A piece in The Times by me and my Mishcon de Reya colleague Emma Woollcott, on the recent Hurbain v Belgium “right to be forgotten” case:
Author Archives: Jon Baines
Arbitrary criminality and data protection
It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.
The majority of infringements of data protection law are not criminal offences, but, rather, contraventions of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information
which—
(a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,
However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that
(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,
(b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
(c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,
(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,
(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.
This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.
Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.
But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44 FOIA (information whose disclosure is prohibited by or under any enactment), because of the offence provisions at section 132 DPA.
Whether this is an over-cautious stance is one thing, but it is understandable.
What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data breach report (albeit with redactions). And here, also.
If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?
One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
When is a fundamental right no longer fundamental?
Answer – when Parliament approves legislation to remove it
Rather quietly, the government is introducing secondary legislation which will have the effect of removing the (admittedly odd) situation whereby the UK GDPR describes the right to protection of personal data as a fundamental right.
Currently, Article 1(2) of the UK GDPR says “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. For the purposes of the EU GDPR this makes sense (and made sense when the UK was part of the EU) because the Charter of Fundamental Rights of the European Union (“the Charter”) identifies the right to protection of personal data as a free-standing right.
However, the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 will amend Article 1(2) of the UK GDPR so that it will simply say “This Regulation contributes to the protection of individuals’ fundamental rights and freedoms.”
The explanatory memorandum to the draft regulations states that
There is no direct equivalent to the right to the protection of personal data in the UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention of Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by UK GDPR, the Data Protection Act 2018 and will continue to be protected by the Data Protection and Digital Information Bill in our domestic legislation.
None of this addresses the point that the EU specifically decided, in the Charter, to separate the right to protection of personal data from the right to respect for a private and family life. One reason being that sometimes personal data is not notably, or inherently, private, but might, for instance, be a matter of public record, or in the public domain, yet still merit protection.
The explanatory memorandum also says, quite understandably, that the UK GDPR has to be amended so as to ensure that
references to retained EU rights and freedoms which would become redundant at the end of 2023 are replaced with references to rights under the European Convention on Human Rights (ECHR) which has been enshrined in the UK’s domestic law under the Human Rights Act 1998
Nonetheless, it was interesting for a while that the UK had a fundamental right in its domestic legislation that was uncoupled from its source instrument – but that, it seems, will soon be gone.
Filed under Data Protection, human rights, parliament, UK GDPR
ICO breaching section 45 FOI code which it has a duty to promote
Under section 45 of the Freedom of Information Act 2000 (FOIA), the Minister for the Cabinet Office is required to issue a Code of Practice providing guidance to public authorities as to the practice which it would, in his opinion, be desirable for them to follow. A Code of Good Practice, if you will. The Information Commissioner’s Office (ICO) says, about the most recent version of the section 45 Code, that it
should be used as a handbook which sets out best practice to help you with the day to day handling of requests. Adhering to the Code will result in positive benefits for your authority, and in practical terms, offer good customer service.
And under section 47(1)(b) of FOIA the Commissioner has a duty to perform his functions so as to promote the observance of the Code.
Paragraph 8.5 of the Code says that
Public authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling requests for information under [FOIA…and] should do so on a quarterly basis…
However, the ICO itself does not do this, and indeed never has.
I recently made a FOIA request to the ICO, in which I queried the absence of the published statistics under paragraph 8.5 of the Code, and asked for disclosure of the last two years’ statistics. The response revealed statistics that are not particularly interesting, other than that they show that the ICO has made commendable improvements in its own compliance, following the dip which coincided with the pandemic. But all that was said about the proactive publication point was
We are not presently publishing our quarterly stats
No explanation as to why, and no acknowledgement of the fact that this appears expressly contrary to the ICO’s duty under section 47 to promote observance of the Code.
The ICO has, in recent months, indicated a willingness to get a bit tougher on public authorities which don’t comply with FOIA, but if it does not itself comply, the effect of such tougher enforcement is greatly weakened.
ICO and reprimands – unfair to recipients?
I’ve written on the Mishcon de Reya website about the Information Commissioner’s Office’s use of reprimands for data protection infringements, despite the absence of any published guidance or procedure. Coupled with the lack of any way of appealing a reprimand, does this risk putting recipients in an unfair position?
https://www.mishcon.com/news/icos-regulatory-use-of-reprimands-does-it-need-a-rethink
Filed under Uncategorized
“Text pests” and data protection criminal offences
The modern digital economy allows us to order goods (and have them delivered) with a few taps on our phones. But the infrastructure behind locating, packaging and delivering those goods necessitates that a chain of people have access to the specifics of our orders, and, in some cases, our contact details. A consequence of this appears to be an extraordinary prevalence of customers receiving unwanted contact as a result: research commissioned by the Information Commissioner’s Office (ICO) indicates that 29% of 18-34-year-olds have received unwanted contact after giving their personal details to a business.
It is to the ICO’s credit that it is looking at this issue, and calling for evidence of what it correctly calls this “illegal behaviour”. But I found it surprising that the ICO did not explain, in its communications, that if someone obtains a customer’s contact details from a business, and uses them for personal purposes which are different from (and not approved by) the business, they are very likely to be committing the criminal offence of unlawfully obtaining personal data without the consent of the controller, under section 170(1)(a) of the Data Protection Act 2018 (DPA).
The ICO says it will be contacting
some of the major customer-facing employers in the country to emphasise their legal responsibilities as well as to learn more about what safeguards they have in place
Which is all fine, but maybe a quicker and more effective action would be to remind those employers in turn to make their staff aware that using customer data for such purposes may well see them ending up with a criminal record.
Under section 197 of the DPA, prosecutions for section 170 offences can only be brought, in England, Wales and Northern Ireland at least, by the ICO itself (or by or with the consent of the Director of Public Prosecutions or equivalent). One wonders if the sheer number of incidents where customer data is being obtained and misused in this way means that the ICO’s criminal prosecution team simply doesn’t have the capacity to deal with it. If so, maybe Parliament needs to look at giving the CPS a role, or even at whether private prosecutions could be allowed.
PSNI data breaches and questions over ICO’s investigations retention policy
I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance, when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and Freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.
So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that
Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy
The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retained for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.
There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?
I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review considers whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.
ICO failing to inform complainants of investigation outcomes
I’d like you to imagine two people (Person A and Person B). Both receive an unsolicited direct marketing call to their personal mobile phone, in which the caller says the recipient’s name (e.g. “am I speaking to Jon Baines?”) Both are registered with the Telephone Preference Service. Both are aggrieved at receiving the unlawful call.
Person A knows nothing much about electronic marketing laws, and nothing much about data protection law. But, to them, quite reasonably, the call would seem to offend their data protection rights (the caller has their name, and their number). They do know that the Information Commissioner enforces the data protection laws.
Person B knows a lot about electronic marketing and data protection law. They know that the unsolicited direct marketing call was not just an infringement of the Privacy and Electronic Communications (EC Directive) Regulations 2003, but also involved the processing of their personal data, thus engaging the UK GDPR.
Both decide to complain to the Information Commissioner’s Office (ICO). Both see this page on the ICO website
They see a page for reporting Nuisance calls and messages, and, so, fill in the form on that page.
And never hear anything more.
Why? Because, as the subsequent page says “We will use the information you provide to help us investigate and take action against those responsible. We don’t respond to complaints individually” (emphasis added).
But isn’t this a problem? If Person A’s and Person B’s complaints are (as they seem to be) “hybrid” PECR and UK GDPR complaints, then Article 57(1)(f) of the latter requires the ICO to
handle complaints lodged by a data subject…and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period (emphasis added)
What Article 57(1)(f) and the words “investigate, to the extent appropriate” mean, has been the subject of quite a bit of litigation in recent years (the basic summary of which is that the ICO has broad discretion as to how to investigate, and even a mere decision to cease handling a complaint will be likely to suffice (see Killock & Veale & others v Information Commissioner (GI/113/2021 & others)).
But nowhere has anyone suggested that the ICO can simply decide not to “inform the complainant of the progress and the outcome of the investigation” in hybrid complaints such as Person A’s and Person B’s would be.
Yet that is what undoubtedly happens in many cases. And – it strikes me – it has happened to me countless times (I have complained about many, many unsolicited calls over the years, but never heard anything of the progress and outcome). Maybe you might say that I (who, after all, have found time to think about and write this post) can’t play the innocent. But I strongly believe that there are lots of Person As (and a fair few Person Bs) who would, if they knew that – to the extent theirs is a UK GDPR complaint – the law obliges the ICO to investigate and inform them of the progress and the outcome of that investigation, rightly feel aggrieved to have heard nothing.
This isn’t just academic: unsolicited direct marketing is the one area that the ICO still sees as worthy of fines (all but two of the twenty-three fines in the last year have been under that regime). So a complaint about such a practice is potentially a serious matter. Sometimes, a single complaint about such marketing has resulted in a large fine for the miscreant, yet – to the extent that the issue is also a UK GDPR one – the complainant themselves often never hears directly about the complaint.
In addition to the Killock & Veale case, there have been a number of cases looking at the limits to (and discretion regarding) ICO’s investigation of complaints. As far as I know no one has actually yet raised what seems to be a plain failure to investigate and inform in these “hybrid” PECR and UK GDPR cases.
Filed under Data Protection, Information Commissioner, PECR, UK GDPR
Has the Information Commissioner’s Office lost its FOI purposes?
When Parliament passed the Data Protection Act 1984 it created the role of a regulator for that new data protection law. Section 3(1)(a) said that
For the purposes of this Act there shall be…an officer known as the Data Protection Registrar
The office remained in this form until the passing of the Data Protection Act 1998, section 6(1) of which provided that
The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner
The advent of the Freedom of Information Act 2000 necessitated a change, so as to create a role of regulator for that Act. Paragraph 13(2) of Schedule 2 to the Freedom of Information Act 2000 amended section 6(1) of the Data Protection Act 1998 so it read
For the purposes of this Act and of the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner
So, at this point, and indeed, until 25 May 2018, there was an Information Commissioner “for the purposes of” the Data Protection Act 1998, and “for the purposes of” the Freedom of Information Act 2000.
25 May 2018 marked, of course, the date from which (by effect of its Article 99) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or “GDPR”, applied.
Also on 25 May 2018, by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018, section 114 of the Data Protection Act 2018 commenced. This provided (and provides)
There is to continue to be an Information Commissioner.
However, paragraph 44 of schedule 19 to the Data Protection Act 2018 (commenced also by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018) repealed the “FOIA purpose” provisions of section 6(1) of the Data Protection Act 1998 (which, to recall, said that “for the purposes of…the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner“). At the same time, paragraph 59 of schedule 19 to the Data Protection Act 2018 repealed section 18(1) (which had provided that “The Data Protection Commissioner shall be known instead as the Information Commissioner“).
So, the Information Commissioner is no longer described, in statute, as an officer who exists for the purposes of the Freedom of Information Act 2000.
Probably nothing turns on this. Elsewhere in the Freedom of Information Act 2000 it is clear that the Information Commissioner has various functions, powers and duties, which are not removed by the repeal (and subsequent absence) of the “FOIA purpose” provisions. However, the repeal (and absence) do raise some interesting questions. If Parliament thought it right previously to say that, for the purposes of the Freedom of Information Act 2000, there should be an Information Commissioner, why does it now think it right not to? No such questions arise when it comes to the data protection laws, because section 114 and schedule 12 of the Data Protection Act 2018, and Articles 57 and 58 of the UK GDPR, clearly define the purposes (for those laws) of the Information Commissioner.
Maybe all of this rather painful crashing through the thickets of the information rights laws is just an excuse for me to build up to a punchline of “what’s the purpose of the Information Commissioner?” But I don’t think that is solely what I’m getting at: the implied uncoupling of the office from its purposes seems odd, and something that could easily have been avoided (or could easily be remedied). If I’m wrong, or am missing something – and I very much invite comment and correction – then I’ll happily withdraw/update this post.
Please note that links to statutes here on the legislation.gov.uk website are generally to versions as they were originally enacted.