Included in this edition of data & privacy news: Join our Data Disputes Webinar on Tuesday 17 November; ICO reduces Marriott fine to £18.4 million; Police given powers of access to individuals' self-isolation data and more...


Data download webinar: Understanding the impact of the ICO's data broking investigation

Join our Data Management Team on Tuesday 17 November at midday as they discuss the impact of the ICO's data broking investigation.

ICO reduces Marriott fine to £18.4 million 

The ICO has reduced Marriott's data breach fine to £18.4 million, reflecting the improvements the hotel group has made to its cyber security, as well as the impact of the coronavirus pandemic. 

In July 2019, the ICO issued a notice of intention to fine Marriott over £99 million for infringements of the GDPR. The fine related to a cyber-attack on Starwood Hotels and Resorts Worldwide Inc. in 2014, when an estimated 339 million guest records were exposed. The cyber-attack remained undetected until September 2018.

Marriott didn't acquire Starwood until 2016, but the ICO investigation found that the hotel company failed to undertake sufficient due diligence when it bought Starwood. 

Uber facing court for using automated decision making to fire employees

Uber is being taken to court in the Netherlands by former employees for using automated "robo-firing" algorithms to dismiss them. The legal challenge is the first of its kind to test the protections of Article 22 of the GDPR.

Uber said that drivers' accounts were only deactivated after a manual review by an individual.

ICO publishes new detailed guidance on Subject Access Requests

The ICO has published new detailed guidance on Subject Access Requests (SARs) to help organisations deal with them in a more effective and efficient way. 

Following the consultation on the guidance in December 2019, the ICO has provided clarity on three key points raised: time limits when seeking clarification on requests; when a request is manifestly excessive; and what can be included when charging a fee for excessive, unfounded or repeat requests.

The ICO is also planning a suite of resources to provide extra support, which will include a simplified SAR guide for small businesses.

ICO fines Reliance Advisory for breaking electronic marketing law

The ICO has issued Reliance Advisory, a Bury-based company, with a fine of £250,000 for breaking electronic marketing law over a six-month period in 2019.

The company made 15.1 million calls about claims management services to individuals who had not consented to receive them. Of these calls, 1.1 million connected. 

Police given powers of access to individuals' self-isolation data

Senior health figures have raised concerns over the powers of access police forces in England have been given in relation to NHS Test and Trace.

Under guidance published by the Department of Health and Social Care on 16 October, the police are able to access contact details of individuals instructed to self-isolate by the system, an arrangement that could undermine public trust in the testing regime.

Information includes names, self-isolation addresses, contact details and dates they were instructed to self-isolate. 

The data will also be available to local authorities for investigatory purposes. 

Key Contacts

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial and Data Protection
London
