Tag Archives: data protection

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice

Data protection and legal knowledge – it cuts both ways

In his recent annual COMBAR lecture, the Chancellor of the High Court, Sir Geoffrey Vos, said

an insight into the law relating to data and data protection should be one of the most important specialisms in the armoury of a modern commercial lawyer

To which I say, “spot on, Sir Geoffrey”. As he goes on to add

Whilst many glaze over at the mention of “data protection”, it will become something that every lawyer at all levels will need to understand and advise upon

Ignore the cruel jibe – he is right, or almost so: in fact lawyers at all levels should already be understanding and advising on data protection.

But it cuts both ways – those who are not qualified lawyers, but who practise in the area of data protection, need to understand its basis in law. Too often one sees non-lawyer practitioners failing to ground their advice in the legal definitions and statutory principles, and being unaware of prior court decisions, or the concept of stare decisis itself, or even how to navigate a statute.

I’m not here to recommend any particular provider, or offering, but I will say that all lawyers could benefit from good training in at least data protection, and all data protection practitioners could benefit from good training in the basics of the law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Uncategorized

No direct liability under GDPR for representatives, says EDPB

I have a new post on the Mishcon de Reya website, drawing attention to a change from draft to agreed EDPB guidance which might make being a GDPR representative much more attractive.

Leave a comment

Filed under EDPB, EU representative, Europe, GDPR

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner

Blagging as academic research

A white paper on GDPR subject access rights, presented at the Blackhat USA 2019 conference, got a lot of UK media coverage recently. Less discussion was had, however, about whether the research raised questions about the ethics and legality of “blagging”.

The paper, by Oxford University DPhil researcher James Pavur and Casey Knerr, talked of “Using Privacy Laws to Steal Identities” and describes Pavur’s attempts to acquire another person’s (Knerr’s) data, by purporting to be that person and pretending to exercise their access rights under Article 15 of the General Data Protection Regulation (GDPR). It should be emphasised that Knerr was fully acquiescent in the exercise.

Pavur and Knerr’s paper has a section entitled “Ethical and legal concerns” but what it notably fails to address is the fact that deliberately obtaining personal data without the consent of the controller is potentially a criminal offence under UK law.

Since 1998 it has been an offence to deliberately obtain personal data by deception, with defences available where the obtaining was, for instance, justified as being in the public interest. The Data Protection Act 2018 introduces, at section 170, a new defence where the obtaining is for academic purposes, with a view to publication and where the person doing the obtaining reasonably believes that it was justified in the public interest. Previously, this defence was only available where the obtaining was for the “special purposes” of journalism, literature or art.

It would certainly appear that Pavur obtained some of the data without the consent of the controller (the controller cannot properly be said to have consented to its disclosure if it was effected by deception – indeed, such is the very nature of “blagging”), but it also appears that the obtaining was done for academic purposes and with a view to publication and (it is likely) in the reasonable belief that the obtaining was justified in the public interest.

However, one would expect that prior to conducting the research, some analysis of the legal framework would have revealed the risk of an offence being committed, and that, if this analysis had been undertaken, it would have made its way into the paper. Its absence makes the publicity given to the paper by Simon McDougall, of the Information Commissioner’s Office (ICO), rather surprising (McDougall initially mistakenly thought the paper was by the BBC’s Leo Kelion). Because although Pavur (and Knell) could almost certainly fall back on the “academic purposes” defence to the section 170 offence, a fear I have is that others might follow their example, and not have the same defence. Another fear is that an exercise like this (which highlights risks and issues with which controllers have wrestled for years, as Tim Turner points out in his excellent blogpost on the subject) might have the effect of controllers becoming even more keen to demand excessive identification credentials for requesters, without considering – as they must – the proportionality of doing so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner

ICO change to guidance on Subject Access Request time limits

I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.

ICO change to guidance on Subject Access Request time limits

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner

Information Tribunal rejects data subject appeals under new Data Protection Act

The Information Tribunal has recently heard the first applications under the Data Protection Act 2018 for orders regarding the Information Commissioner’s handling of data protection complaints. As I write on the Mishcon de Reya website, the Tribunal has peremptorily dismissed them.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, Information Tribunal

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Leave a comment

Filed under consent, Data Protection, HMRC, Information Commissioner

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency