The Regulation: what are the big changes to the Data Protection Act regime?

I thought I would devote a blog to answer the following question: “What would I say, if a manager asked me what were the key changes to the data protection regime as a result of the Regulation?”. So please use/amend the text for this purpose if need be. Note the blog is only about the Regulation:– not the law enforcement elements where there is a separate Directive also published today.

The first point to make is that a Regulation has to be followed by Member States whilst a Directive has to be implemented by Member States. In theory, a Regulation means that the whole European Union follows the same set of data protection rules instead of, as in the case of Directive 95/46/EC, many diverse implementations. See the Regulation as the “Lord of the Rings” approach towards data protection harmonisation in all Member States: “One Regulation to rule them all, and in its interpretation bind them”.

Such harmonisation, so the theory goes, has immediate effects. Data protection authority rulings in one jurisdiction is likely to apply in another; rights in one country are standardised in another; if one data protection authority accepts a set of Binding Corporate Rules, then every data protection authority can accept them. Immediately you can also see that because of this standardisation, there will be stronger co-operation and knowledge transfers between data protection authorities. Overseas businesses trading personal data with Europe operate in a standardised environment and vice-versa (notice I did not say “easier”).

Codes of practice become more important. If one data protection authority produces a code of practice it can be more or less adopted in other countries.

The Regulation identifies fines that “shall be levied” (no flexibility here) if an intentional or negligent breach on the part of a data controller is identified; there are different fine maximums for different transgressions – so you need to look at the detail. However, fines can range from 100 Euros to 1,000,000 Euros (or 2% of annual turnover if a commercial enterprise is involved). Now no doubt the 2% figure will get the headlines:– but to exceed the 1,000,000 Euro maximum, the turnover has to be 50,000,000 Euros (or about £42 million).

As you know, the UK has a maximum monetary penalty fine of £500,000 (about 600,000 Euros – say); if £500,000 represents 2% of turnover, then the total turnover is £25 million (30,000,000 Euros).  So what you can say that is for a private sector data controller the maximum fine level could actually decrease if turnover is less than £25 million but increase to 2% of turnover if over £25 million (stress maximum please – don’t follow the hype). For a public sector body data controller the maximum fine is about two thirds bigger (£830,000).

As an aside, the maximum fine could actually decrease for most SMEs. Take the ACS Law Ltd case, where the civil liberties lobby argued for a £500,000 fine. The turnover for ACS Law, (as found on the internet) was about £1 million, so the maximum fine levied at 2% is £12,500; a far cry from the aspirations of “les sans-culottes” of the privacy movement.

If the turnover is zero (e.g. the firm folds business), then the fine is zero. Also, I have no idea what happens if the Euro-zone collapses or the Euro survives to become stronger that the pound sterling. I assume the Commission will fix a nominal exchange rate for non Euro Member States at the time the Regulation is agreed.

All marketing by personal data has to have data subject consent. Does this mean the death of “opt-out”? I am not sure about this to be honest, but the definition of consent has been strengthened to be “explicit” consent (i.e. the current Schedule 3 standard for consent). So if your “opt-out” statement at the moment just passes the “consent” threshold under the Data Protection Act, I would assume that it may be unreliable under the new regime.

I also think “explicit consent” with an “opt-out” box returned by the data subject has, at the very least, to be very prominent, include the mode of marketing (e.g. post, email) and has to be more detailed in the items of personal data are used for marketing and who does the marketing (e.g. “The name and address you have provided .....” instead of “The information you have provided...”).

I think you can safely alert marketing people to this kind of change, but leave the detail until the Regulation is actually adopted. I should add that there is a whole Article devoted to strengthening “consent” (e.g. consent shall not be valid if there is a significant imbalance between the position of the data subject and the controller).

Security of processing is an example of where implicit obligations currently under the Seventh Principle become formalised and explicit. For instance, if there is a data loss, this has to be notified to the Commissioner within 24 hrs. This notification includes the nature of the personal data lost, categories and number of data subjects concerned, the categories and number of data records concerned, possible adverse effects of the personal data breach and the measures proposed or taken by the controller to address the personal data breach. Processors have to notify the controller immediately a data loss is confirmed.

Registration (or notification) with the Commissioner is being abolished, and because of that, the data protection authority knows nothing about a data controller. So there are stronger and more immediate powers for regulator to find out what is going on and force data controllers to comply or to halt the processing.

The general assumption is that data controllers are doing the “right thing”; this means, of course, that when the data protection authority knocks on the door, you have to make available records of compliance which must contain certain elements. Some of these were the subject of registration (e.g. the name and contact details of the controller, or any joint controller or processor, and of the representative; the name and contact details of the data protection officer, if any; the purposes of the processing, including the legitimate interests pursued by the controller; description of the category or categories of data subjects and of the personal data or categories of data relating to them; the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them).

So in practice notification to the UK’s Information Commissioner is replaced by the data controller keeping the registration/notification detail as well as other items (which for a public authority, can be subject to FOI requests!). So when the European Commission say “notification is gone”, it is a statement that is arguably “economic with the truth”. The expense of collecting these details is still there; what’s gone is the £35/£500 fee.

The data controller also has to keep further documentation about data protection compliance (e.g. policies, procedures), implementing the data security requirements, performing a data protection impact assessment. Large data controllers (more than 250 employees) have to designate a data protection officer. I would say that this data protection officer has to be fully trained (but I have to admit this sentence reads like a marketing “Mandy Rice-Davies” moment: “well he would say that, wouldn't he?").

Privacy Impact Assessments (PIA) and Privacy by Design become mandatory (e.g. PIA for CCTV of public spaces, use of biometrics, children data – child is under 18 by the way). Privacy by Design techniques have to be considered (although in our PIA course I show that these are an implicit consequence of the Seventh Principle in relation to keeping up to date with the “state of technology”).

Data Processors are given some explicit obligations, obligations which they should be implicitly carrying out contractually already. For instance, act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited; employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality; or subcontract  only with the prior permission of the controller.

The current rights of data subjects are more or less the same but there is more detail to be provided on subject access (e.g. about retention times and information about new rights). There is a right to get the personal data corrected by the data controller – currently this right only relates to the Court or implicitly via the Fourth Principle which deals with accuracy) and the right to object includes profiling.

There is a new right to be forgotten – which effectively only applies if the processing is already underway with data subject consent (new definition remember). If the “forget me” right is successfully applied, then third parties who have given the personal data by the data controller have to be notified if reasonably practicable.

However there are a number of exemptions (e.g. when a data controller needs proof of some action, research, when freedoms of speech issues are raised, or when personal data about other individuals are present, or where the accuracy of personal data are contested).  In some circumstances, “removal” rather than “deletion” is legitimate. So don’t panic at this right (at the moment).

There is a right to portability of personal data. For instance where personal data are processed by electronic means in a commonly used format, the data subject can obtain a copy of those data in that format. Where the data subject has provided the personal data and the processing is based on consent or by a contract, the data subject is given the right to transmit those personal data without hindrance from the controller from whom the personal data are being withdrawn. This clearly overlaps with the right of access, but is limited to ‘consent’ and the ‘electronic commonly used format’ subset of the personal data held by the data controller.

If you are interested in Binding Corporate Rules, then there are provisions that make them function properly (once accepted by a data protection authority). There are more definitions (e.g. “child”, “genetic data” which becomes an item of Sensitive Personal Data).

A great deal of the Directive is given over to things that should not worry data controllers (e.g. ensuring the data protection authority is fit for purpose, having a pan-European Data Protection Board that can be empowered ensure consistency of the data protection rules across Europe, and the inevitable minutiae concerning the dark arts of internal EU Committology).

My own view? I think many Member States will oppose this Proposal because of the current economic circumstances and because it is far more prescriptive than the Directive it replaces. It is not a simplification; it is a more prescriptive complication that many will argue increases the burdens on business. The Regulation is OK for large organisations, for SMEs I suspect it will be overkill. If the Council of Ministers do eventually agree the Proposal, I suspect that it will be a different text and a longer lead in time, currently set at two years.

So at a hunch – we are looking at three years down the line (at least).

References

Download the regulation here (61 pages) Download Regulation_DP_jan2012

Our Update session on March 26th  has half a day devoted to this. (London; £195+VAT; details on www.amberhawk.com (events and update) or top left of blog). As well as a guest speaker from the ICO on the Regulation, we have sessions on:
•    What are changes in the Definitions
•    What are changes in the Principles
•    What are changes in the Rights
•    What are changes in the Enforcement and other odds and end?

USA offers an adequate level of protection: EU accepts disproportionate processing, excessive retention, a lack of respect for privacy and minimal accountability.

The Article 29 Data Protection Working Party (WP) has just published its comments on the EU-USA Passenger Name Record (PNR) Agreement; a deal that I analysed just before Xmas as having the following characteristics: “data protection is weak, proportionality not guaranteed, and obvious safeguards absent” (see references). This view is substantiated by the WP’s comments.

As a general assessment, the WP notes that there have been “modest” improvements from earlier drafts “but does not see its serious concerns removed”.  Primarily that “the legislators oblige carriers and computer reservation systems to make PNR data of all their passengers – nearly all of them being innocent and unsuspected citizens available to foreign law enforcement agencies”.

The WP adds that “Since the negotiations of the first PNR agreement, the WP has expressed its doubts that sufficient evidence has been provided to demonstrate the necessity and the proportionality of mass transfer and use of PNR data for law enforcement purposes”;  the “WP notes that no new evidence is offered now” (to justify the Agreement).

Then WP states that “there remains a high degree of uncertainty about what DHS (Department for Homeland Security in the USA) is intending to do with the transferred data” and that “the agreement lacks clarity when defining the limits within which PNR data can be used”. It notes that “it is troubling that all definitions provided are not exclusive” (this is because most definitions use words such as “including” and “in particular” which can expand their meaning – something we drum into our ISEB delegates!).

So for example “the definition of transnational serious crime does not only appear to be quite wide-ranging ... it also appears not to be necessarily related to law enforcement in the US”. Indeed “it covers all crimes where more than one jurisdiction is involved” and provides that “on a case-by-case basis” PNR can be used for all crimes regardless of whether they are serious, and even for other actions not related to crimes at all, if ordered by a court”.

In summary “it appears to be rather clear that it will also be used for cases other than relating to terrorism and serious transnational crime and the Working Party considers this use disproportionate”.

With respect to data retention, the WP state that “the improvements of the agreement do not remove the fact that data of unsuspected citizens is stored for up to 15 years, only its use would be more limited”. The WP “cannot see how these long retention periods can be substantiated and justified” and “considers them to be excessive and disproportionate”.

In relation to the rights of access the WP states that for “many years” it “has expressed doubts as to whether US law and the agreements concluded with the US provide for the right of access and redress mechanisms in line with requirements of fundamental rights under EU law”.

With respect to the provisions on domestic sharing and onward transfer, the WP “regrets that the agreement is not more specific on how compliance with these terms or safeguards can practically be ensured, particularly with respect to retention periods”. The WP adds that the EU has stipulated that “the data protection level in the US is adequate despite its excessive retention periods and its lack of independent supervision”.

The WP notes that the PNR Agreement can be reviewed but “regrets that it is not explicitly provided (in the PNR Agreement) that the representatives of the European Union shall include representatives of the Member State’s data protection authorities”.

Finally, the WP adds “that many of the fundamental concerns expressed .... are also valid for the already concluded PNR agreement between the European Union and Australia”. It consequently asks for these concerns be taken “into consideration when negotiating and deciding upon the PNR agreement with Canada”.

So there you have it: a level of adequacy acceptable to the European Commission (i.e. it satisfies the UK's 8th Principle by law) but is clearly unacceptable to the collective view of all Europe’s Data Protection Commissioner (and the European Data Protection Supervisor - see references). All this too in the week where the Commission will trumpet "data protection day" and publish the Regulation that replaces Directive 95/46/EC.  

There is no doubt the Commission will use the events of this week to flaunt its data protection credentials and spray the air with sweet, "privacy scented" press releases (just like those issued with this PNR Agreement). I for one will be holding my nose; I advise blog-readers to do likewise.

References

EU/USA PNR Agreement: data protection is weak, proportionality not guaranteed, and obvious safeguards absent.: http://amberhawk.typepad.com/amberhawk/2011/12/euusa-pnr-agreement-data-protection-is-weak-proportionality-not-guaranteed-and-obvious-safeguards-ab.html

Download my analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” Download Eu-usa-pnr-deal-amberhawk analysis

Letter of the WP29 working party can be downloaded here Download WPletter_pnr_Jan2012

EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-12-09_US_PNR_EN.pdf

Watch out for the Data Protection Regulation at end of January

A brief note: between January 25th (most likely) and January 28th the official draft of a Regulation is expected to be published; it eventually result in changes to the UK's Data Protection Act. I will do an analysis of it for the blog in the following weeks. Also, our UPDATE session on March 26th in London will be revised in order to have at least a half day devoted to the Regulation and what it means for data controllers. Our guest speaker is Jonathan Bamford from the ICO;  he will be speaking on – yes you have guessed – the Regulation.

As you know the draft was leaked and thankfully it is being revised in order for it to be released. How the text will emerge from the shadows is yet unknown – but this is what I am hoping for.

First, the Commission should trust the Data Protection Authorities to get it right. There is no need for a Regulation to say when “consent” is needed or mandate what should appear on a fair processing notice or with a subject access request or say anything about data loss except to say, for example, that significant losses of personal data in a non-protected form should be reported to the Data Protection Authority who can order, if need be, the necessary corrective action (e.g. contact with the data subjects).  In other words, make sure the Regulation leaves most of the interpretative detail of broad Principles to the Data Protection Authorities and give them full powers to enforce the Principles.

These Authorities can determine common standards via their meetings (e.g. A.29WP); they should be trusted to arrive at a collective view that possesses the right balance. Note that if decisions are collective, then there is little risk of a rogue Authority holding sway. Also, the involvement of broad Principles can deal with changes in technology. In other words, less Regulation is more individual protection – so long as each Data Protection Authority is fit for purpose.

You also need the ability of a Member State to refer a collective decision of the Data Protection Authorities to the Council of Ministers for debate. This protects the interests of Member States and removes the argument that they have no say in the matter. If Member States have a collective view that is different to the Data Protection Authorities, and that alternative view is supported by national and European Parliaments, then I would argue that the alternative view should prevail.

This is different to the current structure that has resulted in, for example, the UK's surveillance state and PNR Agreements that have minimal data protection: this arises when Member States enact laws that trampled over the Principles.

The fine level and offences should be left to Member States. But if a Member State enacts meagre penalties, the Commission could order a corrective measure, following a report from the Data Protection Authorities.

What you do legislate for is a strong data protection corrective mechanism that ensures consistency across Europe; so when a Member State gets out of line, the Data Protection Authorities can start the ball rolling for a correction. The fact that the changes are led by the Data Protection Authorities means that corrections are based on data protection grounds and not on the vested interests of a Government or a commercial sector.

It might take 7 years to get to consistency across Europe, but as readers know this is about the length of time it has taken to half find out what is wrong with the UK’s Data Protection Act!

References

See comments about the leaked Regulation: http://amberhawk.typepad.com/amberhawk/2011/12/draft-data-protection-regulation-leaked-doubtful-whether-it-will-get-enacted-in-this-form.html

What is wrong with the UK Act and infraction proceedings: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

Details of UPDATE: go to www.amberhawk.com

 

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws.

Belated Happy New Year, but we start 2012 with a report that has a lot in it. Stick with this judgement as, in summary, it states that:

(a) the term “lawful” processing in First Principle relates to that processing which is consistent with the application of any relevant law including law of confidence (the Information Commissioner is not keen to enforce “lawful processing”); I should add that the implications of “lawful processing” have yet to be applied to other Principles (e.g. to the Seventh Principle and security considerations);

(b) the purpose of the Data Protection Directive is to implement Article 8 of the Human Rights Act; so in theory, the Information Commissioner could consider “lawfulness” in terms of Article 8; and

(c) the Information Commissioner ignores the Lindqvist decision (see references) in his detailed commentary on the application of the domestic purpose exemption to personal data on a website; the Court says the Commissioner’s advice is inconsistent with the law.

The judgement concerns the “SolictorsFromHell” website (see references). The publisher (and data controller) of that web-site claimed that “under Article 10 of the European Convention on Human Rights, you have the right to freedom of speech and expression to voice your complaint! But it must accurate and truthful. You can complain here. RIGHT NOW! NAME and SHAME your OPPRESSOR Problem Solicitor? No need to register or even leave your name. Click on the link below and add them to our list of 'Solicitors from Hell'”.

Despite the plea for accuracy, the website collected a vast number of unattributable, unchecked allegations concerning named solicitors, some of which alleged activities of a salacious or criminal nature. In other words the personal data involved sensitive personal data; this probably explains why the publisher had also lost a number of previous libel cases and was bankrupt.

Three complainants (one of which was the Law Society) took up the cudgels against the publisher in order to stop the further processing of personal data. In an uncontested action, they argued that that the Data Controller (i.e. the publisher) had breached:

i) The First Data Protection Principle because the processing was unfair and there was no Schedule 2 condition to legitimise the processing (and in the case of some sensitive personal data no Schedule 3 condition). In the event, the Court concluded “None of the conditions in Schedule 2 of the DPA is met by the Defendant in respect of the processing of this data on the Website” and that “the Defendant has processed the said data in a grossly unfair and unlawful way”;

ii) The Fourth Data Protection Principle: that personal data shall be accurate and, where necessary, kept up to date. In the event, the Court concluded “the personal and sensitive personal data about the Third Claimant processed by the Defendant and published on the Website are false and accordingly wholly inaccurate”;

iii) The Sixth Data Protection Principle: that personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; in particular the Defendant had ignored the exercise of the right to object to the processing of personal data. The Court agreed, and granted a notice under section 10(4) of the Act.

So that’s the case and outcome; now look at what the judge said re the First Principle (at para 78; my emphasis):

The reference to ‘lawfully’ in the First Data Protection Principle applies to any form of conduct that is unlawful, including breach of confidence, libel, and harassment. As Patten J said in Murray v Express Newspapers Ltd [2007] EWHC 1908 (Ch) [200] EMLR 22 at para [72]:

“It seems to me that the reference to lawfully in Schedule 1, Part 1 must be construed by reference to the current state of the law in particular in relation to the misuse of confidential information. The draftsman of the Act has not attempted to give the word any wider or special meaning and it is therefore necessary to apply to the processor of the personal data the same obligations of confidentiality as would otherwise apply but for the Act”

The Information Commissioner (ICO) is reluctant to deal with complaints of unlawful processing because they require him to understand how any piece of legislation defines what is lawful so that lawfulness under the Data Protection Act can be assessed. The ICO claims that he cannot be an expert in every law – and that is why, in some case, he prefers to deal with such cases in terms of “fair processing” issues (where the subject is purely a data protection issue).

His guidance makes this clear;  in the context of lawful processing, states that his office may not

“pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them” (my emphasis)”.

Despite these difficulties, unlawful processing has now, in these two judgements, been given a clean bill of health; data subjects clearly can ask for assessments whether or not such and such a processing is lawful (e.g. in terms of copyright, confidence and any other law) – and expect them to be considered in these terms.

Another possible consequence may be the inclusion of the Seventh Principle in cases were breaches of confidence involving personal data are the issue. This is clear from the text of the Principle which requires “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data....etc ” (my emphasis). So if a data controller failed to secure personal data of a confidential nature (e.g. loss of health personal data), then a breach of confidence can also be extended to include a Seventh Data Protection Principle breach.

Another “advance” in the judgment is the express linkage between Article 8 and Data Protection (a particular hobby-horse of mine – see references); I think it means that it is legitimate to ask the ICO for an assessment whether the processing is lawful in terms of Article 8. This is because the judge says (at para 97):

“...The purpose of the (Data Protection) Directive was to give effect in the context of data protection to the Art 8 rights of the ECHR (right to respect for private life). See Recitals (8) to (12). It is a privacy statute, although its scope is limited by a number of provisions, including the definition of data in s.1 and the application of the Act delimited in s.5”. (A big hurray from me!)

Lindqvist and blogging

The Information Commissioner’s analysis is panned I am afraid. He had argued that the “Solicitors from Hell” website fell within the “domestic purpose exemption”, and in a letter to one of the complainants, he explained this fact. The Court concluded that in the context of lawful processing:

“I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawful.” (para 100)

This is important as the relevant part of the Commissioner’s letter is clearly very wrong. It states (para 96):

 “The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this. (The s.36 exemption clearly did not anticipate individuals using third party websites to carry out their ‘personal’ processing).

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual.  This is not what my office is established to do.  This is particularly the case where other legal remedies are available – for example, the law of libel or incitement. ….

This analysis (and the Court’s conclusions by the way) ignores the case of Lindqvist (see references) where the European Court of Justice decided that in the context of the domestic purpose exemption:

"As regards the exception ... which concerns ... the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. (paras 46 and 47 of Lindqvist)

This interpretation of the exemption should be binding in the UK context (but it was missed). It states that if personal data are published on a website then this processing CANNOT fall within the domestic purpose exemption. This in turn means that any argument re Freedom of Speech is simply not relevant.

This then focuses on those infraction proceedings where the European Commission has said the Data Protection Act is a deficient implementation of the Directive. One of the myriad of grounds claimed by the Commission is that “the inclusion of “recreational purposes” in the Data Protection Act which, in the Commission’s view appeared to be broader than household activities” (see references).

In other words, the Commissioner’s interpretation of the law with respect to websites could have been based on the Government’s incorrect implementation of the Data Protection Directive (the details of which been kept secret for seven years).

The result, if true, is serious: ALL data subjects (and not just the ones who had the time and money to take this action) have been denied the protection that the Act affords if personal data about them is published on websites; additionally they may have been denied proper access to the ICO to explore the data protection issues.

This in turn increases the importance of knowing the issues surrounding the UK Government’s approach to the implementation of the Directive. It also means the ICO should revisit his policy re "lawful" processing.

References

Load the Solicitors from Hell ([2011] EWHC 3185 (QB)) judgement here:Download Jan2012_solfromhel

Load Lindqvist (ECJ, Case C-101/01, 6 November 2003)  here: Download Jan2012_Lindqvist

Article 8 and the first data protection principle links are: “Information  Commissioner should enforce Article 8 privacy-rights”:
http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html

Infraction proceedings link: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html