ICO.

ICO investigating how TikTok handles child data 

ICO Commissioner, Elizabeth Denham, has told a parliamentary committee that the ICO is investigating the video-sharing app TikTok for how it handles the personal information of its young users, as well as how it prioritises their safety.

The ICO began the investigation in February following TikTok's record fine of $5.7m (£4.2m) from the US Federal Trade Commission for illegally collecting personal data from children under 13.

In addition to concerns about personal data collection, Ms Denham said there were concerns about how the open messaging system on the social media app allowed any adult user to message any child user.

TikTok could face a fine of up to £17.9m, or 4% of revenue, whichever is higher, if found to be violating GDPR. Under the GDPR, the company is required to impose a higher standard of protection when it comes to children using online services.

Complaint against GDPR Immigration exemption filed with European Commission

The European Commission has received a formal complaint against the UK for allegedly flouting GDPR by including a broad immigration control exemption in the Data Protection Act 2018 (DPA).

The complaint has been made by the Platform for International Cooperation on Undocumented Migrants', joined by several migrant and digital rights organisations. 

Under the DPA, the government and others are allowed to ignore the EU's data protection rules when those rules impede “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control.”

Right to privacy recognised in Scots law 

For the first time in Scots law, a judge has ruled that there is a right of privacy in the common law of Scotland, and its nature and scope is similar to that protected under article 8 of the European Convention on Human Rights. 

Lord Bannatyne, a Court of Session judge, made the ruling in an action brought by police officers against whom misconduct proceedings were raised after a detective investigating sexual offence allegations against another constable found inappropriate and offensive "WhatsApp" messages.

Lord Bannatyne held that given the content of the "Whatsapp" messages and the standards expected of the police, the officers could have “no reasonable expectation of privacy”.