Tag Archives: Article 6 (GDPR)

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.

GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent; then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan and E-mail.