I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?
Tag Archives: GDPR
I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.
A thread on Twitter by solicitor Martin Sloan has drawn attention to a change to official guidance on the question of when a subject access request (pursuant to Article 15 of the General Data Protection Regulation (GDPR)) “starts”, in circumstances where a controller processes large amounts of data and asks the data subject to specify what information is sought.
Recital 63 of GDPR says that where a controller processes “a large quantity of information concerning the data subject [it] should be able to request that, before the information is delivered, the data subject specify the information or the processing activities to which the request relates”. This certainly seems to suggest that it is only when the controller is ready to “deliver” the information (i.e. when it has already searched for and retrieved it) that it can ask for the request to be, in effect, narrowed down.
However, guidance from the Information Commissioner’s Office (ICO) used to say* “If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request. You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information” (emphasis added). This was similar to the position which obtained under the prior Data Protection Act 1998, which provided that a controller was not obliged to comply with a request unless it was supplied with such information as was reasonably required to locate the information which the data subject sought.
But the ICO now says: “If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month” (emphasis also added).
The change appears to be correct as a matter of law (by reference to recital 63), but it is possible that it may lead to an increase in reliance by controllers on Article 12(3), which potentially allows an extension to the one month period for compliance if a request is complex.
The new wording is contained in the ICO’s draft detailed guidance on subject access requests, which is currently out for consultation. One presumes the ICO thought this particular change was sufficiently important to introduce it in advance, but it is rather surprising that no announcement was made.
[UPDATE: Martin has now got a piece on Brodies’ own website about this].
[*the link here is to an archived page].
On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott
Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.
I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said
one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.
With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that
Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year
Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.
Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.
I have a new post on the Mishcon de Reya website, drawing attention to a change from draft to agreed EDPB guidance which might make being a GDPR representative much more attractive.
I have a post on the Mishcon de Reya website, on an odd, but potentially very significant, change of position by the Information Commissioner’s Office, when it comes to calculating GDPR time limits for data subject requests.
Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.
(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)
In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.
However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.
So if GDPR is likely to apply, what are the considerations?
Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).
But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it
is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].
Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).
The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).
It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.
Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.