Monthly Archives: January 2018

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the General Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opting out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a few points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there are likely to be some temporary adjustments to PECR from 25 May 2018; that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

Data Protection/Privacy Enforcement: December 2017

Our monthly look at the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters continues with a review of the enforcement action published by the ICO in December 2017.  You can view last month’s review of the November 2017 enforcement action here.  December 2017 was not an overly busy month for the ICO; they published just one Enforcement Notice.

Key Points

  • Ensure that you have in place adequate procedures to ensure that you handle Subject Access requests within the time allowed by the law.

Enforcement Action

Secretary of State for Justice
The Secretary of State for Justice was served with an Enforcement Notice [pdf] requiring him to deal with his department’s backlog of delayed Subject Access Requests.  As at 10 November 2017 the Ministry of Justice had 793 Subject Access Requests which were over 40 days old; some of this backlog was made up of Subject Access Requests made in 2014.  This was a reduction from the 919 requests more than 40 days old as at 28 July 2017 (which included requests going back to 2012).  The Data Protection Act 1998 requires that Subject Access Requests be responded to within 40 calendar days (this will be reduced to one month under Article 12(3) of the GDPR – you can find out more about this change, and others to the right of subject access, in my blog post on Subject Access Requests under the GDPR).

Alistair Sloan

If you require advice or assistance with Subject Access Requests, or any other Information Law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent, then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan an E-mail.

The National Security Blanket has been Shrunk

On 2nd January 2018 the Upper Tribunal (Administrative Appeals Chamber) (consisting of Charles J, Lane J and Anne Chafer)  published an important decision [pdf], dated 14th December 2017, on the application of the exemption in section 23 of the Freedom of Information Act 2000.

The exemption in section 23 relates to information supplied by, or relating to, bodies dealing with security matters.  Subsection (3) provides a list of 15 bodies to which the exemption applies; including the Security Service (MI5), the Secret Intelligence Service (MI6), the National Crime Agency (NCA) and the Government Communications Headquarters (GCHQ).  The actual exemption is contained in Section 23(1) and provides that:

Information held by a public authority is exempt information if it was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3).

Background

The decision is worth reading in full, but the essential background to the decision is as follows.  On 21st August 2015 the Royal Air Force carried out a precision air strike in Syria utilising a remotely piloted aircraft (commonly referred to as a ‘drone strike’).  The strike took place in the Syrian city of Raqqa and the target was 21 year-old Reyaad Khan, who was born in Cardiff, and had featured in a ‘recruitment video’ produced by ISIS (also known as IS, Daesh or ISIL).  The strike killed the intended target along with two other ISIS fighters, one of whom was also British.

On 7th September 2015 the then Prime Minister, David Cameron, made a statement to the House of Commons.  In his statement to the House, Mr. Cameron provided details on the operation which had taken place in August 2015 in Raqqa.  The Upper Tribunal’s written reasons for its decision quote extensively, at paragraph 10, from Mr. Cameron’s statement to the House.  It also quotes an exchange between Mr. Cameron and the then acting leader of the Labour Party, Harriet Harman MP (paragraphs 11 and 12).

In compliance with the United Kingdom’s obligations in terms of Article 51 of the UN Charter, the UK’s Permanent Representative to the United Nations wrote to the President of the Security Council informing the President that the UK had undertaken the 21st August 2015 operation and that this was in “exercise of the inherent right of individual and collective self-defence.”  The Upper Tribunal has quoted further from that letter in paragraph 13 of its decision.

There is much more to the background than can be dealt with in this blog post; however, it is comprehensively set out in the Upper Tribunal’s decision.  Suffice it to say that Freedom of Information requests were made by the appellants to the Attorney General’s Office (AGO) and to the Cabinet Office.  These requests were refused by the public authorities and, in three decisions dated 30 August 2016, the Information Commissioner upheld the decisions of the AGO and the Cabinet Office.  The appellants appealed to the First-Tier Tribunal (Information Rights) and the appeals were transferred to the Upper Tribunal in terms of Rule 19 of The Tribunal Procedure (First-Tier Tribunal) (General Regulatory Chamber) Rules 2009 – which allows appeals to the First-Tier Tribunal against decisions of the Information Commissioner’s office, amongst others, to be transferred to and be determined by the Upper Tribunal instead of the First-Tier Tribunal; essentially the appeal ‘leap-frogs’ the First-Tier Tribunal.

Section 23 of FOIA

Section 23 of FOIA is an absolute exemption, which means that it is not necessary for the public authority to consider where the public interest rests between maintaining the exemption and disclosure.  It was designed to ensure that there was no backdoor route to gaining access to information held by the security services under FOIA.  The security services are not public authorities for the purposes of FOIA and this exemption ensures that information which is supplied by, or relates to, one of the security bodies in section 23 cannot be obtained from a public body which is a public authority for the purposes of FOIA.  A similar exemption, but not identical, can be found at Section 31 of the Freedom of Information (Scotland) Act 2002.

The Upper Tribunal’s decision

The Tribunal’s starting position seems to have been that FOIA provides a right of access to information rather than documents.  When responding to an FOI request, a public authority does not need to supply a copy of the document which contains the requested information (although, in practice, an authority will often provide the document – redacted where necessary).  The request can be complied with by extracting the information from the document or other records held by the authority (APPGER v ICO and FCO [2015] UKUT 0377 (AAC)).  This seems to be a key pillar of the Upper Tribunal’s decision in Corderoy and another v The Information Commissioner and others.

The Upper Tribunal has in this case qualified a statement that was made in the decision of the Upper Tribunal in the APPGER case.  In the APPGER case, the Upper Tribunal stated that “…information, in a record supplied to one or more of the section 23 bodies for the purpose of the discharge of their statutory functions, is highly likely to be information which relates to an intelligence or security body and so exempt under section 23.”  The Respondents in the present case appear to have relied upon this position to argue for a very broad interpretation of section 23.  The Appellants however argued that the absolute exemption in section 23 would prevent disclosure under FOIA unless:  (a) the legal analysis relied upon to found the view that the policy decision was lawful can be disaggregated and provided in an intelligible form; and (b) any such disaggregated information falls outside the scope of section 23.

The Appellants were interested in the legal advice which underpinned the Government’s policy decision.  They argued that if this information could properly be removed from the documents supplied to the section 23 bodies, and that information itself was not provided by, or related to, a section 23 body, then section 23 did not preclude disclosure and the information instead had to be considered under the qualified exemptions in sections 35(2) and 42 of FOIA (relating to the formulation of government policy and legal advice).

The Upper Tribunal eventually concluded that, while the information in question was clearly of interest to the section 23 bodies; Parliament did not intend, when enacting Section 23(1), for the exemption to apply to information simply because it might be of interest to the section 23 bodies.  The information in question in the present case was concerned with, and confined to, the question as to whether the Government’s policy was lawful.

The Upper Tribunal then went on to consider the public interest arguments, deciding that the public interest rested in maintaining the alternative qualified exemptions rather than in disclosure.  The Upper Tribunal held that it was not necessary for the Government’s legal advice to be shared in order to enable a debate on the lawfulness of the Government’s position to take place; indeed, a considerable debate had already taken place on the issue without the information.

Criticism of the Information Commissioner’s Investigations

The Upper Tribunal also took issue with the way in which the Information Commissioner had conducted her investigations into the complaints made by each of the appellants.  The Information Commissioner had proceeded on the basis of assurances given by the AGO and the Cabinet Office that the information was exempt under section 23(1) of FOIA rather than exercising her statutory powers to require the AGO and Cabinet Office to provide her with the information in question for her consideration.

The Upper Tribunal was extremely critical of this approach by the Commissioner.  The Commissioner did modify her position before the Upper Tribunal; however, the Upper Tribunal remained extremely critical.  At paragraph 95 of its decision, the Upper Tribunal stated:

We acknowledge the resource difficulties of the Information Commissioner but we consider that the course adopted here of effectively permitting the other two Respondents to be the decision-maker on the challenge to their stance of the application of the absolute exemption in section 23 is unfair.

The Upper Tribunal went on to state in paragraph 97 of its decision that:

If the relevant public authority wishes to avoid a consideration of the relevant documents and so information and disaggregation issues, we have not thought of any circumstances in which it could rely on an assurance rather than a certificate given pursuant to s. 23(2) that can be appealed under section 60.

Under section 23(2), a certificate signed by a Minister of the Crown certifying that the information to which the certificate applies was directly or indirectly supplied by, or relates to, any of the bodies specified in section 23(3) is conclusive evidence of that fact.  The conclusiveness of the certificate is, however, subject to section 60 of FOIA which allows the Commissioner or any requester who is affected by the certificate to appeal the certificate to the First-Tier Tribunal.  The Tribunal can, if it decides that the information in question is not covered by section 23(1), quash the certificate.

Such a certificate may not ultimately prevent the First-tier Tribunal from carrying out the exercise that the Upper Tribunal ultimately carried out in this case, but it does prevent the Commissioner from doing so as the Commissioner is bound to rely upon such a certificate as being conclusive evidence of the application of section 23(1).

Comment

This was an important decision of the Upper Tribunal which clarifies the scope of Section 23(1) of FOIA and which also makes it clear how the Commissioner should conduct her investigations where a requester is challenging the application of section 23(1) of FOIA, but where no Minister of the Crown has signed a certificate pursuant to Section 23(2) of FOIA.

The Upper Tribunal has provided for a more defined exemption rather than for the blanket approach that was being taken by the Respondents.  What can be taken from this case is that information which may be of interest to those bodies listed in section 23(3) of FOIA, and thereby relate to them, will not automatically engage the exemption in section 23.

The Upper Tribunal’s comments on the way in which the Information Commissioner conducted her investigations in relation to these complaints are also of note, and indeed of wider importance.  It is clear that the Upper Tribunal expects the independent regulator to be independent (perhaps not a surprising conclusion); in this case it appears that she did not act as independently as she should have.  It was not appropriate for the Commissioner to rely on assurances given by the public bodies concerned and she ought to have required that a copy of the disputed information be provided to her for her consideration or that a certificate be issued pursuant to section 23(2) of FOIA.  While sympathetic to the pressure on resources that the Commissioner was experiencing, this did not provide an excuse for failing to properly investigate an area of contention between the requesters and the public authorities (and indeed between the public authorities themselves, who arrived at the same conclusion but for different reasons).

Alistair Sloan

We have experience of appeals against decisions of the UK Information Commissioner to the First-Tier and Upper Tribunals and also of handling appeals against decisions of the Scottish Information Commissioner.  If you would like to discuss a Freedom of Information matter with Alistair Sloan then you can contact him on 0345 450 0123 or send him an E-mail.

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law: the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for the Regulation then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB).  This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Convention on Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likely to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as Scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.