This module continued SCL’s Foundations of IT Law program. It was hosted by Fieldfisher and chaired by head of privacy Hazel Grant. She was joined by Nicola Fulford, head of data protection at Kemp Little, and later by Emma Butler, data protection officer at LexisNexis.
Nicola Fulford commenced the evening by setting out the main legislation and key concepts in data protection law. The principle piece of legislation is the Data Protection Act 1998, which implemented the European Data Protection Directive EC/95/46/EC. In addition there is a right to private and family life under both the European Convention on Human Rights and the EU Charter on Fundamental Rights.
Understanding the definition of ‘personal data’ is vital: information that comes within the definition is subject to all the obligations and protections of the data protection regime, and that which does not is completely outside the scope. The definition is wide: ‘data which relates to a living individual who can be identified (or is identifiable) from those data‘, and can include cookies or situations where general categories of data are used, none of which, taken alone, could identify an individual but may do in combination. The UK’s data protection authority, the Information Commissioner’s Office (‘ICO‘) has produced a quick reference guide to assist organisations in ascertaining whether data is personal. Nicola noted that IT companies, particularly those not traditionally consumer-facing but now moving in that direction, should be aware of the host of personal data in the online world: location tracking, apps, social media, the Internet of Things, call recordings, communications meta data etc. There is a further category of ‘sensitive personal data’ which includes physical/mental health, ethnic origin, criminal records etc. for which there are additional obligations.
One method to remove information from the data protection regime is anonymisation. However, organisations should note that just because data is not attached to an individual’s name does not mean it is not personal. If it is possible to identify the individual by piecing several data points together, such as an IMEI code and location data, it will be personal. The test to be used is that of the ‘motivated intruder’ – could a suitably determined reasonably competent person with access to the usual resources identify the individual? ICO is in favour of anonymisation and has provided guidance on good practice.
Nicola then described the three main actors in data protection law. The ‘data subject’ is the human individual whose data is being processed; the ‘data controller’ prompts the processing, decides why and how it occurs and has legal obligations; the ‘data processor’ carries out the actual processing on behalf of the controller. The work of most IT companies will involve both the processing of customer, client or employee data (where the IT company will generally be a data controller) and the processing as a service provider, such as hosting or cloud services (where the IT company will generally be a data processor). Care should be taken when sourcing a processor as the legal responsibility remains with the controller, even when the processor is at fault. Processor contracts should include clear instructions to process only for the customer, to not use the data for other purposes and to have adequate security. Attention should also be directed to the controller’s own internal policies, training and privacy notices.
Hazel Grant then spoke about the obligations on controllers and the international nature of data protection law. The Directive sets out a number of obligations for all data controllers. Firstly, they must register with the relevant DPA, namely the ICO in the UK. A company doing business throughout Europe will have to register with the local DPA in each country in which it is established. Secondly, the processing must be transparent, which is usually achieved using privacy notices that explain what data is being collected and for what purpose. Thirdly, the processing has to be legitimate, which means meeting one of the specified conditions – the chief two being prior consent of the subject and the legitimate interests of the controller.
The UK implementation of the Directive clearly sets out the eight data protection principles underpinning the legislation, including key obligations such as that data must be processed fairly, lawfully, for a specific purpose, not retained longer than necessary, and securely. Data security is a hot topic these days so IT companies need to ensure they have appropriate technology and security measures in place. There is little ICO guidance on this for the UK but more prescriptive rules in other European nations such as Spain. Hazel pointed out that most data breaches were not due to a weakness in cybersecurity but human error so equal weight should be given to data protection policies and training.
In addition to the Directive, multinationals must consider the many other countries with data protection regimes, currently 101 globally (and set to increase). The nature of modern commerce means data is highly transferable and projects are often international. Data does not even need to be physically transferred to count as a transfer, being accessible from another country suffices.
Transferring within the EEA and the short list of countries considered by the European Commission to provide ‘adequate protection’ (eg Argentina, Canada, Israel) is straightforward. Transferring elsewhere requires one of four methods, each of which has complications:
Consent – the data subject can consent to the transfer as long as it is free, informed and specific consent. However, this must be done on an individual basis and employees are not (generally) considered to be free to consent.
Model Clauses – these are a set of contracts approved by the European Commission that can be incorporated into other documents. However, they cannot be amended and are required for each transfer arrangement.
Safe Harbor – a voluntary scheme between the US and EU where organisations must agree to a set of principles and which is enforced by the Federal Trade Commission. However, it only applies to US/EU transfers and has fallen out of favour due to recent security concerns.
Binding Corporate Rules – aimed at large multinationals to facilitate inter-group transfers. Requires lots of time and effort to set up but loved by regulators. These are now available to processors (and so of more use to IT companies), in which context it is known as Binding Safe Processor rules.
The advent of cloud computing has raised additional data protection issues. Guidance from the Article 29 Working Party (an EU advisory group) and the ICO considers service providers to be processors and clients controllers and thus responsible, which is positive for IT companies. Difficulties arise from the requirement that the controller must know who is undertaking the processing (which they often will not know in the cloud) and must maintain control (ie if the provider changes).
Hazel moved on to the issue of cookies, which are back in the news thanks to a recent coordinated sweep undertaken by some European DPAs. When the Privacy and Electronic Communications Regulations were amended in 2011 this was interpreted as possibly requiring that specific opt-in consent was required before placing cookies, leading to the risk of irritating pop-ups. However, the ICO takes a more realistic view and, as long as a clear cookie notice is displayed with a link to further information for those who wish to read on, a fading banner this will suffice for most cookies (eg web analytics cookies). More intrusive cookies (eg those designed for OBA or online behavioural advertising) may need additional compliance measures.
The PECR also contain rules on direct marketing. Essentially companies contacting individuals need their prior consent before contacting them to promote their services, unless following up on a prior relationship. The ICO has the power to fine for breaches but the threshold of harm it has to establish is high, which led to a large fine for spam texters being overturned. The government is currently consulting on whether to reduce or remove the threshold.
IT companies also have to consider data protection issues in relation to their employees as they often hold sensitive personal data about employees. As data controllers they are obliged to respond to Subject Access Requests (where a data subject requests all their data held by the controller); these are often used in employment disputes. Employees are increasingly using their own devices for work purposes, so companies should have robust Bring Your Own Device policies in place, including a notice that employees will lose their personal data if the device is remotely wiped.
Finally Hazel mentioned the ongoing efforts to reform the Directive at EU level. There is a proposed Regulation – so automatically applicable in all Member States – which would bring significant changes if passed. Proposals include a One-Stop Shop mechanism so multinationals operating across the EEA need only be regulated by one DPA; increasing fines up to €100m or 5% of turnover; requirements to employ a data processing officer beyond a certain threshold; and an obligation to report data breaches immediately and in any case within 72 hours. The debate is ongoing with final implementation not expected before 2017.
Nicola then returned to the podium to discuss the issue of enforcement, which is conducted by the ICO and forms part of its corporate objectives. The ICO uses a range of actions including fines of up to £500,000, criminal prosecution, enforcement notices, undertakings, participatory audits, compliance meetings and public ‘naming and shaming’. It generally seeks to work with breaching organisations to improve their behaviour and will only fine persistent breaches as a last resort or if significant harm was caused.
Recently the ICO has taken a new approach to complaints and concerns. There has also been more coordination with other DPAs to tackle global players. Whilst there is currently no legal obligation to report a data breach, ICO expects to be informed if a breach is serious and will consider non-cooperation an aggravating factor. Nicola pointed out that the PR fallout from a data breach can be worse than the breach itself so companies should formulate a coordinated response.
After a lively Q and A session, Emma Butler took to the stage to describe a typical day of a data protection officer. Her varied workload falls into four main categories: long-term projects, work being followed with some involvement but that other people have responsibility for, regular meetings and questions and issues that need an immediate response. The previous week was made up of meetings, catch-up calls, attendance at committees, a back-to-basics discussion on the definition of personal data, legal updates, advising the business on going into the cloud , responding to marketing queries, advising on data protection clauses in contracts, raising awareness, dealing with complaints and strategising.
She made the point that companies often lose sight of the fact that the law is not there to protect data but the individual. Data protection officers are often seen as naysayers, so it is important to engage with the business early and ascertain what they want to do, then find a compliant solution.
Alexander de Gaye is a trainee solicitor in the Technology, Outsourcing and Privacy department at Fieldfisher.