Tag Archives: Administrative Fines

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6th and 7th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the Information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to which might start to become clearer by the Summer.

Brexit also featured in the information law world in other respects as well. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP and in also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriot and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK Regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were contained in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and the condition of them indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, but instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed-up with more information and repeated the questions initially asked. The controller refused to answer those questions and the Commissioner records that it appears as though the Controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what was enquired by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner; which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point that is worth mentioning is that it is not recommended that controllers do not co-operate with the ICO during investigations. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law; including, the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. It’s important that where you’re facing multiple regularly investigations simultaneously that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways giving them notice that she intends on issuing a penalty notice in the sum f £183m. This is not the first time where news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or  it having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by Paragraph 2(1) of Schedule 16 to the DPA2018 to the to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which:- (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenge the proposed amount.

When the commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent; including, being persuaded that the legal tests for issuing a penalty notice has not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written, and where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16)

Appeals
Unlike a notice of intent, a penalty notice is subject of a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect the penalty notice. Depending upon the nature of the defects they could ultimately lead to the Tribunal quashing the Penalty Notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in repsect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Data Protection Impact Assessments under the GDPR

Accountability is an important aspect of the General Data Protection Regulation (GDPR).  The accountability principle in Article 5(2) of the GDPR obliges data controllers to be able to demonstrate that they are complying with the data protection principles in Article 5(1) of the GDPR.  Some of the technical requirements placed upon data controllers within the GDPR can be traced back, at least in part, to the accountability principle.  One of the requirements of the GDPR which will assist data controllers to demonstrate compliance with the data protection principles is the requirement to complete, in certain circumstances, a Data Protection Impact Assessment (DPIA).

For a number of years supervisory authorities around the EU, including the UK Information Commissioner, have encouraged organisations to conduct a Privacy Impact Assessment (PIA) as part of their promotion of good data protection practice. DPIAs are simply PIAs by another name. The requirements for DPIAs are set out in Articles 35 and 36 of the GDPR.

When do I need to perform a DPIA?

Article 35(1) of the GDPR requires data controllers to conduct an assessment of the impact of envisaged processing operations on the protection of personal data, where a type of processing, in particular using new technologies; and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.  The DPIA must be conducted prior to undertaking the processing envisaged.

Article 35(3) sets out specific circumstances where a DPIA should be carried out by a data controller and those are:-

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

When deciding whether a DPIA is required it will be important for data controllers to check the ICO’s website. The Information Commissioner is required to publish a list of the kind of processing operations which are subject to the requirement for a DPIA.  If the processing operations envisaged by a controller appear on this list, then they will be required to carry out a DPIA.  Article 35(5) also empowers the Information Commissioner (but does not require her) to establish and publish a list of the kind of processing operations for which no data protection impact assessment is required.

What does a DPIA require?

Article 35(7) sets out what the DPIA must include as a minimum; these are:-

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects (the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage – see recital 75 of the GDPR for more detail)
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data; and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

It should be noted that requirements set out in Article 35(7) for the content of a DPIA are a minimum; there may be situations when a DPIA requires to go beyond what is set above.

The role of the Data Protection Officer

If you have appointed a Data Protection Officer, then Article 35(2) of the GDPR requires that you seek advice from them when carrying out a DPIA. It should be remembered that a DPIA might change a number of time during the process; you should therefore keep your DPO involved throughout and be seeking advice from them regularly at appropriate junctures. Seeking advice from the DPO is not simply a box ticking exercise and should therefore not be treated as such. If you treat it as a simple box-ticking you could find yourself not complying properly with the requirements of the GDPR and could potentially be missing out on valuable advice. Remember that controllers are not obliged to follow the advice of their DPO, but if they elect to act contrary to that advice then they should document this and could be required to defend that decision.

The Role of The Information Commissioner

I have already indicated that the Information Commissioner has a role in the DPIA process, but her role is more extensive than has already been covered above. There are circumstances, set out in Article 36 of the GDPR, in which controllers will be required to consult with the ICO.  This applies where, in the absence of any mitigating measures by the controller, the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

Within a period of 8 weeks following receipt of the request for consultation (but this may be extended by a further 6 weeks in appropriate cases) the Information Commissioner is required to provide written advice to the controller where she is of the opinion that the intended processing would infringe this Regulation.  It’s therefore important that you consult the Commissioner well in advance of undertakng the envisaged processing to ensure that you have enough time to receive any written advice from the Commissioner and to consider and apply it.

The Information Commissioner’s role does not end there; she is not simply limited to giving written advice to the controller.  She can also become much more involved by conducting a data protection audit; issuing a formal warning that the intended processing is likely to infringe the provisions of the GDPR and even limit or prohibit (temporarily or indefinitely) a data controller from undertaking the proposed processing.

Penalties

A failure by a controller to comply with its obligations to conduct a DPIA where one is required can attract an administrative fine of up to €10,000,000 or 2% of global turnover (whichever is greater); as can a failure to consult with the Information Commissioner where consultation is required under Article 36 of the GDPR.  Failure to comply with an order limiting or prohibiting the processing (whether temporary or indefinite) can attract an administrative fine of up to €20,000,000 or 4% of global turnover (whichever is greater).

Can I undertake a DPIA when one is not required by the GDPR?

Yes you can; a properly completed DPIA will be of assistance to you in demonstrating that you are complying the the data protection principles. A DIPA on its own will usually be insufficient to completely comply with the Artcile 5(2) obligations (even where it is required by Article 35), but a properly completed DPIA is certainly something that you can produce to the Information Commissioner to help evidence that you are taking your data protection obligations seriously.

Alistair Sloan

If you require advice or assistance with Data Protection Impact Assessments or any other data protection matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. Alistair can also assist with other aspects of information law.

Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress.  The provisions in Section 13 have not been used as often as they might otherwise have; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test.  No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.”  The burden of proof falls on the controller or process and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors.  In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage; the data subject could elect to sue any one of them (or indeed, all of them).  Where the data subject elects to sue just one controller/processor who is responsible, controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered.  Quite what “full and effective compensation” mean is something that will be worked out as the courts grapple with the new provisions.  There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high.  For example, Sheriff Ross awarded the each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7.  That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998).  In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privitive jurisdiction of the Sheriff Court.  However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible the Article 82 claims will end up the Court of Session as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim; or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Subject Access Requests under the GDPR

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”).  This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller whether or not the controller is processing their personal data and to obtain copies of that data which is being processed by the data controller.  Under the DPA, data controllers have 40 calendar days in which to respond to a subject access requests and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means there is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to have in place a right of subject access. The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month.  There have been some changes to that right which are designed to make it much more effective for data subjects.  This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30.  Where the data controller has “reasonable doubts as to the identity of an individual making” as subject access request, then they may request the provision of additional information to enable the controller to confirm the identity.  Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to be calculated until the day on which that information is provided to the data contoller.  It should be noted though that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free).  For subsequent copies, what will be considered a “reasonable fee” remains to be seen.  The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees.  There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data Controllers have sometimes interpreted the right of subject access under Section 7 of DPA as only providing a right to receive copies of the personal data processed, but that is not the case; and it continues to be the case under the GDPR.  Data Controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access.  These are set out in Clause 43(4) of the Data Protection Bill and are:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security;
  • to protect national security

However, where a data controller has restricted the data subject’s right to subject access, the data contoller is required to provide certain information to the data subject in writing and without undue delay.  That information is:

  • that the rights of the data subject have been restricted;
  • the reasons for the restriction;
  • the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;
  • the data subject’s right to make a complaint to the Information commissioner; and
  • the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.”  This may mean that Subject Access Requests may be rejected where they are submitted for other reasons.  Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018.  This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

Alistair Sloan

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

The GDPR and Personal Data Breaches

Under the current data protection framework in the UK only some data controllers are placed under an obligation to notify the Information Commissioner’s Office of data breaches.  That will change on 25 May 2018 when the General Data Protection Regulation (“GDPR”) becomes applicable.   Under the GDPR all data controllers will be required to report certain types of data breaches to the Supervisory Authority (the Information Commissioner in the UK); it will also place an obligation to report some breaches to the affected data subjects.

What breaches need to be reported to the ICO?

It should be stressed that the provisions in the GDPR regarding notification of breaches apply to all data controllers.  If you’re a data controller that isn’t presently under an obligation to report data breaches then it is important that you prepare for having to comply with this requirement.  The timescales for reporting a breach to the ICO are tight.

A personal data breach is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

All personal data breaches will require to be reported to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.   Therefore, only the most minor of personal data breaches will not require to be reported.  The obligation is on the data controller to decide whether or not the breach meets the threshold to be reported and equally, the obligation on being able to justify why a personal data breach did not need to be reported falls on the data controller.

When do I need to report the breach to the ICO?

The GDPR requires that personal data breaches which require to be brought to the attention of the ICO need to be reported without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of it.  Where the ICO is notified of the breach more than 72 hours after the data controller became aware of it, the data controller must explain the delay when making the report.

It is likely that only the most exceptional of justifications will be accepted when reporting a data breach outside of the maximum window of 72 hours.  This is because the data controller does not need to supply all of the required information to the ICO at the same time; the data controller can pass on information as they become aware of it.  This means that data controllers should not delay the notification of the breach until after the conclusion of internal investigations.

When do affected data subjects require to be notified of a data breach?

The GDPR requires that affected data subjects be notified of a breach in certain circumstances; although it will likely be considered good practice to notify affected data subjects about most breaches, even when there is no legal obligation to do so.  The threshold for telling affected data subjects is higher than the threshold for reporting personal data breaches to the ICO; not all breaches reported to the ICO will need to be reported to the affected data subjects.

Affected data subjects require to be told of the data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.  Affected data subjects should be told without undue delay.

Are there any Exceptions?

The Data Protection Bill, which has now started its journey through the parliamentary process, proposes that the obligations under Articles 33 (requirement to notify the Information Commissioner of a personal data breach) and 34 (requirement to notify data subjects of a personal data breach) will not apply where exemption is required for either (a) the prupose of safeguarding national security; or (b) defence purposes.

Clause 25 makes provision for a member of the Cabinet, the Attorney General or the Advocate General of Scotland to certify “that exemption from all or any of the provisions listed in section 24(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security” and that such a certificate is “conclusive of that fact”, although there will be a right to appeal such a certificate to the First-Tier Tribunal (Information Rights) who shall be required to apply the same principles as would apply to a claim or petition for judicial review.

Penalties

The GDPR provides for financial penalties for (a) not reporting a personal data breach to the ICO when notification was required; (b) delays in reporting the personal data breach to the ICO; and (c) failure to notify affected data subjects when there was a requirement to do so.  The financial penalties can be significant – potentially up to €10m or 2% of global turnover, whichever is greater.

It is far too early to say anything about the level of penalties that might be imposed by the ICO and in what circumstances they will make use of these powers.  The power exists and data controllers should be aware of the power to impose administrative fines, but it is probably best not to think too much about the maximum penalties.  I have already published a blog post which covers the subject of administrative fines under the GDPR, which you can read here.

What to do?

It’s going to be important for data controllers to have robust policies and procedures in place around personal data breaches.  These will need to cover identifying personal data breaches, what to do when a personal data breach has been identified and the reporting and monitoring of personal data breaches.  It will also be essential to ensure that there are sufficient resources in place to ensure that reports are made to the ICO in time; someone being on holiday or off sick is unlikely to be considered sufficient justification for a delay in reporting a personal data breach (especially in medium sized and large organisations).

Alistair Sloan

If you would like advice on personal data breaches under the GDPR, or on any other information law matter, then you can contact Alistair Sloan on 0345 450 0123 or you can send him an E-mail.

Data Protection Bill 2017: initial observations and comments

Last week the UK Government finally introduced their much anticipated Data Protection Bill [pdf], which is required to deal with certain aspects of the General Data Protection Regulation.  I have spent some time since then reading through the Bill and this blog post is intended as an initial introduction to the new Bill.

The first thing to note is that the Bill is not an easy read and certainly much of the commentary and discussion has centred on how uneasy a Bill it is to read.  This may well create some difficulties for practitioners going forward, and indeed may also cause some difficulties for data subjects who are trying to understand what their data protection rights are.

There are a few things of note which clarify a number of matters.  The GDPR requires public bodies to appoint a Data Protection Officer, but the GDPR does not stipulate what is and what is not a public body; this was left up to member states to deal with.  The proposed answer comes in Clause 6 of the Bill which gives it the same meaning as public authority in the Freedom of Information Act 2000 and Scottish public authority in the Freedom of Information (Scotland) Act 2002.  So, a public authority for the purposes of FOI is also a public authority for the purpose of the GDPR.  The definition does not include those bodies who are subject only to the Environmental Information Regulations 2004 or the Environmental Information (Scotland) Regulations 2004.

It should be noted that it is proposed that the Secretary of State will have the power to provide, in regulations, that a public body, as defined by clause 6, is not in fact a public body for the purposes of the GDPR.  It is also proposed that the Secreatry of State shall have the power to provide that a body that is not a public body, as defined by clause 6, is in fact a public body for the purposes of the GDPR.  There has been no indication as yet that the Secretary of State intends on making any Regulations under these powers and so for the time being it would be prudent to work on the basis that every person and organisation who is subject to the provisions of either the UK or Scottish FOI Acts is a public body for the purposes of the GDPR.

Although the Scottish Ministers cannot directly decide that a person or body ought to be (or ought not to be) a public body for the purposes of the GDPR, the exercising of their powers under Sections 4 and 5 of the Freedom of Information (Scotland) Act 2002 can result in persons or bodies becoming, or ceasing to be, public bodies for the purpose of the GDPR.  This effect is something to consider when the Scottish Government is seeking to extend the coverage of the Freedom of Information (Scotland) Act 2002; the obvious example is housing associations in Scotland.  The Scottish Government is currently considering whether they ought to be Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 or not.  If they lay Regulations to make housing associations a Scottish public authority this will have the effect of making housing associations a public body for the purposes of the GDPR as well.  Of course, the Secretary of State would have the power to then make Regulations which would have the effect of not making housing associations in Scotland a public authority for GDPR purposes.

This may well have an effect on how quickly an order under Section 5 of the Freedom of Information (Scotland) Act 2002 can come into force.  The data controller would become a public authority for the purposes of the GDPR immediately upon the coming into force of the “Section 5 Order”; if they do not already have a Data Protection Officer appointed then they will need to recruit an dappoint someone in advance of the Section 5 Order entering into force.

The definition of who is a public body also has implications beyond the need to appoint a Data Protection Officer.  Public bodies are not allowed to rely upon the “legitimate interests” condition for processing personal data in the performance of the public body’s tasks.

In relation to consent, the GDPR allows member states to set an age between 13 and 16 for the purposes of when a child can give consent for the processing of their personal data by ‘information society services’ (e.g. Twitter, Facebook, Snapchat); Clause 8 of the Data Protection Bill proposes setting this at 13 in the UK.  It should be stressed that this only applies to consent provided to information society services and not consent more generally.  A child who is younger than 13 may be capable of providing consent more generally under the GDPR (and ineed, the presumtion in Scotland will continue to be that a child of 12 can provide consent).

The GDPR allows data controllers to charge fees, in limited circumstances, when dealing with subject access requests.  Clause 11 of the Data Protection Bill provides that the Secretary of State may “by regulations specify limits on the fees that a controller may charge”.   The inclusion of this power within the Bill suggests that it is the Government’s intention to place a cap on what can be charged by data controllers in those circumstances where a fee can be charged.  The general right to charge a fee in order to process a subject access request, that is in place under the current Data Protection Act, will go.  A more detailed blog on the topic of subject access requests under the GDPR shall follow.

The Monetary Penalty Notice is to remain (although it will now just be a penalty notice) and this is the way in which the Information Commissioner will be able to exercise her powers under the GDPR to issue administrative fines.  The procedure adopted under the current monetary penalty regime is retained with the requirement for the Commissioner to issue a “notice of intent” in advance of serving a penalty.  It will also continue to be a requirement that the penalty notice be issued within 6 months of the notice of intent (see Schedule 16 of the Data Protection Bill).  The Commissioner will be able to issue a penalty notice to a data controller who has failed to comply with an enforcement notice.

These are just a few of the notable points from the new Data Protection Bill and there is plenty more to write about, but that will come in future blog posts.  The Bill has only just been introduced to the House of Lords and still has to go through the full process of scrutiny in both the House of Lords and the House of Commons; therefore, it is entirely possible that the Bill’s 194 clauses and 18 schedules will be amended during the passage of the Bill through Parliament.  The Bill is due to have its Second Reading in the House of Lords, at which the House of Lords will agree (or not) to the general principles of the Bill, on 10th October 2017.

Alistair Sloan

If you would like advice on the General Data Protection Regulation or on the new Data Protection Bill then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.