Data protection legislation – constitutional statute?

It is a principle of parliamentary sovereignty that Parliament’s law making powers are not subject to any restriction, and therefore Parliament cannot bind its successors (see e.g. Dicey: “Parliament has, under the English [sic] constitution, the right to make or unmake any law whatever; and, further, that no person or body is recognised by the law of England [sic] as having a right to override or set aside the legislation of Parliament.”)

It follows that where two Acts of Parliament are inconsistent with each other, the courts will take the most recent one to be authoritative, through a doctrine of “implied repeal”.

However, in recent years, it has become accepted that certain statutes have, or have assumed, constitutional status, such that they are immune from implied repeal – examples include: Magna Carta 1297, the Bill of Rights 1688, the Human Rights Act 1998 (notably, the European Communities Act 1972 was also felt to be one such, which opens up a whole new debate). Lord Justice Laws’ judgement [what a great set of words there] in Thoburn v Sunderland City Council [2002] EWHC 195 (Admin) is sometimes taken to be the definitive explanation of this.

What I’d missed, during the passage of the Data (Use and Access) Bill through Parliament, was the report of the Select Committee on the Constitution, which gave its opinion that the insertion of new section 183A into the Data Protection Act 2018 conferred constitutional statute status on that Act.

Section 183A provides that

A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data [except where] a relevant enactment [forms] part of the main data protection legislation [or] an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation)

(so, unless a further enactment is part of the data protection legislation, or expressly repeals a provision of the existing data protection legislation, the latter is immune from implied repeal).

What the Committee says is this:

the courts have generally considered certain acts of Parliament to be of such constitutional significance that they should be treated as ‘constitutional statutes’ and protected from implied repeal. Clause 105 in effect seeks to bestow a status equivalent to that of a ‘constitutional statute’ on the Data Protection Act 2018. We draw this to the attention of the House.

I’ve not seen much discussion of this, and I don’t recall it coming up in the parliamentary debates. But it strikes me as interesting, at least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Personal use of work devices – an Irish judgment

A frequent headache for data protection practitioners and lawyers is how to separate (conceptually and actually) professional and personal information on work devices and accounts. It is a rare employer (and an even rarer employee) who doesn’t encounter a mix of the two categories.

But, if I use, say, my work phone to send a couple of text messages (as I did on Saturday after the stupid SIM in my personal phone decided to stop working), who is the controller of the personal data involved in that activity? I’d be minded to say that I am (and that my employer becomes, at most, a processor).

That is also the view taken by the High Court in Ireland, in an interesting recent judgment.

The applicant was an employee of the Health Service Executive (HSE), and did not, in this case, have authority or permission to use his work phone for personal use. He nonetheless did so, and then claimed that a major data breach in 2021 at the HSE led to his personal email account and a cryptocurrency account being hacked, with a resultant loss of €1400. He complained to the Irish Data Protection Commissioner, who said that as his personal use was not authorised, the HSE was not the controller in respect of the personal data at issue.

The applicant sought judicial review of the DPC decision. This of course meant the application would only succeed if it met the high bar of showing that the DPC had acted unlawfully or irrationally. That bar was not met, with the judge holding that:

The DPC did not purport to adopt an unorthodox interpretation of the definition of data controller. Instead, against the backdrop of the factual matrix before it, it found that the HSE had not “determined the purposes and means of the processing” of the data relating to the Gmail, Yahoo, Fitbit and Binance accounts accessed by the applicant on his work phone. That finding appears to me to be self-evident, where that use of the phone clearly was not authorised by the HSE.

I think that has to be correct. But I’m not sure I quite accept the full premise, because I think that even if the HSE had authorised personal use, the legal position would be the same (although possibly not quite as unequivocally so).

I’m genuinely interested in others’ thoughts though.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of an “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works, a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

NADPO Webinar – 25 March

On the lunchtime of Tuesday 25 March I’ll be chairing one of the regular NADPO webinars. We have Dr Judith Townend talking about learning from ‘open justice’ and other data/technology contexts, and Dr Lachlan Urquhart on “Clever Computing through Accountable Design: Cybersecurity in Smart Homes”.

Members will already have received the joining instructions.

A reminder that membership is a bargain £130 for two years, and gets you free attendance at all webinars, as well as at our annual conference and other ad hoc events, plus a range of other benefits (for example we’ve recently hosted free training sessions for members run by Tim Turner and a free session on data breaches and cybersecurity from 5 Essex Chambers and CyXcel). Members also get complimentary attendance at UK Data Protection Forum events.

FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Cookies, compliance and individuated consent

[reposted from my LinkedIn account]

Much will be written about the recent High Court judgment on cookies, direct marketing and consent, in RTM v Bonne Terre & Anor, but treat it all (including, of course, this) with caution.

This was a damages claim by a person with a gambling disorder. The claim was, in terms, that the defendant’s tracking of his online activities, and associated serving of direct marketing, were unlawful, because they lacked his operative consent, and they led to damage because they caused him to gamble well beyond his means. The judgment was only on liability, and at the time of writing this post there has been no ruling on remedy, or quantum of damages.

The domestic courts are not regulators – they decide individual cases, and where a damages claim is made by an individual any judicial analysis is likely to be highly fact specific. That is certainly the case here, and paragraphs 179-181 are key:

such points of criticism as can be made of [the defendant’s] privacy policies and consenting mechanisms…are not made wholesale or in a vacuum. Nor are they concerned with any broader question about best practice at the time, nor with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken. Such general matters are the proper domain of the regulators.

In this case, the defendant could not defeat a challenge that in the case of this claimant its policies and consenting mechanisms were insufficient:

If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.

Does this mean that a controller has to get some sort of separate, individuated consent for every data subject? Of course not: but that does not mean that a controller whose policies and consenting mechanisms are adequate in the vast majority of cases is fully insulated from a specific challenge from someone who could not give operative consent:

In the overwhelming majority of cases – perhaps nearly always – a data controller providing careful consenting mechanisms and good quality, accessible, privacy information will not face a consent challenge. Such data controllers will have equipped almost all of their data subjects to make autonomous decisions about the consents they give and to take such control as they wish of their personal data…But all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary.

This is, one feels, correct as a matter of law, but it is hardly a happy situation for those tasked with assessing legal risk.

And the judgment should (but of course won’t) silence those who promise, or announce, “full compliance” with data protection and electronic marketing law.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

ICO and functus officio

[reposted from LinkedIn]

Can the Information Commissioner’s Office (ICO) withdraw or amend a decision notice it has issued under section 50 of the Freedom of Information Act 2000? And, if not, why not?

This FOI disclosure by the ICO states the orthodox (and surely correct) position that, once a section 50 decision has been made, “the Commissioner has discharged his duties under section 50…We can only act in accordance with our powers under the legislation. There is no provision in the FOIA that allows the Commissioner to amend or cancel a DN once it has been issued.”

But the letter goes on to say “…it [is not] accurate to say there is a law that prohibits us from amending a DN”. This is, to the contrary, surely incorrect: there may be no express statutory provision, but the common law doctrine of “functus officio” applies.

Functus officio applies where “a judicial, ministerial or administrative actor has performed a function in circumstances where there is no power to revoke or modify it” (R (Commissioner of Police of the Metropolis) v Independent Police Complaints Commission [2015] EWCA Civ 1248, [2016] PTSR 891).

Although there may be exceptions where the decision has been obtained by fraud or it is based on a fundamental mistake of fact (R (Sambotin) v Brent London Borough Council [2018] EWCA Civ 1826, [2019] PTSR 371), the doctrine is most certainly “a law that prohibits” the ICO from amending a decision notice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Join NADPO, get free Tim Turner training

If I told you that you could secure attendance at two half-day online training sessions on data protection, with one of the UK’s leading experts and trainers, for the meagre sum of £130 and that payment bought you two years’ membership of NADPO, with all the other benefits that brings (regular webinars, a stellar annual conference, regular newsletters, discounts on training), you would snap it up, wouldn’t you?

Well, dear friends, that’s what we’re offering our members. On Wednesday 9 October and Wednesday 16 October the fantastic Tim Turner of 2040 Training will be delivering sessions exclusively for NADPO members. So, if you purchase a membership in the next few days you’ll be entitled to attend both sessions (plus get all those other benefits).

I can’t think how any rational person could turn such an offer down.

CCTV and commercial property leases

[reposted from LinkedIn]

There is a minor, but interesting, data protection point in this judgment on a dispute between a landlord and commercial tenant about a lease.

The claimant was a dentist who had become suspended and therefore could not practise as a fully registered dentist in accordance with the terms of the lease. The dispute was about whether she had done so, and, if so, whether the court should grant relief from forfeiture (it did, on the facts).

The claimant also sought and was granted a declaration, in relation to the landlord’s siting of internal CCTV cameras, “that the processing of the claimant’s data by the defendant is unlawful and breached the provisions of the Data Protection Act 2018 and the regulations [sic] relating thereto”. 

The evidence was that “a CCTV camera was installed by the defendant by being affixed to the door frame above the entrance to the toilets in the building, on the same floor as the room let to the claimant, pointing at the stairs and the door to the claimant’s…premises”. Although the defendant landlord claimed that “the CCTV was placed there for the legitimate purpose of monitoring those going to the building’s toilets”(!), the judge did not accept that: “as it was placed, [it] had a distinct view of the entrance to the claimant’s room, and, when it was opened, into the room itself. There is no real reason why it could not have been so positioned to exclude that, or why indeed it could not have been located to point in the opposite direction to monitor those coming out of the toilet area door[!]… it was an attempt to monitor who was attending the claimant’s room and its use.”

Unfortunately, the judge does not appear to have made findings as to what precisely were the infringements of the data protection law (one notes that the declaration was sought only in respect of the claimant’s own data, and not of those attending her premises, but the finding appears to be in respect of both). 

So, as I say, a minor point, but interesting. Landlords, even in commercial property agreements (and disputes arising), should not simply assume they have the right to place CCTV on their property in such a way as it infringes the data protection rights of individuals using the property (whether they be tenants, employees of tenants, or the tenant’s visitors).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Fly Me (three quarters of the way) To The Moon?

When the ICO’s annual report was published a few weeks ago, I noted the proliferation of flights taken by ICO staff (which have more than tripled from 2022/2023 to 2023/2024 (from 206 to 774)).

And now, I note a response by the ICO to a WhatDoTheyKnow FOI request asking for the number of (publicly funded) air miles the Information Commissioner himself has flown. The figure is pretty remarkable: 275,182 km, or 171,000 miles.

By my calculations that’s the equivalent of 75% of the way to the moon, or seven times round the world.

It is only fair to note that a large chunk of this consists of flights to the Commissioner’s home country, New Zealand. Anyone can be excused for wanting to visit home, and family.

But the ICO has an Environment Policy, which commits it to “minimising damaging environmental impacts which may arise from the conduct of our activity”, and the government which recommended his appointment to the Crown published its “Jet Zero” strategy only months after he had been appointed.

Did anyone at DCMS consider the environmental impact of appointing a Commissioner whose home is on the other side of the world? Is anyone at the ICO considering whether it is complying with its own Policy (and maybe just general environmental ethics) when racking up the numbers of flights?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.