Tag Archives: Data Protection Reform

Data Protection Act 2018

Earlier this week the House of Lords and the House of Commons completed their game of ping pong with the Data Protection Bill and it completed its journey through the Parliamentary procedure; a journey which began when the Bill was introduced to the House of Lords by the Department for Culture, Media and Sport (DCMS) in September 2017. Almost eight months later, and after quite a bit of amendment, the Bill has now received Royal Assent to become the Data Protection Act 2018.

It is expected that the various pieces of secondary legislation which are required to bring the Act into force and make transitional provisions will be signed by a Minister in the DCMS later today or tomorrow to ensure that the Act comes into force on Friday.

The new Data Protection Act 2018 does a number of things: (1) it deals with those areas within the GDPR, such as exemptions, which have been left to Member States to deal with individually; (2) applies the GDPR (with appropriate medications) to areas which are not within the competence of the European Union; and (3) gives effect to the Law Enforcement Directive (which should have been in place by the 6^th May 2018, but better late than never).

Data Protection law has become much more complex than was the case under the Data Protection Act 1998; it requires individuals to look in many more places to get a proper handle upon what the law requires (and that’s before we start to get decisions from the European and domestic courts).

There has been an indication by some campaign groups that there might be an early challenge to the immigration exemption within the Bill which will have an impact upon the information that data subjects can obtain from the Home Office under the subject access provisions within the GDPR. It will certainly be interesting to see whether such a challenge is in fact made and what the outcome of it is – and of course, we will cover any decision on that point should one be made by a court.

Alistair Sloan

If you require further information in relation any data protection or privacy law concern then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Data Protection Impact Assessments under the GDPR

Accountability is an important aspect of the General Data Protection Regulation (GDPR). The accountability principle in Article 5(2) of the GDPR obliges data controllers to be able to demonstrate that they are complying with the data protection principles in Article 5(1) of the GDPR. Some of the technical requirements placed upon data controllers within the GDPR can be traced back, at least in part, to the accountability principle. One of the requirements of the GDPR which will assist data controllers to demonstrate compliance with the data protection principles is the requirement to complete, in certain circumstances, a Data Protection Impact Assessment (DPIA).

For a number of years supervisory authorities around the EU, including the UK Information Commissioner, have encouraged organisations to conduct a Privacy Impact Assessment (PIA) as part of their promotion of good data protection practice. DPIAs are simply PIAs by another name. The requirements for DPIAs are set out in Articles 35 and 36 of the GDPR.

When do I need to perform a DPIA?

Article 35(1) of the GDPR requires data controllers to conduct an assessment of the impact of envisaged processing operations on the protection of personal data, where a type of processing, in particular using new technologies; and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA must be conducted prior to undertaking the processing envisaged.

Article 35(3) sets out specific circumstances where a DPIA should be carried out by a data controller and those are:-

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

When deciding whether a DPIA is required it will be important for data controllers to check the ICO’s website. The Information Commissioner is required to publish a list of the kind of processing operations which are subject to the requirement for a DPIA. If the processing operations envisaged by a controller appear on this list, then they will be required to carry out a DPIA. Article 35(5) also empowers the Information Commissioner (but does not require her) to establish and publish a list of the kind of processing operations for which no data protection impact assessment is required.

What does a DPIA require?

Article 35(7) sets out what the DPIA must include as a minimum; these are:-

a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
an assessment of the necessity and proportionality of the processing operations in relation to the purposes
an assessment of the risks to the rights and freedoms of data subjects (the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage – see recital 75 of the GDPR for more detail)
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data; and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

It should be noted that requirements set out in Article 35(7) for the content of a DPIA are a minimum; there may be situations when a DPIA requires to go beyond what is set above.

The role of the Data Protection Officer

If you have appointed a Data Protection Officer, then Article 35(2) of the GDPR requires that you seek advice from them when carrying out a DPIA. It should be remembered that a DPIA might change a number of time during the process; you should therefore keep your DPO involved throughout and be seeking advice from them regularly at appropriate junctures. Seeking advice from the DPO is not simply a box ticking exercise and should therefore not be treated as such. If you treat it as a simple box-ticking you could find yourself not complying properly with the requirements of the GDPR and could potentially be missing out on valuable advice. Remember that controllers are not obliged to follow the advice of their DPO, but if they elect to act contrary to that advice then they should document this and could be required to defend that decision.

The Role of The Information Commissioner

I have already indicated that the Information Commissioner has a role in the DPIA process, but her role is more extensive than has already been covered above. There are circumstances, set out in Article 36 of the GDPR, in which controllers will be required to consult with the ICO. This applies where, in the absence of any mitigating measures by the controller, the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

Within a period of 8 weeks following receipt of the request for consultation (but this may be extended by a further 6 weeks in appropriate cases) the Information Commissioner is required to provide written advice to the controller where she is of the opinion that the intended processing would infringe this Regulation. It’s therefore important that you consult the Commissioner well in advance of undertakng the envisaged processing to ensure that you have enough time to receive any written advice from the Commissioner and to consider and apply it.

The Information Commissioner’s role does not end there; she is not simply limited to giving written advice to the controller. She can also become much more involved by conducting a data protection audit; issuing a formal warning that the intended processing is likely to infringe the provisions of the GDPR and even limit or prohibit (temporarily or indefinitely) a data controller from undertaking the proposed processing.

Penalties

A failure by a controller to comply with its obligations to conduct a DPIA where one is required can attract an administrative fine of up to €10,000,000 or 2% of global turnover (whichever is greater); as can a failure to consult with the Information Commissioner where consultation is required under Article 36 of the GDPR. Failure to comply with an order limiting or prohibiting the processing (whether temporary or indefinite) can attract an administrative fine of up to €20,000,000 or 4% of global turnover (whichever is greater).

Can I undertake a DPIA when one is not required by the GDPR?

Yes you can; a properly completed DPIA will be of assistance to you in demonstrating that you are complying the the data protection principles. A DIPA on its own will usually be insufficient to completely comply with the Artcile 5(2) obligations (even where it is required by Article 35), but a properly completed DPIA is certainly something that you can produce to the Information Commissioner to help evidence that you are taking your data protection obligations seriously.

Alistair Sloan

If you require advice or assistance with Data Protection Impact Assessments or any other data protection matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. Alistair can also assist with other aspects of information law.

The Tension Continues: GDPR, FOI and EIRs

An exemption that is frequently deployed by Scottish public authorities is the exemption in section 38 of Freedom of Information (Scotland) Act 2002 (along with its corresponding exception in the Environmental Information (Scotland) Regulations 2004, regulation 11) which relates to personal data; both the personal data of the requester themselves as well as the personal data of third parties. Data protection law is changing later this month and as a consequence section 38 (as well as Regulation 11 of the Environmental Information Regulations) will also see some amendment.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”). The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018. There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between to the Commons and the Lords during which time it could be further amended. However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved. Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The Office of the Scottish Information Commissioner has published, in draft form, updated guidance on the application of section 38 to take account of the GDPR and the expected amendments to the relevant parts of FOISA and the Scottish EIRs. As it is still in draft form, anybody relying upon it (requester or public authority) should continue to monitor it to ensure that it has not been updated.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant. However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground. One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11. These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under the FOISA or the Scottish EIRS.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime. Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests. It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all. The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children. In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now. Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law. Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information. Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11. In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Alistair Sloan

If you require any assistance with any Freedom of Information or Data Protection/Privacy law matter you can contact Alistair Sloan on 0141 229 0880 or by E-mail. We also have a twitter account dedicated to information law matters from across the UK.

The Law Enforcement Directive: Data Subjects’ Rights (Part 1)

Earlier this month I wrote a blog post providing an introduction to the Law Enforcement Directive (“LED”); in that post I indicated that I would look separately at the rights of data subjects under the LED. I had anticipated that I would do this earlier on in the month, but then came Cambridge Analytica and the Information Commissioner’s power to obtain a search warrant. This is part 1 of my look at the rights of data subjects under the LED and will focus on the rights in Artciles 13-16 of the LED.

Part 3 of the Data Protection Bill will implement the provisions of the LED in the UK. Clauses 43 to 54 of the Bill (as the Bill presently stands) make provisions in respect of the rights of data subjects under Part 3. The rights within the Data Protection Bill are derived from the LED itself, which is very much based upon the rights contained within the General Data Protection Regulation. Chapter III of the LED sets out the rights which Member States must make available to data subjects where personal data is being processed for the law enforcement purposes.

Information to be made available, or given, to the data subject
Article 13 of the LED makes certain provisions in relation to the information that controllers, who are processing personal data for the law enforcement purposes, should normally make available to data subjects. The provisions of Article 13 are contained within clause 44 of the Data Protection Bill (although, I make reference to the LED Articles it should be kpet in mind that the LED is a Directive rather than a Regulation and therefore does not have direct effect. It will be the domestic provisions upon which data subjects will rely upon in their dealings with the competent authorities, Information Commissioner and domestic courts rather than the LED’s Articles).

Controllers who are processing personal data for the law enforcement purposes are to make the following information available:

The identity and contact details of the controller;
The contact details of the data protection officer (where there is one);
The purposes for which the controller processes personal data;
The existence of the data subject’s rights to (i) subject access; (ii) rectification; (iii) erasure of personal data or the restriction of its use; and (iv) to make a complaint to the Information Commissioner;
information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations)
where necessary, further information to enable the exercise of the data subject’s rights under Part 3, in particular where the personal data are collected without the knowledge of the data subject

Controllers can restrict the level of information that is provided to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security (d) protect national security; or (e) protect the rights and freedoms of others.

This right to information will not be unfamiliar to anyone who is familiar with the provisions of the GDPR; however, it’s not surprising that the right is limited to a degree to take account of the nature of the personal data that falls to be dealt with under the LED and Part 3 of the Data Protection Bill.

Subject Access
The right of subject access remains a fundamental aspect of data protection law emanating from the European Union. I have previously looked at the right of subject access within the General Data Protection Regulation on this blog. The right of such fundamental importance that it appears within LED; Articles 14 and 15 of the LED covers the right of subject access and this aspect of the LED is to be given effect to by clause 45 of the Data Protection Bill (as it currently stands)

If you are familiar with the right of subject access under the current Data Protection Act 1998 and/or the General Data Protection Regulation, then nothing much will surprise you vwithin Articles 14 and 15 and clause 45. The right of subject access within the LED and Part 3 of the Data Protection Bill provides the data subject the same rights as they have under the GDPR. It must be complied within one month and no fee can generally be charged for dealing with a Subject Access Request (SAR).

The controller can restrict the data subject’s right to subject access and these provisions are presently found within clause 45(4) of the Data Protection Bill. The controller can restrict the data subject’s right to the extent and for so long as it is a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;(c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others. In determining whether the restriction is a necessary and proportionate measure the controller must have regard to the fundamental rights and legitimate interests of the data subject.

Where a data subject’s right to subject access under Part 3 of the Data Protection Bill is to be restricted, the Bill (in its current form) requires the data subject to be given information relating to the restriction except to the extent that to provide such information it would undermine the purpose of the restriction. For example, if an individual who was being investigated by the Police for fraud made a Subject Access Request the police would be entitled to restrict the data subject’s rights insofar as it related to that investigation and that police would be able to do so without telling them that they have restricted their subject access rights.

The next part will look at the right to restriction of processing; the right to erasure and the data subject’s rights in relation to automated processing in the context of the LED and Part 3 of the Data Protection Bill. Remember, the LED is due to be implemented by 6th May 2018, which is almost 3 weeks before the date upon which the GDPR becomes applicable.

Alistair Sloan

If you require any advice and assistance with matters relating to the Law Enforcement Directive or any other Privacy/Data Protection legal matter then contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can follow Inksters’ dedicated Information Law Twitter account: @UKInfoLaw

Cambridge Analytica, Facebook and the Data Protection Bill

In light of the investigation currently being undertaken by the Information Commissioner into Facebook and Cambridge Analytica, I thought it was worthwhile considering some of the relevant provisions of the Data Protection Bill as it currently stands.

One of the issues that has arisen is the apparent inability of the Information Commissioner to obtain a warrant for entry and inspection of Cambridge Analytica’s offices; I’ve already looked at the Commissioner’s current powers to obtain such a warrant under the Data Protection Act 1998 generally. Schedule 15 to the Data Protection Bill deals with the Commissioner’s powers of entry and inspection; it sets up the same scheme that is currently in place in terms of Schedule 9 to the Data Protection Act 1998. There have been some comments about the need for the Information Commissioner to give 7 days’ written notice demanding entry before applying for a warrant; but as I noted in my blog post earlier this week, the judge can grant a warrant without those conditions having been met in certain defined circumstances. Whether this process causes confusion for the Information Commissioner’s staff or not is only something that the Commissioner herself can comment on at this stage; however, it is not unusual for the Commissioner to obtain warrants – indeed her office executed a warrant in Scotland only yesterday.

Another part of the Data Protection Bill which may be of relevance is the provisions therein concerning the consent of children in relation to Information Society Services. The General Data Protection Regulation sets the age of consent at 16, but allows Member States to reduce the age to no lower than 13. Clause 9 of the Data Protection Bill currently provides that in the United Kingdom the age will be reduced from 16 to 13. Information Society Services include, but are not limited to, social media websites such as Facebook.

There are provisions within the Data Protection Bill which would require the Information Commissioner to prepare and publish, after approval, a code on age-appropriate design. This code can be taken into account by the Commissioner and the courts and tribunals, but the Bill provides expressly that failure to comply with such a code “does not of itself make that person liable to legal proceedings in a court or tribunal” (Clause 126(1) of the Data Protection Bill).

The provisions governing the age at which a child can consent to the processing of their personal data for Information Society Services has caused some concern during the Bill’s passage through parliament; it is ressonable to assume that the issue will come up again once the Bill reaches its final stage of the Parliamentary process in the House of Commons in light of developments over the past week.

Another clause in the Data Protection Bill which has caused some concern in light of the Cambridge Analytica revelations is the provision in Clause 6(e). What this provides for is that an “activity that supports or promotes democratic engagement” is to be considered “processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority” for the purposes of Article 6(1)(e) of the GDPR. The Information Commissioner has raised concerns that this would legitimise the activities of Cambridge Analytica. This was inserted, as a Government amendment, during the Public Bill committee stage of the Bill’s passage through the House of Commons.

In moving the amendment, the Minister explained that “term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights”. It may be that between now and the Bill being finally agreed to by the House of Commons that this provision is tightened up somewhat to ensure that activities like those carried out by Cambridge Analytica do not fall within the ambit of that clause.

I would tend to agree with the Commissioner’s assessment on the impact of clause 6(e) in relation to the sorts of activities we are concerned with in respect of the Cambridge Analytica and Facebook investigations. The clause is extremely wide and while it is subject to a necessity test, it is entirely possible that these activities could fall within the ambit of clause 6(e). The Government may well be wise to revisit clause 6(e) and see if it can be tightened up in any way to ensure that its scope is narrowed.

As can be seen, there are a number of issues concerning the Data Protection Bill (of which the above are only some) arising out of the Cambridge Analytical and Facebook investigations; it will be necessary to wait and see how, if at all, the House of Commons reacts and whether there are any changes to the Bill as a consequence.

Alistair Sloan

If you require assistance with the General Data Protection Regulation or the Data Protection Bill; or any other information law matter, you can contact Alistair Sloan on 0141 229 0880. Alternatively you can E-mail Alistair. You can also follow Inksters dedicated Information Law Twitter account: @UKInfoLaw.

Data Protection Bill: Committee Day 1

The Data Protection Bill has been winding its way through the legislative process since it was first introduced to the House of Lords in September 2017. Since then it has completed its passage through the House of Lords and is now being scrutinised by MPs in the House of Commons, having received its second Reading last week. I made some initial observations on the Bill shortly after it was first published and thought that it was about time that I revisited the general subject of the Bill.

The Bill has now reached the committee stage in the House of Commons and is being considered by a Public Bills Committee, the first meetings of which took place yesterday. You can read the first sitting, which took place yesterday the morning, in Hansard, meanwhile the second sitting, which took place yesterday afternoon, can be found in Hansard here.

There was a debate yesterday morning on a proposed amendment (‘new clause 12’) which would insert a new clause into the Bill incorporating Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 of the Charter makes specific provision for the protection of personal data; the amendment was tabled by MPs from opposition parties and was resisted by the Government. The source of the government’s concern, as set out by the Minister of State yesterday, is that new clause 12 would, in the government’s view, create “a new and free-standing right”. The Minister went on to say that “[t]he new right in new clause 12 would create confusion if it had to be interpreted by a court.” This was contested by Liam Byrne MP, who moved the amendment. Mr Byrne noted that this was a refined version of an amendment that was unsuccessfully moved in the House of Lords. Mr Byrne described the suggestion that new clause 12 was creating a new and unfettered right as being “nonsense”. The amendment, while debated yesterday, was not put to a vote; decisions on whether to insert new clauses are not due to be taken until towards the end of the Committee’s consideration of the Bill. We will need to therefore wait to learn whether it is ultimately included in the Bill or not.

Some amendments were considered and agreed to yesterday, while some others were considered and not agreed to. In Clause 3 of the Bill, the definition of ‘processing’ has been amended to remove reference to ‘personal data’ and to replace it with ‘information’. This means that the definition of processing in the Data Protection Bill now reads: “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as”. This means that the definition of processing in Clause 3 of the Data Protection Bill differs from the definition within the GDPR.

The explanation proffered by the Minister in support of these amendments was that they were “designed to improve clarity and consistency of language.” The Minister argued that “the amendments ensure consistency with terminology in other legislation.” She also gave her view that the amendments have “no material impact on the use of the term “processing” in parts 2 to 7 of the Bill”.

Clause 7 of the Bill (which deals with the meaning of ‘public authority’ and ‘public body’) has also been amended so as to provide that Ministers, exercising their delegated powers to designate and undesignated (for the purposes of data protection law) public authorities and public bodies, can do so not simply by identifying specific bodies or organisations, but also by way of description. The changes effectively mean that the provisions in the Data Protection Bill work in the same way as the similar provisions do within the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.

The controversial immigration exemption in paragraph 4 of Schedule 2 to the Data protection Bill saw a great deal of debate in the afternoon’s sitting. An amendment to remove the immigration exemption entirely from the Bill was moved and a division took place. The amendment to remove the exemption from the Bill was defeated by 10 votes to 9 and therefore the exemption remains in the Bill. The split was among party lines with the Government’s MPs successfully voting down the amendment with all MPs from opposition parties voting in favour of it.

It would not be possible to discuss everything that went on during the course of the committee’s two sittings yesterday, but I have tried to pick out some of the key aspects from yesterday’s proceedings. The amendment to the definition of processing seems to me to be rather odd and quite frankly unfathomable. Personal data is a well understood term within the field of data protection and privacy law. How the courts and Commissioner will interpret “information” is something that we will need to wait and see; if the amendment does in fact make no material change, then it will have been a completely pointless amendment.

I don’t see the controversy of the immigration amendment going away anytime soon. The Government is satisfied that the exemption strikes the right balance and is one that is permissible in terms of the GDPR. Campaign groups in opposition to the amendment say that it goes too far and, in any event, is unlawful as it is not permitted by the GDPR. It will certainly be interesting to see where matters go in that regard.

The attempt to replicate Article 8 of the EU Charter is an interesting proposal; one of the Government’s red lines in relation to the EU withdrawal process is that the EU Charter will cease to apply in the United Kingdom, how the effective inclusion of one article of the Charter would go down with certain members of Parliament is something that remains to be seen. Whether its inclusion will assist with the issue of ‘adequacy’ following the United Kingdom’s withdrawal from the European Union is debatable (for what it is worth, my initial reaction is it’s unlikely that it would have any bearing at all upon the question of adequacy).

The Committee’s consideration of the Bill is due to continue tomorrow (Thursday 15^th March 2018) with sittings starting at 11:30am and again at 2pm. This is a large and complex Bill and the task of undertaking a line by line scrutiny of it is no easy task, especially in a timetable that will see this line by line scrutiny come to an end on 27^th March 2018.

Alistair Sloan

If you would like advice on the General Data Protection Regulation, the new Data Protection Bill or any other Information Law concern then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.

An introduction to the Law Enforcement Directive

Among all of the hype surrounding the General Data Protection Regulation (GDPR) some other aspects of information law are being overlooked; I have already written about the Privacy and Electronic Communications (EC Directive) Regulations 2003 and how they are forgotten about. The GDPR is not the only new piece of EU law which is due to take effect in May and which will impact data protection and privacy law in the United Kingdom. The processing of personal data by data controllers for the purpose of law enforcement falls outside of the scope of the GDPR; instead this is dealt with by the Law Enforcement Directive (LED). As the LED a Directive rather than a Regulation, the LED does not have direct effect and therefore requires to be transposed into Member States’ domestic law. This is being achieved in the UK through Part 3 the Data Protection Bill.

The LED is perhaps not as visible as the GDPR because of its much more limited scope. However, this blog aims to cover all information law bases and it would be remiss of me not to write something on it at least. The LED, and therefore the provisions of Part 3 of the Data Protection Bill, applies to what have been termed as “competent authorities” for the purposes of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”; these purposes are collectively known as the “law enforcement purposes”.

So, who needs to bother about the LED? Obviously, competent authorities have to bother about it because it governs how they process personal data for the law enforcement purposes; however, they are not the only ones. Data Subjects should also be concerned about the LED as it governs how their personal data is processed by these competent authorities and sets out what rights they have in relation to personal data processed by them for law enforcement purposes. The competent authorities are mostly set out in Schedule 7 to the Data Protection Bill; however, clause 30(1)(b) of the Data Protection Bill provides that “any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes” is also a competent authority. The most obvious competent authority is the police; however, there are quite a few others listed within Schedule 7 including Revenue Scotland, the Department for Work and Pensions, the Police Investigations and Review Commissioner and HMRC. Of course, both the Information Commissioner and Scottish Information Commissioner process personal data for the law enforcement purposes and therefore Part 3 of the Data Protection Bill would apply to them when they’re processing personal data in the capacity. In terms of 30(1)(b) competent authorities, the most obvious example would be local authorities who are responsible for things such as Trading Standards provision and also the investigation of fraud concerning benefits administered by them.

One thing that should be noted is that the security and intelligence services (The Security Service, Secret Intelligence Service and GCHQ) are not covered by the LED. National Security falls outside of the scope of EU law and therefore the European Union has no competence to regulate these areas. Therefore, although the Security Services process personal data for law enforcement purposes, the LED does not apply to them. The Data Protection Bill does make provision for the processing of personal data by the security and intelligence agencies; this can be found in Part 4 of the Data Protection Bill (and falls outside of the scope of this blog post).

Chapter 1 of Part 3 of the Data Protection Bill provides the key definitions which require to be used when applying Part 3. The definitions are broadly the same as those to be found in the GDPR with relevant modifications being made. Therefore if you are familiar with data protection law then these definitions will not be too alien to you.

Chapter 2 of Part 3 of the Data Protection Bill sets out the six principles to be complied with when processing personal data under Part 3. Meanwhile, Chapter 3 sets out data subjects’ rights; including the right to subject access, the right to rectification and the right to erasure or restriction of processing.

The rights of data subjects under part 3 of the Data Protection Bill will be the subject of a separate blog post later in the month; however, it is suffice to say that they have a more limited scope than under the GDPR because of the nature of the processing being dealt with.

There is one final part of the Data Protection Bill to make mention of in this blog post and that is Schedule 8 to the Data Protection Bill. This Schedule sets out the conditions which must be met before a competent authority can carry out sensitive processing of personal data under Part 3.

The LED is supposed to be transposed into Member States’ domestic law by 6th May 2018; it remains to be seen whether the Data Protection Bill will complete its passage through Parliament and receive Royal Assent in time to allow Part 3 to be commenced by then.

Alistair Sloan

If you require any advice or assistance in connection with the provisions of the Law Enforcement Directive or any other information law concern, please contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

New Data Protection Fees

The draft Data Protection (Charges and Information) Regulations 2018 have now been laid before Parliament by the UK Government; it is intended that they will enter into force on 25^th May 2018. The Regulations will introduce the new charging regime that is to replace “notification fees”, once the requirement upon data controllers to notify the Information Commissioner of their processing of personal data.

As expected, the fees will move from the current two-tier structure to a three-tier structure; however, the fee amounts are different to what was proposed in the consultation last year. The tiers are as follows:

Tier 1
Data controllers who fall into tier 1 will pay an annual fee of £40 to the Information Commissioner. You fall into this fist tier if you have a turnover of less than or equal to £632,000 for your financial year, or you have no more than 10 members of staff. Charities also fall into this category as do small occupational pension providers.

Tier 2
Data controllers who fall into tier 2 will pay an annual fee of £60 to the Information Commissioner. You will fall into this tier if you do not fall into tier 1 and have a turnover less than or equal to £36m for your financial year, or have no more than 250 members of staff.

Tier 3
Data controllers who fall into tier 3 will pay an annual fee of £2,900 to the Information Commissioner. All non-exempt data controllers who do not fall into the first two tiers will fall into tier three. The Commissioner has indicated that they will assume that every data controller falls into tier 3 unless they prove the contrary.

These fees do represent a shift from the levels that were consulted on last year. In particular the top-tier fee that was suggested in October was £1,000 but has now become £2,900. Data controllers can save themselves a bit of money (a grand total of £5) by paying their annual fees by Direct Debit.

The fees structure that was consulted on had suggested that there would be a premium to be paid by any data controller that also carried out direct marketing activities by electronic means; however, that hasn’t been given effect to in the draft Regulations that have been laid before Parliament,

In terms of working out how many members of staff you have for the purposes of these regulations you can’t just count the number of employees you have. A member of staff, for the purposes of the Regulations, is: (i) an employee; (ii) a worker, within the meaning of s.296 of the Trade Union and Labour Relations (Consolidation) Act 1992; (iii) an office holder; or (iv) a partner. Part-time members of staff are counted as one member for these purposes. To calculate the members of staff you need to work out how many members of staff you employed each month in your last financial year, add together the monthly totals and then divide it by the number of months in your last financial year. Even members of staff who work outside of the United Kingdom (and, indeed, the European Union) need to be counted.

You do not need to work out how many members of staff you have if you are a charity or if you are a small occupational pension scheme. Public authorities are required to ignore those reference to turnover and are required only to determine how many members of staff that they have.

If you are processing personal data solely for one of the following eight purposes, you do not need to pay a fee to the Information Commissioner:

Staff Administration;
Advertising, marketing or public relations,
Accounts and records,
Not-for-profit purposes
Personal, family or household affairs
Maintaining a public register
Judicial functions
Processing personal information without an automated system such as a computer

To be able to rely upon this exemption your processing must be solely for one or more of the above noted purposes. If your processing is for one of those activities in addition to another activity then you will need to pay the fee at the appropriate tier.

In order to ensure that data controllers are paying the correct level of fee, the draft Regulations have provision within them for data controllers to supply various pieces of information to the Information Commissioner; this information fits around establishing which, if any, of the three tiers the controller falls into.

There are a couple of final things to note. The first is that if you pay a notification fee prior to 25^th May 2018 then you will not be required to pay the new fees until that notification has expired. Therefore, if you are due to notify the ICO under the Data Protection Act 1998 on or before 24^th May 2018 you will not be required to pay the new fees until next year. The final thing to note is that these Regulations are only in draft form; they are still subject to parliamentary approval and could be amended. However, this blog post reflects the position as contained within the draft Regulations. Large organisations should, however, be planning to pay significantly more to the Information Commissioner than the £500 they have been paying until now.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, including the GDPR, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

It’s just legitimite interests, isn’t it?

The General Data Protection Regulation (GDPR) becomes applicable in the United Kingdom on 25^th May 2018. Preparations are well underway in business, government and the regulator for the new privacy and data protection landscape. People are trying to find their way through the GDPR and the Data Protection Bill to understand exactly what it is that they’re required to do in order to comply with the new framework, but there are a lot of misunderstandings about certain requirements of the GDPR. I have already dealt with one of those, the issue as to whether or not consent is required under the GDPR on this blog. Another area where there appears to a lot of misunderstanding is with the legitimate interests ground for processing, especially in the area of direct marketing.

Article 6(1)(f) of the GDPR provides that it is lawful to process the personal data of a data subject where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” This is the legitimate interests ground for processing; but as can be seen from a proper reading of the condition, it is not the silver bullet condition that some people seem to think that it is.

There are essentially three elements to the condition: (1) necessity; (2) legitimate interests of the controller or a third party; (3) the interests or fundamental rights of the data subject. Therefore before being able to rely upon legitimate interests as the processing condition, it is essential that controllers go through a three stage process. The first stage is to identify what the interests are. In determining whether the interest identified by the data controller is a legitimate interest, it is necessary for them to consider whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for this purpose may take place. If a data subject could not reasonably expect that the processing envisaged by the data controller may take place, at the time and in the context of collection of the personal data, it will not be a legitimate interest.

The second stage is to consider necessity; the processing must be necessary for the legitimate interest(s) being pursued. If the processing is not necessary then a data controller cannot rely upon the ‘legitimate interests’ condition for processing the personal data in question. The ICO currently puts it this way “[i]f you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.” It is therefore essential to consider whether there are other ways to fulfil the legitimate interest(s) identified. The test does not require it to be “strictly necessary” or “absolutely necessary”, but it is still a high test

The final element that needs to be considered before a decision to rely upon legitimate interests can be taken, is whether the legitimate interests are overridden by the fundamental rights and freedoms of the data subject. This can be a very difficult assessment to make and can, on occasions, be on a knife-edge. It is fundamentally about proportionality and in a lot of cases the data subject’s fundamental rights and freedoms will override the legitimate interests with the result that another condition needs to be found to enable processing take place.

At the very outset I did mention that there is a lot of misunderstanding about legitimate interests in the field of direct marketing. It is true that the GDPR does state, in Recital 47, that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, but it’s not as simple as that. Firstly it is important to note that the Recital states that it “may be” a legitimate interest; that is not the same thing as saying that it “will be” or “is” a legitimate interest. It only opens the door to marketing being a legitimate interest; it does not remove the need to consider whether it is, in any given context, a legitimate interest.

Secondly, it is important not to consider the GDPR in isolation. I have already written about the forgotten relative of the GDPR: The Privacy and Electronic Communications (EC Directive) Regulations 2003. These are extremely relevant when conducting direct marketing by electronic means (such a by telephone, E-mail or text message). Processing personal data for the purposes of marketing might well be lawful because it can be shown that it is a legitimate interest for the controller or a third party, but how that marketing is then delivered must comply with the other relevant laws and codes which regulate marketing activity.

The legitimate interests condition is a flexible one, but data controllers should not assume that if no other condition applies, or is appropriate, that they can simply say “it’s legitimate interests” and be done with it. Where a controller does rely upon legitimate interests, the accountability principle will kick in and the supervisory authority may well ask for it to be justified. Therefore, where it is proposed to rely upon legitimate interests a record should be kept demonstrating how each of three elements to the legitimate interests condition is met.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018. However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin: the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation. When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR. Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale. Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging. The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive. This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”. This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them. You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services. The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone: Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls. In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls. Again, this requires there to be a freely given, specific and informed indication. Consent can be withdrawn.

Telephone: Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS). You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS. Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines. However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today. However, a couple of points to note in closing: Firstly, the EU is currently working on a replacement to the current Directive. It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t. Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see. Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU. Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018). Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

Information Law Blog

From Inksters Solicitors

Tag Archives: Data Protection Reform

Data Protection Act 2018

The Law Enforcement Directive: Data Subjects’ Rights (Part 1)

Data Protection Bill: Committee Day 1

An introduction to the Law Enforcement Directive