Included in this edition of Data & Privacy News: High Court clarifies the scope of liability for companies which have suffered a cyber-attack, ICO updates approach to regulation during Coronavirus pandemic and more...
High Court clarifies the scope of liability for companies which have suffered a cyber-attack
The High Court has provided welcome clarity on the scope of liability for companies which have suffered a cyber-attack, in a ruling with major implications for ATE insurance in data protection claims. The case of Warren v DSG Retail Limited [2021] EWHC 2168 (QB) followed a serious cyber-attack in which the claimant's data was affected. The claimant consequently sought damages to compensate for distress suffered. As well as breach of the Data Protection Act 1998, he pleaded misuse of private information, breach of confidence and common law negligence.
In a judgment that will be welcomed by data controllers, the High Court ruled that claimants who wish to seek redress following a cyber-attack can only do so through a claim for breach of data protection legislation, and should not plead a raft of other causes of action at the same time.
To read Addleshaw Goddard's analysis of this case and its implications, please click here.
Amazon reports record fine for breach of EU GDPR
Amazon has submitted a filing to the United States Securities and Exchange Commission, which details a record-breaking fine of €746m (£635m) for breaching EU GDPR rules relating to how it utilises customer data for targeted advertising. The fine followed a decision by the Luxembourg National Commission for Data Protection (CNPD) against Amazon Europe Core S.à r.l. on 16 July 2021. As Amazon's European company is based in Luxembourg, the CNPD is responsible for monitoring its compliance with regulations, including EU GDPR. Under these rules, the CNPD has the power to impose fines of up to 4% of a company’s annual global sales.
The case relates to complaints made by French privacy rights group La Quadrature du Net, which represents more than 10,000 customers. The claims, which also target Apple, Facebook, Google and LinkedIn, state that Amazon utilises customer data for commercial benefit by altering the adverts and information that customers receive.
In the filing, Amazon states that it believes the CNPD’s decision to be without merit and intends to defend itself vigorously in this matter.
ICO updates approach to regulation during Coronavirus pandemic
The Information Commissioner’s Office (ICO) has published an updated version of its summary of its regulatory approach during the Coronavirus pandemic. The document details how the ICO aim to retain confidence in how personal data is used and safeguarded, whilst also acknowledging the potential economic and resource burdens that their actions could place on organisations during the pandemic. The ICO's regulatory approach is split into three sections:
- Engagement with the public and organisations: The ICO plan to continue identifying and fast tracking any advice, guidance or tools that are deemed to have a significant impact on helping public authorities and businesses, as well as continuing to ensure that the public can raise complaints about information rights concerns.
- Regulatory action: The ICO will act "proportionately" and in line with its Regulatory Action Policy, continuing to take regulatory action against any organisation breaching data protection laws whilst also considering the current economic outlook before issuing fines to ensure their affordability.
- Freedom of Information Act and Environmental Information Regulations: The ICO seek to ensure transparency with relation to information regulation and expect public authorities to establish recovery plans to ensure any complaints backlogs are resolved in a reasonable timeframe, to ensure compliance with the Freedom of Information Act.
ENISA published report on the threat of supply chain security attacks
The European Union Agency for Cybersecurity (ENISA) has published a report on the threat landscape for supply chain attacks, which maps the trends of attacks discovered between January 2020 and July 2021. The report concludes that the number and sophistication of supply chain attacks increased throughout 2020 and were continuing to do so in 2021, with an estimated four times as many attacks in 2021 as in 2020.
The report found that for 66% of the analysed attacks, suppliers did not know or failed to report on how they were compromised, with 66% of attacks focused on the supplier’s code and malware being used in 62% of attacks. The report highlights the importance of good practices and the use of coordinated actions at EU level, as well as detailing a number of recommendations for ways customers can better manage supply chain cybersecurity risk and their relationship with suppliers.
ICO published new guidance on direct marketing in the public sector
The Information Commissioner’s Office (ICO) has published guidance for those responsible for data protection within public sector organisations, aimed at ensuring promotional messages are delivered in compliance with the law. In particular, the guidance provides greater clarity on when people have the right to object to promotional messages under UK GDPR, even if the message is not classified as direct marketing.
Direct marketing includes all types of advertising or marketing directed at individuals, including commercial marketing as well as fundraising and campaigning, via any form of communication. Whilst the majority of messages sent to individuals from public sector organisations are unlikely to constitute direct marketing, any type of organisation is capable of engaging in this practice. In doing so, public sector authorities will need to comply with the marketing rules in the Privacy and Electronic Communications Regulations (PECR) as well as the requirements of UK GDPR.
New inquiry launched into the Government's approach to tackling harmful online content
The Department for Digital, Culture, Media and Sport (DCMS) Sub-Committee on Online Harms and Disinformation has opened an inquiry into Government’s approach to tackling harmful online content, as outlined in the draft Online Safety Bill. The Sub-Committee plan to examine how focus has shifted since the introduction of the Online Safety Strategy Green Paper in 2017.
The draft Online Safety Bill will require social media sites and search engines to remove harmful content such as terrorist content, child sexual exploitation and abuse and disinformation that causes individual harm. Concerns have however been raised that the Bill's definition of harm is too narrow and may fail to address issues such as non-state intervention in elections, racist abuse and content that contributes to self-harm and negative body image.
As part of its inquiry, the DCMS Sub-Committee has opened a consultation on the subject, which closes on 3 September 2021.

