Tag Archives: Data Subject Rights

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way.  The case concerns three members of a family TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLU is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also jointed by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application fro asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidently published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain the private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented is obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Data Protection Impact Assessments under the GDPR

Accountability is an important aspect of the General Data Protection Regulation (GDPR).  The accountability principle in Article 5(2) of the GDPR obliges data controllers to be able to demonstrate that they are complying with the data protection principles in Article 5(1) of the GDPR.  Some of the technical requirements placed upon data controllers within the GDPR can be traced back, at least in part, to the accountability principle.  One of the requirements of the GDPR which will assist data controllers to demonstrate compliance with the data protection principles is the requirement to complete, in certain circumstances, a Data Protection Impact Assessment (DPIA).

For a number of years supervisory authorities around the EU, including the UK Information Commissioner, have encouraged organisations to conduct a Privacy Impact Assessment (PIA) as part of their promotion of good data protection practice. DPIAs are simply PIAs by another name. The requirements for DPIAs are set out in Articles 35 and 36 of the GDPR.

When do I need to perform a DPIA?

Article 35(1) of the GDPR requires data controllers to conduct an assessment of the impact of envisaged processing operations on the protection of personal data, where a type of processing, in particular using new technologies; and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.  The DPIA must be conducted prior to undertaking the processing envisaged.

Article 35(3) sets out specific circumstances where a DPIA should be carried out by a data controller and those are:-

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

When deciding whether a DPIA is required it will be important for data controllers to check the ICO’s website. The Information Commissioner is required to publish a list of the kind of processing operations which are subject to the requirement for a DPIA.  If the processing operations envisaged by a controller appear on this list, then they will be required to carry out a DPIA.  Article 35(5) also empowers the Information Commissioner (but does not require her) to establish and publish a list of the kind of processing operations for which no data protection impact assessment is required.

What does a DPIA require?

Article 35(7) sets out what the DPIA must include as a minimum; these are:-

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects (the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage – see recital 75 of the GDPR for more detail)
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data; and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

It should be noted that requirements set out in Article 35(7) for the content of a DPIA are a minimum; there may be situations when a DPIA requires to go beyond what is set above.

The role of the Data Protection Officer

If you have appointed a Data Protection Officer, then Article 35(2) of the GDPR requires that you seek advice from them when carrying out a DPIA. It should be remembered that a DPIA might change a number of time during the process; you should therefore keep your DPO involved throughout and be seeking advice from them regularly at appropriate junctures. Seeking advice from the DPO is not simply a box ticking exercise and should therefore not be treated as such. If you treat it as a simple box-ticking you could find yourself not complying properly with the requirements of the GDPR and could potentially be missing out on valuable advice. Remember that controllers are not obliged to follow the advice of their DPO, but if they elect to act contrary to that advice then they should document this and could be required to defend that decision.

The Role of The Information Commissioner

I have already indicated that the Information Commissioner has a role in the DPIA process, but her role is more extensive than has already been covered above. There are circumstances, set out in Article 36 of the GDPR, in which controllers will be required to consult with the ICO.  This applies where, in the absence of any mitigating measures by the controller, the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

Within a period of 8 weeks following receipt of the request for consultation (but this may be extended by a further 6 weeks in appropriate cases) the Information Commissioner is required to provide written advice to the controller where she is of the opinion that the intended processing would infringe this Regulation.  It’s therefore important that you consult the Commissioner well in advance of undertakng the envisaged processing to ensure that you have enough time to receive any written advice from the Commissioner and to consider and apply it.

The Information Commissioner’s role does not end there; she is not simply limited to giving written advice to the controller.  She can also become much more involved by conducting a data protection audit; issuing a formal warning that the intended processing is likely to infringe the provisions of the GDPR and even limit or prohibit (temporarily or indefinitely) a data controller from undertaking the proposed processing.

Penalties

A failure by a controller to comply with its obligations to conduct a DPIA where one is required can attract an administrative fine of up to €10,000,000 or 2% of global turnover (whichever is greater); as can a failure to consult with the Information Commissioner where consultation is required under Article 36 of the GDPR.  Failure to comply with an order limiting or prohibiting the processing (whether temporary or indefinite) can attract an administrative fine of up to €20,000,000 or 4% of global turnover (whichever is greater).

Can I undertake a DPIA when one is not required by the GDPR?

Yes you can; a properly completed DPIA will be of assistance to you in demonstrating that you are complying the the data protection principles. A DIPA on its own will usually be insufficient to completely comply with the Artcile 5(2) obligations (even where it is required by Article 35), but a properly completed DPIA is certainly something that you can produce to the Information Commissioner to help evidence that you are taking your data protection obligations seriously.

Alistair Sloan

If you require advice or assistance with Data Protection Impact Assessments or any other data protection matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. Alistair can also assist with other aspects of information law.

The Law Enforcement Directive: Data Subjects’ Rights (Part 1)

Earlier this month I wrote a blog post providing an introduction to the Law Enforcement Directive (“LED”); in that post I indicated that I would look separately at the rights of data subjects under the LED.  I had anticipated that I would do this earlier on in the month, but then came Cambridge Analytica and the Information Commissioner’s power to obtain a search warrant.  This is part 1 of my look at the rights of data subjects under the LED and will focus on the rights in Artciles 13-16 of the LED.

Part 3 of the Data Protection Bill will implement the provisions of the LED in the UK.  Clauses 43 to 54 of the Bill (as the Bill presently stands) make provisions in respect of the rights of data subjects under Part 3.   The rights within the Data Protection Bill are derived from the LED itself, which is very much based upon the rights contained within the General Data Protection Regulation.  Chapter III of the LED sets out the rights which Member States must make available to data subjects where personal data is being processed for the law enforcement purposes.

Information to be made available, or given, to the data subject
Article 13 of the LED makes certain provisions in relation to the information that controllers, who are processing personal data for the law enforcement purposes, should normally make available to data subjects.  The provisions of Article 13 are contained within clause 44 of the Data Protection Bill (although, I make reference to the LED Articles it should be kpet in mind that the LED is a Directive rather than a Regulation and therefore does not have direct effect.  It will be the domestic provisions upon which data subjects will rely upon in their dealings with the competent authorities, Information Commissioner and domestic courts rather than the LED’s Articles).

Controllers who are processing personal data for the law enforcement purposes are to make the following information available:

  • The identity and contact details of the controller;
  • The contact details of the data protection officer (where there is one);
  • The purposes for which the controller processes personal data;
  • The existence of the data subject’s rights to (i) subject access; (ii) rectification;  (iii) erasure of personal data or the restriction of its use; and (iv) to make a complaint to the Information Commissioner;
  • information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
  • where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations)
  • where necessary, further information to enable the exercise of the data subject’s rights under Part 3, in particular where the personal data are collected without the knowledge of the data subject

Controllers can restrict the level of information that is provided to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security (d) protect national security; or (e) protect the rights and freedoms of others.

This right to information will not be unfamiliar to anyone who is familiar with the provisions of the GDPR; however, it’s not surprising that the right is limited to a degree to take account of the nature of the personal data that falls to be dealt with under the LED and Part 3 of the Data Protection Bill.

Subject Access
The right of subject access remains a fundamental aspect of data protection law emanating from the European Union.  I have previously looked at the right of subject access within the General Data Protection Regulation on this blog.  The right of such fundamental importance that it appears within LED; Articles 14 and 15 of the LED covers the right of subject access and this aspect of the LED is to be given effect to by clause 45 of the Data Protection Bill (as it currently stands)

If you are familiar with the right of subject access under the current Data Protection Act 1998 and/or the General Data Protection Regulation, then nothing much will surprise you vwithin Articles 14 and 15 and clause 45.  The right of subject access within the LED and Part 3 of the Data Protection Bill provides the data subject the same rights as they have under the GDPR.  It must be complied within one month and no fee can generally be charged for dealing with a Subject Access Request (SAR).

The controller can restrict the data subject’s right to subject access and these provisions are presently found within clause 45(4) of the Data Protection Bill.  The controller can restrict the data subject’s right to the extent and for so long as it is a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;(c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others.  In determining whether the restriction is a necessary and proportionate measure the controller must have regard to the fundamental rights and legitimate interests of the data subject.

Where a data subject’s right to subject access under Part 3 of the Data Protection Bill is to be restricted, the Bill (in its current form) requires the data subject to be given information relating to the restriction except to the extent that to provide such information it would undermine the purpose of the restriction.  For example, if an individual who was being investigated by the Police for fraud made a Subject Access Request the police would be entitled to restrict the data subject’s rights insofar as it related to that investigation and that police would be able to do so without telling them that they have restricted their subject access rights.

The next part will look at the right to restriction of processing; the right to erasure and the data subject’s rights in relation to automated processing in the context of the LED and Part 3 of the Data Protection Bill.  Remember, the LED is due to be implemented by 6th May 2018, which is almost 3 weeks before the date upon which the GDPR becomes applicable.

Alistair Sloan

If you require any advice and assistance with matters relating to the Law Enforcement Directive or any other Privacy/Data Protection legal matter then contact Alistair Sloan on 0141 229 0880 or send him an E-mail.  You can follow Inksters’ dedicated Information Law Twitter account:  @UKInfoLaw

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

It’s just legitimite interests, isn’t it?

The General Data Protection Regulation (GDPR) becomes applicable in the United Kingdom on 25th May 2018.  Preparations are well underway in business, government and the regulator for the new privacy and data protection landscape.  People are trying to find their way through the GDPR and the Data Protection Bill to understand exactly what it is that they’re required to do in order to comply with the new framework, but there are a lot of misunderstandings about certain requirements of the GDPR.  I have already dealt with one of those, the issue as to whether or not consent is required under the GDPR on this blog.  Another area where there appears to a lot of misunderstanding is with the legitimate interests ground for processing, especially in the area of direct marketing.

Article 6(1)(f) of the GDPR provides that it is lawful to process the personal data of a data subject where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”  This is the legitimate interests ground for processing; but as can be seen from a proper reading of the condition, it is not the silver bullet condition that some people seem to think that it is.

There are essentially three elements to the condition:  (1) necessity; (2) legitimate interests of the controller or a third party; (3) the interests or fundamental rights of the data subject.  Therefore before being able to rely upon legitimate interests as the processing condition, it is essential that controllers go through a three stage process.  The first stage is to identify what the interests are.  In determining whether the interest identified by the data controller is a legitimate interest, it is necessary for them to consider whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for this purpose may take place.  If a data subject could not reasonably expect that the processing envisaged by the data controller may take place, at the time and in the context of collection of the personal data, it will not be a legitimate interest.

The second stage is to consider necessity; the processing must be necessary for the legitimate interest(s) being pursued.  If the processing is not necessary then a data controller cannot rely upon the ‘legitimate interests’ condition for processing the personal data in question.  The ICO currently puts it this way “[i]f you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.”  It is therefore essential to consider whether there are other ways to fulfil the legitimate interest(s) identified.  The test does not require it to be “strictly necessary” or “absolutely necessary”, but it is still a high test

The final element that needs to be considered before a decision to rely upon legitimate interests can be taken, is whether the legitimate interests are overridden by the fundamental rights and freedoms of the data subject.  This can be a very difficult assessment to make and can, on occasions, be on a knife-edge.  It is fundamentally about proportionality and in a lot of cases the data subject’s fundamental rights and freedoms will override the legitimate interests with the result that another condition needs to be found to enable processing take place.

At the very outset I did mention that there is a lot of misunderstanding about legitimate interests in the field of direct marketing.  It is true that the GDPR does state, in Recital 47, that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, but it’s not as simple as that.  Firstly it is important to note that the Recital states that it “may be” a legitimate interest; that is not the same thing as saying that it “will be” or “is” a legitimate interest.  It only opens the door to marketing being a legitimate interest; it does not remove the need to consider whether it is, in any given context, a legitimate interest.

Secondly, it is important not to consider the GDPR in isolation.  I have already written about the forgotten relative of the GDPR:  The Privacy and Electronic Communications (EC Directive) Regulations 2003.  These are extremely relevant when conducting direct marketing by electronic means (such a by telephone, E-mail or text message).  Processing personal data for the purposes of marketing might well be lawful because it can be shown that it is a legitimate interest for the controller or a third party, but how that marketing is then delivered must comply with the other relevant laws and codes which regulate marketing activity.

The legitimate interests condition is a flexible one, but data controllers should not assume that if no other condition applies, or is appropriate, that they can simply say “it’s legitimate interests” and be done with it.  Where a controller does rely upon legitimate interests, the accountability principle will kick in and the supervisory authority may well ask for it to be justified.  Therefore, where it is proposed to rely upon legitimate interests a record should be kept demonstrating how each of three elements to the legitimate interests condition is met.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

 

Data Protection, Brexit and the Charter of Fundamental Rights

On the face of it the Irish Supreme Court’s decision in Minister for Justice v O’Conner [2018] IESC 3 has no place on a blog focused on information law matters as they apply in Scotland and the wider United Kingdom.  The case involves a European Arrest Warrant (EAW) issued by the United Kingdom and the surrender of the individual to the United Kingdom under that EAW.  The Irish Supreme Court has granted leave to Mr. O’Connor to appeal to it; this is so that a reference can to be made to the Court of Justice of the European Union.  The context of that reference is the giving of notice by the United Kingdom under Article 50 of the Treaty on the European Union and that as a consequence the United Kingdom will leave the European Union.

It is not obvious what this has to do with information law at all; however, it might well have an impact upon the flow of personal data between the United Kingdom and the European Union.

The UK Government has identified a number of ‘red lines’ in its negotiations with the European Union; one of those red lines is that the Charter of Fundamental Rights of the European Union will cease to apply to the United Kingdom when it leaves the European Union.  All of the public statements which have been made by Ministers is suggestive that the Charter will not be incorporated into UK domestic law and it will not agree to a treaty with the European Union which continues its application.  Whether or not that is the case at the end of the day remains to be seen; however, it is creating uncertainty.

My initial thoughts on this case are that it could be significant beyond the question of extradition under the EAW scheme.  From a reading of the judgment of the Irish Supreme Court, it is clear that there are fundamental issues of European Union Law to be addressed in this reference.

It is a consequence of the operation of Article 50 that at the end of the two year period provided for therein that the treaties cease to apply to the leaving State (subject to an agreement to extend the Article 50 period or any agreement between the EU and the leaving state which continues the application of EU law).  At its most basic, it means that European Union Law ceases to apply to the leaving state.  This is a very real problem and is the reason for the European Union (Withdrawal) Bill, which has its aim to ensure that the domestic statute book works and certainty is given as to what the law in the United Kingdom is.

So, what precisely does this have to do with information law?  Articles 44-50 of the General Data Protection Regulation deal with transfers to third countries; a third country being a country which is outside of the Union.  Upon Brexit the United Kingdom will be outside of the Union and the flow of personal data from controllers and processors inside of the Union to controllers and processors in the United Kingdom will need to be in compliance with Articles 44-50 of the GDPR.

What most people in the data protection world are hoping for is that the United Kingdom will get a favourable adequacy decision from the European Commission; which will enable the free flow of personal data between the Union and the United Kingdom on much the same basis as it is presently while the United Kingdom remains part of the European Union.  However, many are sceptical as to whether the United Kingdom will be successful in gaining such a decision; it may not be enough simply to show that the GDPR still forms part of UK domestic law, but that is a topic for another blog post.

What appears to be the underlying issue in the reference being made by the Irish Supreme Court, is whether a person can be surrendered to the United Kingdom under a EAW while there is uncertainty about what the arrangements will be after Brexit in terms of that citizen’s rights under European Union Law.  The Charter of Fundamental Rights of the European Union features a number of times in the judgment and seems to be one of the areas of EU law that is at issue (and Article 8 of the Charter guarantees rights to the protection of personal data).

It seems to me that if the opinion issued by the Court of Justice of the European Union in respect of the reference made is in any way supportive of Mr. O’Connor’s position, it could raise questions not only about personal data transferred between the Union and the UK post-Brexit; but also about personal data which is transferred pre-Brexit and which will continue to be processed in the United Kingdom post-Brexit.

This reference to the Court of Justice of the European Union is certainly one that data protection professionals ought to be keeping an eye on; it has the potential to cause severe headaches for controllers and processors who rely on personal data coming in from the other 27 members of the European Union.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent; then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan and E-mail.

Ireland: High Court to refer Privacy Shield to the Court of Justice of the European Union

One of the primary requirements of the European Data Protection Framework is that personal data of European citizens must not be transferred to a country which is outside of the European Economic Area unless the country to which the personal data is to be transferred “ensures an adequate level of protection”; this is provided for within Article 25 of the 1995 Data Protection Directive and is given effect to in the UK in the form of the eighth data protection principle in Schedule 1 to the Data Protection Act 1998.

The United States of America has, for some time, been a somewhat contentious destination for personal data of European citizens.  The European Commission and the United States Government sought to assist the flow of personal data between the EU and the US through a scheme called “Safe Harbour”.  This scheme was challenged and in 2015 the Court of Justice of the European Union held that the European Commission’s decision in respect of the “safe harbour” scheme was invalid.

The Court of Justice’s decision on safe harbour came following a request for a preliminary ruling by the Irish High Court.  This followed a complaint to the Irish Data Protection Commissioner by an Austrian citizen, Max Schrems, in respect of Facebook.  Under Facebook’s terms and conditions all of its users in Europe have a relationship with ‘Facebook Ireland’ and as such, it falls to the Irish Data Protection Commissioner to regulate the use of personal data by Facebook.

Following that decision the European Commission and the US negotiated a new scheme, known as “Privacy Shield”.   There has been much debate about whether privacy shield is itself adequate and a challenge, also by Max Schrems, is underway.  The Irish Data Protection Commissioner sought from the Irish High Court a reference to the Court of Justice of the European Union and today the Irish High Court has agreed to make the reference.

The Irish Data Protection Commissioner has, the court decided, identified a number of “well founded concerns” and that the introduction of the Privacy Shield Ombudsman mechanism does not “eliminate” those concerns.

Although this is an Irish case, the outcome of a decision from the Court of Justice of of the European Union could have profound consequences for data controller’s right across the European Union.  In the event that the Court invalidates the privacy shield agreement, data controllers who are reliant upon it will find themselves in a situation where their compliance with data protection laws will be in doubt.

The exact questions which will be referred to the Court of Justice of the European Union by the Irish High Court are yet to be determined and the judge in the case will be addressed by parties on this issue in due course.

This is certainly a case that data controllers (and indeed data subjects) should keep a close eye on.  Data controllers who transfer personal data from the EU to the United States of America should think about reviewing their transfers and assessing whether they would continue to be permitted, within the context of the EU data protection framework, in the event that privacy shield is invalidated by the Court of Justice of the European Union in due course.

Alistair Sloan

If you would like advice or assistance on a data protection/privacy matter, or any other information law matter, then you can contact Alistair Sloan on 0345 0345 450 0123.  Alternatively, you can send him an E-mail.