I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?
Category Archives: GDPR
I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.
A thread on Twitter by solicitor Martin Sloan has drawn attention to a change to official guidance on the question of when a subject access request (pursuant to Article 15 of the General Data Protection Regulation (GDPR)) “starts”, in circumstances where a controller processes large amounts of data and asks the data subject to specify what information is sought.
Recital 63 of GDPR says that where a controller processes “a large quantity of information concerning the data subject [it] should be able to request that, before the information is delivered, the data subject specify the information or the processing activities to which the request relates”. This certainly seems to suggest that it is only when the controller is ready to “deliver” the information (i.e. when it has already searched for and retrieved it) that it can ask for the request to be, in effect, narrowed down.
However, guidance from the Information Commissioner’s Office (ICO) used to say* “If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request. You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information” (emphasis added). This was similar to the position which obtained under the prior Data Protection Act 1998, which provided that a controller was not obliged to comply with a request unless it was supplied with such information as was reasonably required to locate the information which the data subject sought.
But the ICO now says: “If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month” (emphasis also added).
The change appears to be correct as a matter of law (by reference to recital 63), but it is possible that it may lead to an increase in reliance by controllers on Article 12(3), which potentially allows an extension to the one month period for compliance if a request is complex.
The new wording is contained in the ICO’s draft detailed guidance on subject access requests, which is currently out for consultation. One presumes the ICO thought this particular change was sufficiently important to introduce it in advance, but it is rather surprising that no announcement was made.
[UPDATE: Martin has now got a piece on Brodies’ own website about this].
[*the link here is to an archived page].
On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott
Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.
I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said
one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.
With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that
Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year
Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.
Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Another post by me on the Mishcon de Reya website: my crystal ball may be way off, but I wonder if genuine enforcement action might be on its way for AdTech and its biggest players.
I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.
I have a new post on the Mishcon de Reya website, drawing attention to a change from draft to agreed EDPB guidance which might make being a GDPR representative much more attractive.
I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.