Included in this edition of data & privacy news; ICO publishes 2019-20 Annual Report; Hackers target UK sports sector; US banking app Dave reports data breach and more...

European Data Protection Board publishes FAQ document on CJEU judgment C-311/18 (Schrems II)

Following the judgement from the Court of Justice of the European Union (CJEU) in the Schrems II case against Facebook, the European Data Protection Board (EDPD) has issued a Frequently Asked Questions (FAQ) document to provide clarification and give preliminary guidance to supervisory authorities and other stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the United States. The EDPB will continue to develop the FAQ as it examines and assesses the judgement of the CJEU.

The ICO has issued a statement as a result of these FAQs, confirming that although further EU guidance is required, organisations should take practical steps at this stage to assess their data transfers in order to be flexible and reactive to further guidance from the EU as and when it unfolds. Given the role of supervisory authorities emphasised in Schrems II, the ICO has also confirmed that it will continue to adopt a "risk-based and proportionate approach". 

ICO issues toolkit to help public bodies respond to FOI requests in COVID-19 recovery period

The Information Commissioner's Office (ICO) has launched an online toolkit to help public authorities respond to Freedom of Information (FOI) requests as organisations prepare their recovery from the COVID-19 pandemic.

The toolkit is designed to assess compliance with the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, and to help organisations self-assess their performance in responding to FOI requests. The first phase of the toolkit focuses on timeliness, and is split into five modules covering: response rates; handling requests; training and awareness; compliance and assurance and governance structure.

Further toolkit developments will see other issues addressed, such as where the cost of compliance exceeds the appropriate limit. Prior to launch, the toolkit was tested with a range of public authorities who provided feedback and input for improvement. The ICO also received assistance from the Scottish Information Commissioner during the toolkit’s development stage.

ICO publishes 2019-20 Annual Report

The Information Commissioner’s Office (ICO) has published its Annual Report for 2019-20, covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.

Highlights from the report, which covers the 12 months to 31 March 2020, include the ICO handling 38,514 data protection complaints, closing 39,860 data protection cases (up 15% year-on-year) and receiving 6,367 freedom of information complaint cases. Over 2,100 investigations were conducted, and the ICO took regulatory action 236 times, including 54 information notices, 8 assessment notices, 7 enforcement notices, 4 cautions, 8 prosecutions and 15 fines. 

Hackers target UK sports sector

A report from the National Cyber Security Centre has revealed a range of cyber attacks on UK sports organisations. The report found that at least 70% of institutions suffer a cyber incident every 12 months. The report identifies three common tactics used by criminals to assault the sector on a daily basis, which are: business email compromise (BEC); cyber-enabled fraud; and ransomware being used to shut down critical event systems and stadiums. As the sector recovers from the impact of the coronavirus pandemic, the NCSC is urging organisations to consider the findings of the report and to follow its recommendations.

Garmin obtains decryption key after ransomware attack

Smartwatch maker Garmin has obtained the decryption key to recover its computer files from a ransomware attack. Garmin's services were taken offline on July 23 after a cyber attack infected the company's networks with a ransomware virus known as WastedLocker.

A number of Garmin's services are now operational and the business confirmed a cyber attack had taken place. Garmin stated that the company has no indication that any customer data, including payment information, was accessed, lost or stolen.

US banking app Dave reports data breach

Mobile-only banking app Dave, based in the U.S., has suffered a data breach in which some personal customer information was exposed. The breach reportedly affected 3 million customers, though Dave said that it did not affect customer financial information and that there is no evidence of any unauthorised account actions or any customers experiencing financial loss as a result of the breach.

The breach has been traced to an analytics platform by Waydev, a former third-party service provider to Dave. The company reported an unauthorized use of a GitHub OAuth token.

Uber drivers seek disclosure of company algorithm in Dutch case

Uber drivers have launched a legal case in the Netherlands to try to force the release of computer algorithms that are used to manage their work.

The case has been brought at the district court in Amsterdam, where Uber's European headquarters is based, by the UK-based App Drivers and Couriers Union (ADCU). The claim states that Uber's software tags drivers with keywords that relate to the allocation of rides, but that Uber drivers are not provided with the data or informed how it is used.