Could there have been a better day to hold this year’s SCL Data Protection Update Seminar than European Data Protection Day? We think not! On 28 January 2014, members of the data protection and privacy community flocked down to the SCL event hosted by Bristows LLP and chaired by Hazel Grant, also of Bristows. The team of speakers included David Smith from the ICO, Professor Christopher Millard of Bristows, Timothy Pitt-Payne QC, Ellis Parry from BP Legal, and Hazel Grant, stepping in for Jonathan Baines (Information Rights Officer for Buckinghamshire County Council, Chair of NADPO, the National Association of Data Protection and Freedom of Information Officers, and leading DP tweeter and blogger), who unfortunately was unable to attend for family reasons.
David Smith kicked off the evening’s proceedings with an insight into the ICO’s activities in achieving its ‘2020 Vision’ for information rights. The ICO faces three main challenges: first, the speed of growth of the organisation as a result of changes in public policy, business and technology; second, funding cuts (particularly if income from registration fees disappears); and third, the uncertain regulatory landscape. Consequently, the ICO is looking ahead to deliver better for less, and to be fit for the future by adopting a more strategic approach that will respond to change.
David discussed new happenings in the ICO, including increased use of casework as a source of intelligence, coordinating enforcement with other regulators, and reaching out to international organisations such as the US Federal Trade Commission. The ICO will also be developing the use of trust marks and privacy seals, and promoting self-regulation.
David could not, of course, have escaped the topic of the proposed EU General Data Protection Regulation, although this was dealt with in more detail by Christopher Millard. David highlighted the contribution of the ICO in the development of the Regulation, in working with DAPIX and the UK members of the European Parliament. Finally, David also dealt with enforcement and the application of PECR case law. He remarked that the requirement that a breach must have caused ‘substantial’ damage or distress before a Monetary Penalty Notice can be issued set a high threshold, and one which was often difficult to establish in practice.
Christopher Millard gave us an insightful update on EU data protection reform and where the EU has got to on the proposed Regulation. Progress seems slow. The Commission undoubtedly aims for a deal before the expiration of the terms of office of the current Commissioners on 31 October 2014 but many observers are less optimistic. However, determined comments by many of the parties involved, including Viviane Reding, mean it should not be dismissed just yet. Christopher ran through some of the highlights from the LIBE text from 21 October 2013, including the development of a single ‘main establishment’ test for data controllers and processors, and the giving of consent requiring ‘clear affirmative action’ rather than ‘mere use of a service’. Christopher also suggested that a new ‘anti-NSA provision’ in the LIBE text, influenced by the Snowden revelations, will generate much conflict – with many organisations arguing it is unrealistic to require prior authorisation for disclosure of personal data to foreign law enforcement.
Christopher went on to discuss recent Opinions from the Article 29 Working Party on matters such as apps on smart devices, a DPIA template for Smart Grid and Smart Metering, and Smart Borders, which considers the proposed Schengen Entry/Exit System.
The final question posed by Christopher was whether it is worth reading 70 pages on purpose limitation (also known as the Article 29 Working Party’s Opinion 02/2013, published in April). In short, it is worth at least a look. The core guidance in the Opinion is that purposes must be specified, explicit and legitimate (in the broad legal sense) as viewed by the reasonable person – which, as we know in the UK, is not a clear test. The examples given by the Working Party to demonstrate purpose limitation’s application to big data analytics did not escape Christopher’s scrutiny; he was sceptical, for example, that price discrimination on an e-commerce site based on the type of computer a customer uses was ‘obviously incompatible’.
Timothy Pitt-Payne QC spoke about ‘five hot issues’ in the area of data protection, discussing recent cases in respect of each topic. Beginning with how to define personal data, he discussed Advocate General Sharpston’s conclusion in the Dutch case YS, M, and S v Minister voor Immigratie, Integratie en Asiel (C-141/12 and C-372/12). The Advocate General took the view that facts in a minute of advice which dealt with the individuals’ right to be granted residence status were personal data, but the legal analysis (ie the reasoning process based on these facts) was not.
Moving on to the ‘use and abuse’ of the subject access right, Timothy discussed Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch). The High Court held that liquidators of a company are not data controllers and also said (albeit obiter) that Durant was not authority that a data controller could refuse a subject access request because of the purpose for which it was made. Nevertheless, the purpose is relevant to the exercise of the Court’s discretion under s 7(9) of the Data Protection Act.
In relation to the right to be forgotten, Timothy commented on Advocate General Jääskinen’s view in Google Spain SL and Google Inc v Agencia Española de Protección de Datos and González (C-131/12) that Google is not the data controller of the personal data in its search results. In his view, Mario Costeja González does not have the right to require Google to remove information about him from those search results. A decision from the CJEU is expected later this year.
Timothy also updated us on current case law relating to damages under s 13 of the Data Protection Act. In Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB), the judge found that, since he considered that each claimant had a sufficiently arguable case that their Article 8 rights were engaged, it was his ‘preliminary view’ that ‘damage’ would include non-pecuniary loss. In light of this decision, Timothy Pitt-Payne QC queried the extent to which Article 8 must be engaged in order to show that Johnson (a case where Article 8 was not engaged) could be distinguished.
Timothy’s last ‘hot issue’ was monetary penalty notices. In CLCH v ICO [2013] UKUT 0551 (AAC), the Upper Tribunal ruled that the ICO had the power to impose a fine notwithstanding that the data controller voluntarily reports the data protection breach and co-operates fully with the subsequent investigation. The ICO’s early payment discount scheme was also held to be lawful. In Scottish Borders Council v The Information Commissioner EA/2012/0212, meanwhile, the Tribunal underlined the need to distinguish between the data controller’s contravention of the Data Protection Act and the data security incident which caused the contravention. It is the contravention itself which must be likely to cause substantial damage or distress in order for the ICO to be able to issue a penalty under s 55A. Finally, in Christopher Niebel v The Information Commissioner EA/2012/0260, a penalty imposed under the PECR for sending 286 spam texts was overturned on the basis that the contravention was not of a kind likely to cause substantial damage or distress. The Tribunal concluded that, even if hundreds of such texts had been sent, no distress would have been caused. In view of these recent appeals, Timothy concluded by saying that where the ICO has imposed a fine (particularly at the top end of the scale) it may be worth trying to overturn it, suggesting that there are perhaps underlying problems with the drafting of s 55A.
Ellis Parry from BP Legal then gave us an insight into the key data protection issues currently faced by a global corporation. Ellis’ comments were from his personal perspective and were not a BP view. A later report may expand upon his contribution.
Hazel Grant stepped in for Jonathan Baines to give us the public sector perspective on current data protection issues. The first ‘burning issue’ which Jon had identified was the benefits and risks of data sharing, particularly in light of the trend towards partnership-working across the public sector, the Government’s transparency agenda, and the difficulty of achieving truly anonymised personal data. When discussing data breaches and ICO enforcement, it was suggested that the ICO may be shifting its focus from data security to ‘fairness’ under the first data protection principle, as in the case of Southampton City Council v IC EA/2012/0171 (CCTVs in taxis) and the Royston ‘ring of steel’. Finally, Jon wanted to raise concerns in respect of the ICO’s proposed ‘less interventionist’ approach to DPA complaints received from the public (see the ICO’s recent consultation “Our new Approach to Data Protection Concerns”, which closed on 31 January 2014).
At the end of the presentations, Hazel Grant opened the discussion to questions from the audience. This led to debates on topics including the discrepancy between the heavy protection given to consumer rights under competition law and the less substantial penalties for breaches of data protection law, as well as how the claimants in Vidal-Hall and others v Google Inc are funding their claim.
Other questions focused on how to obtain consent in relation to the use of personal information in big data analytics and whether the ICO was concerned with the prospect of multiple reporting obligations in light of the EU Directive 2013/40 on attacks against information systems.
The topic of the Safe Harbor regime was also raised again, with Christopher expressing the view that, although rumours of its death have been exaggerated, a number of European data protection authorities are clearly uncomfortable with it and he thought it was likely to be modified in the future.
Claire Davies is a Trainee Solicitor at Bristows LLP.
Hannah Crowther is an Associate at Bristows LLP.
Emma Charlton is a Trainee Associate at Bristows LLP.