Monday, 11 December 2017

Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998

Image: Morrisons' head office in Bradford (author Michael Ely)
Jane Lambert

Queen's Bench Division (Mr Justice Langstaff) Various Claimants v Wm Morrisons Supermarkets Plc (Rev 1) [2017] EWHC 3113 (QB) (1 Dec 2017)

On 12 Jan 2014 a disgruntled member of the staff of Wm Morrison Supermarkets plc posted a file containing the personal details of nearly 100,000 of the company's employees on a file sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. The person responsible was caught, prosecuted and sentenced to 8 years' imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first a trial on liability and, if necessary, an assessment of damages.

The trial on liability came on before Mr Justice Langstaff, who decided that although Morrisons was not primarily liable for breaches of statutory duty, breach of confidence or misuse of personal information, it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his end, which was to injure his employer, but the claimants had suffered and were entitled to be compensated. I shall analyse his judgment in a longer case note in NIPC Law.

It is likely that a similar conclusion would have been reached under the General Data Protection Regulation. Art 5 (1) of the GDPR requires the controller to be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data, just as s.4 (4) requires a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. The definition of data controller under the GDPR is broadly the same as in the Act and Directive 95/46/EC. Art 82 (1) of the GDPR entitles any person who has suffered material or non-material damage as a result of an infringement of the regulation to receive compensation from the controller or processor for the damage suffered. Nothing in the GDPR would affect our rules on vicarious liability.

Anyone who wishes to discuss this article or data protection in general should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Thursday, 7 December 2017

GDPR - Fines
Jane Lambert

This is the last of my articles on the GDPR for the time being. I have decided to discuss fines because it is one of the topics that has received most publicity recently. The prospect of eye-watering fines has been used by some to raise awareness of data protection and to encourage good practices, which must be good, but it has also been used more cynically to boost sales of systems and services that may or may not be needed, which is not so good.

Art 24 of the Data Protection Directive required member states to "adopt suitable measures to ensure the full implementation of the provisions" of the directive and, in particular, to lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to the directive. However, it left it to the authorities in the member states to lay down what those sanctions should be. In the UK, the Information Commissioner has power to impose monetary penalties under s.55A of the Data Protection Act 1998. S.55A (1) provides:
"The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
(a) there has been a serious contravention of section 4 (4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies."
S.55A (2) applies if the contravention was deliberate and s.55A (3) if the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. S.55A (5) limits the amount of the monetary penalty to "the prescribed amount" which is set at £500,000 by reg 2 of The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010 No 31). The Commissioner has given some guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998. The Information Commissioner will continue to have the power to impose fines under art 58 (2) (i) of the GDPR in accordance with guidelines to be drawn up by the European Data Protection Board (a body consisting of representatives of the EU and national data protection supervising authorities) pursuant to art 70 (1) (k).

The Information Commissioner's power to fine will increase greatly as a result of art 83 of the GDPR. She will have power to impose administrative fines of up to €20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, in the circumstances prescribed in art 83 (5). However, any fine that she does impose under that provision must be effective, proportionate and dissuasive. Paragraph (148) of the recitals provides the following guidance as to how the power to fine should be exercised:
"In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."
Paragraph (150) provides the following additional guidance:
"In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation."
The representatives of the national data protection supervising authorities who will constitute the European Data Protection Board after 25 May 2018 adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 on 3 Oct 2017, which can be downloaded from the What's New section of the Information Commissioner's website.

Art 85 (2) provides that administrative fines shall be imposed in addition to, or instead of, the other sanctions that are available to the Information Commissioner under art 58 (2). When deciding whether or not to impose an administrative fine and, if so, the amount, due regard must be given to the following considerations:
"(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
In other words, only the most egregious infringements are likely to attract the heaviest fines. Art 85 (4) limits the fine for certain infringements, such as failure to obtain the appropriate consent in relation to a child, to €10 million or 2% of turnover. In the case of all others, the maximum penalty is €20 million or 4%.

It is important to note that art 83 (8) GDPR subjects the exercise by the Information Commissioner of her powers to "appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process." In other words, the Commissioner will have to follow due process when imposing a fine and there will be a right of appeal against her decisions, probably to the General Regulatory Chamber and from there to the civil courts. Also, for so long as the UK remains in the European Union, points of EU law can be referred to the Court of Justice of the European Union.

Should anyone wish to discuss this article, fines, the GDPR or data protection generally he or she should call me on 020 7404 5252 or send me a message through my contact form.

Further Reading

Date | Author and Title | Publication
1 Dec 2017 | | NIPC Data Protection
11 Aug 2017 | | NIPC Data Protection

Tuesday, 5 December 2017

GDPR - Lawfulness of Processing and Consent

Jane Lambert
Yesterday I gave a talk on the GDPR to some 132 local authority personnel. The audience included the chief executive, heads of service, in-house legal advisers and managers and officials of all the council's departments. There were so many that the council chamber was the only room big enough to hold us all. Some knew a lot about data protection in general and the GDPR in particular. Others wanted some basic information, and it was for them that I wrote my Introduction to the GDPR and How the GDPR works.

"You've got them for two hours," said the head of legal before the talk, "tell them a few jokes to stop them falling asleep." As all my clean jokes are about Yorkshire and Yorkshire folk, I thought about telling them how the first Yorkshire pudding was made, which, incidentally, was once made into a lovely dance by Jonathan Watkins for Northern Ballet (see Sapphire 15 March 2015 Terpsichore). However, we never got that far as the audience turned out to be quite lively and talkative. What they wanted to talk about most was the legality of processing and consent.

To recap, I wrote on Sunday in How the GDPR works that there are 6 GDPR principles (or 7 if you include "accountability") that are set out in art 5 of the regulation. The first of these is the "lawfulness, fairness and transparency" principle, which is as follows:
"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);"
Art 6 (1) sets out the circumstances in which data can be lawfully processed:
"Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
The audience knew that processing could be justified by "consent" but did such consent have to be in writing and was it necessary to ask members of the public who had already given their consent for a particular purpose (say a mailing list for a newsletter about tourist attractions) for their consent again just to comply with the GDPR?

Well, paragraph (32) of the recitals assists here:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
So consent does not have to be written and signed but, if it is given orally, it does need to be recorded because art 7 (1) requires data controllers to be able to demonstrate that the data subject has consented to processing of his or her personal data. In answer to the other question, there is nothing in the GDPR that requires data controllers to mither their data subjects for confirmation of consent that they have already given for a specific purpose, so long as the consent that they already have is genuine, informed and freely given.

A few other points to remember:

  • Art 6 (1) (a) requires consent to be given for one or more specific purposes. Data subjects must know exactly and precisely what they are consenting to.
  • If a data subject's consent is given in the context of a written declaration which also concerns other matters, art 7 (2) requires any request for such consent to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • Art 7 (4) provides that "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract" when assessing whether consent is freely given.
Readers should also remember that other rules in relation to consent apply in relation to children and young people and particularly sensitive categories of data which I shall discuss in future articles. In the meantime, if you have any questions in relation to consent, lawful processing, the GDPR or data protection generally, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date | Author and Title | Publication
1 Dec 2017 | | NIPC Data Protection
11 Aug 2017 | | NIPC Data Protection

Sunday, 3 December 2017

How the GDPR works

Image: author Mauro Cateb, licence Creative Commons Attribution-Share Alike 3.0 unported
Jane Lambert

In my introduction to the GDPR 2 Dec 2017 I wrote that the regulation sought to balance two conflicting imperatives, namely the need to protect the public from the harm that can result from malicious, negligent or even careless processing of data that identifies living individuals and the need to safeguard free flows of such data for legitimate purposes. As I also wrote in that article, there is nothing new about any of that. That policy is exactly the same as that of the Data Protection Directive, the Data Protection Act 1998, the Data Protection Act 1984, the Council of Europe Convention and the OECD Guidelines.

The GDPR also seeks to achieve that objective in much the same way as previous legislation.  It establishes a set of principles for processing personal data (data by which living human beings can be identified) and machinery for monitoring and enforcing compliance.  That machinery takes the form of rights for data subjects (the individuals who can be identified from the data) and obligations upon data controllers (those who control the processing of personal data) and processors (those who carry out the processing) to take reasonable steps to minimize the risk or effect of non-compliance.

The GDPR's data processing principles require personal data to be:
"(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
It is the data controller's duty to be responsible for and demonstrate compliance with those principles.

So long as data controllers and processors process personal data in accordance with those principles they are unlikely to go far wrong. However, if they stray from them, whether intentionally or not, they risk legal action in the civil courts or fines or other sanctions by the Information Commissioner or the equivalent supervisory authority of another EU member state.

As an obvious way round the legislation would be to export the data to a country that does not regulate the processing of personal data, either at all or to the same extent and in the same way, the regulation restricts transfers of data abroad unless the Commission is satisfied with the legal protection of personal data processing that is available in the recipient country or enforceable contractual arrangements are in place for the protection of such data. The GDPR makes clear that the regulation applies not just to data controllers and processors that are in the EU, but also to data controllers outside the EU which offer goods or services to data subjects in the EU or monitor the behaviour of such data subjects within the EU.

In the next few articles I shall drill down into each of those topics in more detail.  Should anyone wish to discuss this article, the GDPR or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date | Author and Title | Publication
2 Dec 2017 | | NIPC Data Protection
1 Dec 2017 | | NIPC Data Protection
11 Aug 2017 | | NIPC Data Protection

Saturday, 2 December 2017

Introduction to the GDPR

Video: Standard YouTube Licence

Jane Lambert

This is the first of a series of articles that I am writing on the GDPR. So much has been written about the topic by lawyers, computer consultancies, government agencies and others that you might think that we need some more articles on GDPR like we need a hole in the head. But we probably do as I found out while looking for materials on the subject for a presentation that I am giving to a local authority on Monday because much of what has appeared to date has been alarming, confusing or even downright misleading.

The initials GDPR stand for the words “General Data Protection Regulation”. That is the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. That is a bit of a mouthful but the title states exactly and precisely what the law is and what it does.

First, it is a regulation of the European Parliament and the European Council. The European Parliament and Council are the legislature of the European Union. The European Parliament consists of 751 members directly elected by the citizens of the European Union, 73 of whom represent constituencies in the United Kingdom, while the Council consists of representatives of national governments including our own. The European Parliament and Council make three kinds of laws known respectively as regulations, directives and decisions.

Regulations are laws that come into being upon adoption by the European Parliament and Council with equal effect throughout the European Union without any intervention from the governments of the member states. Directives are instructions from the Parliament and Council to national governments to make or amend their national laws so that they comply with an agreed text.

A good example of a directive is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Data Protection Directive”), which required the EU member states to enact data protection regulation by 24 Oct 1998. The United Kingdom implemented the Data Protection Directive by enacting the Data Protection Act 1998, which regulates the processing of personal data in this country in accordance with that directive.

Decisions are laws of less importance. One that has been in the news lately is Decision No 445/2014/EU of the European Parliament and of the Council of 16 April 2014 establishing a Union action for the European Capitals of Culture for the years 2020 to 2033 and repealing Decision No 1622/2006/EC, which set out the procedure for selecting the European Capital of Culture between 2020 and 2023 and which I discussed in Jane Lambert European Capital of Culture 28 Nov 2017 NIPC Brexit. The GDPR is a law that will come into effect on 25 May 2018 throughout the European Union, including the United Kingdom as we shall still be in the European Union on that day, without any further intervention from the British or any other national government.

Secondly, the title makes clear that the regulation protects the interests of living human beings when data that relates to them are processed by computer or otherwise. The need to control the way such data are collected, collated and used has been recognized ever since the end of the 1960s. In the United Kingdom, the problem was considered by a committee chaired by Sir Kenneth Younger, which produced the Younger Committee Report on Privacy (Cmnd 5012) in 1972, and by Sir Norman Lindop, who wrote a follow-up report on data protection shortly afterwards. Sir Norman wrote:
"The speed of computers, their capacity to store, combine, retrieve and transfer data, their flexibility, and the low unit cost of the work which they can do have the following practical implications for privacy:
(1) they facilitate the maintenance of extensive record systems and the retention of data in these systems,
(2) they can make data easily and quickly available from many distant points;
(3) they can make it possible for data to be transferred quickly from one information system to another;
(4) they make it possible for data to be concealed in ways that might not otherwise be practicable,
(5) because the data are stored, processed and often transmitted in a form which is not directly intelligible, few people may know what is in the records or what is happening to them" (see para 7 of the Report of the Committee on Data Protection (Cmnd 7341)).
Those problems have become even more serious with the growth of the internet.

The third aspect of the law is contained in the words “the free movement of [personal] data”. The Younger and Lindop reports might have been left on the shelf to gather dust had the Swedish parliament not enacted a data protection law in 1973. That law, like all subsequent data protection laws, contained a provision restricting the transmission of personal data to countries that did not provide similar protection for such data. When a Swedish local authority wanted to export personal data to a British company that had won an order to make identity cards for the authority, the Swedish data protection authority blocked the transfer because there was no data protection law in the United Kingdom at that time. Even in the 1970s information flows were vital for international business, particularly for financial services, which have always been important for the UK. The need to protect personal data was quickly perceived as an impediment to business which required a prompt solution.

The OECD proposed a set of guidelines known as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on 23 Sept 1980 that allowed international data flows to continue on the understanding that data controllers would process personal data in accordance with those guidelines. The US government encouraged businesses in the USA to follow those guidelines voluntarily on the basis that it was in their interests to do so, and many did so. Successive US administrations have always believed that self-regulation and encouraging best practice is a more effective way of protecting personal data than legislation and, for that reason, the USA has never enacted a federal data protection statute, although several states have done so.

Europe has followed a different approach. On 28 Jan 1981, the Council of Europe proposed a regional convention as a model for national data protection laws known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and it was this latter model that the UK followed when we enacted our first Data Protection Act 1984. I wrote about the origins of data protection law in Jane Lambert Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sep 2017 NIPC Law.

The policies of the OECD Guidelines and the Council of Europe Convention were very similar. Both aimed at protecting personal data while safeguarding data flows. That policy is reflected in art 1 of the GDPR:
“Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states.

The final element of the title is the phrase “repealing Directive 95/46/EC”. The recitals to the GDPR state that the objectives and principles of the Data Protection Directive remain sound, but the directive has not always prevented fragmentation in the implementation of data protection across the EU, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. It was feared that differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the member states could prevent the free flow of personal data throughout the EU. It was also feared that those differences might constitute an obstacle to the pursuit of economic activities at EU level, distort competition and impede authorities in the discharge of their responsibilities under EU law.

Para (10) of the recitals declared that in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the EU, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. A regulation was necessary to:
  • ensure a consistent level of protection for natural persons throughout the EU, 
  • prevent divergences hampering the free movement of personal data within the internal market, 
  • provide legal certainty and transparency for economic operators, including micro-businesses and SMEs, 
  • provide natural persons in all member states with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, and ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. 
Art 94 (1) of the GDPR repeals the Data Protection Directive from the day when the regulation takes effect. It will not automatically repeal the Data Protection Act 1998 or other national statutes that were enacted to implement the directive (though the primacy of EU law would have that effect, as the statute would be disregarded wherever the act and the regulation conflict), but that will be done by the new Data Protection Bill after it receives royal assent.

Should anyone wish to discuss this or any of my other articles on data protection, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date
Author and Title
Publication
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection

Monday, 23 October 2017

Transfer of Data to the USA: Data Protection Commissioner v Facebook and another

Author S Kopp
Reproduced with kind permission of the author
Source Wikipedia 

Jane Lambert

Irish High Court (Ms Justice Costello) The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017)

A number of US technology companies including Facebook Inc. serve their customers in Europe through subsidiaries in the Republic of Ireland. That necessitates the transfer of personal data relating to those customers to the USA.

As I said in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, the United States and Europe take different approaches to the processing of personal data. In the EU such processing is regulated by statutes like our Data Protection Act 1998 which implement Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive"). In the USA businesses are encouraged to adopt good data processing practices in accordance with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and some states regulate data processing in the public sector but there is no equivalent to the Data Protection Directive or our Data Protection Act as such.

To facilitate the free flow of personal data from the EU to the USA, the Commission negotiated an agreement with the US government to require companies that wished to export and process such data in the USA to offer safeguards for data subjects in Europe that were thought to be substantially similar to the protection enjoyed here under the statutes that implement the Data Protection Directive. Those safeguards were known as the "Safe Harbor" principles. They resulted in a number of arbitration schemes, one of which was operated by my chambers' service company before we merged with 4-5 Gray's Inn Square in 2013.

Safe Harbor appeared to work well enough for most businesses and data subjects but the scheme was challenged by one Maximillian Schrems ("Mr Schrems") who feared that personal data flows to the USA would be intercepted and misused by US intelligence services. Whereas US citizens enjoyed rights of redress and remedies against such misuse, nationals of other countries did not. He objected to the transfer of such data and complained to the Irish Data Protection Commissioner. The Commissioner took the view that he could not investigate the complaint because he was bound by the Safe Harbor agreement.

Mr Schrems asked the Irish High Court to review the Commissioner's decision. The Court considered that Mr Schrems's complaint raised issues of EU law that required a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union and referred those issues to the Court of Justice of the European Union. In Case C‑362/14, Schrems v the Data Protection Commissioner [2016] 2 WLR 873, [2016] 2 CMLR 2, [2015] EUECJ C-362/14, [2016] CEC 647, EU:C:2015:650, [2016] QB 527, [2015] WLR(D) 403, ECLI:EU:C:2015:650 the Court ruled:
"Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
It also ruled that the Commission decision implementing the Safe Harbor principles was invalid.

The present Data Protection Commissioner has begun to investigate Mr Schrems's complaint and has found that she is unable to do so without a ruling from the CJEU on the validity of three decisions of the Commission insofar as they apply to data transfers from the European Economic Area (“the EEA”) to the USA:
As the Data Protection Commissioner has no power to refer questions of EU law to the Court of Justice she has asked the Irish High Court to do so in The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017). She brought those proceedings against Facebook's Irish subsidiary and Mr Schrems to enable them to put their arguments before the court. The action came on before Ms Justice Costello who also allowed the government of the USA plus the Business Software Alliance, Digital Europe and the Electronic Privacy Information Centre to address her as amici curiae.

After hearing submissions from each of those parties the learned judge has decided to refer the Commissioner's questions to the Court of Justice and has invited all those who made submissions to her to address her again on the formulation of the questions to be put to the Court. I shall report any further hearing or decision in this blog.

Should anyone wish to discuss this article, the transfer of personal data to the USA or data protection generally, he or she should call me on +44 (0)20 7404 5252 during normal office hours or send me a message through my contact form.

Tuesday, 17 October 2017

Data Protection Bill: Second Reading

Author HM Government
Licence Open Government Licence v.3
Source Gov.UK website


Jane Lambert

Lord Ashton, the Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport, presented the Data Protection Bill for its second reading in the House of Lords on 10 Oct 2017. Twelve peers spoke in the debate: three Conservative, two Labour, two Liberal Democrat, one bishop and four cross-benchers. The debate is reported in Hansard (see 15:34 and 18:52 on 10 Oct 2017).

The most interesting speeches were Lord Ashton's, who outlined the legislation and the reasons for introducing it, and Lord Pannick's, who explored the relationship of the Bill to the General Data Protection Regulation. The Bill was given a fair wind by the opposition parties but concern was expressed about the new burdens it might impose on small local authorities and the protection it afforded to children and other vulnerable persons.

The Bill will now be scrutinized by a committee of the whole House at the end of this month.

Should anyone wish to discuss this article, the Bill, the General Data Protection Regulation or data protection generally, he or she should call me on 020 7404 5252 or send me a message through my contact form.