The Regulation: what are the big changes to the Data Protection Act regime?

I thought I would devote a blog to answer the following question: “What would I say, if a manager asked me what were the key changes to the data protection regime as a result of the Regulation?”. So please use/amend the text for this purpose if need be. Note the blog is only about the Regulation:– not the law enforcement elements where there is a separate Directive also published today.

The first point to make is that a Regulation has to be followed by Member States whilst a Directive has to be implemented by Member States. In theory, a Regulation means that the whole European Union follows the same set of data protection rules instead of, as in the case of Directive 95/46/EC, many diverse implementations. See the Regulation as the “Lord of the Rings” approach towards data protection harmonisation in all Member States: “One Regulation to rule them all, and in its interpretation bind them”.

Such harmonisation, so the theory goes, has immediate effects. Data protection authority rulings in one jurisdiction is likely to apply in another; rights in one country are standardised in another; if one data protection authority accepts a set of Binding Corporate Rules, then every data protection authority can accept them. Immediately you can also see that because of this standardisation, there will be stronger co-operation and knowledge transfers between data protection authorities. Overseas businesses trading personal data with Europe operate in a standardised environment and vice-versa (notice I did not say “easier”).

Codes of practice become more important. If one data protection authority produces a code of practice it can be more or less adopted in other countries.

The Regulation identifies fines that “shall be levied” (no flexibility here) if an intentional or negligent breach on the part of a data controller is identified; there are different fine maximums for different transgressions – so you need to look at the detail. However, fines can range from 100 Euros to 1,000,000 Euros (or 2% of annual turnover if a commercial enterprise is involved). Now no doubt the 2% figure will get the headlines:– but to exceed the 1,000,000 Euro maximum, the turnover has to be 50,000,000 Euros (or about £42 million).

As you know, the UK has a maximum monetary penalty fine of £500,000 (about 600,000 Euros – say); if £500,000 represents 2% of turnover, then the total turnover is £25 million (30,000,000 Euros).  So what you can say that is for a private sector data controller the maximum fine level could actually decrease if turnover is less than £25 million but increase to 2% of turnover if over £25 million (stress maximum please – don’t follow the hype). For a public sector body data controller the maximum fine is about two thirds bigger (£830,000).

As an aside, the maximum fine could actually decrease for most SMEs. Take the ACS Law Ltd case, where the civil liberties lobby argued for a £500,000 fine. The turnover for ACS Law, (as found on the internet) was about £1 million, so the maximum fine levied at 2% is £12,500; a far cry from the aspirations of “les sans-culottes” of the privacy movement.

If the turnover is zero (e.g. the firm folds business), then the fine is zero. Also, I have no idea what happens if the Euro-zone collapses or the Euro survives to become stronger that the pound sterling. I assume the Commission will fix a nominal exchange rate for non Euro Member States at the time the Regulation is agreed.

All marketing by personal data has to have data subject consent. Does this mean the death of “opt-out”? I am not sure about this to be honest, but the definition of consent has been strengthened to be “explicit” consent (i.e. the current Schedule 3 standard for consent). So if your “opt-out” statement at the moment just passes the “consent” threshold under the Data Protection Act, I would assume that it may be unreliable under the new regime.

I also think “explicit consent” with an “opt-out” box returned by the data subject has, at the very least, to be very prominent, include the mode of marketing (e.g. post, email) and has to be more detailed in the items of personal data are used for marketing and who does the marketing (e.g. “The name and address you have provided .....” instead of “The information you have provided...”).

I think you can safely alert marketing people to this kind of change, but leave the detail until the Regulation is actually adopted. I should add that there is a whole Article devoted to strengthening “consent” (e.g. consent shall not be valid if there is a significant imbalance between the position of the data subject and the controller).

Security of processing is an example of where implicit obligations currently under the Seventh Principle become formalised and explicit. For instance, if there is a data loss, this has to be notified to the Commissioner within 24 hrs. This notification includes the nature of the personal data lost, categories and number of data subjects concerned, the categories and number of data records concerned, possible adverse effects of the personal data breach and the measures proposed or taken by the controller to address the personal data breach. Processors have to notify the controller immediately a data loss is confirmed.

Registration (or notification) with the Commissioner is being abolished, and because of that, the data protection authority knows nothing about a data controller. So there are stronger and more immediate powers for regulator to find out what is going on and force data controllers to comply or to halt the processing.

The general assumption is that data controllers are doing the “right thing”; this means, of course, that when the data protection authority knocks on the door, you have to make available records of compliance which must contain certain elements. Some of these were the subject of registration (e.g. the name and contact details of the controller, or any joint controller or processor, and of the representative; the name and contact details of the data protection officer, if any; the purposes of the processing, including the legitimate interests pursued by the controller; description of the category or categories of data subjects and of the personal data or categories of data relating to them; the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them).

So in practice notification to the UK’s Information Commissioner is replaced by the data controller keeping the registration/notification detail as well as other items (which for a public authority, can be subject to FOI requests!). So when the European Commission say “notification is gone”, it is a statement that is arguably “economic with the truth”. The expense of collecting these details is still there; what’s gone is the £35/£500 fee.

The data controller also has to keep further documentation about data protection compliance (e.g. policies, procedures), implementing the data security requirements, performing a data protection impact assessment. Large data controllers (more than 250 employees) have to designate a data protection officer. I would say that this data protection officer has to be fully trained (but I have to admit this sentence reads like a marketing “Mandy Rice-Davies” moment: “well he would say that, wouldn't he?").

Privacy Impact Assessments (PIA) and Privacy by Design become mandatory (e.g. PIA for CCTV of public spaces, use of biometrics, children data – child is under 18 by the way). Privacy by Design techniques have to be considered (although in our PIA course I show that these are an implicit consequence of the Seventh Principle in relation to keeping up to date with the “state of technology”).

Data Processors are given some explicit obligations, obligations which they should be implicitly carrying out contractually already. For instance, act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited; employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality; or subcontract  only with the prior permission of the controller.

The current rights of data subjects are more or less the same but there is more detail to be provided on subject access (e.g. about retention times and information about new rights). There is a right to get the personal data corrected by the data controller – currently this right only relates to the Court or implicitly via the Fourth Principle which deals with accuracy) and the right to object includes profiling.

There is a new right to be forgotten – which effectively only applies if the processing is already underway with data subject consent (new definition remember). If the “forget me” right is successfully applied, then third parties who have given the personal data by the data controller have to be notified if reasonably practicable.

However there are a number of exemptions (e.g. when a data controller needs proof of some action, research, when freedoms of speech issues are raised, or when personal data about other individuals are present, or where the accuracy of personal data are contested).  In some circumstances, “removal” rather than “deletion” is legitimate. So don’t panic at this right (at the moment).

There is a right to portability of personal data. For instance where personal data are processed by electronic means in a commonly used format, the data subject can obtain a copy of those data in that format. Where the data subject has provided the personal data and the processing is based on consent or by a contract, the data subject is given the right to transmit those personal data without hindrance from the controller from whom the personal data are being withdrawn. This clearly overlaps with the right of access, but is limited to ‘consent’ and the ‘electronic commonly used format’ subset of the personal data held by the data controller.

If you are interested in Binding Corporate Rules, then there are provisions that make them function properly (once accepted by a data protection authority). There are more definitions (e.g. “child”, “genetic data” which becomes an item of Sensitive Personal Data).

A great deal of the Directive is given over to things that should not worry data controllers (e.g. ensuring the data protection authority is fit for purpose, having a pan-European Data Protection Board that can be empowered ensure consistency of the data protection rules across Europe, and the inevitable minutiae concerning the dark arts of internal EU Committology).

My own view? I think many Member States will oppose this Proposal because of the current economic circumstances and because it is far more prescriptive than the Directive it replaces. It is not a simplification; it is a more prescriptive complication that many will argue increases the burdens on business. The Regulation is OK for large organisations, for SMEs I suspect it will be overkill. If the Council of Ministers do eventually agree the Proposal, I suspect that it will be a different text and a longer lead in time, currently set at two years.

So at a hunch – we are looking at three years down the line (at least).

References

Download the regulation here (61 pages) Download Regulation_DP_jan2012

Our Update session on March 26th  has half a day devoted to this. (London; £195+VAT; details on www.amberhawk.com (events and update) or top left of blog). As well as a guest speaker from the ICO on the Regulation, we have sessions on:
•    What are changes in the Definitions
•    What are changes in the Principles
•    What are changes in the Rights
•    What are changes in the Enforcement and other odds and end?

USA offers an adequate level of protection: EU accepts disproportionate processing, excessive retention, a lack of respect for privacy and minimal accountability.

The Article 29 Data Protection Working Party (WP) has just published its comments on the EU-USA Passenger Name Record (PNR) Agreement; a deal that I analysed just before Xmas as having the following characteristics: “data protection is weak, proportionality not guaranteed, and obvious safeguards absent” (see references). This view is substantiated by the WP’s comments.

As a general assessment, the WP notes that there have been “modest” improvements from earlier drafts “but does not see its serious concerns removed”.  Primarily that “the legislators oblige carriers and computer reservation systems to make PNR data of all their passengers – nearly all of them being innocent and unsuspected citizens available to foreign law enforcement agencies”.

The WP adds that “Since the negotiations of the first PNR agreement, the WP has expressed its doubts that sufficient evidence has been provided to demonstrate the necessity and the proportionality of mass transfer and use of PNR data for law enforcement purposes”;  the “WP notes that no new evidence is offered now” (to justify the Agreement).

Then WP states that “there remains a high degree of uncertainty about what DHS (Department for Homeland Security in the USA) is intending to do with the transferred data” and that “the agreement lacks clarity when defining the limits within which PNR data can be used”. It notes that “it is troubling that all definitions provided are not exclusive” (this is because most definitions use words such as “including” and “in particular” which can expand their meaning – something we drum into our ISEB delegates!).

So for example “the definition of transnational serious crime does not only appear to be quite wide-ranging ... it also appears not to be necessarily related to law enforcement in the US”. Indeed “it covers all crimes where more than one jurisdiction is involved” and provides that “on a case-by-case basis” PNR can be used for all crimes regardless of whether they are serious, and even for other actions not related to crimes at all, if ordered by a court”.

In summary “it appears to be rather clear that it will also be used for cases other than relating to terrorism and serious transnational crime and the Working Party considers this use disproportionate”.

With respect to data retention, the WP state that “the improvements of the agreement do not remove the fact that data of unsuspected citizens is stored for up to 15 years, only its use would be more limited”. The WP “cannot see how these long retention periods can be substantiated and justified” and “considers them to be excessive and disproportionate”.

In relation to the rights of access the WP states that for “many years” it “has expressed doubts as to whether US law and the agreements concluded with the US provide for the right of access and redress mechanisms in line with requirements of fundamental rights under EU law”.

With respect to the provisions on domestic sharing and onward transfer, the WP “regrets that the agreement is not more specific on how compliance with these terms or safeguards can practically be ensured, particularly with respect to retention periods”. The WP adds that the EU has stipulated that “the data protection level in the US is adequate despite its excessive retention periods and its lack of independent supervision”.

The WP notes that the PNR Agreement can be reviewed but “regrets that it is not explicitly provided (in the PNR Agreement) that the representatives of the European Union shall include representatives of the Member State’s data protection authorities”.

Finally, the WP adds “that many of the fundamental concerns expressed .... are also valid for the already concluded PNR agreement between the European Union and Australia”. It consequently asks for these concerns be taken “into consideration when negotiating and deciding upon the PNR agreement with Canada”.

So there you have it: a level of adequacy acceptable to the European Commission (i.e. it satisfies the UK's 8th Principle by law) but is clearly unacceptable to the collective view of all Europe’s Data Protection Commissioner (and the European Data Protection Supervisor - see references). All this too in the week where the Commission will trumpet "data protection day" and publish the Regulation that replaces Directive 95/46/EC.  

There is no doubt the Commission will use the events of this week to flaunt its data protection credentials and spray the air with sweet, "privacy scented" press releases (just like those issued with this PNR Agreement). I for one will be holding my nose; I advise blog-readers to do likewise.

References

EU/USA PNR Agreement: data protection is weak, proportionality not guaranteed, and obvious safeguards absent.: http://amberhawk.typepad.com/amberhawk/2011/12/euusa-pnr-agreement-data-protection-is-weak-proportionality-not-guaranteed-and-obvious-safeguards-ab.html

Download my analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” Download Eu-usa-pnr-deal-amberhawk analysis

Letter of the WP29 working party can be downloaded here Download WPletter_pnr_Jan2012

EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-12-09_US_PNR_EN.pdf

Watch out for the Data Protection Regulation at end of January

A brief note: between January 25th (most likely) and January 28th the official draft of a Regulation is expected to be published; it eventually result in changes to the UK's Data Protection Act. I will do an analysis of it for the blog in the following weeks. Also, our UPDATE session on March 26th in London will be revised in order to have at least a half day devoted to the Regulation and what it means for data controllers. Our guest speaker is Jonathan Bamford from the ICO;  he will be speaking on – yes you have guessed – the Regulation.

As you know the draft was leaked and thankfully it is being revised in order for it to be released. How the text will emerge from the shadows is yet unknown – but this is what I am hoping for.

First, the Commission should trust the Data Protection Authorities to get it right. There is no need for a Regulation to say when “consent” is needed or mandate what should appear on a fair processing notice or with a subject access request or say anything about data loss except to say, for example, that significant losses of personal data in a non-protected form should be reported to the Data Protection Authority who can order, if need be, the necessary corrective action (e.g. contact with the data subjects).  In other words, make sure the Regulation leaves most of the interpretative detail of broad Principles to the Data Protection Authorities and give them full powers to enforce the Principles.

These Authorities can determine common standards via their meetings (e.g. A.29WP); they should be trusted to arrive at a collective view that possesses the right balance. Note that if decisions are collective, then there is little risk of a rogue Authority holding sway. Also, the involvement of broad Principles can deal with changes in technology. In other words, less Regulation is more individual protection – so long as each Data Protection Authority is fit for purpose.

You also need the ability of a Member State to refer a collective decision of the Data Protection Authorities to the Council of Ministers for debate. This protects the interests of Member States and removes the argument that they have no say in the matter. If Member States have a collective view that is different to the Data Protection Authorities, and that alternative view is supported by national and European Parliaments, then I would argue that the alternative view should prevail.

This is different to the current structure that has resulted in, for example, the UK's surveillance state and PNR Agreements that have minimal data protection: this arises when Member States enact laws that trampled over the Principles.

The fine level and offences should be left to Member States. But if a Member State enacts meagre penalties, the Commission could order a corrective measure, following a report from the Data Protection Authorities.

What you do legislate for is a strong data protection corrective mechanism that ensures consistency across Europe; so when a Member State gets out of line, the Data Protection Authorities can start the ball rolling for a correction. The fact that the changes are led by the Data Protection Authorities means that corrections are based on data protection grounds and not on the vested interests of a Government or a commercial sector.

It might take 7 years to get to consistency across Europe, but as readers know this is about the length of time it has taken to half find out what is wrong with the UK’s Data Protection Act!

References

See comments about the leaked Regulation: http://amberhawk.typepad.com/amberhawk/2011/12/draft-data-protection-regulation-leaked-doubtful-whether-it-will-get-enacted-in-this-form.html

What is wrong with the UK Act and infraction proceedings: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

Details of UPDATE: go to www.amberhawk.com

 

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws.

Belated Happy New Year, but we start 2012 with a report that has a lot in it. Stick with this judgement as, in summary, it states that:

(a) the term “lawful” processing in First Principle relates to that processing which is consistent with the application of any relevant law including law of confidence (the Information Commissioner is not keen to enforce “lawful processing”); I should add that the implications of “lawful processing” have yet to be applied to other Principles (e.g. to the Seventh Principle and security considerations);

(b) the purpose of the Data Protection Directive is to implement Article 8 of the Human Rights Act; so in theory, the Information Commissioner could consider “lawfulness” in terms of Article 8; and

(c) the Information Commissioner ignores the Lindqvist decision (see references) in his detailed commentary on the application of the domestic purpose exemption to personal data on a website; the Court says the Commissioner’s advice is inconsistent with the law.

The judgement concerns the “SolictorsFromHell” website (see references). The publisher (and data controller) of that web-site claimed that “under Article 10 of the European Convention on Human Rights, you have the right to freedom of speech and expression to voice your complaint! But it must accurate and truthful. You can complain here. RIGHT NOW! NAME and SHAME your OPPRESSOR Problem Solicitor? No need to register or even leave your name. Click on the link below and add them to our list of 'Solicitors from Hell'”.

Despite the plea for accuracy, the website collected a vast number of unattributable, unchecked allegations concerning named solicitors, some of which alleged activities of a salacious or criminal nature. In other words the personal data involved sensitive personal data; this probably explains why the publisher had also lost a number of previous libel cases and was bankrupt.

Three complainants (one of which was the Law Society) took up the cudgels against the publisher in order to stop the further processing of personal data. In an uncontested action, they argued that that the Data Controller (i.e. the publisher) had breached:

i) The First Data Protection Principle because the processing was unfair and there was no Schedule 2 condition to legitimise the processing (and in the case of some sensitive personal data no Schedule 3 condition). In the event, the Court concluded “None of the conditions in Schedule 2 of the DPA is met by the Defendant in respect of the processing of this data on the Website” and that “the Defendant has processed the said data in a grossly unfair and unlawful way”;

ii) The Fourth Data Protection Principle: that personal data shall be accurate and, where necessary, kept up to date. In the event, the Court concluded “the personal and sensitive personal data about the Third Claimant processed by the Defendant and published on the Website are false and accordingly wholly inaccurate”;

iii) The Sixth Data Protection Principle: that personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; in particular the Defendant had ignored the exercise of the right to object to the processing of personal data. The Court agreed, and granted a notice under section 10(4) of the Act.

So that’s the case and outcome; now look at what the judge said re the First Principle (at para 78; my emphasis):

The reference to ‘lawfully’ in the First Data Protection Principle applies to any form of conduct that is unlawful, including breach of confidence, libel, and harassment. As Patten J said in Murray v Express Newspapers Ltd [2007] EWHC 1908 (Ch) [200] EMLR 22 at para [72]:

“It seems to me that the reference to lawfully in Schedule 1, Part 1 must be construed by reference to the current state of the law in particular in relation to the misuse of confidential information. The draftsman of the Act has not attempted to give the word any wider or special meaning and it is therefore necessary to apply to the processor of the personal data the same obligations of confidentiality as would otherwise apply but for the Act”

The Information Commissioner (ICO) is reluctant to deal with complaints of unlawful processing because they require him to understand how any piece of legislation defines what is lawful so that lawfulness under the Data Protection Act can be assessed. The ICO claims that he cannot be an expert in every law – and that is why, in some case, he prefers to deal with such cases in terms of “fair processing” issues (where the subject is purely a data protection issue).

His guidance makes this clear;  in the context of lawful processing, states that his office may not

“pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them” (my emphasis)”.

Despite these difficulties, unlawful processing has now, in these two judgements, been given a clean bill of health; data subjects clearly can ask for assessments whether or not such and such a processing is lawful (e.g. in terms of copyright, confidence and any other law) – and expect them to be considered in these terms.

Another possible consequence may be the inclusion of the Seventh Principle in cases were breaches of confidence involving personal data are the issue. This is clear from the text of the Principle which requires “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data....etc ” (my emphasis). So if a data controller failed to secure personal data of a confidential nature (e.g. loss of health personal data), then a breach of confidence can also be extended to include a Seventh Data Protection Principle breach.

Another “advance” in the judgment is the express linkage between Article 8 and Data Protection (a particular hobby-horse of mine – see references); I think it means that it is legitimate to ask the ICO for an assessment whether the processing is lawful in terms of Article 8. This is because the judge says (at para 97):

“...The purpose of the (Data Protection) Directive was to give effect in the context of data protection to the Art 8 rights of the ECHR (right to respect for private life). See Recitals (8) to (12). It is a privacy statute, although its scope is limited by a number of provisions, including the definition of data in s.1 and the application of the Act delimited in s.5”. (A big hurray from me!)

Lindqvist and blogging

The Information Commissioner’s analysis is panned I am afraid. He had argued that the “Solicitors from Hell” website fell within the “domestic purpose exemption”, and in a letter to one of the complainants, he explained this fact. The Court concluded that in the context of lawful processing:

“I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawful.” (para 100)

This is important as the relevant part of the Commissioner’s letter is clearly very wrong. It states (para 96):

 “The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this. (The s.36 exemption clearly did not anticipate individuals using third party websites to carry out their ‘personal’ processing).

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual.  This is not what my office is established to do.  This is particularly the case where other legal remedies are available – for example, the law of libel or incitement. ….

This analysis (and the Court’s conclusions by the way) ignores the case of Lindqvist (see references) where the European Court of Justice decided that in the context of the domestic purpose exemption:

"As regards the exception ... which concerns ... the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. (paras 46 and 47 of Lindqvist)

This interpretation of the exemption should be binding in the UK context (but it was missed). It states that if personal data are published on a website then this processing CANNOT fall within the domestic purpose exemption. This in turn means that any argument re Freedom of Speech is simply not relevant.

This then focuses on those infraction proceedings where the European Commission has said the Data Protection Act is a deficient implementation of the Directive. One of the myriad of grounds claimed by the Commission is that “the inclusion of “recreational purposes” in the Data Protection Act which, in the Commission’s view appeared to be broader than household activities” (see references).

In other words, the Commissioner’s interpretation of the law with respect to websites could have been based on the Government’s incorrect implementation of the Data Protection Directive (the details of which been kept secret for seven years).

The result, if true, is serious: ALL data subjects (and not just the ones who had the time and money to take this action) have been denied the protection that the Act affords if personal data about them is published on websites; additionally they may have been denied proper access to the ICO to explore the data protection issues.

This in turn increases the importance of knowing the issues surrounding the UK Government’s approach to the implementation of the Directive. It also means the ICO should revisit his policy re "lawful" processing.

References

Load the Solicitors from Hell ([2011] EWHC 3185 (QB)) judgement here:Download Jan2012_solfromhel

Load Lindqvist (ECJ, Case C-101/01, 6 November 2003)  here: Download Jan2012_Lindqvist

Article 8 and the first data protection principle links are: “Information  Commissioner should enforce Article 8 privacy-rights”:
http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html

Infraction proceedings link: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

 

The Data Protection Officer's ABC

There is a folk tradition which involves ABC songs; the “Sailor’s ABC” and the “Socialist’s ABC” are perhaps the most notable. So to sing at parties or around the holiday log-fires, I offer an addition to the genre. It is called "The Data Protection Officer's ABC".

 

 When that I was a tiny, tiny boy, my daddy said to me;

"The time has come, me bonny, bonny bairn, to learn your ABC."

Now my daddy was a privacy man and had a data protection mind

So his ABC was different from the kindergarten kind.

 

He sang,

"A is for access to data; and the details we all can get back.

And B is the Blairite Government; it thinks FOIA is worse than Iraq!

C is for CCTV, installed so we can all be surveilled.

And D is for data of all kinds; even adult videos when played.

E is for excessive exemptions; which occur in all access regimes.

And F is for effing refusals; full access occurs only in dreams.

G is GCHQ; which intercepts e-mails to you.

And H is for horrid Home Office; it drafts laws so it’s easy to do.

I is for intelligence data; MI5 and 6 on our side.

And J is the judgement these spies make; it’s OK if you’ve nothing to hide.

K is for kind Kenneth Younger; his report on privacy was so good.

And L is for lovely Lord Leveson; his findings, I fear, will be dud.

M is for matching or mining of data; assumptions made with mouse clicks.

And N are the non-disclosure provisions; they get the details to coppers real quick.

O is for ongoing observation; and the cookies which catch us on-line.

And P is for privacy policy; pure lies most of the time.

Q is for queries and queuing;  understanding the law needs a sage.

And R is repetitive ringtones; as the Commissioner's helpline’s engaged.

S is for sources of data; who share secrets behind our backs.

And T is for the tabloid papers; and the telephones they like to hack.

U is for undervaluation; as DPO's pay is so poor.

And V is the salute that we’re given; when like Oliver, we ask for more.

W is for all written warrants; which stay lawful for quite a while.

And that’s why X, Y and Z, my old daddy said, will be found in a Special Branch file.

 

Now that I'm not a tiny, tiny boy, my daddy says to me,

'"Please try to forget the things I said, especially that ABC."

For daddy is no longer a privacy man, and he's had to change his plea.

His alphabet is different now …since they made him ….Home Secretary.

Comment

Please accept our warm wishes for the coming holiday; hopefully a time when we can erase all thoughts about economic doom and gloom. Hawktalk will be back in early January.

Reference

If you can think of other couplets or improvements, please post them as comments. The metre of the above ABC is that of the late Alex Glasgow’s Socialist’s ABC: http://www.youtube.com/watch?v=gqfz4-sMgak

 

EU/USA PNR Agreement: data protection is weak, proportionality not guaranteed, and obvious safeguards absent.

Did you see the recent press coverage extolling the virtues of latest European Union Agreement with the USA as to how Europe will exchange Passenger Name Records (PNR)? Much of the press coverage was highly favourable, highlighting additional privacy protections, shorter periods of data retention and thorough respect for data subject rights. All these assertions are somewhere between misleading and wrong.

Yesterday, the European Data Protection Supervisor (EDPS) entered the fray. His analysis (see references) concludes that: the 15-year retention period is excessive; the purposes should be limited to combating terrorism or a well defined list of transnational serious crimes; the list of data to be transferred to the USA is disproportionate; data subjects' rights are ineffective, and the Department of Homeland Security (DHS) should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of data protection.

Also yesterday, the USA Deputy Secretary of Homeland Security , Jane Holl Lute, signed the PNR Agreement and stated: "Today's signing of the new agreement on the transfer of Passenger Name Records (PNR) is a significant step forward in strengthening our cooperation with the EU to combat terrorism and transnational threats, while respecting our commitment to privacy and data protection. ..."

So who do you believe?

This is why in the last few days I have been admiring the text of this Agreement in detail and have prepared an annotated version which highlights several shortcomings.  This analysis confirms and provides the evidence that justifies the EDPS’s stance. I should add that the Agreement that I have read bears no relationship to the Agreement described in the official Press Releases and as reported in the press.

In summary these are the major issues I have identified:

1.    Proportionality is not an obligation; it is an aspiration. The Agreement does not stipulate that any data sharing has to be proportionate, even when there are transfers, made by the USA, to third countries or internally within the USA. There is a requirement to be “mindful” of data protection obligations but not “conform with” or “apply” them.

2.    The Agreement is being promoted to the public as an aid to prevent “serious transnational crime and terrorism”; however, the term “serious transnational crime” is not found in the Agreement other than in its preamble, nor is it a defined term. The Agreement also covers data sharing that is not related to crime nor terrorism.

3.    The retention period could be far longer than has been stated by the Commission. This arises because after 7 years of operation, the Agreement is renegotiated where “the necessity of a 10-year dormant period of retention will be considered”(see Article 8(6)) and the “consultations shall in particular examine whether any future EU PNR system would apply less stringent data protection standards than those provided for in the present Agreement” (see Article 20).  Get the gist! Although the text might say there is 10 year retention period, any renegotiation might add on a further 10 years.

4.    The data subject rights are very weak because they are limited to PNR data; most passengers will know how they paid for their flight, where they were going and when. In other words, most of the rights apply to personal data that passengers already know; these rights are rarely going to be exercised. Although there may be circumstances where the rights could be useful for data subjects, I contend that for the vast majority of data subjects, the PNR data will be of little (probably no) interest at all.

5.    Most of the data protection issues will reside in the other personal data (i.e. other than the PNR data). For example, suppose a name of flyer is shared with a known criminal etc and the authorities think the criminal is flying to the USA. It is when this kind of mix-up occurs, that the other personal data that needs correcting, updating etc.  Any damage to the data subject arises from the other information and not the PNR data – but the Agreement, as it relates to PNR data, does not relate to this other information. Nor does it state how this kind of issue will be resolved.

6.    There is no role for the data protection authority, not even an advisory one in the circumstances identified above. These bodies who have been established in Europe to protect the data subjects’ interests have been airbrushed out of the Agreement (even when there is a large personal data loss, a major privacy incident or when “rights of access and correction” go awry).  Even the provisions that describe the reviews of the data protection elements, do not give a role for any data protection authority.

7.    Reporting on how the Agreement works in practice, or assessing its privacy protection is undertaken by the parties who want to exchange the PNR data; there is no independent audit, no independent reporting, no requirement to keep statistics that would show that the Agreement is worthwhile. Any analysis runs the risk of being flawed, skewed, self-serving and lacking in credibility. At worst, it’s like asking Count Dracula (yes him again) to report on the effectiveness of the distribution of blood from a blood bank, where our blessed Count manages that blood bank.

8.    The press release associated with the Agreement does not even pass the threshold of being “economic with the truth”. If I am honest, it turns being “misleading by omission” into an art form. The Commission evidently also restricted Euro MPs from seeing the Agreement when issuing its press release thus ensuring the absence of critical commentary based on its text. If this is true, it is truly shocking.

The real problem is the conflict of interest that arises because the European Union (EU) has two responsibilities: (a) it negotiates the terms of the Agreement to facilitate the transfer of PNR data, and (b) it also decides whether the privacy protection in the USA is adequate. As the EU has a vested interest in getting PNR data from the USA to support Europe’s law enforcement bodies, the suspicion is that it has compromised on data protection standards to get these data.

The role of the data protection authority should be to act as an independent counter-balance that ensures that any compromise on the personal data needs of law enforcement does not unfairly prejudice individual privacy.  In a nutshell, the exclusion of these authorities means that there is no independent counter-balance in this Agreement that protects the interests of data subjects.

Just ask a simple question: “Who should have oversight of an issue that involves data protection?”. The answer the Agreement comes to is “the law enforcement bodies that are responsible for the interference with private and family life in the first place”.

If you want the detail of the annotated Agreement (plus press release) see below – but have a stiff drink by your side.

References specific to the EU-USA PNR Agreement

1. Follow the link to download my analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” and related press release Download Eu-usa-pnr-deal-amberhawk analysis

2. To get the full agreement down load here Download Eu-usa-pnr-deal-com-807_November 2011

3. To download the (“economic with the truth”) Press Release from the Commission’s web-site just go to http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1368

4. EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-12-09_US_PNR_EN.pdf

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2011/EDPS-2011-12_US-PNR_EN.pdf

5. The Commission evidently restricted Euro MPs from seeing the agreement when issuing its press release; if this is true, it is truly shocking: 

http://www.itworld.com/government/225603/eu-parliamentarians-speak-out-over-gag-order-data-deal)

Related references to the general data sharing PNR Directive between EU Member States

The general PNR Directive which deals with internal flights shows many of the faults of the EU-USA PNR Agreement. See Hawktalk on:

• “Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

• “Data Protection: UK wants to extend PNR Directive despite proportionality fears and the lack of evidence”:http://amberhawk.typepad.com/amberhawk/2011/04/data-protection-uk-wants-to-extend-pnr-directive-despite-proportionality-fears-and-the-lack-of-evidence.html

• “Why the PNR Directive is disproportionate and does not protect privacy”: http://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html

• The problems with data sharing with the USA are unbalanced in relation to the financial sector also. See “Financial data sharing agreement with USA remains unbalanced and defective”: http://amberhawk.typepad.com/amberhawk/2010/06/financial-data-sharing-agreement-with-usa-remains-unbalanced-and-defective.html

• Spoof:  “Oyster Card Passenger Name Record system to protect London Olympics” : http://amberhawk.typepad.com/amberhawk/2011/04/oyster-card-passenger-name-record-system-to-protect-london-olympics.html

Draft data protection directive leaked on law enforcement and policing

Last week I wrote about the leaked draft of the Regulation that is to replace Directive 95/46/EC. This week’s leak is the Directive that extends data protection to Europe's law enforcement agencies. ("Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of crime”).

This Directive has one main objective: data sharing between Europe's law enforcement agencies. This is a complex matter and not all Member States will like the interference from Brussels - nor will they like the implication that there can be sharing. This in turn means that the text of the Directive will be subject to detailed discussion by all Member States of the Union and is likely to undergo extensive modification before a final text is agreed.

For that reason, I am not going to analyse it much – but enough to give you a steer as to its content. I would not spend too much time on it - but please note: extension of sensitive personal data, role of data protection officer, mandatory data loss provisions, mandatory Privacy Impact Assessments, the concept of a "co-controller", and detailed attention to Article 8 of the Human Rights Convention.

The purpose of the Directive is to lay down rules relating to the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. If Member States implement the protective elements of the Directive (i.e towards individuals), then personal data can be exchanged by competent authorities (i.e. law enforcement bodies) within the European Union.

This Directive contains the definitions for terms used in the Directive 95/46/EC, adding new definitions such as ‘personal data breach’, ‘genetic data’ and ‘biometric data’. A ‘competent authorities’ is any law enforcement agency with the power to prosecute whilst a child is someone under 18. This latter provision will not endear itself to the UK - did you see all those children in last August's riots? I can imagine the Daily Mail headline already!

The data protection principles are augmented with a transparency principle, a data minimisation principle and 'principle of accountability'. Article 5 is a new provision as it requires the distinction between personal data of different categories of data subjects. These categories of data subjects are:

(a) persons where there are serious grounds for believing that they have committed or are about to commit a criminal offence;
(b) persons convicted of a criminal offence;
(c) victims of a criminal offence, or persons with regard to whom certain facts give reasons for believing that he or she could be the victim of a criminal offence;
(d) third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in (a) and (b); and
(e) persons who do not fall within any of the categories referred to above.

The implication is that the data protection rules will apply differently to the above categories of data subjects.

The Directive reduces the valid criteria for the processing of personal data (Schedule 2 for those familiar with the UK's DPA) by law enforcement bodies to “processing is necessary for the performance of a task carried out by a competent authority” (e.g. for a law enforcement purposes) or the “processing is necessary in order to protect the vital interests of the data subject”. No other options are possible (except where sensitive personal data has been made public by the data subject).

Article 8-11 sets out a number of general prohibitions. For example, if the purpose of the processing changes, then that change has to be prescribed by law Article 10 establishes rules on the processing of genetic data, “codifying” ECtHR case law (e.g Marper v UK); genetic data are classified as “Sensitive Personal Data” for those familiar with the UK Act. Article 11 requires profiling to be authorised by law.

Article 14 provides the obligation of Member States to ensure the data subject's right of access. Exemptions to this right must be enshrined by law and “constitutes a necessary and proportionate measure in a democratic society” (i.e. my emphasis of an explicit link to Article 8(2))). These exemptions have to be justified in terms of:

“(a) to avoid obstructing official or legal inquiries, investigations or procedures;
(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;
(c) to protect public security;
(d) to protect national security;
(e) to protect the rights and freedoms of others.”

Articles 20-25, responds to the debate on a "principle of accountability” and sets out obligations that demonstrate compliance, including the adoption of policies and mechanisms for ensuring compliance. Such data controllers “must ensure the compliance of the controller with the obligations arising from the principles of data protection by design and default” and clarify “the position and obligation of data processors”. There is new status of “co-controllers”  (e.g. a processor that processes data beyond the controller's instructions is to be considered a co-controller).

The security provisions are based on those in Article 17(1) of Directive 95/46/E|C except there is an obligation to notify personal data breaches, inspired by the personal data breach notification in Article 4(3) of the ePrivacy Directive 2002/58/EC, clarifying and separating the obligations to notify the supervisory authority (Article 29) and to communicate, in qualified circumstances, to the data subject Data controllers and processors are to carry out a data protection impact assessment prior to risky processing operations by relevant information.

Areas where a PIA is envisaged includes:

(a) processing of personal data in large scale filing systems for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties;
(b) processing of special categories of personal data (i.e. sensitive personal data) related to children and of biometric data for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties.
(c) an evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's behaviour, which is based on automated processing and likely to result in measures that produces legal effects concerning the individual or significantly affects the individual; (d) monitoring publicly accessible areas, especially when using optic-electronic
devices (video surveillance); or
(e) other processing operations for which the consultation of the supervisory authority is required (because of the potentially controversial nature.

Articles 33-35 follows last week’s leaked Regulation and introduces a mandatory data protection officer of the controller, sets out the position of the data protection officer and defines the core tasks of the data protection officer. A Data Protection Officer has definitely become flavour of the month (indeed, I wonder where these guys can get training?).

Article 36 sets out the general principles for data transfers to third countries or international organisations, including onward transfers. It clarifies that transfers may take place to third countries in relation to which the Commission has adopted an adequacy decision or, in the absence of such decision, where appropriate safeguards are in place in a legally binding instrument, such as an international agreement.

I don't like these provisions. They give carte-blanche for the European Commission to determine any territory as  offering an "adequate" level of protection. As with some transfers of PNR data to the USA, Europe's data protection authoritites disagree with what the Commission thinks as "adequate".

The rest of the Directive sets out the provisions similar to the Regulation with respect to a European Data Protection Board and the powers of national data protection supervisory authorities.

References

You can load the Proposed Directive by following the link: http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf

 

Draft data protection regulation leaked; doubtful whether it will get enacted in this form.

The first impression of this leaked text is that this version of the Regulation is more prescriptive than Directive 95/46/EC and will get up most data controllers and Governmental noses. I think the text makes far too many fundamental changes than can be reasonably done via a Regulation (which has three times as many Articles as the Directive it replaces). And this conclusion is from someone who thinks changes to the UK data protection regime are badly needed (see references).

I think this text is open to the argument that the Regulation is so long that it should be discussed as a new Directive which can be debated by Member States and national Parliaments; this ensures the issue then goes into the long grass.

Another risk is that many Governments will respond to data controller complaints and argue that in the current economic circumstances that this Regulation should be shelved. I can see the Greeks, Spanish, Portuguese, Irish, Italians and UK opposing the text for this reason. Indeed, I wonder whether this is the intent of the leak, but that is perhaps too Machiavellian.

I cannot see the UK accepting this – and to be honest, I doubt whether it will make progress in its current form!! However, this is a summary of its content for what its worth. Remember it is a leaked version and I would not depend on it; wait until you see the real McCoy (on Data Protection Day, January 25th)

In summary:

Article 3 contains new definitions (‘personal data breach’ based on Article 2(i) of the e-privacy Directive 2002/58/EC as amended by Directive 2009/136/EC, ‘genetic data’, ‘biometric data’, ‘data concerning health’ which is based on the definition of ‘health data’ provided for by ISO 27799, ‘main establishment’, ‘representative’, ‘enterprise’, ‘group of undertakings’, ‘binding corporate rules’, and of a ‘child’ which is based on the United Nation’s Convention on the Rights of the Child.)

Article 4 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.

Article 5 sets out, based on Article 7 of Directive 95/46/EC, the criteria for lawful processing, which are further specified as regards the balance of interest criterion and processing for the purposes of direct marketing for commercial purposes, the compliance with legal obligations and public interest.

Article 6 clarifies the conditions the change of purpose of the processing, i.e. for another purpose than that for which the data have been initially collected.

Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing. Public authorities cannot rely on consent

Article 8 sets out the general prohibition for processing special categories of personal data and the exceptions from this general rule, building on Article 8 of the Directive 95/46/EC.

Article 9 introduces the obligation for transparent and easily accessible and understandable information, inspired in particular by the Madrid Resolution on international standards on the protection of personal data and privacy

Article 10 obliges the controller to provide procedures and mechanism for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined a deadline, and the motivation of refusals. 

Article 11 provides rights in relation to recipients, based on Article 12(c) of Directive 95/46/EC, extended to all recipients, including joint controllers and processors

Article 15 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.

Article 16 introduces the data subject's right to data portability, i.e. to transfer data from one automated processing system to and into another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format.

Article 17 provides the data subject's rights to object. It is based on Article 14 of Directive 95/46/EC, with some modifications, including as regards the burden of proof and its application to non-commercial direct marketing, in contrast to Article 5(2) which provides that for purposes of commercial direct marketing the data subject's consent is required to make the processing lawful. There is also to be a right to object to profiling.

Article 19 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.

Article 20 sets out the obligations of the controller arising from the principles of data protection by design and by default.

Article 21 on joint controllers clarifies the responsibilities of joint controllers as regards their internal relationship and towards the data subject.

Article 22 obliges controllers not established in the Union, where the Regulation applies to their processing activities, to designate a representative in the Union.

Article 27 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC and extending that obligation to processors, irrespective of the contract with the controller.  There is an obligation of controllers to inform the supervisory body within 24 hours of any breach, and to inform data subjects within 24 hours if the breach endangers their personal data.

Article 32 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is to be a stronger data protection authority, more trans-European co-ordination on data protection issues (A European Data Protection Board), higher penalties and more powers to the Commission to get consistency and an obligation on national governments to give their supervisory bodies sufficient monies to operate effectively.

An that is why I think it won’t see the light of day in this form. I am not doing a further analysis of it; I await the final text. I suggest you do likewise

References: draft leaked version of a Regulation is on http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf

See also "European Commission explains why UK’s Data Protection Act is deficient": http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html

We will be discussing the final text at our UPDATE session in March with a speaker from the ICO's office describing the main changes for UK data controllers. 

Successful action for compensation: damage caused by unlawful disclosure of personal data

It's very rare that I post another blog, but this is a rare event indeed: a data subject has taken successful action for compensation under section 13 of the Data Protection Act. Normally what happens if a data controller has caused damage, there is an out-of-court settlement with a gagging (sorry “confidentiality”) clause so no-one is the wiser.

The claimant brought an action following an unauthorised disclosure of his personal medical data, in or about December 2007. The partner of the data subject had unlawfully accessed his medical records in the course of her employment as a nurse and thereby committed a breach of the Act.  This and the handling of his resultant complaint caused a 4 ½ year exacerbation of a pre-existing paranoid personality disorder and prevented him also from accepting an offer of employment.

Honour Judge Cotter QC, sitting at Plymouth County Court, assessed damages for personal injury under s.13 of the Data Protection Act 1998. He awarded £12,500 was awarded for exacerbation of the Claimant’s pre-existing condition and £4,800 for loss of earnings on the premise that he had been offered 6 months work but in light of the medical evidence, viz that he would have been unable, probably, to sustain employment for any length of time, likely to have held a job down for only 8 weeks also.

A claim for aggravated damages failed

For a few more details of this unreported case (Sean Robert Grinyer v Plymouth Hospital NHS Trust; 28th October 2011) go to  http://www.unitystreetchambers.com/blog/?p=131. But if anyone knows more, can you email me as Hawktalk would like to know.

Email marketing under PECR and the Data Protection Act

I have just had published an article on PECR and Data Protection in the context of email marketing. I think it might be useful to practitioners so I have added it to the blog. It combines the marketing rules under PECR with the Data Protection obligations and goes into the overlap between subscriber, user and data subject. The article will be useful for practitioners from the public and private sector data controllers, as well as those sitting the ISEB exam.

Enjoy reading. I had a heavy teaching load last week, so that explains the absence of a blog. Hope this makes up!

To download the article, just click on the link Download Article_marketing by electronic mail_dec2011_v2