Sunday, 12 September 2021

Consultation on Changing the Data Protection Laws

Jane Lambert

In his press release of 26 Aug 2021, which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws. That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction. Responses must be submitted by 19 Nov 2021.

The consultation document is 146 pages long and is divided into an introduction, 5 chapters, a page on whom the Department for Digital, Culture, Media and Sport ("DCMS") is seeking to consult, how to respond and what happens next, and a privacy notice. DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion". It believes that the consultation will have particular relevance to

  • Individuals 
  • Start-ups and small businesses 
  • Technology companies and data-driven or data-rich companies 
  • Investors in technology and data-driven or data-rich companies 
  • Civil society organisations focused on consumer rights, digital rights, privacy and data protection 
  • Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right 
  • Organizations involved in international data standards, regulation, and governance 
  • Law firms and other professional business services.

Respondents are urged to use the DCMS's online survey platform, but responses can also be submitted by email or post. The DCMS will publish its response in due course.

The 5 chapters are as follows:
  • Chapter 1 - Reducing barriers to responsible innovation
  • Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
  • Chapter 3 - Boosting trade and reducing barriers to data flows
  • Chapter 4 - Delivering better public services, and 
  • Chapter 5 - Reform of the Information Commissioner's Office.

The reasons for reducing barriers to responsible innovation are set out in para 30:

"The government has heard from stakeholders that elements of the law can create barriers to responsible innovation. Some definitions are unclear and lack explanatory case law or regulatory guidance that could take years to develop; organisations may choose not to use data as fully as they could owing to unfounded concerns about legality. For example, the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.5 The government has also heard evidence that uncertainty about when different lawful grounds for processing personal data should be used has led to an overreliance on seeking consent from individuals. This creates an unnecessary burden for consumers as well as for organisations. Finally, the increasing adoption and potential of new data-driven technologies is dependent on clear and consistent rules about the use of personal data."

The criticism of the present system is contained in para 139:

"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."

One of those burdens is said to be subject access requests.  It is said that organizations have difficulty in processing such requests and with the threshold for making requests.  One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting. 

On "Boosting trade and reducing barriers to data flows" the DCMS explains at para 240:

"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."

Data protection law became horrendously complex with the adoption of the General Data Protection Regulation and the implementation of the Law Enforcement Directive by the Data Protection Act 2018 on 25 May 2018.  Brexit has greatly exacerbated that complexity.   A snapshot of the current law since the expiry of the transition or implementation period on 31 Dec 2020 is set out in The Data Protection Legislation which I published on 28 Aug 2021.

Anyone wishing to discuss this article or any of its contents can call me on 020 7404 5252 during normal office hours or send me a message through my contact form at other times.

Friday, 27 August 2021

Dowden's Data Protection Plans


Jane Lambert

In the last few months, this government has made one ambitious promise after another. In his foreword to Global Britain in a competitive age, the Prime Minister wrote that his government's aim is for the UK to become a science and tech superpower by 2030 (see NIPC Brexit 19 March 2021). In his foreword to the UK Innovation Strategy Leading the future by creating it, Kwasi Kwarteng, Secretary of State for Business, said that the UK would be in science and technology what it is in finance (see UK Innovation Strategy, NIPC Inventors Club 12 Aug 2021). With similar hyperbole, Oliver Dowden, Secretary of State for Culture, Media and Sport, has announced "a world-leading data regime" by "forging new global partnerships and designing our own common sense data laws" (see UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare, DCMS press release 26 Aug 2021).

The Press Release

Mr Dowden's press release makes three announcements:
  • an intention to negotiate "data adequacy partnerships" with Australia, Colombia, the Dubai International Financial Centre, Singapore, South Korea and the USA;
  • the appointment of John Edwards, the New Zealand Privacy Commissioner, as the next Information Commissioner; and 
  • a consultation on changes to the UK's data protection laws "to break down barriers to innovative and responsible uses of data so it can boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services."

Data Protection Legislation

On 25 May 2018, the General Data Protection Regulation ("GDPR") came into force across the European Union including the UK.  Art 94 of the GDPR repealed Directive 95/46/EC which had been implemented in the UK by the Data Protection Act 1998.  As it was a regulation of the European Council and Parliament, the GDPR took effect automatically.  The UK Parliament enacted the Data Protection Act 2018 which repealed the Data Protection Act 1998, supplemented the GDPR and applied a broadly equivalent regime to certain types of processing to which the GDPR did not apply.  

When the UK left the EU on 31 Jan 2020, the GDPR remained in force in the UK during the transition or implementation period that ended on 31 Dec 2020 pursuant to art 127 of the withdrawal agreement.  At the end of the transition period, the GDPR was incorporated into English, Welsh, Scots and Northern Irish law by s.3 (1) of the European Union  (Withdrawal) Act 2018.  Reg 3 and Sched. 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 418) amended the provisions of the GDPR that have been incorporated into domestic law.   Reg 4 and Sched 2 of those regulations amended the Data Protection Act 2018.  

Transfer of Data Abroad

A fundamental principle of all data protection laws is that personal data should not be transferred abroad without adequate safeguards for its protection. Art 44 of the GDPR provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation."

One of the conditions on which personal data may be transferred overseas is set out in art 45 (1):

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The decision of whether a third country provides adequate protection depends on a number of elements set out in art 45 (2).   The Commission has already made an adequacy decision in favour of the UK by its Decision of  26 June 2021 which I discussed in Commission Adequacy Decisions on 29 June 2021.  

Amendments to Art 45

Para 38 (2) of Sched 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 changed art 45 (1) of the GDPR to:

"A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act). Such a transfer shall not require any specific authorisation."

Para 38 (3) of that Sched deleted most of the rest of the article. Para 23 of Sched 2 inserted new sections 17A, 17B and 17C into the Data Protection Act 2018. Those new sections contain new provisions for determining the adequacy of other countries' protection of personal data. These include the power to make regulations.

Para 42 of Sched 2 inserted new sections 74A and 74B into the Data Protection Act 2018. These provide for the transfer abroad of data not covered by the GDPR in accordance with the above-mentioned regulations. S.74A (4) of the Act is in substantially the same terms as art 45 (2) of the GDPR.

"Adequacy Partnerships"

The pairing of the noun "partnership" with the adjective "adequacy" suggests that adequacy decisions could depend on reciprocity and commercial advantage rather than the criteria in art 45 (1). The press release reinforces that impression:

"The government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses. In turn this will help give UK customers faster, cheaper and more reliable products and services from around the world."

Those concerns are at least partially allayed by the "Test for Adequacy" section of the guidance note International data transfers: building trust, delivering growth and firing up innovation, published on 26 Aug 2021. On paper, at least, the test for adequacy is objective and not dissimilar to the test in art 45 (2) of the GDPR.

Risk of Losing the European Commission Adequacy Finding

A problem of seeking adequacy partnerships with countries operating very different regimes for protecting personal data is that the Commission could revoke its decision on the adequacy of protection in the UK under art 3 (4). That paragraph provides:

"Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent United Kingdom authorities and may suspend, repeal or amend this Decision."

Such a situation could arise if data were to flow without restriction from the EU to the UK and then from the UK to the USA, but not directly from the EU to the USA. It would be unfortunate if the UK jeopardized its status in the European Economic Area in a quest for more distant and generally smaller markets overseas.

Consultation

There is as yet no green paper or consultation on changing the law.   The only indication of what the government has in mind at this stage is that it believes improved data sharing could help deliver more agile, effective and efficient public services and help make the UK a science and technology superpower.   

Further Information

Anyone wishing to discuss this article or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Tuesday, 29 June 2021

Commission Adequacy Decision

European Commission (Author: EmDee, Licence: CC BY-SA 4.0, Source: Wikipedia Commons)
Jane Lambert

The uninterrupted exchange of personal data across borders is vital for the financial and other service industries. As I noted in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, it was restrictions on the transfer of personal data from countries that had enacted data protection legislation, rather than the Younger and Lindop reports, that prompted Parliament to enact the first Data Protection Act in 1984. Until 23:00 on 31 Dec 2020 businesses in the UK could rely on art 1 (3) of the General Data Protection Regulation (Regulation (EU) 2016/679), which provides that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. That was because EU law continued to apply to the UK between 23:00 on 31 Jan and 23:00 on 31 Dec 2020 pursuant to art 127 (1) of the agreement by which the UK withdrew from the EU.

Upon the expiry of that period, the United Kingdom became a "third country" for the purposes of art 44 of the GDPR.  That article provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."

Art 45 (1), however, provides:

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The rest of that article sets out the criteria by which the Commission can make such a decision and the procedure for reaching it.

By a decision dated 28 June 2021 (Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4800 final)), the Commission has decided that for the purposes of art 45 of the GDPR the UK ensures an adequate level of protection for personal data transferred within the scope of the GDPR from the EU to the UK. The decision consists of 93 pages almost all of which are recitals setting out the Commission's reasons.  The decision on adequacy is contained in art 1 (1).  Art 3 (1) of the Decision requires the Commission to "monitor the application of the legal framework upon which this Decision is based, including the conditions under which onward transfers are carried out, individual rights are exercised and United Kingdom public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United Kingdom continues to ensure an adequate level of protection within the meaning of Article 1." The Commission has power under art 3 (4) to suspend, repeal or amend the decision where it has indications that an adequate level of protection is no longer ensured.  It can also suspend, repeal or amend the decision under art 3 (5) if a lack of cooperation of the UK government prevents the Commission from determining whether the finding in art 1 (1) is affected.   The decision shall expire on 27 June 2025, unless extended in accordance with art 93 (2) of the GDPR.

Art 1 (2) of the decision makes clear that it does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control pursuant to para 4 (1) of Sched. 2 to the Data Protection Act 2018.  Art 2 (2) (d) of the GDPR states that the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.   Such processing is regulated by the Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA). 

Art 35 (1) of the directive imposes the following obligation upon EU member states:

"Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1 (1);
(b) the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1 (1);
(c) where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
(e)  in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred."

Art 36 of the Law Enforcement Directive is very similar to art 45 of the GDPR. By Commission Implementing Decision of 28.6.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4801 final), the Commission found that the UK ensures an adequate level of protection for personal data transferred from the EU to UK public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties for the purposes of art 36. The decision requires the Commission to monitor the UK government's compliance with the legal framework and enables the Commission to suspend, repeal or amend the decision in the event of non-compliance or non-cooperation. Subject to that provision, the decision also remains in force until 27 June 2025.

In an ICO statement in response to the EU Commission's announcement on the approval of the UK's adequacy, the Information Commissioner said:

"This is a positive result for UK businesses and organisations.
Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices.
Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.
The result is also a testament to the strength of the UK’s data protection regime.”

Anyone wishing to discuss this article or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Saturday, 25 July 2020

Schrems II (Transfers of Data to the USA) Data Protection Commissioner v Facebook Ireland Ltd and Another

Damien Slattery / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0)
Jane Lambert

Court of Justice of the European Union (K. Lenaerts, President, R. Silva de Lapuerta, Vice-President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Safjan, S. Rodin, P.G. Xuereb, L.S. Rossi and I. Jarukaitis, Presidents of Chambers, M. Ilešič, T. von Danwitz (Rapporteur), and D. Šváby, Judges)  Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd and another [2020] EUECJ C-311/18, EU:C:2020:559, ECLI:EU:C:2020:559 

This was a request for a preliminary ruling by Ms Justice Costello of the High Court of Ireland pursuant to art 267 of the Treaty on the Functioning of the European Union.  The request came at the behest of the Data Protection Commissioner of the Republic of Ireland.  The Commissioner had been asked by one Maximilian Schrems ("Mr Schrems") to require Facebook Ireland Ltd. ("Facebook") to cease or suspend transfers of personal data of which Mr Schrems was the data subject to Facebook's holding company in the United States where it could be intercepted and processed by US security and intelligence services without any legal redress.

The SCC Decisions

The Commissioner believed that she could not perform her task without a ruling on the validity of three Commission Decisions (referred to collectively as the "SCC Decisions") setting conditions for the transfer of personal data to the USA, as a result of the Court of Justice's decision in Case C‑362/14, Schrems v Data Protection Commissioner EU:C:2015:650, ECLI:EU:C:2015:650, [2016] QB 527, [2015] EUECJ C-362/14, [2016] 2 CMLR 2, [2016] 2 WLR 873, [2016] CEC 647, [2015] WLR(D) 403. The Commissioner invited the Irish High Court either to make a finding on the validity of the SCC Decisions on its own initiative or to refer the question of their validity to Luxembourg under art 267 TFEU.

The Reference

In The Data Protection Commissioner v Facebook Ireland Limited and another [2017] IEHC 545, Ms Justice Costello found grounds for believing that the SCC Decisions were invalid. It was in her view extremely important for there to be uniformity on the issue throughout the European Union. On that basis, she believed that a reference was necessary and appropriate. Her ladyship delivered her order for a reference to the parties on 12 April 2018, whereupon Facebook Ireland appealed her decision to make a reference and applied for a stay of the reference pending their appeal. Ms Justice Costello heard and rejected Facebook Ireland's application for a stay in Data Protection Commissioner v Facebook Ireland Ltd and another [2018] IEHC 236 (2 May 2018).

The Questions

The questions that Ms Justice Costello referred to the Court of Justice were set out at paragraph [68] of the Court's judgment in Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd [2020] EUECJ C-311/18, EU:C:2020:559, ECLI:EU:C:2020:559:
"(1) In circumstances in which personal data is transferred by a private company from a European Union (EU) Member State to a private company in a third country for a commercial purpose pursuant to [the SCC Decision] and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter) apply to the transfer of the data notwithstanding the provisions of Article 4 (2) TEU in relation to national security and the provisions of the first indent of Article 3 (2) of Directive [95/46] in relation to public security, defence and State security?
(2)
 (a) In determining whether there is a violation of the rights of an individual through the transfer of data from the [European Union] to a third country under the [SCC Decision] where it may be further processed for national security purposes, is the relevant comparator for the purposes of [Directive 95/46]:
(i) the Charter, the EU Treaty, the FEU Treaty, [Directive 95/46], the [European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950] (or any other provision of EU law); or
(ii) the national laws of one or more Member States?
(b) If the relevant comparator is (ii), are the practices in the context of national security in one or more Member States also to be included in the comparator?
(3) When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of [Directive 95/46], ought the level of protection in the third country be assessed by reference to:
(a) the applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; or
(b) the rules referred to in (a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non-judicial remedies as are in place in the third country?
(4) Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision] does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?
(5) Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision]:
(a) does the level of protection afforded by the United States respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?
If the answer to Question 5(a) is in the affirmative:
(b) are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?
(6)
 (a) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) [of Directive 95/46] in light of the provisions of [Directive 95/46] and in particular Articles 25 and 26 read in the light of the Charter?
(b) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under [the SCC Decision] satisfies the requirements of [Directive 95/46] and the Charter?
(7) Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in [the SCC Decision] preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of [Directive 95/46]?
(8) If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the [standard contractual clauses] or Article 25 and 26 of [Directive 95/46] and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of [Directive 95/46] to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of recital 11 of [the SCC Decision], or can a data protection authority use its discretion not to suspend data flows?
(9)
 (a) For the purposes of Article 25(6) of [Directive 95/46], does [the Privacy Shield Decision] constitute a finding of general application binding on data protection authorities and the courts of the Member States to the effect that the United States ensures an adequate level of protection within the meaning of Article 25(2) of [Directive 95/46] by reason of its domestic law or of the international commitments it has entered into?
(b) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the [SCC Decision]?
(10) Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III to the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the United States under the [SCC Decision] that is compatible with Article 47 of the Charter]?
(11) Does the [SCC Decision] violate Articles 7, 8 and/or 47 of the Charter?"

Admissibility

The admissibility of the reference was challenged by Facebook and the British and German governments. Facebook argued that the reference served no useful purpose as the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31–50) had been repealed by the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 4.5.2016 L119/1). The Court noted that the Directive was in force when the reference was made and that the relevant articles of the Directive had been substantially reproduced in the GDPR. The German government contended that the Commissioner had not expressed an opinion but only doubts on the validity of the SCC Decisions and that the referring court had not made a finding on whether or not Mr Schrems had consented to the data transfer. The British government submitted that there had been no finding that the transfer of data had been made in reliance on the SCC Decisions. The Court rejected both governments' contentions, finding that the request for the preliminary reference had been well-founded.

The First Question
The Court reformulated the first question as follows at paragraph [80]:

"By its first question, the referring court wishes to know, in essence, whether Article 2 (1) and Article 2 (2) (a), (b) and (d) of the GDPR, read in conjunction with Article 4 (2) TEU, must be interpreted as meaning that that regulation applies to the transfer of personal data by an economic operator established in a Member State to another economic operator established in a third country, in circumstances where, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of that third country for the purposes of public security, defence and State security."

Art 2 (1) of the GDPR provides:
"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
However, art 2 (2) limits the scope of art 2 (1):
"This Regulation does not apply to the processing of personal data:
(a)  in the course of an activity which falls outside the scope of Union law;
(b)  by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c)  ................
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."
 Art 4 (2) of the Treaty on European Union provides:
"The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State."
The Court held that art 4 (2) TEU concerns only the Member States of the EU and has no bearing on the activities of a non-member state such as the USA. None of the exclusions in art 2 (2) applied to a transfer made by Facebook for commercial purposes. It concluded at paragraph [89]:
"the answer to the first question is that Article 2 (1) and (2) of the GDPR must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security."
The Second, Third and Sixth Questions
The Court took the second, third and sixth questions together:
"[90] By its second, third and sixth questions, the referring court seeks clarification from the Court, in essence, on the level of protection required by Article 46 (1) and Article 46 (2) (c) of the GDPR in respect of a transfer of personal data to a third country based on standard data protection clauses. In particular, the referring court asks the Court to specify which factors need to be taken into consideration for the purpose of determining whether that level of protection is ensured in the context of such a transfer." 
Art 46 (1) and (2) (c) of the GDPR are as follows:
"(1) In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
(2) The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by
.............................
(c)  standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)......"
In the absence of an adequacy decision under art 45 (3) GDPR, the Court held that a controller or processor may transfer personal data to a third country only if the controller or processor has provided ‘appropriate safeguards’, and on the condition that ‘enforceable data subject rights and effective legal remedies for data subjects’ are available. Such safeguards may be provided by contract, but a contract cannot bind the public authorities of the third country. Whether the required level of protection is actually ensured therefore depends not only on the contractual clauses but also on the relevant aspects of the legal system of that country, in particular any access to the transferred data by its public authorities. Consequently, the answer to the second, third and sixth questions is that art 46 (1) and art 46 (2) (c) GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union ("the Charter").

The Eighth Question
The Court interpreted the Irish High Court's eighth question as follows:
"By its eighth question, the referring court wishes to know, in essence, whether Article 58 (2) (f) and (j) of the GDPR must be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured, or as meaning that the exercise of those powers is limited to exceptional cases."
Art 58 (2) (f) and (j) of the GDPR are as follows:

"Each supervisory authority shall have all of the following corrective powers:
.............
(f) to impose a temporary or definitive limitation including a ban on processing;
.............
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation."
Arts 45 and 46 provide safeguards for the transfer of data outside the EU. 

The Court observed that supervisory authorities have to enforce compliance with the GDPR in accordance with the Charter. They have to take particular care with transfers of data outside the EU and be diligent in dealing with data subjects' complaints.  It answered the eighth question as follows:
"In the light of the foregoing considerations, the answer to the eighth question is that Article 58 (2) (f) and (j) of the GDPR must be interpreted as meaning that, unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer."

The Seventh and Eleventh Questions
The Court took the seventh and eleventh questions together and interpreted them as follows:
"By its 7th and 11th questions, which it is appropriate to consider together, the referring court seeks clarification from the Court, in essence, on the validity of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter."
The SCC Decision was Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19–31). It has been modified by Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271) (Text with EEA relevance) (OJ L 385, 29.12.2004, p. 74–84) and Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (Text with EEA relevance) (OJ L 39, 12.2.2010, p. 5–18). The three Decisions are referred to collectively as the SCC Decisions.

The Court noted that art 1 of the SCC Decision provides that the standard data protection clauses set out in its annex are considered to offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals in accordance with the requirements of art 26 (2) of the Data Protection Directive and now arts 46 (1) and 46 (2) (c) of the GDPR. Those clauses bind the recipient of a data transfer in a country outside the EU but not the public authorities of that country. However, the clauses oblige the data exporter in the EU and the data importer in the third country to verify, before any transfer, that the required level of protection can be ensured in that country, and require the importer to tell the exporter if it cannot comply with the clauses, in which case the exporter must suspend the transfer or terminate the contract. In the light of all of the foregoing considerations, the Court answered the 7th and 11th questions as follows: "examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision."

The Fourth, Fifth, Ninth and Tenth Questions
The Court interpreted those questions as follows at paragraph [150] of its judgment:
"By its ninth question, the referring court wishes to know, in essence, whether and to what extent findings in the Privacy Shield Decision to the effect that the United States ensures an adequate level of protection are binding on the supervisory authority of a Member State. By its 4th, 5th and 10th questions, that court asks, in essence, whether, in view of its own findings on US law, the transfer to that third country of personal data pursuant to the standard data protection clauses in the annex to the SCC Decision breaches the rights enshrined in Articles 7, 8 and 47 of the Charter and asks the Court, in particular, whether the introduction of the ombudsperson referred to in Annex III to the Privacy Shield Decision is compatible with Article 47 of the Charter."
The Privacy Shield Decision is Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance) (OJ L 207, 1.8.2016, p. 1–112). This decision was made after the Data Protection Commissioner began her action in the Irish High Court. It is relevant to the proceedings because Facebook relies on the Privacy Shield Decision and contends that it is binding on the Commissioner. The Court considered the provisions of the Decision and whether they provided adequate safeguards for data subjects. It concluded that they did not: the US surveillance programmes examined in the Decision were not limited to what is strictly necessary and proportionate, and the ombudsperson mechanism did not give data subjects a remedy before a body offering guarantees substantially equivalent to those required by Article 47 of the Charter. The Court accordingly determined at [201] that the Privacy Shield Decision was invalid.

Further Proceedings
It is to be assumed that the Data Protection Commissioner's action will now be relisted for a  further hearing in the Irish High Court.  Irish readers are asked whether the relisted proceedings can be taken by Ms Justice Costello as she now sits in the Court of Appeal.

Further Information
Anyone wishing to discuss this case or data protection generally may call my clerk on 07986 948267 or send me a message through my contact page.

Friday, 3 April 2020

Supreme Court allows Morrison's Appeal

UK Supreme Court

Jane Lambert

Supreme Court (Lady Hale, Lord Reed, Lord Kerr, Lord Hodge and Lord Lloyd-Jones) Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 (01 April 2020)

On 12 Jan 2014, a disgruntled member of the staff of Wm Morrison Supermarkets plc called Andrew Skelton posted a file containing the personal details of nearly 100,000 of the company's employees on a file-sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. Mr Skelton was caught, prosecuted, convicted and sentenced to 8 years' imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first, a trial on liability and, if necessary, an assessment of damages.    The trial on liability came on before Mr Justice Langstaff who decided that Morrisons was not primarily liable for breaches of statutory duty, breach of confidence or misuse of personal information but it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his ends which were to injure his employer. However, the claimants had suffered and were entitled to be compensated  (see Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2018] IRLR 200, [2018] EMLR 12, [2017] EWHC 3113 (QB), [2018] 3 WLR 691 and Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998 11 Dec 2017).

The company appealed to the Court of Appeal on the following grounds:
"First, the Judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, [the Data Protection Act 1998 ("the DPA")] excludes the application of vicarious liability. Second, the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts."
The appeal came on before the Master of the Rolls and Lord Justices Bean and Flaux who dismissed the appeal (see  WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, [2019] 2 All ER 579, [2019] ICR 357, [2019] 2 WLR 99, [2019] QB 772, [2019] IRLR 73, [2018] WLR(D) 653 and The Morrisons Appeal - Vicarious Liability for Employees' Breaches of Confidence and Statutory Duty 24 Oct 2018).

As for the first and second grounds, the Lord Justices held at para [48] that it was clear that the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee had not been excluded by the Data Protection Act 1998. With regard to the third ground, the Court of Appeal referred to the judgment of Lord Toulson in Mohamud v Wm Morrison Supermarkets Plc [2016] UKSC 11, [2016] IRLR 362, [2016] ICR 485, [2016] 2 WLR 821, [2017] 1 All ER 15, [2016] AC 677, [2016] PIQR P11, [2016] WLR(D) 109. At para [44] Lord Toulson had asked "what functions or "field of activities" have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job?" Next, "the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ." As to Lord Toulson's first question, the Court of Appeal endorsed the trial judge's finding that Morrisons had entrusted Skelton with payroll data. It was part of his job to disclose it to a third party. He had clearly exceeded his authority, but that did not matter because his wrongdoing was nonetheless closely related to the task that he had to do. As to the second part of Lord Toulson's test, the Court endorsed Mr Justice Langstaff's finding that there was an unbroken thread that linked his work to the disclosure.

The supermarket chain appealed to the Supreme Court, which heard argument on 6 and 7 Nov 2019 and delivered judgment on 1 April 2020. Readers can see the video recordings of counsel's argument (morning 6 Nov, afternoon 6 Nov and morning 7 Nov) and Lord Reed's summary of the judgment of 1 April 2020. They can also find the full judgment (Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 (1 April 2020)) and a press summary. The issues before the Supreme Court were:
"(1) Whether Morrisons is vicariously liable for Skelton’s conduct.
(2) If the answer to (1) is in the affirmative:
(a) Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA.
(b) Whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence."
Allowing the appeal, Lord Reed remarked in the opening paragraph of his judgment (with which the rest of the Court agreed) that the appeal provided the court with an opportunity to address the misunderstandings which have arisen since its decision in the case of Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677.

Lord Reed made clear in paragraph [17] that Lord Toulson’s judgment in Mohamud was not intended to effect a change in the law of vicarious liability. The judgments at first instance and in the Court of Appeal focused on the final paragraphs which were taken out of context and treated as establishing legal principles which would represent a departure from the precedents that Lord Toulson was expressly following.

The basic principles of vicarious liability were summarized by Parke B in Joel v Morison 172 ER 1338, [1834] EWHC KB J39, (1834) 6 C & P 501, 503:
“The master is only liable where the servant is acting in the course of his employment. If he was going out of his way, against his master’s implied commands, when driving on his master’s business, he will make his master liable; but if he was going on a frolic of his own, without being at all on his master’s business, the master will not be liable.”
That principle had been affirmed recently by the House of Lords in Dubai Aluminium Company Ltd v. Salaam  [2003] 2 AC 366, [2002] UKHL 48, [2002] 3 WLR 1913, [2003] 1 LLR 65, [2003] 1 CLC 1020, [2003] 2 All ER (Comm) 451, [2003] 1 Lloyd's Rep 65, [2003] 1 BCLC 32, [2003] 1 All ER 97, [2003] WTLR 163, [2003] IRLR 608:
“A distinction is to be drawn between cases such as Hamlyn v John Houston & Co [1903] 1 KB 81, where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase … The matter stands differently when the employee is engaged only in furthering his own interests, as distinct from those of his employer. Then he ‘acts as to be in effect a stranger in relation to his employer with respect to the act he has committed’: see Isaacs J in Bugge v Brown (1919) 26 CLR 110, 118.”
In Attorney General v. Hartwell [2004] UKPC 12, [2004] 1 WLR 1273, [2004] PIQR P27, the Privy Council refused to hold the Government of the British Virgin Islands vicariously liable for the actions of one of its constables who had deserted his post to pursue a domestic quarrel, in the course of which he discharged a firearm and injured a passer-by. That was quite different from Bernard v. Attorney General of Jamaica [2004] UKPC 47, [2005] IRLR 398, where an officer who announced himself as a police officer shot a member of the public and the Jamaican Government was held vicariously liable.

The distinction between Mohamud's case and Skelton's was expressed in paragraph [47] of the judgment:
"All these examples illustrate the distinction drawn by Lord Nicholls at para 32 of Dubai Aluminium [2003] 2 AC 366 between “cases … where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.” In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment."
Though the decision is logical and consistent with nearly 200 years of authority, the news that they can no longer expect the payout they had been anticipating since 2017 will be bitterly disappointing for thousands of supermarket workers who are risking their health, and in some cases their lives, to feed their communities.

Although no longer necessary for the disposal of the appeal, Lord Reed addressed the second question of whether the Data Protection Act 1998 excluded the imposition of vicarious liability for:
(a) statutory torts committed by an employee data controller under the Act and
(b) misuse of private information and breach of confidence,
as those matters had been fully argued.

His lordship noted that the appellant company had intended to argue that the former Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31–50) had been designed to harmonize national laws governing the processing of personal data and that the existence of vicarious liability under English law in circumstances falling within the scope of that directive was therefore precluded. The opinion of Advocate General Bobek in Case C‑40/17 Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Facebook Ireland Ltd intervening) ECLI:EU:C:2018:1039, [2020] 1 WLR 969, [2018] EUECJ C-40/17_O had undermined that argument. The company was therefore obliged to argue that the statute impliedly excluded the vicarious liability of an employer for breaches of statutory duty and breaches of confidence. It referred to s.13 (1), (2) and (3) of the Act and to paragraph 10 of Schedule 1 on the interpretation of the Seventh Data Protection Principle. The company contended that those provisions implied that liability was to be imposed only on data controllers, and only where they had acted without reasonable care.

Their lordships were not persuaded.   Lord Reed said at [54]:
"The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault. There is nothing anomalous about the contrast between the fault-based liability of the primary tortfeasor under the DPA and the strict vicarious liability of his employer. A similar contrast can often be drawn between the fault-based liability of an employee under the common law (for example, for negligence) and the strict vicarious liability of his employer, and is no more anomalous where the employee’s liability arises under statute than where it arises at common law."
The Court's pronouncement on the second question, albeit obiter, means that an employer will not be exonerated from the consequences of data breaches occasioned by its employees in all circumstances. For example, if a loss is caused by an employee's negligence in carrying out his employer's instructions, the employer will be vicariously liable.

Anyone wishing to discuss this article, this decision or data protection and privacy law generally should call my clerk Stephen on 07986 948267 during normal office hours for the duration of the coronavirus crisis or on our usual number afterwards. Alternatively, message me through my contact page.

Monday, 13 January 2020

GDPR as a Business Opportunity in a Data-Driven Economy

Author OCHA Licence CC BY 3.0
Source Wikipedia Croatia

Jane Lambert

One of the most intriguing topics to be discussed at a conference organized by the Croatian presidency of the Council of the European Union to mark Data Protection Day is "GDPR as a business opportunity in a data-driven economy." In the months preceding the implementation of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), the emphasis was on the burden of compliance and the sanctions for breaches of the regulation. Very little was said about the cost savings and other business benefits that result from meeting the regulatory requirements.

Patient records are among the most valuable resources in medical research. Many new treatments have been discovered through the analysis of patient data. Computer programs can detect patterns in such data that can assist in formulating optimum dosages or in identifying second or further medical uses for known compounds. Such findings can have enormous commercial value, but the data from which they are derived are highly sensitive and must be processed with due regard to patients' privacy. Businesses and researchers from countries that require compliance with the GDPR, and that can therefore demonstrate lawful and secure processing of such data, enjoy an obvious competitive advantage over those that cannot.

Although the EU has led the way with data protection, other countries have followed its lead. The California Consumer Privacy Act of 2018, which came into force at the beginning of this month, contains many provisions that are similar to those in the GDPR. Consultancies and hardware and software suppliers with experience of complying with the regulation have an obvious advantage over those from other countries in those new markets.

According to the conference programme, there will be three speakers on this topic:
  • Mr Bruno Gencarelli, Head of Unit for International Data Flows and Protection, European Commission who will speak on “Data protection: the increasing convergence at international level”; 
  • Dr Katarina Šiber Makar, President of the Board, IN2 LLC, who will discuss "Data protection in the online world“; and  
  • Dr Dražen Lučić, Head of the Information Security Department, Croatian Chamber of Economy who will address "Information Security: A Cost or a Cost-Saving Measure for Digital Economy".
There will also be a session on the closely related topic of artificial intelligence later in the day.

The conference will take place at the Vatroslav Lisinski Concert Hall in Zagreb between 09:00 and 18:00 on 16 Jan 2020. Further information can be obtained from the Croatian Personal Data Protection Agency. Anyone wishing to discuss this article or data protection law generally may call me on +44 (0)20 7404 5252 or send me a message through my contact page.

Friday, 4 October 2019

Lloyd v Google LLC

Author Gciriani
Licence CC BY-SA 4.0
Source Wikipedia Google

Jane Lambert

Court of Appeal (Dame Victoria Sharp P, Sir Geoffrey Vos C, Lord Justice Davis) Lloyd v Google LLC [2019] EWCA Civ 1599 (2 Oct 2019)

This was an appeal against Mr Justice Warby's refusal to allow the claimant, Richard Lloyd ("Mr Lloyd"), to serve proceedings on Google LLC ("Google") outside the jurisdiction claiming damages on behalf of some 4 million iPhone users for allegedly tracking their internet activity secretly for commercial purposes between 9 Aug 2011 and 15 Feb 2012. The appeal was heard on 16 and 17 July 2019 by the President of the Queen's Bench Division, the Chancellor and Lord Justice Davis. Judgment was given on 2 Oct 2019. The lead judgment was delivered by the Chancellor, Sir Geoffrey Vos.

The Issues
The facts in this appeal were very similar to those in Google Inc v Vidal-Hall and others [2015] EWCA Civ 311, [2016] QB 1003, [2015] 3 WLR 409, [2016] 2 All ER 337, [2015] CP Rep 28, [2015] FSR 25, [2015] 3 CMLR 2, [2015] EMLR 15, [2015] WLR(D) 156, where the Court of Appeal dismissed Google's appeal against Mr Justice Tugendhat's decision to allow a similar claim to be served outside the jurisdiction (see Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB) (16 Jan 2014), [2014] 1 WLR 4155, [2014] EMLR 14, [2014] FSR 30, [2014] 1 CLC 201, [2014] WLR(D) 21). However, the Chancellor pointed out at paragraph [3] of his judgment that there was one crucial difference between the two cases. In Vidal-Hall, the individual claimants claimed damages for distress as a result of Google's breaches of the Data Protection Act 1998 ("DPA"). In the present case, Mr Lloyd claimed a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.

The Chancellor analysed Mr Justice Warby's decision between paragraphs [25] and [39] of his judgment.  According to the Chancellor, the grounds on which the application had been refused were  "that: (a) none of the represented class had suffered 'damage' under section 13 of the Data Protection Act 1998 (the 'DPA'), (b) the members of the class did not anyway have the 'same interest' within CPR Part 19.6 (1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6 (2) against allowing the claim to proceed."

His lordship summarized the main issues raised by the appeal as follows:
"(a) whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress, (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6 (1) and were not identifiable, and (c) whether the judge's exercise of discretion can be vitiated."
The Facts
Sir Geoffrey adopted the following paragraphs from Mr Justice Warby's judgment:
"[7]. The case concerns the acquisition and use of browser generated information or "BGI". This is information about an individual's internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, "cookies" can be placed on a user's device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
[8]. Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting ("Third Party Cookies"). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user's browsing history ("Interest Based Adverts").
[9]. Google had a cookie known as the "DoubleClick Ad cookie" which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google's Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
[10]. Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user's knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
[11]. This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking and collating of BGI enabled Google to obtain or deduce information relating not only to users' internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
[12]. Further, it is said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as "football lovers", or "current affairs enthusiasts". Google's DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose … the type of people that they wanted to direct their advertisements to".
Proceedings in the USA
The US Federal Trade Commission brought proceedings against Google for misrepresenting to Safari users that it would not place tracking cookies on their browsers or send them targeted advertising; Google settled those proceedings by agreeing to pay a civil penalty of US$22.5 million. Google also settled an action brought by 37 states and the District of Columbia on behalf of their consumers by agreeing to pay US$17 million in damages and giving certain undertakings.

Proceedings in the UK
Mr Justice Warby had noted at paragraph [14] of his judgment that similar proceedings had not been brought in the UK by the Information Commissioner, but he mentioned the claim in Vidal-Hall which I discussed above.

Applicable Law
Sir Geoffrey referred to paragraphs (2), (7), (8), (10), (11) and (55) of the recitals and arts 1, 22 and 23 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Directive").  He also referred to ss.1 (1) (a) and (b), 3, 4 (1) and (4), 13 (1) and (2) and 14 (4) of the Data Protection Act 1998. Finally, he referred to CPR 19.6 (1), (2), (3) and (4).

Was the judge right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 without proving pecuniary loss or distress?
The Chancellor affirmed that s.13 of the Data Protection Act 1998 has to be construed in accordance with art 23 of the Directive which had been adopted to give effect to art 8 of the European Convention on Human Rights. He also noted that the parties had agreed that there was a de minimis threshold for an award of damages. After considering the Court of Appeal's decisions in Gulati and others v MGN Ltd [2015] WLR(D) 232, [2015] EWHC 1482 (Ch) which was a case on the misuse of personal information, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (15 March 2013) which was on damages under s.13 of the Data Protection Act 1998 and other authorities, his lordship concluded at [70] "that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress."  He added that it was only by construing the legislation in this way that individuals can be provided with an effective remedy for the infringement of their rights under the Act.

Was the judge right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable?
CPR 19.6 (1) provides:
"Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued,
by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest."
Mr Justice Warby had held that a representative claim was disqualified unless (a) "every member of the class [had] suffered the same damage (or their share of a readily ascertainable aggregate amount [was] clear)", and (b) different potential defences were not available in respect of claims by different members of the class.  In the present case, for example, some in the claimant class would have been heavy internet users with much BGI taken; it was not credible that all the specified categories of data were obtained by Google from each represented claimant. The same variations would apply if the user principle were applied. Neither the breach of duty nor the impact of it was uniform across the entire class membership.

Sir Geoffrey believed that Mr Justice Warby had applied too stringent a test of "same interest", partly because of his earlier finding on recoverable damages. He observed at [75]:
"Once it is understood that the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value - taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted), the matter looks more straightforward. The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. Mr Tomlinson disavowed, as I have said, reliance on any facts affecting any individual represented claimant. That concession has the effect, of course, of reducing the damages that can be claimed to what may be described as the lowest common denominator. But it does not, I think, as the judge held, mean that the represented claimants do not have the same interest in the claim. Finally, in this connection, once the claim is understood in the way I have described, it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest. Put in the more old-fashioned language of Lord Macnaghten in The Duke of Bedford at [8], the represented claimants have a 'common interest and a common grievance' and 'the relief sought [is] in its nature beneficial to all'".
Mr Justice Warby had also held that a class of claimants having the same interest could not be identified. The Chancellor disagreed. He said at [81]:
"In my judgment, therefore, the judge ought to have held that the members of the represented class had the same interest under CPR Part 19.6(1) and that they were identifiable."
Can the judge's exercise of discretion be vitiated?
Having reached a different conclusion on the other two issues, the Chancellor considered that it was appropriate for the court to exercise its discretion afresh.  Having considered carefully all the factors raised by both sides he concluded that this was a claim which, as a matter of discretion, should be allowed to proceed.

Conclusion
The President of the Queen's Bench Division and Lord Justice Davis agreed with the Chancellor's judgment. The appeal was therefore allowed and permission was granted to the claimants to serve their claim on Google in the USA.

Anyone wishing to discuss this appeal or data protection generally should call me on +44 (0)20 7404 5252 or send me a message through my contact form.