Category Archives: Data Protection

Facebook challenging temporary stop processing order by Irish DPC

Earlier this week it was reported that the Irish Data Protection Commission had taken action to temporarily suspend data transfers from the EU to the US by Facebook. It has now been reported that Facebook is challenging that decision in the Irish Courts by way of judicial review proceedings.

Following the European Court of Justice invalidating the Privacy Shield agreement between the EU and the US, Facebook decided to switch its transfer mechanism to standard contractual clauses (SCCs). The judgment of the ECJ in Schrems II approved of the SCCs, but made it clear that simply relying upon SCCs was not enough. The effect of the Schrems II decision is that supervisory authorities are required to suspend or prohibit transfers of personal data made in reliance on standard contractual clauses where those clauses are not being complied with or are incapable of being complied with.

There was always going to be some doubt about whether SCCs were an effective alternative to Privacy Shield, because the same issues that resulted in the invalidation of Privacy Shield exist in relation to transfers to the US utilising SCCs. The Irish DPC appears to have taken a preliminary view, which cannot be a favourable one given the action it has taken.

Little is known at this stage about the basis of Facebook’s judicial review; more on this will likely come to light as matters progress before the courts in Ireland. This is a case that anyone involved in international transfers of personal data should keep an eye on; the Irish Courts may apply some gloss onto the additional layers that may need to be added to SCCs in order to make them effective in particular situations.

The ability to order a controller to stop processing personal data (in whole or in part) is probably the most overlooked of the powers that supervisory authorities have; the impact of such orders can be more immediate and painful to controllers than an administrative fine. If the preliminary decision by the Irish Data Protection Commission survives judicial review then the implications for Facebook (and other companies that rely significantly on international transfers of personal data to third countries) could be significant.

Alistair Sloan

If you would like advice or assistance in relation to a data protection matter, or any other information law matter, then contact our team on 0141 229 0880 or by E-mail.

Data Subject Complaints: delays at the regulator

At the beginning of July it was reported that the Irish High Court had given permission for a judicial review of the Irish Data Protection Commission (“DPC”) to proceed. The judicial review has been brought by the European Centre for Digital Rights in respect of significant delays at the DPC in their handling of complaints made to them under the GDPR.

The application is being brought by the applicant as a representative body under Article 80 of the GDPR. The application pertains to two complaints made by two separate complainants; one in relation to WhatsApp Ireland Limited and one against Facebook Ireland Limited (as operator of Instagram). Both complaints were made on 25 May 2018, the day on which the GDPR became applicable throughout the European Union. The complaints, having originally been made to the German and Belgian supervisory authorities (respectively), were transferred by those supervisory authorities to the DPC as the lead supervisory authority for both companies.

The DPC is still to make a decision on the complaints, more than two years after they were made. The judicial review seeks (principally): (1) a declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, contrary to its duty under Article 57 of the GDPR and/or section 113 of the Irish Data Protection Act 2018; (2) a declaration that the DPC has not provided information and/or a draft decision to the relevant national authorities without delay, contrary to its obligation under Article 60(3); (3) a declaration that the DPC is in breach of its obligations under the GDPR and/or Irish data protection law; (4) an order directing the DPC to complete its investigation of the complaints within a time frame directed by the court; (5) a reference under Article 267, if required.

This is an interesting case from Ireland that is well worth keeping an eye on to see what the ultimate result is. Those who are familiar with the UK’s supervisory authority, the Information Commissioner, will see some similarities between the ICO and the DPC. The ICO is not renowned for acting quickly in respect of its regulatory functions; it’s yet to take a decision on regulatory action against British Airways and Marriott after issuing Notices of Intent (a precursor to a Penalty Notice; or, in GDPR parlance, an “administrative fine”) in excess of twelve months ago.

What can data subjects in the UK do where the ICO’s investigation of their complaint is moving at a glacial pace? The answer is to be found in section 166 of the Data Protection Act 2018, which makes provision for the First-Tier Tribunal to make orders requiring the Information Commissioner to progress a complaint.

Section 166 is a fairly limited provision; it does not create a route of appeal to the First-Tier Tribunal where the data subject is unhappy with the outcome of the complaint. It only provides a remedy to get the Information Commissioner to move the complaint forward to an outcome. Neither section 165 (which provides a right of complaint where Article 77 of the GDPR does not apply) nor section 166 requires the Commissioner to do anything more than investigate the subject matter of the complaint to the extent that is appropriate and to inform the complainant about the progress of the complaint (including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary); they do not require the ICO to do anything at all about any breaches that may have occurred. Section 166 is therefore not a right of appeal against a decision of the Information Commissioner that there has been no breach of the relevant data protection laws or against a refusal to take enforcement action in respect of a breach.

The decision of the ECJ in Schrems II, which was published last month, does, however, provide some scope for challenging a failure to act by the ICO. The ECJ was very clear about the duties and obligations on supervisory authorities to ensure that the GDPR is being complied with (and that includes positive obligations to stop processing where it is not being complied with). However, such a challenge would have to proceed by the much more expensive route of a judicial review in the Court of Session (Scotland) or the High Court (England and Wales / Northern Ireland).

Alistair Sloan

If you are a data subject who submitted a complaint to the Information Commissioner more than 3 months ago and have not had your complaint resolved, or are dissatisfied with the outcome of your complaint to the Information Commissioner, then we would be happy to discuss this with you. You can contact Alistair Sloan on 0141 229 0880 or by E-mail.

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriott and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were stored in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and their condition indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions. Instead, it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed up with more information and repeated the questions initially asked. The controller refused to answer those questions, and the Commissioner records that it appears as though the controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that, after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what is required by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner, which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point worth mentioning is that refusing to co-operate with the ICO during investigations is not recommended. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law, including the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. Where you are facing multiple regulatory investigations simultaneously, it is important that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data Protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways, giving them notice that she intends to issue a penalty notice in the sum of £183m. This is not the first time that news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject, or the matter having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by paragraph 2(1) of Schedule 16 to the DPA2018 to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which: (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenges the proposed amount.

When the Commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent, including being persuaded that the legal tests for issuing a penalty notice have not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written and, where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16).

Appeals
Unlike a notice of intent, a penalty notice is subject to a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect of the penalty notice. Depending upon the nature of the defects, they could ultimately lead to the Tribunal quashing the penalty notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in respect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Domestic CCTV and Data Protection

There was a time when CCTV systems were of a very poor quality and rather expensive, and were therefore limited to commercial premises. However, it is now possible to get reasonably good quality CCTV cameras for less than £20 and, as such, there has been a steady rise in the number of homeowners installing CCTV cameras to help with home security.

Article 2 of the General Data Protection Regulation (GDPR) sets out the Regulation’s material scope; it includes a carve-out for processing of personal data “by a natural person in the course of a purely personal or household activity.” This replicates the language of the Directive which the GDPR replaces and which was reflected in section 36 of the Data Protection Act 1998 (the “domestic purposes” exemption).

On the face of it, a home-operated CCTV system seems to fall squarely within the scope of the carve-out for personal and household activities in Article 2 of the GDPR; however, the case law which interpreted the old Directive adds some complexity to matters. The placing of a home CCTV system is of particular importance; in particular, what is caught by the camera. If the camera is placed incorrectly then it can result in the individual falling outside of the carve-out in Article 2 of the GDPR and becoming a controller, with all of the liability and responsibility that this entails.

Domestic CCTV can be particularly useful in situations where there are neighbour disputes or where there are allegations of harassment; however, these are equally the situations where a particular risk in terms of data protection law enters into the equation.

The issue of the use of domestic CCTV is something that I am increasingly being asked to advise on by clients; both the owners of the CCTV system and their neighbours. Invariably, there are issues that require to be resolved about the use of the domestic CCTV systems in these circumstances.

The matter has never been tested under the GDPR; however, given that the relevant provisions are substantially the same, it seems likely that the cases decided under the older Directive and the now repealed Data Protection Act 1998 remain of relevance and will very likely be followed by the courts. Care should therefore be taken when installing domestic CCTV systems to ensure that you can continue to rely upon the domestic purposes exemption and do not accidentally incur liability to third parties. People are becoming increasingly privacy-aware and concerned and, as such, it is becoming more important for domestic CCTV users to understand the limits of the domestic purposes exemption and how to avoid incurring liability under data protection laws.

Alistair Sloan

If you require advice and assistance in respect of the use of CCTV by individuals or business; or any other data protection or privacy law concern; then you can contact our team on 0141 229 0880 or by E-mail to info@inksters.com. You can also follow our dedicated information law twitter account for news and updates on a range of information law matters.

True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Vision Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breached the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicit consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicit consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked, and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with an MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because it did not adhere to individuals’ reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkins’ post on their blog here). If you can’t be bothered reading to the end, the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum on the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the past and present tense, sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the Commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notices issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The Commissioner’s drafting of information notices gets a pass, but could be better.
  3. The Commissioner does not need to use less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend to write over the coming months looking at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government by the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU requires to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. After “exit day” this will apply to controllers and processors based in EU and EEA states. It is therefore important that EU and EEA businesses which are not established in the UK, but which collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations”; these will function in much the same way. It is likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission’s agreements and adequacy decisions (such as the EU-US “Privacy Shield” arrangement, which replaced the invalidated “safe harbour” agreement). Similar arrangements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-Brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, provide appropriate safeguards for personal data when that personal data is transferred to a third country outside the EU.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan


Data Protection and Privacy Enforcement: November 2018

The year is progressing quickly and we’re now on to November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party, the obligation rests with you to ensure that you have lawful authority to make (or instruct others on your behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioner of their processing of personal data; however, they are still required to pay a fee to the Commissioner. Those who either (a) don’t know they are due to pay a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner [pdf] requiring the MPS to take a number of specified steps, including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidence of gang-related crime in London. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles.

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 [pdf] and also served it with an Enforcement Notice [pdf] after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solartech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 [pdf] and an enforcement notice [pdf]. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously come to the attention of the Commissioner’s office in 2014 and had been provided with advice from her office as well as being subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17, Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has been the subject of many recent legal battles in the employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack [pdf]. The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan


Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98”) – in respect of breaches that occurred prior to 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (“DPA18”).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the subscriber has notified you that they do not, for the time being, object to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing; it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists are screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS, and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile bringing appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.
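The screening step described in the TPS points above (and in the November post’s key point about downloading a fresh copy of the TPS list) is mechanical enough to show as code. The following is an added example written for this page; it is not ICO or TPS tooling and none of the companies discussed above used it. The telephone numbers are constructed from Ofcom’s drama ranges, and the 28-day freshness limit, the number normalisation and the order in which the checks are applied (the subscriber’s own objection to you first, then a TPS listing unless the subscriber has notified you that they do not object) are assumptions made for illustration.

```python
"""Screen an outbound direct-marketing call list against the TPS list.

Added example, not ICO or TPS tooling. The numbers below are constructed
(Ofcom drama ranges); the 28-day freshness limit, the normalisation rules
and the precedence of the checks are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

MAX_TPS_AGE = timedelta(days=28)  # assumption: refuse to screen against an older copy


class StaleTPSList(Exception):
    """Raised when the local copy of the TPS list is too old to rely on."""


@dataclass
class ScreeningResult:
    cleared: tuple             # numbers cleared for calling
    blocked_internal: tuple    # subscriber told us directly not to call
    blocked_tps: tuple         # listed on TPS, no overriding notification
    permitted_override: tuple  # on TPS but subscriber told us they do not object


def normalise(number: str) -> str:
    """Reduce a UK number to national-format digits so that '+44 20 7946 0000',
    '020 7946 0000' and '(020) 7946 0000' all compare equal."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0044"):
        return "0" + digits[4:]
    if digits.startswith("44"):
        return "0" + digits[2:]
    return digits


def tps_is_fresh(downloaded_on: date, today: date) -> bool:
    """True when the local TPS copy is no older than MAX_TPS_AGE."""
    return today - downloaded_on <= MAX_TPS_AGE


def screen(call_list, tps_list, tps_downloaded_on, internal_suppression,
           not_objecting, today):
    """Partition call_list. Assumed order of precedence:
    1. the subscriber's own objection to us (internal suppression) always wins;
    2. a TPS-listed number may be called only if the subscriber has notified us
       that they do not, for the time being, object;
    3. every other TPS-listed number is blocked."""
    if not tps_is_fresh(tps_downloaded_on, today):
        raise StaleTPSList(
            f"TPS copy from {tps_downloaded_on} is older than "
            f"{MAX_TPS_AGE.days} days on {today}; download a fresh copy first")
    tps = {normalise(n) for n in tps_list}
    internal = {normalise(n) for n in internal_suppression}
    overrides = {normalise(n) for n in not_objecting}

    cleared, blocked_internal, blocked_tps, permitted = [], [], [], []
    seen = set()
    for raw in call_list:
        n = normalise(raw)
        if n in seen:  # de-duplicate so a number is never dialled twice
            continue
        seen.add(n)
        if n in internal:
            blocked_internal.append(n)
        elif n in tps and n in overrides:
            permitted.append(n)
        elif n in tps:
            blocked_tps.append(n)
        else:
            cleared.append(n)
    return ScreeningResult(tuple(cleared), tuple(blocked_internal),
                           tuple(blocked_tps), tuple(permitted))


# Constructed sample data (Ofcom drama ranges, not real subscribers).
CONSTRUCTED_TPS = ["0141 496 0000", "+44 20 7946 0000", "0131 496 0000"]
CONSTRUCTED_INTERNAL = ["0113 496 0000"]
CONSTRUCTED_NOT_OBJECTING = ["0131 496 0000"]
CONSTRUCTED_CALLS = ["01414960000", "020 7946 0000", "0131 496 0000",
                     "0113 496 0000", "0161 496 0000", "(020) 7946 0000"]
SAMPLE_TODAY = date(2018, 11, 1)
FRESH_DOWNLOAD = date(2018, 10, 15)  # 17 days old: acceptable
STALE_DOWNLOAD = date(2018, 9, 1)    # 61 days old: refuse to screen


def run_sample(downloaded_on=FRESH_DOWNLOAD):
    """Screen the constructed call list against the constructed TPS copy."""
    return screen(CONSTRUCTED_CALLS, CONSTRUCTED_TPS, downloaded_on,
                  CONSTRUCTED_INTERNAL, CONSTRUCTED_NOT_OBJECTING, SAMPLE_TODAY)


if __name__ == "__main__":
    result = run_sample()
    print("cleared:", result.cleared)
    print("blocked (internal suppression):", result.blocked_internal)
    print("blocked (TPS):", result.blocked_tps)
    print("permitted (subscriber does not object):", result.permitted_override)
```

The point of raising rather than silently screening when the TPS copy is stale is that the failure mode the penalties above punish is precisely a campaign run against an old list; making the stale case an error forces the download to happen before any dialling does. Keeping the “does not object” notifications separate from the internal suppression list also leaves an audit trail of why a TPS-listed number was nonetheless called.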

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice in the sum of £150,000 [pdf] after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially cooperate with the Commissioner’s investigation: the penalty notice states that the Commissioner had to serve an Information Notice on OAUK, and it only made contact with the Commissioner’s office when it was threatened with prosecution for failure to comply with that Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 [pdf] after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which was found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in place to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 [pdf] after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather a notice of variation of the first ever enforcement notice served under the DPA18 [pdf]. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia (OIPC) notifying it either that the OIPC no longer requires the data for an investigation, or that the OIPC is content for AIQ to comply with the notice (whichever occurs first).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles [pdf]. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 [pdf] after she found that ACT had instigated in excess of 490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the Commissioner during her investigation, which contained a script directing those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan
