A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a €22m fine.
A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).
Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.
As soon as the judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.
Some takeaways
A new piece on the Mishcon de Reya website, co-authored by me, on a proposed Article 40 Code (one of the first) prepared by the European Gaming and Betting Association.
A tale of two Member States, and two supervisory authorities.
First, the Belgian Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).
Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO) is its Head of Risk and Governance.
Let’s speculate –
Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?
Would the Belgian DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions”).
What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?
Does it matter, given Brexit?
And if it doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?
No answers folks, just questions.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
(See also the follow-up piece here)
An interesting case is being heard in the High Court, arising from an apparent error whereby, in responding to a subject access request (SAR), the London Borough of Lambeth allowed the recipient (and now defendant) data subject to electronically manipulate the information sent to him. This in turn enabled him to remove redactions, and identify someone who had made allegations against him and his wife (about the care they were providing to their child).
This is a nightmare scenario for a controller – to inadvertently disclose extremely sensitive information, while responding to a SAR. In this instance, Lambeth have now brought a claim in breach of confidence against the defendant data subject, on the grounds that: the data was provided to the data subject in circumstances where he knew it was confidential; that he breached that confidentiality by unredacting the data, retaining an unredacted copy of the file, using the evidence to write a pre-action letter to the person who made allegations against him and his wife and threatening to bring court proceedings against them based on the information; and that it is integral to the work of Children’s Services that people who bring to its attention instances of perceived inadequate care or neglect of children are able to do so under conditions of confidentiality and can be assured that their confidentiality will be respected.
The instant proceedings were primarily concerned with a strike-out application by the defendant data subject, on the grounds of non-compliance by Lambeth with its (litigation) disclosure obligations. This application was roundly dismissed, and the matter will proceed to trial.
But of particular note is that, notwithstanding that the original error was Lambeth’s, it was revealed in the proceedings that the Information Commissioner’s Office (ICO) is also prosecuting the defendant data subject on charges of committing the offences of knowingly or recklessly re-identifying de-identified personal data, without the consent of the data controller, and knowingly or recklessly processing re-identified personal data, without the consent of the data controller. These are new offences created by sections 171(1) and 171(5) of the Data Protection Act 2018, and, when that Act was passed, it appeared that the mischief the provisions sought to address was the risk of hackers and fraudsters attempting to identify data subjects from large datasets (see the debates at Bill stage). It will be interesting to see if the ICO’s prosecution here results in a conviction. But it will also be interesting to see if ICO considers similar prosecutions in other circumstances. Although there is a public interest defence (among others) to section 171 charges, it is not an uncommon occurrence for public authorities (particularly) to inadvertently disclose or publish information with imperfect redactions. It certainly appears, on a plain reading of section 171, that someone re-identifying de-identified personal data (even if, say, for idle reasons of curiosity) might not always be able to avail themselves of the public interest defence.
And what is unsaid in the judgment, is whether Lambeth are facing any sort of civil, regulatory action from the ICO, arising from their error in sending the imperfectly redacted information in the first place.
[EDITED TO ADD: since I wrote this piece, it appears that ICO has silently amended its guidance, so it no longer threatens regulatory action for over-reporting. For posterity’s sake (and to show I wasn’t making it up) I provide this link to the archived page.]
Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law, when it says
Over reporting breaches which have not been appropriately risk assessed in terms of their impact on the data subject may be seen as evidence of failing to comply with the GDPR accountability principle. This can also result in regulatory action.
I don’t know about you, but I think that’s a pretty extraordinary statement.
Of course, controllers should assess whether, as an exception to the general obligation, they are not required to make a notification, on the grounds that the personal data breach (defined at Article 4(12) of GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) is unlikely to result in a risk to the rights and freedoms of natural persons. Such a risk assessment (because that’s what it is) will be, though, a nuanced challenge. What, after all, constitutes a likely “risk to the rights and freedoms of natural persons”? Although recital 85 to GDPR gives some clues, it still leaves much to be determined on the facts:
…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Article 83 makes a failure to notify, in circumstances where one should notify, an infringement with a maximum administrative fine attached of €10m or 2% of global annual turnover (whichever is higher). Is it any surprise then, that some controllers might have taken what they thought to be a cautious, or precautionary, approach, and notified ICO of personal data breaches even when they weren’t sure it was necessary to do so?
Although the ICO has been suggesting for some time that controllers have been too keen to make personal data breach notifications, the web page in question appears to have only very recently been amended to say this (an archived version only from 31 May 2020 lacks the wording). And it seems to me a little bit mean-spirited (and potentially confusing to some controllers) to start threatening the use of sanctions against those who are making a regulatory notification in good faith.
In fact, I’m not at all sure that – as ICO suggests – it is potentially an infringement of the Article 5(2) obligation (by which a controller shall be responsible for, and be able to demonstrate compliance with, the Article 5(1) principles) to make a notification without properly assessing risk. And to say that it is such an infringement, is – I submit – stretching the accountability principle further than, in other circumstances, ICO would expect it to be stretched.
And don’t start thinking about whether an excessive notification of a personal data breach is a personal data breach which requires notification. That way madness (or is it Wilmslow?) lies.
Here’s a podcast I recently recorded with my Mishcon de Reya colleague Adam Rose, looking at some of the issues we think are salient two years after GDPR became directly applicable in the U.K.
I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?
I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.