SCL Event Report: Annual Data Protection Update 2015

February 24, 2015

To review the busy year in data protection and celebrate European Data Protection Day, the event’s Chair Hazel Grant, Head of Privacy at Fieldfisher, was joined by Anya Proops, barrister at 11KBW, James Leaton Gray, Information Policy Controller at the BBC and Dr Simon Rice, Technology Manager at the Information Commissioner’s Office.

Hazel Grant kicked the night off by providing a brief summary of some of the major stories from 2014.  It wouldn’t be an annual update without discussing the ‘progress’ of the draft General Data Protection Regulation.  Since the Council raised doubts about the legality of the One Stop Shop mechanism in December 2013, its progression slowed and the 2014 deadline passed with no agreement in sight.  The European Parliament adopted the LIBE committee draft in full in March.  In June the Council agreed a ‘partial general approach’: nothing is agreed until everything is.  In the October meetings a number of compromises were suggested which have still yet to be agreed. A number of sticking points remain:  on the One Stop Shop, the consistency mechanism, breach notification requirements, application to the public sector etc.

Hazel then discussed UK enforcement activities.  Although the number of Monetary Penalty Notices issued by the ICO has fallen since 2012, the average value has remained consistently around the £110,000 mark.  Significant MPNs included one against the Ministry of Justice for £180,000 after unencrypted hard drives of prisoner data were lost and one against the British Pregnancy Advisory Service for £200,000 for insufficient website security.  There were also 35 undertakings issued, 31 of which were for inappropriate disclosure.  For most organisations, the reputational damage that results from being named and shamed can be far more damaging than the fine itself.

Finally Hazel listed some of the key pieces of regulator guidance that emerged in 2014, including guidance on Privacy Impact Assessments, Big Data and CCTV from the ICO; Legitimate Interest, Internet of Things and Device Fingerprinting from the Article 29 Working Party; and IoT and Enforcement Cooperation from the International Conference of Data Protection and Privacy Commissioners.

Anya Proops then took the podium to discuss a ‘seismic’ CJEU case, Google Spain v González.  Mr González asked Google to remove some links to a newspaper website containing old stories about his social security debts. The newspaper could not itself be compelled to remove the stories and there was no suggestion that they were untrue or otherwise defamatory.  The court ruled on four questions, holding that: (1) Google Inc, a US corporation, fell within the territorial reach of Directive 95/46/EC on personal data (‘the Directive’) because the search engine it operated was commercially supported by the operations of an EU subsidiary; (2) Google was processing the relevant data, as it was collecting, storing and indexing it; (3) Google was also the data controller, particularly as it shaped how the data was presented to users; and, finally, (4) the rights afforded under the Directive coalesced into a so-called ‘right to be forgotten’ (‘RtbF’) which could be enforced against Google, in common with other internet search engines.  The Court held that whenever the RtbF is asserted, the relevant search engine will in general have to delete the disputed links unless, on the facts of the case, the individual’s right to privacy is positively outweighed by the public’s right to know.

Anya explained that the judgment is flawed for a number of reasons.  First, the judgment appeared to prioritise Article 8 privacy rights over Article 10 freedom of expression rights, when all the existing Strasbourg jurisprudence suggested that these were rights which were equally fundamental and important.  Second, Google’s ability to undertake the balancing exercise presupposed by the judgment must be doubted given that, in contrast with most ordinary data controllers, it will typically be a stranger to the data in issue and to the overall context.  Third, there were serious questions as to whether it was appropriate for a private-sector, profit-driven company to assume such a censorial role within the online environment.  Fourth, the ruling would appear to apply only to the EU country-specific versions of the search engine, so that, even where a RtbF request has been honoured, the full results can still be seen on google.com.  The Article 29 Working Party released an Opinion in November stating that the RtbF should apply to the .com domain as well, but it is questionable whether, in jurisdictional terms, this opinion stretches the reach of the Directive beyond breaking point. 

Ironically, those seeking to rely on the RtbF have tended to attract more attention to the stories they are trying to consign to online oblivion.  One such claimant is Max Mosley, who has launched a case designed to force Google to make certain sex party pictures and videos involving him entirely unavailable on the internet.  Google has agreed to remove certain URLs but denies that Mr Mosley has any expectation of privacy given that the pictures have been downloaded millions of times.

Further, on the subject of data protection rights within the online environment, the Court of Appeal is considering an appeal in Vidal-Hall v Google, which concerns the legality of Google’s secret tracking of the browsing habits of users of its search engine.  The claims suggest that the tracking operation, which is designed to facilitate targeted advertising, is a breach of privacy rights and data protection rights.  Google disagrees.  It claims that there is no breach of privacy and that data protection rights are not engaged because its tracking activities relate to particular devices; Google itself is unable to identify the individual users who may stand behind those devices.  Google also contends that the data protection claims in any event cannot proceed because the claimants have suffered no financial loss as a result of the tracking.  If the court decides that compensation for breach of data protection rights is available even in the absence of pecuniary loss, that could potentially lead to a surge in data protection claims.

James Leaton Gray then gave an animated talk on the BBC’s Big Data project, myBBC.  The fundamental starting point was trust. It is better to be open and transparent so the audience know why their personal data is being requested.  That way, individuals are more likely to consent to processing.  myBBC has now become central to the future of a more personalised BBC; for example, the aim is that one day it might know the specific radio shows one listens to and create a personal channel made up only of those shows.

So that the audience is aware they are providing their personal data, the whole system will launch behind a sign-in stage.  The BBC will then explain the value exchange: you are providing this data so we can personalise your experience.  There is then a set of the BBC’s own data protection principles (never sell the data, never pass it outside the BBC, etc).  Rather than rely on a one-off snapshot of consent as the main basis for processing, the BBC intends to allow the audience to easily control their permissions on an ongoing basis.

myBBC has a robust governance structure in place.  It will be overseen by a personal data guidance group reporting to the Executive Board, it is supported by a set of new or updated policies, it conducts multiple privacy impact assessments (‘PIAs’), and will be supported by a statement of intent, similar to the BBC’s ‘inform, educate, entertain’.  James firmly believes Big Data projects can be run in a privacy-friendly way, but the key is getting the data subjects involved.  We can expect to see myBBC from September this year.

Simon Rice then gave an amusing look at security from the regulator’s perspective.  He went through a ‘typical’ day in an IoT world and pointed out all the stages at which our data will be collected: the alarm clock wired into our sleep patterns which communicates with the lights in our home and the coffee machine, the route to work and how many paces we take, using the internet at lunch, shopping and going to the gym on the way home, and watching some smart TV.  From this, our sleeping habits, caffeine intake, health data, daily commute, working hours, shopping habits and viewing habits have all been recorded: huge amounts of personal data that it was not previously possible to record, store or analyse.

Hence data security is an increasingly important issue, as we have seen with recent high-profile breaches.  There are a number of areas where organisations can improve.  Encryption is a good start, but it is often not maintained and there are disagreements as to the required standard.  People are central, as many breaches are due to human error (eg not changing default passwords, or not deleting data from BYOD devices), but humans are also generally better than software at assessing risk.  Physical security is often overlooked even though it is simpler and more cost-effective than expensive technological security.  Organisations should have a breach plan in place and keep it updated.

In terms of privacy, Simon felt organisations should consider what they are doing and ask whether they need to do it.  PIAs are a useful tool but should be reviewed periodically.  Giving control back to the user can be an effective way of building trust.  One running app suggests users alter their running schedule if they always leave the house empty at predictable times, for example. 

Interestingly, the causes of the top ten breaches have changed little over the years despite technological advancements.  The main causes are: exploitation of known code weaknesses, poor decommissioning of old hardware, failure to update hardware and software, weak passwords, encryption software that is installed but not enabled, and inappropriate storage.

Finally Simon detailed the ICO’s IT lab capabilities, which provide useful evidence for its investigations.  The lab can replicate systems, check permissions, see how data is being processed and conduct cookie sweeps.  In doing so the ICO looks at the system objectively, rather than relying on what the data controller says.  This assists with its dual role of enforcing the law and ensuring that policy works in reality.

Alexander de Gaye is a trainee solicitor at Fieldfisher.