Category Archives: Data Protection

GDPR compensation claims – not all infringements are alike

A very interesting piece by my Mishcon de Reya colleague Adam Rose, distinguishing between different types of GDPR infringement, and looking at which types the courts might consider justify compensation/damages awards (hint: by no means all).

Filed under damages, Data Protection, GDPR
Cometh the hour…
One thing in particular struck me about the statement from the Information Commissioner’s Office (ICO) in response to the huge distress and uncertainty facing thousands of students and their families, following the announcement of A-level grades:
Anyone with any concerns about how their data has been handled should raise those concerns with the exam boards first, then report to us if they are not satisfied
In some ways, this is standard. Even the ICO’s “contact us” page leads a potential complainant through various stages before telling people who haven’t raised their concerns by “contacting the [offending] organisation in writing” to “Raise your concern with the organisation handling your information”.
Whilst I can understand the reason for this general approach (ICO’s resources are limited, and many complaints can no doubt be resolved at source), it is difficult to reconcile it with what the law requires the ICO to do. Article 77 GDPR says that a supervisory authority must handle complaints lodged by a data subject, and investigate, to the extent appropriate, the subject matter of the complaint. There is no caveat, no exemption. It does leave the option open for the ICO to handle a complaint, and choose not to investigate it at all, but that is not what the ICO is doing here (and in its general approach).
But it must be said that sometimes, as it is permitted to under Articles 57 and 58, the ICO does conduct investigations of its own volition. It also has a range of powers, including the power to give an opinion to parliament and/or the government. Given that its Norwegian counterpart has indicated it will take strong action against the International Baccalaureate Organisation, I am hopeful that, as a new week of uncertainty for students approaches, the ICO will take this particular bit between its teeth, and properly investigate such a pressing issue.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, fairness, GDPR, Information Commissioner, parliament
Elizabeth Denham and international transfers
One question prompted by the news (original source: 2040training) that Elizabeth Denham, the Information Commissioner, is currently working from her home in Canada, is whether the files and matters she is working on, to the extent they contain or constitute personal data, are being transferred to her in accordance with Chapter 5 of the General Data Protection Regulation (GDPR).
Chapter 5’s provisions mean that personal data can only be transferred to a country outside the European Economic Area in certain circumstances. In general, these boil down to: 1) if the European Commission has made an adequacy determination in respect of the country, 2) if Commission-approved standard contractual clauses are in place, 3) if binding corporate rules are in place, 4) if Article 49 derogations for specific situations are in place.
So, can one play a distracting little parlour game looking at what international transfer mechanism Ms Denham and the Information Commissioner’s Office (ICO) in the UK have adopted? No need, says the ICO. What is going on is not an international transfer of the type envisaged by GDPR.
The ICO’s guidance on the subject introduces the not-unhelpful term “restricted transfers”, to describe those transfers of personal data to which Chapter 5 of GDPR applies. However, it includes in its category of transfers which are not restricted the following example:
if you are sending personal data to someone employed by you or by your company, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your organisation
So (at least to the extent that she, as Commissioner, is employed by, or embodies, the ICO) transfers of personal data to Ms Denham in Canada are not restricted transfers to which Chapter 5 of GDPR applies. There is, as it were, a corner of a foreign field that is forever Wilmslow.
The basis for the ICO’s position here, though, is not entirely easy to discern, and the position does not appear to be one that is obviously shared by other data protection authorities, or the European Data Protection Board (unless the latter’s impending guidance on international transfers proves me wrong).
And it does strike me that the ICO’s position is potentially open to abuse. What if, for instance, someone decided to set up a medical data analytics company in the UK, with no UK employees, but a branch office in, say, Syria, employing hundreds of people there, to which all of the medical data it gathered was sent for storage and further processing? Would the ICO still take the view that this was not a restricted transfer? Given the intense scrutiny which the CJEU applied to the US surveillance regime in the Schrems litigation, is it really likely that it would agree with a legal approach which resulted in data manifestly being in a state whose laws were deficient, but such data was not protected by the Chapter 5 provisions?
A similar issue might arise with another aspect of the ICO’s guidance, which implies that a transfer to a country outside the EEA, but which is a transfer to a controller to which the GDPR extra-territorial provisions apply, is also not a restricted transfer. If that controller was in, say, South Sudan, would the ICO hold its position?
None of this is to say, of course, that the fact that a transfer may not be a restricted one means that all the other GDPR obligations are set aside. They continue to apply, and, no doubt, Ms Denham and the ICO are doing all they can to comply with them.
Filed under Data Protection, GDPR, Information Commissioner
Why does the UK stop students accessing their mock exam and assignments data?
UPDATE: 23.08.20 In this piece Chris Pounder identifies what the government sees as a justification for the exam scripts exemption. In a document prepared to assist adequacy discussions with the European Commission, it is said that the exemption “aims to protect the integrity of exams by ensuring that exam scripts cannot be accessed outside established processes” (on the basis that exam boards often re-use or re-purpose exam questions). However, and as Chris implies, this simply isn’t sufficient to justify the blanket exemption, nor the breadth of its scope. Moreover, the ICO’s meek acceptance that it permits an interpretation which even covers assignments and, presumably, other coursework, is deeply disappointing. END UPDATE.
Domestic data protection law says that students can’t later access data recorded by themselves during an exam or assessment. Why is that? And is it compatible with the UK’s obligations under GDPR and more general human rights law?
As is well known, the General Data Protection Regulation (GDPR) has direct effect on member states of the EU. This is, however, subject to certain provisions which allow member states to legislate for specific exemptions or restrictions. An example is Article 23 of GDPR, which allows member states to restrict by way of a legislative measure the scope of certain data subject rights, including the right of access at Article 15. Such restrictions must, though, respect “the essence of the fundamental rights and freedoms” and be a “necessary and proportionate measure in a democratic society” to safeguard, among a list of things, important objectives of general public interest.
The specific UK restrictions made in respect of Article 23 lie primarily in Schedule 2 of the Data Protection Act 2018. Of particular interest at the current time is the Schedule 2, paragraph 25(1) exemption to the Article 15 right of subject access which says that the right does “not apply to personal data consisting of information recorded by candidates during an exam” (and paragraph 25(4) says that “‘exam’ means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity”).
Thus it is that guidance from the Information Commissioner’s Office (ICO) says, in relation to this year’s exam awards:
The exam script exemption applies to information that has been recorded by the students themselves during an exam or assessment. Therefore students do not have a right to get copies of their answers from mock exams or assignments used to assess their performance
But why does this exemption exist? Search me. Why did it also exist in the 1998 Data Protection Act? Also, search me. Also search Hansard, like I have done, and you may struggle to find out. (Please let me know if I’ve missed something).
So in what way can the exam script exemption be said to respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society? Is this a case where Parliament merely nodded through a provision which it also merely nodded through 22 years ago?
Note that this is not a question as to whether information recorded by candidates during an exam is their personal data. It most certainly is, as the CJEU found in 2017 in Nowak. But note also that the court, in that case, observed that “the use of [such] information, one consequence of [the use of the information] being the candidate’s success or failure at the examination concerned, is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought”. The court also noted, in holding that such information was personal data, the importance of the data subject’s rights of access, rectification and objection.
And let us remember recital 63 GDPR, which reminds us that one purpose of the right of subject access is to be able to “verify the lawfulness of the processing”. In the absence of any indication as to why the UK decided to restrict the right of access in such a way as to prevent students, especially this year’s students, accessing their own assignment and mock exam data, one must query how those students can adequately verify the lawfulness of the processing by those who determined their grades.
P.S. There is an argument that the ICO should do something about this, under its Article 57 tasks to monitor and enforce GDPR, to handle complaints from data subjects, and to advise parliament, the government, and other institutions and bodies. It has the power under Article 58 to issue an opinion to those bodies.
A-levels and data protection – potential challenges?
A new post by me on the Mishcon de Reya website, looking at whether GDPR and the DPA offer the potential for challenges to A-level results.
UPDATE: 14.08.20
A rather odd statement has just been put out by the ICO which suggests that Ofqual have told the former that automated decision making didn’t take place. I’ve updated the Mishcon piece to say this:
The ICO has now issued a statement saying that “Ofqual has stated that automated decision making does not take place when the standardisation model is applied, and that teachers and exam board officers are involved in decisions on calculated grades”. This appears at odds with the statement in Ofqual’s “Privacy Impact Assessment”, which states that the process does involve “automated elements as well as human elements”. Whether this means that the Ofqual standardisation model did not involve “solely” automated decision making will no doubt be determined in the various legal challenges which are apparently currently being mounted.
Oddly, the ICO also says that concerns should be raised with exam boards first, before the ICO will get involved. This does not immediately appear to be in line with the ICO’s obligation to handle complaints, under Article 57 of GDPR (which doesn’t say anything about data subjects having to raise concerns with someone else first).
Some PECR figures in light of a new monetary penalty notice
Presented without comment.
21,166,574 unsolicited direct marketing messages
£100,000 monetary penalty
Only £1k in the bank at the last filings
Zero chance of recovery?
BA hints at massively reduced size of ICO proposed fine
A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a €22m fine.
Schrems II – what now?
A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).
Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.
Schrems II – this time it’s serious
As soon as judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.
Some takeaways
- The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
- Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
- The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge.
- Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
- Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.
Betting and Gaming GDPR Code of Conduct proposed
A new piece on the Mishcon de Reya website, co-authored by me, on a proposed Article 40 Code (one of the first) prepared by the European Gaming and Betting Association.
Filed under Code of Conduct, Data Protection, EDPB, GDPR
