Tuesday 27 March 2018

Information Commissioner's Charges after GDPR

[Image: Bank of England. Author: Adrian Pingstone. Licence: copyright waived by owner. Source: Wikipedia]
Jane Lambert

The General Data Protection Regulation ("GDPR") imposes a number of new obligations on data controllers but it does not require them to pay any money unlike the Data Protection Act 1984 and the Data Protection Act 1998.  A small but very welcome concession in exchange for responsibilities that will increase the costs of compliance one might have thought.

Fat chance! Our own Parliament has passed the Digital Economy Act 2017, section 108 (1) of which enables the Secretary of State to make regulations that "require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner." The government has now published draft regulations under that provision, known as The Data Protection (Charges and Information) Regulations 2018, which will come into effect on 25 May 2018. The Explanatory Note states that they will replace The Data Protection (Notification and Notification Fees) Regulations 2000 SI 2000 No 188.

According to the Information Commissioner's press release, this legislation has been enacted because the government has a statutory duty to ensure that the Information Commissioner's Office is adequately funded (see New model announced for funding the data protection work of the Information Commissioner's Office 21 Feb 2018 ICO's News and Blogs). They have a point there. I for one was heartened by photos of ICO investigators doing their job in relation to recent personal data misuse allegations (see Investigators complete seven-hour Cambridge Analytica HQ search 24 March 2018 The Guardian).

The amount of the new charges is set out in reg 3 (1):

"For the purposes of regulation 2 (2), the charge payable by a data controller in—
(a) tier 1 (micro organisations), is £40;
(b) tier 2 (small and medium organisations), is £60;
(c) tier 3 (large organisations), is £2,900."

To qualify as a "micro organisation" a business must:
(i) have a turnover of less than or equal to £632,000 for the data controller's financial year,
(ii) have no more than 10 members of staff;
(iii) be a charity, or
(iv) be a small occupational pension scheme.

As micro organisations will be offered a £5 discount if they pay by direct debit, the new rules will not increase their payments at all if they take advantage of the concession. For businesses in tier 3 there will be a massive increase from £500 to £2,900 per year. The new rates are intended to reflect the relative risk for each category of data controller.

Anyone wishing to discuss these rules or data protection in general should call me on 020 7404 5252 during office hours or send me a message through my contact form.

Friday 23 March 2018

Consent to Processing of Personal Data

[Image. Author: The Opte Project. Licence: CC BY 2.5. Source: Wikimedia Commons]
Jane Lambert

One of the questions I am asked most frequently whenever I give a talk on the General Data Protection Regulation ("GDPR") is whether it is necessary to seek renewed consent from existing subscribers to newsletters and other services. That ties up with something else that has happened over the last few days. I have received several requests to renew subscriptions to newsletters and other online services that I have used for years.

The reason for that most frequently asked question is that art 5 (2) of the Regulation requires data controllers not only to comply with the data protection principles (which have existed in one form or another in every previous data protection statute, as well as in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) but also to demonstrate compliance with those principles. The first of those principles is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Art 6 (1) of the GDPR provides six grounds for the lawful processing of personal data, one of which is that "(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes" (art 6 (1) (a) GDPR). Data controllers have focused on that ground because it is the easiest to prove.

However, such consent must be freely given, specific, informed and unambiguous. Art 7 (1) provides:

"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."

Art 7 (4) adds:

"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

Paragraph 32 of the recitals explains the policy for this requirement:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

To ensure that the consent is informed, paragraph 42 adds:

"Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

Paragraph 43 adds:

"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."

Pausing there, it is clear from paragraph 42 of the recitals that consent does not have to be in writing, but it does have to be recorded if it is to be proved. Art 7 (2) indicates that consent can be sought on a form that contains other matter. However, if it is, the part relating to consent must be clear and cover all the purposes for which the data is to be processed. If the data are to be processed for more than one purpose, then the data subject's consent must be obtained separately for each of those purposes. Art 7 (3) of the GDPR entitles a data subject to withdraw his or her consent at any time. Data subjects should be advised of their right to withdraw their consent before they give it. It should not be more difficult to withdraw consent than it is to give consent. Where the data controller and data subject have unequal bargaining power, the data controller should avoid using (or even giving the impression of using) its leverage to extract a data subject's consent.

Nothing in the GDPR suggests that consent has to be obtained or renewed specifically to comply with the Regulation, but any consent that has been obtained in the past must have met the Regulation's conditions. Indeed, paragraph 171 of the recitals states that where processing is based on consent pursuant to the existing law, it is not necessary for the data subject to give his or her consent again if the manner in which the consent was given is in line with the conditions of the GDPR, so as to allow the controller to continue such processing after the date of application of the Regulation.

The last sentence of art 7 (2) provides:

"Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding."

In other words, a data controller cannot rely on a data subject's consent as a defence to any administrative action, civil claim or criminal prosecution unless the above conditions have been complied with. On the other hand, if a data subject who has validly given his or her consent subsequently withdraws it, art 7 (3) makes clear that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

If a data subject is under the age of 16 (or such other age between 13 and 16 as a member state may set), art 8 (1) requires consent to be obtained from the person having parental responsibility for that data subject. Art 8 (2) requires the data controller to make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Anyone wishing to discuss this article or data protection in general should call me on +44 (0)20 7404 5252 during office hours or message me through my contact form.