Data Protection – are you up to date with the latest developments?


The field of data protection law and practice is constantly evolving, with reviews being conducted nationally and at European level, new case-law, and the forthcoming overhaul of the entire area by the proposed Data Protection Regulation. This update gives a brief overview of recent developments; more detailed coverage will follow.

ICO publishes new guidance on monetary penalty notices

The Information Commissioner's Office (ICO) has published new guidance on the monetary penalty notices it can issue under the Data Protection Act 1998 (DPA). At present the ICO can impose a monetary penalty of up to £500,000 where a data controller seriously contravenes the DPA or the Privacy and Electronic Communications Regulations 2003 (PECR). For the DPA, the test is whether the contravention was of a kind likely to cause substantial damage or substantial distress. The Guidance currently applies the same test to PECR, although amendments to PECR that took effect on 6 April 2015 removed the need to prove "substantial damage or substantial distress" for serious breaches of PECR, so the ICO is likely to issue revised guidance on this point.

The Guidance emphasises that the ICO's objective in imposing monetary penalty notices is to promote compliance with the DPA and PECR: the possibility of a penalty should encourage compliance, or at least act as a deterrent against non-compliance. At the same time, the nature of the relevant statutory provisions means that such penalties are reserved for the most serious cases. In determining the amount of a penalty the ICO will take into account the sector in which the organisation operates (for example, whether it is a voluntary organisation) and the size of the organisation, so that the penalty does not impose undue financial hardship. However, the ICO points out that complying with the DPA and PECR should not be viewed as an extra requirement for businesses; it is an integral part of any business activity. Further details of the Guidance are available on the ICO website.

ICO launches review of children’s websites and apps

As part of an international project, the ICO is reviewing websites and apps used by children, focusing on privacy and the types of personal information they collect. The ICO has announced that it will examine 50 websites and apps and consider what information they collect from children, how that collection is explained, and whether parental permission is sought. Following the review, a report will be published jointly with 28 other privacy enforcement authorities. The ICO has also said that it will consider taking action against websites and apps found to be in breach of the Data Protection Act. Previously, the Office of Fair Trading looked into games and apps for children from a consumer perspective and recommended eight principles clarifying the industry's obligations under consumer law.

ICO hosts European Conference of Data Protection Authorities

In May, the Information Commissioner welcomed around 90 data protection regulators and international bodies to Manchester, where he called for a practical approach to data protection regulation and for regulators to keep pace with the technological changes that affect how personal information is used. Mr Graham said "the digital revolution has implications for every aspect of our lives – as citizens, as consumers, as individuals". This is because as we communicate, consume and transact, "unless we are very alert, we are also tracked", since "we live in a world of Big Data and the Internet of Things". In light of these challenges, the Commissioner called on regulators to be practical.

He went on to say that from various studies it is apparent that the public want from data protection the following: “control over their personal data; transparency; to understand the different purposes and benefits of data sharing; security of their personal data and specific rights of access, deletion and portable personal data”. Similarly, from data protection authorities the public expect: “consistency; visibility; privacy certification; responsiveness to new technologies and enforcement”.

With regard to the draft Data Protection Regulation (Draft Regulation), Mr Graham said that the ICO is already in development mode; for example, it is developing the certification mechanisms and data protection seals provided for in the Draft Regulation. On the availability of fines of up to 2% of global turnover, the Commissioner said that such a punishment would fit both the crime and the perpetrator, but he also called for data protection authorities to have "discretion to be able to focus on the biggest threats, not be forced to fine every case of non-compliance regardless of priorities". In relation to fines, he outlined the ICO's experience of civil monetary penalties, under which it has issued 68 fines totalling £7.5 million. Full details of his speech can be found on the ICO website.

Codes of Practice

Three Codes of Practice are now in force which supplement the current legal framework for data protection. The Home Office has published the Data Sharing for the Prevention of Fraud: Code of Practice (the Code), which in turn supplements the ICO's Data Sharing Code of Practice of 2011. Under the Serious Crime Act 2007, public authorities must have regard to the Code, which provides that they should prepare agreed data sharing documents. The Code also covers fairness and transparency, including fair processing notices; the rights of data subjects; retention and security of the data shared; and access to personal information under the Data Protection Act 1998 and the Freedom of Information Act 2000.

With regard to the retention, acquisition and disclosure of communications data, two statutory codes of practice are also now in force. The Retention of Communications Data Code of Practice provides guidance on the procedures to follow when communications data is retained under the Data Retention and Investigatory Powers Act 2014 and the Data Retention Regulations 2014. The Acquisition and Disclosure of Communications Data Code of Practice is an updated version of a previous code on the subject; it applies to relevant public authorities within the meaning of the Regulation of Investigatory Powers Act 2000 and provides guidance on the procedures to follow when communications data is acquired.

CJEU rules on use of biometric data

Individuals in the Netherlands who had applied for passports and, in some cases, identity cards refused to provide digital fingerprints and a facial image, arguing that this would breach their physical integrity and right to privacy since it was unclear who would have access to the data and how securely it would be held. A Dutch court referred the case to the CJEU. One of the questions asked concerned the obligations of Member States when implementing Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States (the Regulation): in particular, in light of other privacy obligations (the Charter of Fundamental Rights, the European Convention on Human Rights and the Data Protection Directive), must Member States guarantee that the biometric data collected is used only for the purpose of issuing those documents?

The CJEU in Willems and Others v Burgemeester van Nuth and Others ruled that the Regulation did not create such an obligation, as the collection, processing and storage of the data for other purposes is a matter for national law. Consequently, it was unnecessary to consider whether the storage and use of the data for purposes other than those provided for in the Regulation was compatible with the Charter of Fundamental Rights.

Draft General Data Protection Regulation – are we there yet?

Three years ago the European Union began a process to review the 1995 Data Protection Directive. Following numerous drafts and discussions between the European institutions, the Council of the EU has announced that agreement has been reached on a draft of the General Data Protection Regulation (the draft Regulation). Before the final version is agreed, the Commission, the Council and the Parliament will undertake a three-way negotiating process known as the trilogue, with the aim of finalising the text by the end of the year. Once finalised, it is likely to come into force by 2017, which is not quite around the corner. Nevertheless, given the content of the publicly available draft, it is important to consider what is to come, as there are a number of significant changes.

The key changes in the current draft Regulation, if implemented, include:

  • The concept of personal data is likely to include pseudonymous data, genetic data and biometric data;
  • Processing requires a valid ground for processing, with a higher bar for consent: data controllers must be able to show that they have consent for each separate purpose;
  • The territorial scope may be expanded to cover controllers or processors outside the EU who sell to data subjects in the EU or monitor the behaviour of data subjects in the EU;
  • Sensitive personal data may be expanded to include genetic data and criminal convictions, and will continue to be governed by a stricter regime;
  • Legal obligations for processors in addition to controllers, including maintaining records of processing activities and implementing appropriate technical and organisational information security measures;
  • Subject access rights are maintained, including rectification, with procedures and standardised information policies to be introduced;
  • New rights are introduced, including data portability, the right to be forgotten and certain rights in relation to profiling;
  • Accountability as a principle, which was referred to in the Directive, is likely to be embedded in the Regulation, giving rise to a number of obligations including maintaining policies, conducting audits and appointing a Data Protection Officer;
  • Privacy by design and by default, to ensure that compliance is designed into products and processes and is the default;
  • Detailed contractual arrangements are likely to be required when data is shared, with the possibility of joint controllership where a processor becomes a joint controller by acting outside its instructions;
  • Mandatory reporting of data breaches to the supervisory authority without undue delay; currently there is no harm threshold;
  • A one-stop shop to ensure comprehensive enforcement of data protection;
  • Higher penalties for breaches, currently up to 2% of annual worldwide turnover;
  • A Data Protection Officer is likely to become a requirement; and
  • Privacy certification and seals may be introduced.

Whilst it is unclear whether all of the above changes will make it into the final text of the Regulation, it is clear that all organisations will be affected by what is to come. They should consider how best to prepare for these potential changes in stages and think about the long-term impact.

It is also important to consider developments further afield. In the Netherlands, the Dutch Data Protection Act is already being amended to reflect provisions of the Regulation, although with fines permitted as high as 10% of a company's annual net turnover. Similarly, regulators are not shying away from taking enforcement action even in highly disputed cases. The Belgian Privacy Commission has found that Facebook's plug-ins on third-party websites, including the "Like" and "Share" buttons, do not comply with Belgian and EU law because they track users and Facebook's current opt-out does not meet the conditions for lawful consent. Although Facebook disputes that the Belgian authority has jurisdiction, arguing that it is not subject to Belgian privacy regulation, the Belgian Privacy Commission has said that on the basis of the CJEU "right to be forgotten" case it does have jurisdiction. Likewise, France's data protection authority has issued a notice calling on Google to implement the "right to be forgotten" across all of its domains worldwide, rather than only delisting search results on EU domains.

Forbes Solicitors provides advice on data protection law and practice covering a range of issues. If you would like further information on any of the issues mentioned in this briefing or require advice or training on any data protection related matter, please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.
