Category Archives: GDPR

€9.5m GDPR fine to German telco for insecure customer authentication

Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.

Leave a comment

Filed under Data Protection, Europe, GDPR, monetary penalty notice

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

Storm clouds

Another post by me on the Mishcon de Reya website: my crystal ball may be way off, but I wonder if genuine enforcement action might be on its way for AdTech and its biggest players.

Leave a comment

Filed under adtech, Data Protection, enforcement, GDPR, Information Commissioner

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice

No direct liability under GDPR for representatives, says EDPB

I have a new post on the Mishcon de Reya website, drawing attention to a change from draft to agreed EDPB guidance which might make being a GDPR representative much more attractive.

Leave a comment

Filed under EDPB, EU representative, Europe, GDPR

ICO change to guidance on Subject Access Request time limits

I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.

ICO change to guidance on Subject Access Request time limits

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Boris Johnson and GDPR

Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.

(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)

In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.

However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.

So if GDPR is likely to apply, what are the considerations?

Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).

But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it

is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].

Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).

The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).

It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.

Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, journalism, police

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

ICO – no GDPR fines in the immediate pipeline

FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Freedom of Information, GDPR, Information Commissioner, monetary penalty notice