Category Archives: Data Protection

ICO to keep income from UK GDPR fines

This is a significant development – the Information Commissioner will now be able to keep up to £7.5m a year from penalties, to cover their litigation and debt recovery costs:

https://www.mishcon.com/news/ico-to-keep-money-from-uk-gdpr-fines

Leave a comment

Filed under Data Protection, DCMS, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

GDPR reprimands for Cabinet Office, UKIP, CPS & ors

A piece by me just uploaded to the Mishcon de Reya website, on an FOI disclosure to me of the most recent reprimands under GDPR/ UK GDPR issued by the Information Commissioner

ICO reprimands Cabinet Office, UKIP, CPS and others for (mishcon.com)

Leave a comment

Filed under Cabinet Office, Data Protection, Freedom of Information, GDPR, Information Commissioner, UK GDPR

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but, before I moved into private practice I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run the public bodies and businesses efficiently and also comply with the data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Yours
Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, parliament, Uncategorized

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

UK adequacy confirmed

To no great final surprise, the European Commission has adopted its adequacy decisions in respect of the UK.

Here’s a piece by me on the Mishcon de Reya website.

Leave a comment

Filed under adequacy, Data Protection, Europe, GDPR, international transfers, law enforcement

New Model Clauses – a Mishcon podcast

My colleagues, partners Adam Rose and Ashley Winton, discuss the new European Commission Standard Contractual Clauses announced on 4 June 2021. I honestly can’t think of two better people to discuss what they mean.

Initial Reactions: New Standard Contractual Clauses (mishcon.com)

Leave a comment

Filed under adequacy, Brexit, consistency, Data Protection, data sharing, EDPB, Europe, GDPR, international transfers, Schrems II

You what?

Twice in recent months the outgoing Information Commissioner, Elizabeth Denham, has given speeches including these words

Data protection law was born in the 1970s out of a concern that the potential from emerging technology would be lost if we didn’t embrace innovation.

I don’t know what she means. Does anyone else?

Studies I’m aware of more generally see data protection law arising, from the 1960s through to the early 1980s, out of a combination of: increasing awareness of and focus on fundamental human rights; an understanding that use of computers would cause an exponential increase in the ability to process information; a desire that concerns about the preceding two should not lead to unnecessary barriers to international trade.

(See, for example, the UK 1972 Report of the Committee on Privacy, chaired by Kenneth Younger, and the UK 1978 Report of the Committee on Data Protection chaired by Sir Norman Lindop. See, especially, the 1980 OECD Guidelines and the 1981 Council of Europe Convention 108.)

Whatever Ms Denham’s words mean, they miss the foundational status of human rights in modern data protection law. And that is a glaring omission. Article 1 of the UKGDPR is clear – data protection law now, as it always has

protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data

There’s nothing wrong with embracing innovation (I do it myself). But let’s not misstate history.

Leave a comment

Filed under Data Protection, GDPR, human rights, Information Commissioner, UK GDPR

Gov says “no” to UK GDPR opt-out actions but…

A post by me on the Mishcon de Reya website – the government has declined to bring into operation Article 80(2) of the (UK) GDPR, but does that mean that the Supreme Court will be more likely to uphold the Court of Appeal judgment in Lloyd v Google?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DCMS, GDPR, UK GDPR

UK GDPR Resource

My firm Mishcon de Reya have created a version of the UK’s post-Brexit version of GDPR as there isn’t yet an official version. What’s more, we’ve added in links to the Recitals, and made it freely available.

The announcement is here. The actual UK GDPR is here.

Ain’t we kind?

Leave a comment

Filed under Data Protection, GDPR, UK GDPR