Tag Archives: Data Protection Act 2018

Data Subject Complaints: delays at the regulator

At the beginning of July it was reported that the Irish High Court had given permission for a judicial review of the Irish Data Protection Commission (“DPC”) to proceed. The judicial review has been brought by the European Centre for Digital Rights in respect of significant delays at the DPC in their handling of complaints made to them under the GDPR.

The application is being brought by the applicant as a representative body under Article 80 of the GDPR. The application pertains to two complaints made by two separate complainants; one in relation to Whatsapp Ireland Limited and one against Facebook Ireland Limited (as operator of Instagram). Both complaints were made on 25 May 2018, the day on which the GDPR became applicable throughout the European Union. The complaints, having originally been made to the German and Belgium supervisory authorities (respectively), were transferred by those supervisory authorities to the DPC as the lead supervisory authority for both companies.

The DPC is still to make a decision on the complaints, more than two years after they were made. Judicial Review is sought seeking (principally): (1) a declaration that the DPC has failed to catty out an investigation into the complaints within a reasonable period, contrary to their duty under Article 57 of the GDPR and/or section 113 of the Irish Data Protection Act 2018; (2) a declaration that the DPC has not provided information and/or a draft decision to the relevant national authorities without delay, contrary to its obligation under Article 60(3); (3) a declaration that the DPC is in beach of its obligations under the GDPR and or Irish data protection law; (4) an order directing the DPC to complete its investigation of the complaints within a time frame directed by the court; (5) a reference under Article 267, if required.

This is an interesting case from Ireland that is well worth keeping an eye on to see what the ultimate result is. Those who are familiar with the UK’s supervisory authority, the Information Commissioner, will see some similarities between the ICO and the DPC. The ICO is not renowned for acting quickly in respect of its regulatory functions; it’s yet to take a decision on regulatory action against British Airways and Marriott after issuing Notices of Intent (a precursor to a Penalty Notice; or, in GDPR parlance, an “administrative fine”) in excess of twelve months ago.

What can data subjects in the UK do where the ICO’s investigation of their complaint is moving at a glacial pace? The answer is to be found in section 166 of the Data Protection Act 2018; which makes provision for the First-Tier Tribunal to make orders requiring the Information Commissioner to progress a complaint.

Section 166 is a fairly limited provision; it does not create a route of appeal to the First-Tier Tribunal where the data subject is unhappy with the outcome of the complaint. It only provides a remedy to get the Information Commissioner to move the complaint forward to an outcome. Neither section 165 (which provides a right of complaint where Article 77 of the GDPR does not apply) nor section 166 requires the Commissioner to do anything more than investigate the subject matter of the complaint to the extent that is appropriate and to inform the complainant about the progress of the complaint (including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary); they do not require the ICO to do anything at all about any breaches that may have occurred. Section 166 is therefore not a right of appeal against a decision of the Information Commissioner that there has been no breach of the relevant data protection laws or against a refusal to take enforcement action in respect of a breach.

The decision of the ECJ in respect of Schrems II, which was published last month; does, however, provide some scope of challenging a failure to act by the ICO. The ECJ was very clear about the duties and obligations on supervisory authorities to ensure that the GDPR is being complied with (and that includes positive obligations to stop processing where it is not being complied with). However, such a challenge would require to be by the much more expensive route of a judicial review in the Court of Session (Scotland) or the High Court (England and Wales / Northern Ireland).

Alistair Sloan

If you are a data subject who submitted a complaint to the Information Commissioner more than 3 months ago and have not had your complaint resolved or are dissatisfied with the outcome of your complaint to the Information Commissioner then we would be happy to discuss this with you. You can contact our Alistair Sloan on 0141 229 0880 or by E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways giving them notice that she intends on issuing a penalty notice in the sum f £183m. This is not the first time where news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or  it having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by Paragraph 2(1) of Schedule 16 to the DPA2018 to the to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which:- (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenge the proposed amount.

When the commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent; including, being persuaded that the legal tests for issuing a penalty notice has not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written, and where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16)

Appeals
Unlike a notice of intent, a penalty notice is subject of a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect the penalty notice. Depending upon the nature of the defects they could ultimately lead to the Tribunal quashing the Penalty Notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in repsect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Data Protection and Privacy Enforcement: November 2018

0The year is progressing quickly and we’re now onto looking at November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party the obligation rests with you to ensure that you have lawful authority to make (or instruct others on you behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioners of their processing of personal data; however, they are still required to make payment to the Commissioner of a fee. Those who either (a) don’t know they are due to pay  a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner [pdf] requiring the MPS to take a number of specified steps; including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidences of crime in London arising from gangs. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 [pdf] and also served it with an Enforcement Notice [pdf] after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solaretech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 [pdf] and an enforcement notice [pdf]. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously came to the attention of the Commissioner’s office in 2014 and had bene provided with advice from her office as well as subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17 Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has bene the subject of many recent legal battles in the Employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack. [pdf] The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98) – in respect of breaches that occurred prior to the 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (”DPA18).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the recipient has not objected, for the time being, to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing; it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists as screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile brining appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice  in the sum of £150,000 [pdf] after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially comply with the Commissioner’s investigation as the penalty notice states that the Commissioner had to serve an Information Notice on OAUK and it only made contact with the Commissioner’s office when they were threated with prosecution for failure to comply with an Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 [pdf] after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which had been found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in places to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 [pdf] after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather it is a notice of variation of the first ever enforcement notice served under the DPA18 [pdf]. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying it that either the OIPC no longer requires it for an investigation, or that the OIPC informs AIQ that it is happy for AIQ to comply with the notice (whichever occurs the soonest).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles [pdf]. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 [pdf] after she found that ACT had instigated in excess of £490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the commissioner during her investigation, which contained a script which directed those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Non-payment of Data Protection Fees: The ICO announces first steps in enforcement

Under the Data Protection Act 1998 it was an offence to process personal data without notifying with the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.

The law was also changed so that non payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are current specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which provides for non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.

In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.

It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection act 2018 (which happened on 25 May 2018).

The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors and that there are others in the process of being about to be issued. They act as a final warning by the ICO they if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they were did not notify under the Data Protection Act 1998.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegations levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002; in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on behalf of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having in put into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind.  The applicant blind requirement is often largely over-stated.  There are clearly situations where the applicant’s identity will be relevant; for example is it a request for that person’s own personal data or is it a vexatious/repeated request or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010?  If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair and E-mail.

Data Protection Act 2018

Earlier this week the House of Lords and the House of Commons completed their game of ping pong with the Data Protection Bill and it completed its journey through the Parliamentary procedure; a journey which began when the Bill was introduced to the House of Lords by the Department for Culture, Media and Sport (DCMS) in September 2017.  Almost eight months later, and after quite a bit of amendment, the Bill has now received Royal Assent to become the Data Protection Act 2018.

It is expected that the various pieces of secondary legislation which are required to bring the Act into force and make transitional provisions will be signed by a Minister in the DCMS later today or tomorrow to ensure that the Act comes into force on Friday.

The new Data Protection Act 2018 does a number of things: (1) it deals with those areas within the GDPR, such as exemptions, which have been left to Member States to deal with individually; (2) applies the GDPR (with appropriate medications) to areas which are not within the competence of the European Union; and (3) gives effect to the Law Enforcement Directive (which should have been in place by the 6th May 2018, but better late than never).

Data Protection law has become much more complex than was the case under the Data Protection Act 1998; it requires individuals to look in many more places to get a proper handle upon what the law requires (and that’s before we start to get decisions from the European and domestic courts).

There has been an indication by some campaign groups that there might be an early challenge to the immigration exemption within the Bill which will have an impact upon the information that data subjects can obtain from the Home Office under the subject access provisions within the GDPR.  It will certainly be interesting to see whether such a challenge is in fact made and what the outcome of it is – and of course, we will cover any decision on that point should one be made by a court.

Alistair Sloan

If you require further information in relation any data protection or privacy law concern then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.