April 8, 2025 · 7:11 am

Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of a “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works) a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under AI, Data Protection, datasets, DUAB, Information Commissioner, Lawful basis, parliament, Uncategorized

Tagged as , ,

April 2, 2025 · 5:02 am

The legality of data processing in the course of litigation

There is very convoluted litigation taking place which has as its focus a witness statement, prepared by a solicitor acting for a number of insurance companies who are defending personal injury claims arising from road traffic accidents (RTAs). And part of the argument (and a satellite claim) has now become about compliance with data protection law.

Five original claims were made for damages arising from RTAs. The defendant insurance companies were represented by law firm DWF, and one of DWF’s solicitors prepared a witness statement which contained an analysis of claims data collected by DWF in relation to a number of claims submitted by claimants represented by the solicitors who acted on behalf of the five claimants. The statement sought to adduce that in an unusually high number of the claims claimants had been referred for further psychological assessment, by a doctor who in 100% of those cases diagnosed a psychiatric condition and in two thirds of those cases said that the recovery period would be over two years. In short, a large number of claimants in the relevant RTAs appeared to develop long-term psychiatric conditions.

The claimant sought unsuccessfully to debar the witness statement, although the judge (on appeal) noted that it would be “for the Judge at trial to make of this evidence what they will [although] there are questions as to the extent to which this evidence assists without more in proving fundamental dishonesty”.

Notwithstanding this, an initial 317 (now reduced to three) claims were then made by people whose personal data was accepted to have been processed by DWF for the purposes of preparing the witness statement above. The claims here are for various breaches of the UK GDPR (such as excessive processing, and lack of fairness, lawful basis and transparency).

In a judgment handed down on 1 April, on an application by the claimants for specific disclosure in the UK GDPR claim (and an application by the defendant to amend its defence and strike out a witness statement of the claimants’ solicitor) Mrs Justice Eady DBE dismissed the disclosure applications (made under various headings), on the basis that much of the information would clearly be privileged material, or not relevant, or that the application was a fishing expedition.

If this gets to trial it will be interesting though. This sort of processing of personal data takes place in the course of (non-data-protection) private litigation routinely. It is generally not assumed that any issues of illegality arise. Any ultimate findings would be notable for litigators, and those who need to advise them on data protection compliance.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, litigation, UK GDPR

Tagged as

March 27, 2025 · 4:53 am

A new data protection duty?

I’ve been looking in more detail at the recent subject access judgment in Ashley v HMRC. One key point of general application stands out for me, and that is that it states that in some cases (i.e. where it is necessary for intelligibility purposes) a controller has a duty to provide contextual information in addition to copies of personal data.

As the judge put it

Article 15(1) and 15(3), read with Article 12(1) and (2) of the UK GDPR, did require the Defendant to go beyond providing a copy of the Claimant’s personal data where contextual information was necessary for that personal data to be intelligible in the sense of enabling the data subject to exercise their rights conferred by the UK GDPR effectively. It follows that insofar as the Defendant did not adopt this approach, it was in breach of this duty.

And although she couched the following as “guidance” for the HMRC when reconsidering the request, I feel it has general application:

…it is unlikely that providing an extract that simply comprises the Claimant’s name or his initials or other entirely decontextualised personal data of that sort, will amount to compliance with this obligation.

In arriving at this conclusion the judge drew in part on both pre- and post-Brexit case law of the Court of Justice of the European Union. Most notably she decided to have regard to case C-487/21. Even though this does not bind the domestic courts, the effect of section 6(2) of European Union (Withdrawal) Act 2018 is that courts may have regard to EU case law where it is relevant to the matter before them.

Of course, there are also times when merely providing a snippet in the form of a name constitutes a failure to provide all of the personal data in scope (omitting the final five words of “Jon Baines works at Mishcon de Reya” would be to omit some of my personal data). But the “context duty” seems to me to go further, and creates, where it is necessary, an obligation to provide information beyond what is in the source documents.

Most of the other points in the judgment, as important as they were to the facts, and as interesting they are, particularly on the concept of “relating to” in the definition of “personal data”, will not necessarily change things for most data subjects and controllers.

But this “context duty” feels to me to be an advancement of the law. And I suspect controllers can now expect to see data subjects and their lawyers, when making subject access requests (or when challenging responses), begin to argue that the “context duty” applies.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, judgments, subject access, UK GDPR

Tagged as ,

March 25, 2025 · 8:08 am

NADPO Webinar – 25 March

On the lunchtime of Tuesday 25 March I’ll be chairing one of the regular NADPO webinars. We have Dr Judith Townend talking about learning from ‘open justice’ and other data/technology contexts, and Dr Lachlan Urquhart on “Clever Computing through Accountable Design: Cybersecurity in Smart Homes”.

Members will already have received the joining instructions.

A reminder that membership is bargain £130 for two years, and gets you free attendance at all webinars, as well as at our annual conference and other ad hoc events, plus a range of other benefits (for example we’ve recently hosted free training sessions for members run by Tim Turner and a free session on databreaches and cybersecurity from 5 Essex Chambers and CyXcel). Members also get complimentary free attendance at UK Data Protection Forum events.

Leave a comment

Filed under Uncategorized

March 22, 2025 · 5:55 am

O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, facebook, Information Commissioner, marketing, Meta, Right to object, UK GDPR

Tagged as , ,

March 13, 2025 · 6:32 am

Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating whether FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Cabinet Office, access to information, information notice, judgments

Tagged as ,

March 12, 2025 · 4:50 am

Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that although the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,

March 11, 2025 · 8:47 am

An offence of unlawful access to records of the dead?

I’m starting to wonder whether Parliament should consider a new offence of accessing and/or retaining records of the deceased without lawful excuse.

The BBC, and others, are reporting concerns that there may have been unauthorised access to medical records of the victim of killer Valdo Calocane. In the last few years we have also seen similar stories emerging in relation to police files on the murders of Sarah Everard, Bibaa Henry and Nicole Smallman (and I am sure there are many others).

The offence at section 170 of the Data Protection Act 2018 cannot be engaged when the records in question relate to someone who is dead, and although there is the potential for prosecutions for misconduct in a public office, or under the Computer Misuse Act 1990, there will be times when these do not apply.

Such unwarranted access seems to be a serious risk which arises wherever there is a high profile killing, and it must cause immense extra distress for the families and friends of the victims.

I wonder if now is the time for a debate on the topic, with an agenda item of whether there is need for a new criminal offence.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Confidentiality, crime, parliament

Tagged as

March 11, 2025 · 6:04 am

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) of a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Tagged as ,

March 8, 2025 · 6:31 am

Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167) and/or in exercise of the court’s inherent jurisdiction.

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, subject access, Data Protection Act 2018, judgments

Tagged as ,