Recital 7 of the new SCCs – it’s a doozy

Post by me on the Mishcon de Reya website.

Everyone needs to understand the new model clauses for international transfers, and recital 7 is a red flag.

Leave a comment

Filed under Uncategorized

New Model Clauses – a Mishcon podcast

My colleagues, partners Adam Rose and Ashley Winton, discuss the new European Commission Standard Contractual Clauses announced on 4 June 2021. I honestly can’t think of two better people to discuss what they mean.

Initial Reactions: New Standard Contractual Clauses (mishcon.com)

Leave a comment

Filed under adequacy, Brexit, consistency, Data Protection, data sharing, EDPB, Europe, GDPR, international transfers, Schrems II

ICO not compliant with post-Schrems II data protection law?

In which I finally receive a reply to my complaint about ICO’s Facebook page.

The issue of the transfer of personal data to the US has been the subject of much debate and much litigation. In 2015 the Court of Justice of the European Union (CJEU) struck down one of the then key legal mechanisms (“Safe Harbor”) for doing so. And in 2020 the CJEU did so with its successor, “Privacy Shield”. Both cases were initiated by complaints by lawyer and activist Max Schrems, and focused on the transfer of data from the EU to the US by Facebook.

Put simply, European data protection law, in the form of the GDPR and (as we must now talk about the UK in separate terms) UK data protection law, in the form of UKGDPR, outlaw the transfer of personal data to the US (or any other third country), unless the level of protection the data would receive in the EU, or the UK, is “not undermined” (see Chapter V of and recital 101 of GDPR/UKGDPR).

In “Schrems II” – the 2020 case – the CJEU not only struck down Privacy Shield – it effectively also laid down rules which needed to be followed if the alternative mechanisms, for instance using “standard contractual clauses” were to be used for transfers of personal data. Following the judgment, the European Data Protection Board (EDPB) issued guidance in the form of FAQs, which recommended an “assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place”. The EDPB guidance was subsequently endorsed by the UK’s own Information Commissioner’s Office (ICO)

The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere

What struck me as odd in all this is that the ICO themselves have a Facebook page. Given that Facebook’s own data governance arrangements involve the transfer of EU and UK users’ data to the US, and given that ICO don’t just operate their page as a newsletter, but actively encourage users to comment and interact on their page, it seemed to me that ICO were enabling the transfer of personal data by Facebook to the US. But even further than that, another CJEU judgment has previously made clear that operators of corporate Facebook pages may well function as a controller under the GDPR/UKGDPR, where they set parameters on the page. The Wirtschaftsakademie case held that – in the case of someone operating a “fan page”

While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.

By extension, it seemed to me, the ICO were in this position with their page.

So I put the point to them. After four months, and some chasing, I received a reply which not only confirmed my understanding that they are, and accept that they are, a controller, but that, nearly a year on from the Schrems II decision, they have not finished reviewing their position and have not updated their privacy notice to reflect their controller status in respect of their Facebook processing. (They also say that their legal basis for processing is “Article 6 (1) (e) of UK GDPR, public task” because “as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms”, but I’d observe that they fail to give any attention to the proportionality test that reliance on this condition requires, and fail to point to the justification in domestic law, as required by Article 6.)

What the ICO response doesn’t do is actually respond to me as a data subject in respect of my complaint nor explain how they are complying with the international data transfer provisions of Chapter V of the GDPR/UKGDPR, and whether they have conducted any sort of transfer impact assessment (one presumes not).

As I said in my original complaint to ICO, I am aware that I might be seen as being mischievous, and I’m also aware I might be seen as having walked ICO into a trap. Maybe I am, and maybe I have, but there’s also a very serious point to be made. The cost to UK business of the Schrems II decision has been enormous, in terms of the legal advice sought, the internal governance reviews and risk assessments undertaken, and the negotiating or novation of contracts. At the same time the business and legal uncertainty is significant, with many wondering about their exposure to legal claims but also (and especially) to regulatory enforcement. If, though, the regulator is not complying with the relevant law, ten months on from the judgment (and five months on from my raising it with them as a concern) then what are controllers meant to do? And where do they turn to for guidance on the regulatory approach?

THE ICO RESPONSE

Firstly, it may be helpful to explain that following the findings of the CJEU in Wirtschaftsakademie, we started a review of the transparency information we provide to visitors of the page. The review was delayed when Schrems11 decision was issued as we needed to consider the impact of the judgement on any transfer element to the US.

We agree that as the Facebook page administrator, we are processing personal data of the visitors of our page and therefore we are controllers for this information. We process the names of the users as they appear on their Facebook profiles and any personal data they may share through their comments on our posts or via messages to us. We process this information in reliance on Article 6 (1) (e) of UK GDPR, public task. We consider that, as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms.

For the cookies and similar technologies, Facebook is responsible for setting the cookies, when you visit our Facebook page.

We also receive anonymous information from Facebook in the form of aggregate statistics of all those who visit our page, regardless of whether they have a Facebook account or not. In line with the findings of the CJEU in Wirtschaftsakademie we are joint controllers with Facebook for this information. We process this information under Article 6 (1) (e) as well. The Insights include information on page viewings, likes, sharing of posts, age range, the device used and how it was accessed and breakdown of demographics. All Insights are received from Facebook by the ICO in aggregate format. Our PN will updated shortly to reflect the above information.

Like other regulators, the ICO is currently reviewing its position on international transfers following the judgment in Schrems II. As part of that review, it will, amongst other things, consider the questions that you have raised about the ICO’s use of Facebook. The ICO intends to publish its guidance on how UK organisations should address the question of international transfers, in due course, and will act in accordance with its guidance. That work is still in progress, and it will be published in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, data sharing, EDPB, facebook, GDPR, Information Commissioner, international transfers, privacy notice, privacy shield, safe harbor, Schrems II, UK GDPR

You what?

Twice in recent months the outgoing Information Commissioner, Elizabeth Denham, has given speeches including these words

Data protection law was born in the 1970s out of a concern that the potential from emerging technology would be lost if we didn’t embrace innovation.

I don’t know what she means. Does anyone else?

Studies I’m aware of more generally see data protection law arising, from the 1960s through to the early 1980s, out of a combination of: increasing awareness of and focus on fundamental human rights; an understanding that use of computers would cause an exponential increase in the ability to process information; a desire that concerns about the preceding two should not lead to unnecessary barriers to international trade.

(See, for example, the UK 1972 Report of the Committee on Privacy, chaired by Kenneth Younger, and the UK 1978 Report of the Committee on Data Protection chaired by Sir Norman Lindop. See, especially, the 1980 OECD Guidelines and the 1981 Council of Europe Convention 108.)

Whatever Ms Denham’s words mean, they miss the foundational status of human rights in modern data protection law. And that is a glaring omission. Article 1 of the UKGDPR is clear – data protection law now, as it always has

protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data

There’s nothing wrong with embracing innovation (I do it myself). But let’s not misstate history.

Leave a comment

Filed under Data Protection, GDPR, human rights, Information Commissioner, UK GDPR

Regulatory breach reporting webinar

My firm recently held a webinar on regulatory notification obligations. We had Laura Middleton, head of ICO’S breach reporting team, as well as me and a couple of colleagues.

The highlights of the recording are here: https://www.mishcon.com/news/tv/-self-reporting-regulators-advantages-pitfalls

Leave a comment

Filed under Uncategorized

Gov says “no” to UK GDPR opt-out actions but…

A post by me on the Mishcon de Reya website – the government has declined to bring into operation Article 80(2) of the (UK) GDPR, but does that mean that the Supreme Court will be more likely to uphold the Court of Appeal judgment in Lloyd v Google?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DCMS, GDPR, UK GDPR

UK GDPR Resource

My firm Mishcon de Reya have created a version of the UK’s post-Brexit version of GDPR as there isn’t yet an official version. What’s more, we’ve added in links to the Recitals, and made it freely available.

The announcement is here. The actual UK GDPR is here.

Ain’t we kind?

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Search and (don’t) destroy

Martin Lewis’s Money Saving Expert (MSE) site reports that over £1m is apparently held by Highways England (HE) in respect of Dartford Crossing pre-paid online accounts (Freedom of Information requests were apparently used to establish the amount). It is of course by no means uncommon for money to lie dormant in money accounts – for instance, banks across the world hold fantastic sums which never get claimed. MSE itself suggests elsewhere that the total amount in the UK alone might be around £15bn – but what these FOI requests to HE also revealed is an approach to retention of personal data which may not comply with HE’s legal obligations.

People appear to have received penalty charges after assuming that their pre-paid accounts – in credit when they were last used – would still cover the crossing charge (even where the drivers had been informed that their accounts had been closed for lack of use). MSE reports the case of Richard Riley, who

had been notified by email that his account would be closed, but he’d wrongly assumed it would be reactivated when he next made the crossing (this is only the case if you cross again within 90 days of being notified). On looking into it further, Richard also realised he had £16 in his closed account

However, HE apparently explained to MSE that

…it’s unable to reopen automatically closed accounts or automatically refund account-holders because it has to delete personal data to comply with data protection rules.

This cannot be right. Firstly, as the MSE article goes on to explain, if someone suspects or discovers that they have credit in a closed Dartford Crossing account, they can telephone HE and “any money will be paid back to the debit or credit card which was linked to the account. If this isn’t possible, a refund will be issued by cheque.”

So HE must retain some personal data which enables them to confirm whose money it is that they hold. But if it is true that HE feels that data protection law requires them to delete personal data which would otherwise enable them to refund account-holders when accounts are closed, then I fear that they are misreading two of the key principles of that law.

Article 5(1)(e) of the UK GDPR (the “storage limitation principle”) requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (emphasis added), and Article 5(1)(c) ( the “data minimisation principle”) requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (emphasis added). Both of these make clear that where personal data is still needed for the purposes for which it is processed, then it can (and should) be retained. And when one adds the point, under Article 5(1)(c), that personal data should also be “adequate” for the purposes for which it is processed, it becomes evident that unnecessary deletion of personal data which causes a detriment or damage to the data subject can in itself be an infringement.

This matter is, of course, on a much lower level of seriousness than, for instance, the unnecessary destruction of landing cards of members of the Windrush Generation, or recordings of witnesses in the Ireland Mother and Baby Homes enquiry, but it strikes me that it is – in general – a subject that is crying out for guidance (and where necessary enforcement) by the Information Commissioner. Too many people feel, it seems, that “data protection” means they have to delete, or erase or destroy personal data.

Sometimes, that is the worst thing to do.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, adequacy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

You don’t “register” with the ICO

“Data protection public register…find organisations and people registered with the ICO under the Data Protection Act”, says the Information Commissioner’s Office (ICO) website. Which is funny, because you can’t register with the ICO under the Data Protection Act.

Under the now-repealed 1995 European Data Protection Directive, given domestic effect in the UK by the now-repealed Data Protection Act 1998 (DPA98), all data controllers had to notify with their version of the ICO (unless they were exempt from doing so). And under section 19 of the now-repealed DPA98, the ICO had to keep a register and make it publicly available. The obvious way of doing that was to put it online.

It was a criminal offence to process personal data and not be notified (registered) with the ICO.

But, the General Data Protection Regulation (aka GDPR, and now to be known as the “EU GDPR”), did away with statutory notification as a matter of European law (on the grounds that it achieved nothing, and was an administrative headache). In the UK, where (as part of the notification scheme) controllers had to pay a fee to the ICO, this risked a major budget shortfall for the ICO. So, cleverly, we passed law that requires controllers to pay a fee purely to fund the ICO’s data protection work (the explanatory memo to that law even says it is “to make provision to ensure that the [Information Commissioner] has the financial resources necessary for the performance of her tasks and exercise of her powers”. Failure to pay this fee is a civil wrong, punishable by the imposition of a civil monetary penalty (of up to £4350). There is no requirement for the ICO to maintain a register, no requirement for it to be made public, and it is certainly not the case that what they do publish is a register of people “registered with the ICO under the Data Protection Act”.

What they publish is a non-statutory register of controllers who’ve paid their fee. Presence on that register says nothing other than that the controller has paid its fee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

Oil well not personal data shock

In news that should surprise no one, the Information Commissioner’s Office (ICO) has ruled that the locations of two oprhaned oil or gas well bores do not amount to personal data, for the purposes of the Environmental Information Regulations 2004 (EIR).

Perhaps more interestingly, the ICO cites the much-derided-but-probably-still-good-law case of Durant:

The Commissioner accepts that placing the two addresses into the public domain would allow the [owners of the land] to be identified. However, she does not consider that the information that would be revealed via disclosure “relates to” those individuals and it is therefore not their personal data…

And specifically refers to the famous dicta of Mr Justice Auld (as he was) from the Durant case

Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity

So, at least for now, oil wells will stay out of the list of Things Which Have Been Found to be Personal Data.

And as my esteemed colleague Adam Rose notes, oil’s well that ends well. Pun complaints should be addressed here.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner