Sunday 14 January 2018

Information Commissioner fines The Carphone Warehouse £400,000 for breaching the Seventh Data Protection Principle










Jane Lambert

In GDPR - Fines 7 Dec 2017 I outlined the Information Commissioner's existing powers under s.55A of the Data Protection Act 1998 and The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 to impose monetary penalties on data controllers who contravene s.4 (4) of the Act. As I noted in that article, the maximum penalty that the Commissioner can impose is limited to £500,000 by reg 2 of those Regulations.

By a monetary penalty notice dated 8 Jan 2018 the Information Commissioner fined the Carphone Warehouse £400,000 (80% of the maximum under reg 2) for failing to prevent unauthorized access to the personal data of over 3 million of its customers and some 1,000 of its employees. 

Paragraph 7 of Sched. 1 of the Act provides:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Paragraphs 9 to 12 of the schedule add:
"The seventh principle
9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a)   the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b)   the nature of the data to be protected.
10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a)   choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b)   take reasonable steps to ensure compliance with those measures.
12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—
(a) the processing is carried out under a contract—
(i)      which is made or evidenced in writing, and
(ii)     under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."
Based on evidence that had been submitted by the Carphone Warehouse which included reports by forensic specialists, the Commissioner found at paragraph 22 that the data controller had contravened the above data protection principle in 11 respects ranging from the use of out of date software to inadequate vulnerability scanning.  Having regard to the state of technological development, the cost of implementing any measures, the nature of the relevant personal data and the harm that might ensue from its misuse, the Commissioner's held was that there were multiple inadequacies in Carphone Warehouse's technical and organisational measures for ensuring the security of personal data on the System.

The Commissioner concluded that the requirements of s.55A (1) had been met. After considering both aggravating and mitigating factors she fixed the penalty at £400,000 to be paid by the 8 Feb 2018.  She offered the data controller a 20% discount if it pays the fine in full by 7 Feb 2018 and does not appeal. If it exercises its right of appeal it will forego the £80,000 discount. That leaves a very difficult decision for The Carphone Warehouse and its lawyers. If the company accepts the Commissioner's finding it risks claims for compensation in the civil courts by any one or more of its 3 million customers and 1,000 employees. On the other hand it will not be easy to appeal and the costs could well exceed £320,000.

Should anyone wish to discuss this note or data protection generally, he or she should call me on 020 7404 5252 during normal business hours or send me a message through my contact form.

Friday 12 January 2018

Two Talks on GDPR on 24 Jan 2018 that are particularly worth attending















Jane Lambert

The BCS Law Specialist Group is one of a number of specialist groups within the British Computer Society. There are over 50 of them covering everything from advanced programming to software testing. You can find a list on the Specialist Groups page of the British Computer Society website. You can attend some meetings of some of those groups evers two talks on that subject which in my view are well worth attending if you live in or near, or happen to be in, London on 24 Jan 2018. On that day  Dr Sally Leivesley PhD Lond., MSPD, BA(Hons) Qld., FICPEM, FRSA, MACE, MIABTI, MRSES will talk about GDPR and Cryptography - Catastrophic Risk Principles between 18:30 and 19:15 and Ms Chiara Rustici will lead the BCS Specialist Group's second GDPR workshop between 19:30 and 20:45. Further details of both talks are available on the event web page.

Admission to both talks costs £10 for BCS members and £15 for everybody else which is very reasonable considering the eye-watering fees charged by some seminar organizers and commercial consultancies for a good deal less. The talks take place on the 1st floor of the Davidson Building at 5 Southampton Street, London, WC2E 7HA.

Friday 5 January 2018

Claims by Data Subjects against Data Controllers and Processors under the GDPR

Royal Courts of Justice
Author Rafa Esteve
Licence Creative Commons Attribution Share Alike 4.0 International
Source Wikipedia


















Jane Lambert

In my article How the GDPR works 3 Dec 2017 I wrote that the General Data Protection Regulation ("GDPR") establishes a set of principles for processing personal data (data by which living human beings can be identified) and machinery for monitoring and enforcing compliance.  I added that "that machinery takes the form of rights for data subjects (the individuals who can be identified from the data) and obligations upon data controllers (those who control the processing of personal data) and processors (those who carry out the processing) to take reasonable steps to minimize the risk or effect of non-compliance."

Previous legislation required EU member states to establish supervisory authorities to regulate the processing of personal data in their respective territories and the supervisory authority for the United Kingdom is the Information Commissioner in Wilmslow near Manchester.  If a data subject believes that his or her rights under the GDPR have been infringed, he or she will be able to complain to the Information Commissioner or the supervisory authority of some other member state or sue the data controller or processor in the courts of the United Kingdom or some other member state.

This article considers the circumstances in which a data subject might wish to bring an action against a data controller or processor in the courts of England and Wales and how he or she might do so.

What is the GDPR?

In my Introduction to the GDPR 2 Dec 2017 I wrote that "the initials GDPR stand for the words “General Data Protection Regulation” which is "the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC." I added:
"The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states."
It will come into force on 25 May 2018 and remain for as long as the United Kingdom remains in the European Union. However, many of its provisions will be preserved in a new Data Protection Bill which is now proceeding through Parliament (see my article Introduction to the Data Protection Bill  16 Sept 2017).

Right of Action

Art 79 (1) of the GDPR provides:
"Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation."
Such a right of action is not new.  EU member states are already required to provide a judicial remedy for any breach of the rights guaranteed by the national law applicable to the processing in question under art 22 of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). In the United Kingdom, the judicial remedy mentioned in art 22 is implemented by s.15 (1) of the Data Protection Act 1998.

In what Circumstances could a Data Subject sue?

A data subject might wish to go to law to seek compensation under art 82 (1) of the GDPR for any material or non-material damage that he or she may have suffered as a result of an infringement of the regulation or for an order for the rectification or erasure of data, the restriction of data processing or any other relief that can only be granted by a court.

In which Court?

Art 79 (2) of the CDPR allow proceedings for compensation or other remedy to be brought in any member state in which the controller or processor.  Alternatively, they may be brought before the courts of the member state where the data subject has his or her habitual residence unless the controller or processor is a public authority of a member state acting in the exercise of its public powers. In that case the authority must be sued in the member state where it is located.  Clause 92 (13) of the Data Protection Bill provides that the jurisdiction to compel subject access requests may be exercised by the High Court in England and Wales, the High of Northern Ireland or the Court of Session in Scotland. Similarly, those courts have jurisdiction to hear objections to process under clause 97 (7) and to make orders for the rectification or erasure of personal data under clause 98 (6).  There is no equivalent provision for compliance orders under clause 158 or compensation under clause 159. By contrast, s.15 (1) of the Data Protection Act 1998 provides that claims under the Act may be brought before the High Court or the County Court in England and Wales or the Court of Session or a sheriff's court in Scotland.

How to bring Proceedings under the GDPR

It would appear that a claimant must prove:
  • the existence of a right under the GDPR;
  • an actual or threatened infringement of that right; and
  • damage resulting from the infringement.
The right may be express such as those that arise under Chapter III of the regulation or implied such as the right to object to the transfer of personal data abroad without the safeguards provided by Chapter V. The damage may be material or non-material and it must have resulted or be likely to result from an infringement of the data subject's right. A controller or processor has a complete defence under art 82 (3) of the GDPR if he or she can prove that he or she is not in any way responsible for the event giving rise to the damage.

Liability of Processors

One of the changes brought about by the GDPR is that processors can be sued for damage caused by non-compliance with the regulation or acts outside or contrary to the lawful instructions of the controller. This change is probably more apparent than real because processors that have failed to comply with relevant data protection legislation can usually be joined as Part 20 defendants either for breach of express or implied terms of their service level agreements or a common law duty of care.

Procedure

In the absence of a pre-action protocol for data protection complaints, data subjects, controllers and processors will be expected to comply with paragraph 6 of the Practice Direction - Pre-action Conduct and Protocols. Wherever possible, disputes should be settled through direct negotiations, arbitration, mediation or some other form of alternative dispute resolution. Those that cannot be resolved through negotiation or ADR may be brought in either the Queen's Bench Division or the Chancery Division. Claims for compensation are more likely to be brought in the Queen's Bench Division whereas those for compliance orders are more likely in the Chancery Division

Alternative Dispute Resolution

Parties seeking the appointment of a neutral to resolve a dispute under the GDPR or other data protection legislation may wish to consider one of the arbitrators or mediators of 4-5 Gray's Inn Square as James Bridgeman SC, the Hon Louis Harms, Caroline Kenny QC, Anthony Connerty, several other members of chambers and I have relevant knowledge and experience.

Further Information

Anyone wishing to discuss this article, the GDPR or data protection in general is invited to call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.