Category Archives: GDPR

ICO SAR guidance – open to challenge?

A new piece by me and a colleague on the Mishcon de Reya website, about the ICO’s new SAR guidance https://www.mishcon.com/news/ico-guidance-on-subject-access-requests

A couple of NB points where this guidance differs from the draft version:

ICO suggests one of the factors to take into account when deciding whether a request is excessive is “Whether refusing to provide the information or even acknowledging it is held may cause substantive damage to the individual”. To me, this is pretty extraordinary, and might have the effect of putting the requester to proof as to damage caused by non-compliance.

ICO also has shifted its position, and suggest that staff time perse (rather than disbursements) might be charged for in the event of excessive or manifestly unfounded requests. 

I have my own views on whether these propositions are positive or negative. I suspect though that we will see challenges.

Leave a comment

Filed under access to information, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

One third of personal data breaches reported “late” to ICO

By me, on the Mishcon de Reya website.

…a recent request to the ICO under the Freedom of Information Act 2000 (FOIA) has revealed that, from the available data, of the 21705 personal data breaches notified to the ICO since May 2018, 14,365 were notified within 72 hours, and 7340 were not – meaning that approximately one third of personal data breaches are reported later than within 72 hours

Leave a comment

Filed under Breach Notification, Data Protection, data security, GDPR, Information Commissioner

Manhattan (and Syrian) Transfer

When data protection law (e.g. Chapter V of the General Data Protection Regulation (GDPR) and Article 25 of the prior Data Protection Directive) talks about a “transfer” of personal data to a third country, no one quite knows what it means: “transfer” is not defined. There’s been a fair bit of legal and academic discussion about this.

But, as far back as 2002 it has been established law that, if I upload personal data onto an internet page, so that that data becomes accessible to people outside the EU, this does not constitute a transfer of data to a third country. The Court of Justice of the European Union held so, in the case of Lindqvist (C-101/01), pointing out that, if that were the case

every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet

with the result that, if even one third country in the world did not ensure adequate protection of personal data, EU Member States – following, as they must, EU data protection law – would be obliged to prevent any personal data being placed on the internet. As a matter of public policy, and indeed of common sense, that could not have been the intention of the legislator.

But notably (and oddly, given its generally relaxed approach to international transfer issues) the Information Commissioner’s Office (ICO), eighteen years on from Lindqvist appears to take an opposing view, saying

Putting personal data on to a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the EEA accesses that personal data via the website…If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, you should treat this as a restricted transfer.

Which is all well and good, but, if that is indeed the case, then how does ICO find a basis in Chapter V of GDPR for its transfer of my personal data (and others’) to, say, Syria, or South Sudan, or Cambodia, or anywhere else in the world? There is no adequacy decision in place, (presumably) no standard contractual clauses or other appropriate safeguards, and no apparent Article 49 derogation. Is this, then, an unlawful transfer?

I’m just mightily relieved we haven’t got some bizarre constitutional crisis on the immediate horizon, under which these issue are going to get even more complex.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

GDPR’s scope – does it extend to China?

The answer to the question in the title is, of course, “yes”, if the processing in question is of personal data of data subjects in the EU, by a controller outside the EU, and related to the monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union.

So, the activities of Zhenhua Data, in compiling its Overseas Key Individual Database, as described in The Mail, will be squarely within the scope of Article 3(2) of the General Data Protection Regulation (GDPR):

Boris Johnson and the Queen are among 40,000 Britons listed on a database compiled by a Chinese tech firm with reported links to Beijing’s military and intelligence networks, it can be disclosed.

Files on senior British politicians including the Prime Minister, members of the Royal Family, UK military officers and their families, and religious leaders are currently being stored by Zhenhua Data, a technology company based in Shenzhen, China as part of a ‘global mass surveillance system on an unprecedented scale’.

It seems difficult to imagine that the processing can possibly comply with GDPR. Where is the Article 14 notice? What is the Article 6 legal basis? Or the Article 9 exception to the general prohibition on processing special categories of data? Or the Article 30 record of processing activities? Or…or…or…?

But here’s the problem with any legislative attempt to extend the scope of laws beyond geographical and jurisdictional borders, to the activities of those who are not consulted, nor assigned rights, nor (in all likelihood) bothered: how does one enforce those laws? In 2018 (oh those heady early GDPR days!) the Information Commissioner’s Office (ICO) was reported to have told the Washington Post that its practice of only allowing those who paid for its premium subscription to refuse tracking cookies was unlawful. How many figs the WaPo gave is evidenced by a glance at its current subscription model:

(i.e. it appears to have changed nothing.)

Indeed, as the ICO said at the time

We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter

If there was nothing ICO could do against a newspaper outside the jurisdiction, consider how unrealistic is the idea that it might enforce against a Chinese company rumoured to work for the Chinese military, and which is said to view its mission as ‘using big data for the “great rejuvenation of the Chinese nation”‘.

The logical question, though, which arises is this – in the absence of an effective regulatory scheme to enforce them what exactly is the point of GDPR’s (or even more trenchantly, the UK GDPR’s) extra-territorial scope provisions?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Europe, GDPR, Information Commissioner

If ICO won’t regulate the law, it must reboot itself

The exercise of the right of (subject) access under Article 15 of the General Data Protection Regulation (GDPR) is the exercise of a fundamental right to be aware of and verify the lawfulness of the processing of personal data about oneself.

That this is a fundamental right is emphasised by the range of enforcement powers available to the Information Commissioner’s Office (ICO), against those controllers who fail to comply with their obligations in response to an access request. These include the power to serve administrative fines to a maximum amount of €20m, but, more prosaically, the power to order the controller to comply with the data subject’s requests to exercise his or her rights. This, surely, is a basic function of the ICO – the sort of regulatory action which underlines its existence. This, much more than operating regulatory sandboxes, or publishing normative policy papers, is surely what the ICO is fundamentally there to do.

Yet read this, a letter shown to me recently which was sent by ICO to someone complaining about the handling of an access request:

 

Dear [data subject],

Further to my recent correspondence, I write regarding the way in which [a London Borough] (The Council) has handled your subject access request.

I have contacted the Council and from the evidence they have provided to me, as stated before, it appears that they have infringed your right to access under the GDPR by failing to comply with your SAR request. However, it does not appear as though they are willing to provide you with any further information and we have informed them of our dissatisfaction with this situation.

It is a requirement under the Data protection Act 2018 that we investigate cases to the ‘extent appropriate’ and after lengthy correspondence with the Council, it appears they are no longer willing co-operate with us to provide this information. Therefore, you may have better results if you seek independent legal advice regarding the matters raised in this particular case.

Here we have the ICO telling a data subject that it will not take action against a public authority data controller which has infringed her rights by failing to comply with an access request. Instead, the requester must seek her own legal advice (almost inevitably at her own significant cost).

Other controllers might look at this and wonder whether they should bother complying with the law, if no sanction arises for failing to do so. And other data subjects might look at it and wonder what is the point in exercising their rights, if the regulator will not enforce them.

This is the most stark single example in a collection of increasing evidence that the ICO is failing to perform its basic tasks of regulation and enforcement.

It is just one data subject, exercising her right. But it is a right which underpins data protection law: if you don’t know and can’t find out what information an organisation has about you, then your ability to exercise other rights is stopped short.

The ICO should reboot itself. It should, before and above all else, perform its first statutory duty – to monitor and enforce the application of the GDPR.

I don’t understand why it does not want to do so.

[P.S. I think the situation described here is different, although of the same species, to situations where ICO finds likely non-compliance but declines to take punitive action – such as a monetary penalty. Here, there is a simple corrective regulatory power available – an enforcement notice (essentially a “steps order”) under section 148 Data Protection Act 2018.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, GDPR, human rights, Information Commissioner

ICO – fines, what fines?

No surprise…but ICO has only issued four notices of intent to serve a fine since GDPR came into application (and one fine)

I made a quick Freedom of Information Act (FOIA) request a few weeks ago to the Information Commissioner’s Office (ICO), asking

since 25 May 2018
1) how many notices of intent have been given under paragraph 2(1) of schedule 16 to the Data Protection Act 2018?
2) How many notices of intent given under 1) have not resulted in a monetary penalty notice being given (after the period of 6 months specified in paragraph 2(2) of the same schedule to same Act)?

I have now received (4 September) received a response, which says that four notices of intent only have been issued in that time. Three of those are well known: one was in respect of Doorstep Dispensaree (who have since received an actual fine – the only one issued under GDPR – of £275,000); two are in respect of British Airways and of Marriott Inc., which have become long-running, uncompleted sagas; the identity of the recipient of the final one is not known at the time of writing.

The contrast with some other European data protection authorities is stark: in Spain, around 120 fines have been issued in the same time; in Italy, 26; in Germany (which has separate authorities for its individual regions), 26 also.

Once again, questions must be asked about whether the aim of the legislator, in passing GDPR, to homogenise data protection law across the EU, has been anywhere near achieved.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Complaining

When A-Levels results were announced last week, the Information Commissioner’s Office (ICO) advised those unhappy with the processing of their personal data to

raise those concerns with the exam boards first, then report to us if they are not satisfied

And in its “service standards” the ICO even says

we expect you to give the organisation the opportunity to consider it first. In order for us to look at their information rights practices we need you to provide us with their reply [emphasis added]

and

Our role is not to investigate or adjudicate on every individual complaint. We are not an ombudsman.

(This last bit is, I would submit, correct – the ICO is not an ombudsman according to my understanding of such a role (under which an ombudsman has powers to investigate complaints, but only to make recommendations as a result, rather than legally enforceable orders). How this squares with Elizabeth Denham’s confident pronouncement in the foreword to the ICO’s Regulatory Action Policy that she is “both an educator and an ombudsman”, I’ve never quite grasped, but, in her support, the ICO is a member of the Ombudsman Association. What a muddle.)

As I mentioned a few days ago, the ICO does not have the power simply to refuse to investigate a complaint by a data subject – it must, under Article 77 of GDPR, handle complaints and investigate them “to the extent appropriate”. I can see that in normal cases, it might be beneficial, and provide a complete picture, for there to have been correspondence between the data subject and the controller, but in some other cases, it hardly seems helpful, let alone a legal requirement, to raise a complaint with a controller first. So data subjects do not have to complain to exam boards first. (Please note – I’m not encouraging, or wishing for, a flood of complaints to be made to ICO, but, equally, if data subjects have specific complaint rights under GDPR, we (and I include the ICO in “we”) can’t just pretend they don’t exist.)

So, if data subjects were to complain to (and hold their ground with) ICO, what would happen next? How long does an investigation take?

As to the last question, oddly, it is difficult to know. In recent months, I have asked ICO on a few occasions through their chat service how long data protection complaints are taking merely to be allocated to a caseworker. I have regularly been told that cases are taking around three months to be allocated (a Freedom of Information request by someone else from June last year got the same figure). However, the ICO’s annual report, published only a few weeks ago says, at page 50, “we unfortunately have not been able to meet our target of 80% of [data protection] cases being resolved within 12 weeks” but they have achieved 74% being resolved within 12 weeks. I may be missing something, but how can 74% of data protection cases have been resolved within 12 weeks, when 100% of them are not allocated to a caseworker until 12 weeks have passed? The only way I can square these figures is if caseworkers “resolve” 74% of cases effectively on the day they get them. If that is the case, it might raise questions of the amount of rigour in the investigation process.

In any case, it seems clear that if an aggrieved student wished to complain about the processing of her personal data during the awarding of A-Levels this year, she would a) (probably wrongly) be expected by ICO first to complain to the exam body, then wait to receive a response, before b) then complaining to the ICO, and waiting three months for her complaint to be allocated to a caseworker. At that point, she might have her complaint investigated in line with Article 77 of GDPR. If the best a student this year might expect would be that her complaint might get allocated to a caseworker by December, more than three months after the distressing debacle which was the awards process, would the ICO realistically be said to be complying with its Article 57(1)(f) task to investigate complaints “within a reasonable period”?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

GDPR compensation claims – not all infringements are alike

A very interesting piece by my Mishcon de Reya colleague Adam Rose, distinguishing between different types of GDPR infringement, and looking at which types the courts might consider justify compensation/damages awards (hint: by no means all).

Leave a comment

Filed under damages, Data Protection, GDPR

Cometh the hour…

One thing in particular struck me about the statement from the Information Commissioner’s Office (ICO) in response to the huge distress and uncertainty facing thousands of students and their families, following the announcement of A-level grades:

Anyone with any concerns about how their data has been handled should raise those concerns with the exam boards first, then report to us if they are not satisfied

In some ways, this is standard. Even the ICO’s “contact us” page leads a potential complainant through various stages before telling people who haven’t raised their concerns by “contacting the [offending] organisation in writing” to “Raise your concern with the organisation handling your information”.

Whilst I can understand the reason for this general approach (ICO’s resources are limited, and many complaints can no doubt be resolved at source), it is difficult to reconcile it with what the law requires the ICO to do. Article 77 GDPR says that a supervisory authority must handle complaints lodged by a data subject, and investigate, to the extent appropriate, the subject matter of the complaint. There is no caveat, no exemption. It does leave the option open for the ICO to handle a complaint, and choose not to investigate it all, but that is not what the ICO is doing here (and in its general approach).

But it must be said that sometimes, as it is permitted to, under Articles 57 and 58, the ICO does conduct investigations of its volition. It also has a range of powers, including the power to give an opinion to parliament and/or the government. Given that its Norwegian counterpart has indicated it will take strong action against the International Baccalaureate Organisation, I am hopeful that, as a new week of uncertainty for students approaches, the ICO will take this particular bit between its teeth, and properly investigate such a pressing issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fairness, GDPR, Information Commissioner, parliament