NADPO September webinar

The monthly NADPO lunchtime webinars resume today, from 12:30 to 14:00, with talks by Robin Hopkins of 11KBW on ‘Insights from recent High Court judgments’ and Ashley Winton of Mishcon de Reya LLP on ‘DPIA => AIIA, a look at the wider laws that will apply to AI’.

NADPO members should have the joining details in their inboxes, but if anyone would like a free guest place, to test the NADPO waters, as it were, do either message me here, or on chair at NADPO dot co dot uk, as we have a couple available.

Filed under Uncategorized

UK-US Data Bridge now constructed

Traffic to start moving next month…

A short piece by me on the Mishcon de Reya website:

https://www.mishcon.com/news/uk-us-data-bridge-agreed

Filed under Uncategorized

ECtHR case with “profound consequences for digital archives”

A piece in The Times by me and my Mishcon de Reya colleague Emma Woollcott, on the recent Hurbain v Belgium “right to be forgotten” case:

https://www.thetimes.co.uk/article/588d0282-523f-11ee-a518-203f78f24415?shareToken=e340610d08c71fe41d2602e066339071

Filed under Uncategorized

Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contraventions of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b) relates to an identified or identifiable individual or business, and

(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under access to information, crime, Data Protection, Data Protection Act 2018, Freedom of Information, Information Commissioner

When is a fundamental right no longer fundamental?

Answer – when Parliament approves legislation to remove it

Rather quietly, the government is introducing secondary legislation which will have the effect of removing the (admittedly odd) situation whereby the UK GDPR describes the right to protection of personal data as a fundamental right.

Currently, Article 1(2) of the UK GDPR says “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. For the purposes of the EU GDPR this makes sense (and made sense when the UK was part of the EU) because the Charter of Fundamental Rights of the European Union (“the Charter”) identifies the right to protection of personal data as a free-standing right.

However, the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 will amend Article 1(2) of the UK GDPR so that it will simply say “This Regulation contributes to the protection of individuals’ fundamental rights and freedoms.”

The explanatory memorandum to the draft regulations states that

There is no direct equivalent to the right to the protection of personal data in the UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention of Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by UK GDPR, the Data Protection Act 2018 and will continue to be protected by the Data Protection and Digital Information Bill in our domestic legislation.

None of this addresses the point that the EU specifically decided, in the Charter, to separate the right to protection of personal data from the right to respect for a private and family life. One reason being that sometimes personal data is not notably, or inherently, private, but might, for instance, be a matter of public record, or in the public domain, yet still merit protection.

The explanatory memorandum also says, quite understandably, that the UK GDPR has to be amended so as to ensure that

references to retained EU rights and freedoms which would become redundant at the end of 2023 are replaced with references to rights under the European Convention on Human Rights (ECHR) which has been enshrined in the UK’s domestic law under the Human Rights Act 1998

Nonetheless, it was interesting for a while that the UK had a fundamental right in its domestic legislation that was uncoupled from its source instrument – but that, it seems, will soon be gone.

Filed under Data Protection, human rights, parliament, UK GDPR

An open complaint to the ICO about MailOnline cookies

***UPDATE at 8 November***

There is no update. Nothing from the ICO at all, other than, at four weeks – after chasing – a message saying it’s taking six to eight weeks to allocate cases.

It’s now more than eight weeks.

***END UPDATE***

Dear Mr Edwards

In June this year Stephen Bonner told MLex that websites which

don’t have “reject all” on your top level [cookie banner]…are breaking the law… There is no excuse for that. The ICO is paying attention in this area and will absolutely issue fines if we see organizations are not taking that seriously and taking steps.

Subsequently, your office said to law firm Mishcon de Reya

Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.

Then, on 9 August, in conjunction with the Competition and Markets Authority, your office stated

One clear example of often harmful design are cookie consent banners. A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.

In view of all of these statements, I wish to complain, under Article 77 UK GDPR, and simultaneously request, under regulation 32 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), that you exercise your enforcement functions, in relation to the use of cookies and similar technology by Associated Newspapers Limited, or alternatively DMG Media (whichever is applicable) as controller of, and person responsible for confidentiality of communications on, the “MailOnline” website at https://www.dailymail.co.uk/home/index.html (the “Website”).

The Website presents a visitor using the Safari browser on an iPhone 11 Pro with a “cookie banner” (see attached screenshot) which does not offer visitors a “reject all” option.

Furthermore, the whole set-up is opaque. If one clicks “Cookie Settings” one is faced with an initially straightforward set of options (one of them set by default to accept cookies for personalised advertising on the basis of “legitimate interest”, which is clearly not compliant with regulation 6 of PECR). However, if one then clicks on the tab for “Vendors”, one is faced with a frankly farcically long list of such “vendors”, and options, many of them set by default to “legitimate interest”. I consider myself reasonably knowledgeable in this area, but it is far from clear what is actually going on, other than to say it plainly appears to be falling short of compliance with regulation 6, and, to the extent my personal data is being processed, the processing plainly appears to be in contravention of the UK GDPR, for want – at least – of fairness, lawful basis and transparency.

It is worth noting that much of MailOnline’s content is likely to be of interest to and accessed by children (particularly its sports and “celebrity news” content), even if the publisher does not actively target children. You state, in your guidance

if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.

But the complexity and opacity of the Website’s cookie use means that it is largely incomprehensible to adults, let alone children.

It is, obviously, not for me to specify how you undertake an investigation of my complaint, but you must, of course, by reference to Article 57(1)(f) UK GDPR, investigate to the “extent appropriate”. Given the clear messages your office has delivered about cookie banners and the like, and given the weight of evidence as to non-compliance, I would suggest an investigation to the extent appropriate must – at the very least – result in a clear finding as to legality, with reasons, and recommendations for the investigated party.

I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to “opt out” of receiving cookies on the Website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.

Of course the Website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action. However, if you would like me to refer to other examples, or require any further information, please don’t hesitate to ask.

Yours sincerely

Jon Baines

Filed under adtech, consent, cookies, Data Protection, Information Commissioner, PECR, UK GDPR

ICO breaching section 45 FOI code which it has a duty to promote

Under section 45 of the Freedom of Information Act 2000 (FOIA), the Minister for the Cabinet Office is required to issue a Code of Practice providing guidance to public authorities as to the practice which it would, in his opinion, be desirable for them to follow. A Code of Good Practice, if you will. The Information Commissioner’s Office (ICO) says, about the most recent version of the section 45 Code, that it

should be used as a handbook which sets out best practice to help you with the day to day handling of requests. Adhering to the Code will result in positive benefits for your authority, and in practical terms, offer good customer service.

And under section 47(1)(b) of FOIA the ICO has a duty to perform its functions so as to promote the observance of the Code.

Paragraph 8.5 of the Code says that

Public authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling requests for information under [FOIA…and] should do so on a quarterly basis…

However, the ICO themselves do not do, indeed never have done, this.

I recently made a FOIA request to the ICO, in which I queried the absence of published statistics under paragraph 8.5 of the Code, and asked for disclosure of the last two years’ statistics. The response revealed statistics that are not particularly interesting, other than that they show that the ICO has made commendable improvements in its own compliance, following the dip which coincided with the pandemic. But all that was said about the proactive publication point was

We are not presently publishing our quarterly stats

No explanation was given as to why, nor was anything said about the fact that this appears expressly contrary to the ICO’s duty under section 47 to promote observance of the Code.

The ICO has, in recent months, indicated a willingness to get a bit tougher on public authorities which don’t comply with FOIA, but if it does not itself comply, the effect of such tougher enforcement is greatly weakened.

Filed under Freedom of Information, Information Commissioner

ICO and reprimands – unfair to recipients?

I’ve written on the Mishcon de Reya website about the Information Commissioner’s Office’s use of reprimands for data protection infringements, despite the absence of any published guidance or procedure. Coupled with the lack of any way of appealing a reprimand, does this risk putting recipients in an unfair position?

https://www.mishcon.com/news/icos-regulatory-use-of-reprimands-does-it-need-a-rethink

Filed under Uncategorized

“Text pests” and data protection criminal offences

The modern digital economy allows us to order goods (and have them delivered) with a few taps on our phones. But the infrastructure behind locating, packaging and delivering those goods necessitates that a chain of people have access to the specifics of our orders, and, in some cases, our contact details. A consequence of this appears to be an extraordinary prevalence of customers receiving unwanted contact as a result: research commissioned by the Information Commissioner’s Office (ICO) indicates that 29% of 18-34-year-olds have received unwanted contact after giving their personal details to a business.

It is to the ICO’s credit that it is looking at this issue, and calling for evidence of what it correctly calls this “illegal behaviour”. But I found it surprising that the ICO did not explain, in its communications, that if someone obtains a customer’s contact details from a business, and uses them for personal purposes which are different from (and not approved by) the business, they are very likely to be committing the criminal offence of unlawfully obtaining personal data without the consent of the controller, under section 170(1)(a) of the Data Protection Act 2018 (DPA).

The ICO says it will be contacting

some of the major customer-facing employers in the country to emphasise their legal responsibilities as well as to learn more about what safeguards they have in place

Which is all fine, but maybe a quicker and more effective action would be to remind those employers in turn to make their staff aware that using customer data for such purposes may well see them ending up with a criminal record.

Under section 197 of the DPA prosecutions for section 170 offences can only be brought, in England, Wales and Northern Ireland at least, by the ICO itself (or with the permission of the Director of Public Prosecutions or equivalent). One wonders if the sheer numbers of incidents where customer data is being obtained and misused in this way means that the ICO’s criminal prosecution team simply doesn’t have the capacity to deal with it. If so, maybe Parliament needs to look at giving the CPS a role, or even whether private prosecutions could be allowed.

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner

PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance, when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and Freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retained for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review will consider whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.

Filed under access to information, adequacy, Data Protection, Information Commissioner, retention, security