Helen Davenport: Good morning. For anyone who may not know me, I am Helen Davenport, a Partner in the Commercial Litigation Team at Gowling WLG and the Head of Cyber Security and Data Privacy for the UK firm.
Thank you very much for joining our latest IT masterclass by webinar this morning. I hope that you are well, you are managing with the lockdown and that your families are all well too.
The topics that we have selected to cover today are highly relevant in the context of COVID-19 but have a broader application too. You will hear from my colleague Rocio de la Cruz on online trading and data processing risks. Then Alex Kim will speak on direct marketing, and finally I will cover cyber security.
A couple of pieces of housekeeping. We all aim to speak for around 40 minutes and then answer as many questions as we can in the remaining time.
If you would like to ask a question during the seminar, you can do so by clicking on the Q&A button at the bottom of the screen and submitting your question where we will treat all questions anonymously.
I will now hand over to Rocio to talk to us about online trading.
Rocio de la Cruz: Good morning everyone. Welcome, I am very happy to be here with you this morning.
In this part of the session, my colleague Alex and I will cover three areas that we are advising on, particularly during this COVID-19 situation. These areas are terms and conditions, the re-use of cookies and the information provided concerning cookies, and marketing.
In any case, the main thing to bear in mind as we will show in the next slide is that, when you are offering on-line services, you are showing your website.
If I come on to my next slide you will see that this is what I call the accountability window, I think this is the main thing to bear in mind. What is on your website and what does the public see?
When you are offering goods and services online, your website is what I call the accountability window, because the way you have drafted your privacy notice, your consent forms, your cookies policies and your terms and conditions reflects your level of compliance to some extent. If you are on a website and you see a company with a poor privacy notice, this is telling the public that this company does not take GDPR compliance very seriously.
The reason why I call it a window is because this is what the regulators look at first. Even before contacting you, if they are investigating a company as a result of a complaint, they will probably go on the website and have a look first.
Let us talk about the impact on the precise documents that we are seeing due to COVID-19 as we get used to more changes. The first thing we are asking clients is 'what are you doing differently now and how does this affect customers'.
I mean in particular where these customers are consumers, because what you do differently is what now needs to be told to them in a very specific way and very clearly.
This is relevant because it will ensure compliance with the Consumer Contracts Regulations, especially for those of you who supply to consumers, and of course it also ensures compliance with the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. In practice, this affects things like, for example, changes to the delivery times if you are delivering goods, and changes to the delivery methods, which may mean that you need to revise your terms and conditions.
You may need to contract new service providers if you are seeing an increase in purchases made online, and you may need to employ more people in the warehouses, for example, while you are still complying with social distancing. Perhaps you need further support, and that again will mean a change to the terms and conditions as well. Some of these service providers might also be data processors, so that means additional documentation in terms of the arrangements that you have with your processors, your privacy notice and your terms and conditions.
You may also consider collecting additional data if you were thinking about restructuring the way you are going to market and targeting individuals. You may now be collecting more data, or you may collect less data if until now you were asking for signatures when you were delivering something and now you will not request the customer signature.
Again, that will have an impact on the privacy notice and if you collect additional data, you may need consent for the processing of this data to be lawful.
Finally, you may also consider using additional tracking tools and cookies, for example if you were using cookies for analytics purposes or in order for your website to provide a better experience to the customer, and now you are thinking of replacing the original cookies with cookies for targeting purposes.
Once you identify the changes that apply to the way that your business is going to be developed from now on during this situation, then you need to consider how and when to provide this information.
Something that I think most of us know is that the terms and conditions always need to be available on the website. There always needs to be a link to these terms and conditions. But in addition, there is specific information that needs to be highlighted at the appropriate time, and for those of you dealing with consumers, that time is stated in the CCRs.
You will see that I have included two slides with tables in, which include some of these relevant bits of information from a consumer perspective.
These are the lists of information that, after speaking with some clients, we noted are most likely to be impacted by the COVID-19 changes, and I have included a column on what is mandatory and a column on what is recommended by the European Commission. I do not have time to go through each of the changes, but I thought that you may find this table useful, and please feel free to raise any questions as you are reading through it. If you need more time to consider the information that I have provided in this table, and you want to drop me a line afterwards, I will be very happy to talk through it with you.
Moving on to the cookies. Whether or not you are considering using additional cookies now for your business, it is always a good time to review what you have, the information that you provide, and the way you are collecting consent.
As you know, cookies are governed by PECR, which needs to be read together with the GDPR and the Data Protection Act. It is very important that the information you provide to customers and the consent forms that you are using are simple, and that you review them and keep to them.
When updating a cookies document, you need to consider the revised guidelines published by the ICO in July last year. This was published in line with the approach taken by the European Court of Justice, in which certain points were clarified, and the key points are that most cookies need consent, except if it is a communication cookie or if it is a strictly necessary cookie. And my interpretation of strictly necessary is very narrow, so only the cookies that you need for the website or the app to work in terms of functionality.
Preference cookies, 'better experience' cookies and all of those tracking cookies are not considered necessary. Even if it is for the benefit of the user, you will need consent for those ones. Consent needs to comply with the GDPR requirements, even if it is for anonymised cookies. Analytics cookies will need consent, and the information that you need to provide needs to be detailed, including the length of time for which persistent cookies are going to be placed on users' devices.
These are the rules. Let us have a look at what this looks like in practice, and what audit approach we recommend. In practice, the steps we recommend are, first of all, to review and classify the cookies you have got.
Have a look at whether they are first or third party cookies, session or persistent cookies, and have a chat with your IT team or the people dealing with cookies about whether or not you collect personal data. Think about 'am I really using this cookie or this tracking tool? Do I need different or additional ones?', etc. Once you have got this classification done, then it is very important to group them by purpose. By purpose, I mean not what they do from a technical point of view but what you will do with the information you are collecting with them.
There may be 10, 12, 100 cookies used by your organisation that are used for exactly the same purpose and they collect more or less similar data and they operate more or less in a similar way.
You may be able to group all of those together to explain that all of those ones are for this particular purpose. When you are explaining this purpose, plan how you will explain it in very plain language (which is very important). You know, historically we always had or asked the IT team to fill the form in with each of the cookies explained and the technical name provided, and this still needs to be provided, but the first thing users see needs to be much clearer. Again, in plain language. To give you an idea, what the ICO says in the guidance that was published in July is that if you use cookies you will need to make a particular effort to explain the activities in a way that all people will understand. This is a kind of translating from IT into plain language, if you like, and this information should be provided in a granular and clear way, in both the cookies policy and of course the consent form.
I wanted to give you an example of a consent form because the ICO has also clarified what constitutes valid consent.
On my next slide you will see that I have brought the consent form that is used by the ICO. It seems that the ICO only uses analytics cookies, so this is simple. You will see that the explanation provided there is clear, and from what the ICO says in the guidance I would like to flag two points.
There would be many points to come out of it, but unfortunately we do not have time to cover each of them. The consent button. The consent button must be balanced. It must offer an option to consent and an option to reject, or this on/off option that you can see here in the ICO's example.
If you have a very big 'accept' button, centred in the cookie banner, and then a tiny, tiny one for 'reject' in the corner, just doing that would, in the ICO's eyes, be a breach of the obligation to collect valid consent that complies with the GDPR requirements. You have to offer two options.
The second thing is that the ICO states in the guidance that relying only on the user setting their browser themselves is not enough at the moment to be considered consent, so you still need to collect consent even if you provide information about how to set your browser to allow or not allow the setting of cookies. This is what I wanted to cover this morning, and now I will hand over to my colleague Alex, who will talk about the marketing amendments and updates.
Alex Kim: Thank you Rocio. Good morning, everyone. My name is Alex Kim, an associate in the Data Privacy Team here at Gowling.
With the shift towards online trading that we are seeing, coupled with the fact that earlier this year the ICO published a draft version of the code of practice on direct marketing, which I will refer to as the draft code, we thought it would be useful to our clients to cover this topic for this IT masterclass.
To start this off, direct marketing is governed by two areas of law: data protection and e-privacy. For data protection we have the GDPR and the DPA 2018, and rather helpfully the DPA actually provides a definition of what direct marketing is, which I have put on my slides. Please note the GDPR does not provide a definition. For e-privacy we have PECR, which Rocio mentioned earlier in relation to cookies, and PECR, as well as cookies, provides rules in the area of electronic marketing communications such as email, phone calls and fax.
On the next slide, I would just like to point out that there is an overlap between the two regimes, the most important one being the definition of consent. While PECR was introduced well before the GDPR, it has adopted the GDPR definition of consent, which is that 'consent must be unambiguous and involve a clear affirmative action', so an 'opt in' as opposed to an 'opt out'.
Moving on, at over 120 pages long the draft code is certainly not lacking in coverage. It is a consolidation of earlier guidance with important clarifications and updates in areas such as service messages, tell-a-friend schemes and marketing on social networking platforms. I will go through five subjects in this draft code which we believe are of most interest to the audience here today.
Firstly, service messages. According to the draft code, consent is not required under PECR where an organisation sends service or operational messages to individuals. The draft code provides the example of a mobile network provider, as shown on the slides: a text informing a user that they are approaching their monthly data limit is a service message.
However, if that text also encourages customers to buy more data, then the entire message will constitute direct marketing. When determining whether a communication is a service message, key factors include tone, phrasing and context. Service messages tend to be quite descriptive and neutral in tone, i.e. 'you are about to reach your data limit'. However, organisations will not avoid the direct marketing rules simply by using a neutral tone. For example, a message from a supermarket chain sent to an individual saying "we stock carrots" or "we stock flour", since flour is in such high demand nowadays, is clearly promotional, and I would just like to add that inserting a link to a special offer in a service message will mean that the entire message is actually going to be direct marketing.
Secondly, we come to dual branding promotion. Where an organisation partners with a third party to deliver electronic communications, both parties will need to comply with PECR, irrespective of whether each has access to the data used.
The ICO gives an example of a supermarket sending out a marketing email promoting the charity the supermarket supports. Although the supermarket is not passing the contact details of its customers to the charity it still needs to ensure that there is appropriate consent from its customers to receive direct marketing promoting the charity. The draft code goes on to say, where possible it would be good practice for the supermarket to screen against the charity suppression list.
We should mention that there are many variables in relation to dual branding, as all of you may appreciate. The brands could be actively working together to send the direct marketing, or it might just be one party that is entirely driving it without the other party even being aware of it. We cannot go through all the variables today, but what we will say is that organisations need to be more cautious about how they approach direct marketing involving other brands. We appreciate that it is a challenge for internal legal teams to review all marketing activities, but the approach to take might be to share guidelines with the relevant business teams so that they are aware of the issues to watch out for and can identify materials which should be raised for legal review.
The next subject is making a service conditional on direct marketing. The draft code states that in most cases it is unlikely that an organisation can make the provision of a service or a product conditional on an individual providing their consent to direct marketing. The ICO gives the example of a train operator that makes the provision of passenger Wi-Fi conditional on receiving consent to direct marketing. The ICO's conclusion is that this would not be compliant. We do not think this is anything too controversial. We had always suspected that this would be the case, but this is the first time it has been clearly established in the guidance, which is certainly helpful.
The fourth subject is tell-a-friend schemes. We commonly see organisations asking individuals to share or forward their marketing campaigns, for example a ready-made email, to family and friends.
The ICO describes this as a tell-a-friend campaign. According to the draft code, these schemes are in breach of PECR because it is impossible for the organisation to obtain valid consent from the friend, as the organisation does not have a direct relationship with the friend.
This area has not been specifically covered by the ICO in the past, so clarification on this is certainly helpful. However, we understand that such schemes are widely used by advertisers and brands, and we can imagine that the ICO's comments on this area will not be particularly welcomed and that push back from marketers can be expected. Whilst organisations will not have to stop such activities immediately, it would be useful to start looking into whether such a scheme is being used by your business teams.
Lastly, we have social media platforms. I think the ICO's comments on this subject are also likely to cause quite a reaction. In the interests of sticking to the estimated timeframe for this session, I will keep it quite brief.
Social media platforms offer a service which is commonly referred to as custom audience services, as explained on the slides, and the ICO has said that it is likely that consent is the appropriate lawful basis for using this service, and that it will be difficult for organisations to rely on the other lawful basis, legitimate interests. However, it is not entirely clear why or how the ICO has come to this conclusion. Under the GDPR an organisation can rely on legitimate interests to send direct marketing, and we are hoping that in the final version the ICO will provide more clarity and maybe even more flexibility around this.
Social media platforms also offer lookalike audience services, again explained on the slides. The ICO concluded that the brand and the social media platform are joint controllers. As the brand will not have a direct relationship with the individuals in the lookalike audience, it will need to be satisfied that the social media platform has the appropriate transparency information in place.
To end my section, in conclusion we recommend that organisations assess their current practices, identify areas of potential non-compliance and get the conversation started. For example, you can review service messages to make sure they do not contain marketing messages or, if they do, check whether there is a lawful basis to send that direct marketing message out.
Dual branding will have to be assessed on a case by case basis, so it will help to start reviewing what sort of partnerships are taking place, and the same applies to social media platform based advertising. Whilst the final position from the ICO is not out yet, it is worth getting the ball rolling in this area. Gather information on how this works within the organisation and start sharing what kind of direction the regulator could be going in.
That ends my section. Thank you everyone. I will pass you back to Helen now.
Helen: Thank you Alex. The last topic that we will cover today is why businesses need to be more cyber aware than ever.
Over the last decade, cyber security has become a vital part of corporate culture. Whilst businesses have bolstered their security measures, at the same time cybercrime is becoming increasingly sophisticated and the threat from cyber criminals much harder to predict.
There are much greater opportunities for cyber criminals and much greater losses that cybercrime can cause. COVID-19 has added to this. In these strange and uncertain times, a significant number of employees will be working at home for the foreseeable future.
For some, that will be a new experience, and for others at least a significant change in their working pattern, and for many employers and employees the right infrastructure and the right measures might not be in place, or if they are in place they still might not have been properly tested. Cyber criminals and hackers do not care and are already taking advantage of this. In the UK, the National Cyber Security Centre has handled more UK government branded scams relating to COVID-19 than any other subject.
Some more statistics for you on my next slide. As of last week, a total of more than £2 million has been reported to Action Fraud as lost by 862 victims as a result of Coronavirus related scams, and this has the potential to be just the start, because statistics from past recessions show that as GDP and the economy shrink, reported fraud increases.
Research from the University of Portsmouth suggest that by the latter part of 2020 if the economy shrinks by 15% then fraud is expected to increase by 60% in the UK. If the economy shrinks by more, by 25%, then fraud is expected to increase by 100% in the UK.
One of the key threats observed by the NCSC is phishing attacks, which hackers often use as their first route into an organisation: requests for credentials, passwords and user names, or malware that might be hidden in emails, where individuals are invited to click on links that take them to web pages run by the cyber criminals. The cyber criminals are extremely creative in devising new ways to exploit users and technology to achieve their objectives.
There is a heightened risk when working from home, away from colleagues and the workplace environment, and perhaps having distractions such as family members at home. People may be less vigilant and they may click on a link that they would have thought twice about in other circumstances.
The attackers are also playing on human nature and individuals' heightened anxiety in respect of COVID-19, so emails are headed "Coronavirus outbreak in your city, there is an emergency", or there might be guidance purporting to come from the World Health Organisation or from an individual in your area who is a doctor. Individuals may be more inclined to click on these because of their anxiety, and there have also been some SMS messages, again phishing scams, offering financial incentives to those who may be struggling financially as a consequence of COVID-19.
What should organisations do? The first point is to review cyber security measures that you have already got in place and consider if additional steps should be taken as a consequence of the new working arrangements.
Ensure that devices and connections are adequately protected. Warn your employees about the increased likelihood of phishing attempts and scams, and the possibility of them being related to COVID-19. It is also timely to remind people about your company policies on software updates and passwords, and if you do allow people to use their own devices and have a 'bring your own device' policy, make sure they are reminded of it and are complying with it. Make sure that there is a contact that people can direct questions to and raise concerns with, given the new issues they may be experiencing at this time.
You should also prepare for some attacks to succeed and ensure that employees know who to contact if that happens, even in circumstances where their PC may be frozen or compromised.
They might not be able to get to your resources through their normal channels, so make sure they know who they need to speak to, because if an attack does succeed it is much better to know about it sooner rather than later. There is a link to the NCSC guidance on the slide as well, which provides more information about the nature of the risks and the steps that organisations can take.
Getting cyber security wrong, or having cyber security failures, and the effects of cyber crime can of course give rise to a range of risks.
I have talked about fraud and financial losses there, and of course these issues can also give rise to other costs and expenses.
There is also a risk of enforcement action from regulators, including fines. Key developments we are expecting to hear about later in the year are the fines notified by the ICO in respect of BA and Marriott, so we are looking out for those. Other potential consequences could be reputational damage, business interruption and mass claims by affected data subjects.
Now in relation to the last point, mass claims by affected data subjects, there has at least been some good news for employers and insurers who underwrite their risks in the judgment given by the Supreme Court in the group claim against Morrisons, and as this has been a long awaited judgment, I am going to cover this development before we conclude this webinar today.
This was of course the case involving the Morrisons employee, Mr Skelton. In about November 2013 he was tasked with transferring payroll data for the entire workforce to Morrisons' internal auditors, a task he had been asked to undertake and had done the previous year. He also did this in 2013, but at the same time he kept a copy of that information for himself and published it on the internet, intending to pursue his own vendetta and to do Morrisons damage.
A group of the affected individuals brought claims against Morrisons for breach of section 4(4) of the Data Protection Act 1998, misuse of private information and breach of confidence. Now the High Court delivered its judgment some time ago, back in December 2017. It rejected the contention that Morrisons bore primary liability to the employees.
It came to the view that Morrisons had taken appropriate technical and organisational measures to protect the data in question, save in one respect, which was not actually causative of any damage. The trial judge did however find that Morrisons was vicariously liable, as Mr Skelton's employer, for Mr Skelton's actions. Now Morrisons had argued it could not be vicariously liable because what Mr Skelton had done was not committed in the course of his employment, but this was rejected by the court on the basis that what he did was still closely related to what he was asked to do, transmit the data to the auditors, even if then publishing it on the internet was not authorised. Now the court had not considered in that trial what the claims were worth, as the trials on liability and quantum had been split.
This finding of vicarious liability against Morrisons had the potential to be very expensive for Morrisons, as even if each claimant received a very small sum of money, when multiplied by the number of claimants the total bill would be a very significant sum. Morrisons appealed on two issues.
They maintained their argument that there should be no vicarious liability on the facts. They alternatively argued that, regardless, the DPA 1998 excludes vicarious liability; in essence, the DPA 1998 as a statute exclusively sets out the scope of Morrisons' liability, and as it does not mention vicarious liability, that should be excluded. The Court of Appeal dismissed the appeal on 28 October, in particular noting that the motive of the rogue employee was irrelevant, and it felt that the previous finding by the High Court created no doomsday scenario for other employers, as they could obtain insurance to cover any claims that they might subsequently receive. Morrisons pursued the matter to the Supreme Court, which delivered its judgment at the start of the month.
On the question of whether Morrisons was vicariously liable, the court said there were two questions that had to be addressed: what functions or field of activities had been entrusted to the individual, and was there a sufficient connection with the wrongful conduct.
Now the Supreme Court said the Court of Appeal had misunderstood the previous authorities, and in fact it was material whether Mr Skelton was acting on Morrisons' business or for purely personal reasons.
As Mr Skelton was, as the court put it, on a frolic of his own, Morrisons was not vicariously liable. This was good news for Morrisons, but on different facts the decision could have been different. Now having decided there was no vicarious liability the court did not need to look at the second question, whether the Data Protection Act 1998 excluded vicarious liability, because they had already found there was not any.
But the court considered it would be helpful to do so and that part of the appeal actually failed, the court finding that imposing a statutory duty is not inconsistent with the co-existence of vicarious liability.
What that means going forward for organisations, summarised on the next slide, is that employers can still be liable for data protection breaches where the employee is engaged, however misguidedly, in furthering their employer's business, and organisations may also be directly liable if they fail to comply with security requirements to safeguard data. Now this was a Data Protection Act 1998 case, but we expect it to be mirrored in decisions under the GDPR going forward because of the similarity of the regimes, save that, if anything, the requirements on data controllers are even more stringent under the GDPR.
So the outcome is unlikely to change the growing trend in group claims and other claims against data controllers arising out of personal data breaches. Cyber security is more important than ever, and it is important to be extra vigilant as we are all experiencing the impact of COVID-19.
So that concludes what I wanted to say on cyber security. We have got five or so minutes, which I think will enable us to cover some questions. Rocio, I think there were a couple of questions that came in for you, possibly short questions, so if you want to take those and then we will hand over to Alex.
Rocio: Yes I think there are four questions I would like to answer.
So the first one is: what do you mean by consent form within the accountability window? Can you expand on this please?
So what we mean is that anything that you have got on your website or on the app is accountable, so it is a window onto how accountable you are. Consent form, I mean any consent form that you use in order to collect consent; that may be for cookies, that may be to process personal data. And what I mean is that when a regulator is investigating, they may even register as a user and look at how you collect consent, and they may investigate that before they even contact you, so if you change it later, they will know. That is what I meant by consent form. It is any consent form that you use.
There is another one; I think I responded to that, but I will read it through anyway. On cookies, we have seen a trend where developers highlight the 'yes' option for cookies more prominently than the option for opting out when presenting the cookies pop-up, and they ask whether this practice is permitted under the current UK and EU rules.
Our view is that this is not a valid option; it needs to be balanced, as was shown on the slides. For example, the European Data Protection website now has an 'accept' and a 'reject' button and they are exactly the same size, and this is expected to be the standard going forward.
Another question is, what are the penalties for getting this wrong?
Okay, in terms of failure to provide information, or the information that is provided in the terms and conditions, that is subject to different sector specific regulations, so it depends on the area, but under the Consumer Contracts Regulations, which is what we were talking about here, the main consequence will be more that some of these terms that were not clear will not apply, or will apply for the benefit of the consumer. In terms of liability, you may not be able to claim for certain liabilities or, for example, if there are changes to the delivery times or methods and the customer was not informed, then it will be considered that they are what they were before, again for the benefit of the customer, and this may affect, for example, your costs. If you now intend that the customer will have to pay, for example, if they want to cancel a purchase or return it, and that is not clear, then you may not be able to claim for those costs.
But in terms of the cookies, I think that is a very good question actually, because my view is that, if you are not collecting personal data, what PECR states is that the penalty will be up to £500,000, because this is a regulation that comes from a directive that was approved before the GDPR. We are waiting for a new one in which it is expected that the fines will be more similar to the GDPR. But at the moment, this is all we have got, and even though you will need to interpret the meaning of consent in line with the GDPR, the penalty for breaching PECR will be up to £500,000.
However, having said that, if you are collecting personal data through cookies, then you are processing personal data under the GDPR. If the legal basis to process that personal data is consent, even if it is consent according to PECR, now we are in the territory of processing personal data, and then you are facing the GDPR fines, which as you may know are up to 4% of total global annual turnover or up to €20 million.
And then the last one, just very quickly, but I thought it was interesting to clarify this. I read that the ICO will not take action against companies in lockdown. What is the risk if we do not have a data privacy notice or consent form?
The ICO has said that it is going to relax, or understand, the circumstances we are all facing in terms of security, so they understand that we are now moving to remote working and it may take time to catch up on security. It has expressly said that it will understand if you can justify it, not by default, that is the key. Any delays, for example, in responding to subject access requests or freedom of information requests and so on.
But it has not said that it will not enforce, and in fact it has expressly said that if a company tries to take advantage of this situation it will enforce very heavily. That is all the questions I have got, so I will hand over to Alex to respond to his.
Helen: Conscious of time Alex, so do you want to take one direct question and then we will conclude the session and we can always take additional questions, follow-up by email afterwards.
Alex: Yes, yes, definitely. The question we got was: is consent required for communications regarding recruitment and job vacancies to prospective candidates, because it constitutes direct marketing?
Well, the quick answer is no, assuming that the communication is strictly about job recruitment and does not include other messages. If this job recruitment is for internal admin and resourcing purposes, it is unlikely to be considered as promoting your products and services, so the laws around how you send out such communications would be the data protection laws.
Okay. That is it for me. Thank you.
Helen: Many thanks to everyone for joining us. As I said at the outset, we will follow-up with a copy of the session and if you have got any additional questions, then do feel free to contact one of us after the session. Many thanks.
Rocio: Thank you very much, have a good day.
Alex: Thank you.