Category Archives: UK GDPR

March 24, 2023 · 7:37 am

SRA, data protection and the solicitors roll

In August 2022 the Solicitors Regulation Authority (SRA) announced plans to change its rules and reinstate the annual “keeping of the roll” exercise. Until 2014, all solicitors without practising certificates were required to complete an application each year and pay an administration fee if they wished to remain on the roll. This requirement was dispensed with in 2014 in part because the annual process was seen as burdensome for solicitors.

One of the justifications now for reintroducing the keeping of the roll is given by the SRA as

There are also requirements under the General Data Protection Regulation (GDPR) 2016 [sic] and the seven principles that govern the holding and retention of data. Under GDPR we have responsibility as a data controller to ensure we maintain accurate data relating to individuals and we are processing it fairly and lawfully.

What is slightly odd is that when, in 2014, the SRA proposed to scrap the keeping of the roll, it was not troubled by the observations of the then Information Commissioner about the importance of accuracy and privacy of information. In its reply to the then Commissioner’s consultation response it said that it had “fully considered the issues” and

We consider that the availability of the SRA’s online system, mySRA, to non- practising solicitors as a means of keeping their details up to date, serves to mitigate the possibility of data become inaccurate…To further mitigate the risk of deterioration of the information held on the roll, the SRA can include reminders to keep contact details up to date in standard communications sent to solicitors.

If that was the position in 2014, it is difficult to understand why it is any different today. The data protection principles – including the “accuracy principle” – in the UK GDPR (not in fact the “GDPR 2016” that the SRA refers to) are effectively identical to those in the prior Data Protection Act 1998.

If the SRA was not concerned by data protection considerations in 2014 but is so now, one might argue that it should explain why. The Information Commissioner does not appear to have responded to the consultation this time around, so there is no indication that his views swayed the SRA.

If the SRA was concerned about the risk of administrative fines (potentially larger under the UK GDPR than under the Data Protection Act 1998) it should have reassured itself that any such fines must be proportionate (Article 83(1) UK GDPR) and by the fact that the Commissioner has repeatedly stressed that he is not in the business of handing out fines for minor infringements to otherwise responsible data controllers.

I should emphasise that data protection considerations were not the only ones taken into account by the SRA, and I don’t wish to discuss whether, in the round, the decision to reintroduce the keeping of the roll was correct or not (Joshua Rozenberg has written on this, and the effect on him). But I do feel that the arguments around data protection show a confused approach to that particular issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

Tagged as , , , ,

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

December 18, 2022 · 8:58 am

Data protection misunderstandings in court

There is something that distinguishes those who have practised data protection law for more than five years and those who have come to it more recently. The former are in possession of a secret. It is this: GDPR did not change the fundamentals of data protection.

Look at the keystones of the law – the data protection principles in Schedule One of the Data Protection Act of 1998 (the prior law) and in Article 5 UK GDPR (the current). They are effectively identical. And in fact, they have barely changed from the principles in the 1984 Data Protection Act, and those in the Council of Europe Data Protection Convention 108 of 1981.

Yet even in the courts one still sees from time to time the misconception that the GDPR rights and obligations were something fundamentally new.

An example is a recent case in the Employment Appeal Tribunal. The details of the case are not important for this post, but what is relevant is that the claimant employee argued that information about his previous employment history at the respondent employer (from 2008-2011) should not have been allowed in evidence. One argument in support of this was that the lengthy retention of this information was in breach of the employer’s data protection obligations (and the claimant had received correspondence from the Information Commissioner’s Office broadly agreeing with this).

But in response to this argument the respondent employer asserted that

Prior to [GDPR coming into effect on 25 May 2018] there was no right to erase. Accordingly, the period during which the respondent should arguably have taken steps to delete data was around nine months from this point until 28 February 2019.

This fails to recognise that, even if there was no express right to erasure prior to GDPR (n.b. there was certainly an implied right, as the European Court of Justice found in Google Spain) there was certainly an obligation on a data controller employer not to retain personal data for longer than was necessary (see paragraph 5 Schedule One to the 1998 Act).

The judge, however, accepted the respondent’s argument (although in all fairness to her she does point out that neither party took her to the legislation or the case law):

I accept that the ICO’s reference to retention being likely to breach data protection requirements, was (at its highest) concerned with the nine month period between the GDPR coming into effect and the claimant indicating an intention to commence litigation

That is not what the the quoted correspondence (at paragraph 17) from the ICO said, and it is not a correct statement of the law. If the period of retention of the data was excessive, there is no reason to say it was not in contravention of the prior law, as well as GDPR.

Ultimately, it is doubtful that this would have made much difference. As often in such proceedings, the relevance of the information to the matter was key:

in so far as the Respondent was in breach of data protection law for the nine month period I have referred to, it does not follow from this that the documentation was inadmissible in the [Employment Tribunal] proceedings

But one wonders if the judge might have taken a slightly different view of, instead, she had found that the Respondent was in fact in breach of data protection law for several years (rather than just nine months).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, employment, GDPR, UK GDPR

Tagged as , , ,

November 2, 2022 · 5:11 pm

ICO threatened Matt Hancock with £17.5m fine (sort of)

It’s well known that, under the UK GDPR, and the Data Protection Act 2018 (DPA), the Information Commissioner can fine a controller or a processor a maximum of £17.5m (or 4% of global annual turnover). Less well known (to me at least) is that he can fine any person, including you, or me, or Matt Hancock, the same, even if they are not a controller or processor.

Section 142 of the DPA empowers the Commissioner to serve “Information Notices”. These fall broadly into two types: those served on a controller or processor requiring them to provide information which the Commissioner reasonably requires for the purposes of carrying out his functions under the data protection legislation; and those requiring

any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—

(i)investigating a suspected failure of a type described in section 149(2) or a suspected offence under this Act, or

(ii)determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.

And by section 155(1) of the DPA, the Commissioner may serve a monetary penalty notice (aka “fine”) on any “person” who fails to comply with an Information Notice. That includes you, or me, or Matt Hancock. (Section 157(4) provides that the maximum amount is £17.5m, or 4% of global annual turnover – although I doubt that you, I, or Matt Hancock has an annual global turnover.)

All very interesting and theoretical, you might think. Well, so might Matt Hancock have thought, until an Information Notice (which the Commissioner has recently uploaded to the ICO website) dropped onto his figurative doormat last year. The Notice was in relation to the Commissioner’s investigation of the leaking of CCTV images showing the former Secretary of State for Health and Social Care and his former aide enjoying each other’s company. The investigation – which was into the circumstances of the leak, and not Matt Hancock’s conduct – concluded in April of this year, with the ICO deciding that there was insufficient evidence to justify further action. But the Notice states clearly at paragraph 7 that failure to comply is, indeed, punishable with a fine of up to £17.5m (etc.).

The Matt Hancock Notice admittedly addresses him as if he were a controller (it says the ICO is looking at his compliance with the UK GDPR) although I am not sure that is correct – Matt Hancock will indeed be a controller in respect of his constituency work, and his work as an MP outside ministerial duties, but the normal approach is that a ministerial department will be the relevant controller for personal data processed in the context of that department (thus, the Department for Health and Social Care shows as a controller on the ICO register of fee payers).

Nonetheless, the ICO also issued an Information Notice to Matt Hancock’s former aide (as well as to Helen Whateley MP, the Minister of State), and that one makes no mention of UK GDPR compliance or a suggestion she was a controller, but does also “threaten” a potential £17.5m fine.

Of course, realistically, no one, not even Matt Hancock, was really ever at risk of a huge fine (section 155(3) of the DPA requires the Commissioner to have regard to various factors, including proportionality), but it strikes me as a remarkable state of affairs that you, I or any member of the public caught up in a matter that leads to ICO investigation, and who might have relevant information, is as a matter of law vulnerable to a penalty of £17.5m if they don’t comply with an Information Notice.

Even Matt Hancock.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, information notice, monetary penalty notice, UK GDPR

Tagged as , ,

October 7, 2022 · 7:42 am

GDPR is rubbish

I was challenged recently along the lines that “you don’t like change – you think that GDPR is great and any amendments are negative”.

After I’d spluttered in rage that this wasn’t true, I checked my thoughts. I don’t think the challenge was fair – I don’t mind the idea of repeal or reform of the UK GDPR model – but I do still think that any change needs to be planned and drafted very carefully, so as not to interfere with the core data protection concepts, and checks and balances, that have – broadly – carried through and developed over a series of legal instruments, starting with the Council of Europe Convention 108 of 1981 and the OECD Guidelines of 1980.

But, also, I’m happy to point out that, at times, GDPR is simply rubbish. And I don’t mean in broad legal terms – see for instance David Erdos’s interesting criticisms – I mean that it sometimes doesn’t make sense.

There’s an example in recital 63

A data subject should have the right of access to personal data…in order to be aware of, and verify, the lawfulness of the processing.

I think this is meant to mean “a data subject should have the right of access in order to be aware of the processing and verify its lawfulness”. But, as drafted, it suggests the data subject should be able to be aware of the lawfulness of the processing, and verify that lawfulness, which lacks logic.

But that’s in the recitals, and no one reads the recitals do they?

But consider one of the substantive provisions. Article 5(2), which describes the “accountability principle” says

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Think about what that says: “the controller shall be responsible for…paragraph 1” (paragraph 1 containing the core data protection principles). What it is surely intended to mean is “the controller shall be responsible for compliance with paragraph 1”, but it doesn’t say that. In literal terms it says that the controller has responsibility for the legislative words.

And it’s worth noting that in the French text (French being the only other language this lumbering English person has really even vague familiarity with), the wording does say that: “…est responsable du respect du paragraphe 1…”.

I’m not suggesting this is a big problem: a regulator and a court would almost certainly read the wording so as to give effect to the legislator’s intention.

It just irritates me.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, not-entirely-serious, UK GDPR

Tagged as ,

October 3, 2022 · 8:21 pm

Certainly uncertain – data protection reform developments

In recent weeks the future of data protection law in the UK has been not just hard to predict, but also hard to keep up with.

Since Brexit, the UK has had its own version of the EU’s GDPR, called, obviously enough, the “UK GDPR“. Then, on 18 July, a Data Protection and Digital Information Bill was presented in Parliament – it proposed some significant (but possibly not hugely so) changes to the current regime, but it retained the UK GDPR. It was scheduled to have its second reading in the House of Commons on 5 September, but this was postponed “to allow Ministers to consider the legislation further”.  

Following this, on 22 September, the Retained EU Law (Revocation and Reform) Bill was introduced. This appeared to propose the “sunsetting” (i.e. the repeal) of multiple data and information laws, including the UK GDPR, by the end of 2023.

The next development, on the first day of the Conservative Party conference, is the announcement by the Culture Secretary, Michelle Donelan, that

we will be replacing GDPR with our own business and consumer-friendly data protection system… Many…smaller organisations and businesses only in fact employ a few people. They don’t have the resources or money to negotiate the regulatory minefield that is GDPR. Yet right now, in the main, they’re forced to follow this one-size-fits-all approach.

She also suggested that businesses had suffered from an 8% reduction in profit from GDPR. It is not immediately clear where this figure comes from, although some have suggested that an Oxford Martin School paper is the source. This paper contains some remarkably complex equations. I have no competence in assessing, and no reason to doubt, the authors’ economic and statistical prowess, but I can say (with a nod to the ageless concept of “garbage in, garbage out”) that their understanding of data protection law is so flawed as to compromise the whole paper. They say, for instance

websites are prohibited from sharing user data with third parties, without the consent from each user

and

companies that target EU residents are required to encrypt and anonymise any personal data it [sic] stores

and (probably most bizarrely)

as users incur a cost when prompted to give consent to using their data, they might reduce online purchases, leading to lower sales

To be quite clear (as politicians are fond of saying): websites are not prohibited from sharing data without the consent from “users” (if they were, most ecommerce would grind to a halt, and the internet economy would collapse); companies subject to GDPR are not required to anonymise personal data they store (if they did, they would no longer be able to operate, leading to the collapse of the economy in general); and “users” do not have to consent to the use of their data, and I am still scratching my head at why even if they did they would incur a cost.

If the authors base their findings on the economic cost of GDPR on these bases, then there are some very big questions for them to answer from anyone reviewing their paper.

I may have the wrong paper: I actually really hope the government will back up its 8% figure with something more sensible.

But regardless of the economic thinking this paper, or underpinning the developments in the statutory regime, it is possible that all the developments cohere: that the Data Protection and Digital Information Bill, when it re-emerges, will have been amended so as to have the effect of removing references to “GDPR” or the “UK GDPR”, and that this will mean that, in substance, if not in name, the principles of the UK GDPR are assimilated into a new piece of domestic legislation.

But (given that the government’s focus is on it) business, just as nature, abhors a vacuum – many business owners (and indeed many data protection practitioners) must be hoping that there is a clear route forward so that the UK’s data protection regime can be considered, and applied, with at least a degree of certainty.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, consent, Data Protection, Data Protection Act 2018, Data Protection Bill, GDPR, parliament, UK GDPR

Tagged as ,

September 26, 2022 · 4:20 pm

Government urged to take action to protect UK citizens’ information rights

The Retained EU Law (Revocation and Reform) Bill was introduced to Parliament on 22 September 2022. The Bill sets a “sunset date” of 31 December 2023 by which all remaining retained EU Law will either be repealed, unless expressly assimilated into UK domestic law. The sunset may be extended for specified pieces of retained EU Law until 2026. A large number of UK laws which cover “information rights” appear to be caught by the Bill.

Mishcon de Reya has written an open letter to the Minister of State at the Department for Digital, Culture, Media & Sport, Julia Lopez, to highlight the risk to these laws.

Government urged to take action to protect UK citizens’ (mishcon.com)

Leave a comment

Filed under access to information, Data Protection, DCMS, Environmental Information Regulations, Freedom of Information, UK GDPR

Tagged as ,

September 1, 2022 · 7:12 pm

ICO investigates collection of barristers’ names

News from the Mishcon de Reya website on data protection concerns arising from criminal barristers’ dispute with the MoJ

https://www.mishcon.com/news/information-commissioner-investigates-collection-of-criminal-barristers-names

Leave a comment

Filed under Data Protection, fairness, Information Commissioner, Ministry of Justice, UK GDPR

Tagged as , ,

August 10, 2022 · 8:11 am

No, 43% of retail businesses have NOT been fined for CCTV breaches

A bizarre news story is doing the rounds, although it hasn’t, as far as I can see, hit anything other than specialist media. An example is here, but all the stories contain similar wording, strongly suggesting that they have picked up on and reported on a press release from the company (“Secure Redact”) that undertook the research behind the story.

We are told that

research reveals that 43% of UK retailers reported that they had been fined for a violation of video surveillance GDPR legislation…Of these retailers, 37% reported paying an equivalent of 2% of their annual turnover, 30% said the fine amounted to 3% of annual turnover, and 15% said the fine was 45% [sic] of annual turnover…A staggering 33% of those fined also had to close stores as a result of enforcement action

The research was apparently based on a survey of 500 respondents in retail businesses (50% in businesses with less than 250 employees, 50% in businesses with more than 250).

What is distinctly odd about this is that since GDPR has been in force in the UK, including since it has become – post-Brexit – UK GDPR, there has been a sum total of zero fines imposed by the Information Commissioner in respect of CCTV. 43% of retail businesses have not been fined for CCTV infringements – 0% have.

You can check here (direct link to .csv file) if you doubt me.

It’s difficult to understand what has gone wrong here: maybe the survey questions weren’t clear enough for the respondents or maybe the researchers misinterpreted the data.

Whatever the reasons behind the stories, those in the retail sector – whilst they should certainly ensure they install and operate CCTV in compliance with GDPR/UK GDPR – should not be alarmed that there is a massive wave of enforcement action on the subject which threatens to put some of them out of business.

Because there isn’t.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, GDPR, Information Commissioner, monetary penalty notice, UK GDPR

Tagged as , , ,

July 22, 2022 · 8:53 am

High Court muddle over data protection regime

A relatively common error by those unaccustomed to the rather odd structure of the data protection statutory regime in the UK, is to look first to the Data Protection Act 2018 (“DPA”) for the applicable law, instead of the UK GDPR. This is despite the fact that the very first section of the DPA instructs us in how the regime works. Section 1(2) provides that “most processing of personal data is subject to the UK GDPR”, and then sections 1(4) and (5) explain that Parts 3 and 4 of the DPA deal with those parts of the regime (law enforcement processing and intelligence services processing) which are out of the scope of UK GDPR.

“Put me to one side” – says the DPA tactfully – “you should have picked up your copy of the UK GDPR first, and not me”.

Accordingly, the key provisions, and the basic principles, applying to most processing, are to be found in the UK GDPR.

The result of this relatively common error, is that people will sometimes cite, say, section 45 of the DPA in relation to a generic subject access request, when in fact, the applicable provision is Article 15 of the UK GDPR (section 45 applies to subject access requests to competent authorities for the purposes of law enforcement).

Occasionally, I have seen non-specialist lawyers make this mistake.

And now, I have seen a high court judge do the same. In a judicial review case in the High Court of Northern Ireland, challenging the accuracy of a child’s social care records, part of the claim (which was primarily an Article 8 human rights claim) was pleaded as also a breach of Article 5(1) and (6) of the “GDPR” (the correct pleading should have been, and maybe was, by reference to the UK GDPR) and Part 1 of the DPA. Article 5(1) of the UK GDPR contains the data protection principles.

The judge, however, stated that

It seems to the court that in fact the relevant part of the 2018 Act are sections 86 to 91 which set out the six data protection principles in relation to data processing.

This is simply wrong. Sections 86 to 91 of the DPA lay out the data protection principles only in relation to intelligence services processing (i.e. processing of personal data by the Security Service, the Secret Intelligence Service or by the Government Communications Headquarters).

It isn’t clear whether there was any discussion about this in the court (quite possibly not), but it appears not to have been picked up when the judgment was circulated in draft or published to the parties. As it is, it seems very likely that nothing turns on it. This is because the Part 4 DPA principles, like the Part 3 DPA principles, effectively mirror the principles in Article 5(1) UK GDPR, and so the analysis, for the purposes of the substantive matter, was sound.

So this was an error of form, more than substance.

However, there are some differences between the UK GDPR regime, the Part 3 DPA regime and the Part 4 DPA regime, and in different circumstances an error like this could result in an outcome which is wrong, and harmful.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Data Protection Act 2018, GDPR, human rights, Ireland, judiciary, UK GDPR

Tagged as , ,