August 25, 2024 · 8:47 am

Manifestly EIR

[reposted from LinkedIn]

I’m dumbfounded how a public authority, all of the staff at the Information Commissioner’s Office – including its litigation lawyers – and the three people hearing the appeal in the Information Tribunal, failed to identify that this request clearly should have been handled under the Environmental Information Regulations 2004 and not the Freedom of Information Act 2000 – it’s about land use, a boundary dispute and planning. The ICO decision notice even states that “it relates to the status of the Council’s land adjacent to the complainant’s property”.

It may be that, on analysis, the request – which was refused on the grounds that it was vexatious – a decision with which both the ICO and Tribunal agreed – would have been considered manifestly unreasonable under the EIR, but that is no excuse. The refusal was wrong as a matter of law, the ICO decision notice is wrong as a matter of law, and the Tribunal judgment is wrong as a matter of law.

I have raised this issue before of public authorities, ICO and the Tribunal failing to deal with requests under the correct regime. I’m now minded to raise the issue formally with, at least, the ICO.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, FOIA, Information Commissioner, Information Tribunal

Tagged as , , ,

August 11, 2024 · 10:06 am

Soft opt in marketing for non-profits

Why can’t charities send speculative promotional emails and text messages to customers and enquirers, in circumstances where commercial organisations can? And should the law be changed?

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.

In simple and general terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, has the stringent requirements imposed by Article 4(11) and Article 7 of the UK GDPR.

(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)

The exception to the requirement to have the recipient’s consent is at regulation 22(3) of PECR, which says that the sender of the marketing communication does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

This exception to the general “consent required” rule has long (and probably unhelpfully) been known as the “soft opt in”.

The notable requirement for the soft opt in is, though, that the recipient’s contact details must have been collected in the course of the sale or negotiations for the sale of a product or service.

There are various types of non-profit organisation which may well correspond with, and wish to send promotional emails and text messages to individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.

The Information Commissioner’s Office (ICO) has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal upheld this approach as far back as in 2006, when the SNP appealed enforcement action by the ICO). (I happen to think that there’s still an interesting argument to be had about what “marketing” means in the PECR and data protection scheme, and at one end of that argument would be a submission that it implies a commercial relationship between the parties. However, no one has yet taken the issue – as far as I’m aware – to an appellate court.)

But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities, means that those charities (and political parties etc.) can’t send soft opt in communications.

The Data Protection and Digital Information Bill, which tripped and fell yards from the finishing line, when Mr Sunak, in a strategic master stroke, called the general election early, proposed, in clause 115, to extend the soft opt in where the direct marketing was “solely for the purpose of furthering a charitable, political or other non-commercial objective” of the sender.

Will the new Labour administration’s proposed Digital Information and Smart Data Bill revive the clause? The government’s background paper on the legislative agenda in the King’s Speech doesn’t refer to it, but that may be because it’s seen as a relatively minor issue. But, in fact, for many charities, the issue carries very significant implications for their operations and their ability effectively to fundraise.

It should be revived, and it should be enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under charities, Data Protection Bill, Information Commissioner, marketing, PECR, political parties

Tagged as , ,

August 8, 2024 · 6:38 am

Fly Me (three quarters of the way) To The Moon?

When the ICO’s annual report was published a few weeks ago, I noted the proliferation of flights taken by ICO staff (which have more than tripled from 2022/2023 to 2023/2024 (from 206 to 774)).

And now, I note a response by the ICO to a WhatDoTheyKnow FOI request asking for the number of (publicly funded) air miles the Information Commissioner himself has flown. The figure is pretty remarkable: 275,182 km, or 171,000 miles.

By my calculations that’s the equivalent of 75% of the way to the moon, or seven times round the world.

It is only fair to note that a large chunk of this consists of flights to the Commissioner’s home country, New Zealand. Anyone can be excused for wanting to visit home, and family.

But the ICO has an Environment Policy, which commits it to “minimising damaging environmental impacts which may arise from the conduct of our activity”, and the government which recommended his appointment to the Crown published its “Jet Zero” strategy only months after he had been appointed.

Did anyone at DCMS consider the environmental impact of appointing a Commissioner whose home is on the other side of the world? Is anyone at the ICO considering whether it is complying with its own Policy (and maybe just general environmental ethics) when racking up the numbers of flights?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under environment, Information Commissioner, Uncategorized

Tagged as

August 8, 2024 · 5:09 am

Blistering criticism for Home Office and ICO

[From a LinkedIn post]

A blistering judgment of the Information Tribunal upholding an FOI appeal by Bail for Immigration Detainees (BID) against the decision by the Information Commissioner’s Office (ICO) to uphold the Home Office’s refusal to disclose info about the process for deportation to Eritrea and Somalia (and by extension, the likelihood of deportees being either detained, or bailed, pending removal).

The request, about how many Emergency Travel Documents were requested, how many issued, how many people were then removed and how long this took, was refused by the HO on grounds that disclosure would be likely to harm international relations and would prejudice the operation of immigration controls.

The HO failed to reply to the ICO’s enquiries until served with a formal Information Notice. But the ICO then agreed that the exemptions were engaged.

The Tribunal did not agree.

The judgment notes the HO “made no effort to engage” with the appeals, and its evidence consisted of “thinly reasoned assertions, with no evidential support”, and

…we hope that the reasons were not meant to be comprehensive. It would betray a rather dim view by the Home Office of other countries’ governments to think that “many if not most” only care about money, and whether their citizens commit crimes or migrate unlawfully – as humans from all countries do.

To the extent the FOIA exemptions were engaged, the public interest test fell heavily in favour of disclosure. In the face of evidence from BID about levels of unlawful detention (in the form of the number of cases in which it had successfully appealed refusals of bail for detainees) the Tribunal observed that

For hundreds of years, the common law has demanded that administrative detention must be justified and be capable of proper challenge…The work done by BID, both on behalf of individuals and more broadly, supports that public interest. Disclosure…would help it to achieve those ends and avoid injustice.

There were minimal factors in favour of disclosure. In fact “it is difficult to conceive of a case concerning this exemption where the scales could be less weighted in favour of exemption”.

And, in closing, the Tribunal had a blast at the ICO, noting

our surprise that [he] thought it appropriate to accept the [HO’s] bare assertions, given the way in which it had responded to the previous requests described above and the compulsion required before it then properly engaged with these. In turn the…Decision Notices disclose no consideration of the various public interest factors carefully put forward by BID. A pattern of conduct has been established on the part of the [HO] that is within neither the spirit nor the letter of FOIA, and which can now be seen as having resulted in considerable delay together with expense of resources both on the part of the Tribunal and BID…We hope that future decisions will be reached after considerably more care and scrutiny.

Let’s see.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Home Office, Information Commissioner, Information Tribunal, LinkedIn Post

Tagged as , ,

August 7, 2024 · 6:11 pm

Who was the first ever DPO?

Prompted by a rather strange comment on LinkedIn, by someone who claimed they were the UK’s first DPO in 2007, and then claimed they meant “Data Privacy Officer” and not “Data Protection Officer” I thought I’d do some in-depth research into who might have been (you can thank Aaron Needham for setting the thought in my mind).

By, “in-depth” research, I mean half an hour or so on Google Books Advanced Search, so my findings are as authoritative as that would indicate. I would welcome others’ research.

As I mentioned on LinkedIn, NADPO, of which I am Chair, was founded in 1993, as the “National Association of Data Protection Officers”. The fact that its founder members thought it appropriate to create a national association of DPOs indicates that there were already a fair few of them around. And of course that was the case: the UK had had a Data Protection Act since 1984. Although that Act didn’t create a formal, statutory, role of DPO, it undoubtedly created the statutory scheme that gave rise to widespread adoption of the title, and the role.

And the UK was behind some other countries, in particular Germany. Although the person who might appear to be the world’s first DPO (or Datenschutzbeauftragter), Willi Birkelbach, is in fact more correctly characterised as the first Data Protection Supervisory Authority.

But who, you ask me, was the UK’s first DPO (and DPO proper)? Well, my friends, the earliest candidate I’ve so far managed to find, from an entry in the Commonwealth Universities Yearbook of 1979, was a certain “Halstead, J” of Lancaster University.

Therefore, unless or until someone comes up with a better candidate, I am going to bestow the title of the UK’s first DPO on J. Halstead.

It would be great to know more about them, as well, so if anyone has any info, I’d love to hear it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Officer, DPO, NADPO

Tagged as ,

July 30, 2024 · 7:19 am

Immunity from suit in data protection (and other) claims

[reposted from LinkedIn]

All too often, in my experience, public authorities might inadvertently disclose confidential information about one person to someone with whom that person is in dispute, or from whom that person is in danger. Typical examples are when a council discloses information about one resident to a neighbour, or when the police disclose information about a vulnerable person to their abusive partner.

This can also happen during the process of court proceedings.

There is a long-standing – and complex – common law concept of “immunity from suit”, which, in the very simplest and most general of terms, will prevent someone from being sued for something they say in court.

This judgment involves a fascinating, but headache-inducing, analysis of the different types of immunity from suit – witness immunity at court, advocate’s immunity at court, witness immunity before court, advocate’s immunity before court and legal proceedings immunity before court (which may apply to lawyers, police officers or administrative staff preparing a case for trial).

The background facts are grim: a woman fleeing from domestic violence was forced to flee from safe homes because twice her addresses were inadvertently disclosed (or at least indicated) to the perpetrator, against whom criminal proceedings were being brought – once by the police and once by the CPS.

The woman brought claims against both public authorities under the Human Rights Act 1998, the Data Protection Act 2018 and in misuse of private information. However, the defendants initially succeeded in striking the claims out/getting summary judgment (one part of the claim against the police was permitted to continue).

Mr Justice Richie upheld the appeal against the strike out/summary judgment, with rather a tour de force run through of the history and authorities on immunity (para 66 begins with the words “I start 439 years ago”).

In very short summary, he held that strike out/summary judgment had been inappropriate, because “the movement in the last 25 years in the appellate case law has been away from absolutism, towards careful consideration of whether the facts of each case actually do fit with the claimed ‘immunity’ by reference to whether the long-established justifications for the immunity apply” (at 106). In the examples here, it was at least arguable that immunity was being claimed not over evidence in the case, but “extraneous or peripheral or administrative matters”. The judge should have applied a balancing exercise to the facts to decide whether immunity applied: she had failed to do so, and had not been entitled to determine that there was no arguable claim

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under compensation, damages, Data Protection Act 2018, human rights, judgments, LinkedIn Post, litigation, misuse of private information, police

Tagged as , , , ,

July 20, 2024 · 9:11 pm

Crowdstrike and personal data breaches: loss vs unavailability

I ran a poll on LinkedIn in recent days which asked “If a controller temporarily can’t access personal data on its systems because of the Crowdstrike/MSFT incident is it a personal data breach?” 

I worded the question carefully.

50% of the 100-odd people who voted said “no” and 50% said “yes”. The latter group are wrong. I say this with some trepidation because there are people in that group whose opinion I greatly respect. 

But here’s why they, and, indeed, the Information Commissioner’s Office and the European Data Protection Board, are wrong.

Article 4(12) of the GDPR/UK GDPR defines a “personal data breach”. This means that it is a thing in itself. And that is why I try always to use the full term, or abbreviate it, as I will here, to “PDB”. 

This is about the law, and in law, words are important. To refer to a PDB as the single word “breach” is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms “personal data breach” and “breach”. In English, at least, and in English law, the word “breach” will often be used to refer to a contravention of a legal obligation: a “breach of the law”. (And in information security terminology, a “breach” is generally used to refer to any sort of security breach.) But a “breach” is not coterminous with a “personal data breach”.

And a PDB is not a breach of the law: it is a neutral thing. It is also crucial to note that nowhere do the GDPR/UK GDPR say that there is an obligation on a person (whether controller or processor) not to experience a PDB, and nowhere do GDPR/UK GDPR create liability for failing to prevent one occurring. This does not mean that where a PDB has occurred because of an infringement of other provisions which do create obligations and do confer liability (primarily Article 5(1)(f) and Article 32) there is no potential liability. But not every PDB arises from an infringement of those provisions.

The Article 4(12) definition is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Let us break that down:

  • A breach of security…
  • leading to [one or more of]
  • accidental or unlawful…
  • 1. destruction of…
  • 2. loss of…
  • 3. alteration of…
  • 4. unauthorised disclosure of…
  • 5. unauthorised access to…
  • personal data processed.

If an incident is not a breach of security, then it’s not a PDB. And if it is a breach of security but doesn’t involve personal data, it’s not a PDB. But even if it is a breach of security, and involves personal data, it’s only a PDB if one of the eventualities I’ve numbered 1 to 5 occurs.

Note that nowhere in 1 to 5 is there “unavailability of…” or “loss of access to…”. 

Now, both the ICO, and the EDPB, read into the words “loss of…personal data…” the meaning, or potential meaning “loss of availability of personal data”. But in both cases they appear to do so in the context of saying, in terms, “loss of availability is Article 4(12) ‘loss’ because it can cause harm to data subjects”. I don’t dispute, and nor will many millions of people affected by the Crowdstrike incident, that unavailability of personal data can cause harm. But to me, “loss” means loss: I had something, and I no longer have it. I believe that that is how a judge in the England and Wales courts would read the plain words of Article 4(12), and decide that if the legislator had intended “loss” to mean something more than the plain meaning of “loss” – so that it included a meaning of “temporary lack of access to” – then the legislator would have said so. 

Quite frankly, I believe the ICO and EDPB guidance are reading into the plain wording of the law a meaning which they would like to see, and they are straining that plain wording beyond what is permissible.

The reason, of course, that this has some importance is that Article 33 of the GDPR/UK GDPR provides that “in the case of” (note the neutral, “passive” language) a PDB, a controller must in general make a notification to the supervisory authority (which, in the UK, is the ICO), and Article 34 provides that where a PDB is likely to result in a high risk to the rights and freedoms of natural persons, those persons should be notified. If a PDB has not occurred, no obligation to make such notifications arises. That does not mean of course, that notifications cannot be made, through an exercise of discretion (let’s forget for the time being – because they silently resiled from the point – that the ICO once bizarrely and cruelly suggested that unnecessary Article 33 notifications might be a contravention of the GDPR accountability principle.)

It might well be that the actions or omissions leading to a PDB would constitute an infringement of Articles 5(1)(f) and 32, but if an incident does not meet the definition in Article 4(12), then it’s not a PDB, and no notification obligation arises. (Note that this is an analysis of the position under the GDPR/UK GDPR – I am not dealing with whether notification obligations to any other regulator arise.)

I can’t pretend I’m wholly comfortable saying to 50% of the data protection community, and to the ICO and EDPB, that they’re wrong on this point, but I’m comfortable that I have a good arguable position, and that it’s one that a judge would, on balance agree with. 

If I’m right, maybe the legislator of the GDPR/UK GDPR missed something, and maybe availability issues should be contained within the Article 4(12) definition. If so, there’s nothing to stop both the UK and the EU legislators amending Article 4(12) accordingly. And if I’m wrong, there’s nothing to stop them amending it to make it more clear. In the UK, in particular, with a new, energised government, a new Minister for Data Protection, and a legislative agenda that will include bills dealing with data issues, this would be relatively straightforward. Let’s see.

And I would not criticise any controller which decided it was appropriate to make an Article 33 notification. It might, on balance, be the prudent thing for some affected controllers to do so. The 50/50 split on my poll indicates the level of uncertainty on the part of the profession. One also suspects that the ICO and the EU supervisory authorities might get a lot of precautionary notifications.

Heck, I’ll say it – if anyone wants to instruct me and my firm to advise, both on law and on legal strategy – we would of course be delighted to do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, EDPB, GDPR, Information Commissioner, Let's Blame Data Protection, LinkedIn Post, personal data breach, UK GDPR

Tagged as , ,

July 19, 2024 · 8:18 pm

Yes, Minister for Data Protection

This is important news for data protection lawyers and practitioners. And indeed for data subjects. The government has created a role of Minister of State for Data Protection and Telecomms, and has appointed Sir Chris Bryant as the first post-holder.

He will have responsibility for Digital infrastructure and telecoms, Building Digital UK (BDUK), Data protection, including the “Data Bill” (does this mean the Digital Information and Smart Data (DISM) Bill, or something else to come down the line?), the Information Commissioner’s Office (ICO), Digital inclusion, and
Space sector growth and UK Space Agency (UKSA).

In debates on the Data Protection and Digital Information Bill Bryant, then the Shadow Culture secretary, supported the proposed reforms to the ICO and provisions on digital verification and smart data (which have been revived now in the DISM Bill), but opposed what Labour saw as attempts by the then government to water down subject access rights, and opposed extending the PECR soft opt-in to political party marketing. He also expressed notable concerns about the proposal to confer wide powers on DWP to get information from financial service providers.

In those debates, Bryant said that Labour wanted a law which “would unlock the new potential for data that improves public services, protects workers from data power imbalances and delivers cutting-edge scientific research, while also building trust for consumers and citizens”.

Perhaps a bit platitudinous (would anyone disagree with that desire?) but also perhaps an indication of the tone he will want to set in this new role.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, political parties

Tagged as

July 18, 2024 · 4:21 am

FOIA appeals in the UT: when is there an “error of law”?

Here is a good and interesting judgment in the Upper Tribunal from Judge Citron, on a Freedom of Information Act 2000 (FOIA) case arising from defects in the 2019 “11+” exam run by The Buckinghamshire Grammar Schools (TBGS), with test materials designed and supplied by a third party – GL Assessment Limited. TBGS, as a limited company made up of a consortium of state schools, is a public authority under s6(1)(b) FOIA (by way of s6(2)(b)).

The FOI request was, in broad terms, for the analysis that had subsequently been conducted into the defects, and the statistical solution that had been adopted.

TBGS had refused the request on grounds including that disclosure of the requested information would be an actionable breach of confidence. The ICO upheld this, and, on appeal, the First-tier Tribunal agreed, although only by a majority decision (the dissent was on the part of the judge, and it’s worth reading his reasons, at 85-90 of the FTT judgment).

Possibly bolstered by the vehemence of that dissenting view of the FTT judge, the applicant appealed to the Upper Tribunal.

Judge Citron’s judgment is a measured one, addressing how an appellate court should approach an argument to the effect that there was an error of law at first instance, with a run-through, at 35, of the authorities (unfortunately, from that point, the paragraph numbering goes awry, because the judgment, at “67”, follows the numbering of the judgment it has just quoted).

Judge Citron twice notes that a different FTT might have approached the facts and the evidence in a different way, and weighted them differently, but

that is no indicator of the evaluative judgement reached being in error of law…The question is whether the evaluative judgement…was one no reasonable tribunal could have reached on the evidence before it; it whether some material factor was not taken into account. I am not persuaded.

Therefore, the FTT had made no material error in dismissing the appeal.

A final note. This was a judgment on the papers, but – remember – the Information Commissioner will always be a party to FOIA cases, because it is his decision that is at issue. In this instance, the Commissioner chose not to participate. Paragraph 32 records that he was “directed” to make a response to the appeal, but did not. If this correctly records a failure by the Commissioner to comply with a direction of the court, it is surprising there’s no note of disapproval from the judge.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under FOIA, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as , ,

July 16, 2024 · 8:34 am

“Mom, we have discussed this”

A few years ago Gwyneth Paltrow’s daughter Apple took to social media to gently berate her mother for posting an image (not this one) which included her: “You may not post anything without my consent”. I’ve no idea whether Apple has other fine qualities, but I admired her approach here.

I was reminded of it by the – also admirable – approach by the Prime Minister and his wife to their two children’s privacy. Remarkably, it appears that their names and photographs have so far been kept from publication. It’s doubtful that will be able to continue forever (in any case, the children are at or coming to an age where they can take their own decisions) but I like the marked contrast with how many senior politicians co-opt their children into their campaigning platform.

One of the concerns of the legislator, when GDPR was being drafted, was children’s rights: recital 65 specifically addresses the situation of where a child has consented to publication of their data online, but later wants it removed.

Although Gwyneth Paltrow’s publishing of her child’s image would likely have been out of the material scope of GDPR under Article 2(2)(a) (and quite possibly out of its territorial scope) the thrust of recital 38 should apply generally: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”.

[Image licensed under CC BY-NC 4.0, creator not stated. Image altered to obscure children’s faces]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under children, consent, Data Protection, GDPR, Privacy, UK GDPR

Tagged as , ,