In the digital age, where information and data protection are at the forefront, safeguarding personal data is a paramount concern for organisations globally. The data protection supervisory authority in the United Kingdom (“UK”), the Information Commissioner's Office (“ICO”), has several powers, including issuing warnings and reprimands and the authority to impose a temporary or permanent ban on an organisation’s processing of personal data.
Over the last 18 months, the UK has witnessed several occurrences of media and digital organisations receiving regulatory enforcement action from the ICO. In this blog post, we've outlined some of the most noteworthy enforcement actions.
My Media World Limited trading as Brand New Tube
In July 2023, the ICO issued a reprimand to My Media World Limited, trading as Brand New Tube (“BNT”), following alleged infringements of the UK General Data Protection Regulation (“UK GDPR”). In August 2022, an unauthorised third party gained access to BNT's systems and extracted the personal data of 345,000 UK data subjects, including their names, email addresses, and passwords. BNT were unable to pinpoint the exact cause of the breach.
The ICO found that BNT failed to provide evidence of regular penetration testing or vulnerability scanning on their systems. BNT told the ICO that a third party was responsible for providing this service but could not confirm when the scans were last performed. The ICO also found that BNT did not have appropriate organisational measures in place to ensure the confidentiality and integrity of their systems and failed to evidence how the personal data for which they were responsible was stored and protected.
Due to these alleged infringements of Article 32 of the UK GDPR, the ICO provisionally decided to issue a reprimand and recommended steps for BNT to comply with Article 32 of the UK GDPR including ensuring they have appropriate contracts in place with any third-party providers and ensuring they keep accurate records of their processing activities and the security measures they are implementing.
TikTok Information Technologies UK Limited and TikTok Inc.
In April 2023, TikTok Information Technologies UK Limited and TikTok Inc. (“TikTok”) was fined £12.7 million by the ICO for various breaches of data protection law related to children's data. Despite TikTok's rules prohibiting users under 13, the ICO estimated that around 1.4 million children under 13 used the platform in 2020. TikTok failed to obtain parental consent for using the personal data of these children and did not adequately remove underage users from its platform. The ICO emphasised the importance of protecting children online and introduced the Children's Code to safeguard them.
Clearview AI Inc.
In May 2022, the ICO announced its decision to issue Clearview AI Inc. (“Clearview”) with a monetary penalty notice, requiring it to pay approximately £7.5 million for using images of people in the UK, and elsewhere, that were collected from the internet and social media to create a global online database that could be used for facial recognition. The ICO also issued Clearview with an enforcement notice, requiring it to delete and refrain from processing the personal data of any data subjects in the UK. The ICO highlighted that Clearview collected over 20 billion facial images and data from various online sources worldwide without informing individuals or obtaining their consent.
The ICO took action because, in its view, Clearview’s actions violated the EU and UK GDPR, including failing to use personal data transparently, collecting data without a lawful reason, lacking a process for data retention, and not meeting the necessary standards for biometric data.
However, in October 2023, the First-tier Tribunal (“Tribunal”) overturned the notices issued by the ICO. The Tribunal held that, although the processing undertaken by Clearview was related to the monitoring of data subjects’ behaviour in the UK, Clearview now only provided its services to non-EU and EU law enforcement or national security bodies and their contractors. As such, the processing was beyond the material scope of the UK GDPR and was not relevant processing for the purposes of Article 3 of the UK GDPR. The Tribunal therefore concluded that the ICO did not have jurisdiction to issue the notices to Clearview.
This recent judgement does not prevent the ICO from taking action against international companies that process the data of individuals in the UK; it only addresses a specific exemption related to foreign law enforcement agencies. Notably, data protection supervisory authorities in Canada, Australia, South Africa and the EU, including France, Italy and Greece, have taken enforcement action against Clearview.
Our Data Protection Law Services
We have an array of highly experienced lawyers who specialise in data protection law. Our lawyers can advise you across multiple jurisdictions and collectively have over 50 years’ experience in this field.
We can do the following for you:
ensure that your organisation has established lawful bases for processing personal data;
advise on the implementation of robust security measures, including encryption and access controls, to protect personal data from unauthorised access and breaches;
draft all of your data protection documentation (including notices, policies and procedures);
develop processes for efficiently handling data subject access requests;
help your organisation establish robust data breach response plans that include clear steps for investigations, containment, notification and mitigation in the event of a security incident;
ensure that your organisation complies with international data protection laws and regulations;
assist in conducting data protection impact assessments to evaluate the potential risks and privacy implications on data processing activities;
ensure that you have appropriate contracts in place with any third-party providers which set out the roles and responsibilities of each party;
offer data protection training programs to educate employees on their responsibilities and obligations under data protection laws and regulations;
provide ongoing monitoring and compliance checks to ensure that your organisation stays up to date with evolving data protection laws and regulations; and
support you through investigations or enforcement action that you’re facing.
If you’d like to get in touch with our team, please contact us on email@example.com.
Article by Puja Modha (Partner) and Sarah Davies (Paralegal) – 21 November 2023