« Section 55 custodial offence left waiting for Leveson and party politics | Main | Spot the terrorist? Data protection and the seizure of personal data on laptops at airports. »

15/08/2013

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

But doesn't the current data protection regime already contemplate this situation? Isn't article 7(c) of the Data Protection Directive broad enough to cover a situation where a processor releases information without the knowledge or consent of either the controller or data subject?

RESPONSE

Article 7 of Directive 95/46/EC (see schedule 2 of the DPA and the text of the 1st Principle) sets out the requirement that the data controller’s processing operation has to fall within one of the grounds specified in A.7; if there is no grounds, the data controller can’t process. If he does process without a ground then it’s a breach.

So a data controller might be under a legal obligation to disclose (A.7(c)). He can instruct his data processor to disclose. The data processor cannot disclose unless instructed to do so; if this occurs, the data processor is deemed to be a data controller (see WP29 on SWIFT where this was debated at length).

What the Regulation does is allow the data processor to disclose without telling the data controller. Even if a data controller says “tell me data processor if the law enforcement authorities approach you for disclosure”, then the instruction could be ignored.

The problem is A.21 puts all the exemptions together; effectively it says to Member States. You can defined your own exemption. Take any combination of (a) one to five Principles in A5 and (b) any combination of rights in A.12-A.20 and if needed (c) A.32 and apply that exemption if any of the conditions (aa) to (f) in A.21 applies.

Different countries are allowed to have different combinations; if this happens you don’t get harmonisation!

The comments to this entry are closed.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.