Category Archives: Information Commissioner

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

First prosecution under DPA 2018?

The Information Commissioner has successfully prosecuted a former Social Services Support Officer at Dorset County Council for an offence under section 170 of the Data Protection Act 2018 – I think that this is the first such prosecution under the 2018 Act. Section 170 is in broadly similar terms to section 55 of the Data Protection Act 1998, under which any number of prosecutions were brought for unlawfully obtaining (etc) personal data without the consent of the controller.

Just as the 1998 Act did, the 2018 Act reserves such prosecutions to the Commissioner (except that they may also be brought by or with the consent of the Director of Public Prosecutions – see s197 of the 2018 Act).

What we have not yet seen is a prosecution of the “new” offence at section 170(1)(c) of retaining personal data (after obtaining it) without the consent of the person who was the controller when it was obtained. This is a most interesting provision – I have wondered whether the mischief it aims to address is that which arises when someone inadvertently obtains personal data (perhaps as a result of a mistake by the controller) but then refuses to hand it back. This is not an infrequent occurrence, and powers at civil law to address the issue are potentially complex and expensive to exercise. It will be interesting to see whether prosecutions in this regard emerge in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner

Storm clouds

Another post by me on the Mishcon de Reya website: my crystal ball may be way off, but I wonder if genuine enforcement action might be on its way for AdTech and its biggest players.

Leave a comment

Filed under adtech, Data Protection, enforcement, GDPR, Information Commissioner

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner

Blagging as academic research

A white paper on GDPR subject access rights, presented at the Blackhat USA 2019 conference, got a lot of UK media coverage recently. Less discussion was had, however, about whether the research raised questions about the ethics and legality of “blagging”.

The paper, by Oxford University DPhil researcher James Pavur and Casey Knerr, talked of “Using Privacy Laws to Steal Identities” and describes Pavur’s attempts to acquire another person’s (Knerr’s) data, by purporting to be that person and pretending to exercise their access rights under Article 15 of the General Data Protection Regulation (GDPR). It should be emphasised that Knerr was fully acquiescent in the exercise.

Pavur and Knerr’s paper has a section entitled “Ethical and legal concerns” but what it notably fails to address is the fact that deliberately obtaining personal data without the consent of the controller is potentially a criminal offence under UK law.

Since 1998 it has been an offence to deliberately obtain personal data by deception, with defences available where the obtaining was, for instance, justified as being in the public interest. The Data Protection Act 2018 introduces, at section 170, a new defence where the obtaining is for academic purposes, with a view to publication and where the person doing the obtaining reasonably believes that it was justified in the public interest. Previously, this defence was only available where the obtaining was for the “special purposes” of journalism, literature or art.

It would certainly appear that Pavur obtained some of the data without the consent of the controller (the controller cannot properly be said to have consented to its disclosure if it was effected by deception – indeed, such is the very nature of “blagging”), but it also appears that the obtaining was done for academic purposes and with a view to publication and (it is likely) in the reasonable belief that the obtaining was justified in the public interest.

However, one would expect that prior to conducting the research, some analysis of the legal framework would have revealed the risk of an offence being committed, and that, if this analysis had been undertaken, it would have made its way into the paper. Its absence makes the publicity given to the paper by Simon McDougall, of the Information Commissioner’s Office (ICO), rather surprising (McDougall initially mistakenly thought the paper was by the BBC’s Leo Kelion). Because although Pavur (and Knell) could almost certainly fall back on the “academic purposes” defence to the section 170 offence, a fear I have is that others might follow their example, and not have the same defence. Another fear is that an exercise like this (which highlights risks and issues with which controllers have wrestled for years, as Tim Turner points out in his excellent blogpost on the subject) might have the effect of controllers becoming even more keen to demand excessive identification credentials for requesters, without considering – as they must – the proportionality of doing so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

ICO change to guidance on Subject Access Request time limits

I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.

ICO change to guidance on Subject Access Request time limits

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Open by Design, Closed by Default?

The Information Commissioner’s Office (ICO) have published their new access to information strategy. Something strikes me about their “Goal #2”:

Goal #2: Providing excellent customer service to individuals making requests to us and lead by example in fulfilling our own statutory functions

The thing strikes me is that, bizarrely, they seem to have misunderstood the goal they’ve set themselves (I nearly referred to it as their “own goal”, which has a bit of a ring about it). They say

We have a varied range of individuals who request an independent review from us and a diverse range of public authorities within our jurisdiction from large central government departments to very small parish councils.

What they don’t say is “we are a public authority, subject to the Freedom of Information Act, and have to comply with its timescales, and promote observance of it by example”.

And, unfortunately, there is much evidence recently of a failure to do this.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO still breaching law it’s meant to oversee

A month ago I pointed out some rather concerning  failings by the Information Commissioner’s Office (ICO) in its own compliance with Freedom of Information (FOI) law. At the time, the ICO press office told me

We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon

It’s with some incredulity, therefore, that I see that one of the requests has still not been responded to, despite a further twenty working days having elapsed, and despite the (even greater) incredulity of the requester:

You have missed your own deadline, months after you should have answered this request. Your inability to answer a simple FOI promptly would be a disgrace if you were a local council. The fact that you are the FOI regulator makes your handling of my request a scandal.

I am utterly powerless here – I cannot complain to the regulator about your contempt for FOI because you are supposed to be the organisation I would complain to. Do you have no shame at all? No self respect?

What am I supposed to do now?

The other request I highlighted at the time has had a response, albeit one that was cursory, to say the best, and which is now the subject of a request for internal review.

My own request for the ICO’s compliance figures is now the subject of a formal complaint (with a request for a decision notice under section 50 of the FOI Act), although I am told that there will be, er, a delay in getting to it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal