Category Archives: Uncategorized

It’s not fine

I’m seeing regular discussions on social media about notification of personal data breaches under Article 33 and liability for administrative fines under Article 83 of the General Data Protection Regulation (GDPR). For instance

because Carphone Warehouse had their breach start before GDPR the ICO fines will be tiny…

…Is it breach start or reported date that makes a difference?…

…So all we need to do if you have a breach is say it started in the 24th may…

These sort of discussions overlook two points.

Firstly, the Information Commissioner’s Office has repeatedly given indications that big penalty notices (to adopt the wording of the Data Protection Act 2018, which notably avoids using the word “fine”*) will not be regularly imposed under the new regime, and nor will there be a “scaling up” of penalties.

Secondly, and crucially, penalties cannot be imposed on controllers merely because they have had, and become aware of, a personal data breach. Under Article 83, penalties can be imposed by a supervisory authority for infringements of the GDPR. The fact that a personal data breach has occurred is not proof that an infringement has also occurred. Article 4 explains that a personal data breach is

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Such personal data breaches might occur even where the controller has complied with its obligations under Article 5(1)(f) to ensure that personal data are

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

“Protection” does not impose a counsel of perfection. A personal data breach might occur but a supervisory authority might determine that the controller had done all it reasonably could, and not impose a penalty. In fact, I predict that in the vast majority of cases where controllers notify the ICO of personal data breaches, this is exactly what will happen.

So, returning to those social media discussions – what will actually determine whether GDPR applies, when it comes to the imposition of a penalty, is when the infringement took place, not when the personal data breach did.

This is not new. Some of us have been (largely vainly) arguing for years that a data security incident is not equivalent to a statutory breach, but the elision still happens.

* the word “fine” in domestic law is nearly always reserved for penalties as a sentence under criminal law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized

STOP THE NONSENSE PLEASE

5 Comments

Filed under Uncategorized

ICO newsletter: direct marketing, but no need to “reconsent”

I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).

But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could be potentially interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, doing nothing may be precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.

Even though the ICO corrective was welcome, I’d actually already begun some slightly mischievous digging.

For a number of years, through various email addresses, I have subscribed to the ICO’s email newsletter (I invite thoughts, through the “comments” function on this blog, about the adequacy of the privacy notice given when one signs up to it, but this post is not directly about that). All the nonsense emails flying round got me to thinking – the ICO newsletter is probably “direct marketing” according to the law and the ICO’s own guidance, and when it is sent to an “individual subscriber” the PECR consent requirements kick in. So, I wondered, had the ICO reviewed whether it needed to get “GDPR-standard consent”, at least from those individual subscribers?

The answer, in response to my request for information under the Freedom of Information Act 2000, is yes – the ICO have reviewed, and no, they don’t think they need to “reconsent”.

They’ve told me that

We have reviewed our e-newsletter and consent as part of our preparations for the requirements of GDPR…we do think our newsletter constitutes direct marketing [but we] don’t think we need to seek re-consent from individuals who have already consented to receive the newsletter.  The newsletter is only sent to people who asked to receive it, this was done on an opt in basis on the back of a clear question asked separately from other information. We have a record of the date they asked to receive the newsletter. There is an unsubscribe option at the end of each newsletter and we log when people tell us they don’t want to receive it anymore – we’ve reviewed that process to make sure it is robust.

Pretty clear, I think.

I post their response here in the hope it might assist those who are in a similar position are struggling to understand whether they need to send another of those stupid “reconsent” emails flying around.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Uncategorized

When will it all stop?

I saw two iterations of the same erroneous statement about the General Data Protection Regulation (GDPR) this morning, and it’s instructive to compare them.

One was in a Times article by journalist Danny Fortson. This said:

[Under GDPR] organisations large and small will have to ask for new permission to keep personal details on file

The other was contained in a brief twitter exchange which I barged into, in which a personal trainer revealed that a “GDPR consultant” had told her that she

had to regain all [client] details and destroy all the previously held info

I haven’t got anything profound to say here – just three observations: 1) GDPR absolutely does not expressly require businesses to do anything about client or customer data already held, let alone contact those people to get their consent 2) there is some shockingly bad advice about GDPR apparently being promulgated by people purporting to be competent to give it 3) there is a rather toxic feedback loop by which this shockingly bad advice is repeated in the media, and then picked up by others.

I hope it will all calm down after 25 May. And I also hope that decent people running decent businesses don’t get permanently harmed by this situation.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Uncategorized

Perennial message about GDPR

Leave a comment

Filed under Uncategorized

Data protection and fake pornography

Wired’s Matt Burgess has written recently about the rise of fake pornography created using artificial intelligence software, something that I didn’t know existed (and now rather wish I hadn’t found out about):

A small community on Reddit has created and fine-tuned a desktop application that uses machine learning to morph non-sexual photos and transplant them seamlessly into pornographic videos.

The FacesApp, created by Reddit user DeepFakesApp, uses fairly rudimental machine learning technology to graft a face onto still frames of a video and string a whole clip together. To date, most creations are short videos of high-profile female actors.

The piece goes on to discuss the various potential legal restrictions or remedies which might be available to prevent or remove content created this way. Specifically within a UK context, Matt quotes lawyer Max Campbell:

“It may amount to harassment or a malicious communication,” he explains. “Equally, the civil courts recognise a concept of ‘false privacy’, that is to say, information which is false, but which is nevertheless private in nature.” There are also copyright issues for the re-use of images and video that wasn’t created by a person.

However, what I think this analysis misses is that the manipulation of digital images of identifiable individuals lands this sort of sordid practice squarely in the field of data protection. Data protection law relates to “personal data” –  information relating to an identifiable person – and “processing” thereof. “Processing” is (inter alia)

any operation…which is performed upon personal data, whether or not by automatic means, such as…adaptation or alteration…disclosure by transmission, dissemination or otherwise making available…

That pretty much seems to encapsulate the activities being undertaken here. The people making these videos would be considered data controllers (persons who determine the purposes and means of the processing), and subject to data protection law, with the caveat that, currently, European data protection law, as a matter of general principle, only applies to processing undertaken by controllers established in the European Union. (In passing, I would note that the exemption for processing done in the course of a purely personal or household activity would not apply to the extent that the videos are being distributed and otherwise made public).

Personal data must be processed “fairly”, and, as a matter of blinding obviousness, it is hard to see any way in which the processing here could conceivably be fair.

Whether victims of this odious sort of behaviour will find it easy to assert their rights, or bring claims, against the creators is another matter. But it does seem to me to be the case here, unlike in some other cases, that (within a European context/jurisdiction) data protection law potentially provides a primary initial means of confronting the behaviour.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Europe, fairness, Uncategorized

Serious DCMS error about consent and data protection 

I blogged on Monday about the government Statement of Intent regarding the forthcoming Data Protection Bill. What I missed at the time was an accompanying release on the Department for Digital, Culture,  Media and Sport (DCMS) website.  Having now seen it, I realise why so many media outlets have been making a profoundly misleading statement about consent under the new data protection law: they have lifted it directly from DCMS. The statement is

The Data Protection Bill will require ‘explicit’ consent to be necessary for processing sensitive personal data

It should only take a second to realise how wrong this is: sensitive personal data will include information about, among other things, health, and criminal convictions. Is the government proposing, say, that, before passing on information about a critically injured patient to an A&E department, a paramedic will have to get the unconscious patient’s explicit consent? Is it proposing that before passing on information about a convicted sex offender to a local authority social care department the Disclosure and Barring Service will have to get the offender’s explicit consent? 

Of course not – it’s absolute nonsense to think so, and the parliamentary drafters of the forthcoming Bill would not dream of writing the law in such a way, not least because it would contravene our obligations under the General Data Protection Regulation (GDPR) around which much of the Bill will be based. GDPR effectively mirrors the existing European Data Protection Directive (given effect in our existing Data Protection Act 1998). Under these laws, there are multiple circumstances under which personal data, and higher-category sensitive personal data can be processed. Consent is one of those. But there are, in Article 9(2) of GDPR, nine other conditions which permit the processing of special category data (the GDPR term used to replicate what is called “sensitive personal data” under existing domestic data protection law), and GDPR affords member states the power to legislate for further conditions.

What the DCMS release should say is that when consent is legitimately relied upon to process sensitive personal data the consent must be explicit. I know that sentence has got more words on it than the DCMS original, but that’s because sometimes a statement needs more words in order to be correct, and make sense, rather than mislead on a very important point regarding people’s fundamental rights.

I tweeted Matt Hancock, the minister, about the error, but with no answer as yet. I’ve also invited DCMS to correct it. The horse has already bolted though, as a Google news search for the offending phrase will show. The Information Commissioner’s Office has begun a series of pieces addressing GDPR myths, and I hope this is one they’ll talk about, but DCMS themselves should still issue a corrective, and soon.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, DCMS, GDPR, Information Commissioner, Uncategorized

An enforcement gap?

ICO wants 200 more staff for GDPR , but its Board think there’s a risk it will instead be losing them

The General Data Protection Regulation (GDPR) is, without doubt, a major reconfiguring of European data protection law. And quite rightly, in the lead-up to its becoming fully applicable on 25 May next year, most organisations are considering how best they can comply with its obligations, and, where necessary, effecting changes to achieve that compliance. As altruistic as some organisations are, a major driver for most is the fear that, under GDPR, regulatory sanctions can be severe. Regulators (in the UK this is the Information Commissioner’s Office (ICO)) will retain powers to force organisations to do, or to stop, something (equivalent to an enforcement notice under our current Data Protection Act 1998 (DPA)), but they will also have the power to levy civil administrative fines of up to €20 million, or 4% of annual global turnover. Much media coverage has, understandably, if misleadingly, focused on these increased “fining” powers (the maximum monetary under the DPA is £500,000). I use the word “misleadingly”, because it is by no means clear that regulators will use the full fining powers available to them: GDPR provides regulators with many other options (see Article 58) and recital 129 in particular states that measures taken should be

appropriate, necessary and proportionate in view of ensuring compliance with this Regulation [emphasis added]

Commentators stressing the existence of these potentially huge administrative fines should be referred to these provisions of GDPR. 

But in the UK, at least, another factor has to be born in mind, and that is the regulator’s capacity to effectively enforce the law. In March this year, the Information Commissioner herself, Elizabeth Denham, told the House of Lords EU Home Affairs Sub-Committee that with the advent of GDPR she was going to need more resource

With the coming of the General Data Protection Regulation we will have more responsibilities, we will have new enforcement powers. So we are putting in new measures to be able to address our new regulatory powers…We have given the government an estimate that we will need a further 200 people in order to be able to do the job.

Those who rather breathlessly reported this with headlines such as “watchdog to hire hundreds more staff” seem to have forgotten the old parental adage of “I want doesn’t always get”. For instance, I want a case of ’47 Cheval Blanc delivered to my door by January Jones, but I’m not planning a domestic change programme around the possibility.

In fact, the statement by Denham might fall into a category best described as “aspirational”, or even “pie in the sky”, when one notes that the ICO Management Board recently received an item on corporate risk, the minutes from which state that

Concern was expressed about the risk of losing staff as GDPR implementation came closer. There remained a risk that the ICO might lose staff in large numbers, but to-date the greater risk was felt to be that the ICO could lose people in particular roles who, because of their experience, were especially hard to replace.

The ICO has long been based in the rather upmarket North West town of Wilmslow (the detailed and parochial walking directions from the railway station to the office have always rather amused me). There is going to be a limited pool of quality candidates there, and ICO pays poorly: current vacancies show case officers being recruited at starting salary of £19,527, and I strongly suspect case officers are the sort of extra staff Denham is looking at.

If ICO is worried about GDPR being a risk to staff retention (no doubt on the basis that better staff will get poached by higher paying employers, keen to have people on board with relevant regulatory experience), and apparently can’t pay a competitive wage, how on earth is it going to retain (or replace) them, and then recruit 200 more, from those sleepy Wilmslow recruitment fairs?

I write this blogpost, I should stress, not in order to mock or criticise Denham’s aspirations – she is absolutely right to want more staff, and to highlight the fact to Westminster. Rather, I write it because I agree with her, and because, unless someone stumps up some significant funding, I fear that the major privacy benefits that GDPR should bring for individuals (and the major sanctions against organisations for serious non-compliance) will not be realised.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Uncategorized

Making even more criminals

Norfolk Police want your dashcam footage. Do you feel lucky, punk?

I wrote recently about the change to the Information Commissioner’s Office (ICO) registration process, which enables domestic users of CCTV to notify the ICO of that fact, and pay the requisite fee of £35. I noted that this meant that

it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

I didn’t take issue with the correctness of the legal position, but I went on to say that

The logical conclusion…here is that anyone who takes video footage anywhere outside their home must register

I even asked the ICO, via Twitter, whether users of dashcams should also register, to which I got the reply

If using dashcam to process personal data for purposes not covered by domestic exemption then would need to comply with [the Data Protection Act 1998]

This subject was moved from the theoretical to the real today, with news that Norfolk Constabulary are encouraging drivers using dashcams to send them footage of “driving offences witnessed by members of the public”.

Following the analyses of the courts, and the ICO, as laid out here and in my previous post, such usage cannot avail itself of the exemption from notification for processing of personal data “only” for domestic purposes, so one must conclude that drivers targeted by Norfolk Constabulary should notify, and pay a £35 fee.

At this rate, the whole of the nation would eventually notify. Fortunately (or not) the General Data Protection Regulation becomes directly applicable from May next year. It will remove the requirement to give notification of processing. Those wishing, then, to avoid the opprobrium of being a common criminal have ten months to send their fee to the ICO. Others might question how likely it is that the full force of the law will discover their criminality, and prosecute, in that short time period.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, police, Uncategorized

Making criminals of us all

The Information Commissioner thinks that countless households operating CCTV systems need to register this, and pay a £35 fee for doing so. If they don’t, they might be committing a crime. The Commissioner is probably mostly correct, but it’s a bit more complex than that, for reasons I’ll explain in this post.

Back in 2014, to the surprise of no one who had thought about the issues, the Court of Justice of the European Union (CJEU) held that use of domestic CCTV to capture footage of identifiable individuals in public areas could not attract the exemption at Article 3(2) of the European data protection directive for processing of personal data

by a natural person in the course of a purely personal or household activity

Any use of CCTV, said the CJEU, for the protection of a house or its occupiers but which also captures people in a public space is thus subject to the remaining provisions of the directive:

the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision

As some commentators pointed out at the time, the effect of this ruling was potentially to place not just users of domestic CCTV systems under the ambit of data protection law, but also, say, car drivers using dashcams, cyclists using helmetcams, and many other people using image recording devices in public for anything but their own domestic purposes.

Under the directive, and the UK Data Protection Act 1998, any data controller processing personal data without an exemption (such as the one for purely personal or household activity) must register the fact with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). Failure to register in circumstances under which a data controller should register is a criminal offence punishable by a fine. There is a two-tier fee for making an entry in the ICO’s register, set at £35 for most data controllers, and £500 for larger ones.

For some time the ICO has advised corporate data controllers that if they use CCTV on their premises they will need to register:


But I recently noticed that the registration page itself had changed, and that there is now a separate button to register “household CCTV”


If one clicks that button one is taken to a page which informs that, indeed, a £35 fee is payable, and that the information provided will be published online 


There is a link to the ICO’s overarching privacy notice [ed. you’re going to have to tighten that up for GDPR, guys] but the only part of that notice which talks about the registration process relates only to “businesses”


Continuing the household CCTV registration process, one then gets to the main screen, which requires that the responsible person in the household identify themselves as data controller, and give either their household or email address for publication


What this all means is that it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

(In passing, there is a problem here: the pages and the process miss the point that for the registration to be required, the footage needs to be capturing images of identifiable individuals, otherwise no personal data is being processed, and data protection law is simply not engaged. What if someone has installed a “nest cam” in a nearby wooded area? Is ICO saying they are committing a criminal offence if they fail to register this? Also, what if the footage does capture identifiable individuals outside the boundaries of a household, but the footage is only taken for household, rather than crime reduction purposes? The logical conclusion of the ICO pages here is that anyone who takes video footage anywhere outside their home must register, which contradicts their guidance elsewhere.)

What I find particularly surprising about all this is that, although fundamentally it is correct as a matter of law (following the Ryneš decision by the CJEU), I have seen no publicity from the ICO about this pretty enormous policy change. Imagine how many households potentially *should* register, and how many won’t? And, therefore, how many the ICO is implying are committing a criminal offence?

And one thing that is really puzzling me is why this change, now? The CJEU ruling was thirty months ago, and in another eleven months, European data protection law will change, removing – in the UK also – the requirement to register in these circumstances. If it was so important for the ICO to effect these changes before then, why keep it quiet?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized