Author Archives: Jon Baines

April 15, 2025 · 7:45 am

Recital 63 of the GDPR is nonsensical

[reposted from my LinkedIn account]

I’m sure I’ve mentioned this before (but that sort of thing never stops me banging on about stuff) but whenever I read recital 63 of the GDPR it irritates me, because a comma is in the wrong place. The result is that the clause in question is slightly nonsensical. It reads:

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

The literal reading of that clause is that the right of access exists in order that a data subject can be “aware of the lawfulness” of processing and “verify the lawfulness” of processing. The latter is fine on its own but what does the former mean? And if one becomes “aware of the lawfulness” of the processing then why should one then “verify” it?

Surely the need is to be aware of the processing, and then verify its lawfulness?

Clearly, the comma should be moved, so it says

…in order to be aware of, and verify the lawfulness of, the processing.

And when I’m Prime Minister a UK GDPR (Recital 63 Correction) Amendment Bill is the first thing I will table.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, nonsense, subject access, UK GDPR

April 14, 2025 · 8:51 am

Personal use of work devices – an Irish judgment

A frequent headache for data protection practitioners and lawyers is how to separate (conceptually and actually) professional and personal information on work devices and accounts. It is a rare employer (and an even rarer employee) who doesn’t encounter a mix of the two categories.

But, if I use, say, my work phone to send a couple of text messages (as I did on Saturday after the stupid SIM in my personal phone decided to stop working), who is the controller of the personal data involved in that activity? I’d be minded to say that I am, (and that my employer becomes, at most, a processor).

That is also the view taken by the High Court in Ireland, in an interesting recent judgment.

The applicant was an employee of the Health Service Executive (HSE), and did not, in this case, have authority or permission to use his work phone for personal use. He nonetheless did so, and then claimed that a major data breach in 2021 at the HSE led to his personal email account and a cryptocurrency account being hacked, with a resultant loss of €1400. He complained to the Irish Data Protection Commissioner, who said that as his personal use was not authorised, the HSE was not the controller in respect of the personal data at issue.

The applicant sought judicial review of the DPC decision. This of course meant the application would only succeed if it met the high bar of showing that the DPC had acted unlawfully or irrationally. That bar was not met, with the judge holding that:

The DPC did not purport to adopt an unorthodox interpretation of the definition of data controller. Instead, against the backdrop of the factual matrix before it, it found that the HSE had not “determined the purposes and means 28of the processing” of the data relating to the Gmail, Yahoo, Fitbit and Binance accounts accessed by the applicant on his work phone. That finding appears to me to be self-evident, where that use of the phone clearly was not authorised by the HSE.

I think that has to be correct. But I’m not sure I quite accept the full premise, because I think that even if the HSE had authorised personal use, the legal position would be the same (although possibly not quite as unequivocally so).

In genuinely interested in others’ thoughts though.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under controller, Data Protection, employment, GDPR, Ireland, judgments, Uncategorized

Tagged as

April 11, 2025 · 11:41 am

Subject access, Leeds United, and ****

[reposted from my LinkedIn account]

You’d have thought most football fans would be keen to prove they’d not attended a Leeds United match [#bantz], but when Melvyn Flower was told by the club he couldn’t renew his season ticket for next season, because he’d not used his current one often enough, he resorted to data protection law to vindicate his support for the club.

The information disclosed to him showed that he attended matches on all the occasions the club had said he hadn’t.

I don’t quite understand how the club searched for and disclosed his personal data, without (when doing so) realising its mistake (maybe he asked for footage from a specific camera near his reserved seat). But in any case, it’s a nice little story, and topped off with an excellent point from Mr Flower:

Why would I buy a season ticket and not go this season, of all seasons, given the **** I’ve sat through since 1978?

1 Comment

Filed under Data Protection, not-entirely-serious, Sport, subject access

Tagged as , ,

April 11, 2025 · 5:03 am

Retaining data for journalistic purposes?

This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News , involving a mother of a woman who died in suspicious circumstances.

It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.

Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.

That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.

But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.

The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, to consider evidential factors, but also whether a prosecution would be in the public interest.

At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Information Commissioner, law enforcement, offences, police

Tagged as , , ,

April 8, 2025 · 7:11 am

Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of a “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works) a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under AI, Data Protection, datasets, DUAB, Information Commissioner, Lawful basis, parliament, Uncategorized

Tagged as , ,

April 2, 2025 · 5:02 am

The legality of data processing in the course of litigation

There is very convoluted litigation taking place which has as its focus a witness statement, prepared by a solicitor acting for a number of insurance companies who are defending personal injury claims arising from road traffic accidents (RTAs). And part of the argument (and a satellite claim) has now become about compliance with data protection law.

Five original claims were made for damages arising from RTAs. The defendant insurance companies were represented by law firm DWF, and one of DWF’s solicitors prepared a witness statement which contained an analysis of claims data collected by DWF in relation to a number of claims submitted by claimants represented by the solicitors who acted on behalf of the five claimants. The statement sought to adduce that in an unusually high number of the claims claimants had been referred for further psychological assessment, by a doctor who in 100% of those cases diagnosed a psychiatric condition and in two thirds of those cases said that the recovery period would be over two years. In short, a large number of claimants in the relevant RTAs appeared to develop long-term psychiatric conditions.

The claimant sought unsuccessfully to debar the witness statement, although the judge (on appeal) noted that it would be “for the Judge at trial to make of this evidence what they will [although] there are questions as to the extent to which this evidence assists without more in proving fundamental dishonesty”.

Notwithstanding this, an initial 317 (now reduced to three) claims were then made by people whose personal data was accepted to have been processed by DWF for the purposes of preparing the witness statement above. The claims here are for various breaches of the UK GDPR (such as excessive processing, and lack of fairness, lawful basis and transparency).

In a judgment handed down on 1 April, on an application by the claimants for specific disclosure in the UK GDPR claim (and an application by the defendant to amend its defence and strike out a witness statement of the claimants’ solicitor) Mrs Justice Eady DBE dismissed the disclosure applications (made under various headings), on the basis that much of the information would clearly be privileged material, or not relevant, or that the application was a fishing expedition.

If this gets to trial it will be interesting though. This sort of processing of personal data takes place in the course of (non-data-protection) private litigation routinely. It is generally not assumed that any issues of illegality arise. Any ultimate findings would be notable for litigators, and those who need to advise them on data protection compliance.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, litigation, UK GDPR

Tagged as

March 27, 2025 · 4:53 am

A new data protection duty?

I’ve been looking in more detail at the recent subject access judgment in Ashley v HMRC. One key point of general application stands out for me, and that is that it states that in some cases (i.e. where it is necessary for intelligibility purposes) a controller has a duty to provide contextual information in addition to copies of personal data.

As the judge put it

Article 15(1) and 15(3), read with Article 12(1) and (2) of the UK GDPR, did require the Defendant to go beyond providing a copy of the Claimant’s personal data where contextual information was necessary for that personal data to be intelligible in the sense of enabling the data subject to exercise their rights conferred by the UK GDPR effectively. It follows that insofar as the Defendant did not adopt this approach, it was in breach of this duty.

And although she couched the following as “guidance” for the HMRC when reconsidering the request, I feel it has general application:

…it is unlikely that providing an extract that simply comprises the Claimant’s name or his initials or other entirely decontextualised personal data of that sort, will amount to compliance with this obligation.

In arriving at this conclusion the judge drew in part on both pre- and post-Brexit case law of the Court of Justice of the European Union. Most notably she decided to have regard to case C-487/21. Even though this does not bind the domestic courts, the effect of section 6(2) of European Union (Withdrawal) Act 2018 is that courts may have regard to EU case law where it is relevant to the matter before them.

Of course, there are also times when merely providing a snippet in the form of a name constitutes a failure to provide all of the personal data in scope (omitting the final five words of “Jon Baines works at Mishcon de Reya” would be to omit some of my personal data). But the “context duty” seems to me to go further, and creates, where it is necessary, an obligation to provide information beyond what is in the source documents.

Most of the other points in the judgment, as important as they were to the facts, and as interesting they are, particularly on the concept of “relating to” in the definition of “personal data”, will not necessarily change things for most data subjects and controllers.

But this “context duty” feels to me to be an advancement of the law. And I suspect controllers can now expect to see data subjects and their lawyers, when making subject access requests (or when challenging responses), begin to argue that the “context duty” applies.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, judgments, subject access, UK GDPR

Tagged as ,

March 25, 2025 · 8:08 am

NADPO Webinar – 25 March

On the lunchtime of Tuesday 25 March I’ll be chairing one of the regular NADPO webinars. We have Dr Judith Townend talking about learning from ‘open justice’ and other data/technology contexts, and Dr Lachlan Urquhart on “Clever Computing through Accountable Design: Cybersecurity in Smart Homes”.

Members will already have received the joining instructions.

A reminder that membership is bargain £130 for two years, and gets you free attendance at all webinars, as well as at our annual conference and other ad hoc events, plus a range of other benefits (for example we’ve recently hosted free training sessions for members run by Tim Turner and a free session on databreaches and cybersecurity from 5 Essex Chambers and CyXcel). Members also get complimentary free attendance at UK Data Protection Forum events.

Leave a comment

Filed under Uncategorized

March 22, 2025 · 5:55 am

O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, facebook, Information Commissioner, marketing, Meta, Right to object, UK GDPR

Tagged as , ,

March 13, 2025 · 6:32 am

Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating whether FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, Freedom of Information, Information Commissioner, information notice, Information Tribunal, judgments

Tagged as ,