Monday 11 December 2017

Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998

Morrisons' head office in Bradford (photo: Michael Ely)

Jane Lambert

Queen's Bench Division (Mr Justice Langstaff) Various Claimants v Wm Morrisons Supermarkets Plc (Rev 1) [2017] EWHC 3113 (QB) (1 Dec 2017)

On 12 Jan 2014 a disgruntled member of the staff of Wm Morrison Supermarkets plc posted a file containing the personal details of nearly 100,000 of the company's employees on a file sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. The person responsible was caught, prosecuted, convicted and sentenced to 8 years' imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first a trial on liability and, if necessary, an assessment of damages.

The trial on liability came on before Mr Justice Langstaff, who decided that Morrisons was not primarily liable for breach of statutory duty, breach of confidence or misuse of personal information but that it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his ends, which were to injure his employer. However, the claimants had suffered and were entitled to be compensated. I shall analyse his judgment in a longer case note in NIPC Law.

It is likely that a similar conclusion would have been reached under the General Data Protection Regulation. Art 5 (2) of the GDPR requires the controller to be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data set out in art 5 (1), just as s.4 (4) requires a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. The definition of data controller under the GDPR is broadly the same as in the Act and Directive 95/46/EC. Art 82 (1) of the GDPR entitles any person who has suffered material or non-material damage as a result of an infringement of the regulation to receive compensation from the controller or processor for the damage suffered. Nothing in the GDPR would affect our rules on vicarious liability.

Anyone who wishes to discuss this article or data protection in general should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Thursday 7 December 2017

GDPR - Fines
Jane Lambert

This is the last of my articles on the GDPR for the time being. I have decided to discuss fines because it is one of the topics that has received most publicity recently. The prospect of eye-watering fines has been used by some to raise awareness of data protection and to encourage good practices, which must be good, but it has also been used more cynically to boost sales of systems and services that may or may not be needed, which is not so good.

Art 24 of the Data Protection Directive required member states to "adopt suitable measures to ensure the full implementation of the provisions" of the directive and, in particular, to lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to the directive. However, it left it to the authorities in the member states to lay down what those sanctions should be. In the UK, the Information Commissioner has power to impose monetary penalties under s.55A of the Data Protection Act 1998. S.55A (1) provides:
"The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
(a) there has been a serious contravention of section 4 (4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies."
S.55A (2) applies if the contravention was deliberate and s.55A (3) if the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. S.55A (5) limits the amount of the monetary penalty to "the prescribed amount", which is set at £500,000 by reg 2 of The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010 No 31). The Commissioner has published guidance about the issue of monetary penalties, prepared and issued under s.55C (1) of the Data Protection Act 1998. The Information Commissioner will continue to have the power to impose fines under art 58 (2) (i) of the GDPR in accordance with guidelines to be drawn up by the European Data Protection Board (a body consisting of representatives of the EU and national data protection supervisory authorities) pursuant to art 70 (1) (k).


The Information Commissioner's power to fine will increase greatly as a result of art 83 of the GDPR. She will have power to impose administrative fines up to €20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher in the circumstances prescribed in art 83 (5). However, any fine that she does impose under that provision must be effective, proportionate and dissuasive. Paragraph (148) of the recitals provides the following guidance as to how the power to fine should be exercised:
"In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."
Paragraph (150) provides the following additional guidance
"In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation."
The Article 29 Working Party, made up of representatives of the national data protection supervisory authorities who will constitute the European Data Protection Board after 25 May 2018, adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 on 3 Oct 2017, which can be downloaded from the "What's New" section of the Information Commissioner's website.

Art 83 (2) provides that administrative fines shall be imposed in addition to, or instead of, the other sanctions that are available to the Information Commissioner under art 58 (2). When deciding whether or not to impose an administrative fine and, if so, the amount, due regard must be given to the following considerations:
"(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
In other words, only the most egregious infringements are likely to attract the heaviest fines. Art 83 (4) limits the fine for certain infringements, such as failure to obtain the appropriate consent in relation to a child, to €10 million or 2% of turnover. In the case of all others, the maximum penalty is €20 million or 4%.

It is important to note that art 83 (8) GDPR subjects the exercise by the Information Commissioner of her powers to "appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process." In other words, the Commissioner will have to follow due process when imposing a fine and there will be a right of appeal against her decisions, probably to the General Regulatory Chamber and from there to the civil courts. Also, for so long as the UK remains in the European Union, points of EU law can be referred to the Court of Justice of the European Union.

Should anyone wish to discuss this article, fines, the GDPR or data protection generally he or she should call me on 020 7404 5252 or send me a message through my contact form.

Further Reading

Date         Author and Title    Publication
1 Dec 2017                       NIPC Data Protection
11 Aug 2017                      NIPC Data Protection

Tuesday 5 December 2017

GDPR - Lawfulness of Processing and Consent

Jane Lambert
Yesterday I gave a talk on the GDPR to some 132 local authority personnel. The audience included the chief executive, heads of service, in-house legal advisers and managers and officials of all the council's departments. There were so many that the council chamber was the only room big enough to hold us all.  Some knew a lot about data protection in general and the GDPR in particular. Others wanted some basic information and it was for them that I wrote my Introduction to the GDPR and How the GDPR works.

"You've got them for two hours" said the head of legal before the talk, "tell them a few jokes to stop them falling asleep." As all my clean jokes are about Yorkshire and Yorkshire folk, I thought about telling them how the first Yorkshire pudding was made which, incidentally, was once made into a lovely dance by Jonathan Watkins for Northern Ballet (see  Sapphire 15 March 2015 Terpsichore).  However, we never got that far as the audience turned out to be quite lively and talkative.  What they wanted to talk about most was the legality of processing and consent.

To recap, I wrote on Sunday in How the GDPR works that there are 6 GDPR principles (or 7 if you include "accountability") that are set out in art 5 of the regulation.  The first of these is the "lawfulness, fairness and transparency" principle which is as follows:
"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);"
 Art 6 (1) sets out the circumstances in which data can be lawfully processed:
"Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
The audience knew that processing could be justified by "consent" but did such consent have to be in writing and was it necessary to ask members of the public who had already given their consent for a particular purpose (say a mailing list for a newsletter about tourist attractions) for their consent again just to comply with the GDPR?

Well, paragraph (32) of the recitals assists here:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
So consent does not have to be written and signed but, if it is given orally, it does need to be recorded because art 7 (1) requires data controllers to be able to demonstrate that the data subject has consented to processing of his or her personal data. In answer to the other question, there is nothing in the GDPR that requires data controllers to mither their data subjects for confirmation of consent that they have already given for a specific purpose, so long as the consent that they already have is genuine, informed and freely given.

A few other points to remember: -

  • Art 6 (1) (a) requires consent to be given for one or more specific purposes. Data subjects must know exactly and precisely what they are consenting to.
  • If a data subject's consent is given in the context of a written declaration which also concerns other matters, art 7 (2) requires any request for such consent to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • Art 7 (4) provides that "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract" when assessing whether consent is freely given.
Readers should also remember that other rules in relation to consent apply in relation to children and young people and particularly sensitive categories of data which I shall discuss in future articles. In the meantime, if you have any questions in relation to consent, lawful processing, the GDPR or data protection generally, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date         Author and Title    Publication
1 Dec 2017                       NIPC Data Protection
11 Aug 2017                      NIPC Data Protection

Sunday 3 December 2017

How the GDPR works

Image: Mauro Cateb, licensed under Creative Commons Attribution-Share Alike 3.0 Unported

Jane Lambert

In my introduction to the GDPR 2 Dec 2017 I wrote that the regulation sought to balance two conflicting imperatives, namely the need to protect the public from the harm that can result from malicious, negligent or even careless processing of data that identifies living individuals and the need to safeguard free flows of such data for legitimate purposes.  As I also wrote in that article, there is nothing new about any of that. That policy is exactly the same as that of the Data Protection Directive, the Data Protection Act 1998, the Data Protection Act 1984, the Council of Europe Convention and the OECD Guidelines.

The GDPR also seeks to achieve that objective in much the same way as previous legislation.  It establishes a set of principles for processing personal data (data by which living human beings can be identified) and machinery for monitoring and enforcing compliance.  That machinery takes the form of rights for data subjects (the individuals who can be identified from the data) and obligations upon data controllers (those who control the processing of personal data) and processors (those who carry out the processing) to take reasonable steps to minimize the risk or effect of non-compliance.

The GDPR's data processing principles, set out in art 5 (1), require personal data to be:
"(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
Art 5 (2) makes it the data controller's duty to be responsible for, and to be able to demonstrate compliance with, those principles (the "accountability" principle).

So long as data controllers and processors process personal data in accordance with those principles they are unlikely to go far wrong. However, if they stray from them, whether intentionally or not, they risk legal action in the civil courts or fines or other sanctions by the Information Commissioner or the equivalent supervisory authority of another EU member state.

As an obvious way round the legislation would be to export the data to a country that does not regulate the processing of personal data at all, or not to the same extent and in the same way, the regulation restricts transfers of data abroad unless the Commission is satisfied with the legal protection for the processing of personal data that is available in the recipient country or enforceable contractual arrangements are in place for the protection of such data. The GDPR makes clear that the regulation applies not just to data controllers and processors that are in the EU, but also to data controllers outside the EU which offer goods or services to data subjects in the EU or monitor the behaviour of such data subjects within the EU.

In the next few articles I shall drill down into each of those topics in more detail.  Should anyone wish to discuss this article, the GDPR or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date         Author and Title    Publication
2 Dec 2017                       NIPC Data Protection
1 Dec 2017                       NIPC Data Protection
11 Aug 2017                      NIPC Data Protection

Saturday 2 December 2017

Introduction to the GDPR



Jane Lambert

This is the first of a series of articles that I am writing on the GDPR. So much has been written about the topic by lawyers, computer consultancies, government agencies and others that you might think that we need some more articles on GDPR like we need a hole in the head. But we probably do as I found out while looking for materials on the subject for a presentation that I am giving to a local authority on Monday because much of what has appeared to date has been alarming, confusing or even downright misleading.

The initials GDPR stand for the words “General Data Protection Regulation”. That is the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. That is a bit of a mouthful but the title states exactly and precisely what the law is and what it does.

First, it is a regulation of the European Parliament and the European Council. The European Parliament and Council are the legislature of the European Union. The European Parliament consists of 751 members directly elected by the citizens of the European Union 73 of whom represent constituencies in the United Kingdom while the Council consists of representatives of national governments including our own. The European Parliament and Council make three kinds of laws known respectively as regulations, directives and decisions.

Regulations are laws that come into being upon adoption by the European Parliament and Council, with equal effect throughout the European Union and without any intervention from the governments of the member states. Directives are instructions from the Parliament and Council to national governments to make or amend their national laws so that they comply with an agreed text.

A good example of a directive is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive"), which required the EU member states to enact data protection legislation by 24 Oct 1998. The United Kingdom implemented the Data Protection Directive by enacting the Data Protection Act 1998, which regulates the processing of personal data in this country in accordance with that directive.

Decisions are laws of less importance. One that has been in the news lately is Decision No 445/2014/EU of the European Parliament and of the Council of 16 April 2014 establishing a Union action for the European Capitals of Culture for the years 2020 to 2033 and repealing Decision No 1622/2006/EC, which set out the procedure for selecting the European Capital of Culture between 2020 and 2033 and which I discussed in Jane Lambert European Capital of Culture 28 Nov 2017 NIPC Brexit. The GDPR is a law that will come into effect on 25 May 2018 throughout the European Union, including the United Kingdom (as we shall still be in the European Union on that day), without any further intervention from the British or any other national government.

Secondly, the title makes clear that the regulation protects the interests of living human beings when data that relates to them are processed by computer or otherwise. The need to control the way such data are collected, collated and used has been recognized ever since the end of the 1960s. In the United Kingdom, the problem was considered by a committee chaired by Sir Kenneth Younger which produced the Younger Committee Report on Privacy (Cmnd 5012) in 1972 and Sir Norman Lindop who wrote a follow-up report on data protection shortly afterwards. Sir Norman wrote:
"The speed of computers, their capacity to store, combine, retrieve and transfer data, their flexibility, and the low unit cost of the work which they can do have the following practical implications for privacy:
(1) they facilitate the maintenance of extensive record systems and the retention of data in these systems,
(2) they can make data easily and quickly available from many distant points;
(3) they can make it possible for data to be transferred quickly from one information system to another;
(4) they make it possible for data to be concealed in ways that might not otherwise be practicable,
(5) because the data are stored, processed and often transmitted in a form which is not directly intelligible, few people may know what is in the records or what is happening to them" (see para 7 of the Report of the Committee on Data Protection (Cmnd 7341)).
Those problems have become even more serious with the growth of the internet.

The third aspect of the law is contained in the words "the free movement of [personal] data". The Younger and Lindop reports might have been left on the shelf to gather dust had the Swedish parliament not enacted a data protection law in 1973. That law, like all subsequent data protection laws, contained a provision restricting the transmission of personal data to countries that did not provide similar protection for such data. When a Swedish local authority wanted to export personal data to a British company that had won an order to make identity cards for the authority, the Swedish data protection authority blocked the transfer because there was no data protection law in the United Kingdom at that time. Even in the 1970s information flows were vital for international business, particularly for financial services, which have always been important for the UK. The need to protect personal data was quickly perceived as an impediment to business which required a prompt solution.

The OECD proposed a set of guidelines known as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on 23 Sept 1980 that allowed international data flows to continue on the understanding that data controllers would process personal data in accordance with those guidelines. The US government encouraged businesses in the USA to follow those guidelines voluntarily on the basis that it was in their interests to do so, and many did. Successive US administrations have believed that self-regulation and encouraging best practice is a more effective way of protecting personal data than legislation and, for that reason, the USA has never enacted a general federal data protection statute, although several states have done so.

Europe has followed a different approach. On 28 Jan 1981, the Council of Europe proposed a regional convention as a model for national data protection laws known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and it was this latter model that the UK followed when we enacted our first Data Protection Act 1984. I wrote about the origins of data protection law in Jane Lambert Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sep 2017 NIPC Law.

The policies of the OECD Guidelines and the Council of Europe Convention were very similar. Both aimed at protecting personal data while safeguarding data flows. That policy is reflected in art 1 of the GDPR:
“Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states.

The final element of the title is the phrase "repealing Directive 95/46/EC". The recitals to the GDPR state that the objectives and principles of the Data Protection Directive remain sound, but that the directive has not always prevented fragmentation in the implementation of data protection across the EU, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. It was feared that differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the member states could prevent the free flow of personal data throughout the EU. It was also feared that those differences might constitute an obstacle to the pursuit of economic activities at EU level, distort competition and impede authorities in the discharge of their responsibilities under EU law.

Para (10) of the recitals declared that in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the EU, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. A regulation was necessary to:
  • ensure a consistent level of protection for natural persons throughout the EU, 
  • prevent divergences hampering the free movement of personal data within the internal market, 
  • provide legal certainty and transparency for economic operators, including micro-businesses and SMEs, 
  • provide natural persons in all member states with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, and ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. 
Art 94 (1) of the GDPR repeals the Data Protection Directive from the day when the regulation takes effect. It will not automatically repeal the Data Protection Act 1998 or other national statutes that were enacted to implement the directive (though the primacy of EU law would have that effect, as the statute would be disregarded wherever the Act and the regulation conflict), but that will be done by the new Data Protection Bill after it receives royal assent.

Should anyone wish to discuss this or any of my other articles on data protection, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date
Author and Title
Publication
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection

Monday 23 October 2017

Transfer of Data to the USA: Data Protection Commissioner v Facebook and another

Author S Kopp
Reproduced with kind permission of the author
Source Wikipedia 
Jane Lambert

Irish High Court (Ms Justice Costello) The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017)

A number of US technology companies including Facebook Inc. serve their customers in Europe through subsidiaries in the Republic of Ireland. That necessitates the transfer of personal data relating to those customers to the USA.

As I said in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, the United States and Europe take different approaches to the processing of personal data. In the EU such processing is regulated by statutes like our Data Protection Act 1998 which implement Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive"). In the USA businesses are encouraged to adopt good data processing practices in accordance with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and some states regulate data processing in the public sector, but there is no equivalent to the Data Protection Directive or our Data Protection Act as such.

To facilitate the free flow of personal data from the EU to the USA, the Commission negotiated an agreement with the US government to require companies that wished to export and process such data in the USA to offer safeguards for data subjects in Europe that were thought to be substantially similar to the protection enjoyed here under the statutes that implement the Data Protection Directive.  Those safeguards were known as the "Safe Harbor" principles. They resulted in a number of arbitration schemes one of which was operated by my chambers service company before we merged with 4-5 Gray's Inn Square in 2013.

Safe Harbor appeared to work well enough for most businesses and data subjects, but the scheme was challenged by one Maximillian Schrems ("Mr Schrems") who feared that personal data flows to the USA would be intercepted and misused by US intelligence services. Whereas US citizens enjoyed rights of redress and remedies against such misuse, nationals of other countries did not. He objected to the transfer of such data and complained to the Irish Data Protection Commissioner. The Commissioner took the view that he could not investigate the complaint because he was bound by the Safe Harbor agreement.

Mr Schrems asked the Irish High Court to review the Commissioner's decision. The Court considered that Mr Schrems's complaint raised issues of EU law that required a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union and referred those issues to the Court of Justice of the European Union. In Case C-362/14, Schrems v the Data Protection Commissioner [2016] 2 WLR 873, [2016] 2 CMLR 2, [2015] EUECJ C-362/14, [2016] CEC 647, EU:C:2015:650, [2016] QB 527, [2015] WLR(D) 403, ECLI:EU:C:2015:650 the Court ruled:
"Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
It also ruled that the Commission decision implementing the Safe Harbor principles was invalid.

The present Data Protection Commissioner has begun to investigate Mr Schrems's complaint and has found that she is unable to do so without a ruling from the CJEU on the validity of three decisions of the Commission insofar as they apply to data transfers from the European Economic Area (“the EEA”) to the USA:
As the Data Protection Commissioner has no power to refer questions of EU law to the Court of Justice she has asked the Irish High Court to do so in The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017). She brought those proceedings against Facebook's Irish subsidiary and Mr Schrems to enable them to put their arguments before the court. The action came on before Ms Justice Costello who also allowed the government of the USA plus the Business Software Alliance, Digital Europe and the Electronic Privacy Information Centre to address her as amici curiae.

After hearing submissions from each of those parties the learned judge has decided to refer the Commissioner's questions to the Court of Justice and has invited all those who made submissions to her to address her again on the formulation of the questions to be put to the Court. I shall report any further hearing or decision in this blog.

Should anyone wish to discuss this article, the transfer of personal data to the USA or data protection generally, he or she should call me on +44 (0)20 7404 5252 during normal office hours or send me a message through my contact form.

Tuesday 17 October 2017

Data Protection Bill: Second Reading

Author HM Government
Licence Open Government Licence v.3
Source Gov.UK website
Jane Lambert

Lord Ashton, the Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport, presented the Data Protection Bill for its second reading in the House of Lords on 10 Oct 2017. Twelve peers spoke in the debate: three Conservative, two Labour, two Liberal Democrat, one bishop and four cross-benchers. The debate is reported in Hansard (see 15:34 and 18:52 on 10 Oct 2017).

The most interesting speeches were Lord Ashton's who outlined the legislation and the reasons for introducing the legislation and Lord Pannick's who explored the relationship of the Bill to the General Data Protection Regulation. The Bill was given a fair wind by the opposition parties but concern was expressed on the new burdens it might impose on small local authorities and the protection it afforded to children and other vulnerable persons.

The Bill will now be scrutinized by a committee of the whole House at the end of this month.

Should anyone wish to discuss this article, the Bill, the General Data Protection Regulation or data protection generally, he or she should call me on 020 7404 5252 or send me a message through my contact form.

Saturday 16 September 2017

Introduction to The Data Protection Bill

Standard YouTube Licence

Jane Lambert

On 14 Sept 2017, the Government introduced The Data Protection Bill into the House of Lords. The purpose of the Bill is to
"Make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of conduct; and for connected purposes."
The Bill is needed to implement Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA which comes into force on the 5 May 2018 and to maintain in force the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) ("the GDPR") after we leave the EU.

The need to continue the provisions of the GDPR was spelt out in the Commission's Position Paper on the Use of Data and Protection of Information Obtained or Processed before the Withdrawal Date which I discussed in Commission Position Paper on Data Protection and Protection of Information obtained or processed before the Withdrawal Date 15 Sep 2017 NIPC Brexit:
"It is recalled that the United Kingdom's access to networks, information systems and databases established by Union law is, as a general rule, terminated on the date of withdrawal.
The United Kingdom or entities in the United Kingdom may keep and continue to use data or information received/processed in the United Kingdom before the withdrawal date and referred to below only if the conditions set out in this paper are fulfilled. Otherwise such data or information (including any copies thereof) should be erased or destroyed.
The principles set out in this paper should also apply, mutatis mutandis, to personal data, data or information which was received /processed by the United Kingdom or entities in the United Kingdom after the withdrawal date pursuant to the Withdrawal Agreement."
The conditions set out in the Position Paper will be implemented by the GDPR and continued by the Bill when it comes into law.

The Bill consists of 194 clauses and 18 Schedules. Clause 1 contains an overview:
"1 Overview
(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the GDPR.
(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5) Part 4 makes provision about the processing of personal data by the intelligence services.
(6) Part 5 makes provision about the Information Commissioner.
(7) Part 6 makes provision about the enforcement of the data protection legislation.
(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament."
The Department of Culture, Media and Sport has published the press release Data laws to be made fit for digital age and fact sheets containing an Overview of the Bill, General Data Processing, Law Enforcement Data Processing, National Security Data Processing and The Information Commissioner and Enforcement. There are also Explanatory Notes.

The Bill has already had its first reading in the House of Lords and will have its second on the 10 Oct 2017. I will follow the Bill as it makes its way through Parliament and analyse its provisions. I will also analyse the GDPR and the Directive as the day for their implementation approaches.

Should anyone wish to discuss the Bill or the GDPR and Directive, he or she should call me during office hours on +44 (0)20 7404 5252 or send me a message through my contact form.

Saturday 26 August 2017

HMG's Exchange and Protection of Personal Data Position Paper
Jane Lambert

Even though it has absolutely nothing to do with the rights of the citizens of the remaining member states in the UK or those of British citizens in the remaining member states, the Irish border or our residual financial commitments to the EU budget that are the subject of the present art 50 negotiations, our government has published a position paper entitled The exchange and protection of personal data. The paper discusses how the UK could continue to cooperate with the Commission and the supervisory authorities of the other member states on data protection if and when it leaves the EU in March 2019.

The government's thinking is not hard to discern. Despite attempts by the Coalition and Conservative Governments to rebalance the British economy since 2010, it remains overwhelmingly services orientated. Financial services are particularly important to the United Kingdom and these depend on the free flow of personal data. If and when we leave the European Union, the General Data Protection Regulation will cease to apply to us and we shall become a "third country" for the purposes of the Regulation.

Art 44 of the Regulation would then apply:
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
In other words, the unrestricted flow of personal data between financial institutions in the UK and their customers, suppliers and partners in the remaining EU member states, which is the lifeblood of the banking, insurance, fintech and so many other industries, ceases unless and insofar as the provisions of Chapter V of the Regulation can be met.

The position paper seems to be a response to art 44 of the Regulation. Paragraph 4 of the paper states:
"After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal."
Paragraph 6 emphasizes the UK's vulnerability in this regard:
"Estimates suggest that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries, and has an economy dominated by service sectors in which data and data flows are increasingly vital. The UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population, but the value of data flows to the whole economy and the whole of society are greater still."
As the next paragraph notes, any disruption of cross-channel data flows would harm both the UK and the remaining member states but it would harm the UK more because financial services are so important to this country. Moreover, disruption of data flows between London and the rest of the EU might be the ill wind that diverts business and investment from London to continental financial centres and Dublin.

The paper is very short - some 15 pages including the covers. The first 4 paragraphs are an executive summary. The next 5 are an introduction which stresses the importance of transborder data flows for financial services and security cooperation. The following 3 headed "Context" explain why states need data protection laws. The paper traces the UK's commitment to data protection back to Younger, though it omits to mention that a major incentive to implement our own data protection legislation was the refusal of the Swedish data protection authority on 12 April 1974 to allow a Swedish local authority to transmit health and social security records to a British company that had contracted to supply plastic identity tags. The next four paragraphs summarize the General Data Protection Regulation and the Data Protection Directive and the UK's plan to continue the protection afforded by that legislation with a new Data Protection Bill (see my article What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit). Other international arrangements for data protection such as the Council of Europe Convention and the OECD Guidelines on Transborder Data Flows are discussed in paragraphs 17 and 18.

The really interesting bits of the paper are paragraphs 19 and 22 which outline the UK's objectives. Paragraph 21 states that it is the UK’s ambition to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules and paragraph 22 explains why:
"as the UK and the EU build a new, deep and special partnership, it is essential that we agree a UK-EU model for exchanging and protecting personal data, that:
  • maintains the free flow of personal data between the UK and the EU; 
  • offers sufficient stability and confidence for businesses, public authorities and individuals; 
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; 
  • continues to protect the privacy of individuals; 
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection; 
  • does not impose unnecessary additional costs to business; and 
  • is based on objective consideration of evidence."
The remainder of the paper discusses the close cooperation between the Information Commissioner and her opposite numbers elsewhere and the undoubted advantages of maintaining that cooperation. Realistically, the paper also includes an annexe on how businesses can comply with Chapter V of the Regulation if there is no UK-EU model but observes that that would be much more burdensome for business than somehow finding a way to continue the existing arrangements.

The paper shows that a UK-EU model for exchanging and protecting personal data is something that the British need badly from the art 50 negotiations. It is not yet on the formal agenda and if I were advising Michel Barnier and his team I would not be in a hurry to put it on the agenda unless and until we see some movement on the rights of citizens at least equivalent to those of investors in bilateral investment treaties and maybe a little bit more money into the divorce settlement.

Should anyone wish to discuss this article or data protection law generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Friday 11 August 2017

Welcome to NIPC Data Protection

Jane Lambert
On 25 May 2018 the General Data Protection Regulation ("the GDPR") takes effect in every member state of the European Union including the United Kingdom. The position has been complicated in this country by last year's referendum on EU membership which means that the Regulation will cease to apply to the UK on the 29 March 2019 when we leave the EU unless there is evidence of a sufficient change of heart on the part of the public to persuade the government to change tack.

A fair size industry of consultants, publishers and conference organizers has grown up to prepare businesses for the introduction of this legislation. As Elizabeth Denham, our Information Commissioner, has pointed out in GDPR – sorting the fact from the fiction 9 Aug 2017, there have been a lot of scare stories about the GDPR and not a little misinformation. There will be some changes as a result of the GDPR. Data subjects will get new rights on 25 May 2018 and there will be increased sanctions for non-compliance. Those changes, however, are evolutionary rather than revolutionary. It should not be too difficult to prepare for them or to manage them.

Because it is a regulation rather than a directive, the GDPR does not require any implementing legislation. However, there will be a new data protection statute for the United Kingdom for three reasons. The first is to transpose the Data Protection Law Enforcement Directive into the laws of the United Kingdom. The second is to confer rights on data subjects that are not provided by the GDPR, such as the right to require social media platforms to delete information held on them at age 18. The third reason for the new Act is to preserve the provisions of the GDPR after Brexit day, as I noted in What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit.

Like the Data Protection Directive which it replaces, the GDPR gives effect to the Council of Europe Data Protection Convention and the OECD Guidelines on Transborder Data Flow, having regard to changing technology and applying the experience of the operation of the Data Protection Directive. As before, the objectives are to facilitate transborder data flow while protecting the privacy and other interests of individuals.

The Data Protection Law Enforcement Directive is new. It seeks to harmonize the use of information technology by law enforcement agencies throughout the member states. However, that legislation also traces its wellspring to the Council of Europe's Data Protection Convention, which itself applies the European Convention on Human Rights to data processing. Art 63 (1) of the Law Enforcement Directive requires member states to transpose it into national law by 6 May 2018.

Over the next few weeks I shall write about various aspects of the Law Enforcement Directive and the GDPR as 6 and 25 May 2018 draw closer. I shall also write about the Data Protection Bill as it makes its way through Parliament. I have started with a glossary, as the terminology used in the GDPR is different from that of the Data Protection Directive. In that endeavour, I hope to remove some of the hot air and panic about the new legislation.

Should anyone wish to discuss this article or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.