Category Archives: Data Protection

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

UK adequacy confirmed

To no great final surprise, the European Commission has adopted its adequacy decisions in respect of the UK.

Here’s a piece by me on the Mishcon de Reya website.

Leave a comment

Filed under adequacy, Data Protection, Europe, GDPR, international transfers, law enforcement

New Model Clauses – a Mishcon podcast

My colleagues, partners Adam Rose and Ashley Winton, discuss the new European Commission Standard Contractual Clauses announced on 4 June 2021. I honestly can’t think of two better people to discuss what they mean.

Initial Reactions: New Standard Contractual Clauses (mishcon.com)

Leave a comment

Filed under adequacy, Brexit, consistency, Data Protection, data sharing, EDPB, Europe, GDPR, international transfers, Schrems II

You what?

Twice in recent months the outgoing Information Commissioner, Elizabeth Denham, has given speeches including these words

Data protection law was born in the 1970s out of a concern that the potential from emerging technology would be lost if we didn’t embrace innovation.

I don’t know what she means. Does anyone else?

Studies I’m aware of more generally see data protection law arising, from the 1960s through to the early 1980s, out of a combination of: increasing awareness of and focus on fundamental human rights; an understanding that use of computers would cause an exponential increase in the ability to process information; a desire that concerns about the preceding two should not lead to unnecessary barriers to international trade.

(See, for example, the UK 1972 Report of the Committee on Privacy, chaired by Kenneth Younger, and the UK 1978 Report of the Committee on Data Protection chaired by Sir Norman Lindop. See, especially, the 1980 OECD Guidelines and the 1981 Council of Europe Convention 108.)

Whatever Ms Denham’s words mean, they miss the foundational status of human rights in modern data protection law. And that is a glaring omission. Article 1 of the UKGDPR is clear – data protection law now, as it always has

protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data

There’s nothing wrong with embracing innovation (I do it myself). But let’s not misstate history.

Leave a comment

Filed under Data Protection, GDPR, human rights, Information Commissioner, UK GDPR

Gov says “no” to UK GDPR opt-out actions but…

A post by me on the Mishcon de Reya website – the government has declined to bring into operation Article 80(2) of the (UK) GDPR, but does that mean that the Supreme Court will be more likely to uphold the Court of Appeal judgment in Lloyd v Google?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DCMS, GDPR, UK GDPR

UK GDPR Resource

My firm Mishcon de Reya have created a version of the UK’s post-Brexit version of GDPR as there isn’t yet an official version. What’s more, we’ve added in links to the Recitals, and made it freely available.

The announcement is here. The actual UK GDPR is here.

Ain’t we kind?

Leave a comment

Filed under Data Protection, GDPR, UK GDPR

Search and (don’t) destroy

Martin Lewis’s Money Saving Expert (MSE) site reports that over £1m is apparently held by Highways England (HE) in respect of Dartford Crossing pre-paid online accounts (Freedom of Information requests were apparently used to establish the amount). It is of course by no means uncommon for money to lie dormant in money accounts – for instance, banks across the world hold fantastic sums which never get claimed. MSE itself suggests elsewhere that the total amount in the UK alone might be around £15bn – but what these FOI requests to HE also revealed is an approach to retention of personal data which may not comply with HE’s legal obligations.

People appear to have received penalty charges after assuming that their pre-paid accounts – in credit when they were last used – would still cover the crossing charge (even where the drivers had been informed that their accounts had been closed for lack of use). MSE reports the case of Richard Riley, who

had been notified by email that his account would be closed, but he’d wrongly assumed it would be reactivated when he next made the crossing (this is only the case if you cross again within 90 days of being notified). On looking into it further, Richard also realised he had £16 in his closed account

However, HE apparently explained to MSE that

…it’s unable to reopen automatically closed accounts or automatically refund account-holders because it has to delete personal data to comply with data protection rules.

This cannot be right. Firstly, as the MSE article goes on to explain, if someone suspects or discovers that they have credit in a closed Dartford Crossing account, they can telephone HE and “any money will be paid back to the debit or credit card which was linked to the account. If this isn’t possible, a refund will be issued by cheque.”

So HE must retain some personal data which enables them to confirm whose money it is that they hold. But if it is true that HE feels that data protection law requires them to delete personal data which would otherwise enable them to refund account-holders when accounts are closed, then I fear that they are misreading two of the key principles of that law.

Article 5(1)(e) of the UK GDPR (the “storage limitation principle”) requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (emphasis added), and Article 5(1)(c) ( the “data minimisation principle”) requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (emphasis added). Both of these make clear that where personal data is still needed for the purposes for which it is processed, then it can (and should) be retained. And when one adds the point, under Article 5(1)(c), that personal data should also be “adequate” for the purposes for which it is processed, it becomes evident that unnecessary deletion of personal data which causes a detriment or damage to the data subject can in itself be an infringement.

This matter is, of course, on a much lower level of seriousness than, for instance, the unnecessary destruction of landing cards of members of the Windrush Generation, or recordings of witnesses in the Ireland Mother and Baby Homes enquiry, but it strikes me that it is – in general – a subject that is crying out for guidance (and where necessary enforcement) by the Information Commissioner. Too many people feel, it seems, that “data protection” means they have to delete, or erase or destroy personal data.

Sometimes, that is the worst thing to do.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, adequacy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

You don’t “register” with the ICO

“Data protection public register…find organisations and people registered with the ICO under the Data Protection Act”, says the Information Commissioner’s Office (ICO) website. Which is funny, because you can’t register with the ICO under the Data Protection Act.

Under the now-repealed 1995 European Data Protection Directive, given domestic effect in the UK by the now-repealed Data Protection Act 1998 (DPA98), all data controllers had to notify with their version of the ICO (unless they were exempt from doing so). And under section 19 of the now-repealed DPA98, the ICO had to keep a register and make it publicly available. The obvious way of doing that was to put it online.

It was a criminal offence to process personal data and not be notified (registered) with the ICO.

But, the General Data Protection Regulation (aka GDPR, and now to be known as the “EU GDPR”), did away with statutory notification as a matter of European law (on the grounds that it achieved nothing, and was an administrative headache). In the UK, where (as part of the notification scheme) controllers had to pay a fee to the ICO, this risked a major budget shortfall for the ICO. So, cleverly, we passed law that requires controllers to pay a fee purely to fund the ICO’s data protection work (the explanatory memo to that law even says it is “to make provision to ensure that the [Information Commissioner] has the financial resources necessary for the performance of her tasks and exercise of her powers”. Failure to pay this fee is a civil wrong, punishable by the imposition of a civil monetary penalty (of up to £4350). There is no requirement for the ICO to maintain a register, no requirement for it to be made public, and it is certainly not the case that what they do publish is a register of people “registered with the ICO under the Data Protection Act”.

What they publish is a non-statutory register of controllers who’ve paid their fee. Presence on that register says nothing other than that the controller has paid its fee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

ICO and Article 27 representative liability

The ever-entertaining (but more importantly, ever-illuminating) Tim Turner has made available a recording of a webinar he did recently on the subject of representatives under Article 27 of the EU GDPR and the UK GDPR. Such representatives are required to be designated by controllers or processors who are outside the relevant jurisdiction, but who are subject to the extra-territorial provisions of Article 3(2) of EU GDPR or UK GDPR (thus, under Article 27 EU GDPR, a company outside the EU but offering goods or service to, or monitoring the behaviour of, data subjects in the EU, must appoint a representative in the EU, and under Article 27 UK GDPR, a company outside the UK but offering goods or service to, or monitoring the behaviour of, data subjects in the UK, must appoint a representative in the UK).

Tim’s webinar deals, in part, with what is expected of representatives, but also touches on their potential liability, and he points to – but doesn’t actually address – a remarkable assertion on the website of the Information Commissioner’s Office (ICO)

The EDPB’s view is that supervisory authorities are able to initiate enforcement action (including fines) against a representative in the same way as they could against the controller or processor that appointed them.

I describe this as remarkable, because it seems to completely misrepresent the guidance (of the European Data Protection Board) to which it refers (and links).

The issue of representative liability is an important one – many companies offer a contracted service under which they will act as a representative, and a commercial evaluation of such a service will inevitably need to consider whether being a representative exposes oneself to the possibility of regulatory action. Recital 80 of the EU GDPR and the UK GDPR says “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor” and much debate is there to be had on what it means. But the EDPB’s view is pretty clear, and it’s nothing like the view attributed to it by the ICO

The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union. It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative… [emphasis added]

(It goes on to say that a representative will be directly liable only to the extent that it is infringing its direct obligations – namely to provide information to a supervisory authority under Article 58(1)(a) of GDPR, and to maintain a record of processing activities under Article 30.)

Whether the ICO’s assertion represents what it thinks a proper reading of the UK GDPR (including recital 80) should be, is an interesting question. The EDPB is, of course, no part of the UK GDPR regulatory and legal scheme, so ICO is free to disregard its views. What it shouldn’t be free to do though, really, is to attribute to the EDPB a position totally at odds with what the EDPB actually says.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, EDPB, EU representative, GDPR, Information Commissioner, UK GDPR

High Court – subject access, breach of confidence and the offence of reidentification (part 2)

In June last year I wrote about an unsuccessful strike-out application by the defendant in the High Court in proceedings arising from a very unfortunate incident, whereby Lambeth Council had imperfectly redacted highly sensitive data when responding to a subject access request.

The requester was the father (“AM”) of a child about whom a referral had been made to Lambeth social services, and the person whose identity was inadvertently revealed (when AM disapplied redactions made using Adobe software) was the person who made the referral – “HJ” – who happened to be AM’s sister.

The substantive proceedings have now come to trial, with a judgment now published (London Borough of Lambeth v AM (Judgment No. 2) [2021] EWHC 186 (QB)). Unsurprisingly, the judge held that AM acted in breach of confidence by removing the redactions, by retaining a copy of the information and refusing to return or destroy it, and by using the information to write a letter before action accusing HJ of malicious defamation, breach of confidence and harassment.

There were no further allusions to an apparent criminal prosecution of AM by the Information Commissioner’s Office. One waits to see if further news about that emerges.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, local government