Heathrow is public authority under EIRs, says ICO

A post by me on the Mishcon de Reya website, on a recent ICO decision holding that Heathrow Airports Ltd is subject to the Environmental Information Regulations 2004.


Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

Event on collective redress for data breaches

Via the Mishcon de Reya website – an event run in association with the British Institute for International and Comparative Law on identifying, building, bringing and defending group actions for data protection infringements.


Filed under Uncategorized

DSARs – the clock doesn’t stop for clarification of a request

A thread on Twitter by solicitor Martin Sloan has drawn attention to a change to official guidance on the question of when a subject access request (pursuant to Article 15 of the General Data Protection Regulation (GDPR)) “starts”, in circumstances where a controller processes large amounts of data and asks the data subject to specify what information is sought.

Recital 63 of GDPR says that where a controller processes “a large quantity of information concerning the data subject [it] should be able to request that, before the information is delivered, the data subject specify the information or the processing activities to which the request relates”. This certainly seems to suggest that it is only when the controller is ready to “deliver” the information (i.e. when it has already searched for and retrieved it) that it can ask for the request to be, in effect, narrowed down.

However, guidance from the Information Commissioner’s Office (ICO) used to say* “If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request. You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information” (emphasis added). This was similar to the position which obtained under the prior Data Protection Act 1998, which provided that a controller was not obliged to comply with a request unless it was supplied with such information as was reasonably required to locate the information which the data subject sought.

But the ICO now says: “If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month” (emphasis also added).

The change appears to be correct as a matter of law (by reference to recital 63), but it is possible that it may lead to an increase in reliance by controllers on Article 12(3), which potentially allows an extension to the one month period for compliance if a request is complex.

The new wording is contained in the ICO’s draft detailed guidance on subject access requests, which is currently out for consultation. One presumes the ICO thought this particular change was sufficiently important to introduce it in advance, but it is rather surprising that no announcement was made.

[UPDATE: Martin has now got a piece on Brodies’ own website about this].

[*the link here is to an archived page].


Filed under Data Protection, GDPR, Information Commissioner, subject access

Why the big pause? ICO delay agreed re GDPR fines

On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott



Filed under Data Protection, Data Protection Act 2018, enforcement, GDPR, Information Commissioner, monetary penalty notice

€9.5m GDPR fine to German telco for insecure customer authentication

Another post by me on the Mishcon de Reya website – the federal telecoms regulator issues a fine for Article 32 failings after callers could give a customer's name and date of birth and obtain further information.


Filed under Data Protection, Europe, GDPR, monetary penalty notice

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

First prosecution under DPA 2018?

The Information Commissioner has successfully prosecuted a former Social Services Support Officer at Dorset County Council for an offence under section 170 of the Data Protection Act 2018 – I think that this is the first such prosecution under the 2018 Act. Section 170 is in broadly similar terms to section 55 of the Data Protection Act 1998, under which any number of prosecutions were brought for unlawfully obtaining (etc) personal data without the consent of the controller.

Just as the 1998 Act did, the 2018 Act reserves such prosecutions to the Commissioner (except that they may also be brought by or with the consent of the Director of Public Prosecutions – see s197 of the 2018 Act).

What we have not yet seen is a prosecution of the “new” offence at section 170(1)(c) of retaining personal data (after obtaining it) without the consent of the person who was the controller when it was obtained. This is a most interesting provision – I have wondered whether the mischief it aims to address is that which arises when someone inadvertently obtains personal data (perhaps as a result of a mistake by the controller) but then refuses to hand it back. This is not an infrequent occurrence, and powers at civil law to address the issue are potentially complex and expensive to exercise. It will be interesting to see whether prosecutions in this regard emerge in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner

Sign-up available for Mishcon Data Matters blog

Just a very quick post to say that it is now possible to subscribe to the Mishcon de Reya Data Matters blog. I often post on there, as do several of my colleagues.


Filed under Uncategorized

Storm clouds

Another post by me on the Mishcon de Reya website: my crystal ball may be way off, but I wonder if genuine enforcement action might be on its way for AdTech and its biggest players.


Filed under adtech, Data Protection, enforcement, GDPR, Information Commissioner

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.


Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice