Tag Archives: data protection

Betting and Gaming GDPR Code of Conduct proposed

A new piece on the Mishcon de Reya website, co-authored by me, on a proposed Article 40 Code (one of the first) prepared by the European Gaming and Betting Association.

Filed under Code of Conduct, Data Protection, EDPB, GDPR

There’s nothing like consistency

A tale of two Member States, and two supervisory authorities.

First, the Belgian Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).

Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO) is its Head of Risk and Governance.

Let’s speculate –

Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?

Would the Belgian DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions”).

What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?

Does it matter, given Brexit?

And if it doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?

No answers, folks, just questions.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under adequacy, Brexit, consistency, Data Protection, Europe, GDPR, Information Commissioner

High Court – subject access, breach of confidence and the offence of reidentification

An interesting case is being heard in the High Court, arising from an apparent error whereby, in responding to a subject access request (SAR), the London Borough of Lambeth allowed the recipient (and now defendant) data subject to electronically manipulate the information sent to him. This in turn enabled him to remove redactions, and identify someone who had made allegations against him and his wife (about the care they were providing to their child).

This is a nightmare scenario for a controller – to inadvertently disclose extremely sensitive information, while responding to a SAR. In this instance, Lambeth have now brought a claim in breach of confidence against the defendant data subject, on the grounds that: the data was provided to the data subject in circumstances where he knew it was confidential; that he breached that confidentiality by unredacting the data, retaining an unredacted copy of the file, using the evidence to write a pre-action letter to the person who made allegations against him and his wife and threatening to bring court proceedings against them based on the information; and that it is integral to the work of Children’s Services that people who bring to its attention instances of perceived inadequate care or neglect of children are able to do so under conditions of confidentiality and can be assured that their confidentiality will be respected.
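The failure mode at the heart of this case – a redaction that is painted over the text rather than removed from it – is one a controller can test for before a SAR bundle leaves the building. What follows is an added example, not code from the original post, from Lambeth or from the ICO: it builds two small constructed PDFs in memory (one with a black box drawn over a name while the text operator is left in place, one where the name was removed from the content stream before the box was drawn) and reports whatever protected text is still recoverable from the page content streams. The object layout, the sample sentence and the name “Jane Doe” are all made up for the demonstration.

```python
import re
import zlib

# A stream dictionary with its /Length, immediately followed by the stream data.
# Simplification: /Length must be a direct integer, not an indirect reference.
STREAM_RE = re.compile(rb"<<([^>]*/Length\s+(\d+)[^>]*)>>\s*stream\r?\n")
# Literal strings used as operands of the Tj / TJ text-showing operators.
# Simplification: no escape sequences, hex strings or custom font encodings.
LITERAL_RE = re.compile(rb"\(([^()]*)\)")


def build_pdf(content: bytes, compress: bool = True) -> bytes:
    """Wrap a page content stream in a minimal one-page PDF.
    Constructed fixture only: no xref table, which this checker does not need."""
    if compress:
        body, filt = zlib.compress(content), b"/Filter /FlateDecode "
    else:
        body, filt = content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(body) + body + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_text(pdf: bytes) -> str:
    """Collect every literal string drawn in the content streams, inflating
    FlateDecode streams with zlib. Bytes are decoded as Latin-1."""
    pieces = []
    for match in STREAM_RE.finditer(pdf):
        dictionary, length = match.group(1), int(match.group(2))
        data = pdf[match.end():match.end() + length]
        if b"/FlateDecode" in dictionary:
            data = zlib.decompress(data)
        pieces.extend(LITERAL_RE.findall(data))
    return " ".join(p.decode("latin-1") for p in pieces)


def find_leaks(pdf: bytes, protected) -> list:
    """Return the protected terms that are still recoverable from the text layer."""
    text = extract_text(pdf)
    return [term for term in protected if term in text]


# Constructed sample text: a referral note naming the person who raised concerns.
OVERLAY_REDACTION = (
    b"BT /F1 12 Tf 72 700 Td (Concern raised by Jane Doe, a neighbour) Tj ET\n"
    b"0 g 168 696 60 16 re f\n"  # black box painted over the name; text kept
)
TRUE_REDACTION = (
    b"BT /F1 12 Tf 72 700 Td (Concern raised by ) Tj ET\n"
    b"0 g 168 696 60 16 re f\n"  # name removed from the stream before boxing
    b"BT /F1 12 Tf 232 700 Td (, a neighbour) Tj ET\n"
)


def demo() -> dict:
    """Run the check over both fixtures; only the overlay version leaks."""
    protected = ["Jane Doe"]
    return {
        "overlay": find_leaks(build_pdf(OVERLAY_REDACTION), protected),
        "removed": find_leaks(build_pdf(TRUE_REDACTION), protected),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the leaked terms for each fixture: the overlay version still yields “Jane Doe”, the true redaction yields nothing. The check only looks at literal strings in page content streams; a pre-release check on a real bundle would also need to cover annotations, document metadata, embedded files, form fields and the OCR text layer of scanned pages, and should be run on the exact bytes that are about to be sent rather than on a working copy.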

The instant proceedings were primarily concerned with a strike-out application by the defendant data subject, on the grounds of non-compliance by Lambeth with its (litigation) disclosure obligations. This application was roundly dismissed, and the matter will proceed to trial.

But of particular note is that, notwithstanding that the original error was Lambeth’s, it was revealed in the proceedings that the Information Commissioner’s Office (ICO) is also prosecuting the defendant data subject on charges of committing the offences of knowingly or recklessly re-identifying de-identified personal data, without the consent of the data controller, and knowingly or recklessly processing re-identified personal data, without the consent of the data controller. These are new offences created by sections 171(1) and 171(5) of the Data Protection Act 2018, and, when that Act was passed, it appeared that the mischief the provisions sought to address was the risk of hackers and fraudsters attempting to identify data subjects from large datasets (see the debates at Bill stage). It will be interesting to see if the ICO’s prosecution here results in a conviction. But it will also be interesting to see if ICO considers similar prosecutions in other circumstances. Although there is a public interest defence (among others) to section 171 charges, it is not an uncommon occurrence for public authorities (particularly) to inadvertently disclose or publish information with imperfect redactions. It certainly appears, on a plain reading of section 171, that someone re-identifying de-identified personal data (even if, say, for idle reasons of curiosity) might not always be able to avail themselves of the public interest defence.

And what is unsaid in the judgment is whether Lambeth are facing any sort of civil or regulatory action from the ICO, arising from their error in sending the imperfectly redacted information in the first place.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under anonymisation, Data Protection, Data Protection Act 2018, Information Commissioner, local government, subject access

ICO – report a data breach to us, and we might take action against you

Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law, when it says:

Over reporting breaches which have not been appropriately risk assessed in terms of their impact on the data subject may be seen as evidence of failing to comply with the GDPR accountability principle. This can also result in regulatory action.

I don’t know about you, but I think that’s a pretty extraordinary statement.

Of course, controllers should assess whether, as an exception to the general obligation, they are not required to make a notification, on the grounds that the personal data breach (defined at Article 4(12) of GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) is unlikely to result in a risk to the rights and freedoms of natural persons. Such a risk assessment (because that’s what it is) will be, though, a nuanced challenge. What, after all, constitutes a likely “risk to the rights and freedoms of natural persons”? Although recital 85 to GDPR gives some clues, it still leaves much to be determined on the facts:

…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

Article 83 makes a failure to notify, in circumstances where one should notify, an infringement with a maximum administrative fine attached of €10m or 2% of global annual turnover (whichever is higher). Is it any surprise then, that some controllers might have taken what they thought to be a cautious, or precautionary, approach, and notified ICO of personal data breaches even when they weren’t sure it was necessary to do so?

Although the ICO has been suggesting for some time that controllers have been too keen to make personal data breach notifications, the web page in question appears to have only very recently been amended to say this (an archived version from as recently as 31 May 2020 lacks the wording). And it seems to me a little bit mean-spirited (and potentially confusing to some controllers) to start threatening the use of sanctions against those who are making a regulatory notification in good faith.

In fact, I’m not at all sure that – as ICO suggests – it is potentially an infringement of the Article 5(2) obligation (by which a controller shall be responsible for, and be able to demonstrate compliance with, the Article 5(1) principles) to make a notification without properly assessing risk. And to say that it is such an infringement, is – I submit – stretching the accountability principle further than, in other circumstances, ICO would expect it to be stretched.

And don’t start thinking about whether an excessive notification of a personal data breach is a personal data breach which requires notification. That way madness (or is it Wilmslow?) lies.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Breach Notification, Data Protection, GDPR, Information Commissioner

Yet more delays to proposed ICO BA and Marriott fines

I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

COVID-19 and ICO’s proposed fines for BA and Marriott

I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

DSARs – the clock doesn’t stop for clarification of a request

A thread on Twitter by solicitor Martin Sloan has drawn attention to a change to official guidance on the question of when a subject access request (pursuant to Article 15 of the General Data Protection Regulation (GDPR)) “starts”, in circumstances where a controller processes large amounts of data and asks the data subject to specify what information is sought.

Recital 63 of GDPR says that where a controller processes “a large quantity of information concerning the data subject [it] should be able to request that, before the information is delivered, the data subject specify the information or the processing activities to which the request relates”. This certainly seems to suggest that it is only when the controller is ready to “deliver” the information (i.e. when it has already searched for and retrieved it) that it can ask for the request to be, in effect, narrowed down.

However, guidance from the Information Commissioner’s Office (ICO) used to say* “If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request. You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information” (emphasis added). This was similar to the position which obtained under the prior Data Protection Act 1998, which provided that a controller was not obliged to comply with a request unless it was supplied with such information as was reasonably required to locate the information which the data subject sought.

But the ICO now says: “If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month” (emphasis also added).

The change appears to be correct as a matter of law (by reference to recital 63), but it is possible that it may lead to an increase in reliance by controllers on Article 12(3), which potentially allows an extension to the one-month period for compliance if a request is complex.

The new wording is contained in the ICO’s draft detailed guidance on subject access requests, which is currently out for consultation. One presumes the ICO thought this particular change was sufficiently important to introduce it in advance, but it is rather surprising that no announcement was made.

[UPDATE: Martin has now got a piece on Brodies’ own website about this].

[*the link here is to an archived page].

Filed under Data Protection, GDPR, Information Commissioner, subject access

€9.5m GDPR fine to German telco for insecure customer authentication

Another post by me on the Mishcon de Reya website – the German federal data protection authority (which supervises telecoms providers) issued the fine for Article 32 failings, after callers could obtain further information about a customer by giving only the customer’s name and date of birth.

Filed under Data Protection, Europe, GDPR, monetary penalty notice

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

First prosecution under DPA 2018?

The Information Commissioner has successfully prosecuted a former Social Services Support Officer at Dorset County Council for an offence under section 170 of the Data Protection Act 2018 – I think that this is the first such prosecution under the 2018 Act. Section 170 is in broadly similar terms to section 55 of the Data Protection Act 1998, under which any number of prosecutions were brought for unlawfully obtaining (etc) personal data without the consent of the controller.

Just as the 1998 Act did, the 2018 Act reserves such prosecutions to the Commissioner (except that they may also be brought by or with the consent of the Director of Public Prosecutions – see s197 of the 2018 Act).

What we have not yet seen is a prosecution of the “new” offence at section 170(1)(c) of retaining personal data (after obtaining it) without the consent of the person who was the controller when it was obtained. This is a most interesting provision – I have wondered whether the mischief it aims to address is that which arises when someone inadvertently obtains personal data (perhaps as a result of a mistake by the controller) but then refuses to hand it back. This is not an infrequent occurrence, and powers at civil law to address the issue are potentially complex and expensive to exercise. It will be interesting to see whether prosecutions in this regard emerge in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner