Data Protection, Privacy Regulators and Supervisory Authorities 9781526514219, 9781526514240, 9781526514233

Data Protection, Privacy Regulators and Supervisory Authorities explores and details the establishment, rules, and power


English Pages [417] Year 2020


Table of contents :
Preface
Abbreviations
Table of statutes
Table of statutory instruments
Table of cases
Chapter 1 Introduction
Introduction
Backdrop and Change
Regulators
Focus
Terminology
Data Protection Import
Data Rules
Conclusion
Chapter 2 Law and Regulators
Introduction
Data Regulators
Dual Laws
Obligation to Establish Data Regulator
Regulator Must Be Independent
Regulator Activities
Tasks
Regulator Fines
Other Regulator Powers
Remedies
Current Decision Trends
Conclusion
Chapter 3 National Laws
Introduction
Context
Regulations and Directives
Other Data Protection and Privacy Laws
Chapter 4 Regulators and Authorities
Introduction
EU Member States
Europe
EEA
Other Examples
UK
Ireland
Chapter 5 ICO Before, During and After Brexit
Introduction
ICO and the Need for a Stable, Clear, Data Environment
The Data Problem at the Heart of Brexit
General Transfer Rule
Transfer Exceptions and Procedures
Importance of a UK Adequacy Exception
The Timing of Adequacy Decision
Additional Problems
Changes from the GDPR
Data Protection Act 2018 Keeling Schedule Amendments
General Data Protection Regulation Keeling Schedule Amendments
Pressure for Advice and Clarity
ICO Official Advice
Guidance from the European Data Protection Supervisor
Guidance from the Commission
Guidance from the European Data Protection Board
Brexit Certain
Conclusion
Chapter 6 European Data Protection Board
Introduction
Establishment
Independence
EDPB Tasks
Additional Tasks
EDPB Reports
Opinions and Reports
Registers
Resources and Topic Documents
Chair of EDPB
Secretariat
EDPB Procedures
Conclusion
Chapter 7 European Data Protection Supervisor
Introduction
Establishment
Mission
Scope
Technological Development
Role in Monitoring and Policing Tech Change
Duties and Powers
Rules
Independence
Tasks
Powers
Investigative Powers
Corrective Powers
Authorisation and Advisory Powers
Breach Notifications
Guidelines
International Cooperation
Professional Secrecy
Conclusion
Chapter 8 Data Protection and Privacy Regulation in the US
Introduction
Federal Privacy Gap
Current Federal Approach
Privacy Interests and EU–US Privacy Bridges
Increasing Federal Focus
States Lead by Example
The FTC as a Federal DPP Regulator
EU Data Transfer to the US
No Safe Harbour
EU–US Privacy Shield
Annual Review
FTC Actions
Federal Law Proposals
Conclusion
Chapter 9 Powers of National Data Protection Supervisory Authorities
Introduction
Types of Powers
Investigative Powers
Corrective Powers
Authorisation and Advisory Powers
Tasks and the GDPR
Reports/Activity Reports
Conclusion
Chapter 10 Corporate Contention
Introduction
Authorities and Companies
Penalties and Fines
Powers
Controller and Processor Obligations
Data Protection Officers
Director Responsibility, Liability and Offences
Individuals and Companies
Notices
Conclusion
Chapter 11 Individual Contention
Introduction
Individual, Rights and Remedies
Individuals and Companies
Individual and Authority
Representation of Data Subjects
Conclusion
Chapter 12 Independence
Introduction
General Independence of Authority
Staff Resources and Independence
Technical Resources and Independence
Financial Resources and Independence
Office Resources and Independence
Infrastructure Resources and Independence
German Independence Case
Austria Independence Case
Comparison and Transition
Independence of EDPB
Independence of European Data Protection Supervisor
Conclusion
Chapter 13 Funding
Introduction
Financial Independence
Staff and Staff Funding
Independence from External Direct and Indirect Influence
Funding and Resource Increases
Irish Data Protection Commission
Allocation and Funding of EDPB Secretariat
Conclusion
Chapter 14 Interactions and Cooperation
Introduction
Cooperation
Mutual Assistance
Joint Operations
Consistency and Consistency Mechanism
Dispute Resolution by EDPB
Urgency Procedure
Exchange of Information
‘One-stop Shop’ and Respective Authorities
WP29/EDPB Guidelines
Conclusion
Chapter 15 Conclusion
Introduction
New and Developing Data Protection Issues
Profiling
Facial Recognition
Smart Toys
Ride Shares and Self Driving
Blockchain
Algorithms
Pseudonymisation and Anonymisation
Ethics, Data Ethics and Responsibility
Disposal of Computer Hardware
Increasing Action
Data Transfers
EDPS Hot Topics
Politics, Profiling and Political Attacks
Conclusion
Appendices
1: Data Protection Supervisory Authority Details
2: ICO Enforcement, Fines and Prosecutions
3: Data Protection Act 2018: Changes from GDPR
4: Proposed UK Changes to GDPR re ICO
5: Proposed UK Changes to DPA 2018 re Data Protection
Index

Data Protection, Privacy Regulators and Supervisory Authorities

Dr Paul Lambert BA, LLB, LLM, TMA, CTMA, Adjunct Lecturer, Qualified Lawyer, CTMA, PhD, Consultant

BLOOMSBURY PROFESSIONAL
Bloomsbury Publishing Plc
41–43 Boltro Road, Haywards Heath, RH16 1BJ, UK

BLOOMSBURY and the Diana logo are trademarks of Bloomsbury Publishing Plc

First published in Great Britain 2020

Copyright © Bloomsbury Professional, 2020

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, without prior permission in writing from the publishers.

While every care has been taken to ensure the accuracy of this work, no responsibility for loss or damage occasioned to any person acting or refraining from action as a result of any statement in it can be accepted by the authors, editors or publishers.

All UK Government legislation and other public sector information used in the work is Crown Copyright ©. All House of Lords and House of Commons information used in the work is Parliamentary Copyright ©. This information is reused under the terms of the Open Government Licence v3.0 (http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3) except where otherwise stated.

All Eur-lex material used in the work is © European Union, http://eur-lex.europa.eu/, 1998-2018.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN:
HB: 978 1 52651 421 9
Epub: 978 1 52651 422 6
E-pdf: 978 1 52651 423 3

Typeset by Evolution Design & Digital Ltd (Kent)
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

To find out more about our authors and books visit www.bloomsburyprofessional.com. Here you will find extracts, author information, details of forthcoming events and the option to sign up for our newsletters

In loving memory of Carmel and to Leah, Tomás and Elizabeth


Preface

Data protection and privacy (DPP) are arguably the most topical and developing areas of law and policy. Conferences, articles, headline media stories and intense policy discussions are all being directed at the important and often developing issues contained within the field of data protection and privacy. There has also been a significant increase in recent and proposed regulations. Not least among these are the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in California, and other laws internationally. California and the California Consumer Privacy Act (CCPA) have been positively compared to the GDPR.[1]

While many are becoming familiar with new laws and regulations in this area[2] (and compliance obligations[3]) and are being warned by in-house and external lawyers and other service providers (eg compliance oversight, training, education, security, software tools, etc) of the dangers of getting things wrong and of the consequences of data breaches – such as massive fines and penalties – no text is yet covering in any authoritative manner the rules, powers and contestability of fine and penalty powers of data protection and privacy regulators and supervisory authorities.

Without doubt, some organisations will be unhappy with some penalty decisions and will wish to appeal or judicially review these decisions. (Facebook, for example, was reported to be seeking to appeal one of the largest ICO fines of £500,000.) However, there are other orders and enforcement actions which regulators can engage in apart from just fines and penalties, which third parties may, on occasion, wish to contest. Separately, complaints have arisen when individuals or data protection and privacy groups have been upset when their issues are not followed through in the manner they would like; these may also lead to appeals or judicial reviews.

Apart from the above, there is a whole new corpus of regulatory and official legal rules which underpin the creation and appointment of different data protection and privacy regulators and supervisory authorities. There have already been some significant cases dealing with:

(a) necessary independence of data protection and privacy regulators and supervisory authorities, for instance, where politicians or government seek to limit, curtail or even interfere in their powers or activities; and

(b) the necessary appropriate funding and resources needed for data protection and privacy regulators and supervisory authorities to properly function. For instance, politicians may unduly underfund the efforts of these important and necessary data protection and privacy protection regulators. This can arise by accident – but unfortunately may also arise in a more deliberate manner.

New cases will continue to explore this area. Companies will no doubt seek to catch regulators out or suggest that they have imposed penalties that are too high. These cases will be very important in deciding the extent of powers of the data protection supervisory authorities and filling in parts of the landscape of data protection and privacy. There will also be disputes where companies seek to suggest that a given fine in one country is too high as compared with regulators in other countries. Regulators will also be mindful of judicial guidance on which regulators should deal with problem matters where a company or group may have more than one presence. It is understood that a Belgian case has already been referred to the Court of Justice of the European Union (CJEU) on the GDPR’s so-called ‘one-stop shop’ mechanism. Indeed, certain companies may prefer to have disputes decided in one country over another, leading to litigation on this point alone.

The above only serves to demonstrate that this increasingly important aspect of data protection and privacy, the role, powers and activities of data protection and privacy regulators and supervisory authorities, requires its own dedicated review and resources. There is no textbook or analysis, or comparison, of these various underpinnings (and the respective powers) of the data protection and privacy regulators and supervisory authorities, and hence the need for this resource.

The importance, role and activities of the various data protection and privacy regulators and supervisory authorities are only set to increase in importance in the near, and long-term, future.

Paul Lambert
January 2020

[1] Pardau, SL, ‘The California Consumer Privacy Act: Towards a European-Style Privacy Regime in the United States’ Journal of Technology Law & Policy (2018–2019)(23:1) 68.
[2] See, for example, Lambert, P, A User’s Guide to Data Protection (Bloomsbury, 2018).
[3] See, for example, Lambert, P, The Data Protection Officer, Profession, Rules and Role (Routledge, Taylor and Francis, 2016).

Abbreviations

DPP: data protection and privacy.
Personal data: data relating to an individual, or individual data subject as referred to in data protection laws.[1]
Data subject: the individual the subject of personal data.[2]
Controller: the entity holding (and or collecting, using, processing and storing) personal data relating to a data subject.[3]
Processor: an outsource entity acting for and on behalf of a main controller entity and which may receive or otherwise process personal data for the controller.[4]
GDPR: General Data Protection Regulation.[5]
DPD 95/46: the data protection law in the EU before the GDPR, namely, the Data Protection Directive 1995.[6] Now replaced by the GDPR.
DPA: Data Protection Act.
DPA 2018: Data Protection Act 2018.
DPA 1998: Data Protection Act 1998.
EUWA: European Union (Withdrawal) Act.
CCPA: California Consumer Privacy Act.
ICO: Information Commissioner’s Office (the UK data protection supervisory authority).
DPC: Data Protection Commission; Data Protection Commissioner.
Commission: EU Commission.
FTC: Federal Trade Commission.
CJEU: Court of Justice of the European Union.
ECJ: European Court of Justice (the previous name for the CJEU).

[1] The GDPR defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. See GDPR Art 4(1).
[2] The GDPR defines ‘data subject’ as ‘an identified or identifiable natural person (‘data subject’)’. See GDPR Art 4(1).
[3] The GDPR defines ‘controller’ as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. See GDPR Art 4(7).
[4] The GDPR defines ‘processor’ as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. See GDPR Art 4(8).
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ L 119, 4.5.2016, pp 1–88.
[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.

Table of statutes

References are to paragraph number

Data Protection Act 1998 ..... 1.6; 4.7; 11.3
  s 2A ..... 10.46
      (1) ..... 10.46
    2B ..... 10.46
      (1)(b) ..... 10.46
    2D ..... 10.46
    13 ..... 11.3
      (1) ..... 11.3
      (2) ..... 11.3
        (a), (b) ..... 11.3
  Pt VI (ss 51–75) ..... 9.7
  s 149 ..... 9.7
  Sch 19 s 43 ..... 1.6
Data Protection Act 2018 ..... 1.6, 1.7, 1.11, 1.14; 2.5, 2.10, 2.37; 3.4, 3.5; 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.14; 5.2, 5.3, 5.6, 5.8, 5.9, 5.10, 5.13, 5.14, 5.15, 5.16; 9.6, 9.18, 9.23; 10.39, 10.46; 13.6; 15.28
  s 2 ..... 10.46
      (1)(a), (b) ..... 10.46
      (c)(i), (ii) ..... 10.46
    9 ..... 2.10
  Pt 5 (ss 114–141) ..... 2.5
  s 114 ..... 2.5
    115–117 ..... 2.5; 9.20
    118–128 ..... 2.5
    129 ..... 2.5; 9.13
    130–138 ..... 2.5
    139–141 ..... 2.5; 9.20
    142 ..... 2.5; 9.14
    143 ..... 2.5; 10.46
      (6) ..... 10.46
    144 ..... 2.5
    145 ..... 2.5; 9.15
    146 ..... 2.5; 9.9
    147 ..... 2.5; 9.10
    148 ..... 2.5; 9.11
    149 ..... 2.5
    150 ..... 2.5
      (2) ..... 9.7
    151 ..... 2.5; 9.8
    152, 153 ..... 2.5
    154 ..... 2.5; 9.12
    155 ..... 2.5; 9.6
      (2), (3) ..... 9.6
    156 ..... 2.5
    157 ..... 2.5; 9.6
    158–169 ..... 2.5
    170 ..... 2.5; 9.17
    171 ..... 2.5; 9.18, 9.19
    172 ..... 2.5; 9.19
    173–181 ..... 2.5
    184, 185 ..... 9.21
    198 ..... 10.39
      (1) ..... 10.39
  Sch 12 ..... 2.5; 9.20
  Sch 13 ..... 2.5; 9.20
  Sch 15 ..... 9.12
  Sch 17 ..... 9.20
  Sch 20 ..... 2.5
Data Retention and Investigatory Powers Act 2014 ..... 1.6
European Communities Act 1972 ..... 4.13
  s 2(1) ..... 4.13
European Union (Withdrawal) Act 2018 ..... 3.4; 4.10, 4.11, 4.12, 4.13, 4.14; 5.16
  s 1 ..... 4.13
    3 ..... 4.13
      (1) ..... 4.13, 4.14
      (2)(a) ..... 4.13, 4.14
    4 ..... 4.14
      (4) ..... 4.14
    5 ..... 4.14
      (1), (2), (4), (5) ..... 4.14
    6 ..... 4.14
      (1) ..... 4.14
        (b) ..... 4.14
      (2) ..... 4.14
      (4), (5) ..... 4.14
      (7) ..... 4.14
    7 ..... 4.14
      (1), (2) ..... 4.14
      (5)(f) ..... 4.14
      (6) ..... 4.14
    9(1) ..... 4.14
      (3)(e) ..... 4.14
      (4) ..... 4.14
    20 ..... 4.13
      (4) ..... 4.14
    110 ..... 4.17, 4.18
  Sch 6 ..... 4.13; 5.11
European Union (Withdrawal) Act 2019 ..... 3.4
European Union (Withdrawal) (No 2) Act 2019 ..... 3.4
Human Rights Act 1998 ..... 4.14; 10.46; 11.3
  s 3 ..... 11.3
      (1) ..... 11.3
Police and Criminal Evidence Act 1984 ..... 10.46

AUSTRIA
Civil Servants (Employment) Act 1979 (No 333/1979) (Beamten-Dienstrechtsgesetz) (BDG)
  para 45(1) ..... 12.12, 12.13
Data Protection Act 2000 (No 165/1999) (Datenschutzgesetz) (DSG)
  para 36(3) ..... 12.12, 12.13
         (3a) ..... 12.13
       37(1) ..... 12.12, 12.13
       38(1) ..... 12.13
         (2) ..... 12.12, 12.13
Wage Limitation Act 1997 (No 64/1997) (Bezugesbegrenzungsgesetz) (BVG)
  art 20(2) ..... 12.12, 12.13

BELGIUM
GDPR Implementation Act 2018 ..... 3.8

GERMANY
Federal Data Protection Act 2017 (Bundesdatenschutzgesetz) (BDSG) ..... 3.7

IRELAND
Copyright and Related Rights Act 2000
  s 140 ..... 10.46
Data Protection Act 2018 ..... 3.5; 4.15
  Pt 2 (ss?) ..... 3.6
  s 10 ..... 3.6
    15(1) ..... 3.6

SPAIN
Organic Law (03/2018) ..... 3.11

UNITED STATES
Bank Secrecy Act 1970 ..... 8.3
California Consumer Privacy Act 2018 ..... 8.6
Children’s Online Privacy Protection Act 1998 ..... 8.3, 8.7
Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 (15 USC § 7701-13) ..... 1.5; 8.3
Electronic Communications Privacy Act 1986 ..... 8.3
Fair Credit Reporting Act 1970 (15 USC § 1681) ..... 8.3
Family Educational Rights and Privacy Act 1974 (20 USC § 1232g) ..... 8.3
Financial Modernization Act 1999 see Gramm-Leach-Billey Act 1999
Foreign Account Tax Compliance Act 2010 ..... 6.37
Gramm-Leach-Billey Act 1999 ..... 8.3
Health Insurance Portability and Accountability Act 1996 ..... 8.3
Right to Financial Privacy Act 1978 ..... 8.3
Video Privacy Protection Act 1998 (18 USC § 2710) ..... 1.5; 8.3

Table of statutory instruments

References are to paragraph number

Data Protection, Privacy and Electronic Communications (amendments etc) (EU Exit) Regulations 2019, SI 2019/419 ..... 5.10
European Union (Withdrawal) Act 2018 (Exit Day) (Amendment) Regulations 2019, SI 2019/718 ..... 4.14
Network and Information Systems Regulations 2018, SI 2018/506 ..... 5.15
Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 ..... 5.15

Table of cases References are to paragraph number A Amann v Switzerland (Application 27798/95) [2000] 2  WLUK  586, (2000) 30 EHRR 843.........................................................................................................12.10 Austrian Supervisory Authority v Austrian Post (23 October 2019).............................2.46 Austria Supervisory Authority (DSB) v Medical Co (August 2019).............................2.46 B Baden-Wurttenberg Supervisory Authority v Knuddels.de (21 November 2018).........2.46 Ba rbulescu v Romania (Case No 61496/08) [2017] 9 WLUK 42, [2017] IRLR 1032, 44 BHRC 17...........................................................................................................4.6 Benkharbouche & Janah v Embassy of Sudan [2015] EWCA Civ 33, [2016] QB 347, [2015] 3 WLR 301.................................................................................................11.3 Berlin Supervisory Authority v Delivery Hero (19 September 2019)...........................2.46 British Gas v Data Protection Registrar [1998] 3  WLUK  464, [1997-98] Info TLR 393.................................................................................................................4.6 Bulgaria Supervisory Authority v (KZLD) v DSK Bank (28 August 2019).................2.46 C CCN Systems v Data Protection Registrar [1991] UKIT DA90....................................4.6 CG v Facebook Ireland Ltd [2016] NICA 54, [2017] EMLR 12..................................11.2 Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, [2004] 2 AC 457, [2004] 2 WLR 1232...........................................................................................................4.6 Common Services Agency v Scottish Information Comr [2008]  UKHL  47, [2008] 1 WLR 1550, [2008] 4 All ER 851........................................................................4.6 Czech Supervisory Authority (UOOU) v Finance Co (4 February 2019).....................2.46 Czech Supervisory Authority 
(UOOU) v X (28 February 2019)...................................2.46 D Data Protection Comr v Facebook Ireland Ltd & Maxmillian Schrems see Schrems v Data Protection Comr (Case C-362/14) Digital Rights Ireland Ltd v Minister for Communications, Marine & Natural Resources; Proceedings brought by Karntner Landesrgierung (Cases C-293/12 and C-594/12) [2015]  QB  127 [2014] 3  WLR  1607, [2014] 2  All ER (Comm) 1...............................................................................................................1.6 Doorstep Dispensaree Ltd v ICO (EA/2018/0265) [2019] 1 WLUK 456.................. 9.7; 10.46 Douglas v Hello! Ltd (No  6) [2005]  EWCA  Civ 595, [2006]  QB  125, [2005] 3 WLR 881.............................................................................................................4.6 Durham County Council v Dunn [2012]  EWCA  Civ 1654, [2013] 1  WLR  2305, [2013] 2 All ER 213...............................................................................................4.6 Dutch Supervisory Authority (AP) v Haga Hospital (18 June 2019)............................2.46 E EMI  Records (Ireland) v Data Protection Comr [2012]  IEHC  264; aff’d [2013] IESC 34......................................................................................................10.46 European Commission v Austria (Case C-614/10) [2012] 10  WLUK  443, [2013] 1 CMLR 23, [2013] All ER (EC) 237................................. 2.5; 4.27; 12.11, 12.13; 13.13 European Commission v Bavarian Lager Co Ltd (Case C-28/08P) [2011] Bus LR 867, [2010] 6 WLUK 672, [2011] 1 CMLR 1...............................................................4.6

xxi

European Commission v Germany (Case C-518/07) [2010] ECR I-1885, [2010] 3 WLUK 243, [2010] 3 CMLR 3 ... 2.5; 4.27; 12.8, 12.10, 12.13; 13.13

F
French Supervisory Authority (CNIL) v Active Assurances (25 July 2019) ... 2.46
French Supervisory Authority (CNIL) v Sergic (28 May 2019) ... 2.46
French Supervisory Authority (CNIL) v Uniotrad (13 June 2019) ... 2.46

G
Ghaidan v Godin-Mendoza [2004] UKHL 30, [2004] 2 AC 557, [2004] 3 WLR 113 ... 11.3
Glawischnig-Piesczek v Facebook Ireland Ltd (Case C-18/18) [2019] 10 WLUK 37, [2020] EMLR 3 ... 6.37; 11.2; 14.10
Google Inc v Vidal-Hall see Vidal-Hall v Google Inc
Google Spain SL v Agencia Española de Protección de Datos (AEPD) (Case C-131/12) [2014] QB 1022, [2014] 3 WLR 659, [2014] 2 All ER (Comm) 301 ... 1.6; 4.6; 11.2
Greece Supervisory Authority (HDPA) v Telecoms Co (7 October 2019) ... 2.46
Greece Supervisory Authority (HDPA) v PWC (30 July 2019) ... 2.46

H
HMRC v IDT Card Ltd see R (on the application of IDT Card Services Ireland Ltd) v C & E Comrs
Halford v United Kingdom (Application 20605/92) [1997] 6 WLUK 443, [1997] IRLR 471, (1997) 24 EHRR 523 ... 4.6
Hamburg Supervisory Authority v Kolibri Image Regina und Dirk Maass GbR (17 December 2018) ... 2.46
Hamburg Supervisory Authority v X (2018) ... 2.46
Hungarian Supervisory Authority v X (5 April 2019) ... 2.46
Hungary Supervisory Authority (NAIH) v Financial Co (4 March 2019) ... 2.46
Hungary Supervisory Authority (NAIH) v Political Party (5 April 2019) ... 2.46
Hungary Supervisory Authority (NAIH) v X (18 December 2018) ... 2.46

I
Information Comr v British Airways (BA) (8 July 2019) ... 2.46
Information Comr v Christopher Niebel & Gary McNeish [2014] UKUT 255 (AAC), [2014] 6 WLUK 316 ... 1.6; 4.6; 10.39
Information Comr v Lara Davies (December 2012) ... 4.6
Information Comr v Marriott International Inc (9 July 2019) ... 2.46
Information Comr v Prudential ... 1.11; 4.6
Information Comr v Sony (July 2013) ... 4.6
Italian Supervisory Authority (Garante) v Movimento 5 Stelle (17 April 2019) ... 2.46

J
Johnson v Medical Defence Union Ltd [2007] EWCA Civ 262, [2008] Bus LR 503, [2007] 3 WLUK 734 ... 11.3

L
Latvia Supervisory Authority (DSI) v Online Services (26 August 2019) ... 2.46
Lindqvist, criminal proceedings against (Case C-101/01) [2004] QB 1014, [2004] 2 WLR 1385, [2003] ECR I-12971 ... 4.6
Lithuanian Supervisory Authority (VDAI) v UAB Mister Tango (16 May 2019) ... 2.46
Litster v Forth Dry Dock & Engineering Co Ltd [1990] 1 AC 546, [1989] 2 WLR 634, [1989] 1 All ER 1134 ... 11.3

M
McCall v Facebook (20 September 2012) ... 4.6


Malta Supervisory Authority v Lands Authority (18 February 2019) ... 2.46
Marleasing SA v La Comercial Internacional de Alimentacion SA (Case C-106/89) [1990] ECR I-4135, [1990] 11 WLUK 195, [1993] BCC 421 ... 11.3
Microsoft Corpn v McDonald (t/a Bizads) [2006] EWHC 3410 (Ch), [2007] Bus LR 548, [2006] 12 WLUK 245 ... 4.6
Motion Picture Association v BT (28 July 2011) ... 4.6

N
NT1 & NT2 v Google [2018] EWHC 799 (QB), [2019] QB 344, [2018] 3 WLR 1165 ... 10.39; 11.2
Norwegian Supervisory Authority (Datatilsynet) v Bergen Municipality (March 2019) ... 2.46
Norwegian Supervisory Authority (Datatilsynet) v Oslo Municipal Education Department (29 April 2019) ... 2.46

P
Pickstone v Freemans plc [1989] AC 66, [1988] 3 WLR 265, [1988] 2 All ER 803 ... 11.3
Polish Supervisory Authority (UODO) v A Company (26 March 2019) ... 2.46
Polish Supervisory Authority (UODO) v Morele.net (10 September 2019) ... 2.46
Portuguese Supervisory Authority (CNPD) v Hospital (17 July 2018) ... 2.46

R
R (on the application of IDT Card Services Ireland Ltd) v C & E Comrs [2006] EWCA Civ 29, [2006] STC 1252, [2006] 1 WLUK 534 ... 11.3
R (on the application of Robertson) v Wakefield MDC [2001] EWHC Admin 915, [2002] QB 1052, [2002] 2 WLR 889 ... 4.6
Rechnungshof v Österreichischer Rundfunk (Cases C-465/00, C-138/01 & C-139/01) [2003] ECR I-4989, [2003] 5 WLUK 598, [2003] 3 CMLR 10 ... 12.10
Romanian Supervisory Authority (ANSPDCP) v Legal Co & Tax Hub SRL (5 July 2019) ... 2.46
Romanian Supervisory Authority (ANSPDCP) v Raiffeisen Bank SA (9 October 2019) ... 2.46
Romanian Supervisory Authority (ANSPDCP) v Uttis Industries SRL (17 October 2019) ... 2.46
Romanian Supervisory Authority (ANSPDCP) v Vreau Credit SRL (9 October 2019) ... 2.46
Romanian Supervisory Authority (ANSPDCP) v World Trade Center Bucharest SA (2 July 2019) ... 2.46
Rotaru v Romania (Application 28341/95) [2000] 5 WLUK 77, 8 BHRC 449 ... 12.10
Rugby Football Union v Viagogo Ltd [2012] UKSC 55, [2012] 1 WLR 3333, [2013] 1 All ER 928 ... 4.6

S
Schrems v Data Protection Commissioner (Case C-362/14) [2016] QB 527, [2016] 2 WLR 873, [2015] 10 WLUK 117 ... 1.11; 4.6, 4.26; 8.10; 11.2, 11.5; 15.27
Spain Supervisory Authority (AEPD) v Iberdrola Clientes (16 October 2019) ... 2.46
Spanish Supervisory Authority (AEPD) v La Liga (11 June 2019) ... 2.46
Spanish Supervisory Authority v Xfera Moviles SA (16 October 2019) ... 2.46
Sweden Supervisory Authority v School (20 June 2019) ... 2.46
Sweden Supervisory Authority v School (20 August 2019) ... 2.46

T
Tamiz v Google Inc [2012] EWHC 449 (QB), [2012] 3 WLUK 112, [2012] EMLR 24 ... 4.6
Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy (Case C-73/07) [2008] ECR I-9831, [2008] 12 WLUK 441, [2010] All ER (EC) 213 ... 12.10


U
United States of America (on behalf of the Federal Trade Commission) v Facebook Inc (Case 19-cv-2184) ... 8.7
United States of America (on behalf of the Federal Trade Commission) and People of the State of New York, by Letitia James, A-G of the State of New York v Google LLC & YouTube (FTC Case 172 3083, 2019) ... 8.7

V
Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003, [2015] 3 WLR 409 aff’d [2014] EWHC 13 (QB), [2014] 1 WLR 4155, [2014] 1 WLUK 262 ... 4.6; 6.1; 11.2, 11.3
Von Hannover v Germany (Applications 40660/08 & 60641/08) [2012] 2 WLUK 191, [2012] EMLR 16, (2012) 55 EHRR 15 ... 4.6

W
Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case C-230/14) [2016] 1 WLR 863, [2015] 10 WLUK 12 ... 4.6
Wightman v Secretary of State for Exiting the European Union (Case C-621/18) [2019] QB 199, [2018] 3 WLR 1965, [2018] 12 WLUK 94 ... 5.22


CHAPTER 1

Introduction

INTRODUCTION

1.1 Data protection and privacy never stands still. There are always new technological (and other) developments, and some of these will give rise to problem issues. For instance, there are new developments promoting new forms of digital cash from Bitcoin, other digital currencies and, most recently, an effort to develop a new digital currency by Facebook which would be called Libra. None of these are without controversy and significant further detailed examination and vetting are required. Politicians, financial regulators and even data protection supervisory authorities (including the Information Commissioner’s Office (ICO)) have voiced concern at the proposed Libra currency.1 This is obviously a developing area.

BACKDROP AND CHANGE

1.2 The issue of data breaches and attacks on the personal data of individuals, which are unfortunately continuing in frequency and scale, has escalated the need for new or updated data protections. In addition to data breach and data loss-type issues, attention is also being paid to other discrete areas of data protection and privacy. This includes an increasing consumer-based focus,2 rights focus, fundamental rights and interests focus3 and even examination of individualised effects of different engagements and models as they affect individuals (eg, trust and trust levels).4 Just some of these include:

• earlier compliance and pre-problem solving (eg, privacy by design, data protection by design, data protection by default, early compliance from day one or project initiation (as opposed to an add-on or afterthought), data protection impact assessments, risk assessments, etc). Data protection and privacy is now an integral (early) design issue, not merely a once-over narrow headline review just before a new product or service goes live in the marketplace;
• takedown, erasure and forgetting issues, particularly online personal data;5
• revenge porn and other forms of online abuse, and new and expanding forms of online abuse;6
• drones and drone image personal data;
• doorbell and security device image personal data;
• body camera image personal data;
• home devices recording what individuals say or instruct (often called voice assistants) (brands include Beeb, Alexa, Siri, Google Assistant);7
• home devices which record individuals even when they are not meant to be on (and not recording);
• televisions which film and record homeowners;
• airline seats which record passengers;
• important issues of child personal data; and
• courts who are having to consider the impact of new technological developments on judicial processes.8

1 See ‘ICO Joins International Signatories in Raising Libra Data Protection Concerns’ ICO statement. Available at: www.ICO.org.uk, 5 August 2019.
2 For example, Carugati, C, (2018) ‘The 2017 Facebook Saga: A Competition, Consumer and Data Protection Story’ 2(1) European Competition and Regulatory Law Review (CoRe) 4; Nauwelaerts, W (2017) ‘GDPR – The Perfect Privacy Storm: You Can Run From the Regulator, But You Cannot Hide From the Consumer’ 3(2) European Data Protection Law Review (EDPL) 251.
3 Leinarte, E, ‘EU Fundamental Rights and Their Enforcement’ (2019) 78(1) Cambridge Law Journal (2019)(78:1) 31; Sales, P, ‘Rights and Fundamental Rights in English Law’ Cambridge Law Journal (2016)(75:1) 86.
4 Hodges, C, ‘Delivering Data Protection: Trust and Ethical Culture’ European Data Protection Law Review (EDPL) (2018)(4:1) 65; Hartzog, W, (2018) ‘Are Privacy Laws Deficient’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 17; Waldman, AE, ‘Privacy’s Law of Design’ UC Irvine Law Review (2019)(9:5) 1239; Savage, CW, ‘Managing the Ambient Trust Commons: The Economics of Online Consumer Information Privacy’ Stanford Technology Law Review (2019)(22:1) 95; Hodges, C ‘Delivering Data Protection: Trust and Ethical Culture’ European Data Protection Law Review (EDPL) (2018)(4:1) 65.

The history of recent data protection and privacy development is linked with the capacity to electronically store data and personal data. This capacity is continuing at great pace with internet, database and cloud developments. The European Data Protection Supervisor has commented on the need for contract review and research on the part of the data protection supervisory authorities to protect personal data. The Supervisor states as follows:

‘Data protection has always been about technology. It was the arrival of computers in the business and public administration domains that triggered the development of data protection laws and principles which in turn led to the creation of data protection authorities.

Technical development allows for more sophisticated and increasing amounts of personal data collection and processing. Though advanced technologies increase the risk to privacy and data protection, they may also integrate technological solutions for better transparency and control for the persons whose data is processed. Data protection authorities must keep abreast of both the potential risks and opportunities offered by these advances: they invest to understand the possibilities of new technology and at the same time encourage the integration of data protection by design and data protection by default into the innovation process.’

5 See Lambert, P, The Right to be Forgotten (Bloomsbury, 2019).
6 See, for example, Lambert, P, International Handbook of Social Media Law (Bloomsbury, 2014); Social Networking, Law, Rights and Policy (Clarus Press, 2014); Lambert, P, A Users’ Guide to Data Protection (Bloomsbury, 2018).
7 A recent article in point is Lynskey, D, ‘Alexa, Are You Invading My Privacy? The Dark Side of Our Voice Assistants’ Guardian, 9 October 2019.
8 See, for example, Lambert, P, Courting Publicity, Twitter and Television Cameras in Court (Bloomsbury, 2011); Lambert, P, Television Courtroom Broadcasting, Distraction Effects and Eye Tracking (Intellect, 2012); Television Courtroom Broadcasting Effects, The Empirical Research and the Supreme Court Challenge (University Press of America, 2013).

The data protection supervisory authorities must place ‘strategic importance on integrating the technological dimension of data protection into our work’. The Supervisor and data protection supervisory authorities should ‘ensure that our work properly assesses technological implications’ and demonstrate that each:

• ‘[m]onitors technological developments which may have an impact on privacy and data protection such as cloud computing, PIMS, Big Data, malicious software;
• analyses and understands the potential impact of technology driven policy and proposed legislative measures as demonstrated in our opinions and comments;
• advances the public debate by reporting on new technology related to privacy and data protection for instance, in the TechDispatch, EDPS newsletter, papers and other publications and events such as IPEN Workshops and CPDP;
• [o]ffers support to the EU institutions, National Data Protection Authorities and the public at large by being a reference point for clarifying technological issues related to privacy and data protection;
• has the technological knowledge and tools to perform effective inspections of IT systems and other technical solutions used as means to process personal data; and
• [g]uides, influences, raises awareness and provides advice on technology developments relevant to privacy, data protection and the proper implementation of the privacy by design and privacy by default principles.’9

REGULATORS

1.3 To ensure that the duties are complied with and the rights of individuals vindicated, an official data protection supervisory authority has been established to monitor and act as appropriate in relation to compliance with and the efficient operation of the data protection regime. This role is fulfilled in the UK by the Commissioner and Information Commissioner’s Office (ICO). The role of the ICO and data protection supervisory authorities in other EU Member States (and privacy regulators in countries internationally) has increased significantly and cannot be ignored by organisations. Companies and organisations must include assessment of the new role and powers of data protection supervisory authorities in the overall compliance assessments and compliance programmes.10 UK data protection research and enforcement has made a significant contribution in the field of data protection and privacy.11 Even in the event of Brexit and the UK becoming a country outside the EU (known in data protection terminology as a ‘third country’), the UK will likely continue to make valuable contributions.

9 EDPS. Available at: https://edps.europa.eu/data-protection/our-work/technology-monitoring_en.

FOCUS

1.4 This is not a general introduction to data protection and privacy rules (which have other resources available).12 It is rather focused directly on the data protection and privacy regulators and supervisory authorities who are tasked with promoting compliance, respect for data protection and privacy, ensuring compliance, investigating, researching and enforcing as appropriate the data protection and privacy rules – an important part of which includes fines and penalties and, increasingly, prosecutions in court.

TERMINOLOGY

1.5 Some issues around terminology should also be addressed. The book refers generally to data protection and privacy. Some people may use the terms ‘data protection’ and ‘privacy’ interchangeably. However, there are differences between them. Some may also suggest that data protection is an aspect of or a subset of privacy. There are also some international differences. In the US, many people use the term or concept of ‘privacy’ when discussing these types of issues. In Europe, people refer to data protection and data protection rules are well defined and understood – and are linked to express legislation, most recently the General Data Protection Regulation (GDPR). Broadly speaking, while the same issues may be the focus of discussion, the US often refers to privacy, while the EU refers to data protection. Having said that, there are increasingly frequent examples of the term ‘data protection’ being used in the US. The increase in similar problems and issues of concern in the US, EU and internationally (after all, the internet is global in nature) and the significant public attention gained by the new EU GDPR and also to certain EU cases, is also contributing to EU laws, concepts and terminology being used elsewhere.

While the problem issues that arise are often the same given internet and international progress, there are some legal differences. The EU has an overarching, general data protection law governing the collection, use and processing of all personal data. In the US only some personal data is covered by federal law protection given that there are only discrete issue-by-issue federal laws protecting personal data in the sector identified, as opposed to one general law encompassing all personal data. Examples of these issue-only protections include marketing Spam personal data13 and video rental personal data.14

It is important to understand, however, that, notwithstanding the lack of an overarching federal privacy law, there are lots of individual state laws and there is a push for a federal law. In practice, the Federal Trade Commission (FTC) which ostensibly deals with consumer protection and related issues has developed a practice of investigating and even prosecuting certain abuses of privacy in the US. So, it should not be assumed that in the absence of or pending a US general federal privacy law comparable to the GDPR privacy breaches are not investigated, fined or prosecuted. In fact, some recent examples demonstrate the teeth of the FTC, such as fines involving Facebook ($5 billion),15 YouTube ($170 million)16 and others. (Interestingly, both of these fines, while significant, have been criticised as being too low in the circumstances.) In time, these FTC fines may be outpaced by fines in the EU given that GDPR fines can now involve a percentage of worldwide turnover.

It also needs to be pointed out that, in Europe, while these issues are correctly viewed through the lens of data protection and formal data protection laws, this is not at the expense of privacy rules. EU legal norms recognise both data protection rights and interests as well as privacy rights and interests as being fundamental. It is possible, therefore, that a European case dispute may draw in judicial consideration of both data protection and privacy laws.

10 Note generally, Hustinx, P, ‘The Role of Data Protection Authorities’ in Gutwirth, S, De Hert, P, Poullet, Y and de Terwangne, C, Reinventing Data Protection? (Springer, 2009) 131; Giurgiu, A, and TA Larsen, ‘Roles and Powers of National Data Protection Authorities – Moving from Directive 95/46/EC to the GDPR: Stronger and More ‘European’ DPAs as Guardians of Consistency?’ European Data Protection Law Review (2016)(2:3) 342; Schütz, P, ‘The Set Up of Data Protection Authorities as a New Regulatory Approach’ in Gutwirth, S, De Hert, P, Leenes, RE and Poullet, Y, European Data Protection: In Good Health? (2012) 125; McGeveran, W ‘Friending the Privacy Regulators’ Arizona Law Review (2016)(58:4) 959.
11 de Hert, P, and V Papakonstantinou ‘The Rich UK Contribution to the Field of EU Data Protection: Let’s Not Go For “Third Country” Status After Brexit’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2017)(33:3) 354.
12 See, for example, Jay, R, Data Protection and Privacy Law (Sweet and Maxwell, 2012); Lambert, P, A Users’ Guide to Data Protection (Bloomsbury, 2018); Lambert, P, Understanding the New European Data Protection Rules (Routledge, Taylor and Francis, 2017).

13 Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).
14 Video Privacy Protection Act (VPPA).
15 This relates to breaches involved in the Facebook and Cambridge Analytica scandal, tied to the Russian attack on the 2016 US Presidential election.
16 This relates to breaches involved in the collection of children’s personal data.


DATA PROTECTION IMPORT

1.6 Data protection aims to protect the privacy and personal information of individuals. It provides a regulatory protection regime around personal information or personal data. Personal data is data or information which relates to or identifies an individual either directly or indirectly. The data protection legal regime governs when and how organisations may collect, use and process personal data. This applies to all sorts of personal information ranging from general to highly confidential and sensitive (eg, the latter include sensitive health data and details of criminal convictions).

The data protection regime is twofold in the sense of: (a) providing obligations (which are inward- and outward-facing, see below) with which organisations must comply; and (b) providing individuals (known as data subjects) with various data protection rights which they or the Information Commissioner’s Office (ICO) can invoke or enforce as appropriate. Significantly, recent measures expand the ability to invoke the data protection rights to privacy groups and collective data protection organisations including in group or class-type actions (see the GDPR).

The new Data Protection Act 2018 and new GDPR bring ‘comprehensive reform’17 to the UK and EU data protection regimes. The previous Data Protection Act 1998 is now repealed.18 Certain specific sections of industry and certain specific activities (eg, data transfers abroad, direct marketing, cookies) also have additional data protection compliance rules.

Individuals can invoke their rights directly with organisations, with the ICO and also via the courts in legal proceedings. Compensation can also be awarded. In addition, criminal offences can be prosecuted.

Data protection compliance is extremely important. As regards implementing compliance frameworks, an organisation must have defined structures, policies and teams19 in place to ensure that it knows what personal data it has; for what purposes it is being used; that it is held fairly, lawfully and in compliance with the data protection regime; and that it is safely secured against the increasing problem of damage, loss and unauthorised access. The cost of loss or a security breach can be significant both financially and publicly. The IBM Cost of Data Breach Study (2019) puts the average cost at $3.9 million (and still increasing). The UK TalkTalk data breach is estimated to have cost £35 million. The Target data breach was estimated at €162 million plus a 5.3% drop in sales. More recent data breaches have led to drops of at least 40% of share price value. Breaches which are criminal offences can be prosecuted. In addition, personal liability can attach to organisational personnel in addition to the liability of the organisation itself.

17 In Brief, Communications Law (2012) (17) 3.
18 Data Protection Act, Sch 19, Pt 1, s 43, at p 233.
19 Hyman, DA, and Kovacic, WE, ‘Implementing Privacy Policy: Who Should Do What’ Fordham Intellectual Property, Media & Entertainment Law Journal (2019)(29:4) 1117.

One Editorial notes that ‘the waves of [data protection concern are] riding high’.20 The increasing ‘centralisation of information through the computerisation of various records has made the right of [data protection and of] privacy a fundamental concern’.21 Data protection is important, increasingly topical and an issue of legally required compliance for all organisations. More importantly it is part of management and organisational best practice. Individuals, employees and customers expect that their personal data will be respected by organisations. They are increasingly aware of their rights, and they increasingly enforce them.

The coverage of data protection has also increased in the mainstream media. This is due in part to a large number of data loss and data breach incidents. These have involved the personal data of millions of individuals being lost not only by commercial organisations but also trusted government entities. The issue of online abuse, which involves, among other things, privacy and data protection, has also been hitting the headlines. Tragically, such online abuse can unfortunately contribute to suicide. This is a particular concern in relation to children and teenagers. It is also in the headlines because of public and official data protection supervisory authority (eg ICO in UK) concerns with the problem of the damage of ‘permanent’ data online.
The Court of Justice in the light of such concerns issued an important decision in the Google Spain case involving the Right to Delete/Right to be Forgotten, directing that certain personal data online had to be deleted, following a complaint, from search engine listing results.22

The Court of Justice also pronounced on the often contentious area of official data retention – the obligation placed by countries on internet service providers (ISPs) to retain certain customer data in relation to telephone calls, internet searches, etc, so that (certain) official agencies can ask to access or obtain copies of such data in the future. There is much debate as to whether this should be permitted at all, if so, when and under what circumstances, how long ISPs must store such data, the cost of retaining the same, etc. The strongest argument for an official data retention regime may relate to the prevention or investigation of terrorism. Serious crime may come next. There are legitimate concerns that the privacy and data protection costs are such that official data retention, if permitted, should not extend to ‘common decent crime’ or unlimited access and unlimited retention. The EU Data Retention Directive has been held to be invalid as have similar laws in Member States including the UK in whole or in part.23 No doubt argument, debate and research will ensue in relation to data retention, which remains a contentious issue. While the issues of official data retention are important, it is a separate subject to data protection. This work focuses on data protection alone.

20 Saxby, S Computer Law & Security Review (2012) (28) 251–53, at 251.
21 ‘Personal Data Protection and Privacy’ Council of Europe. Available at: www.coe.int/en/.
22 See Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Court of Justice (Grand Chamber), Case C-131/12, 13 May 2014.

A further reason as to why data protection is important and is increasingly the focus of press attention is that organisations are increasingly using security and respect for data protection as a commercial differentiator in the marketplace. Apple has repeatedly indicated that it does not operate a user-data-intrusive model collecting user data and has even criticised some of its technology competitors. Microsoft has, for many years, promoted the data protection and privacy friendly policy of Data Protection by Design (DPbD) and by default. Post Snowden, many US technology companies have been heavily lobbying the US administration for a roll back of certain activities and practices, particularly those they feel are extra-judicial and extra-legal, on the basis that it will disadvantage the US-based cloud industry. Many non-US cloud companies have been highlighting that they are not US based. There are even calls for more privacy laws in the US, including adopting parts of the GDPR.

All organisations collect and process personal data. Whether they are big or new start-ups, they need to comply with the data protection regime. It should also be borne in mind that even a new technology start-up can scale relatively quickly to millions of users. Many issues enhance the importance of getting organisational data protection understanding and compliance right from day one. These include legal obligations, director, board and officer obligations, investigations, fines, prosecutions, being ordered to delete databases, adverse publicity, commercial imperatives and even commercial advantages.
If one also considers some of the recent large-scale data breaches, there are examples of chief technology officers as well as managing directors/CEOs, losing their jobs as a result.

In addition, organisations often fail to realise that data protection compliance is frequently an issue of dual compliance. They need to be looking both inward and outward. Internally, they have to be data protection compliant in relation to all of their employees’ (and contractors’) personal data, which traditionally may have related to HR files and employee contracts, but now includes issues of electronic communication, social media, internet usage, filtering, monitoring abuse and onsite and off-site activity, etc. Separately, organisations must be concerned about other sets of personal data, such as those relating to persons outside the organisation (eg customers, prospects, etc). Comprehensive data protection compliance is also required here.

The consequences for non-compliance are significant. Substantial fines have been imposed in a number of recent cases. In some instances, organisations have been ordered to delete their database. In a new internet or technology start-up situation, or indeed in an established organisation, this can be the company’s most valuable asset.

Until recently, the issue of data loss was a small story. However, the loss of personal data files of tens of millions of individuals in the UK – and from official governmental sources – makes UK data loss a front-page issue. There is increased scrutiny from the ICO and others and increasing regulation of data security issues, preparedness and reactivity. Organisations must look at security issues with increasing rigour. They can face liability issues in breach incidents but also in the aggravating situation where a vulnerability may have already been highlighted internally but not acted upon, thus contributing to the breach incident. As well as an official investigation, fines and sanctions, organisations also face liability issues to users and, in some instances, potentially to banks and financial intermediaries.

In the UK and elsewhere there are enhanced obligations to report data losses; as well as potentially enhanced financial penalties and, in some instances, personal director responsibility for data loss. The need for compliance is now a boardroom issue and an important issue of corporate compliance. Proactive and complete data protection compliance is also a matter of good corporate governance, brand loyalty and a means to ensuring user and customer goodwill.

23 Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Court of Justice, 8 April 2014. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L105, p 54). Rauhofer, J, and Mac Sithigh, D, ‘The Data Retention Directive Never Existed’ SCRIPTed (2014)(11:1) 118. The Data Retention and Investigatory Powers Act (DRIPA 2014) was invalidated after a challenge by two MPs. This was brought in after the Directive was invalidated. The second replacement Act (the Investigatory Powers Act 2016) was also successfully challenged by Liberty. In relation to data protection as a fundamental right, see, for example, Rodata, S, ‘Data Protection as a Fundamental Right’ in Gutwirth, S, Poullet, Y, de Hert, P, de Terwangne, C, and Nouwt, S, Reinventing Data Protection? (Springer, 2009) 77.
The frequency and scale of breaches of security (eg 3 UK, CEX, Bupa, TalkTalk, Target, Sony Playstation (the personal data of 70 million individuals24 in one instance and 25 million in another25) and Cambridge Analytica) make the importance of data security compliance for personal data ever more important. HMRC’s loss of discs with the names, dates of birth, bank and address details involved 25 million individuals in the UK.26 There are many UK cases involving substantial fines for data protection breaches. Brighton and Sussex University Hospitals NHS  Trust was fined £325,000 by

24 See, for example, Martin, G, ‘Sony Data Loss Biggest Ever’ Boston Herald, 27 April 2011. 25 See, for example, Arthur, C, ‘Sony Suffers Second Data Breach with Theft of 25m More User Details’ Guardian, 3 May 2011. 26 See, for example, ‘Brown Apologises for Record Loss: Prime Minister Gordon Brown has said he “Profoundly Regrets” the Loss of 25 Million Child Benefit Records’ BBC, 21 November 2007.

9

1.6  Introduction

the ICO.27 Zurich Insurance was fined £2.3 million for losing data in relation to 46,000 customers.28 Sony was fined £250,000. Apart from data loss incidents, in ICO v Christopher Niebel and Gary McNeish, two Spam texters were fined a total of £440,000 in respect of their company.29 The size of the penalty is significant. However, possibly more significant is that it involved director liability. The ICO also issued a substantial data fine in relation to breach of the data protection regime by way of incorrect storage and processing when the financial data and files of individual customers were mixed up. Potentially, a customer could have suffered financial loss and adverse consequences. Prudential was fined £50,000. In another case, a health trust was fined £225,000 in relation to third party gaining unauthorised access to files.30 Employees have been prosecution for unauthorised access to personal records.31 The GDPR and DPA  2018 vastly increase the potential fines available (up to €20 million or 4% of worldwide turnover). We can expect the level of fines on organisations to increase. National data protection authorities are increasingly proactive and undertake audits of data protection compliance frameworks, as well as incidents of breaches.32 The ICO also investigated personal data issues in the recent Cambridge Analytica scandal33 and the Leveson Inquiry on the phone-hacking scandal,34 entitled Operation Motorman.35 Under the GDPR, organisations will also have to engage with the ICO where risk-related processing operations are envisaged and when data protection impact assessments are carried out.

27 See, for example, ‘Largest Ever Fine for Data Loss Highlights Need for Audited Data Wiping’ ReturnOnIt. Available at: www.returnonit.co.uk/largest-ever-fine-for-data-loss-highlightsneed-for-audited-data-wiping.php. 28 See, for example, Oates, J, ‘UK Insurer Hit with Biggest Ever Data Loss Fine’ The Register, 24 August 2010. This was imposed by the Financial Services Authority (FSA). 29 ICO v Christopher Niebel and Gary McNeish (2012). ICO, ‘Spam Techers Fined Nearly Half a Million Pounds’. Available at: https://ico.org.uk. However, note that this was appealed. 30 Belfast Health and Social Care (BHSC) Trust. ICO, ‘Belfast Trust Fined £22,500 after Leaving Thousands of Patient Records in Disused Hospital’. Available at: https:// ico.org.uk. 31 Eg ICO, ‘Bank Employee Fined for Reading Partners’ Ex Wife’s Statements’. Available at: https://ico.org.uk. 32 Facebook was audited by one of the EU data protection authorities. Available at: https:// dataprotection.ie. Note also Europe Against Facebook. Available at: http://europe-v-facebook. org/EN/en.html. 33 See, for example, ICO v Facebook (25 October 2018) resulting in fine of £500,000. Facebook originally announced an intention to appeal but has since agreed to pay the fine and accept the decision. There are also related investigations and cases regarding Cambridge Analytica and its related entities SCLE Elections Limited and SCLE Group. 34 Available at: www.levesoninquiry.org.uk/. 35 For more details see ‘Operation Motorman – Steve Whittamore Notebooks’ ICO website. Available at: www.ico.org.uk.


DATA RULES

1.7 Personal data protection is enshrined in the DPA 2018 in the UK, and the GDPR. (The GDPR is directly effective and applicable in each EU Member State in addition to national legislation.) Brexit will require further data protection legislative changes.

Outward-Facing Data Protection Compliance

1.8 The data protection regime creates legal obligations which organisations must comply with when collecting and processing the personal data of individuals. ‘[I]f someone can be distinguished from other people, data protection legislation is applicable.’36 This applies to customers and prospective customers, hence there are outward-facing obligations. It can also apply to non-customers who may be using a particular website but are not a registered customer, if their personal data is being collected.

Inward-Facing Data Protection Compliance

1.9 The data protection regime also applies to the organisation in its dealings regarding the personal data of its employees. Equally, where the organisation is engaging third-party independent contractors but is collecting, processing and using their personal data, the data protection regime will also apply. Hence, in relation to organisations, it is inward facing.

As well as creating legal compliance obligations for organisations, the data protection regime enshrines certain rights or data protection rights for individuals in terms of ensuring their ability to know what personal data are being collected, to consent – or not consent – to the collection of their personal data and to control the uses to which their personal data may be put. There is also a mechanism through which individuals can complain to controllers holding their personal data, the ICO and also via the courts directly.

Definitions

1.10 The data protection regime contains a number of key definitions. These are central to understanding the data protection regime and are essentially the building blocks of the regime. While these can be ‘complex concepts’,37 organisations need to fully understand them. Some examples of the matters defined include:

• data subject;
• controller;
• processor;
• personal data;
• processing; and
• special personal data.

36 Costa, L, and Poullet, Y, ‘Privacy and the Regulation of 2012’ Computer Law & Security Review (2012)(28:4) 254 at 256.
37 Hallinan, D, Friedewald, M, and McCarthy, P, ‘Citizens’ Perceptions of Data Protection and Privacy in Europe’ Computer Law & Security Review (2012)(28) 263.

Data Protection Aims and Concepts

1.11 Why have a data protection regime? We have a data protection regime because of the legal and political recognition that society respects the personal privacy and informational privacy of individuals. In the context of data protection, that means respect for, control of, and security in relation to informational personal data. DPA 2018 protects personal data relating to individuals, which includes employees, contractors, customers and users. Data protection exists to ensure:

• protection and regulation of the collection, use, processing and transfer of personal information;
• protection in relation to personal information;
• the consent of individuals is obtained to collect and process personal data;
• security in respect to the right to privacy and personal information;
• protection against privacy and informational privacy abuse;
• protection against privacy theft and identity theft;
• protection against unsolicited direct marketing (DM); and
• remedies are available to individual data subjects.

The threat to personal data and informational privacy has increased as has the ease with which personal data can be collected and transferred electronically. This has increased further with digital technology, more devices, computer processing power, the rise of Internet 2.0, social media and now connected home and lifestyle devices.38

Controllers must comply with a number of data protection issues, perhaps the foremost of which relate to:

• fairness;
• transparency;
• consent;
• accuracy;
• security;
• proper procedures for processing;
• proportionality of the need and use of personal data;
• risk assessments – and mandated risk engagement with regulators;
• deletion after purpose lifecycle is completed; and
• erasure, takedown and forgetting.

38 Note, generally, the ICO’s comments in relation to Privacy by Design (PbD), and the report Privacy by Design. Available at: www.ico.org.uk.

The collection, use and onward transfer of personal data must be fair, legitimate and transparent. Transparency (and access to a person’s personal data) is increasingly being emphasised in importance in relation to the internet and social media. While this is beginning to be examined and there have been improvements with some websites, there is still a long way to go. Some have more improvements to make, even including the implementation of privacy policies and statements, reporting mechanisms and procedures. These also need to be assessed at the front and back end.

In the Prudential case, where a fine of £50,000 was issued, there was potential financial loss to the data subject. The personal data must be correct and accurate. The reason is that damage or harm to the individual data subject can be a consequence of inaccurately held personal data. For example, a credit rating could be adversely affected through incorrect or wrong personal data records regarding personal payment histories.

There is a general obligation in terms of safeguarding personal data. Organisations must assess and implement security measures to protect personal data. Increasingly, this is also being considered in relation to the developing cloud environment and the increasing use of processors and third parties.39

There is also an obligation on controllers to register or notify the ICO as regards their data processing activities.

If personal data is permitted to be transferred to third countries, it must qualify under a specific exemption, as well as the general security conditions. (Note that the issue of the EU–US Safe Harbor exemption mechanism is a matter of particular contention and import at this time given that the Court of Justice has invalidated this mechanism40 and the EU and US have had to negotiate a replacement mechanism to legitimise the controlled transfer of EU data to the US, known as the EU–US Privacy Shield. The UK now needs to address how it might legitimately transfer UK data to the US, which is deemed to have lesser data protection standards than both the UK and the EU; and separately between the UK and EU).

Controllers can have a duty of care to individuals as regards their personal data being processed by the organisation, particularly if loss or damage arises or if risks are identified in relation to processing and even potential processing.

Controllers and processors have obligations in certain circumstances to have legal contracts in place between them. Processors process and deal with personal data for and on behalf of a controller in relation to specific defined tasks (eg activities such as outsourced payroll, HR, marketing, market research, customer satisfaction surveys, etc).

Additional issues and considerations arise for cloud services and data protection compliance. From an organisational perspective, it is sometimes considered that organisational customers have less opportunity to negotiate clauses in cloud service provider contracts, including processor and security-related contracts. There is, therefore, a greater obligation to be satisfied with the cloud service provider, where data is located and the security measures and security documentation available.

Risk management is increasingly important across the tech landscape but is now also promoted as an issue of consideration and compliance in the data protection field with the GDPR.41 The GDPR includes extensive new security obligations. As part of this there is a requirement to take into account, and hence to identify, risk issues.42 This is understood to be very important; however, some have raised questions about this approach.43

39 In relation to cloud generally, see Kuan, W, Hon, and Millard C, ‘Data Export Cloud Computing – How Can Personal Data be Transferred Outside the EEA? The Cloud of Unknowing’ SCRIPTed (2012)(9:1) 25; Singh, G, and Mishra, S, ‘Cloud Computing Security and Data Protection: A Review’ International Journal of Computers & Technology (2015)(14:7) 5887; Pfarr, F, Buckel, T, and Winkelmann, A, ‘Cloud Computing Data Protection – A Literature Review and Analysis’ (2014) 47th Hawaii International Conference on System Sciences 5018.

Processing Criteria

1.12 Generally, to lawfully collect and process personal data, a controller should be aware that:

• the individual data subject must consent to the collection and processing of their personal data;
• the data subject may say that they object to processing or continued processing;
• legal data protection requirements are complied with;
• the prior information requirements, principles of data protection, lawful processing conditions, special personal data lawful processing conditions (in the case of sensitive special personal data), and security obligations are required to be complied with; and
• the rights and interests of the individual data subject must be respected and complied with.

40 Schrems v Commissioner, Court of Justice, Case C-362/14, 6 October 2015. The case technically related to Prism and Facebook Europe and transfers to the US. However, the wider import turned out to be the entire EU–US Safe Harbor Agreement and data transfers to the US.
41 Duncan, B, and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) (July 2018).
42 See GDPR Art 32(1); and other references.
43 Quelle, C, ‘Enhancing Compliance Under the General Data Protection Regulation: The Risky Upshot of the Accountability and Risk-Based Approach’ European Journal of Risk Regulation (EJRR) (2018)(9:3) 502.

The interests of the controller can sometimes be relevant in particular instances in deciding what data processing is necessary and permitted.

Lawful Processing

1.13 There is a prohibition on the collection and processing of personal data and sensitive special personal data unless:

• the processing complies with the principles of data protection;
• the processing comes within one of a limited number of specified conditions (the lawful processing conditions); and
• the processing also complies with the security requirements.

CONCLUSION

1.14 The DPA 2018 and GDPR (and also further Brexit legal changes) set out a number of structures, obligations, rights and implementing criteria which, together, form the basis of the legal data protection regime in the UK. The main criteria and obligations to be respected and complied with to be able to legally collect and process personal data include:

• the definitions of personal data and the data protection regime;
• the principles of data protection, also known as the ‘data quality principles’;
• the lawful processing conditions;
• the requirement that processing of personal data be ‘legitimate’ under at least one of the lawful processing conditions;
• recognising the two categories of personal data covered by the data protection regime, namely, sensitive special personal data and non-special general personal data;
• in the case of special personal data, complying with the additional special personal data lawful processing conditions;
• ensuring the fair obtaining of all personal data collected and processed;
• taking and ensuring appropriate security measures in relation to all processing activities;
• implementing formal legal contracts when engaging or dealing with third-party processors (eg outsourcing data processing tasks or activities);
• complying with the separate criteria in relation to automated decision-making processes or automated decisions;
• complying with the legal criteria for direct marketing (DM);
• a duty of care can exist in relation to the individual data subjects whose personal data the organisation is collecting and processing;
• the jurisdictional transfer of personal data is strictly controlled. Personal data may not be transferred unless specifically permitted under the data protection regime;
• access requests, or requests by individuals for copies of their personal data held by the organisation, must be complied with (with limited exceptions);
• registration obligations by organisations must be complied with;
• implementing internal privacy policies and terms;
• implementing outward-facing privacy policies for customers, etc;
• implementing outward-facing website privacy statements (generally a data protection policy covers organisation-wide activities, whereas a website privacy statement governs only the online collection and processing of personal data);
• implementing mobile, computer, device, and internet usage policies;
• implementing data loss, data breach, incident handling and incident reporting policies and associated reaction plans;44
• keeping abreast of the increasing trend towards sector/issue specific rules (eg Spam); direct marketing (DM); industry codes of conduct45 and certification mechanisms in relation to personal data, etc;
• risk identification, risk elimination and minimisation and mandated consultations with data protection supervisory authorities on risk issues as now mandated; and
• complying with new legal developments.

Central to policing and ensuring compliance by companies and other organisations are the ICO and data protection supervisory authorities. These regulators are also critical in assisting individual data subjects to enforce and vindicate their data protection rights.

44 Note, for example, the ICO PECR security breach notifications – guidance for service providers. Available at: www.ico.org.uk.
45 The DPA and the EU data protection regime provide for codes of conduct being agreed with national data protection authorities such as the ICO in relation to specific industry sectors.


CHAPTER 2

Law and Regulators

INTRODUCTION

2.1 This chapter introduces the concept of data protection regulators or supervisory authorities and how the General Data Protection Regulation (GDPR), etc, set out important provisions relating to these entities.1

The rules, norms, rights and obligations set out in the data protection regime are each very important. However, part of the essential machinery of data protection requires an entity to be responsible for monitoring problem issues, promoting compliance with and understanding of the data protection rules and for actions in relation to enforcement to ensure compliance and vindicate rights. This responsibility falls to the respective entities referred to as the data protection supervisory authorities as referred to in Europe and other places (or data privacy regulators in other areas).

DATA REGULATORS

2.2 Data protection supervisory authorities ‘represent one of the key actors, not only when it comes to the execution of privacy and data protection policies, but also in terms of awareness raising, consultancy and networking. Since they comprise the spearhead of regulators in the field of privacy and data protection regulation, their independence from the private as well as the political becomes of the utmost importance’.2

What is a data protection supervisory authority? A data protection ‘supervisory authority’ is defined in the GDPR to mean, ‘an independent public authority which is established by a Member State pursuant to [GDPR] Article 51’.3

A data protection ‘supervisory authority’ is, therefore, an official ‘independent public authority’.4 Chapter VI of the GDPR refers to the independent national data protection supervisory authorities. Section 1 therein refers to independence issues, and Section 2 refers to competence, tasks and powers of data protection supervisory authorities.5

1 See generally, Lambert, P, Understanding the New European Data Protection Rules (Routledge, Taylor and Francis, 2017); Lambert, P, A User’s Guide to Data Protection (Bloomsbury, 2018).
2 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference 2012.
3 GDPR Art 4(21).

DUAL LAWS

2.3 When considering the data protection supervisory authorities it is necessary to consider the dual implication (and requirements) of EU law and national law. While the GDPR sets out important provisions, powers, and requirements in relation to the data protection supervisory authorities, it is also clear that the actual setting up or establishment of the regulatory entities is left to respective national legislation.

The GDPR wording indicates that the independent, official regulatory authorities are ‘established by … Member State’ law – pursuant to (and reflecting) the GDPR.6 It is also reflected to be particularly pursuant to Article 51 of the GDPR. Article 51 is headed ‘supervisory authority’ and is referred to below.

Section 1 of Chapter VI of the GDPR is headed ‘independence’ and contains three component Articles which each respectively deal with:

• supervisory authorities (Article 51);
• independence (of data protection supervisory authorities) (Article 52); and
• rules on the establishment of the supervisory authorities (Article 53).

While the GDPR is the overarching EU-wide data protection law and is, by virtue of being an EU Regulation, directly effective throughout the EU, there is a need for either an EU enforcement authority of some kind or for national authorities. It was decided to follow the national regulator model, making national law very relevant. There is a need to enforce the application of the rules, rights and obligations. This requires some national or oversight mechanism.

National law plays a critical role in establishing and providing for the data protection supervisory authorities. The GDPR does not establish the respective national authorities. Rather, it obliges the Member States to establish data protection supervisory authorities in their respective states to undertake enforcement and other activities – but pursuant to implementing and following the aims of the GDPR.

Each Member State must provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR.7 The national data protection supervisory authorities are also established ‘in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the [EU]’.8 (A natural person is an individual or individual data subject – as opposed to a created corporate or official entity.9)

Each Member State must also notify the Commission of the provisions of its law which it adopts pursuant to Chapter VI of the GDPR (independent supervisory authorities).10 Member States were meant to do so by no later than 25 May 2018.11 They must also ‘without delay’ notify the Commission of any subsequent amendment(s) to or affecting such laws.12 The UK has currently only partly done so. The UK Data Protection Act 2018 only partly implements the GDPR – relying on the rest being (currently) directly effective. (There is an intention that the remainder will be implemented in future legislation as part of Brexit and which will be referred to as the ‘UK GDPR’. See Chapter 5 below.)

Each national data protection supervisory authority must contribute to the consistent application of the GDPR. For that purpose, the data protection supervisory authorities must cooperate with each other and the Commission (in accordance with Chapter VII).13 The authorities that existed under the previous Directive 95/4614 already cooperated and communicated with each other. This is reemphasised in the GDPR and in greater detail. The previous authorities also worked together and cooperated under the aegis of the previous Article 29 Working Party (WP29) (now replaced by the European Data Protection Board).

4 Ibid. A further definition also appears, namely, a ‘supervisory authority concerned’ is defined to mean a supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory authority; data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or a complaint has been lodged with that supervisory authority. See GDPR Art 4(22).
5 Note generally the increasing general commentary, such as Hoofnagle, CJ, van der Sloot, B, and Borgesius, FZ, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ Information & Communications Technology Law (2019)(28:1) 65; Nauwelaerts, W, ‘GDPR – The Perfect Privacy Storm: You Can Run From the Regulator, But You Cannot Hide From the Consumer’ European Data Protection Law Review (EDPL) (2017)(3:2) 251; Wimmer, K, ‘The Long Arm of the European Privacy Regulator: Does the New EU GDPR Reach US Media Companies?’ Communications Lawyer (2017)(33:1) 16; Houser, KA, and Voss, WG, ‘GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy’ Richmond Journal of Law & Technology (2018)(25:1) 1; Reetz, M, ‘GDPR: Does Coverage Exist for Fines and Penalties for Noncompliance?’ TortSource (2019)(21:3) 8; Quelle, C, ‘Enhancing Compliance Under the General Data Protection Regulation: The Risky Upshot of the Accountability- and Risk-Based Approach’ European Journal of Risk Regulation (EJRR) (2018)(9:3) 502.
6 See GDPR Art 4(21).
7 GDPR Art 51(1).
8 Ibid.
9 Also see definitions in GDPR Art 4, including Art 4(1).
10 GDPR Art 51(4).
11 Ibid.
12 Ibid.
13 GDPR Art 51(2).
14 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.


If more than one data protection supervisory authority is established in a Member State, that Member State must designate the data protection supervisory authority which is to represent those authorities in the EDPB.15 The Member State must also set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism (referred to in Article 63 of the GDPR).16 As an example, Germany has more than one data protection supervisory authority.

OBLIGATION TO ESTABLISH DATA REGULATOR

2.4 Each Member State is obliged to provide by (its own) law for all the following:

• the establishment of each data protection supervisory authority;17
• the qualifications and eligibility conditions required to be appointed as member of each data protection supervisory authority;
• the rules and procedures for the appointment of the member or members of each data protection supervisory authority;
• the duration of the term of the member or members of each data protection supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the data protection supervisory authority by means of a staggered appointment procedure;
• whether and, if so, for how many terms the member or members of each data protection supervisory authority is eligible for reappointment; and
• the conditions governing the obligations of the member or members and staff of each data protection supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.18

REGULATOR MUST BE INDEPENDENT

2.5 Each data protection supervisory authority must act with ‘complete independence’ in performing its tasks and exercising its powers in accordance with the GDPR.19 As if it was not enough to stipulate express ‘independence’, the GDPR emphasises this by expressly saying ‘complete independence’. Independence should mean independence but perhaps the history of some limited examples of data protection supervisory authorities being prone to interference under the old regime or being established in such a manner so as not to disassociate them sufficiently from other or superior agencies, departments or official entities20 led to the drafters of the GDPR seeing a need to emphasise to the Member States that ‘independence’ must be whole and meaningful, thus completely beyond undue influence or restriction from outside officials, politicians and regulators. (See also Chapters 12 and 13 below.)

In addition to the requirement of complete independence, the member or members of each data protection supervisory authority must, in the performance of their tasks and exercise of their powers in accordance with the GDPR, remain ‘free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody’ (emphasis added).21 So, even indirect external influence is prohibited.

The member or members of each data protection supervisory authority must refrain from any action incompatible with their duties and must not, during their term of office, engage in any incompatible occupation, gainful or not.22 This also ring-fences overall independence.

The ICO (also referred to as the Commissioner) is referred to in the UK DPA 2018 at Part V (in particular sections 114–181) and Schedules 12, 13, 20 (Part 6). Section 114 states that ‘[t]here is to continue to be an Information Commissioner’ and that ‘Schedule 12 makes provision about the Commissioner’.

Therefore, some of the aspects of the requirement of independence and prohibition on undue influence measures are expressly included in the GDPR, which is arguably stronger than the previous regime:

• requirement of independence;
• requirement of complete independence;
• prohibition on direct external influence; and
• prohibition on indirect external influence.

Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers’.23 The added emphasis on financial resources stresses the importance of independence. These tasks and powers are provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.24

15 GDPR Art 51(3).
16 Ibid.
17 GDPR Art 54(1)(a).
18 GDPR Art 54(1)(a)–(f).
19 GDPR Art 52(1).
20 See Commission v Germany, Case C-518/07 [2010] ECR I-1885. Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012.
21 GDPR Art 52(2).
22 GDPR Art 52(3).
23 GDPR Art 52(4).
24 Ibid.


Each Member State must ensure that each data protection supervisory authority chooses and has ‘its own staff’ which shall be subject to the ‘exclusive direction of the member or members of the data protection supervisory authority’ concerned.25

Each Member State must ensure that each data protection supervisory authority is subject to financial control which does ‘not affect its independence’ (emphasis added) and that it has separate, public annual budgets, which may be part of the overall state or national budget.26 It is clear, therefore, that as well as independence, there must be financial independence for the respective data protection supervisory authorities. See further commentary in Chapter 13 and also the previous CJEU cases dealing with independence issues.27

There is also a current complaint to the EU Commission that one of the data protection supervisory authorities is being undermined in terms of its independence by underfunding of its necessary resources.28 If the Commission agrees, this may have an important impact on data protection supervisory authorities more generally, ultimately strengthening the authorities and their independence (including funding) even more.

REGULATOR ACTIVITIES

2.6 Section 2 of Chapter VI of the GDPR refers to competence, tasks and powers. These are referred to below (see Chapter 9 in relation to powers). Each data protection supervisory authority must be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.29 Where processing is carried out by public authorities or private bodies acting on the basis of Article 6(1)(c) or (e), the data protection supervisory authority of the Member State concerned must be competent.30 In such cases, Article 56 (competence of the lead supervisory authority) does not apply.31 Data protection supervisory authorities are not competent to supervise processing operations of courts acting in their judicial capacity.32 There is, in effect, a judicial carveout. One can imagine, for example, the policy reasons in preventing access requests to a judge’s personal case notes. Obviously, there may be Brexit impact, which is still an ongoing and developing issue (see Chapter 5 for more particular details in this regard).

25 GDPR Art 52(5). 26 GDPR Art 52(6). 27 See Commission v Germany, Case C-518/07 [2010] ECR I-1885. Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012. 28 See Cantillon, ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019. 29 GDPR Art 55(1). 30 GDPR Art 55(2). 31 Ibid. 32 GDPR Art 55(3).


TASKS

2.7 Section 2 of Chapter VI of the GDPR refers to competence, tasks and powers. Each data protection supervisory authority must carry out certain specified tasks and activities. Article 57 refers to 22 types of tasks.33 These are specified to be without prejudice to other tasks set out under the GDPR.34 Each data protection supervisory authority must carry out the following specified tasks,

• monitor and enforce GDPR;
• promote public awareness and understanding of the risks, rules, safeguards and rights – and specifically relating to children;
• advise on legislative and administrative measures;
• promote awareness of controllers and processors obligations;
• provide information on rights;
• handle complaints, and investigate;
• cooperate with other supervisory authorities to ensure the consistency;
• conduct investigations;
• monitor developments;
• adopt standard contractual clauses;
• list data protection impact assessment requirements;
• advise on processing operations referred to in Article 36(2);
• encourage codes of conduct, approve such codes;
• encourage certification mechanisms, seals and marks, and criteria;
• reviews of certifications;
• publish code of conduct body accreditation criteria;
• conduct accreditation of a body for monitoring codes of conduct and certification;
• authorise contractual clauses;
• approve binding corporate rules;
• contribute to the EDPB;
• keep records of GDPR infringements and of measures taken; and
• fulfil any other tasks related to the protection of personal data.

33 GDPR Art 57(1). 34 Ibid.


While the tasks and activities should remain broadly the same both pre- and post-Brexit, this remains to be seen and compared like-for-like once any final version of the final GDPR implementation is implemented. Any disparities will need to be looked at very closely, particularly in the context of ensuring an equivalence and effective safeguard for the protection of personal data and fundamental rights, and as same may be considered during the processing of a data transfer adequacy decision review.

Complaint and Investigation

2.8 The data protection supervisory authority will ‘handle’ complaints lodged by a data subject or by a body, organisation or association in accordance with Article 80 and ‘investigate’ ‘to the extent appropriate’, the subject matter of the complaint.35 The data protection supervisory authority must also inform the complainant of the progress and the outcome of the investigation within a ‘reasonable period’ if further investigation or coordination with another data protection supervisory authority is necessary.36

Monitor and Enforce GDPR

2.9 The data protection supervisory authority will monitor and enforce the application of the GDPR.37 Note the proposals for further legislation to include a so-called ‘UK GDPR’. The ICO will in practice (regardless of what may be specified) have to monitor UK as well as EU GDPR developments.

Promote Awareness

2.10 The data protection supervisory authority will promote public awareness and understanding of the ‘risks, rules, safeguards and rights’ in relation to processing.38 In addition, ‘[a]ctivities addressed specifically to children shall receive specific attention’.39 (The GDPR sets out obligations in terms of conditions applicable to child’s consent in relation to information society services.40 Note that the draft indicative additions to and changes to UK law intended to implement the GDPR and UK GDPR appear to delete section 9 of the (UK) Data Protection Act 2018, headed ‘child’s consent in relation to information society services’.41)

35 GDPR Art 57(1)(f). 36 Ibid. 37 GDPR Art 57(1)(a). 38 GDPR Art 57(1)(b). 39 Ibid. 40 GDPR Art 8.

Advice

2.11 The data protection supervisory authority will ‘advise’ in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing.42 Of course, national governments will also have their own legal advice from, for example, the Attorney General. Individual government departments will often also avail of their own internal legal advisors. In addition, government departments often also engage external professional advisors.

Promote Awareness of Obligations

2.12 The data protection supervisory authority will promote the awareness of controllers and processors of their obligations under the GDPR.43

Provide Information

2.13 The data protection supervisory authority will ‘upon request’ provide information to any data subject concerning the exercise of their rights under the GDPR.44 In addition, if appropriate, the data protection supervisory authority must cooperate with the respective supervisory authorities in other Member States to that end.45

Cooperation

2.14 The data protection supervisory authority will cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities to ensure the consistency of application and enforcement of the GDPR.46 In a Brexit scenario, however, while there may continue to be mutual cooperation, the obligation, legal status and basis may change by virtue of the EU GDPR itself not directly applying to the UK and by virtue of same, to the ICO also.

41 See Data Protection Act 2018 Keeling Schedule. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf. Section 9 is marked in strike through. 42 GDPR Art 57(1)(c). 43 GDPR Art 57(1)(d). 44 GDPR Art 57(1)(e). 45 Ibid. 46 GDPR Art 57(1)(g).

Investigation

2.15 The data protection supervisory authority will conduct investigations on the application of the GDPR, including on the basis of information received from another data protection supervisory authority or other public authority.47 This suggests that there are, therefore, at least two types of investigations, one relating to investigations on foot of complaints received; proactive investigations on foot of media reports (eg a publicised data breach); and investigations, as in this instance, of a more general industry or issue-wide review which extends beyond any one company or entity.

Monitor Developments

2.16 The data protection supervisory authority will ‘monitor relevant developments’, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices.48 It can be suggested that national data protection supervisory authorities and the previous Article 29 Working Party (WP29), would have been engaging in review of developments and technologies in any event. However, the GDPR makes this obligation much more pronounced. Indeed, it also raises the possibility of third-party criticism arising if certain new recognised technology risk issues are not being reviewed and/or commented upon in some manner by supervisory authorities.

Adopt Standard Contractual Clauses Tasks

2.17 The data protection supervisory authority will adopt standard contractual clauses (as referred to in Article 28(8) and in Article 46(2)(d)).49

Data Protection Impact Assessment Tasks

2.18 The data protection supervisory authority will establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4).50 Arguably this clause may have benefited from further clarity of drafting.

47 GDPR Art 57(1)(h). 48 GDPR Art 57(1)(i). 49 GDPR Art 57(1)(j). 50 GDPR Art 57(1)(k).


Advice on Processing Tasks

2.19 The data protection supervisory authority will ‘give advice’ on the processing operations referred to in Article 36(2).51 Article 36(2) states that: ‘Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority must, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority must inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.’

Encourage Codes

2.20 The data protection supervisory authority will encourage the drawing up of codes of conduct (pursuant to Article 40(1)).52 The data protection supervisory authority will also provide ‘an opinion and approve such codes of conduct which provide sufficient safeguards’ (pursuant to Article 40(5)).53 The opinion referred to would appear to be whether or not a given code meets and provides sufficient safeguards. Article 40(1) provides that ‘[t]he Member States, the supervisory authorities, the [EDPB] and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises’. Article 40(5) provides that: ‘Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with [the GDPR] and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.’

51 GDPR Art 57(1)(l). 52 GDPR Art 57(1)(m). 53 Ibid.


Encourage Certification, Seals and Mark

2.21 The data protection supervisory authority will ‘encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) and approve the criteria of certification pursuant to Article 42(5)’.54 Again, this clause may have benefited from further drafting. However, it does appear clear that there is an encouragement and promotion role and a separate approval and compliance role. The encouragement and promotion role relates to certification, seals and marks. The separate approval and compliance role is limited to approving the criteria of (or for) certification. Article 42 deals with certification. Article 42(1) provides that: ‘[t]he Member States, the supervisory authorities, the [EDPB] and the Commission shall encourage, in particular at [EU] level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.’ Article 42(5) provides that ‘[a] certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the [EDPB] pursuant to Article 63. Where the criteria are approved by the [EDPB], this may result in a common certification, the European Data Protection Seal.’

Review Certifications Issued

2.22 The data protection supervisory authority will ‘where applicable’, carry out a ‘periodic review’ of certifications issued (in accordance with Article 42(7)).55 Article 42(7) provides that: ‘Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.’ It is clear, therefore, that certification lasts up to three years and, as such, may be specified to be for a period less than three years (eg two years).

54 GDPR Art 57(1)(n). 55 GDPR Art 57(1)(o).


It is less clear as to whether reviews may be carried out only during the renewal process or on other occasions and at other intervals. One would perhaps expect that there may also be some inherent power or ability for a data protection supervisory authority to carry out reviews in any event.

Criteria for Accreditation of Code Bodies

2.23 The data protection supervisory authority will draft and publish the criteria for accreditation of a body for monitoring codes of conduct (pursuant to Article 41) and of a certification body (pursuant to Article 43).56 Article 41 sets out the main provisions for and obligations in relation to the monitoring of approved codes of conduct. (Article 40 sets out the primary provisions in relation to codes of conduct and data protection processing.) Article 43 sets out the provisions in relation to certification bodies.

Accredit Code Bodies

2.24 The data protection supervisory authority will conduct the accreditation of a body for monitoring codes of conduct (pursuant to Article 41) and of a certification body (pursuant to Article 43).57

Authorise Contractual Clauses

2.25 The data protection supervisory authority will authorise contractual clauses and provisions referred to in Article 46(3).58 Article 46 refers to transfers subject to appropriate safeguards. Article 46(3) provides that: ‘Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.’

56 GDPR Art 57(1)(p). 57 GDPR Art 57(1)(q). 58 GDPR Art 57(1)(r).


Approve Binding Corporate Rules

2.26 The data protection supervisory authority will approve binding corporate rules pursuant to Article 47.59 Article 47 provides for binding corporate rules. Article 47(1) provides that: ‘[t]he competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism’. (The consistency mechanism is set out in Article 63.) ‘[B]inding corporate rules’ are defined to mean ‘personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity’.60

Contribute to EDPB

2.27 The data protection supervisory authority will contribute to the activities of the EDPB,61 which provides wide latitude. Note, however, that, post Brexit, the entitlement of the ICO Commissioner to attend and be a member of and contribute as a member to the EDPB will cease.

Infringement Records and Actions Taken

2.28 The data protection supervisory authority will keep internal records of infringements of the GDPR and of measures taken in accordance with Article 58(2).62 Article 58(2) provides that ‘[e]ach supervisory authority shall have all of the following corrective powers’ and sets out a list of ten corrective powers (separate and distinct from other powers). So, the ‘measures taken’ refer to corrective power measures. The reference to ‘records of infringements’ would seem to be drafted somewhat wider and more generally. It may be that a data protection supervisory authority may take this to mean infringements limited to or linked to actions involving the use of its corrective powers as referred to in Article 58(2). However, some might also feel that the internal records to be kept can be those referring to any kind of infringement or infringement complaint. Ultimately, however, as the records are referred to as ‘internal’ it may be that such records are likely to be of little use to third parties.

59 GDPR Art 57(1)(s). 60 GDPR Art 4(20). 61 GDPR Art 57(1)(t). 62 GDPR Art 57(1)(u).


Other Tasks

2.29 The final of these listed tasks is to fulfil ‘any other’ tasks related to the protection of personal data.63 This provides wide latitude and is also a catch-all in the event that some necessary task has not been expressly included above.

Regulator Rules

2.30 Member States must provide that each member of their supervisory authorities is appointed by means of a transparent procedure by their parliament, their government, their head of State or an independent body entrusted with the appointment under Member State law.64 Each member must have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.65 The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.66 A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.67

Regulator Secrecy

2.31 Confidentiality is obviously very important for data protection supervisory authorities especially as they receive a great deal of both (general) personal data68 and more sensitive special personal data69 in dealing with complaints and investigations. The member or members and the staff of each data protection supervisory authority must, in accordance with EU or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers.70 During their term of office, that duty of professional secrecy must in particular apply to reporting by natural persons of infringements of the GDPR.71

63 GDPR Art 57(1)(v). 64 GDPR Art 53(1). 65 GDPR Art 53(2). 66 GDPR Art 53(3). 67 GDPR Art 53(4). 68 See definition of ‘personal data’ in GDPR Art 4(1). 69 See description of special personal data in GDPR Art 9. 70 GDPR Art 54(2). 71 Ibid.


Regulators’ Cooperation

2.32 Section 2 of Chapter VI of the GDPR refers to competence, tasks and powers. Without prejudice to Article 55 (competence), the data protection supervisory authority of the main establishment or of the single establishment of the controller or processor must be competent to act as lead data protection supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.72 By derogation from the above obligation, each data protection supervisory authority is competent to handle a complaint lodged with it or a possible infringement of the GDPR, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.73 In the cases referred to in the above paragraph (Article 56(2)), the data protection supervisory authority must inform the lead supervisory authority without delay on that matter.74 Within a period of three weeks after being informed the lead data protection supervisory authority must decide whether or not it will handle the case in accordance with the procedure provided in Article 60 (cooperation between lead supervisory authority and other supervisory authorities concerned), taking into account whether or not there is an establishment of the controller or processor in the Member State of which the data protection supervisory authority informed it.75 Where the lead data protection supervisory authority decides to handle the case, the procedure provided in Article 60 (cooperation between lead supervisory authority and other supervisory authorities concerned) shall apply.76 The data protection supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision.77 The lead supervisory authority must take utmost account of that draft when preparing the draft decision referred to in Article 60(3).78 Where the lead data protection supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority must handle it according to Articles 61 (mutual assistance) and 62 (joint operations of supervisory authorities).79 The lead data protection supervisory authority will be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.80

72 GDPR Art 56(1). 73 GDPR Art 56(2). 74 GDPR Art 56(3). 75 Ibid. 76 GDPR Art 56(4). 77 Ibid. 78 Ibid. 79 GDPR Art 56(5). 80 GDPR Art 56(6).


There will be a Brexit impact in relation to the ICO and its authority and dealings as regards lead supervisory authority, which is still a developing issue (See Chapter 5).

Cooperation and Suspension

2.33 Where a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing by the same controller or processor that are pending in a court in another Member State, it must contact that court in the other Member State to confirm the existence of such proceedings.81 Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.82 Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.83 While the GDPR refers to the ability, or obligation, in terms of the suspension of proceedings as regards similar or identical proceedings in respective Member States, this will not apply to the UK and the ICO in a post-Brexit scenario by virtue of the GDPR being no longer directly effective in the UK. Of course, it may be that some compromise or similar provision is agreed in Brexit-related or Brexit-consequential legislation. Even regardless of same, it may be that the ICO or another party might make an application to a UK court in a given case for a suspension or an adjournment pending the resolution of similar proceedings elsewhere, even proceedings in the post-Brexit EU.84

REGULATOR FINES

2.34 Each data protection supervisory authority must ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of the GDPR referred to in paragraphs 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive.85

81 GDPR Art 81(1). 82 GDPR Art 81(2). 83 GDPR Art 81(3). 84 However, there is potentially a whole different discussion needed in terms of the EU, UK and international treaties in terms of the enforcement of decisions and judgments, even beyond data protection issues. This wider discussion may, however, cross over and have relevance to certain data protection court decisions. 85 GDPR Art 83(1).


Administrative fines must, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in Article 58(2) (a)–(h) and (j).86 When deciding whether to impose an administrative fine and deciding on the amount in each individual case due regard must be given to the following,

• the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• the intentional or negligent character of the infringement;
• any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and default) and 32 (security of processing);
• any relevant previous infringements by the controller or processor;
• the degree of cooperation with the data protection supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
• the categories of personal data affected by the infringement;
• the manner in which the infringement became known to the data protection supervisory authority, in particular whether and, if so, to what extent, the controller or processor notified the infringement;
• where measures referred to in Article 58(2) (powers) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
• adherence to approved codes of conduct (pursuant to Article 40) or approved certification mechanisms (pursuant to Article 42); and
• any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.87

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.88

86 GDPR Art 83(2). 87 GDPR Art 83(2)(a)–(k). 88 GDPR Art 83(3).


Fines 1

2.35 Infringements of the following provisions must, in accordance with paragraph 2, be subject to administrative fines up to €10 million or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher,

• the obligations of the controller and the processor pursuant to Articles 8 (conditions applicable to child’s consent in relation to information society services), 11 (processing which does not require identification), 25–39 and 42 (certification) and 43 (certification bodies);
• the obligations of the certification body (pursuant to Articles 42 and 43); and
• the obligations of the monitoring body (pursuant to Article 41(4)).89

Articles 25–39 refer to:

• data protection by design and default (Article 25);
• joint controllers (Article 26);
• representatives of controllers or processors not established in the EU (Article 27);
• processors (Article 28);
• processing under authority of the controller or processor (Article 29);
• records of processing activities (Article 30);
• cooperation with the data protection supervisory authority (Article 31);
• security of processing (Article 32);
• notification of a personal data breach to the data protection supervisory authority (Article 33);
• communication of a personal data breach to the data subject (Article 34);
• data protection impact assessment (Article 35);
• prior consultation (Article 36);
• designation of the Data Protection Officer (Article 37);90
• position of the Data Protection Officer (Article 38); and
• tasks of the Data Protection Officer (Article 39).

89 GDPR Art 83(4). 90 See Lambert, P, The Data Protection Officer, Profession, Rule and Role (Routledge, Taylor and Francis, 2016).


Fines 2

2.36 Infringements of the following provisions must, in accordance with paragraph 2, be subject to administrative fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the basic principles for processing, including conditions for consent, pursuant to Articles 5 (principles of data protection), 6 (lawfulness of processing), 7 (conditions for consent), and 9 (processing of special categories of personal data);
• the data subjects’ rights pursuant to Articles 12 to 22 (see below);
• the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49 (see below);
• any obligations pursuant to Member State law adopted under Chapter IX (provisions relating to specific processing situations);
• non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the data protection supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).91

Articles 12–22 refer to,

• transparency and modalities (Article 12);
• information to be provided where personal data are collected from the data subject (Article 13);
• information to be provided where personal data have not been obtained from the data subject (Article 14);
• right of access by the data subject (Article 15);
• right to rectification (Article 16);
• right to erasure (right to be forgotten) (Article 17);
• right to restriction of processing (Article 18);
• notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19);
• right to data portability (Article 20);92
• right to object (Article 21);
• automated individual decision-making, including profiling (Article 22).

91 GDPR Art 83(5). 92 Note Quintel, T, ‘EDPS and Article 29 Working Party Opinions About the Commission Proposals on the Interoperability of Database’ European Data Protection Law Review (EDPL) (2018) (4:2) 217.


Articles 44–49 refer to:

• general principle for transfers (Article 44);
• transfers based on the adequacy decision (Article 45);
• transfers subject to appropriate safeguards (Article 46);
• binding corporate rules (Article 47);
• transfers or disclosures authorised by EU law (Article 48); and
• derogations for specific situations (Article 49).

Fines 3

2.37 Non-compliance with an order by the data protection supervisory authority as referred to in Article 58(2) must, in accordance with paragraph 2 of this Article, be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.[93]

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.[94]

The exercise by the data protection supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process.[95]

Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent data protection supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed must be effective, proportionate and dissuasive.[96] Those Member States were obliged to notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018. They must also notify, without delay, any subsequent amendment law or amendment affecting them.

The issues of penalties in a post-Brexit situation will require careful analysis, and comparison, given that fines and penalties will be at the cutting edge of enforcement practices. In addition, there is a very interesting and overlooked point that Brexit could introduce a very unwelcome prospect of double GDPR fines and penalties. The GDPR introduces fines of up to 4% of worldwide turnover for particular data protection violations or breaches. On the basis that the UK will have the same fines and penalties regime via the Data Protection Act 2018 (as proposed to be amended under Brexit) and the ‘UK GDPR’ as proposed to be introduced, a given international company operating in the UK, the EU, and elsewhere, could face a 4% fine in the UK as well as the EU. This is an important and consequential issue in a developing and changing political area but will need to be reviewed in detail given its potential consequence.

93 GDPR Art 83(6).
94 GDPR Art 83(7).
95 GDPR Art 83(8).
96 GDPR Art 83(9).

Other Fines and Penalties

2.38 Member States must lay down the rules on other penalties applicable to infringements of the GDPR, in particular for infringements which are not subject to administrative fines (pursuant to Article 83), and must take all measures necessary to ensure that they are implemented. Such penalties must be effective, proportionate and dissuasive.[97] Each Member State was obliged to notify the Commission of the provisions of its law which it adopts pursuant to the above by 25 May 2018. It must also notify, without delay, any subsequent amendment affecting these laws.[98]

OTHER REGULATOR POWERS

2.39 The powers of the respective data protection supervisory authorities are critical. See Chapter 3 for more particular details.

REMEDIES

2.40 There are various types of remedies provided for. Chapter VIII refers to remedies, liability and penalties. This refers specifically to:

• right to lodge a complaint with a data protection supervisory authority;
• right to an effective judicial remedy against a data protection supervisory authority;
• right to an effective judicial remedy against a controller or processor;
• representation of data subjects;
• suspension of proceedings;
• right to compensation and liability;
• general conditions for imposing administrative fines; and
• penalties.[99]

97 GDPR Art 84(1).
98 GDPR Art 84(2).

Complaints to Regulator

2.41 Without prejudice to any other administrative or judicial remedy, every data subject must have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.[100]

The data protection supervisory authority with which the complaint has been lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.[101]

Complaints Against Regulator

2.42 Without prejudice to any other administrative or non-judicial remedy, each natural or legal person must have the right to an effective judicial remedy against a legally binding decision of a data protection supervisory authority concerning them.[102]

Without prejudice to any other administrative or non-judicial remedy, each data subject must have the right to an effective judicial remedy where the data protection supervisory authority which is competent pursuant to Articles 55 and 56 neither handles a complaint nor informs the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.[103]

Proceedings against a data protection supervisory authority must be brought before the courts of the Member State where the data protection supervisory authority is established.[104]

Where proceedings are brought against a decision of a data protection supervisory authority which was preceded by an opinion or a decision of the EDPB in the consistency mechanism, the data protection supervisory authority must forward that opinion or decision to the court.[105]

99 GDPR Arts 77–84.
100 GDPR Art 77(1).
101 GDPR Art 77(2).
102 GDPR Art 78(1).
103 GDPR Art 78(2).
104 GDPR Art 78(3).
105 GDPR Art 78(4).


Complaints Against Controller or Processor

2.43 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77, each data subject must have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.[106]

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment.[107] Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.[108]

Complaints for Data Subjects

2.44 The data subject must have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77 (right to lodge a complaint with data protection supervisory authority), 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) on his or her behalf, and to exercise the right to receive compensation (referred to in Article 82) on his or her behalf where provided for by Member State law.[109]

Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the data protection supervisory authority which is competent pursuant to Article 77 (right to lodge a complaint with data protection supervisory authority) and to exercise the rights referred to in Articles 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.[110]

106 GDPR Art 79(1).
107 GDPR Art 79(2).
108 Ibid.
109 GDPR Art 80(1).
110 GDPR Art 80(2).


Compensation and Liability

2.45 Any person who has suffered material or non-material damage as a result of an infringement of the GDPR must have the right to receive compensation from the controller or processor for the damage suffered.[111]

Any controller involved in processing must be liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.[112] A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.[113]

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage to ensure effective compensation of the data subject.[114] Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.[115]

Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).[116]

CURRENT DECISION TRENDS

2.46 We are still in the early days after the ‘go live’ of the GDPR. However, there are some developing trends in the available decisions coming from the respective data protection supervisory authorities following the GDPR. We look at some of the developing trends below.

111 GDPR Art 82(1).
112 GDPR Art 82(2).
113 GDPR Art 82(3).
114 GDPR Art 82(4).
115 GDPR Art 82(5).
116 GDPR Art 82(6).


At the time of writing, and on the basis of the available decisions from the data protection supervisory authorities, most of the decisions are concentrated in four main areas, with double-digit numbers for each, and a spread across a range of other issues in low single-digit numbers. The four main areas are (in priority of highest to lowest of these four areas):

(1) breaches of the principles of data protection (GDPR Article 5);[117]
(2) breaches of the lawful processing rules (GDPR Article 6);[118]
(3) breaches of security obligations (GDPR Article 32);[119] and
(4) breaches of the right of access (or refusal to comply or fully comply with access requests from individual data subjects) (GDPR Article 15).[120]

The other areas trending include breaches of the following:

• consent rules (GDPR Article 7);[121]
• special (sensitive) personal data rules (GDPR Article 9);[122]
• transparency rules (GDPR Article 12);[123]
• prior information rules (GDPR Articles 13 and 14);[124]
• takedown, erasure and forgetting (GDPR Article 17);[125]
• restriction of processing rules (GDPR Article 18);[126]
• right to object (GDPR Article 21);[127]
• data protection by design and by default (GDPR Article 25);[128]
• processor rules (GDPR Article 28);[129]
• cooperation rules (GDPR Article 31);[130]
• notifying breach rules (GDPR Articles 33 and 34);[131]
• data protection impact assessment rules (GDPR Article 35);[132]
• prior consultation rules (GDPR Article 36);[133] and
• Data Protection Officer (DPO) rules (GDPR Article 37).[134]

117 See, for example, Austrian Supervisory Authority v Austrian Post, 23 October 2019.
118 Ibid; Spanish Supervisory Authority v Xfera Moviles SA, 16 October 2019.
119 Some of these examples include: Romanian Supervisory Authority (ANSPDCP) v Raiffeisen Bank SA, 9 October 2019; Romanian Supervisory Authority (ANSPDCP) v Vreau Credit SRL, 9 October 2019; Polish Supervisory Authority (UODO) v Morele.net, 10 September 2019; Bulgaria Supervisory Authority (KZLD) v National Revenue Agency, 28 August 2019; Bulgaria Supervisory Authority (KZLD) v DSK Bank, 28 August 2019; French Supervisory Authority (CNIL) v Active Assurances, 25 July 2019; Information Commissioner (ICO) v Marriott International, Inc, 9 July 2019; Information Commissioner (ICO) v British Airways (BA), 8 July 2019; Romanian Supervisory Authority (ANSPDCP) v Legal Company & Tax Hub SRL, 5 July 2019; Romanian Supervisory Authority (ANSPDCP) v World Trade Center Bucharest SA, 2 July 2019; Dutch Supervisory Authority (AP) v Haga Hospital, 18 June 2019; French Supervisory Authority (CNIL) v Uniontrad, 13 June 2019; French Supervisory Authority (CNIL) v Sergic, 28 May 2019; Norwegian Supervisory Authority (Datatilsynet) v Oslo Municipal Education Department, 29 April 2019; Italian Supervisory Authority (Garante) v Movimento 5 Stelle, 17 April 2019; Norwegian Supervisory Authority (Datatilsynet) v Bergen Municipality, March 2019; Czech Supervisory Authority (UOOU) v X, 28 February 2019; Malta Supervisory Authority v Lands Authority, 18 February 2019; Czech Supervisory Authority (UOOU) v Finance Company, 4 February 2019; Baden-Wuerttemberg Supervisory Authority v Knuddels.de, 21 November 2018; Portuguese Supervisory Authority (CNPD) v Hospital, 17 July 2018.
120 See, for example, Berlin Supervisory Authority v Delivery Hero, 19 September 2019; Hungarian Supervisory Authority v X, 5 April 2019.
121 See Spanish Supervisory Authority (AEPD) v La Liga, 11 June 2019.
122 See Sweden Supervisory Authority v School, 20 June 2019.
123 See Romania Supervisory Authority (ANSPDCP) v Uttis Industries SRL, 17 October 2019; French Supervisory Authority (CNIL) v Uniontrad, 13 June 2019.
124 See, for example, Romania Supervisory Authority (ANSPDCP) v Uttis Industries SRL, 17 October 2019; Austria Supervisory Authority (DSB) v Medical Company, August 2019; Greece Supervisory Authority (HDPA) v PWC, 30 July 2019; French Supervisory Authority (CNIL) v Uniontrad, 13 June 2019; Polish Supervisory Authority (UODO) v A Company, 26 March 2019.

CONCLUSION

2.47 Regardless of Brexit, the GDPR and its provisions in relation to data protection supervisory authorities are important and cannot be ignored. Even in a post-Brexit UK, the equivalent of the GDPR provision generally in terms of obligations and rights (and specifically regarding regulator issues) – the so-called ‘UK GDPR’ – is intended to be enacted. There are additional implications in terms of policymakers, the ICO and corporations having to consider the GDPR rules as regards transfers, the EU–UK, and EU–third countries. The minutiae of the UK GDPR, once enacted, will be closely scrutinised for its impact, its effect (most particularly in terms of supporting a UK adequacy decision application), and for changes or divergences from the EU GDPR. As noted above, the issue of fines and penalties is consequential and must be carefully reviewed as Brexit data protection legislation advances.

125 See Berlin Supervisory Authority v Delivery Hero, 19 September 2019; Latvia Supervisory Authority (DSI) v Online Services, 26 August 2019; Hungary Supervisory Authority (NAIH) v Financial Company, 4 March 2019.
126 See Hungary Supervisory Authority (NAIH) v X, 18 December 2018.
127 See Greece Supervisory Authority (HDPA) v Telecoms Company, 7 October 2019; Berlin Supervisory Authority v Delivery Hero, 19 September 2019.
128 See Greece Supervisory Authority (HDPA) v Telecoms Company, 7 October 2019.
129 See Hamburg Supervisory Authority v Kolibri Image Regina und Dirk Maass GbR, 17 December 2018.
130 See Spain Supervisory Authority (AEPD) v Iberdrola Clientes, 16 October 2019.
131 See Lithuanian Supervisory Authority (VDAI) v UAB Mister Tango, 16 May 2019; Hungary Supervisory Authority (NAIH) v Political Party, 5 April 2019; Hamburg Supervisory Authority v X, 2018.
132 See Sweden Supervisory Authority v School, 20 August 2019.
133 Ibid.
134 See Austria Supervisory Authority (DSB) v Medical Company, August 2019.


CHAPTER 3

National Laws

INTRODUCTION

3.1 The data protection regime provides or enshrines a number of rights to individuals in relation to their informational data and informational privacy and related obligations on both organisations and companies. The rules will become increasingly important as the amount of online personal content continues to grow. The wide definition of personal data[1] and the wide concept of personal data and data protection[2] emphasise this.

There are also additional concepts to consider. Transparency and consent are important aspects of respecting and enabling such fundamental rights to be vindicated, utilised and enforced by individual data subjects. The principle of proportionality is also very important, for example, ensuring proportionality in terms of what personal data is collected, processed and stored. There should not be over-collection or disproportionate collections.[3] The problem(s) of over-collection are an increasing problem area for data protection supervisory authorities to police.[4] Related issues include additional uses and data feature creep.

Individual data subjects have a right of access to personal data.[5] Data subjects also have other rights, including, for example, a right to object.[6] There are also time limits to be complied with by a controller in relation to replying to an individual data subject access request (ie a request to access or obtain a copy of their personal data that the organisation holds).

CONTEXT

3.2 The background to Member State data protection law is, broadly speaking, the EU General Data Protection Regulation (GDPR) which had a ‘go live’ date of 25 May 2018. While directly effective in respective EU Member States by virtue of being an EU Regulation (as distinct from being an EU directive), such as the previous data protection regime by virtue of the Data Protection Directive (Directive 95/46[7]), the GDPR does leave certain scope for individual Member States to further specify and particularise certain specific data protection rules. The UK has scope, therefore, to particularise certain limited aspects and aspects of exemptions from GDPR data protection matters in its national law. Member States would also have to engage in considering the appropriateness of deleting old Directive 95/46-based national laws,[8] given that Directive 95/46 has now been replaced by the GDPR.

A data protection ‘supervisory authority’ is ‘an independent public authority which is established by a Member State pursuant to Article 51’[9] (emphasis added). However, while the GDPR sets certain criteria for data protection supervisory authorities (see Chapter 4), it is up to national legislation to establish the authorities. Some of the main national legal settings, including that in the UK, are outlined below.

Careful consideration of existing aspects of UK law which seek to reflect aspects of the GDPR, and future laws predicated on Brexit occurring and which are indicated to be the means by which a GDPR equivalent (the ‘UK GDPR’) will occur need to be examined as political developments occur. These are discussed further below.

1 GDPR Art 4(1).
2 Purtova, N, ‘The Law of Everything: Broad Concept of Personal Data and Future of EU Data Protection Law’ Innovation and Technology (2018)(10:1) 40.
3 See GDPR Art 5(a), (b), (c), and (e).
4 Just one recent example of seeming over-collection appears to be the practice of certain universities in the US to start profiling students even before they apply to university. MacMillan, D and Anderson, N, ‘Student Tracking, Secret Scores: How College Admissions Offices Rank Prospects Before They Apply’ Washington Post, 14 October 2019.
5 GDPR Art 15.
6 GDPR Art 21. See GDPR Chapter III more generally.

REGULATIONS AND DIRECTIVES

3.3 EU law can be embodied in a variety of EU legal instruments. The origin or source of these instruments can also differ somewhat. In terms of the EU data protection regime we need to consider the two primary legislative routes adopted. These are Directives and Regulations.

The data protection Directive 95/46[10] was a Directive.[11] One description of Directives is that they ‘are normative acts addressed to the Member States, which are then required, within a specified deadline, to adopt the necessary national provisions to give effect to (“transpose”) the policy objectives set out in the directive, and to notify the Commission of their transposition measures’.[12]

The GDPR, in contrast and partly to ensure a more uniform application of EU data protection rules across the EU Member States, is a Regulation.[13] A Regulation is described as ‘in effect the equivalent of a statute or law in a national legal order’.[14] A Regulation has direct effect[15] in Member States without any further implementation being necessary.[16] (Directives can also have direct effect issues to consider in certain circumstances.[17]) However, the GDPR as a directly effective Regulation will cease to have such effect in the UK in a post-Brexit scenario.

7 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
8 Ibid.
9 GDPR Art 4(21).
10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
11 Article 288, para 3, TFEU. Usher, JA, EC Institutions and Legislation (Longman, 1998) 131; Barnard, C and Peers, S, European Union Law (OUP, 2014) 100; Chapter 8 ‘Consequences of EC Legislation: The Direct Effect and Indirect Effect’ in Usher, JA, EC Institutions and Legislation (Longman, 1998) at 144; Halsbury, EU Legislation Implementator 2018: The Guide to the Implementation of Directives (LexisNexis: 2018). Also Dickson, J, ‘Directives in EU Legal Systems: Whose Norms Are They Anyway?’ European Law Journal (2011) (17:2) 190.

The UK

3.4 The current legal background and status of data protection and the role of the ICO as data protection supervisory authority, tied in with proposals for updating even recent changes (such as the Data Protection Act 2018), make complex and difficult reading. They are not always clear and user friendly. The texts are also located in disparate source locations. In addition, even the effective interim legislation, namely the Data Protection Act 2018 (DPA 2018), is a complex and difficult text. In addition, while it relates to data protection, it only refers to certain aspects of the GDPR – not its entire effect – and includes additional non-GDPR matters. Overall, it can create more confusion than might have been desired in a measure intended to solely deal with UK GDPR-related issues.[18]

12 Barnard, C and Peers, S, European Union Law (OUP, 2014) 100.
13 Article 288, para 2, TFEU. See, for example, Usher, A, EC Institutions and Legislation (Longman, 1998) 128; Barnard, C and Peers, S, European Union Law (OUP, 2014) 99; Usher, JA, EC Institutions and Legislation (Longman, 1998) 129; Chapter 8 ‘Consequences of EC Legislation: The Direct Effect and Indirect Effect’ in Usher, A, EC Institutions and Legislation (Longman, 1998) at 144.
14 Barnard, C and Peers, S, European Union Law (OUP, 2014) 99.
15 Schütze, R, ‘Direct Effect and Indirect Effects of Union Law’ in Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018) at 265.
16 However, in terms of the practicalities of the application of the GDPR in respective Member States, many have also introduced national data protection legal measures, in some instances to repeal past national laws implemented previously to implement and comply with the DPD 95/46; or, in some instances, also to deal with certain national law nuances that needed to be tailored to align with the new GDPR.
17 Rasmussen, M, ‘How to Enforce European Law? A New History of the Battle Over the Direct Effect of Directives, 1958–1987’ European Law Journal (2017)(23:3/4) 290; Carolin Hübner, D, ‘The Decentralized Enforcement of European Law: National Court Decisions on EU Directives With and Without Preliminary Reference Submissions’ Journal of European Public Policy (2018)(25:12) 1817; Rasmussen, M, ‘How to Enforce European Law? A New History of the Battle Over the Direct Effect of Directives, 1958–1987’ European Law Journal (2017)(23:3/4) 290.
18 See commentary in Lambert, P, Gringras, The Laws of the Internet, 5th edition (Bloomsbury, 2018).


The data protection legal background and status in the UK includes the GDPR (in terms of the UK at the time of writing still being a part of the EU) and the new UK DPA 2018. This Act was passed by both houses of Parliament on 21 May 2018. It received Royal Assent on 23 May 2018. The Act came into force on 25 May 2018, the same date as the ‘go live’ of the GDPR.[19]

Note, however, that the UK Data Protection Act 2018 does not, or does not fully, implement the GDPR. Further legislation is required to implement the GDPR or to implement a data protection regime in the UK which is equivalent to and compatible with it. There are significant consequences if Brexit occurs and there is no UK GDPR equivalent and compatible legislation implemented – especially in relation to the commercial transfer of personal data as between the EU and the UK (see further details in the following two chapters).

The UK data protection supervisory authority is the Information Commissioner’s Office (ICO).

There is a proposed Withdrawal Act, plus a Keeling Schedule of amendments from the GDPR which refer to additional changes to UK data protection laws.[20] The exact position, however, remains uncertain given the requirement for further negotiations, transition periods, extension(s), etc, in relation to data protection (see further Chapter 5).

The UK Data Protection Act is more complex than may have been wished for. In addition, it does not fully deal with the GDPR, and adds further confusion by including reference to additional matters. In addition, interested parties also need to refer to:

• The UK European Union (Withdrawal) Act 2018.[21]
• The UK European Union (Withdrawal) Act 2019.
• The UK European Union (Withdrawal)(No 2) Act 2019.
• The ‘Data Protection Act 2018 Keeling Schedule’ of proposed amendments.[22]
• The ‘General Data Protection Regulation Keeling Schedule’ of proposed amendments.[23]

19 The text of the Act is available at: www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf.
20 In fact, there are two separate Keeling schedules. See ‘Data Protection Regulation Keeling Schedule’ at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf; and ‘Data Protection Act 2018 Keeling Schedule’. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf/.
21 European Union (Withdrawal) Act 2018. Available at: www.legislation.gov.uk/ukpga/2018/16/contents/enacted.
22 Data Protection Act 2018 Keeling Schedule. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf.
23 General Data Protection Regulation Keeling Schedule. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf.


In addition, there is a growing list of ICO, other data protection supervisory authority, and other official guidance on the problem Brexit data protection issues.

Ireland

3.5 It is also useful to look at the example of Ireland as it refers to EU data protection and the GDPR. It is useful from a comparative perspective, from a relationship and proximity perspective, from the perspective of the increasing interest in data protection supervisory authority issues and investigations in Ireland (particularly as they relate to international and multinational issues), and given that Ireland will remain in the EU post Brexit.

The data protection legal background in Ireland includes the GDPR (being directly effective) and the new Irish Data Protection Act 2018. The Data Protection Act 2018 came into force on 25 May 2018, again coinciding with the ‘go live’ of the GDPR.[24][25] As part of this legal change, the previous data protection supervisory authority in Ireland (the Data Protection Commissioner) was replaced by the Data Protection Commission.[26] While up to three Data Protection Commissioners of the Data Protection Commission are provided for in the new law,[27] only one has so far been appointed.

France

3.6 The GDPR applies by way of direct effect. The French National Assembly adopted the text of the new data protection law on 14 May 2018. The Senate made a referral to the French Constitutional Council. The Constitutional Council provided its decision on 12 June 2018. The French law was published in the French Official Journal on 21 June 2018.[28]

The draft ordinance consolidating this new legal framework with the other data protection law was adopted on 12 December 2018. It was to enter into force no later than 1 June 2019, together with the Decree of application of the new law. The Bill to ratify the ordinance was presented to the Council of Ministers on 1 April 2019.

24 McLaughlin, S, ‘Ireland: A Brief Overview of the Implementation of the GDPR’ European Data Protection Law Review (EDPL) (2018)(4:2) 227.
25 The Data Protection Act is available at: www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html.
26 Established pursuant to the (Irish) Data Protection Act 2018, Pt 2, s 10.
27 Ibid s 15(1).
28 See www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000037085952&dateTexte=&categorieLien=id.


Germany

3.7 The data protection legal status includes the following. Germany has national federal data protection laws as well as local state data protection laws. The new Federal Data Protection Act (covering both GDPR and the Police Directive and some amendments to the laws of the federal intelligence agencies) was adopted in the two parliamentary chambers in May 2017. It was published in the Official Journal on 30 June 2017. The Act entered into force on 25 May 2018, again coinciding with the ‘go live’ of the GDPR.[29]

The German government also approved approximately 154 amendments to sector-specific legislation on 5 September 2018.[30] A first set of these amendments (to some federal legal acts in the tax and social security areas) was adopted in July 2017. These were published in the Official Journal on 17 July 2018 and entered into force on 25 May 2018. The 16 German Bundesländer (states) have adopted their own general data protection laws.[31]

Belgium

3.8 The Belgian data protection supervisory authority has been reformed through the adoption of the law of 3 December 2017. The Belgian GDPR Implementation Act of 30 July 2018 was published in the Moniteur Belge on 5 September 2018.32

29 The new Federal Data Protection Act can be found at: www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl117s2097.pdf%27%5D__1519203215836, or https://germanlawarchive.iuscomp.org/?p=712.
30 The drafts can be found at: www.bmi.bund.de/SharedDocs/downloads/DE/veroeffentlichungen/2018/dsanpug.pdf;jsessionid=A250D36F41A80F0321F354195365D87D.2_cid373?__blob=publicationFile&v=2.
31 An overview of these respective state laws (as well as links to the respective state laws) is available at: www.esv.info/aktuell/umsetzung-der-dsgvo-neues-ausbayern-undnordrheinwestfalen/id/93637/meldung.html.
32 See http://timelex.eu/frontend/files/userfiles/files/nieuwe-belgischeprivacywet-30-07-2018.pdf.


Austria

3.9 The Austrian law covering the GDPR (and the Law Enforcement Directive33) has been adopted by parliament and entered into force on 25 May 2018.34 Austria has also adopted two amendments to the new data protection law, which also entered into force on 25 May 2018.35

Italy

3.10 Decree No 101/2018 was adopted on 10 August 2018 and published in the Official Journal on 4 September 2018. The Italian Code on the protection of personal data, as amended by the above law of 10 August 2018, entered into force on 19 September 2018.36 This legislative decree has introduced national provisions for the adaptation of national legislation to comply with the GDPR.37

Spain

3.11 On 21 November 2018, the Organic Law 03/2018 was passed by the Senate. It was published in the Official Journal on 6 December 2018.38

OTHER DATA PROTECTION AND PRIVACY LAWS

3.12 There are a range of other data protection laws in the other Member States. Other countries around the world also have their own new or updated (having seen the new GDPR) data protection and privacy laws. This includes other parts of Europe, Asia, Central America, South America, Australia, New Zealand and Canada.39

33 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. OJ L 119, 4.5.2016, pp 89–131.
34 The text can be found at: www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2017_I_120/BGBLA_2017_I_120.pdf
35 The texts can be found at: www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2018_I_23/BGBLA_2018_I_23.pdfsig; and www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2018_I_24/BGBLA_2018_I_24.pdfsig
36 See www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29.pdf/b1787d6b-6bce-07da-a38f-3742e3888c1d?version=1.6.
37 See www.gazzettaufficiale.it/eli/id/2018/09/04/18G00129/sg.
38 The text is available at: www.boe.es/buscar/doc.php?id=BOE-A-2018-16673.
39 Morgan, S, ‘Private Sector Audits and the Office of the Privacy Commissioner of Canada’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 11.


Part of the inevitable backdrop to this discussion of data protection laws around the world is, of course, the new European legal regime pursuant to the GDPR.40 The backdrop then focuses upon EU data protection law41 and commentary.42 Complying with data protection and privacy laws, and the manner of that compliance, is an important aspect of the data protection regime.43 The wide concept of personal data and data protection is an integral part of any such consideration.44 There are a growing number of academic references to EU data protection law45 and numerous laws and texts dedicated to EU data protection law.46

40 See, for example, texts such as Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018); Foster, N, EU Law (OUP, 2018); Kirk, E, EU Law (Pearson, 2015); Tridimas, T, General Principles of EU Law (OUP, 2019); Schütze, R, An Introduction to European Law (CUP, 2015); Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014); Barnard, C and Peers, S, European Union Law (OUP, 2014); Chalmers, D, Davies, G and Monti, G, European Union Law (CUP, 2014); Craig, P and de Búrca, G, The Evolution of EU Law (OUP, 2011); Barnard, C, The Substantive Law of the EU, The Four Freedoms (OUP, 2016); Tridimas, T, The General Principles of EU Law (OUP, 2006); Hartley, TC, European Union Law in a Global Context (CUP, 2004); Raworth, P, Introduction to the Legal System of the European Union (Oceana, 2001); Usher, JA, EC Institutions and Legislation (Longman, 1998); Chapter 8 ‘Consequences of EC Legislation: The Direct Effect and Indirect Effect’ in Usher, JA, EC Institutions and Legislation (Longman, 1998) at 144; Craig, P, and Harlow, C, Law Making in the European Union (Kluwer, 1998); Reinisch, A, Essential Questions in EU Law (CUP, 2009); Szabo, S, ‘European Values, Fundamental Rights and the Private International Law of the European Union’ Hungarian Yearbook of International Law and European Law (2014) 307; Hartkamp, A, Sieburgh, C, and Devroe, W, Cases, Materials, and Text on European Law and Private Law (Hart, 2017); Macchia, M, ‘Research Handbook on EU Administrative Law’ Italian Journal of Public Law (2017)(9:2) 420; Gordon, R, QC, and Moffat, R, EU Law in Judicial Review (OUP, 2014).
41 Hartkamp, A, Sieburgh, C and Devroe, W, Cases, Materials, and Text on European Law and Private Law (Hart, 2017).
42 Iftimiei, A, ‘Protection of Personal Data: Aspects of European Law’ Analele Stiintifice Ale Universitatii Alexandru Ioan Cuza Din Iasi Stiinte Juridice (2018)(64:1) 273; Lynskey, O, The Foundations of EU Data Protection Law (OUP, 2015). Sammut, I, Constructing Modern European Private Law: A Hybrid System (Cambridge Scholars Publishing, 2016).
43 Determann, L, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance (Elgar, 2015); Lambert, P, Understanding the New European Data Protection Rules (Taylor & Francis, 2017); Lambert, P, ‘Complying with the Data Protection Regime’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:7) 17.
44 Purtova, N, ‘The Law of Everything: Broad Concept of Personal Data and Future of EU Data Protection Law’ Law, Innovation and Technology (2018)(10:1) 40.
45 Hartkamp, A, Sieburgh, C and Devroe, W, Cases, Materials, and Text on European Law and Private Law (Hart, 2017).
46 Iftimiei, A, ‘Protection of Personal Data: Aspects of European Law’ Analele Stiintifice Ale Universitatii Alexandru Ioan Cuza Din Iasi Stiinte Juridice (2018)(64:1) 273; Lynskey, O, The Foundations of EU Data Protection Law (OUP, 2015). Sammut, I, Constructing Modern European Private Law: A Hybrid System (Cambridge Scholars Publishing, 2016).


Complying with data protection and privacy laws is also increasingly the focus of scholars and professional guidance and intelligence firms.47 How data protection laws exist and are used generally in the different EU Member States is also the focus of dedicated texts. This also includes reference to these issues after commencement of the GDPR. Just some of the Member States are:
• Germany48
• Spain49
• Italy50

47 Determann, L, above; Lambert, P, Understanding the New European Data Protection Rules (Routledge, Taylor & Francis, 2017).
48 von dem Bussche, AF, and Voigt, P, Data Protection in Germany: Including EU General Data Protection Regulation 2018 (Beck, 2017); Wolff, HA, ‘The Implementation of Administrative Fines Under the General Data Protection Regulation From the German Perspective’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:11) 11; Gömann, M, ‘The New Territorial Scope of EU Data Protection Law: Deconstructing a Revolutionary Achievement’ Common Market Law Review (2017)(54:2) 567; Essers, L, ‘Facebook Must Comply with German Data Protection Law, Court Rules’ Good Gear Guide (18 February 2014) 4; English, N, and Bieker, F, ‘Upholding Data Protection Law Against Multinational Corporations: German Administrative Measures Relating to Facebook’ German Yearbook of International Law (2012)(55) 587; Hoeren, T, ‘The New German Data Protection Act and Its Compatibility with the European Data Protection Directive’ Computer Law & Security Review (2009)(25:4) 318; Bachmann, G, Bialski, P, and Hansen, M, ‘The Terms of Anonymity: An Interview With Marit Hansen, German Data Protection Expert’ Ephemera: Theory & Politics in Organization (May 2017)(17:2) 421; Schallbruch, M and Isabel, S, Cybersecurity in Germany (Springer, 2018); Kirchner, J, Kremp, PR and Magotsch, M, Key Aspects of German Employment and Labour Law (Springer-Verlag, 2018); Chapter 12 ‘Data Protection and Monitoring’ by Grentzenberg, V and Kirchner, J, in Kirchner, Kremp and Magotsch, Key Aspects of German Employment and Labour Law (Springer-Verlag, 2018); Chapter 18 ‘Compliance’ by Kremp, PR, and Kirchner, J, in Kirchner, Kremp and Magotsch Key Aspects of German Employment and Labour Law (Springer-Verlag, 2018). Studt, N, ‘Germany: Data Protection Law Scuppers Archive on Serial Litigants’ Venulex Legal Summaries (2010 Q2, Special section) 14; de Hingh, A, ‘Some Reflections on Dignity as an Alternative Legal Concept in Data Protection Regulation’ German Law Journal (October 2018)(19:5) 1269.
49 Recio, M, ‘Spain: Preparations for a New Law on Data Protection to Implement the GDPR’ European Data Protection Law Review (EDPL) (2017)(3:3) 376; Leiva, AM, ‘Data Protection Law in Spain and Latin America: Survey of Legal Approaches’ International Law News (2012)(41:4) 16; Álvarez, C, ‘Perspectives on the GDPR: Spanish Privacy Professionals Association’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 14.
50 Hampson, NCN, ‘The Internet is Not a Lawless Prairie: Data Protection and Privacy in Italy’ Boston College International and Comparative Law Review (2011)(34:2) 477; Ziccardi, G, Cyber Law in Italy (Turpin, 2011); Bologna, S, Bellavista, A, Corso, PP, and Zangara, G, Electronic Health Record in Italy and Personal Data Protection (Brill, 2016); Di Ciommo, F, ‘Privacy in Europe after Regulation (EU) No 2016/679: What Will Remain of the Right to Be Forgotten’ Italian Law Journal (2017)(3:2) 623; Riccio, GM, ‘Perspectives on the GDPR, A View from Italy’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 24; Soro, A, President Italian Data Protection Authority, ‘Perspectives on the GDPR: Italian Data Protection Authority’ International Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 13.


• Denmark51
• Ireland52
• Greece53
• UK54 (including Brexit issues)
• Scotland55 (but part of UK).

Data protection laws in other countries are also variously referred to, for example,
• Canada56
• New Zealand57
• Mexico58
• Brazil59
• El Salvador60

51 Blume, P, ‘The Data Protection Directive and Danish Law’ International Review of Law, Computers & Technology (1997)(11:1) 65.
52 Lambert, P, Data Protection Law in Ireland, Sources and Issues (Clarus, 2013); O’Dell, E, ‘Compensation for Breach of the General Data Protection Regulation’ Dublin University Law Journal (2017)(40:1) 97.
53 Katrakazi, M, ‘Road to GDPR Compliance: Developments in Greece’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 23.
54 Elizabeth Denham, UK Information Commissioner, ‘Perspective on the GDPR and Current Issues from the UK Information Commissioner’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 12. Cremer, H-J, Human Rights and the Protection of Privacy in Tort Law: A Comparison Between English and German Law (Routledge-Cavendish, 2011). Lambert, P, Gringras, The Laws of the Internet, 5th edition (Bloomsbury, 2018). Lambert, P, A User’s Guide to Data Protection (Bloomsbury, 2018).
55 Christie Reid, E, Personality, Confidentiality and Privacy in Scots Law (W Green/Thomson Reuters, 2010).
56 Privacy Commissioner of Canada, ‘A Canadian Perspective on Modernizing Privacy Legislation’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3); Morgan, S, ‘Private Sector Privacy Audits, Undertaken by the Privacy Commissioner of Canada and the Impact of Impending Privacy Regulations’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 11; Morgan, S, ‘Preparing for the Canadian Data Breach Reporting Requirements’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:7) 8.
57 David Harvey, Hon Judge and Professor, ‘Perceptions to the GDPR: New Zealand’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 10; Roos, A, ‘Personal Data Protection in New Zealand: Lessons for South Africa?’ Potchefstroom Electronic Law Journal (2008)(11:4) 61.
58 Determann, L, and Legorreta, S, ‘New Data Privacy Law in Mexico’ Computer & Internet Lawyer (2010)(27:12) 8.
59 Bousso, F, ‘Perspectives of the European General Data Protection Regulation (GDPR) in Brazil’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 31; Opice Blum, R, and C Rioja, ‘Brazil’s “GDPR” Sanctioned’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:9) 12.
60 Bonilla, R, ‘Perspectives for Supranational Digital Regulation in Developing Countries’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 21.




• South Africa61
• Colombia62
• US.63

Data protection is also sometimes referred to on a regional basis, for example,
• Central Europe64
• Latin America65
• Asia66
• Africa67
• Middle East.68

There is also comparison of issues as between different countries.69 This also extends to how EU law influences and is applied in national systems70 and how

61 Yav, C, ‘Perspectives on the GDPR From South Africa’ International Journal for the Data Protection Officer and Privacy Counsel (IDPP) (2018)(2:3) 19.
62 Peña, P, ‘The Future of Data Protection after the New Government in Colombia’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:6) 18.
63 Dort, KK, Criss, JT, and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield, and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 15; Katyal, SK, ‘Perceptions to the GDPR: US’ IDPP (2018)(2:3) 16; Nojeim, G, ‘Wider Implications of Carpenter v United States’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:6) 8.
64 Majtenyi, L, ‘Ensuring Data Protection in East-Central Europe’ Social Research (2002)(69:1) 151.
65 Leiva, AM, ‘Data Protection Law in Spain and Latin America: Survey of Legal Approaches’ International Law News (2012)(41:4) 16.
66 Greenleaf, G, Asian Data Privacy Laws (OUP, 2017).
67 Makulilo, AB, ‘The GDPR Implications for Data Protection and Privacy Protection in Africa’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:2) 12.
68 Meenagh, B, and Elsayed, O, ‘The GDPR From Saudi Arabia and United Arab Emirates’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 26.
69 Cremer, H-J, Human Rights and the Protection of Privacy in Tort Law: A Comparison Between English and German Law (Routledge-Cavendish, 2011).
70 Bobek, M, ‘The Effect of EU Law in the National Legal Systems’ in Barnard, C and Peers, S, European Union Law (OUP, 2014) 143; Slaughter, A-M, Stone Sweet, A and Weiler, JHH, The European Court and National Courts-Doctrine and Jurisprudence (Hart, 1998); Usher, JA, EC Institutions and Legislation (Longman, 1998); Chapter 8 ‘Consequences of EC Legislation: The Direct Effect and Indirect Effect’ in Usher, JA, EC Institutions and Legislation (Longman, 1998) at 144; Macchia, M, ‘Research Handbook on EU Administrative Law’ Italian Journal of Public Law (2017)(9:2) 420. Also in national systems such as Varju-Varnay (eds), The Law of the European Union in Hungary (HVG-ORAc, 2014) Hungarian Yearbook of International Law and European Law (2016) 745; Beatrice Gabriela, C, ENE-DINU, The Impact of Preliminary Rulings Pronounced by the Court of Justice of the European Union on the Activity of the Romanian Courts of Law, Challenges of the Knowledge Society (2017)(7) 440.


different implementation routes can exist. Indeed, this is evident between how the previous data protection regime was implemented (via the DPD 95/4671) as opposed to the new data protection regime (implemented in the form of the GDPR). Discussion and comparison exist between the EU and US leading to increasing calls for a general US federal privacy law (in relation to which, see further details in Chapter 8).

71 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.


CHAPTER 4

Regulators and Authorities

INTRODUCTION

4.1 The data protection regime could not function without the data protection supervisory authorities. The current background to data protection and privacy regulators and supervisory authorities is without doubt the EU General Data Protection Regulation (GDPR).1 This went live on 25 May 2018. It is directly effective in respective EU Member States by virtue of being an EU Regulation (as distinct from the previous EU data protection directive (Directive 95/462)). The GDPR sets certain criteria, roles, powers, etc, for data protection supervisory authorities. A data protection ‘supervisory authority’ is ‘an independent public authority which is established by a Member State’3 (emphasis added). It is up to national legislation to establish the authorities. The data protection supervisory authorities are listed and referred to below. Some of the other data protection and privacy regulators are also outlined below. In general, data protection supervisory authorities refer to authorities under data protection rules, whereas regulator refers to privacy and privacy-type regulators. The GDPR and developments elsewhere (such as the increasing fines of the Federal Trade Commission (FTC) in the US) make clear that there is an increasing general role for data protection supervisory authorities and other privacy regulators and there are important enhanced powers of enforcement.4

1 See generally, Lambert, P, Understanding the New European Data Protection Rules (Routledge, Taylor and Francis, 2017); Lambert, P, A User’s Guide to Data Protection (Bloomsbury, 2018). See, also, Wright, D and de Hert, P, eds, Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer, 2016).
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
3 Definition in GDPR Art 4(21). This is pursuant to GDPR Art 51.
4 Note generally, Hustinx, P, ‘The Role of Data Protection Authorities’ in Gutwirth, S, De Hert, P, Poullet, Y and de Terwangne, C, Reinventing Data Protection? (2009) 131; Giurgiu, A and Larsen, TA, ‘Roles and Powers of National Data Protection Authorities – Moving from Directive 95/46/EC to the GDPR: Stronger and More “European” DPAs as Guardians of Consistency?’ European Data Protection Law Review (2016)(2:3) 342; Schütz, P, ‘The Set Up of Data Protection Authorities as a New Regulatory Approach’ in Gutwirth, S, De Hert, P, Leenes, RE and Poullet, Y, European Data Protection: In Good Health? (2012) 125; McGeveran, W, ‘Friending the Privacy Regulators’ Arizona Law Review (2016)(58:4) 959.


EU MEMBER STATES

4.2 The main national EU data protection supervisory authorities are as follows.

| Country | Data Protection Supervisory Authority | Abbreviation |
|---|---|---|
| Austria | Datenschutzbehörde | DSK |
| Belgium | Autorité de la protection des données / Gegevensbeschermingsautoriteit | APD-GBA |
| Bulgaria | Commission for Personal Data Protection | CPDP |
| Croatia | Croatian Personal Data Protection Agency | CPDPA |
| Cyprus | Commissioner for Personal Data Protection | CPDP |
| Czech Republic | Office for Personal Data Protection | OPDP |
| Denmark | Datatilsynet | |
| Estonia | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | EDPI/AI |
| Finland | Office of the Data Protection Ombudsman | ODPO |
| France | Commission Nationale de l’Informatique et des Libertés | CNIL |
| Germany | Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit / Federal DPA of Germany | FDPA |
| Greece | Hellenic Data Protection Authority | HDPA |
| Hungary | Hungarian National Authority for Data Protection and Freedom of Information | HNADPFI |
| Ireland | Data Protection Commission | DPC |
| Italy | Garante per la protezione dei dati personali | Garante |
| Latvia | Data State Inspectorate | DSI |
| Lithuania | State Data Protection Inspectorate | SDPI |
| Luxembourg | Commission Nationale pour la Protection des Données | CNPD |
| Malta | Office of the Information and Data Protection Commissioner | OIDPC |
| Netherlands | Autoriteit Persoonsgegevens | AP |
| Poland | Urząd Ochrony Danych Osobowych (Personal Data Protection Office) | |
| Portugal | Comissão Nacional de Protecção de Dados | CNPD |
| Romania | The National Supervisory Authority for Personal Data Processing | NSAPDP |
| Slovakia | Office for Personal Data Protection of the Slovak Republic | OPDPSR |
| Slovenia | Information Commissioner of the Republic of Slovenia | ICRS |
| Spain | Agencia Española de Protección de Datos | AEPD |
| Sweden | Datainspektionen | |
| United Kingdom | Information Commissioner’s Office | ICO |

EUROPE

4.3 There are also additional entities to consider, namely, the European Data Protection Board (EDPB) and the European Data Protection Supervisor. The EDPB is established under the GDPR.5 It effectively replaces the previous data protection Article 29 Working Party (WP29) as was established6 and existed under the previous data protection regime as established under the prior data protection directive (Directive 95/467). The EDPB is made up and composed of the head of one data protection supervisory authority for each respective Member State plus the European Data Protection Supervisor.8 So it is made up of the various data protection supervisory authorities in terms of its members. The EDPB undertakes various tasks and issues opinions and advice on matters of data protection.9 The European Data Protection Supervisor is an authority of sorts – but deals with particular data protection compliance issues of the EU institutions as opposed to main day-to-day issues in respective Member States. There are various interested institutional parties. In a wider context, there can also be consideration of the different institutions of the EU relating to roles, policy and legislation issues, such as the EU Commission10 and

5 See GDPR Art 68(1).
6 See data protection Directive 95/46 Art 29(1). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281, 23/11/1995 pp 0031–0050. In terms of its workings and activities generally, see for example, Quintel, T, ‘EDPS and Art 29 Working Party Opinions About the Commission Proposals on the Interoperability of Database’ European Data Protection Law Review (EDPL) (2018)(4:2) 217.
7 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
8 See GDPR Art 68(3).
9 See, for example, GDPR Arts 64 (opinions), 70 (list of tasks), 71 (reports), 70 (issuing and drafting various guidelines), etc.
10 Nugent, N and Rhinard, M, The European Commission (Palgrave, 2015); Schmidt, SK and Wonka, A, ‘European Commission’, in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 336; Cini, M, The European Commission (Manchester University Press, 1996); Usher, JA, EC Institutions and Legislation (Longman, 1998).


EU Parliament,11 or how wider EU laws are interpreted judicially including cases before the CJEU.12 Note also that the respective EU institutions are located or headquartered in different Member States, and some have offices in different states. In addition, the European Data Protection Supervisor is increasingly active in discussing and promoting data protection more generally. Separate legislation to the GDPR also applies to the European Data Protection Supervisor. Article 52 of Regulation 2018/172513 provides that ‘[t]he European Data Protection Supervisor is hereby established’. The duties and powers of the European Data Protection Supervisor are also set out in Regulation 2018/1725.14

| | Data Protection Supervisory Authority | Abbreviation |
|---|---|---|
| EU | European Data Protection Supervisor | EDPS |

| | Data Protection Advisory Authority | Abbreviation |
|---|---|---|
| EU | European Data Protection Board | EDPB |

EEA

4.4 Some other countries, while not formally a part of the EU, maintain a close relationship with the EU and adopt similar laws as the EU. Some of these maintain a close relationship with the EU via the European Economic Area

11 Bradley, K, ‘The European Parliament’ in Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018) at 457; Raunio, T, ‘The European Parliament’ in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 365; Usher, JA, EC Institutions and Legislation (Longman, 1998).
12 Tridimas, T, ‘The Court of Justice of the European Union’ in Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018) at 581; Wägenbaur, B, Court of Justice of the European Union (Beck, Hart, Nomos, 2013); Arnull, A, The European Union and Its Court of Justice (OUP, 2006); de Búrca, G and Weiler, JHH, The European Court of Justice (OUP, 2001); March Hunnings, N, The European Courts (Cartermill, 1996); Poiares Maduro, M, We The Court, the European Court of Justice and the European Economic Constitution (Hart 1998); Stone Sweet, A, ‘The European Court of Justice’ in Craig, P and de Búrca, G, The Evolution of EU Law (OUP, 2011) at 121; Slaughter, A-M, Stone Sweet, A and Weiler, JHH, The European Court and National Courts-Doctrine and Jurisprudence (Hart, 1998); Azoulai, L and Dehousse, R, ‘The European Court of Justice and Legal Dynamics of Integration’ in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 350; Saurugger, S and Trepan, F, The Court of Justice of the European Union and the Politics of Law (Palgrave, 2017); Usher, JA, EC Institutions and Legislation (Longman, 1998); Szabo, M, ‘General Principles of Law in the Practice of International Courts and the European Court of Justice’ Hungarian Yearbook of International Law and European Law (2016) 135; Lasok, KPE, Lasok’s European Court Practice and Procedure (Bloomsbury, 2017).
13 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
14 Ibid.


(EEA) agreement.15 The members of the EEA and EEA agreement are Iceland, Liechtenstein, and Norway. Similar data protection laws to the GDPR are just examples of some of the EU or EU-compatible laws that these countries maintain.

| Country | Data Protection Supervisory Authority | Abbreviation |
|---|---|---|
| Iceland | Persónuvernd | |
| Liechtenstein | Data Protection Office, Principality of Liechtenstein | DPO |
| Norway | Datatilsynet | |

Also note that while Switzerland is not an EEA Member State, it maintains a similar type relationship with the EU which includes having similar laws in a range of areas, including data protection. It therefore has laws similar and compatible with the GDPR.

| Country | Data Regulator | Abbreviation |
|---|---|---|
| Switzerland | Federal Data Protection and Information Commissioner | FDPIC |

OTHER EXAMPLES

4.5 Some other examples of data privacy regulators or data protection supervisory authorities include,

| Country | Data Protection Supervisory Authority | Abbreviation |
|---|---|---|
| Canada | Office of the Privacy Commissioner of Canada/Commissaire à la Protection de la Vie Privée Canada | OPCC |
| Australia | Office of the Australian Information Commissioner | OAIC |
| New Zealand | Office of the Privacy Commissioner | OPC |

UK

Information Commissioner’s Office

4.6 A data protection ‘supervisory authority’ means ‘an independent public authority which is established by a Member State pursuant to Article 51’.16 Some of the national data protection supervisory authorities, including the UK, are referred to below. (Also, see further details in relation to the respective data

15 See EEA Agreement 192, which came into effect on 1 January 1994.
16 GDPR Art 4(21).


protection supervisory authorities, including contact details, contained in the attached schedules.) The UK national data protection supervisory authority is the Information Commissioner’s Office or ICO. The ICO is very active in UK and EU (and even international) data protection issues, from discussion and promotion of data protection awareness of issues, to complex issues of investigations and enforcement. It obviously also deals with a wide range of domestic data protection and compliance issues.17 The ICO provides a number of guides and interpretations in relation to specific data protection issues and industry sectors. These include guides for:
• the new DPA 2018;
• the GDPR and implications of GDPR for UK;
• Brexit;
• political profiling;
• apps, online and electronic devices;
• audits;
• Big Data;
• Cambridge Analytica;
• CCTV;
• charity;
• construction blacklists;
• credit and finance;
• crime mapping;
• criminal, court and police records;
• data processing;
• data sharing;
• data subject access;
• data protection – general;
• deletion;
• Driver and Vehicle Licensing Agency (DVLA);
• drones;

17 Denham, E, ‘Perspective on the GDPR and Current Issues from the UK Information Commissioner’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:3) 12.


• education;
• electoral register;
• electronic communications and marketing;
• employment;
• finance;
• health;
• health records;
• housing;
• identity theft;
• identity scanning;
• international transfer;
• marketing;
• media;
• monetary penalties;
• elected officials;
• online;
• online and electronic devices;
• Operation Motorman (re newspaper hacking);
• personal data;
• privacy and electronic communications – general;
• data protection by design (DPbD);
• privacy notice;
• relevant filing system;
• RFID tags;
• schools, universities and colleges;
• security;
• spam;
• spatial information; and
• telecommunications.18

18 See, for example, ICO, Data Protection and Privacy and Electronic Communications. Available at: https://ico.org.uk.

63

4.6  Regulators and Authorities

Useful reference material is available as set out below.

The Data Protection Act 2018 is available at: www.legislation.gov.uk/ukpga/2018/12/enacted

The Data Protection Act 2018 Keeling Schedule of proposed amendments is available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf

The General Data Protection Regulation Keeling Schedule of proposed UK amendments is available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf

The ICO is available at: https://ico.org.uk/

The EU Commission is available at: http://ec.europa.eu/justice/data-protection/index_en.htm

The EDPB is available at: https://edpb.europa.eu/

The European Data Protection Supervisor is available at: https://edps.europa.eu/

The Article 29 Working Party (WP29) (now replaced by the EDPB) is available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/index_en.htm

The European Court of Justice website is available at: http://europa.eu/about-eu/institutions-bodies/court-justice/index_en.htm

Court of Justice (previously ECJ and CJEU) cases19 are at: http://curia.europa.eu/juris/recherche.jsf?language=en

19 Tzanou, M, ‘Balancing Fundamental Rights, United in Diversity? Some Reflections on the Recent Case Law of the European Court of Justice on Data Protection’ CYELP (2010)(6) 53.

The ECHR website is available at: http://echr.coe.int/Pages/home.aspx?p=home

ICO complaints, cases and case studies which may be useful for organisations to consider:

• ICO investigation of facial recognition usage, including halting the roll out of facial identification by the police;20
• ICO WhatsApp data sharing investigation and the apparent halting of such sharing;21
• ICO v Prudential;22
• Microsoft v Paul Martin McDonald;23
• ICO v Niebel, ICO v McNeish;24
• Rugby Football Union v Viagogo Limited;25
• Durham County Council v Dunn;26
• British Gas v Data Protection Registrar;27
• Brian Reed Beetson Robertson;28
• Campbell v MGM;29
• CCN Systems v Data Protection Registrar;30
• Lindqvist v Kammaraklagaren;31
• Commission v Bavarian Lager;32
• Common Services Agency v Scottish Information Commissioner;33
• Douglas v Hello!;34
• Halford v UK;35
• Von Hannover v Germany;36
• Mosley;37
• Motion Picture Association v BT;38
• WP29 (now EDPB) and Data Protection Authorities/Google (re Google policy change and breaches);
• Barclays/Lara Davies prosecution;39
• ICO v Sony;40
• Facebook Beacon case (US);41
• Digital Rights Ireland and Seitlinger and Others;42
• Schrems v Commissioner;43
• Tamiz v Google;44
• Google v Vidal-Hall;45
• Mosley v Google;46
• Google Spain SL Google Inc v Agencia Española de Protección de Datos, Mario Costeja González;47
• Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság;48 and
• Bărbulescu v Romania.49

(Note also that there has been a body called the Information Rights Tribunal, later the Information Tribunal, and later again the First Tier Tribunal (Information Rights), where appeals can be taken of certain decisions of the ICO.50 The Data Protection Act 2018 (DPA 2018) refers to the Tribunal and First-Tier Tribunal at sections 201–203).51

20 ‘UK Information Commissioner: Halt Police Rollout of Face ID’ Biometric Technology Today (2019)(4) 11.
21 White, C, ‘WhatsApp Data Sharing U-turn After ICO Probe’ Intellectual Property Magazine (2016)(December) 13.
22 ICO v Prudential, ‘Prudential Fined £50,000 for Customer Account Confusion’ 6 November 2012.
23 Microsoft v Paul Martin McDonald [2006] EWHC 3410.
24 ICO v Niebel, ICO v McNeish, 28 November 2012.
25 Rugby Football Union v Viagogo Limited [2012] UKSC 55.
26 Durham County Council v Dunn [2012] EWCA Civ 1654.
27 British Gas v Data Protection Registrar [1998] UKIT DA98 – 3/49/2, 4 March 1998.
28 Brian Reed Beetson Robertson [2001] EWHC Admin 915.
29 Campbell v MGM [2004] UKHL 22.
30 CCN Systems v Data Protection Registrar [1991] UKIT DA90.
31 Lindqvist v Kammaraklagaren Case C-101/01, ECR I-12971.
32 Commission v Bavarian Lager Case C-28/08.
33 Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.
34 Douglas v Hello! [2005] EWCA Civ 595.
35 Halford v UK [1997] IRLR 47, ECHR.
36 Von Hannover v Germany, [2004] ECHR 294 (24 June 2004) (2005) 40 EHRR 1, 16 BHRC 545, 40 EHRR 1, [2004] ECHR 294, [2004] EMLR 21, [2005] 40 EHRR 1.
37 Mosley v News Group Newspapers Ltd [2008] EWHC 1777 (QB) (24 July 2008) [2008] EMLR 20, [2008] EWHC 1777 (QB).
38 Motion Picture Association v BT, 28 July 2011.
39 ICO v Lara Davies, December 2012.
40 ICO v Sony, July 2013.
41 McCall v Facebook, 20 September 2012.
42 Digital Rights Ireland and Seitlinger and Others, Joined Cases C-293/12 and C-594/12, 8 April 2014.
43 Schrems v Commissioner, Case C-362/14, 6 October 2015.
44 Tamiz v Google [2012] EWHC 449 (QB) 3 December 2012.
45 Google v Vidal-Hall [2014] EWHC 13 (QB).
46 There are various other Mosley cases apart from that referenced at note 37 above. These include Mosley v Google Inc & Anor [2015] EWHC 59 (QB) (15 January 2015) [2015] EMLR 11, [2015] EWHC 59 (QB). There are also cases in other countries.
47 Google Spain SL Google Inc v Agencia Española de Protección de Datos, Mario Costeja González Case C-131/121.
48 Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-230/14, 1 October 2015.
49 Bărbulescu v Romania ECHR, Case No 61496/08, 12 January 2016.

Investigations and Cases

4.7 Perhaps most notably recently, the ICO raided and investigated Cambridge Analytica – even obtaining a High Court order to raid its offices to preserve and obtain relevant evidence. It ultimately prosecuted Cambridge Analytica for failure to comply with an enforcement notice issued fines.52 Facebook was also investigated in relation to the same scandal and was ultimately fined £500,000.53 This was under the Data Protection Act 1998, prior to the new GDPR law and the new Data Protection Act 2018 and which is officially acknowledged.

The categories of investigations and cases are also instructive, perhaps even more so than each individual investigation or official case. The ICO refers to its investigations and enforcement type activities it has undertaken, in particular in relation to the following categories or sectors:

• marketing;
• finance, insurance and credit;
• criminal justice;
• land or property services;
• general business;
• health;
• online technology and telecoms;
• retail and manufacture;
• central government;
• local government;
• transport and leisure;
• education and childcare;
• charitable and voluntary;
• media;
• membership association;
• political; and
• utilities.54

Some of the ICO investigations include the following:

• Facebook investigation and fine re Cambridge Analytica (£500,000);55 and
• Cambridge Analytica investigation and action for failure to comply with an enforcement notice.56

50 Note generally ‘Guidance: Information Rights and Data Protection: Appeal Against the Information Commissioner’ at www.gov.uk/guidance/information-rights-appeal-against-thecommissioners-decision; and brief commentary at Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial standing Group for Regulatory Governance Conference (2012) at 19.
51 Also see general commentary on the First-Tier Tribunal (Information Rights) and Upper Tribunal, Chapter 28 in Jay, R, Data Protection Law and Practice (Sweet and Maxwell, 2012). Also see, for example, Gertz, R, ‘Freedom of Information and Healthcare Data – The First UK Appeal: Common Services Agency v the Scottish Information Commissioner’ European Journal of Health Law (2007)(14:2) 189.
52 Cambridge Analytica is also known as SCL. See ICO, ‘SCL Elections Prosecuted for Failing to Comply with Enforcement Notice’ ICO statement, 9 January 2019.
53 ICO, ‘ICO Issues Maximum £500,000 Fine to Facebook For Failing to Protect Users’ Personal Information’ ICO statement, 25 October 2018. It is understood that Facebook wishes to appeal.

54 Information Commissioner’s Office. Available at: https://ico.org.uk/action-weve-taken/enforcement/.
55 ICO, ‘ICO Issues Maximum £500,000 Fine to Facebook For Failing to Protect Users’ Personal Information’ ICO statement, 25 October 2018. It is understood that Facebook wishes to appeal.
56 See ICO, ‘SCL Elections Prosecuted For Failing to Comply With Enforcement Notice’ ICO statement, 9 January 2019.

Data Protection Act 2018

4.8 The UK Data Protection Act 2018 (DPA 2018) was passed by both Houses of Parliament on Monday 21 May 2018. It received Royal Assent on 23 May 2018 and came into force on 25 May 2018.57 However, the Act does not implement the GDPR. Further legislation is needed to do this.

The general rule or principle is that transfers of personal data to outside of the EU are prohibited per se. This is a longstanding bedrock position in data protection rules. It is a default transfer ban. Therefore, on Brexit day, the use and transfer of personal data required for countless transactions from and between the EU must cease. This will have undoubted consequences for commerce and City financial entities.

Article 44 of the GDPR sets out the general principle for transfers within the EU under the data protection regime. The rule provides that:

‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’

57 The Act is available at: www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf.

Therefore, ‘any’ transfer to a third country outside of the EU or EEA may ‘take place only if’58 certain conditions are met. So, the default position is that external transfers should not occur. Only if specified conditions are satisfied by way of exemption from the default rule might the transfer become permissible. Once Brexit occurs, the UK will no longer be an EU or an EEA member country. The default rule kicks in and post-Brexit transfers by default are no longer permitted between the EU and UK. One can imagine the important consequences and the imperative, therefore, to consider whether the UK can fit within one of the exceptions for (continued) data transfers. There are a limited number of exceptions to the EU transfer ban and processes through which it may be permitted by way of exemption to undertake data transfers of personal data from the EU to an outside jurisdiction. One of these is that the EU has made a determination called an ‘adequacy decision’ permitting such data transfers to a named country from the EU on the basis that the recipient jurisdiction has an adequate level of protection and rights in relation to personal data at least equivalent to those in the EU. This should not be thought of as an exception but rather a mechanism by which to seek an exception from the default transfer ban set out in Article 44 of the GDPR. It should also be noted that while there are other exceptions or mechanisms, the adequacy mechanism refers not to what each individual company might seek to do but operates on a national or nation-state basis. If the adequacy mechanism was to apply, it would apply to the UK per se not company by company. (Individual organisations would benefit to the extent that they were located in the UK.) There is great benefit, therefore, in the UK pursuing and successfully obtaining such an adequacy decision from the EU in relation to the transfer of data to the UK.

Whether the Data Protection Act 2018 Fully Implements the GDPR

4.9 The 2018 Data Protection Act is new. It is also complex and makes many changes, some complementing, though overall not implementing, the GDPR. It seems to have been based on the premise that the GDPR as an EU regulation is directly effective and, as such, does not need national implementing laws. The problem with that is that on day one of Brexit, the GDPR will no longer directly apply in the UK.59

In terms of an assessment of whether the GDPR is implemented and there are EU-equivalent safeguards in the EU, the DPA 2018, amongst other things, will need to be assessed. This will not necessarily be an easy exercise given the Act’s complexity and the necessary individualised assessments of every change, provision and aspect, both intended and unintended.

58 Emphasis added.
59 Notwithstanding that there is the possibility of a transitional period post-Brexit. However, it remains unclear what will or will not be encompassed in any transitional period.

Need for Second Data Protection Act

4.10 As indicated above, on day one of Brexit, the GDPR will not apply in the UK qua a directly effective EU regulation. The next question is whether DPA 2018 implements the GDPR – or the GDPR in its entirety – into UK law. It is clear from the Act that it does not. This is re-emphasised by statements and guidance from the ICO that UK businesses need to look at the Act and also the GDPR for their compliance obligations. If one half of this equation falls away on day one of Brexit, which it must, it follows that UK law is not at all equivalent with EU law in terms of data protection.

It would seem inevitable that a new Data Protection Act (or equivalent) will be needed in the event of Brexit and the economic imperative to continue to deal with the EU, particularly in services, banking, fintech and technology. Indeed, the need for additional data protection legislation has been officially acknowledged. This includes the European Union (Withdrawal) Act 2018 (and secondary legislation and regulations as may occur thereunder); the Data Protection Act 2018 Keeling Schedule of proposed amendments;60 and the General Data Protection Regulation Keeling Schedule of proposed UK amendments.61

The No Deal Brexit Path

4.11 The discussion has broadly advanced as to what the issues and complications might be for UK data protection law and practice in a planned Brexit scenario. Much of the discussion in this scenario centred on how long an EU adequacy decision might take and whether there might be any complications. This has all been blown up by recent events that bring the previously unthought-of No Deal data protection Brexit to the fore. This latter situation is significantly more problematic and complicated and, unfortunately for organisations, much less certain. The more recent heightened discussions in relation to the possibility of a No Deal Brexit also raise the potential for no urgency for or no immediate possibility of an adequacy review.

60 Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf.
61 Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf.

Sometimes the devil is in the detail. In this scenario, the devil lies in the data and the adequacy or inadequacy of data protection. The consequences and temporal urgency are of high political and commercial import.

As a result of the 23 June 2016 referendum on the UK’s membership of the EU, the UK Government is currently considering and negotiating the form that ‘Brexit’ will take. The implications of Brexit on current EU legislation referred to in this book depend, in large part, on the strategy that is adopted for the UK’s future relationship with the EU. Arguably, some of the strategy, negotiations and the shape of the future relationship – and the all-important interim exit deal, transition period, etc, are still confusing. A significant overarching point for lawyers and corporate interests is that the possibility of a so-called No Deal Brexit still remains. However, regardless of the exit strategy, there are undoubtedly many areas of EU law that will continue to have an effect on UK business, for example, because they remain part of UK law itself or because compliance and/or equivalence is necessary to effectively do business with EU Member States and the inherently cross-jurisdictional nature of the Internet.

The 2017 Queen’s Speech proposed, amongst other legislation, a European Union (Withdrawal) Bill, a Trade Bill, a Customs Bill and a Data Protection Bill – all of which may have implications in the e-commerce/Brexit field.

A draft Brexit Agreement was issued on 14 November 2018, approved by the Cabinet and later approved by EU Member States on 25 November 2018. Parliamentary approval is also being sought. (The initial attempt to obtain parliamentary approval was shelved in late 2018, possibly portending future difficulties ahead.)

Brexit Day (also referred to as exit day in the European Union (Withdrawal) Act 2018) (having been triggered per the Article 50 procedure) was originally 29 March 2019 but this was since extended and delayed. Further negotiations will no doubt continue after the recent election. The proposal is to have a transition period from Brexit Day until 31 December 2020. Various negotiations on various specific topics will continue during the transition period. Ultimately, on or prior to 31 December 2020 there is anticipated to be a final Withdrawal Treaty. On or before the Withdrawal Treaty there were expected to be various new national laws catering for the new arrangements (and catering for equivalency as between the UK and EU legal norms).

The leadership change in government was suggested as increasing the prospects of a No Deal Brexit. Notwithstanding the recent election, it remains a matter of uncertainty. Notwithstanding parliamentary efforts to block a No Deal Brexit exit from the EU, the situation remains unclear. The current timetable is that Brexit should begin on 31 January 2020 – but a further extension may be requested.

As regards data protection, in particular catering for ongoing data transfers, an Adequacy Decision from the EU as regards permitting data transfers on the basis of UK law being equivalent in terms of personal data (which it is not, ie the DPA 2018 did not implement the GDPR into the UK). (Note also that the government has published a Keeling Schedule for the GDPR, which shows planned amendments.)62

Data and European Union (Withdrawal) Act 2018

4.12 One of the most important concerns organisations have about the changing data protection regime and Brexit is whether they can continue to engage in data transfers with the EU. As indicated above, however, there is uncertainty as to (a) whether there will be a deal; (b) when the direct effect of the GDPR ends in the UK; and (c) when an adequacy decision review process can commence and when it will likely end. (One further issue is that an adequacy decision process is never guaranteed to result in a successful adequacy recommendation. This is a whole dimension of additional problem and risk issues to consider.)

The author made official enquiries, including, in particular, when direct effect ends and when an adequacy decision review process can commence. While there is no guidance on these particular issues as yet, some of the other official correspondence is useful to highlight. Official guidance by way of correspondence (from the Department for Digital, Culture, Media & Sport) indicates that:

‘The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same. To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State, the government will make appropriate changes to the GDPR and Data Protection Act 2018 using regulation-making powers under the EUWA.’

The guidance then directs readers to the ICO website.

The above is helpful as it indicates a possible roadmap ahead. It would seem to be the road ahead intended in terms of a deal scenario. However, given the imperative of continuing commercial relations and inherent data transfers to the economy, it may well be that the EUWA changes will occur even in the event of No Deal.

The overall paragraph, plus the statement that the ‘government will make appropriate changes to the GDPR and to the Data Protection Act 2018 using regulation-making powers under the EUWA’ suggests that there will be legislation (primary or secondary) to come as regards data protection. In some respects, it may be preferable to have a Data Protection Act 2019/2020, but the EUWA seems to suggest otherwise.

This also may clarify the concerns in terms of when an adequacy process can begin. The EUWA may suggest that the process may not commence, or may not be meaningful, before the EUWA changes are made and available for external review as part of the normal adequacy process.

62 In fact, there are two separate Keeling schedules. See ‘Data Protection Regulation Keeling Schedule’. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf; and ‘Data Protection Act 2018 Keeling Schedule’. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf/.

European Union (Withdrawal) Act 2018 Official Explanation

4.13 Detailed explanatory notes are available with the EUWA 2018. The Overview indicates that the EUWA ‘repeals the European Communities Act 1972 (ECA) on the day the United Kingdom leaves the European Union’ thus ending the supremacy of EU law. The query arises as to whether this means the entire EUWA only becomes active ‘on’ exit day.

The ‘principal purpose of the Act is to provide a functioning statute book on the day the UK leaves the EU’.63 ‘As a general rule, the same rules and laws will apply on the day after exit as on the day before. It will then be for Parliament and, where appropriate, the devolved legislatures to make any future changes.’64 It adds that:

‘The approach in the act to preserving EU law is to ensure that all EU laws which are directly applicable in the UK and all laws which have been made in the UK in order to implement our obligations as a member of the EU are converted into domestic law on the day the UK leaves the EU, subject to some limited exceptions.’65

Section 1 repeals the European Communities Act 1972.66 EU legislation is ‘given legal effect in the UK via section 2(1) of the ECA, which described how such legislation is to have effect “in accordance with the EU treaties”. It is this which ensures that, for example, EU regulations are directly applicable and fully binding in all Member States.’67 The guidance adds that: ‘Section 3 … convert[s] “direct EU legislation” into domestic legislation at the point of exit.’68 ‘Subsection (1) therefore provides for the conversion into domestic law of this direct EU legislation.’69

63 Explanatory note (EN) at 10.
64 Ibid.
65 Ibid at 48.
66 Ibid at 74.
67 Ibid at 81.
68 Ibid at 82.
69 Ibid at 83.

‘Subsection (2)(a) converts EU regulations, certain EU decisions and EU tertiary legislation (now known as delegated and implementing acts), as they have effect immediately before exit day. These terms are defined at section 20. Section 20 and Schedule 6 provide that certain instruments are exempt EU instruments. These exemptions reflect that certain EU instruments did not apply to the UK because the UK did not adopt the Euro, or because the UK did not participate in certain aspects of the EU acquis, in the area of freedom, security and justice. EU decisions which are addressed only to a member state other than the UK are also not converted into domestic law. Additionally, so far as EU-derived domestic legislation under section 2 reproduces the effect of an EU regulation, decision or tertiary legislation, these instruments are not converted under this section. This is to avoid duplication on the statute book after exit.’70

European Union (Withdrawal) Act Details

4.14 As indicated above, the DPA 2018 does not implement the GDPR in the UK given the current direct effect of the GDPR. Post Brexit, it may be preferable to have a DPA 2019/2020 which does. Unfortunately, matters may become more complicated as a consequence of the EUWA 2018. We therefore need to refer to the EUWA in more detail.

Surprisingly, perhaps, neither the Department nor the ICO directs concerned parties to the section(s) of the EUWA relevant to the GDPR and data protection generally. One of the main aims is to maintain pre-existing EU law already applicable in the UK after Brexit. There is also power for various Ministerial changes in future. However, neither data protection, the GDPR nor transfers appears to be expressly referred to.

The EUWA received Royal Assent on 26 June 2018. The definitions are referred to throughout. The following are relevant to consider. Section 20 refers to interpretation, including:

• a definition of the Charter of Fundamental Rights;
• ‘exit day’ (‘means 29 March 2019 at 11.00pm …’; this has now been extended by the European Union (Withdrawal) Act 2018 (Exit Day) (Amendment) Regulations 2019 (SI 2019/718) in the UK and at EU level by European Council Decision 2019/476/EU, and a further extension to 31 October 2019 was granted provided the UK held EU elections (unless it left without a deal by 1 June 2019); this was extended to 31 January 2020);
• ‘EU regulation’ (‘means a regulation within the meaning of Article 288 of the Treaty on the Functioning of the European Union’);
• ‘EU directive’;
• ‘retained direct EU legislation’ (‘means any direct EU legislation which forms part of domestic law by virtue of section (as modified by or under this Act or by other domestic law from time to time, and including any instruments made under it on or after exit day)’);
• ‘withdrawal agreement’.

70 Ibid at 84.

Section 20(4) provides that: ‘A Minister of the Crown may by regulations – (a) Amend the definition of “exit day” in subsection (1) to ensure that the day and time specified in the definition are the day and time that the Treaties are to cease to apply to the United Kingdom, and (b) Amend subsection (2) in consequence of such amendment.’

Section 9(1) provides that ‘A Minister … may by regulation make such provision as the Minister considers appropriate for the purposes of implementing the withdrawal agreement if the Minister considers that such provision should be in force on or before exit day, subject to the prior enactment of a statute by Parliament approving the final terms of withdrawal of the United Kingdom from the EU.’ Note that ‘regulations under this section may not … amend, repeal or revoke the Human Rights Act 1998 or any subordinate legislation made under it’ (s 9(3)(e)). Also ‘[n]o regulations may be made under this section after exit day’ (s 9(4)). Section 2 refers to ‘Saving for EU-derived domestic legislation’. It includes the following: ‘EU-derived domestic legislation, as it has effect in domestic law immediately before exit day, continues to have effect in domestic law and after exit day.’

This potentially includes the DPA 2018. However, it does not, at least currently, include the GDPR or any UK measure transposing or bringing the GDPR into UK law. Section 3, however, may be more pertinent. It states that, ‘Direct EU legislation, so far as operative immediately before exit day, forms part of domestic law on and after exit day’ (s 3(1)).

This would seem to include an EU regulation – which may then include the GDPR. However, there remains some uncertainty, as organisations may then have to refer to the DPA 2018, the EUWA, any Ministerial legislation and any other legislation that may ensue plus the withdrawal agreement itself, subject to an adequacy decision being issued, that may also be referred to. There is also a definition of ‘direct EU legislation’ (s 3(2)(a)). This includes reference to ‘any EU regulation …’

Section 4 refers to a saver for rights, powers, liabilities, obligations, restrictions, remedies and procedures which were in effect immediately before exit day. These are to continue after exit day.

There are also provisions in relation to exceptions for saving and incorporations.71 This refers to the principle of supremacy of EU ceasing for laws after exit day.72 However, it may apply to ‘relevant’ issues of interpretation.73 The Charter ‘is not part of domestic law on or after exit day’.74 (This may have potential to interact with issues of a future transfer adequacy decision assessment process.) However, note that ‘Subsection (4) does not affect the retention in domestic law on or after exit day in accordance with this Act of any fundamental rights or principles which exist irrespective of the charter (and references to the Charter in any case law are, so far as necessary for this purpose, to be read as if they were references to any corresponding retaining fundamental rights or principles).’75 This may require closer examination. Section 6 refers to interpretation of ‘retained EU law’. This section confirms that courts are not bound by ‘any principles laid down, or any decision made, on or after exit day by the European Court’.76 UK courts cannot continue to refer matters to the European Court.77 Having said that, UK courts ‘may have regard to anything done on or after exit day by the European court, another EU entity or the EU so far as it is relevant to any other matter before the court’.78 The Supreme Court and High Court are ‘not bound’ by any retained EU case law (see s 6(4)).79 ‘In deciding whether to depart from any retained EU case law, the Supreme Court or the High Court … must apply the same test as it would apply in deciding whether to depart from its own case law.’80 Definitions for ‘retained case law’, ‘retained EU law’, ‘retained general principles of EU law’ amongst others are set out in section 6(7). Section 7 refers to the status of retained EU law. 
It provides that: ‘Anything which – (a) was, immediately before exit day, primary legislation of a particular kind, subordinate legislation of a particular kind or another enactment of a particular kind; and (b) continues to be domestic law as an enactment of the same kind.’81

71 EUWA 2018, s 5.
72 Ibid, s 5(1).
73 Ibid, s 5(2).
74 Ibid, s 5(4).
75 Ibid, s 5(5).
76 Ibid, s 6(1).
77 Ibid, s 6(1)(b).
78 Ibid, s 6(2).
79 Ibid, s 6(4).
80 Ibid, s 6(5).
81 Ibid, s 7(1).

‘Retained direct principal EU legislation cannot be modified other than as specified.’82 Section 7(5)(f) also refers to the Human Rights Act 1998. It also contains a definition of ‘retained direct principal EU legislation’.83 (See Chapter 5 for further details in relation to Brexit and related data protection issues).

IRELAND

Data Protection Commission

4.15 It is also apt to consider the data protection supervisory authority in Ireland for a number of reasons, not least that a substantial number of multinationals have established their EU headquarters in Ireland and thus many data issues relating to these entities and groups will be investigated by the Irish Data Protection Commission when problems arise. In addition, when Brexit happens, the attention that will be given to the Irish Data Protection Commission in terms of its statements, guidance, investigations and enforcement will only increase further. The GDPR and the new Irish Data Protection Act 2018 (IDPA 2018)84 apply the data protection rules in Ireland. The IDPA 2018 came into force on 25 May 2018, the same date as the ‘go live’ of the GDPR. The previous data protection supervisory authority (the Data Protection Commissioner) was effectively reconstituted or replaced under the new law as the Data Protection Commission. The new law provides for three Data Protection Commissioners as part of the Data Protection Commission. Only one Commissioner has so far been appointed.

Investigations and Cases

4.16 The categories of investigations and cases undertaken by the Data Protection Commission over time assist in understanding some of the scope of its activities. Some examples are:

• prosecutions;
• access requests;
• disclosure of CCTV footage;
• the importance of data controllers having appropriate mechanisms in place to respond to access requests and document compliance;

82 Ibid, s 7(2).
83 Ibid, s 7(6).
84 The Irish Data Protection Act 2018 is available at: www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html.




• right to be forgotten;
• loss of sensitive personal data contained in an evidence file kept by police;
• use of CCTV footage in a disciplinary process;
• disclosure of sensitive personal data by a hospital to a third party;
• publication of personal information – journalistic exemption;
• compliance with a subject access request and disclosure of personal data/capture of images using CCTV;
• failure to respond fully to an access request;
• personal data of a third party withheld from an access request made by the parent of a minor;
• disclosure of personal data via a social media app;
• failure by a department to impose the correct access restrictions on access to medical data of an employee;
• prosecution of private investigator;
• disclosure of personal data to a third party in response to a subject access request;
• data breach at retail and online service provider;
• prosecution of Glen Collection Investments Limited and one of its directors;
• further processing of an individual’s personal data in an incompatible manner;
• disclosure of personal information to a third party by a data processor;
• the necessity to give clear notice when collecting biometric data at a point of entry;
• residential care home’s legitimate use of audio recording and photograph of data subject concerning allegations of misconduct;
• disclosure of personal information to a third party;
• failure of a data controller to keep individual’s personal information accurate and up to date which resulted in the disclosure of personal data to a third party;
• failure by bank to properly verify the identity of individual on the phone which resulted in the disclosure of personal information to a third party;
• data controller obliged to demonstrate effort made to locate data within the statutory 40-day period;
• personal data withheld from an access request by Airbnb based on an opinion given in confidence;
• crypto ransomware attack on a primary school;




• data breach at an online retailer;
• incorrect association of an individual’s personal details with another file;
• prosecution of marketing offences;
• marketing offences by property company – prosecution;
• marketing offences by waste company – prosecution;
• marketing offences by telecoms companies – prosecution;
• defence forces – failure to keep data safe and secure;
• further processing of personal data by a state body;
• supermarket’s excessive use of CCTV to monitor member of staff;
• disclosure of personal information to a third party by the department of social protection;
• covert CCTV installed without management knowledge;
• bank erroneously shares account information with third parties;
• failure to update customer’s address compromises the confidentiality of personal data;
• unfair use of CCTV data;
• prosecutions: private investigators;
• prosecutions: marketing offences;
• excessive data collection by post office;
• disclosure of employee salary details by the health agency;
• excessive data collection by a letting agency;
• disclosure of financial information by a credit union;
• patient denied right of access;
• excessive data collection by the department of agriculture;
• personal data disclosed by local council;
• failure to meet statutory timeframe for processing access request;
• third-level student data appeared on third-party website;
• data controller discloses personal data to business partner;
• employee of financial institution resigns taking customer personal data;
• theft of unencrypted laptop; and
• compromise of Adobe Network.85

85 Data Protection Commission. Available at: www.dataprotection.ie/en/pre-gdpr/case-studies.


The Data Protection Commission has carried out several recent investigations, which are noteworthy as some involve multinational technology companies. Some relate to data breach issues, but other alleged problem issues are also being investigated. There are indicated to be at least 21 such large-scale or significant investigations. The Data Protection Commissioner (of the Data Protection Commission) is reported as stating that where breaches are found, fines as well as directed or mandated corrective actions can be ordered.86 The Commissioner states that: ‘They are subject to statutory investigation for which, as you said, there can be significant sanctions in the form of administrative fines. But I think even more impactful are going to be the corrective measures that we can apply where we find there are infringements.’

She also states that: ‘[w]e’re obliged to implement the fines … if we find infringement. So it will happen.’ Importantly, she adds that: ‘[t]he fines will accumulate for certain companies if they don’t apply any remedial actions.’ Some of the Data Protection Commission (DPC) current and recent investigations include the following. Some include multiple investigations relating to the same entity or group.

Google

4.17 The Commission advises that: ‘Arising from the Data Protection Commission’s ongoing examination of data protection compliance in the area of personalised online advertising and a number of submissions to the Data Protection Commission, including those made by Dr. Johnny Ryan of Brave, a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange. The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR). The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.’87

There is also a separate Google investigation: ‘DPC Ireland notes the media reports in relation to Google and location data. For clarity, DPC Ireland, in the immediate aftermath (on the 15th August) of the publication of the Associated Press story, raised a number of questions with Google in relation to those issues and required an urgent response. Google has committed to a response in the coming days. Once in receipt of that response, the DPC will assess the position and take all appropriate next steps.’88

86 Pogatchnik, S, ‘Tech Giants Face Fines and Other Measures’ Irish Independent, 13 September 2019.
87 Data Protection Commission statement, 22 May 2019.
88 Ibid, 23 August 2018.


Facebook

4.18 The Commission advises that: ‘The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.’89

There is also a separate Facebook investigation, ‘While we understand that Facebook’s proposal to integrate the Facebook, WhatsApp and Instagram platforms is at a very early conceptual stage of development, the Irish DPC has asked Facebook Ireland for an urgent briefing on what is being proposed. The Irish DPC will be very closely scrutinising Facebook’s plans as they develop, particularly insofar as they involve the sharing and merging of personal data between different Facebook companies. Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal. It must be emphasised that ultimately the proposed integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR.’90

There is also a separate (data breach(es)) investigation, ‘The Data Protection Commission has received a number of breach notifications from Facebook since the introduction of the GDPR on 25 May 2018. With reference to these data breaches, including the most recent breach received, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.’91

There is also a separate investigation, ‘The Irish Data Protection Commission (DPC) has today, 3 October 2018, commenced an investigation under Section 110 of the Data Protection Act 2018 into the Facebook data breach for which notification was received by the DPC on Friday 28 September. In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation to implement technical and organisational measures to ensure the security and safeguarding of the personal data it processes. Facebook has informed the DPC that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users.’92

89 Ibid, 25 April 2019.
90 Ibid, 28 January 2019.
91 Ibid, 17 December 2018.
92 Ibid, 3 October 2018.


WhatsApp

4.19 The statement from the Data Protection Commission states: ‘The Data Protection Commission (DPC) has been informed (Monday evening 13 May 2019) by WhatsApp Ireland of a serious security vulnerability on the WhatsApp platform. The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed. At this point, WhatsApp has not notified the DPC of the matter under Article 33 (Notification of a personal data breach to a data protection supervisory authority) of the GDPR as WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident. While the possibility remains that EU users were affected and in light of the understood severity of the incident, all WhatsApp users are urged to ensure that the latest version of the WhatsApp application is installed on their device, available via the Apple Store or Google Play Store. The DPC is actively engaging with WhatsApp Ireland to determine if and to what extent any WhatsApp EU user data has been affected. To update to the latest version of WhatsApp, users should:

For iPhone
• Open the App Store and along the bottom select updates.
• Any pending app updates will be listed here.
• Select ‘WhatsApp’ and Update

For Android
• Open the Play Store and tap on the 3 lines in the upper left corner.
• Select ‘My apps & games’ from the menu.
• Select ‘WhatsApp’ and Select Update.’93

There is also a separate investigation, ‘While we understand that Facebook’s proposal to integrate the Facebook, WhatsApp and Instagram platforms is at a very early conceptual stage of development, the Irish DPC has asked Facebook Ireland for an urgent briefing on what is being proposed. The Irish DPC will be very closely scrutinising Facebook’s plans as they develop, particularly insofar as they involve the sharing and merging of personal data between different Facebook companies. Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal. It must be emphasised that ultimately the proposed integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR.’94

93 Data Protection Commission statement, 14 May 2019.
94 Ibid, 28 January 2019.


Instagram

4.20 The Commission advises that: ‘While we understand that Facebook’s proposal to integrate the Facebook, WhatsApp and Instagram platforms is at a very early conceptual stage of development, the Irish DPC has asked Facebook Ireland for an urgent briefing on what is being proposed. The Irish DPC will be very closely scrutinising Facebook’s plans as they develop, particularly insofar as they involve the sharing and merging of personal data between different Facebook companies. Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal. It must be emphasised that ultimately the proposed integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR.’95

Twitter

4.21 The Commission advises that: ‘The Data Protection Commission (DPC) is currently investigating Twitter’s compliance with its obligations under the GDPR to implement technical and organisational measures to ensure the safety and safeguarding of the personal data it processes. This investigation commenced in November 2018 following receipt of a number of breach notifications from the company since the introduction of the GDPR. The DPC has this week opened a new statutory inquiry into the latest data breach it received from Twitter on 8 January 2019. This inquiry will examine a discrete issue relating to Twitter’s compliance with Article 33 of the GDPR.’96

There is also a separate investigation, ‘[T]he Data Protection Commission opened a statutory inquiry into Twitter’s compliance with the relevant provisions of the GDPR following receipt of a number of breach notifications from the company since the introduction of the GDPR.’97

There is also reported to be a third Twitter investigation.

Apple

4.22 There are reported to be Apple investigations. One relates to a data access notification. Another relates to how Apple processes personal data for targeted advertising activities and whether its policies are sufficiently transparent.

95 Ibid.
96 Ibid, 25 January 2019.
97 Data Protection Commission statement, 19 December 2018.


Quantcast International Limited

4.23 This is pursuant to a complaint filing by Privacy International. The Commission advises that: ‘The purpose of the inquiry is to establish whether the company’s processing and aggregating of personal data for the purposes of profiling and utilising the profiles generated for targeted advertising is in compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined.’98

LinkedIn

4.24 There is reported to be an ongoing LinkedIn investigation.

Official Public Service Card

4.25 There was also an investigation relating to an official public service card. This relates to an official card, as opposed to any multinational issue. It relates to the introduction of a mandatory public service card by the government. The Data Protection Commission investigation found that the purpose and collections for the public service card were in breach of the data protection rules.99 Public service-type cards have been controversial for many years in the UK and Ireland. It appears that, ultimately, there may be a fine coming in relation to this matter. There are also some indications that litigation and/or appeals may occur. This is obviously an ongoing and developing issue.

This is also an interesting example from another perspective. Obviously, independence raises issues of inappropriate influence, pressure and interference. These can be express or formal and pronounced but they can also be more indirect and nuanced. Philip Schutz previously referred to the possibility of data protection supervisory authorities being subject to attacks on their independence via official criticism, or even ‘harsh criticism’.100 In the case of the Data Protection Commission and the finding regarding the unlawful public service card, there appear to have been various official criticisms. These may come to be of some relevance when independence issues are potentially looked at by the EU Commission on foot of a budget underfunding complaint.101 Third-party officials and politicians may have to be more circumspect in their future statements.

98 Ibid, 2 May 2019.
99 Data Protection Commission, 16 August 2019.
100 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial standing Group for Regulatory Governance Conference (2012) 12.
101 Cantillon, ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019.


Privacy Shield

4.26 Data transfer issues have often been controversial and are increasingly being litigated.102 The consideration of EU to US data transfers has been particularly problematic.103 Readers will recall that the CJEU struck down the Safe Harbour scheme intended to permit the transfer of personal data from the EU to the US. Subsequently a new scheme, entitled the Privacy Shield, was introduced with the aim of permitting such transfers. The new Privacy Shield and the standard contractual clauses arrangement were challenged and a complaint was made to the Irish Data Protection Commission relating to Facebook and its transfers to the US. The Commission ultimately agreed with the complaints. The Irish Supreme Court upheld the High Court referral of questions of law in relation to the Data Protection Commission’s findings in relation to adequacy. Thus, the Supreme Court rejected the appeal by Facebook of the High Court decision. ‘On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of these proceedings was to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” (SCCs) mechanism under which, at present, personal data can be transferred from the EU to the US. The title of those proceedings is “Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems.”’104

A detailed history of the case is also referred to on the Data Protection Commission website.105 These issues are obviously ongoing and will no doubt result in further contention and court decisions.

102 Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (2017)(106:1) 115; Krouse, W, ‘The Inevitable Demise of Privacy Shield, How to Prepare’ The Computer and Internet Lawyer (2018)(36:6) 19; Fischer, P, ‘From the Safe Harbor to the Privacy Shield: Selected Aspects of the EU–US Privacy Shield’ International Business Law Journal (2018)(2) 143. Also see Kuner, C, Transborder Data Flows and Data Privacy Law (OUP, 2013).
103 Kuner, C, Transborder Data Flows and Data Privacy Law (OUP, 2013); Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (November 2017) (106:1) 115; Rustad, ML and Kulevska, S, ‘Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow’ Harvard Journal of Law (2015)(28:2) 349; Berge, J-S, Grumbach, S and Zeno-Zencovich, V, ‘The Datasphere, Data Flows Beyond Control and the Challenges for Law and Governance’ European Journal of Comparative Law and Governance (2018)(5:2) 144.
104 Data Protection Commission statement, 17 December 2018. Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems [2016/4809P].
105 Available at: www.dataprotection.ie/en/legal/explanatory-memoranda-litigation-concerningstandard-contractual-clauses-sccs


Independence and Funding Complaint

4.27 It is reported that a complaint has been filed with the EU Commission that there is a problem with independence and funding issues with the Data Protection Commission.106 The complaint is understood to be on the basis that the Commission has been underfunded as compared to the funding requested by the Commission itself to undertake its duties and tasks. There are several CJEU cases dealing with aspects of the required independence and standard of independence for the respective data protection supervisory authorities.107 (See further details in Chapters 12 and 13.)

106 Cantillon, ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019.
107 See Commission v Germany, Case C-518/07 [2010] ECR I-1885. Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012.


CHAPTER 5

ICO Before, During and After Brexit

INTRODUCTION

5.1 Brexit has grabbed lots of attention because of what it is, how it occurred and where it might lead. Naturally there is a lot of discussion focused on how it might work and what the implications will be. It is a momentous event, regardless of what may happen and is extremely complex both politically and legally. Vanberg and Maunick describe how the only certainty is uncertainty.1 Many may feel a general frustration with developments and the potential implications.2 One of the significant issues, which is receiving greater attention, is how Brexit may impact issues of data protection, its impact on particular issues and industries,3 wider institutional issues4 – and especially data transfer issues.5

There is a further significant data protection issue which is receiving far less attention. Careful consideration should be given to what happens to the data protection supervisory authority in the UK (currently the Information Commissioner’s Office (ICO)) before, during and after Brexit. The issue of role, establishment and influence may need to be carefully looked at. In addition, other issues arise such as enforcement cases which may commence under the GDPR in the UK, but which will come to be decided after Brexit when the GDPR is no longer directly effective in the UK. Depending on specific developments, this may be the type of issue which comes to be argued in a given case in the future.

1 Vanberg, AD, and Maunick, M, ‘Data Protection in the UK Post-Brexit: The Only Certainty Is Uncertainty’ International Review of Law, Computers & Technology (2018)(32:1) 190.
2 Day, W, ‘Isn’t Brexit Frustrating?’ Cambridge Law Journal (2019)(78:2) 270.
3 Lewis, ZA, ‘A Dramatic Brexit: Why the United Kingdom’s EU Referendum Vote Could Send the UK Film Industry Reeling’ Syracuse Journal of International Law and Commerce (2017) (45:1) 83; Butler, O, ‘Obligations Imposed on Private Parties by the GDPR and UK Data Protection Law: Blurring the Public-Private Divide’ European Public Law (2018)(24:3) 555.
4 Chang, M, ‘Brexit and the EU Economic & Monetary Union: From EMU Outsider to Instigator’ The Law and Politics of Brexit (2017) 163.
5 Lambert, P, ‘Data Protection and Brexit Threats – Will Adequacy Work?’ Communications Law (2018)(23:4) 1.

ICO AND THE NEED FOR A STABLE, CLEAR, DATA ENVIRONMENT

5.2 Brexit issues are equally prominent in the list of newsworthy ‘hot button’ topics. Most organisations should now be familiar with the General Data Protection Regulation6 (GDPR) and the new UK Data Protection Act 2018 (DPA 2018)7 – and be advanced in their compliance efforts. Less understood, however, is the impact of Brexit on data protection – and the ability of organisations to trade with and communicate personal data back and forth with the EU. Given the huge uncertainties in relation to Brexit (including both pre- and post-Brexit and in the lead-up to the deadline (as extended)), there are significant uncertainties, both for the ICO itself and for commercial entities seeking a certain regulatory environment in which to operate (not least their internal and external advisers).

A data protection ‘supervisory authority’ means ‘an independent public authority which is established by a Member State pursuant to Article 51’.8 For this purpose, the Information Commissioner’s Office (ICO) is the UK data protection supervisory authority. The ICO has a number of problems to contend with, Brexit being, perhaps, at the forefront.9 In addition to seeking clarity on the details of the data protection rules that will apply, there are also issues to consider in terms of the role of the ICO itself before, during and after Brexit. For example, some will question whether the international role and status of the ICO may diminish in a post-Brexit world. Another issue is what relationship the ICO may – or may not – have with the European Data Protection Board (EDPB) if and when the UK is no longer an EU member. If the UK is outside the EU, it seems clear that the ICO can no longer be a member of the EDPB. But could it have some other role or association?

There are many UK data protection supervisory authority issues that can arise in terms of Brexit. Some of these will only become fully apparent on and after Brexit, but there are already some questions which we should start thinking further about:

• Who and how will the data protection supervisory authority in the UK be established and provided for after Brexit occurs?
• What will the legal basis be?
• Given that the current ICO will no longer be an EU data protection supervisory authority and thus a member of the EDPB, what, if any, relationship will it have or seek to establish with the EDPB and with other respective data protection supervisory authorities in the EU?
• What changes in UK data protection law will occur and how will these impact the role, dealings and advice coming from the new UK data protection supervisory authority?
• Given the importance of assuring EU–UK data transfers post Brexit, what role will the UK data protection supervisory authority have in promoting or assisting the making of a UK application to the Commission for the commencement of a review necessary for the consideration of an adequacy decision?10
• What role will the UK data protection supervisory authority play in the review process and engagement with the EU during the consideration of an adequacy decision?
• What is the impact on ICO investigations after Brexit that commenced prior to Brexit?
• What is the impact on ICO enforcement actions after Brexit that commenced prior to Brexit?
• What is the impact on ICO court prosecutions after Brexit that commenced prior to Brexit?
• What impact will there be for the UK data protection supervisory authority post-Brexit if there are certain aspects of the GDPR which are not implemented in the UK or if UK law is in some way different from the GDPR?

6 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, pp 1–88.
7 Data Protection Act 2018 enacted 23 May 2018. Available at www.legislation.gov.uk/ukpga/2018/12/contents/enacted.
8 GDPR Art 4(21).
9 Denham, E, ‘Perspective on the GDPR and Current Issues from the UK Information Commissioner’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (2018)(2:3) 12.

Most focus has been on the law that may apply before, during and after Brexit, but time and attention also need to be devoted to asking questions regarding the impact on the data protection supervisory authority.

THE DATA PROBLEM AT THE HEART OF BREXIT

5.3 The data transfer issues after Brexit occurs are significant and underestimated. Only after the possibility of a No Deal Brexit increased did the attention of many begin to fix on the data transfer problem, arguably the biggest problem or data problem at the heart of Brexit. The UK can apply for an adequacy decision to (re)commence EU–UK data transfer post Brexit.11 After all, one of the intentions of the new UK DPA 2018 was to comply with EU level rules set out in the GDPR.

10 On adequacy decisions as an exemption mechanism from the default ban on personal data transfers to third-party countries from the EU, see GDPR Art 45.
11 The following countries and territories also have successful adequacy decisions (whether in whole or in part): Andorra, Argentina, Canada (partial), Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (EU–US Privacy Shield only).


Here is the problem. An adequacy decision is predicated on a process of detailed review by the EU of the laws, rights and norms of the intended recipient third country. This process normally takes many years. Therefore, there is a danger that this process for the UK may take a considerable period of time and that it only commences on or after Brexit day. In the interim, the default ban kicks in, causing a world of difficulty for financial and other firms. It is not inconceivable that the default transfer ban poses the single biggest post-Brexit threat.

As Article 45(1) makes clear, the EU Commission makes the decision on whether the destination jurisdiction of the transfer is deemed acceptable and adequate to exempt such transfers from the default transfer ban. It also seems clear that before such a decision may be arrived at, the intended destination country must apply for an adequacy assessment culminating in an adequacy decision. While there is reference to an adequacy decision, it would seem that an application can result in a negative as well as a positive outcome. It is less clear if there is a positive and negative adequacy decision or rather if an adequacy decision only arises from a positive assessment. While this may be a semantic differentiation, practically speaking it may be that most applications are well considered in advance of application as to the merits and chances of a successful outcome. There is also the possibility of advance discussions between the parties.

GENERAL TRANSFER RULE

5.4 The general rule or principle is that transfers of personal data outside the EU are prohibited per se. This is a longstanding bedrock position in data protection rules. It is a default transfer ban. Therefore, on Brexit-day, the use and transfer of personal data required for countless transactions from and between the EU must cease. This will have undoubted consequences for commerce and City financial entities. Article 44 of the GDPR sets out the general principle for transfers within the EU under the data protection regime. The rule provides that: ‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’


Therefore, ‘any’ transfer to a third country outside of the EU or EEA12 may ‘take place only if’13 certain conditions are met. So, the default position is that external transfers should not occur. Only if specified conditions are satisfied by way of exemption from the default rule might the transfer become permissible. Once Brexit occurs, the UK will no longer be a member country of either the EU or the EEA. The default rule kicks in and post-Brexit transfers by default are no longer permitted between the EU and UK. One can only imagine the consequences and the imperative, therefore, to consider whether the UK can fit within one of the exceptions for (continued) data transfers.

TRANSFER EXCEPTIONS AND PROCEDURES

5.5 There are a limited number of exceptions to the EU transfer ban and processes through which it may be permitted by way of exemption to undertake transfers of personal data from the EU to an outside jurisdiction. One of these is that the EU has made a determination called an ‘adequacy decision’ permitting such data transfers to a named country from the EU on the basis that the recipient jurisdiction has an adequate level of protection and rights in relation to personal data that are at least equivalent to those in the EU.

IMPORTANCE OF A UK ADEQUACY EXCEPTION

5.6 One of the exceptions provided is known as the ‘adequacy exception’ or condition. This will be particularly important for the UK post-Brexit. It is difficult to overestimate the importance of this issue – both legally and commercially. The UK will be seeking to avail of the application procedure to have itself deemed adequate for the purposes of data transfers and that the UK laws at the time are sufficient to be deemed compatible and equivalent to those in the EU. As it currently stands, they do not, because the DPA 2018 does not implement the GDPR. There are also other potential obstacles to a smooth adequacy decision occurring (eg human rights, interception of communications). Article 45 of the GDPR provides as follows:

‘1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

12 The EEA is the European Economic Area, which currently comprises the EU countries plus Iceland, Liechtenstein, and Norway.
13 Emphasis added.


(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article.
The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.14

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2). On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.’

14 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.

This should not be thought of as an exception but rather a mechanism by which to seek an exception from the default transfer ban set out in Article 44 of the GDPR. It should also be noted that while there are other exceptions or mechanisms, the adequacy mechanism refers not to what each individual company might seek to do but operates on a national or nation-state basis. If the adequacy mechanism was to apply, it would apply to the UK per se not company by company. (Individual organisations would benefit to the extent that they were located in the UK.) There is great benefit, therefore, in the UK pursuing and successfully obtaining such an adequacy decision from the EU in relation to the transfer of data to the UK.

THE TIMING OF THE ADEQUACY DECISION

5.7 The government has apparently already called for an early adequacy decision from the EU – thus, at least recognising the threat. However, there is no guarantee of this happening or happening as early as the government might like. However, there is a critical problem. In general, an adequacy decision application and review process can take years. That is problematic, to say the least, for Brexit. Optimally, the UK would like a positive adequacy decision to kick in on day one of Brexit. That seems unrealistic, if not impossible as the normal process timeframe takes years.


The most recent example of an application for an adequacy decision was filed by Japan. The Commission announced in January 2017 that it had launched a dialogue with the aim of reaching an adequacy decision with Japan.15 On 17 July 2018, the Commission and Japan concluded the negotiations on a reciprocal finding of an adequate level of protection by the EU and Japan:16 ‘[t]he Commission will now launch the process leading to the adoption of the adequacy decision under the  General Data Protection Regulation. This includes obtaining an opinion from the European Data Protection Board [EDPB], which brings together all the national data protection authorities, and the green light from a committee composed of representatives of the EU  Member States. Once this procedure will have been completed, the Commission will adopt the adequacy decision’.17

The Commission described the next stages of the process in more detail: ‘The Commission is planning on adopting the adequacy decision in autumn this year, following the usual procedure:

• approval of the draft adequacy decision by the College;
• Opinion from the European Data Protection Board (EDPB), followed by a comitology procedure;
• update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs;
• adoption of the adequacy decision by the College.’18

Therefore, the process involves even further processes. Ultimately, the Commission announced that the adequacy decision was finalised and adopted on 23  January 2019. It cannot be predicted, however, that a UK adequacy decision would be finalised within the same timeframe. The MPs on the Exiting the EU committee are reported as issuing a report stating that ‘[t]he UK government should immediately open talks to secure a Data Adequacy Decision from the European Commission, MPs said in a new report published on Tuesday (2 July)’.19 The Committee warns that:

15 ‘International Data Flows: Commission Launches the Adoption of Its Adequacy Decision on Japan’ European Commission Press Release, 5 September 2018. Available at: http://europa.eu/rapid/press-release_IP-18-5433_en.htm.
16 ‘Questions & Answers on the Japan Adequacy Decision,’ European Commission – Fact Sheet, Tokyo, 17 July 2018. Available at: http://europa.eu/rapid/press-release_MEMO-18-4503_en.htm.
17 Ibid.
18 ‘The European Union and Japan Agreed to Create the World’s Largest Area of Safe Data Flows’ European Commission Press Release, 17 July 2018. Available at: http://europa.eu/rapid/press-release_IP-18-4501_en.htm.
19 Fox, B, ‘Seek New Data Deal with EU Immediately, MPs Tell May’ EurActive.com, 2 July 2018. The Exiting the UK Committee, and its reports, are available at: www.parliament.uk/business/committees/committees-a-z/commons-select/exiting-the-european-union-committee/.


‘An adequacy decision is not automatic and, because this is the first time a Member State has chosen to leave the UK and then seek an adequacy decision, the timetable is difficult to predict. There is a risk that it could take longer than the transitional period.’20

ADDITIONAL PROBLEMS

5.8 That is not the only problem. The adequacy review process examines compatibility with EU rules, norms and rights in relation to personal data. While a new Data Protection Act has been implemented, there is potential that it (a) may not have fully implemented the GDPR; (b) a new Data Protection Act is also needed; and (c) some aspect of the existing Act may have omitted to implement some of the GDPR or introduced some element counter to the GDPR. In addition, the UK is proposing many other changes jettisoning previous European and EU rules (eg human rights, some of which are considered essential to data protection rules). The potential to undermine a positive adequacy decision should not be underestimated.

CHANGES FROM THE GDPR

5.9 The above points to the need on or from day one of Brexit for a Data Protection Act 2019 which will implement the equivalent of the GDPR into UK law.21 Even supposing discussions may have commenced in the background, or a request for the review process to commence was made at this stage, a review of the current status of data protections as they exist in the UK would be required and a comparison made to those operating in the EU. In any such current review, issues such as the following would be looked at: how the DPA 2018 does not implement the GDPR; how the Act varies aspects of the GDPR and whether these are permissible or overbroad; how additional changes in the Act may or may not be compatible with the GDPR; how additional legal changes other than in the Act may or may not be compatible with the GDPR (think of human rights, individual rights and freedoms, etc); how announced or proposed changes to UK law would vary and differ from EU law and how this may impact on personal data issues. The government has published a ‘Keeling Schedule of possible changes to the GDPR’.22 It remains to be seen how these will transpire.

20 Ibid.
21 On the basis that there is currently no Data Protection Act 2019, any agreed draft or even a recognition or firm proposal for one, one wonders if there is any current basis upon which to make an adequacy application in relation to UK data protection as it will exist post-Brexit.
22 In fact, there are two separate Keeling schedules. See ‘Data Protection Regulation Keeling Schedule’, at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf; and ‘Data Protection Act 2018 Keeling Schedule’ at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf/


While there is a new DPA 2018, there is a possibility of new changes or (secondary) regulations pursuant to the European Union (Withdrawal) Act 2018, and further potential amendments are currently contained in two schedules of (currently) proposed amendments, namely:

• the DPA 2018 Keeling Schedule of proposed amendments;23 and
• the General Data Protection Regulation Keeling Schedule of proposed UK amendments.24

DATA PROTECTION ACT 2018 KEELING SCHEDULE AMENDMENTS

5.10 The DPA 2018 Keeling Schedule sets out proposed ‘illustrative’ UK amendments as may be made by what is referred to as the Data Protection, Privacy and Electronic Communications (amendments, etc) (EU Exit) Regulations 2019 (DPPEC). It is also indicated in the draft that these are ‘subject to Parliamentary approval’. The DPA 2018 Keeling Schedule of proposed amendments includes:

• the UK provisions referring to the GDPR are to be changed to refer to the UK GDPR, for example in the heading of Chapter 2;
• deletion of section 9 referring to child’s consent in relation to information society services;
• change of ‘restriction’ to ‘exemptions’ in sections 15 and 16;
• change of ‘accreditation’ to ‘certification’ in section 17;
• insertion of new section 17A regarding transfers based on adequacy regulations;
• insertion of new section 17B regarding transfers based on adequacy regulations: review;
• insertion of new section 17C regarding standard data protection clauses;
• change to headings on Chapter 3;
• changes to section 21 (definitions);
• deletion of sections 21 and 23 regarding application of GDPR;
• national security changes (section 28);
• changes to sections 74, 74A, 74B (re transfers);
• change from GDPR to UK GDPR section 115;
• change to section 118 regarding cooperation, and the Data Protection Convention;
• insertion of new section 119A regarding standard clauses for transfers to third countries, etc;
• various new insertions throughout the Act; and
• various changes to the schedules to the Act.

23 Ibid.
24 Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf

GENERAL DATA PROTECTION REGULATION KEELING SCHEDULE AMENDMENTS

5.11 The General Data Protection Regulation Keeling Schedule sets out proposed ‘illustrative’ UK amendments as may be made by what is referred to as ‘Schedule 6 to the Bill’. These proposed amendments include:

• definitions (Article 4);
• lawful processing (Article 6(2) and (3));
• conditions for consent (Article 7(2));
• conditions applicable to child’s consent in relation to information society services (Article 8);
• processing of special categories of personal data (Article 9);
• processing of personal data relating to criminal convictions and offences (Article 10);
• rights of data subjects (Articles 12, 13, 14, 15, 17, 22);
• restrictions (Article 23);
• joint controller (Article 26);
• representatives (Article 27);
• processors (Article 28);
• records (Article 30);
• cooperation (Article 31);
• data protection impact assessments (Article 35);
• prior consultations (Article 36);
• data protection officers (Articles 37, 39);
• codes (Articles 40, 41);
• certification (Articles 42, 43);
• transfers (Articles 44, 45, 46, 47, 48);
• derogations (Article 49);
• data protection supervisory authority (Articles 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66);
• EDPB (67, 68, 69, 70, 71, 72, 73, 74, 75, 76);
• complaints (Article 77);
• court remedies (Article 78);
• remedies (Article 79);
• representation (Article 80);
• suspension (Article 81);
• compensation (Article 82);
• fines and penalties (Articles 83, 83);
• specific situations (Articles 85, 86, 87, 88, 89, 90, 91);
• delegated acts (Article 92); and
• further amendments.

There are therefore two references to the GDPR as it may come to be implemented in the UK, namely, the ‘applied GDPR’ and ‘UK GDPR’.

PRESSURE FOR ADVICE AND CLARITY

5.12 While the official position is progressing in terms of a deal, transition and exit, there is also increased focus on seeking to provide official guidance in terms of the possibility of a No Deal Brexit. An example of this is the ICO No Deal guidance issued in late 2018:

• ICO announcements, descriptions and statements on No Deal Brexit;
• ICO Six Steps to Take guide on No Deal Brexit;
• ICO ‘Broader’ guidance document on leaving EU if no withdrawal agreement; and
• ICO Overview FAQs guidance on No Deal Brexit.

There is also new advice and commentary on data protection, transfers and on:

• the European Union (Withdrawal) Act 2018; and
• department update.

There is also recent updated guidance from the ICO, partly in light of the enhanced possibility of a No Deal Brexit. Given the enhanced potential for a No Deal Brexit, it is imperative for organisations both inside and outside the UK to consider the implications of this. Indeed, a number of external data protection supervisory authorities are beginning to address demand for guidance from parties outside of the UK who may currently be dealing with entities inside the UK. Organisations inside the UK should already be anticipating some of the queries that external partners may have to ask and plan and respond accordingly.

The issue of Brexit generally and what will happen in terms of data protection and data transfers is an obvious concern for commercial entities and their advisors. While there are, on the one hand, potential problems for data transfers in the event of a No Deal Brexit, there are also several problem issues even where there may be a Deal. Unfortunately, concerns in relation to the possibility of a No Deal Brexit, a further extension and a new election have increased of late. (The latest development is that another extension granted on 28 October extends the extension period to 31 January 2020.) All of this leads to uncertainty and risk.

ICO OFFICIAL ADVICE

5.13 There has been a flurry of recent official guidance which is welcome. The ICO has issued new guidance documents to assist organisations to prepare for the possibility of a No Deal Brexit. These began with a new press release on 13 December 2018 and related statements and electronic update announcements. The release acknowledges that: ‘[w]hile the basis on which the UK will leave the EU has still to be decided, the ICO has today published new guidance and practical tools to help organisations understand the implications in the event of a no deal’.

The set of ICO documentation includes:

• announcements and descriptions (press statement, blog post, etc);
• Six Steps to Take guide;
• ‘broader’ guidance document on leaving EU if no withdrawal agreement; and
• overview FAQs guidance.

The ICO blog post is more detailed than the press release. It notes that the ‘Government has made clear that the [GDPR] will be absorbed into UK law at the point of exit, so there will be no substantive change’. However, readers will note that the DPA 2018 does not absorb or implement the GDPR. While the GDPR is currently directly effective, it would help to understand what date it ceases to be so. Is it Brexit Day (originally due to be March 2019 but now delayed) or exit day (originally due to be December 2020)? While official confirmation of when the GDPR direct effect ceases has been requested, nothing has thus far been received. This may be quite important for planning purposes. The blog also suggests that the ‘two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides [and hopefully expressly so provide] for the continued flow of personal data’. However, it may also be that an official EU Adequacy Decision may be needed also. If all goes well in terms of a withdrawal agreement being reached, and exit day occurring as planned at the end of January 2020 (predicated on Brexit Day occurring as originally planned), one would have to assume that there must also be a formal Adequacy Decision (in due course). However, issues arise as to when an application for an Adequacy Decision can be made and when the formal review process can commence. Can it be during the transition period between Brexit Day and exit day or must it wait until exit day? More official certainty would be welcome.

The ICO blog advises organisations to take ‘precautionary preparations’ to ‘ensure these data flows continue’ in the event of No Deal. However, there remains uncertainty even if there is a deal. The official advice is to ‘carefully consider alternative transfer mechanisms to maintain data flows’. One of these is the standard contractual clauses route. It is indicated that there will be further official guidance and assistance in relation to these contracts. Another route, but one generally reserved for multinational organisations is approved binding corporate rules. These take time. However, it is suggested in the guidance that they may need to be reviewed.

Six-step Guide

5.14 The ICO has also issued a six-step assistance guide. It states that ‘[i]f you operate in the EEA, you may need to comply with both the UK data protection regime and the EU regime after the UK exits the EU. You may also need to appoint a representative in the EEA’. The six steps for ‘Leaving the EU’ are:

1. continue to comply;
2. transfers to the UK;
3. transfers from the UK;
4. European operations;
5. documentation; and
6. organisational awareness.

Point 1 (Continue to comply) states, inter alia, that: ‘The [DPA 2018] will remain in place. The government intends to bring the GDPR directly into UK law on exit, to sit alongside it. There will be some technical adjustments to the UK version of the GDPR so that it works in a UK-only context – for example, amending provisions referring to EU law and enforcement cooperation.’

Point 2 (transfers to the UK) states, inter alia, that organisations must: ‘Review your data flows and identify where you receive data from the EEA, including from suppliers and processors. Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.’


It continues that this ‘means the sender needs to make sure there are adequate safeguards in place, or one of the exceptions listed in the GDPR’. It also refers to the importance of the adequacy decision issue. It states that: ‘If the EU makes a formal adequacy decision that the UK regime offers an adequate level of protection, there will be no need for specific safeguards. However, on exit date there may not be such a decision in place. So you should plan to implement adequate safeguards.’

Again, while useful, there is no confirmation of when the GDPR direct effect ends; neither on when adequacy can be applied for, nor when the review process can commence. Readers will again note that a normal adequacy review process can take years – and that is even in the event of relatively fixed and static laws, not a dynamic, large-scale, law-change environment such as now presents itself. The ICO guidance advises that ‘[y]ou may want to consider putting standard contractual clauses (SCCs) in place if you are receiving data from the EEA’. Further ICO assistance is also coming.

Point 3 (transfers from the UK) refers to transfers from the UK to the EU; and to transfers from the UK to countries outside the European Economic Area (EEA). In terms of the latter, the guidance states, inter alia, ‘[w]e expect the UK government to confirm that the UK will reflect existing EU adequacy decisions, approved EU SCCs and BCRs’. It then cross-refers to the more detailed guidance. Readers will note that this is descriptive of some future governmental and legal decisions and rules. It is unclear specifically what this refers to, or when.

Point 4 (European operations) states, inter alia, that ‘[i]f you operate across Europe, you should review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you’. It also refers to data protection regimes and reiterates that organisations may need to comply with EU and the UK data protection regimes, highlighting the need for dual compliance exercises. Issues of branches and establishments within the post-Brexit EU must be considered. A further consideration is having to deal with the UK and one or more respective data protection authorities. It refers also to lead authority and One-Stop-Shop, and states, inter alia, that ‘[i]f the UK is currently your lead [data protection] supervisory authority, you should review the structure of your European operations to assess whether you will continue to be able to have a lead authority and benefit from One-Stop-Shop’. The need to appoint a representative located in the EU is also highlighted.

Point 5 (documentation) highlights the need to review the organisation’s locations, documentation flows, processes and relationships. This applies to both inward and outward facing. Once changes occur there will be additional changes, such as identifying and differentiating EU and UK legal references in documentation, policies, notices, etc.

Point 6 (organisational awareness) reiterates the need for training and internal awareness raising processes. This is needed generally, but also needs to be utilised as Brexit-related data changes arise, as well as engagement and consultation to identify these issues in advance and make appropriate preparations. Reference is also made to the need for organisations to have, and to update, their risk register.

‘Broader’ Guidance

5.15 The ICO also issued a broader Brexit transfer guidance. This highlights that the (various) guidance is particularly relevant to organisations which:

• operate in the EEA, which includes the EU;
• send personal data outside the UK; or
• receive personal data from the EEA.

It is also indicated to be relevant where the following apply to the organisation:

• the Privacy and Electronic Communications (EC Directive) Regulations (PECR);25
• the Network and Information Systems Regulations (NIS);26 or
• EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).

The guidance refers to the DPA 2018. It points out that it came into force at the same time as the GDPR, and covers four data protection regimes, namely:

• Part 2, Chapter 2: General processing – the GDPR – ‘this chapter supplements the GDPR so that it operates in a UK context’;
• Part 2, Chapter 3: Other general processing – ‘this chapter applies a UK version of the GDPR (the “applied GDPR”) to those areas outside the scope of EU law, such as defence’;
• Part 3: Law enforcement processing – ‘this chapter brings into UK law the EU Data Protection Directive 2016/680 (the Law Enforcement Directive)’;
• Part 4: Intelligence services processing.

25 Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR).
26 Network and Information Systems Regulations 2018 (SI 2018/506) (NIS).


FAQ Guidance

5.16 The ICO frequently asked questions (FAQs) guidance refers to the following:

• Will the GDPR still apply if we leave EU without a deal?
• What will the UK data protection law be if we leave without a deal?
• Is the old ICO guidance still relevant?
• Can we still transfer data to and from Europe if we leave without a deal?
• Do PECR rules still apply?
• Do network and information system (NIS) rules still apply?
• Do the electronic identification and trust services for electronic transactions in the internal market (eIDAS) rules still apply?
• Does FOIA still apply?
• Do the environmental information regulations (EIR) still apply?
• Will ICO be producing more guidance?

The first question advises that: ‘The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK if we leave the EU on 29 March 2019 without a deal. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law when we exit the EU – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR’ (emphasis added and 29 March 2019 has now been superseded by extensions).

In terms of organisations wishing to continue dealing with the EU, it adds that the ‘GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe’. The GDPR will also ‘still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR’. The guidance cross-refers to the six points above.

Question 2 above indicates that the DPA 2018 ‘which currently supplements and tailors the GDPR within the UK, will continue to apply’. Again, referring to the future intent, it states that the ‘government also intends to incorporate the provisions of the GDPR directly into UK law if we leave the EU without a deal, to sit alongside the DPA 2018’. In addition, the ICO ‘expect the government to use new legislation to make technical amendments to the GDPR so that it works in a UK-only context’.

Question 4 above asks if an organisation can still transfer data to and from Europe if the UK leaves without a deal. The ICO guidance is as follows:

‘The government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, if we leave the EU without a deal, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.’

In terms of Question 5, referring to the PECR rules, the ICO states: ‘Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply after we exit the EU.’

Forthcoming EU changes are also noted: ‘The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed. It is unlikely to be finalised before the UK exits the EU. This means the ePR will not form part of UK law if we leave without a deal.’

Question 6 refers to NIS rules. The guidance advises, inter alia, that organisations may need to appoint local representatives in the EU and to review and comply with local NIS rules. This guidance concludes by saying that ‘[i]n the meantime, given that we expect UK data protection law to remain aligned with the GDPR, our Guide to GDPR remains a good source of advice and guidance on how to comply with UK and EU data protection rules both now and after we leave the EU’. The guidance will be variously updated as changes and new developments occur. However, the European Union (Withdrawal) Act 2018 is not referred to.

Further Guidance

5.17 Given recent obvious concerns regarding growing uncertainty and the enhanced potential for a No Deal Brexit (including in relation to data protection, data transfers, etc), the ICO has decided to issue further guidance referring expressly to the issues arising on a No Deal Brexit scenario. This is commercially focused guidance (with the ICO noting that separate guidance may be issued in future for the benefit of individuals). In particular, this No Deal Brexit guidance27 is aimed at businesses and organisations:

• operating in the EU or EEA;
• sending personal data outside the UK; or
• receiving personal data from the EU or EEA.

27 Entitled ‘Data Protection If There’s No Brexit Deal’.

The ICO advises that the guidance should be reviewed if the GDPR applies to the organisation (which really does not exclude many). The GDPR is explained, as is its point of direct effect. The ICO comments that ‘[w]hen the UK exits the EU, the EU GDPR will no longer be law in the UK. The UK government intends to write the GDPR into UK law, with necessary changes to tailor its provisions for the UK (the “UK GDPR”). The government has published a Keeling Schedule for the GDPR, which shows planned amendments’.28

In planning for a No Deal Brexit scenario, the ICO advises that the following should be considered:

• ‘Data Protection If There’s No Brexit Deal’;
• ‘International data transfers’;
• ‘EU representatives’;
• ‘One-stop Shop regulatory oversight by a lead data protection authority’.

It is the government’s intention that: ‘the UK GDPR will also apply to controllers and processors based outside the UK, where their processing activities relate to:

• offering goods or services to individuals in the UK; or
• monitoring the behaviour of individuals taking place in the UK.’

The ICO gives examples where transfers by a UK business to its consumers outside the UK are permitted; while transfers to third-party organisations or service providers (including cloud service) can trigger the GDPR or UK GDPR. Those who currently make data transfers outside the EEA should ‘already’ have compliance strategies in place. On exit day, organisations need to consider if they are intending to make restricted transfers outside the UK (permissible if covered by an adequacy decision; an appropriate safeguard; or an exception); and if they are receiving personal data from outside of the UK. The ICO also refers to the European Data Protection Board (EDPB) advice in relation to transfers in the event of a No Deal Brexit, the ICO data transfers guide as well as any future guidance. Various detailed references and examples are made to adequacy decisions and appropriate safeguards (eg standard contractual clauses; binding corporate rules) for restricted transfers. These should be considered in detail as appropriate. Some of this is contingent on future UK legislation.

As regards those in the UK who propose to continue to receive personal data from the EU, it is reiterated that the GDPR applies to such transfers and to the transferor. It is noted that the UK will, on exit day, become a so-called third country (outside the EU), in which case additional restrictions apply to transfers. The ICO has further transfer guidance, as does the EDPB. Organisations should ‘take a broad interpretation of [what is] a restricted transfer’ (ICO). The EU transferor will ‘only’ be able to make the transfer to the UK transferee organisation if one of the following applies:

• there is an EU adequacy decision (eg adequacy decision; appropriate safeguards; standard contractual clauses). Additional provisions may apply to public bodies. (Unfortunately, from the UK perspective, ‘[a]t exit date there may not be an adequacy decision by the European Commission regarding the UK’ (ICO) [that would seem to be an understatement at present]);
• an exception outside of the above applies – but which are interpreted very narrowly and restrictively (such as medical emergencies; explicit consent; occasional contract transfers; occasional public interest transfers; occasional legal defence transfers; transfers from public registers; exceptional compelling legitimate interest transfers). The transferor will decide if applicable, not the UK recipient.

28 In fact, there are two separate Keeling schedules. See ‘Data Protection Regulation Keeling Schedule’. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf and ‘Data Protection Act 2018 Keeling Schedule’. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf/.

There is guidance in relation to transfers from jurisdictions covered by an EU adequacy decision (as opposed to the EU itself). Organisations, therefore, must consider where potential post-Brexit transfers to the UK may come from.

Preparation Guidance

5.18 The ICO advises that preparation is necessary. The advices state that organisations should:

• assess their data flows and transfers in order to identify problem restricted transfers in advance;
• consider if and how transfers may continue, especially in the absence of a possible future EU adequacy decision which may not have issued yet;
• consider standard contractual clauses with the counter party (note the ICO tool available and their draft template contracts);
• update binding corporate rules, if previously utilised;
• update documentation and privacy notices; and
• carry out compliance vetting by the transferor entity.

Particular considerations also arise for UK entities who do not have an office, branch or establishment in the EU or EEA after exit day. Other entities may have appointed a representative in the EU for GDPR purposes. The ICO provides commentary on these situations. Indeed, many organisations will already have established branches outside the UK or even moved outside of the UK as a result of preparing for the possibility of Brexit. GDPR compliance must be considered. Details and commentary on these scenarios are referred to in the ICO guidance. Organisations may need to review their:

• agreements, contracts and appointments;
• terms, contracts, policies and websites;
• rights of data subjects;
• transfer documentation;
• data protection impact assessments (DPIAs);29
• Data Protection Officer or Officers;30 and
• further ICO and other official guidance.

Other data protection supervisory authorities are also beginning to issue advice and guidance in relation to Brexit, particularly as the possibility of No Deal increases.

GUIDANCE FROM THE EUROPEAN DATA PROTECTION SUPERVISOR

5.19 The European Data Protection Supervisor has also issued guidance in relation to the possibility of a No Deal Brexit.31 The European Data Protection Supervisor notes that, as of 1 November 2019, the UK will be a third country as referred to under the data protection rules and transfer restrictions automatically kick in. (This is unless the Withdrawal Agreement takes effect prior to that date, which currently does not seem likely, in which case transfers should be able to continue until 31 December 2020 (an effective transition period) pending final arrangements and negotiations. Note, the 2020 deadline may be extended by two years. This seems moot presently.) The European Data Protection Supervisor notes that a No Deal Brexit ‘would have [immediate] repercussions for the protection of personal data … because … EU … law, including data protection law, will cease to apply in the UK’.

29 See also GDPR Art 35. Also see Warren, A, Bayley, R, Bennett, C, Charlesworth, A, Clarke, R, Oppenheim, C, ‘Privacy Impact Assessments: International Experience as a Basis for UK Guidance’ Computer Law and Security Review: The International Journal of Technology and Practice (2008)(24:3) 233; Friedewald, M, Hansen, M, Bieker, F and Obersteller, H, ‘A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation’ conference, 4th Annual Privacy Forum, APF 2016 (2016).
30 See also GDPR Art 39.
31 ‘Information Note on International Data Transfers After Brexit’ 16 July 2019.

The GDPR requirements and restrictions on data transfers to less safe or non-equivalent third countries will apply.32 There is a default transfer ban, unless one of the limited number of transfer mechanisms can be established for particular data transfers or transactions involving personal data. The level of protection for the data being transferred must not be undermined.33

Businesses and their advisers must therefore consider whether there is a business need for data transfers which will be adversely affected by a No Deal Brexit. If so, the organisation needs to assess how best to establish safeguards and the application of one of the limited number of transfer mechanisms in this scenario ‘to enable the transfer to a third country’ – the UK in this instance. The European Data Protection Supervisor refers to:

• adequacy decisions (see GDPR Article 47 regarding adequate levels of protection);
• appropriate safeguards (GDPR Article 48), eg,
  – standard contractual clauses expressly adopted by the Commission for such purposes (transfers to controllers 2001/497, 2004/915) (transfers to processors 2010/87);
  – binding corporate rules (BCRs) (applicable to a group of companies – and importantly approved by one of the respective data protection supervisory authorities. Note, prior BCRs can continue to apply but may need certain amendments post the GDPR. Currently, BCRs may be applied for in the UK, but this takes time and it remains unclear how the ICO could approve BCRs in a No Deal Brexit);34
  – codes of conduct and certification mechanisms. (However, the exact nature of how this would work is not fully established and more guidance is awaited);
  – ad hoc contractual clauses. However, prior authorisation from a data protection supervisory authority would be necessary;35 and
  – derogations.36

The European Data Protection Supervisor notes that a common feature in the above is that data subject rights must be enforceable and effective. In terms of derogations, the European Data Protection Supervisor notes that these are exhaustively mentioned in Article 50:

• explicit consent of the individual to the transfer – ‘having been provided with all necessary information about the risks associated with the transfer’;
• where the transfer is necessary for contract performance to which the data subject is a party;
• where the transfer is necessary to conclude or perform a contract concluded in the interest of the data subject;
• where the transfer is necessary for important public interest reasons;
• where the transfer is necessary for legal claims;
• where the transfer is necessary to protect the vital interests of the data subject (or someone else) and the data subject is physically or legally incapable of giving consent; and
• where the transfer is made from a public register.

32 See GDPR Chapter V.
33 GDPR Art 46.
34 See GDPR Arts 46–48.
35 GDPR Art 48(3)(a).
36 GDPR Art 50(1).

In what may be an important clarification, the European Data Protection Supervisor notes that the Commission in a position paper37 says that personal data transferred (to the UK) before the Withdrawal Date may continue to be processed. However, a note of caution is advised in that data processing activities must be judged at the time of collection, processing and storage. That the initial collection may be lawful and permissible does not absolve an organisation from ascertaining a current lawful basis for current processing – especially the further in time the current processing moves away from the initial date of collection. This is all the more so in the event of secondary uses or purposes of processing. Later storage also requires a separate assessment of the basis for ongoing storage. The European Data Protection Supervisor’s reference to the Commission Position Paper reads as follows:

‘The European Commission in the Position Paper on the Use of Data and Protection of Information Obtained or Processed Before the Withdrawal Date concludes that UK-based controllers and processors may continue to process personal data transferred before the withdrawal date only if these data enjoy the protection of EU data protection law. Such protection will be guaranteed, in the case that a Withdrawal Agreement is put in place.’

The above caution should be noted, however, as anything to do with Brexit and data transfers is far from simple or assured in the current climate and data processing activities can be varied and more nuanced than a very headline description may suggest. The European Data Protection Supervisor acknowledges and cautions that ‘[t]he developments on this sensitive issue should be closely followed and the EDPS [and others] may provide further guidance’ as necessary. After all, this is a very fluid situation.

The European Data Protection Supervisor sets out five steps to prepare for Brexit, which businesses and organisations should consider, namely:

• map the data processing activities;
• check available data transfer mechanisms that best suit;
• implement the correct data transfer mechanism before 1 November 2019;
• update internal documentation; and
• update data protection notices.

37 Commission, ‘Position paper on the Use of Data and Protection of Information Obtained or Processed Before the Withdrawal Date,’ 20 September 2017.

(These steps are also included in the European Data Protection Board (EDPB) guidance of 12 February 2019.)

GUIDANCE FROM THE COMMISSION

5.20 In addition to the above Position Paper referred to by the EDPS, the Commission has also issued a ‘Notice to Stakeholders Withdrawal of the United Kingdom from the Union and EU Rules in the Field of Data Protection’ on 9 January 2018. This notes that, given the Article 50 notice submitted by the UK (on 29 March 2017), EU law ceases to apply in the UK – unless there is a validated Withdrawal Agreement. (Note, the latest extension was granted in October, extending the period to 21 January 2020.) The Commission ‘Notice to Stakeholders’ notes the ‘considerable uncertainties’ and that ‘all stakeholders processing personal data are reminded of legal repercussions, which need to be considered when the [UK] becomes a third country’. The Commission highlights the possibility and need to consider:

• standard data protection clauses (as approved by Commission);
• binding corporate rules (which generally apply to certain large group entities only, and in any event require prior approval from a data protection supervisory authority);
• approved codes of conduct; and
• approved certification mechanisms.

The Commission notes that the rules relating to some of these mechanisms have been simplified in the GDPR as compared with the prior DPD95/46.38

38 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.

GUIDANCE FROM THE EUROPEAN DATA PROTECTION BOARD

5.21 The European Data Protection Board (EDPB) issued guidance entitled ‘Information Note on Data Transfers Under the GDPR in the Event of a No Deal Brexit’.39 In this scenario it reiterates the need to consider:

• standard or ad hoc data protection clauses;
• binding corporate rules;
• codes of conduct and certification mechanisms; and
• derogations.

It also includes reference to the five steps referred to above. It notes that at the time of issue, ‘[a]ccording to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit’. However, matters have shifted politically since then and the immediate next steps remain somewhat less certain, which is unfortunate for business entities which require the ability to plan forward. The ‘UK Government’s and the ICO’s website should be regularly consulted’.

While there is uncertainty, organisations wishing to continue dealing with and receiving personal data from their unconnected business partners located inside the EU must most likely implement standard contractual clauses, given that binding corporate rules will only apply to the largest of organisations and in a pre-approved manner. In addition, there will be increased pressure on parties in the EU wishing to continue to deal with UK entities, to implement appropriate mechanisms and safeguards from their end, in which case they will be raising queries directly with their UK counterparties.

BREXIT CERTAIN

5.22 Following the referendum, the formal process of beginning the withdrawal from the EU and beginning the necessary negotiations commenced under the Article 50 procedure and the formal Article 50 notice was sent by the UK to the EU. Since then there had seemed to be growing public and political momentum for a means to cancel Brexit. There was some discussion around a new referendum or whether there was a possibility of withdrawing the Article 50 notice.40 Some commentary had suggested that such a notice could never be withdrawn but, in the Wightman case, the CJEU decided that it could.41 The November 2019 election result has put paid to that discussion.

39 European Data Protection Board (EDPB), ‘Information Note on Data Transfers Under the GDPR in the Event of a No Deal Brexit’ 12 February 2019.

CONCLUSION

5.23 This all creates immense uncertainty for the ICO and how it promotes and advises on data protection issues in a manner which creates certainty for the recipients and its intended audience. The above highlights the complexities of Brexit, Deal and No Deal Brexit, adequacy decisions and how a UK adequacy decision would be critical for the UK in the event of Brexit. However, even in normal circumstances the review process can take some time and may not have been successfully completed by day one of Brexit. Worse still, in the event of a No Deal Brexit scenario, the possibility of an adequacy review process being commenced, or of an existing process (if any) being stalled, delayed further or delayed until there is a deal, becomes a more complex problem. Given the economic importance of continued access to EU trade and data from the EU, it is not difficult to imagine that data protection and adequacy issues are among the most important and pressing Brexit problems for those dealing with the negotiations, not to mention those sectors of the economy potentially most affected.

After Brexit, regardless of whether there is a Deal, there will be a UK data protection supervisory authority. However, the exact form, establishment, continuity, new set up, new relationships, legal impacts, transfer role, enforcement, etc, that will exist post Brexit is not yet clear. All the regulator issues deserve attention. Transfers and an application for an adequacy decision must also be considered from the perspective of the data protection supervisory authority. In addition, such applications take time and cannot be presumed to occur quickly or within a certain timeframe. Critically, it appears that such an application can only commence on or immediately after Brexit. There are also significant investigation and enforcement roll-over issues to consider, as otherwise particular enforcement actions, legal actions or even prosecutions may prove problematic and more contentious.

Ultimately, the new government following the recent election will announce its plans as regards following through on Brexit and its associated data protection issues. It is expected that further official guidance will also be issued in due course.

40 Kenneth AA, ‘The Right to Revoke an EU Withdrawal Notification: Putting the Bullet Back in the Article 50 Chamber?’ Cambridge Law Journal (2019)(78:1) 3; Feldman, D, ‘Pulling a Trigger Or Starting a Journey? Brexit in the Supreme Court,’ Cambridge Law Journal (2017)(76:2) 217; Ostendorf, O, ‘The Withdrawal Cannot be Withdrawn: The Irrevocability of a Withdrawal Notification under Art. 50(2) TEU’ European Law Review (2017)(42:5) X; Papageorgiou, I, ‘The (Ir-)revocability of The Withdrawal Notification Under Article 50 TEU’ (Directorate General for Internal Policies, Policy Department for Citizen’s Rights and Constitutional Affairs, January 2018).
41 Wightman v Secretary of State for Exiting the European Union, CJEU, Case C-621/18.

CHAPTER 6

European Data Protection Board

INTRODUCTION

6.1 The data protection rules in the EU prior to the GDPR were established by the Data Protection Directive 1995 (Directive 95/46).1 Even then it was seen that there was a benefit, if not a need, for a body which would coordinate the various data protection supervisory authorities and issue advice and opinions on the interpretation of data protection issues. Article 29 of Directive 95/46² established the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (or Working Party 29, also referred to as WP29).

Article 29(1) provides that a Working Party on the Protection of Individuals with regard to the Processing of Personal Data (hereinafter referred to as ‘the Working Party’) was set up. It was provided that ‘[i]t shall have advisory status and act independently’. The Working Party was composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.3 ‘Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.’4

The Article 29 Working Party (WP29) was to:

• examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures;
• give the Commission an opinion on the level of protection in the Community and in third countries;
• advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms; and
• give an opinion on codes of conduct drawn up at Community level.5

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
2 Ibid.
3 Directive 95/46 Art 29(2).
4 Ibid.

The various opinions of the WP29 and the EDPB in due course are very influential not only with the respective data protection supervisory authorities and practitioners but also with respective courts and in court decisions.6

ESTABLISHMENT

6.2 The European Data Protection Board (EDPB) is referred to in Section 3 of Chapter VII of the GDPR. The GDPR refers to and creates the EDPB in Article 68 and Article 68(1) in particular. It states that ‘[t]he European Data Protection Board (the “Board” [or EDPB]) is hereby established as a body of the [EU] and shall have legal personality’. The EDPB must be represented by its chair (see below).7

The EDPB is composed of the head of one data protection supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.8 The individual data protection supervisory authority heads may also delegate. Where a Member State (eg Germany) has more than one data protection supervisory authority responsible for monitoring the application of the provisions pursuant to the GDPR, a joint representative must be appointed in accordance with that Member State’s law.9

The Commission also has the right to participate in the activities and meetings of the EDPB under Article 68(5). However, the Commission does not have voting rights.10 The Commission designates a representative to attend the EDPB meetings. The chair of the EDPB also communicates to the Commission its various activities.11

Note, however, Article 68(6) which provides that ‘[i]n the cases referred to in Article 65 [referring to dispute resolution activities by the EDPB], the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the [EU] institutions, bodies, offices and agencies which correspond in substance to those of this Regulation’.

5 Directive 95/46 Art 30(1).
6 One example of judicial reference to WP29 opinions is at para 90 of Vidal-Hall v Google Inc [2014] EWHC 13 (QB) (16 January 2014).
7 GDPR Art 68(2).
8 Ibid Art 68(3).
9 Ibid Art 68(4).
10 Ibid Art 68(5).
11 Ibid.

INDEPENDENCE

6.3 The EDPB is independent in its activities. Article 69(1) provides that:

‘The [EDPB] shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.’

It is stipulated that (without prejudice to requests by the Commission referred to in Article 70(1)(b) and in Article 70(2)):

‘the [EDPB] shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody’.12

The EDPB is, therefore, independent in terms of its tasks, deliberations, work schedule, opinions and recommendations. There is a carveout, however: as the introductory words of that provision indicate, this is separate from, or without prejudice to, two matters. The without prejudice carveouts are:

• Article 70(1)(b): this refers to ‘advise the Commission on any issue related to the protection of personal data in the [EU], including on any proposed amendment of’ the GDPR. Article 70 refers to tasks of the EDPB; and
• Article 70(2): this refers to ‘[w]here the Commission requests advice from the [EDPB], it may indicate a time limit, taking into account the urgency of the matter’.

However, in a post-Brexit situation, the Commissioner of the ICO will no longer be an automatic member of the EDPB and will thus no longer be directly involved in those tasks and activities. It remains to be seen what association or cooperation (whether direct or indirect) the ICO will seek to maintain with the EDPB. One might assume that the ICO will wish to seek to align or adopt as closely as possible with ongoing EDPB decisions, opinions, activities, etc, and, indeed, ongoing CJEU decisions. How this will transpire and/or may be facilitated (or hindered) by the new and proposed legislation remains to be seen.

EDPB TASKS

6.4 The various tasks of the EDPB are referred to in Article 70 of the GDPR. The EDPB must carry out a list of 25 tasks which are specified in Article 70(1). The EDPB is obliged to ‘ensure the consistent application of the GDPR’.13 ‘To that end, the [EDPB] shall, on its own initiative or, where relevant, at the request of the Commission’ carry out the twenty-five listed task activities.14

12 Ibid Art 69(2).
13 Ibid Art 70(1).
14 Ibid.

The EDPB must:

• monitor and ensure the correct application of the GDPR as provided for in Articles 64 (opinion of the EDPB) and 65 (dispute resolution by the EDPB);
• advise the Commission on the protection of personal data;
• advise the Commission on aspects of binding corporate rules;
• issue guidelines, recommendations and best practices on procedures for erasing online links, copies or replications of personal data;
• examine the application of the GDPR and issue guidelines, recommendations and best practices;
• issue guidelines for decisions based on profiling;
• issue guidelines for establishing personal data breaches and determining undue delay and for circumstances where a controller or a processor is required to notify the personal data breach;
• issue guidelines for data breaches likely to result in a high risk;
• issue guidelines for requirements for personal data transfers based on binding corporate rules;
• issue guidelines for data transfers based on Article 49(1);
• draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines;
• review the practical application of the guidelines, recommendations and best practices;
• issue guidelines for reporting by natural persons of GDPR infringements;
• encourage codes of conduct, certification mechanisms and data protection seals and marks;
• issue the accreditation of certification bodies;
• specify requirements for accreditation of certification bodies;
• provide the Commission with an opinion on certification requirements;
• provide the Commission with an opinion on icons;
• provide the Commission with an opinion on the adequacy of the level of protection in a third country;
• issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism;
• promote the cooperation and exchange of information and best practices between the supervisory authorities;
• promote common training programmes and facilitate personnel exchanges between the supervisory authorities;
• promote the exchange of knowledge and documentation on data protection legislation and practice;
• issue opinions on codes of conduct; and
• maintain a public register on consistency mechanism decisions.

Monitoring the Application of GDPR

6.5 The EDPB will ‘monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities’.15

Advising Commission

6.6 The EDPB will ‘advise the Commission on any issue related to the protection of personal data in the [EU], including on any proposed amendment of this Regulation’.16

Online Erasure and Forgetting

6.7 The EDPB will ‘issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2)’.17

GDPR Review

6.8 The EDPB will ‘examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of the GDPR’.18

Profiling

6.9 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2)’.19

15 Ibid Art 70(1)(a).
16 Ibid Art 70(1)(b).
17 Ibid Art 70(1)(d).
18 Ibid Art 70(1)(e).
19 Ibid Art 70(1)(f).

Delay and Data Breach Reporting

6.10 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach’.20

High-risk Data Breaches

6.11 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1)’.21 Risk identification, risk management and security are increasingly important across the tech landscape but they are now promoted as an issue of consideration and compliance in the data protection field with the GDPR.22 The GDPR includes extensive new security obligations; as part of this, there is a requirement to take into account, and hence to identify, risk problem issues.23

GDPR Breach Reporting

6.12 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2)’.24

Binding Corporate Rules

6.13 The EDPB will ‘advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules’.25 ‘[B]inding corporate rules’ are defined to mean ‘personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity’.26

20 Ibid Art 70(1)(g). 21 Ibid Art 70(1)(h). 22 Duncan, B, and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) (July 2018). 23 See GDPR Art 32(1) and other references. 24 Ibid Art 70(1)(m). 25 Ibid Art 70(1)(c).

Guidelines on Binding Corporate Rules

6.14 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47’.27

Guidelines on Data Transfers

6.15 The EDPB will ‘issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1)’.28

Guidelines and Fines

6.16 The EDPB will ‘draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83’.29

Review

6.17 The EDPB will ‘review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f)’.30

Code, Certification, Seal and Mark

6.18 The EDPB will ‘encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42’.31

26 Ibid Art 4(20). 27 Ibid Art 70(1)(i). 28 Ibid Art 70(1)(j). 29 Ibid Art 70(1)(k). 30 Ibid Art 70(1)(l). 31 Ibid Art 70(1)(n).

Opinions on Codes

6.19 The EDPB will ‘issue opinions on codes of conduct drawn up at [EU] level pursuant to Article 40(9)’.32

Accrediting Certification Body

6.20 The EDPB will ‘carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7)’.33

Requirements for Certification Bodies

6.21 The EDPB will ‘specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42’.34

Opinions on Certification

6.22 The EDPB will ‘provide the Commission with an opinion on the certification requirements referred to in Article 43(8)’.35 Article 43(8) (dealing with certification bodies) provides that ‘[t]he Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms’ (referred to in Article 42(1)).

Opinions on Icons

6.23 The EDPB will ‘provide the Commission with an opinion on the icons referred to in Article 12(7)’.36 Article 12(7) provides that ‘[t]he information to be provided to data subjects pursuant to Articles 13 [ie, information to be provided where personal data are collected from the data subject] and 14 [ie, information to be provided where personal data have not been obtained from the data subject] may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.’

32 Ibid Art 70(1)(x). 33 Ibid Art 70(1)(o). 34 Ibid Art 70(1)(p). 35 Ibid Art 70(1)(q). 36 Ibid Art 70(1)(r).

Opinions on Third Countries

6.24 The EDPB will ‘provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the [EDPB] with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation’.37

Opinions on Consistency

6.25 The EDPB will ‘issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1) on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66’.38

Cooperating and Exchange

6.26 The EDPB will ‘promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities’.39

Training and Exchange

6.27 The EDPB will ‘promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations’.40

Law and Practice Exchange

6.28 The EDPB will ‘promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide’.41

37 Ibid Art 70(1)(s). 38 Ibid Art 70(1)(t). 39 Ibid Art 70(1)(u). 40 Ibid Art 70(1)(v). 41 Ibid Art 70(1)(w).

Consistent Decisions

6.29 The EDPB will ‘maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism’.42

ADDITIONAL TASKS

Advice to Commission

6.30 Where the Commission requests advice from the EDPB, it may indicate a time limit for reply, taking into account the urgency of the matter.43 By implication, therefore, the Commission may request advice from the EDPB.

Furnishing Documentation to the Commission

6.31 The EDPB will forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 (ie the committee provided to assist the Commission) and make them public.44

Consulting Interested Parties

6.32 The EDPB will, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The EDPB will, without prejudice to Article 76 (referring to confidentiality), make the results of the consultation procedure publicly available.45

EDPB REPORTS

6.33 The EDPB must draw up an annual report regarding the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations.46 The report must be made public and be transmitted to the European Parliament, the Council and to the Commission.47

42 Ibid Art 70(1)(y). 43 Ibid Art 70(2). 44 Ibid Art 70(3). 45 Ibid Art 70(4). 46 Ibid Art 71(1). 47 Ibid.

OPINIONS AND REPORTS

6.34 One of the most important activities of the EDPB, and the previous data protection Working Party (WP29), is to provide opinions and reports on specific issue topics. These are then very influential for how organisations, respective data protection supervisory authorities, courts and the CJEU may interpret and apply the data protection rules. Some examples of the previous Opinions issued from WP29 include:

• WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247) 13 February 2018;
• WP29, Opinion 03/2016 on the Evaluation and Review of the ePrivacy Directive (WP240) 23 November 2016;
• WP29, Opinion 2/2017 on Data Processing at Work (WP249) 23 June 2017;
• WP29, Update of Opinion 8/2010 on Applicable Law in Light of the CJEU Judgement in Google Spain (WP179 update) 23 November 2016;
• WP29, Cookie Sweep Combined Analysis, Report (WP229) 23 November 2016;
• WP29, Opinion 01/2015 on Privacy and Data Protection Issues Relating to the Utilisation of Drones (WP231) 23 November 2016;
• WP29, Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing (WP232) 23 November 2016;
• WP29, Opinion 01/2016 on the EU–U.S. Privacy Shield Draft Adequacy Decision (WP238) 23 November 2016; and
• WP29, Opinion 04/2016 on European Commission Amendments Proposals Related to the Powers of Data Protection Authorities in Standard Contractual Clauses and Adequacy Decisions (WP241) 8 November 2016.

Recently, the EDPB has also adopted and endorsed certain of the previous WP29 Opinions,48 namely:

• Guidelines on consent under Regulation 2016/679 (WP259 rev.01);
• Guidelines on transparency under Regulation 2016/679 (WP260 rev.01);
• Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (WP251 rev.01);
• Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01);
• Guidelines on the right to data portability under Regulation 2016/679 (WP242 rev.01);
• Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679 (WP248 rev.01);49
• Guidelines on Data Protection Officers (‘DPO’) (WP243 rev.01);
• Guidelines for identifying a controller or processor’s lead supervisory authority (WP244 rev.01);
• Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR;
• Working Document Setting Forth a Co-operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR (WP 263 rev.01);
• Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (WP 264);
• Recommendation on the Standard Application for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data (WP 265);
• Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256 rev.01);
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257 rev.01);
• Adequacy Referential (WP 254 rev.01); and
• Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP 253).

48 This began during the first plenary meeting of the EDPB.

49 Also see Warren, A, Bayley, R, Bennett, C, Charlesworth, A, Clarke, R, and Oppenheim, C, ‘Privacy Impact Assessments: International Experience as a Basis for UK Guidance’ Computer Law and Security Review: The International Journal of Technology and Practice (2008)(24:3) 233; Friedewald, M, Hansen, M, Bieker, F, and Obersteller, H, ‘A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation’ conference, 4th Annual Privacy Forum, APF 2016 (2016).

The EDPB also lists what is referred to as guidelines, recommendations, best practice documentation, namely:

• Guidelines 3/2019 on Processing of Personal Data through Video Devices (version for public consultation);
• Recommendation 01/2019 on the Draft List of the European Data Protection Supervisor Regarding the Processing Operations Subject to the Requirement of a Data Protection Impact Assessment (Article 39.4 of Regulation (EU) 2018/1725);
• Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects (version adopted after public consultation);
• EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (version adopted after public consultation);
• EDPB Guidelines 4/2018 on the Accreditation of Certification Bodies Under Article 43 of the General Data Protection Regulation (2016/679) (version adopted after public consultation);
• EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) (version for public consultation);
• EDPB Guidelines 2/2018 on Derogations of Article 49 Under Regulation 2016/679; and
• EDPB Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the Regulation (version adopted after public consultation).

The EDPB has also published other documents (including legal pleadings), such as the following:

• EDPB Pleading Before the CJEU in Case C-311/18 (Facebook Ireland and Schrems) (9 July 2019);
• EDPB LIBE Report on the Implementation of the GDPR (26 February 2019);
• EDPB Statement 3/2019 on an ePrivacy Regulation;
• EDPB Statement 2/2019 on the Use of Personal Data in the Course of Political Campaigns;
• Annex I to Statement 2/2019 on the use of Personal Data in the Course of Political Campaigns;
• EDPB Statement 01/2019 on the US Foreign Account Tax Compliance Act (FATCA);
• Information Note on Data Transfers under the GDPR in the Event of a No Deal Brexit (12 February 2019);
• Information Note on BCRs for Companies which have ICO as BCR Lead Supervisory Authority (12 February 2019);
• Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (23 January 2019);
• EU–US Privacy Shield – Second Annual Joint Review Report (22 January 2019);
• Opinion 28/2018 Regarding the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data in Japan;
• Opinion 23/2018 on Commission Proposals on European Production and Preservation Orders for Electronic Evidence in Criminal Matters;
• EDPB Statement on Economic Concentration (27 August 2018);
• EDPB Statement on ePrivacy (25 May 2018).

Joint Opinions: EDPB/EDPS

6.37 A Joint Opinion has also been issued:

• EDPB-EDPS Joint Opinion 1/2019 on the Processing of Patients’ Data and the Role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI).

REGISTERS

6.38 The EDPB either maintains, or will maintain, registers for particular data protection matters as follows:

• Register for decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism;
• Register for codes of conduct, amendments and extensions; and
• Register of approved binding corporate rules.

RESOURCES AND TOPIC DOCUMENTS

6.39 The EDPB also lists a range of issue topics and provides, or will provide, information, guidance and/or commentary as follows:

• accountability;
• adequate countries;
• administrative fines;
• anonymisation;
• artificial intelligence;
• automated individual decision making;
• automated processing;
• Big Data;
• binding decisions;
• biometrics;
• borders, asylum, migration;
• case law and litigation;
• Charter of the Fundamental Rights;
• children’s privacy protection;
• cloud computing;
• code of conduct;
• competition;
• complaints;
• compliance;
• consent;
• consistency mechanism;
• consumer;
• controller;
• cookies;
• cyberbullying;
• cybersecurity;
• data breach;
• data portability;50
• data protection impact assessment (DPIA);
• Data Protection Officer;
• data retention;
• decisions of the board;
• digital single market;
• discrimination;
• e-Commerce;
• e-Government;
• e-Privacy Regulation;
• education;
• electronic communications, information society;
• employment;
• European Data Protection Board;
• finance;
• fraud;
• General Data Protection Regulation (GDPR);
• geolocation;
• health;
• identity theft;
• information security;
• insurance;
• internal market;
• international agreements;
• international cooperation;
• Internet of Things;
• judicial cooperation;
• law enforcement directive;
• lawful processing;
• litigation;
• marketing;
• media;
• necessity and proportionality;
• one-stop shop;
• Opinions of the EDPB;
• personal data;
• privacy by default;
• privacy by design;
• privacy principles;
• privacy shield;
• processor;
• profiling;
• proportionality;
• pseudonymisation;51
• Regulation 45/2001;
• research;
• rights of individuals;
• robotics;
• search engines;
• secretariat of the board;
• sensitive data;
• social media;
• spam;
• data protection supervisory authority;
• surveillance;
• targeted advertising;
• targeted monitoring;
• tax;
• technologies;
• telecommunication;
• third countries;
• transfers of data;
• transparency;
• transport;
• whistleblowing; and
• workplace.

50 Quintel, T, ‘EDPS and Article 29 Working Party Opinions About the Commission Proposals on the Interoperability of Database’ European Data Protection Law Review (EDPL) (2018) (4:2) 217. 51 Mourby, M, Mackey, E, Elliot, M, Gowans, H, and Wallace, S, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 222.

CHAIR OF EDPB

6.40 The EDPB elects a chair and two deputy chairs from among its members by simple majority.52 The term of office of the chair and of the deputy chairs is five years.53 The terms of office may be renewed, but only once.54 The chair has the following tasks:

• to convene the meetings of the EDPB and prepare its agenda;
• to notify decisions adopted by the EDPB (pursuant to Article 65) to the lead supervisory authority and the supervisory authorities concerned; and
• to ensure the timely performance of the tasks of the EDPB in relation to the consistency mechanism (referred to in Article 63).55

The EDPB – not the chair – is responsible for establishing the allocation of tasks between the chair and the deputy chairs in its rules of procedure.56 The ICO or Commissioner will no longer be available to be so elected as chair post Brexit.

52 GDPR Art 73(1). 53 Ibid Art 73(2). 54 Ibid.

SECRETARIAT

6.41 The EDPB has a secretariat, which is provided by the European Data Protection Supervisor.57 The secretariat performs its tasks exclusively under the instructions of the chair of the EDPB.58 The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the EDPB by the GDPR are subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.59 Where appropriate, the EDPB and the European Data Protection Supervisor will establish and publish a Memorandum of Understanding implementing Article 75 of the GDPR, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the EDPB by the GDPR.60 The secretariat provides analytical, administrative and logistical support to the EDPB and is responsible for:61

• the daily business of the EDPB;
• communication between the members of the EDPB, its chair, and the Commission;
• communication with other institutions and the public;
• the use of electronic means for the internal and external communication;
• the translation of relevant information;
• the preparation and follow-up of the meetings of the EDPB; and
• the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the EDPB.62

55 Ibid Art 74. 56 Ibid Art 74(2). 57 Ibid Art 75(1). 58 Ibid Art 75(2). 59 Ibid Art 75(3). 60 Ibid Art 75(4). 61 Ibid Art 75(5). 62 Ibid Art 75(6)(a)–(g).

EDPB PROCEDURES

6.42 The EDPB takes decisions by a simple majority of its members, unless otherwise provided for in the GDPR.63 The EDPB adopts its own rules of procedure by a two-thirds majority of its members. It also organises its own operational arrangements.64

Confidentiality

6.43 The discussions of the EDPB ‘shall be confidential where the [EDPB] deems it necessary, as provided for in its rules of procedure’.65 Access to documents submitted to members of the EDPB, experts and representatives of third parties ‘shall be governed by’ Regulation 1049/2001.66

Cooperation

6.44 The EDPB refers to the need for cooperation, including international cooperation. It states that: ‘[w]e cooperate with international organisations and the supervisory authorities of countries outside the EU, to support the effective enforcement of the law and to share best practices … We do this by working within a number of international frameworks, either as the EDPB or via our individual members. We also promote common training programmes and personnel exchanges’.

CONCLUSION

6.45 The EDPB is very important as it is a resource focal point and provides a lead on the interpretation of some of the most important current data protection issues. Given that it is made up of the respective data protection supervisory authorities, its statements and opinions assist, if not guide, the direction and practice of the national authorities. In addition, it is very useful for organisations, individuals and practitioners in providing important respected resources, statements and opinions on some of the problem issues being encountered. From a Brexit perspective, the main issue may not be the impact of the ICO leaving the EDPB, but rather how the ICO may seek to mirror in some way and not materially diverge from the future significant outputs from the EDPB. The EDPB will remain relevant even post Brexit. The extent of this relevance remains to be discussed and elucidated further.

63 Ibid Art 72(1). 64 Ibid Art 72(2). 65 Ibid Art 76(1). 66 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p 43). GDPR Art 76(2).

CHAPTER 7

European Data Protection Supervisor

INTRODUCTION

7.1 The European Data Protection Supervisor (EDPS) is an increasingly influential independent data protection supervisory authority. It is the EU’s or EU institutions’ independent data protection authority. When we consider the EU official institutions, we often think of the EU Commission,1 the EU Parliament,2 the CJEU3 and other bodies. One of the distinguishing features is that the entities are EU official bodies or institutions as opposed to national official bodies, departments or entities. It, therefore, has a somewhat different focus than the General Data Protection Regulation (GDPR), which is aimed at individuals, private entities and official organisations other than the primary EU institutions.4 From a Brexit perspective, somewhat similar to the EDPB referred to in the previous chapter, the documentation, views and reportage from the European Data Protection Supervisor are of influence and assistance to the ICO as opposed to being anything binding. (In any event the European Data Protection Supervisor output, whilst beneficial, is already guiding and influential rather than the Supervisor being directly concerned with the formal institutional organs of the EU. Having said that, the European Data Protection Supervisor is increasingly acknowledged as an influential and promotional assistant in relation to data protection rights and issues.) On occasion, the European Data Protection Supervisor can become involved as a party in litigation and has done so in support of the Commission in each of the CJEU cases dealing with the enforcement of the independence of the respective data protection supervisory authorities.5

1 Nugent, N and Rhinard, M, The European Commission (Palgrave, 2015); Schmidt, SK and Wonka, A, ‘European Commission’ in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 336; Cini, M, The European Commission (Manchester University Press, 1996); Usher, JA, EC Institutions and Legislation (Longman, 1998).

2 Bradley, K, ‘The European Parliament’ in Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018) at 457; Raunio, T, ‘The European Parliament’ in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 365; Usher, JA, EC Institutions and Legislation (Longman, 1998).

3 Tridimas, T, ‘The Court of Justice of the European Union’ in Schütze, R and Tridimas, T, Oxford Principles of European Union Law (OUP, 2018) at 581; Wägenbaur, B, Court of Justice of the European Union (Beck, Hart, Nomos, 2013); Arnull, A, The European Union and Its Court of Justice (OUP, 2006); de Búrca, G and Weiler, JHH, The European Court of Justice (OUP, 2001); March Hunnings, N, The European Courts (Cartermill, 1996); Poiares Maduro, M, We The Court, the European Court of Justice and the European Economic Constitution (Hart 1998); Stone Sweet, A, ‘The European Court of Justice’ in Craig, P and de Búrca, G, The Evolution of EU Law (OUP, 2011) at 121; Slaughter, A-M, Stone Sweet, A and Weiler, JHH, The European Court and National Courts-Doctrine and Jurisprudence (Hart, 1998); Azoulai, L and Dehousse, R, ‘The European Court of Justice and Legal Dynamics of Integration’ in Jones, E, Menon, A and Weatherill, S, The Oxford Handbook of the European Union (OUP, 2014) at 350; Saurugger, S and Terpan, F, The Court of Justice of the European Union and the Politics of Law (Palgrave, 2017); Usher, JA, EC Institutions and Legislation (Longman, 1998); Szabo, M, ‘General Principles of Law in the Practice of International Courts and the European Court of Justice’ Hungarian Yearbook of International Law and European Law (2016) 135; Lasok, KPE, Lasok’s European Court Practice and Procedure (Bloomsbury, 2017).

4 Generally also note Sajfert, J, ‘New Data Protection Regulation for EU Bodies – Another Piece of the Puzzle Completed’ European Data Protection Law Review (EDPL) (2018)(4:2) 213; Quintel, T, ‘EDPS and Article 29 Working Party Opinions about the Commission Proposals on the Interoperability of Database’ European Data Protection Law Review (EDPL) (2018) (4:2) 217.

ESTABLISHMENT

7.2 Article 52 of Regulation 2018/1725 refers to the appointment of the European Data Protection Supervisor. It provides that ‘[t]he European Data Protection Supervisor is hereby established’. The European Data Protection Supervisor is currently headed by a Supervisor and an Assistant Supervisor. These are supported by an office (secretariat) of experienced lawyers, IT specialists and administrators.6 With respect to the processing of personal data, the European Data Protection Supervisor must be responsible for ensuring that the fundamental rights and freedoms of natural persons and, in particular, their right to data protection, are respected by EU institutions and bodies.7 The European Data Protection Supervisor must be responsible for monitoring and ensuring the application of the provisions of this Regulation and of any other EU act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by an EU institution or body, and for advising EU institutions and bodies and data subjects on all matters concerning the processing of personal data.8 To those ends, the European Data Protection Supervisor shall fulfil the tasks set out in Article 57 and exercise the powers granted in Article 58.9 Regulation (EC) No 1049/2001 shall apply to documents held by the European Data Protection Supervisor.10 The European Data Protection Supervisor shall adopt detailed rules for applying Regulation (EC) No 1049/2001 with regard to those documents.11

5 The European Data Protection Supervisor was a party in the following cases, in support of the EU Commission, namely, Commission v Germany, Case C-518/07 [2010] ECR I-1885; and Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012. 6 See https://edps.europa.eu/about-edps_en. 7 Regulation 2018/1725 Art 52(2). 8 Ibid Art 52(3). 9 Ibid. 10 Ibid Art 52(4).

MISSION

7.3 The European Data Protection Supervisor serves as ‘an impartial centre of excellence for enforcing and reinforcing EU data protection and privacy standards, both in practice and in law’.12 The general mission outlined on the official website is to:

• monitor and ensure the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals;
• advise EU institutions and bodies on all matters relating to the processing of personal data, on request or on our own initiative. In particular, we are consulted by the European Commission on proposals for legislation, international agreements, as well as implementing and delegated acts with impact on data protection and privacy;
• monitor new technology that may affect the protection of personal information;
• intervene before the CJEU to provide expert advice on interpreting data protection law; and
• cooperate with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information.13

SCOPE 7.4 Together with the basic requirement of independence, the European Data Protection Supervisor’s remit includes:

• developing and communicating an overall vision, thinking in global terms and proposing concrete recommendations and practical solutions;
• providing policy guidance to meet new and unforeseen challenges in the area of data protection; and
• operating at the highest levels and developing and maintaining effective relationships with a diverse community of stakeholders in other EU institutions, Member States, non-EU countries and other national or international organisations.14

11 Ibid. 12 See https://edps.europa.eu/about-edps_en. 13 Ibid. 14 Ibid.


TECHNOLOGICAL DEVELOPMENT 7.5 The European Data Protection Supervisor notes the history of technological change, electronic and digital data and how this has greatly impacted the need for, and development of, data protection and privacy laws. It states:

‘Data protection has always been about technology. It was the arrival of computers in the business and public administration domains that triggered the development of data protection laws and principles which in turn led to the creation of data protection authorities. Technical development allows for more sophisticated and increasing amounts of personal data collection and processing. Though advanced technologies increase the risk to privacy and data protection, they may also integrate technological solutions for better transparency and control for the persons whose data is processed. Data protection authorities must keep abreast of both the potential risks and opportunities offered by these advances: they invest to understand the possibilities of new technology and at the same time encourage the integration of data protection by design and data protection by default into the innovation process.’

As a result, the data protection supervisory authorities and privacy regulators must, according to the European Data Protection Supervisor, ‘place … strategic importance on integrating the technological dimension of data protection into our work’.

ROLE IN MONITORING AND POLICING TECH CHANGE 7.6 The European Data Protection Supervisor notes the importance of the role of data protection supervisory authorities in monitoring and policing technological change and its impact. It states: ‘The main objective is to ensure that our work properly assesses technological implications and demonstrates that the EDPS,

• monitors technological developments which may have an impact on privacy and data protection such as cloud computing, PIMS, Big Data, malicious software;
• analyses and understands the potential impact of technology driven policy and proposed legislative measures as demonstrated in our opinions and comments;
• advances the public debate by reporting on new technology related to privacy and data protection for instance, in the TechDispatch, EDPS newsletter, papers and other publications and events such as IPEN Workshops and CPDP;
• offers support to the EU institutions, National Data Protection Authorities and the public at large by being a reference point for clarifying technological issues related to privacy and data protection;
• has the technological knowledge and tools to perform effective inspections of IT systems, and other technical solutions used as means to process personal data; and
• guides, influences, raises awareness and provides advice on technology developments relevant to privacy, data protection and the proper implementation of the privacy by design and privacy by default principles.’15

DUTIES AND POWERS 7.7 The duties and powers of the European Data Protection Supervisor are set out in Regulation 2018/1725.16 It should be noted that these duties and powers appear in a Regulation that is separate from, and in addition to, the GDPR.17 The former deals mainly with data protection and the EU institutional bodies, while the latter deals mainly with the personal data of individual data subjects and the compliance of public and (commercial and non-commercial) non-public entities (other than the EU institutions). The latter obviously has a much wider impact given that it applies to a significantly wider audience.

RULES 7.8 Article 54 refers to regulations and general conditions governing the performance of the European Data Protection Supervisor’s duties, staff and financial resources. The European Data Protection Supervisor shall be considered equivalent to a judge of the CJEU as regards the determination of remuneration, allowances, retirement pension and any other benefit in lieu of remuneration.18 The budgetary authority must ensure that the European Data Protection Supervisor is provided with the human and financial resources necessary for the performance of his or her tasks.19 The budget of the European Data Protection Supervisor must be shown in a separate budgetary heading in the section related to administrative expenditure of the general budget of the EU.20

The European Data Protection Supervisor must be assisted by a secretariat. The officials and other staff members of the secretariat must be appointed by the European Data Protection Supervisor and their superior shall be the European Data Protection Supervisor. They must be subject exclusively to his or her direction. Their numbers must be decided each year as part of the budgetary procedure. Article 75(2) of Regulation (EU) 2016/679 shall apply to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board (EDPB) by EU law.21 The officials and the other staff members of the secretariat of the European Data Protection Supervisor shall be subject to the rules and regulations applicable to officials and other servants of the EU.22

15 See https://edps.europa.eu/data-protection/our-work/technology-monitoring_en. 16 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. 17 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ L 119, 4.5.2016, pp 1–88. 18 Regulation 2018/1725 Art 54(1). 19 Ibid Art 54(2). 20 Ibid Art 54(3).

INDEPENDENCE 7.9 The European Data Protection Supervisor must act with complete independence when performing his or her tasks and exercising his or her powers in accordance with this Regulation.23 The European Data Protection Supervisor must, in the performance of his or her tasks and exercise of his or her powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and must neither seek nor take instructions from anybody.24 The European Data Protection Supervisor must refrain from any action incompatible with his or her duties and must not, during his or her term of office, engage in any other occupation, whether gainful or not.25 After his or her term of office, the European Data Protection Supervisor must behave with integrity and discretion as regards the acceptance of appointments and benefits.26

TASKS 7.10 Without prejudice to other tasks set out under the Regulation, the European Data Protection Supervisor must:

• monitor and enforce the application of this Regulation by EU institutions and bodies, with the exception of the processing of personal data by the CJEU acting in its judicial capacity;27
• promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children must receive specific attention;28
• promote the awareness of controllers and processors of their obligations under this Regulation;29
• upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the national supervisory authorities to that end;30
• handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 67, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another data protection supervisory authority is necessary;31
• conduct investigations on the application of this Regulation, including on the basis of information received from another data protection supervisory authority or other public authority;32
• advise, on his or her own initiative or on request, all EU institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to the processing of personal data;33
• monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;34
• adopt standard contractual clauses referred to in Article 29(8) and in Article 48(2)(c);35
• establish and maintain a list in relation to the requirement for data protection impact assessment (pursuant to Article 39(4));36
• participate in the activities of the European Data Protection Board (EDPB);37
• provide the secretariat for the European Data Protection Board (EDPB), in accordance with Article 75 of Regulation (EU) 2016/679;38
• give advice on the processing (referred to in Article 40(2));39
• authorise contractual clauses and provisions referred to in Article 48(3);40
• keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2);41
• fulfil any other tasks related to the protection of personal data;42 and
• establish his or her Rules of Procedure.43

21 Ibid Art 54(4). 22 Ibid Art 54(5). 23 Ibid Art 55(1). 24 Ibid Art 55(2). 25 Ibid Art 55(3). 26 Ibid Art 55(4). 27 Ibid Art 57(1)(a). 28 Ibid Art 57(1)(b). 29 Ibid Art 57(1)(c). 30 Ibid Art 57(1)(d). 31 Ibid Art 57(1)(e). 32 Ibid Art 57(1)(f). 33 Ibid Art 57(1)(g). 34 Ibid Art 57(1)(h). 35 Ibid Art 57(1)(i). 36 Ibid Art 57(1)(j). 37 Ibid Art 57(1)(k).

Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the European Data Protection Supervisor may refuse to act on the request.44 The European Data Protection Supervisor will bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

POWERS 7.11 The European Data Protection Supervisor has investigative powers, corrective powers, authorisation and advisory powers, and power to refer the matter to the CJEU.45

INVESTIGATIVE POWERS 7.12 The European Data Protection Supervisor has the following investigative powers:

• to order the controller and the processor to provide any information it requires for the performance of his or her tasks;
• to carry out investigations in the form of data protection audits;
• to notify the controller or the processor of an alleged infringement of this Regulation;
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of his or her tasks; and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU law.46

38 Ibid Art 57(1)(l). 39 Ibid Art 57(1)(m). 40 Ibid Art 57(1)(n). 41 Ibid Art 57(1)(o). 42 Ibid Art 57(1)(p). 43 Ibid Art 57(1)(g). 44 Ibid Art 57(4). 45 Ibid Art 58.

CORRECTIVE POWERS 7.13 The European Data Protection Supervisor has the following corrective powers:

• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;47
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;48
• to refer matters to the controller or processor concerned and, if necessary, to the European Parliament, the Council and the Commission;49
• to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;50
• to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;51
• to order the controller to communicate a personal data breach to the data subject;52
• to impose a temporary or definitive limitation including a ban on processing;53
• to order the rectification or erasure of personal data or restriction of processing (pursuant to Articles 18, 19 and 20) and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 19(2) and Article 21;54
• to impose an administrative fine (pursuant to Article 66) in the case of non-compliance by an EU institution or body with one of the measures referred to in points (d) to (h) and (j) of this paragraph, depending on the circumstances of each individual case;55 and
• to order the suspension of data flows to a recipient in a Member State, a third country or to an international organisation.56

46 Ibid Art 58(1). 47 Ibid Art 58(2)(a). 48 Ibid Art 58(2)(b). 49 Ibid Art 58(2)(c). 50 Ibid Art 58(2)(d). 51 Ibid Art 58(2)(e). 52 Ibid Art 58(2)(f). 53 Ibid Art 58(2)(g). 54 Ibid Art 58(2)(h). 55 Ibid Art 58(2)(i).

AUTHORISATION AND ADVISORY POWERS 7.14 The European Data Protection Supervisor must have the following authorisation and advisory powers:

• to advise data subjects in the exercise of their rights;57
• to advise the controller in accordance with the prior consultation procedure referred to in Article 40, and in accordance with Article 41(2);58
• to issue, on his or her own initiative or on request, opinions to EU institutions and bodies and to the public on any issue related to the protection of personal data;59
• to adopt standard data protection clauses referred to in Article 29(8)(c) and in Article 48(2);60
• to authorise contractual clauses referred to in Article 48(3)(a);61
• to authorise administrative arrangements referred to in Article 48(3)(b);62 and
• to authorise processing operations pursuant to implementing acts adopted under Article 40(4).63

The European Data Protection Supervisor must have the power to refer the matter to the CJEU under the conditions provided for in the Treaties and to intervene in actions brought before the CJEU.64 The exercise of the powers conferred on the European Data Protection Supervisor pursuant to this Article must be subject to appropriate safeguards, including effective judicial remedies and due process, set out in EU law.65

BREACH NOTIFICATIONS 7.15 Article 34 of Regulation 2018/1725 provides for the notification of a personal data breach to the European Data Protection Supervisor.

In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the European Data Protection Supervisor, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.66 Where the notification to the European Data Protection Supervisor is not made within 72 hours, it must be accompanied by reasons for the delay.67 The processor must notify the controller without undue delay after becoming aware of a personal data breach.68 The notification must at least:

• describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• communicate the name and contact details of the data protection officer;
• describe the likely consequences of the personal data breach; and
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.69

Where and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.70 The controller must inform the data protection officer about the personal data breach.71 The controller must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation must enable the European Data Protection Supervisor to verify compliance with this Article.72

56 Ibid Art 58(2)(j). 57 Ibid Art 58(3)(a). 58 Ibid Art 58(3)(b). 59 Ibid Art 58(3)(c). 60 Ibid Art 58(3)(d). 61 Ibid Art 58(3)(e). 62 Ibid Art 58(3)(f). 63 Ibid Art 58(3)(g). 64 Ibid Art 58(4). 65 Ibid Art 58(5).

GUIDELINES 7.16 The European Data Protection Supervisor also issues influential guidance and guidelines. These include,

• International data transfers after Brexit;
• Information note on international data transfers after Brexit;
• Data Protection Impact Assessment List;
  Under Article 39(4) of Regulation (EU) 2018/1725, the EDPS must adopt a list of the kinds of processing operations subject to a data protection impact assessment (DPIA).73 Under paragraph 5 of the same Article, the EDPS may adopt a list of the kinds of processing operations not subject to a DPIA. For further information on how to use this list, please see the Accountability on the ground toolkit (17 July 2019);
• Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies (16 July 2019);
• EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data (25 February 2019);
• EDPS Guidance on Article 25 of the Regulation 2018/1725 and internal rules (20 December 2018);
• EDPS guidelines on personal data breach notification for the European Union Institutions and Bodies (7 December 2018);
• IT governance and IT management (23 March 2018); and
• Guidelines on the use of cloud computing services by the European institutions and bodies (16 March 2018).

66 Ibid Art 34(1). 67 Ibid. 68 Ibid Art 34(2). 69 Ibid Art 34(3). 70 Ibid Art 34(4). 71 Ibid Art 34(5). 72 Ibid Art 34(6).

The European Data Protection Supervisor also refers to a list of topics and issues upon which it has, or will, issue guidance, documentation or commentary, which include the following:

• accountability;
• artificial intelligence;
• Big Data & Digital Clearinghouse;
• borders, asylum, migration;
• case law and litigation;
• Charter of Fundamental Rights;
• common foreign and security policy;
• competition;
• consumers;
• data breach;
• Data Protection Officer (DPO);
• digital single market;
• electronic communications, information society;
• ethics;
• eGovernment;
• ePrivacy Directive;
• finance and economy;
• General Data Protection Regulation (GDPR);
• health;
• IPEN;
• information security;
• internal market;
• international agreements;
• international cooperation;
• international standards;
• Internet of Things (IoT);
• interoperability;
• judicial cooperation;
• large-scale IT systems;
• necessity and proportionality;
• net neutrality;
• personal information management system;
• police cooperation;
• Police Directive;
• privacy by default (also note data protection by default);
• privacy by design (PbD) (also note data protection by design (DPbD));
• privacy in the EU institutions;
• Regulation 2018/1725;
• Regulation 45/2001;
• research and science;
• rights of the individual;
• robotics;
• supervision coordination;
• surveillance;
• technologies;
• transfers of data;
• transparency;
• transport; and
• whistleblowing.

It also refers to so-called current ‘hot topic’ issues, namely:

• artificial intelligence;
• Big Data & Digital Clearinghouse;
• competition;
• data breach;
• ethics;
• IPEN;
• international agreements;
• international cooperation;
• Internet of Things (IoT); and
• necessity and proportionality.

73 See also Warren, A, Bayley, R, Bennett, C, Charlesworth, A, Clarke, R and Oppenheim, C ‘Privacy Impact Assessments: International Experience as a Basis for UK Guidance’ Computer Law and Security Review: The International Journal of Technology and Practice (2008)(24:3) 233; Friedewald, M, Hansen, M, Bieker, F and Obersteller, H, ‘A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation’ conference, 4th Annual Privacy Forum, APF 2016 (2016).

There is also a resource bank referred to as a reference library, which refers to the following:

• access to eCommunications data when an employee is absent;
• administrative inquiries and disciplinary proceedings;
• anti-harassment procedures;
• anti-fraud procedures;
• asset freezing;
• Big Data;
• blacklisting and early warning systems;
• Data Protection Officer (DPO);
• evaluation of staff;
• health data in the workplace;
• information security;
• international transfers;
• leave management;
• mobile devices;
• prevention of conflicts of interest;
• private use of electronic communications in the workplace;
• procurement and external experts;
• selection and recruitment of staff;
• video-surveillance; and
• whistleblowing.

INTERNATIONAL COOPERATION 7.17 It also provided a non-exhaustive list of international cooperation frameworks in relation to data protection and privacy matters. This list contains the following:

• Council of Europe (CoE) – international institution which promotes human rights, including data protection. The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) is open to accession by both European and non-European countries.
• Organisation for Economic Cooperation and Development (OECD) – international organisation which promotes the improvement of economic and social lives of people around the world. Its Working Party on Security and Privacy in the Digital Economy (SPDE) works on policies which ensure that digital security and privacy protection support the development of the digital economy.
• International Conference of Data Protection and Privacy Commissioners (ICDPPC) – global conference.
• Spring Conference of European Data Protection Authorities.
• Global Privacy Enforcement Network (GPEN) – network of privacy enforcement authorities.
• Berlin Group – International Working Group on Data Protection in Telecommunications (ICDPPC).
• French-speaking Association of Personal Data Protection Authorities (AFAPDP).
• Central and Eastern Europe Data Protection Authorities (CEEDPA).
• Asia Pacific Privacy Forum (APPA) – network of Asian privacy authorities.
• Asia-Pacific Economic Cooperation (APEC).
• Common Thread Network (CTN).
• Ibero-American data protection network (RIPD).

PROFESSIONAL SECRECY 7.18 The European Data Protection Supervisor and his or her staff must, both during and after their term of office, be subject to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.74

CONCLUSION 7.19 The European Data Protection Supervisor plays an important role in terms of the regulation and oversight of data protection and rights compliance in relation to the employees and activities of the respective EU institutions. However, in recent years it has played an important role in terms of discussing and promoting data protection issues as well as highlighting new and developing issues – including to a wider community than just the EU institutions themselves. It also has an important role in terms of being a part of the EDPB (in addition to the members of the respective data protection supervisory authorities in the Member States).

74 Regulation 2018/1725 Art 56.


CHAPTER 8

Data Protection and Privacy Regulation in US

INTRODUCTION 8.1 Increasingly many of the issues that are of concern in data protection and privacy are similar regardless of location. This includes the US as much as it does the UK. These issues naturally concern the appropriate data protection and privacy regulator or data protection supervisory authority. In the US, however, there is no federal law equivalent to the GDPR. There is equally no exact equivalent of a data protection ‘supervisory authority’ as exists in the EU, such as the Information Commissioner’s Office (ICO).1

FEDERAL PRIVACY GAP 8.2 The legal background and status of privacy law is different in the US than in the UK or EU. Data protection and privacy in the US are somewhat different than in the EU to the extent that presently there is no overarching general federal data protection and privacy law equivalent to the GDPR (nor indeed equivalent to the previous data protection Directive 95/46).2 Rather data protection and privacy interests are protected on an individual issue or sector-by-sector approach. Under this model, while certain issues are therefore expressly protected, most issues and sectors are not protected at all. Each issue and sector requires its own specific data protection and privacy legislation to be enacted – but this has not occurred and without it there is largely no federal protection.3 Hence, the federal privacy gap.

CURRENT FEDERAL APPROACH 8.3 As mentioned above, the US approach (prior to and apart from recent moves and calls for a general federal data protection and privacy law) has been issue and sector specific. These areas where there is some data protection and privacy regulation at a US federal level include:

• personal video rentals and video rental histories (dating, however, from a pre-streaming era);4
• financial sector;5
• telecoms sector;6
• certain personal health data (but also dating from an era pre the recent explosion in personal health and personal wellness applications);7
• credit reporting;8
• certain personal data pertaining to children (particularly marketing focused);9 and
• certain direct marketing activities and personal data (a frequent, if not growing, area of contention).10

1 GDPR Art 4(21). 2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 3 Note generally also Eric P Robinson, US chapter in Lambert, P, International Handbook of Social Media Laws (Bloomsbury, 2014) 617.

PRIVACY INTERESTS AND EU–US PRIVACY BRIDGES 8.4 There is also additional research in terms of reconciling EU and US privacy enforcement differences.11 Efforts have been made to bridge the divide in common interest in EU and US privacy interests.12 The Privacy Bridges project involves researchers from the US and EU. The mission of the research is indicated as follows:

‘The EU and US share a common commitment to privacy protection as a cornerstone of democracy. Following the Treaty of Lisbon, data privacy is a fundamental right that the European Union must proactively guarantee. In the United States, data privacy derives from constitutional protections in the First, Fourth and Fifth Amendment as well as federal and state statute, consumer protection law and common law. The ultimate goal of effective privacy protection is shared. However, current friction between the two legal systems poses challenges to realizing privacy and the free flow of information across the Atlantic. Recent expansion of online surveillance practices underline these challenges. Over nine months, the group prepared a consensus report outlining a menu of privacy “bridges” that can be built to bring the European Union and the United States closer together. The efforts are aimed at providing a framework of practical options that advance strong, globally-accepted privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions.’13

4 Video Privacy Protection Act, dating from 1988. 18 USC § 2710. Codified at 18 USC § 2710 (2002). 5 Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. 6 Electronic Communications Privacy Act (ECPA) Pub.L. 99–508§. 7 Health Insurance Portability and Accountability Act (HIPAA) Pub.L. 104–191; Family Educational Rights and Privacy Act (FERPA) 20 USC § 1232g. 8 Fair Credit Reporting Act (FCRA), 15 USC § 1681. 9 Children’s Online Privacy Protection Act (COPPA) 15 USC §§ 6501–6506. Google and YouTube were recently fined in relation to children’s data collection. 10 Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, Pub.L.108–187. 11 Narielwala, N, ‘Post-Digital Era Reconciliation Between United States and European Union Privacy Law Enforcement’ Washington University Global Studies Law Review (2018) (17:3) 707. 12 See, for example, Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions, report (Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory and the Institute for Information Law of the University of Amsterdam, 21 October 2015); also https://privacybridges.mit.edu/.

The research output, in the form of a report entitled Privacy Bridges, EU and US Experts in Search of Transatlantic Privacy Solutions,14 identifies and researches certain specific areas of common concern and interest.

Bridge 1: Deepen the Art. 29 Working Party/Federal Trade Commission relationship
Bridge 2: User controls
Bridge 3: New approaches to transparency
Bridge 4: User-complaint mechanisms: Redress of violations outside a user’s region
Bridge 5: Government access to private sector personal data
Bridge 6: Best practices for de-identification of personal data
Bridge 7: Best practices for security breach notification
Bridge 8: Accountability
Bridge 9: Greater government-to-government engagement
Bridge 10: Collaborating on privacy research programmes.15

The report also comments on similarity and common interests as follows:

‘Globalization and technological advances pose common challenges to providing a progressive, sustainable model for protecting privacy in the global Internet environment. Tensions between different legal systems such as the European Union and the United States result in loss of confidence on the part of users and confusions by commercial entities. The goal of this report is to identify practical steps to bridge gaps between the existing approaches to data privacy of the European Union (EU) and the United States (US), in a way that produces a high level of protection, furthering the interests of individuals and increasing certainty for commercial organizations. These “privacy bridges” are designed to advance strong privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions. While our focus is privacy protection in the transatlantic region, we hope that some, if not most, of these privacy bridges may prove useful in other regions as well. This report emerged from a series of in-person meetings and discussions among a group of independent EU and US experts in the field of privacy and data protection. This group was convened on the initiative of Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, and jointly organized by the Massachusetts Institute of Technology Cybersecurity and Internet Policy Research Initiative, and the University of Amsterdam’s Institute for Information Law. We present ten privacy bridges that will both foster stronger transatlantic collaboration and advance privacy protection for individuals.’16

13 Privacy Bridges, ibid. 14 See Privacy Bridges, EU and US Experts in Search of Transatlantic Privacy Solutions. Available at: https://privacybridges.mit.edu/sites/default/files/documents/PrivacyBridges-FINAL.pdf. 15 Ibid.

There are also separate research and efforts to build understanding and bridges between computer science and data protection and privacy.17 Other research refers to bridges between data protection and privacy and other areas such as competition law and consumer law.18

INCREASING FEDERAL FOCUS

8.5 This lack of legislation has, however, become an increasing focus of attention and many politicians, policymakers and others are seeking to address the need for a general, global overarching federal data protection and privacy law in the US. There are various calls for an EU-style federal data protection framework in the US.19 Indeed, it is noteworthy that during 2019 there has been a notable increase in corporations recognising and also calling for a US federal data protection and privacy law. This was partly in response to the lack of a general federal privacy law, the large-scale gaps and the inconsistent patchwork, and partly prompted by Apple CEO Tim Cook’s speech at a prominent data protection conference in Brussels.20 The latter was soon followed by similar calls from other US corporations such as Microsoft and Facebook. Recently, Julie Brill (Deputy General Counsel at Microsoft) stated: ‘Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States.’21 Apple champions better tech responsibility, data protection and privacy.22 Many US tech companies have now announced support for a US general federal privacy law. However, as always, the devil will be in the detail.23 This has been broadly welcomed.24 There has also been commentary in terms of the need for guidance in implementing specific data protection and privacy issues.25 There is also related discussion in terms of the existing Federal Trade Commission (FTC) and its ambit in terms of privacy issues.26 There is even a call for an inter-American approach to data protection and privacy issues.27 Some have recognised the need for more data protection and privacy law in the US and even how it would be perceived to help to restore privacy interests for individuals or to restore the balance – which is argued to have shifted too far in favour of corporate (free-for-all) interests. A federal privacy law has been described as a ‘resurrection’ for privacy, allowing individuals (in the US) to ‘reclaim their lives’.28

16 Ibid at 5.
17 Nissim, K, Bembeneck, A, Wood, A, Bun, M, Gaboardi, M, Gasser, U, O’Brien, DR, Steinke, T and Vadhan, S, ‘Bridging the Gap between Computer Science and Legal Approaches to Privacy’ Harvard Journal of Law & Technology (Harvard JOLT) (2018)(31:2) 687.
18 Graef, I, Valcke, P and Clifford, D, ‘Fairness and Enforcement: Bridging Competition, Data Protection and Consumer Law’ International Data Privacy Law (2018)(8:3) 200.
19 Pope, C, ‘Biometric Data Collection in an Unprotected World: Exploring the Need for Federal Legislation Protecting Biometric Data’ Journal of Law and Policy (2018)(26:2) 769; Myers, JM, ‘Creating Data Protection Legislation in the United States: An Examination of Current Legislation in the European Union’ Case Western Reserve Journal of International Law (1997)(29:1) 109; Cutler, S, ‘The Face-Off Between Data Privacy and Discovery: Why US Courts Should Respect EU Data Privacy Law When Considering the Production of Protected Information’ Boston College Law Review (2018)(59:4) 1512.
20 Cook, T, at Debating Ethics, 2018 International Conference of Data Protection and Privacy Commissioners, Brussels, 24 October 2018. Cook, T, ‘Privacy Speech at ICDPPC 2018’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 8.

21 Referred to in Davies, J, ‘Microsoft Starts Ruffling Privacy Feathers in the US’ Telecoms.com, 21 May 2019.
22 Cook, T, ‘Privacy Speech at ICDPPC 2018’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 8.
23 The concept of personal dignity is also being considered in terms of an additional basis of, or separate justification for individual rights and remedies. de Hingh, A, ‘Some Reflections on Dignity as an Alternative Legal Concept in Data Protection Regulation’ German Law Journal (2018)(19:5) 1269.
24 European Data Protection Supervisor, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Data Protection Commission Ireland, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Raether, P, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Fernández, D, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Bartel, P, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Farley, J, ‘Reactions and Comments to Apple’s Tim Cook’s ICDPPC Privacy Speech’ IDPP; Landes-Gronowski, L, ‘Comment on Tim Cook’s Brussels Speech’ – each of the above in the International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018) 12, and (2018)(2:11) 25.
25 Webb, HC, ‘“People Don’t Forget”: The Necessity of Legislative Guidance in Implementing a US Right to Be Forgotten’ George Washington Law Review (2017)(85:4) 1304.
26 Hoofnagle, CJ, Federal Trade Commission Privacy Law and Policy (CUP, 2016); Solove, DJ and Hartzog, W, ‘The FTC and the New Common Law of Privacy’ Columbia Law Review (2014)(114:3) 583.
27 Garrido Villareal, M, ‘The Grey Digital Divide and the Right to be Forgotten: An InterAmerican Approach’ Asia Pacific Journal of Health Law & Ethics (2017)(11:1) 83.
28 Shuntich, S, ‘The Life, the Death and the Long-Awaited Resurrection of Privacy: How Americans Can Reclaim Their Lives From the Internet With a Right to be Forgotten’ Human Rights (2016)(41:4) 2.

STATES LEAD BY EXAMPLE

8.6 Below the important federal level, there are, however, hundreds of individual state laws which deal directly and indirectly with certain data protection and privacy issues. There is, unfortunately, a great disparity between these and they are neither uniform nor equivalent to federal law, thus causing compliance, transparency, certainty and cost issues for corporations and other entities, as well as individuals. A further difficulty is that some of the state laws are unique to one state or a small number of states. However, there are other issues which, when addressed by one state’s laws, are followed in some manner by many others. Examples of the latter include so-called Spam laws, and also data breach and data breach notification laws. (It must be pointed out, however, that just because most states may have a Spam law (or to be specific an anti-Spam law), or a data breach law (eg a notification mandate to notify data breaches to a nominated state regulator and/or to notify individual victims affected by a given data breach), does not mean that all states will have exactly the same laws, rules and mandates.) In many instances, there can be a wide disparity as between issues or sector-specific data laws in respective US states. Obviously, this complexity can provide difficulties for both individuals and corporate entities. Some of the other examples of state data laws include rules on data security, data disposals, data policies (eg privacy policies and privacy statements online), social security number access and usage.

Pending a uniform federal privacy law, some of the states are leading by example. Other state laws can sometimes be useful in leading a path for other states to follow (or even for federal laws to follow). Often California and New York are at the forefront of seeking to address existing or developing data problem issues. A recent example of this is the California Consumer Privacy Act 2018 (CCPA). California and the California Consumer Privacy Act (CCPA) are positively compared to the GDPR.29 The important ‘go live’ date for the CCPA is 1 January 2020.
The CCPA is significant because of its broad reach across all sectors, new definitions and new obligations on companies and organisations on the collection, use and transfer (disclosure) of personal data. EU and California state data protection interests30 and rules are actually quite similar and are certainly interested in seeking to recognise and protect the rights and interests of individual data subjects. It may be that an express US RtbF is state based before it is federal based. However, there is increasing pressure in the US for a US federal privacy law. Adding momentum to this is the increasing vocal support for such a law from technology companies, including Apple,31 Facebook, Microsoft and Twitter.

29 Pardau, SL, ‘The California Consumer Privacy Act: Towards a European-Style Privacy Regime in the United States’ Journal of Technology Law & Policy (2018–2019)(23:1) 68.
30 Vogel, D and Swinnen, JFM, Transatlantic Regulatory Cooperation: The Shifting Roles of the EU, the US and California (Edward Elgar, 2011).
31 Cook, T, ‘Privacy Speech at ICDPPC 2018’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 8.

THE FTC AS A FEDERAL DPP REGULATOR

8.7 It is very important to note that one of the federal regulators does have a significant role in relation to the use of personal data. While not originally intended to be the same as data protection supervisory authorities as envisaged under EU data protection laws, the US Federal Trade Commission (FTC) has utilised federal level consumer protection laws to deal with certain consumer data privacy problems. The FTC is broadly acknowledged as the de facto federal data protection and privacy regulator in the US – notwithstanding the current lack of a general, overarching data protection and privacy law at federal level.

The FTC was created in 1914 (well before the modern internet) when President Woodrow Wilson signed the Federal Trade Commission Act into law. Its mission is to protect consumers and promote competition.32 The FTC is ‘a bipartisan federal agency with a unique dual mission to protect consumers and promote competition’.33 However, its consumer protection role has allowed it to expand to privacy and technology-related issues in pursuit of consumer protection. This (arguably unofficial) ambit has expanded as the complexities of technology increase.34 That, however, does not mean that there is any less need for a general federal law, or a general law expressly cementing the FTC’s personal data role.

The FTC role is specifically to deal with so-called deceptive practices prejudicing consumers. This is taken to include deceptive or unfair data and privacy activities affecting consumers. On a number of occasions, the FTC has investigated data complaints and data problem issues and also issued sanctions including fines and penalties. There have also been several settlement agreements under which individual companies have agreed to changes and long-lasting data protection and privacy reviews.

The FTC ‘develops policy and research tools through hearings, workshops, and conferences’. It also collaborates with law enforcement partners across the country (and around the world) to advance consumer protection and competition. Outside the US, it ‘cooperate[s] with international agencies and organizations to protect consumers in the global marketplace’.35 It seeks to protect consumers by ‘stopping unfair, deceptive or fraudulent practices in the marketplace. We conduct investigations, sue companies and people that violate the law, develop rules to ensure a vibrant marketplace, and educate consumers and businesses about their rights and responsibilities’. It ‘collect[s] complaints about hundreds of issues from data security and deceptive advertising to identity theft and Do Not Call violations, and make them available to law enforcement agencies worldwide for follow-up’. It refers to its ‘experienced and motivated staff us[ing] 21st century tools to anticipate – and respond to – changes in the marketplace’.36

The role of the FTC should not be underestimated. Its ability to levy fines and penalties is not insignificant. During 2019 it has fined Facebook $5 billion in relation to certain breaches relating to unauthorised collection and profiling of citizen data for election profiling and manipulation purposes, including, in particular, activities relating to Cambridge Analytica.37 By contrast, Facebook has been fined £500 million by the Information Commissioner’s Office in the UK (the UK data protection supervisory authority) in relation to the same or similar activities.38 The FTC has also fined YouTube $170 million in relation to the unauthorised collection and use of children’s personal data without parental consent and in breach of the Children’s Online Privacy Protection Act (COPPA).39 (COPPA is one of the US federal data protection and privacy laws.)

Importantly, as well as enforcing compliance with existing laws, the FTC also has the authority to establish rules in certain areas (some of which relate to personal data issues). A general federal privacy law would certainly elevate the protection for individuals’ personal data beyond the current complex patchwork, but would also have the benefit of certainty, clarity and streamlined compliance for businesses. The exact nature and timeframe for such a federal law is not yet certain. There are, however, a number of federal proposed laws.

32 FTC, Our History. Available at: www.ftc.gov.
33 FTC, What We Do. Available at: www.ftc.gov.
34 Weaver, JF, ‘Everything Is Not Terminator: Helping AI to Comply with the Federal Trade Commission Act’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2019)(2:4) 291; Hoofnagle, CJ, ‘Assessing the Federal Trade Commission’s Privacy Assessments’ IEEE, Privacy Security & Privacy (2016)(14:2) 58; Rustad, ML, and Koenig, TH, ‘Towards a Global Data Privacy Standard’ Florida Law Review (2019)(71:2) 365.
35 FTC, What We Do. Available at: www.ftc.gov.

36 Ibid.
37 United States of America (on behalf of the Federal Trade Commission) v Facebook Inc, case 19-cv-2184.
38 ICO Monetary Penalty Notice, 24 October 2018. Available at: https://ico.org.uk/media/actionweve-taken/mpns/2260051/r-facebook-mpn-20181024.pdf.
39 United States of America (on behalf of the Federal Trade Commission) and People of the State of New York, by Letitia James, Attorney General of the State of New York v Google LLC and YouTube, LLC, FTC case 172 3083, court case 1:19-cv-02642, 2019.

EU DATA TRANSFER TO THE US

8.8 Some issues can be very problematic, not least the best way to provide for the protection of personal data which may be sought to be transferred from the EU to the US. Under the EU data protection regime, including the new GDPR, there is a de facto safeguard ban on the transfer of personal data to locations outside of the EU/EEA – unless one of a limited number of exemptions can be satisfied. These exemptions are:

• country adequacy decisions as determined, after a detailed examination process, by the EU Commission, determining that there is an adequate level of protection for personal data in the recipient country;
• standard contractual clause rules, as approved by the EU Commission;
• binding corporate rules, for an organisation and which are individually approved by one of the respective national data protection supervisory authorities;
• EU–US data transfers as covered by the EU–US Privacy Shield;
• certification;
• codes of conduct; or
• as otherwise individually approved officially.

There can also be international agreements permitting certain data transfers specific to particular sectors (eg rules pertaining to passenger names and tracking terrorist financing). The US is not an EU/EEA Member State and, as such, is deemed a third country for personal data transfer purposes. It is also deemed to have a lesser standard of protection in relation to personal data, particularly that which may be proposed to be sent to this country from the EU. Therefore, in order to receive transfers of personal data from the EU, such transfers must fit within a specific approved exemption mechanism. The question arises, therefore, whether there is an approved mechanism to facilitate personal data transfers from the EU to this third country.

NO SAFE HARBOUR

8.9 The initial mechanism to assist privacy transfers from the EU to the US and to deal with the default transfer ban (given that the US is a third country and deemed not to have identical, equivalent or adequate protection for personal data), was called the EU–US Safe Harbour arrangement. However, this data transfer regime was struck down by the Court of Justice in the Schrems case (Schrems 1).40 The Safe Harbour regime was held to be invalid. For transfer to continue or recommence, as the case may be, the Safe Harbour regime would have to be renegotiated.

40 Maximilian Schrems v Data Protection Commissioner, Court of Justice, Case C-362/14, 6 October 2015. The case is technically related to Prism and Facebook Europe and transfers to the US. However, the wider import turned out to be the entire EU–US  Safe Harbour Agreement and data transfers to the US. Note the WP29 statement on the case: ‘Statement on the implementation of the judgment of the Court of Justice of the European Union of 6 October 2015 in Maximilian Schrems v Data Protection Commissioner (C-362/14).’


EU–US PRIVACY SHIELD

8.10 Negotiations between the EU Commission and the US authorities commenced after the CJEU decision striking down the Safe Harbour arrangement. The replacement agreement is entitled the EU–US Privacy Shield. It should also be noted that there have been some concerns that the same or similar reasons for the striking down of the Safe Harbour regime may cause concerns for some of the other transfer legitimising mechanisms. It remains to be seen if further challenges or concerns will arise. The EU approved certain personal data transfers to the US by way of a review and the Safe Harbour arrangement (see Schrems v Data Protection Commissioner (Schrems 1)),41 which was deemed unlawful by the CJEU (in Schrems 1) and subsequently replaced by the Privacy Shield arrangement.42

‘In the light of the fact that the level of protection afforded by the US legal order may be liable to change, the Commission, following adoption of this decision, will check periodically whether the findings relating to the adequacy of the level of protection ensured by the United States under the EU-US Privacy Shield are still factually and legally justified. Such a check is required, in any event, when the Commission acquires any information giving rise to a justified doubt in that regard.’43

ANNUAL REVIEW

8.11 The Privacy Shield arrangement is ‘subject to an Annual Joint Review which will cover all aspects of the functioning of the EU-US Privacy Shield, including the operation of the national security and law enforcement exceptions to the Principles. In addition, since the adequacy finding may also be influenced by legal developments in [EU] law, the entry into application of the GDPR’.44 The Third Annual Review of the Privacy Shield was carried out on 12 September 2019.45 It was attended by EU Commissioner Věra Jourová and US Commerce Secretary Wilbur Ross, who welcomed the fact that Privacy Shield now involves 5,000 active US company participants.46

The FTC prosecuted and reached settlements with five companies over allegations that they falsely claimed certification under the EU–US Privacy Shield Framework. As part of the settlements with the FTC, all five companies are prohibited from misrepresenting their participation in any privacy or security programme sponsored by a government or any self-regulatory or standard-setting organisation. In conjunction with the announcement, the FTC issued a blog post reminding companies about the obligations associated with certifying under Privacy Shield and the potential consequences of making false claims regarding Privacy Shield participation.47

The FTC reached a settlement with a background screening company over allegations that it falsely claimed to be a participant in the EU–US and Swiss–US Privacy Shield Frameworks. As part of its settlement with the FTC, the company is prohibited from misrepresenting its participation in any privacy or security programme sponsored by a government or any self-regulatory or standard-setting organisation. Separately, the FTC sent warning letters to 13 companies who had falsely claimed they were participants in the US–EU Safe Harbour and the US–Swiss Safe Harbour Frameworks. These Safe Harbour frameworks are no longer in place and the last valid self-certifications for both frameworks have expired.48

41 Schrems v Data Protection Commissioner, joined party Digital Rights Ireland, CJEU, Case C-362/14, 6 October 2015.
42 See Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU–U.S. Privacy Shield (notified under document C(2016) 4176). OJ L 207/1.
43 2016/61250, para 145.
44 Ibid, para 146.
45 See ‘Remarks by Secretary Wilbur Ross at the Privacy Shield Framework, Third Annual Review’. Available at: www.commerce.gov/news/speeches/2019/09/remarks-secretary-wilburross-privacy-shield-framework-third-annual-review. Also see the Joint Press Statement from Commissioner Věra Jourová and Secretary of Commerce Wilbur Ross on the Third Annual EU–US Privacy Shield Review. Available at: www.commerce.gov/news/press-releases/2019/09/joint-press-statement-commissioner-vera-jourova-and-secretary-commerce.

FTC ACTIONS

8.12 The FTC filed an administrative complaint against data analytics company Cambridge Analytica for allegedly employing deceptive tactics to harvest personal information for voter profiling and targeting. The FTC also alleges that Cambridge Analytica falsely claimed that it was a participant in the EU–US Privacy Shield and failed to adhere to the Privacy Shield requirement that companies who cease to participate in the programme affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected pursuant to it. The US seeks to ensure the integrity of the Privacy Shield programme.49

Some of the recent FTC actions, fines, prosecutions and/or settlements include:

• Facebook fine of $5 billion;50
• YouTube and Google fine of $170 million;51
• LifeLock fine of $100 million for breach of previous settlement order;52 and
• various actions in relation to non-compliance with the EU–US Privacy Shield requirements.

46 Statement on 1 January 2019.
47 Statement on 3 September 2018.
48 Statement on 14 June 2019.
49 Statement on 24 July 2019.
50 This relates to breaches involved in the Facebook and Cambridge Analytica scandal, tied to the Russian attack on the 2016 US Presidential election.
51 This relates to breaches involved in the collection of children’s personal data.

FEDERAL LAW PROPOSALS

8.13 The main proposals for new federal privacy laws include:

• the Social Media Privacy and Consumer Rights Act (proposed by Senators Amy Klobuchar and John Kennedy);
• the American Data Dissemination Act (ADD) (proposed by Senator Marco Rubio);
• the Consumer Data Protection Act (proposed by Senator Ron Wyden);
• the Data Care Act (proposed by Senator Schatz);
• the Information Transparency and Personal Data Control Act (H.R. 6864) (introduced by Representative Suzan DelBene);
• an Internet Bill of Rights (proposed by Representative Ro Khanna);
• a federal baseline privacy legislation (Centre for Democracy and Technology);
• the Innovative and Ethical Data Use Act (David Hoffman of Intel); and
• the Consumer Rights, Integrity, Safety and Privacy in Information (CRISPI) Act (an academic proposal).

There is increasing pressure for federal measures with the increasing awareness of the harm to individuals and society caused by issues such as mass data breaches.53 There is some recognition that there are a number of diverse issues which need attention (to protect individuals), that piecemeal patches may no longer be sufficient, and that a more comprehensive approach to solutions is needed.54 EPIC (a privacy rights and promotion group) has also made recommendations for the FTC’s activities.55

Given the interest in this area, there may be further proposals. It is as yet unclear when one or more of these will pass. Regardless of being in the UK or US (or elsewhere), it is important to keep in mind federal and FTC developments in the US.56

52 See www.ftc.gov/enforcement/cases-proceedings/072-3069-x100023/lifelock-inc-corporation.
53 Kuhn, McKenzie L, ‘147 Million Social Security Numbers for Sale: Developing Data Protection Legislation After Mass Cybersecurity Breaches’ Iowa Law Review (2018)(104:1) 417.
54 Purcell, C and Zhan, J, ‘Adapting US Privacy Laws to the Internet: Is Patching Enough?’ 2007 International Conference on Machine Learning and Cybernetics 5:3000–3005 Aug, 2007; Sloane, JN, ‘Raising Data Privacy Standards: The United States’ Need for a Uniform Data Protection Regulation’ John Marshall Law Journal (2018–2019)(12) 23.
55 ‘EPIC Privacy and Data Protection Recommendations for FTC Strategic Plan’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:1) 15.

CONCLUSION

8.14 At the end of the day all individuals and generally have the same interests and the same concerns. People, both in the US and the EU, all have data protection and privacy interests.57 EU and California state data protection interests58 and rules are actually quite similar and are certainly interested in seeking to recognise and protect the rights and interests of individual data subjects. There is growing pressure in the US for a general federal privacy law.59 Adding momentum to this is the increasing vocal support for such a law from technology companies, including Apple,60 Facebook, Microsoft and Twitter.

There is also significant discussion in the US on its own perspective on a range of data protection and privacy issues ranging from commentary,61 assessments,62 US attitudes,63 consideration of EU–US data transfers,64 search engines,65 implications for existing case law,66 US constitutional issues,67 US privacy issues and laws,68 EU and US norms,69 US and EU data protection laws70 and US–EU data protection issues and protections,71 as well as specific issues such as the right to be forgotten (RtbF).72 Some of these reactions are disproportionate. Some may be self-interested. Frequently, they neither address nor take into account the interests of individuals or the problem content issues they face. These must be put into the proper context.

It should also be assumed that the FTC’s role will expand significantly if a general federal data protection and privacy law is passed in the US. It is expected that there will be US–UK trade negotiations following the recent election. However, any such trade deal would have to respect data protection interests and standards, and maintain standards and protections for personal data. Any changes, diminutions or erosion of protection – or the creation of gaps – would be potentially counterproductive to corresponding negotiations with the EU and an EU adequacy decision for the UK.

56 See, for example, Boshell, PM, ‘Survey of Developments in Federal Privacy Law’ Business Lawyer (2018–2019)(74) 191.
57 Weiss, MA and Archick, K, Data Privacy and Protection in the EU and the United States (Congressional Research Service: Report: 2/12/2016) 1.
58 Vogel, D and Swinnen, J FM, Transatlantic Regulatory Cooperation: The Shifting Roles of the EU, the US and California (Elgar, 2011).
59 Humerick, M, ‘The Tortoise and the Hare of International Data Privacy Law: Can the United States Catch up to Rising Global Standards’ Catholic University Journal of Law and Technology (2018)(27:1) 77. Purcell, C and Zhan, J, ‘Adapting US Privacy Laws to the Internet: Is Patching Enough?’ 2007 International Conference on Machine Learning and Cybernetics 2007 5:3000–3005 Aug, 2007.
60 Cook, T, ‘Privacy Speech at ICDPPC 2018’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 8.
61 Kelly, JM and Satola, D, ‘The Right to be Forgotten’ University of Illinois Law Review (2017)(1) 65.
62 Lyons, D, ‘Assessing the Right to be Forgotten’ Boston Bar Journal (2015)(59:4) 26.
63 Bode, L and Jones, M, ‘Ready to Forget: American Attitudes Toward the Right to Be Forgotten’ Information Society (2017)(33:2) 76.
64 Kuner, C, Transborder Data Flows and Data Privacy Law (OUP, 2013); Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (November 2017)(106:1) 115; Rustad, ML and Kulevska, S, ‘Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow’ Harvard Journal of Law (2015)(28:2) 349; Berge, J-S, Grumbach, S and Zeno-Zencovich, V, ‘The Datasphere, Data Flows Beyond Control and the Challenges for Law and Governance’ European Journal of Comparative Law and Governance (2018)(5:2) 144.
65 Andrus, MT, ‘The Right to Be Forgotten in America: Have Search Engines Inadvertently Become Consumer Reporting Agencies’ Business Law Today (May 2016)(5) 1; Slane, A, ‘Search Engines and the Right to Be Forgotten: Squaring the Remedy with Canadian Values on Personal Information Flow’ Osgoode Hall Law Journal (2018)(55:2) 349.
66 Tobin, CD and Walz, CN, ‘Right to be Forgotten: Expungement Laws Raise New Challenges on the 40th Anniversary of Cox Broadcasting v Cohn’ Communications Lawyer (2015)(31:4) 4.

67 Andrus, MT, ‘Constitutional Issues in Granting Americans a “Right to Dispute” Personal Information with Search Engines Akin to the Existing Remedy Afforded to Europeans Via Europe’s Right to Be Forgotten’ Business Law Today (2016)(Nov) 1.
68 Myers, JM, ‘Creating Data Protection Legislation in the United States: An Examination of Current Legislation …’ Case Western Reserve Journal of International Law (Winter 97)(29:1) 109; Schreiber, C, ‘Google’s Targeted Advertising: An Analysis of Privacy Protections in an Internet Age’ Transnational Law (2014)(24:1) 269; Hoofnagle, CJ, Federal Trade Commission Privacy Law and Policy (CUP, 2016); Solove, DJ and Hartzog, W, ‘The FTC and the New Common Law of Privacy’ Columbia Law Review (2014)(114:3) 583; Hartzog, W, Privacy Blueprint, the Battle to Control Design of New Technologies (Harvard University Press, 2018); Hartzog, W, ‘Are Privacy Laws Deficient?’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 17; Richards, N and Hartzog, W, ‘Taking Trust Seriously in Privacy Law’ Stanford Technology Law Review (2016)(19:3) 431.
69 de Búrca, G and Scott, J, Law and New Governance in the EU and the US (Hart, 2006).
70 Vogel, D and Swinnen, JFM, Transatlantic Regulatory Cooperation: The Shifting Roles of the EU, the US and California (Edward Elgar, 2011).
71 Burkhard Hess, Prof Dr HC and Mariottini, Dr CM, Protecting Privacy in Private International and Procedural Law and by Data Protection: European and American Developments (Nomos, 2015); Miller, RA, Privacy and Power: A Transatlantic Dialogue in the Shadow of the NSA-Affair (CUP, 2017); Bennett, CJ and Raab, CD, ‘The Adequacy of Privacy: The European Union Data Protection Directive and the North American Response’ Information Society (1997)(13:3) 245; Berge, J-S, Grumbach, S, Zeno-Zencovich, V, ‘The Datasphere, Data Flows Beyond Control and the Challenges for Law and Governance’ European Journal of Comparative Law and Governance (2018)(5:2) 144; Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (2017)(106:1) 115.
72 McCarthy, HJ, ‘All the World’s a Stage: The European Right to be Forgotten Revisited from a US Perspective’ Journal of Intellectual Property Law (2016)(11:5) 360. See also GDPR Art 17 and Lambert, P, The Right to be Forgotten (Bloomsbury, 2019).


CHAPTER 9

Powers of National Data Protection Supervisory Authorities

INTRODUCTION

9.1 What happens if an organisation does not comply with the data protection regime when dealing with the personal data of its customers? Previously, the data protection supervisory authorities have had various powers of enforcement available. However, the new data protection regime enhances the powers and tools of enforcement. The vastly increased fines and penalties available, some of which can be linked to a percentage of turnover of the errant company or organisation, mean that the stakes for non-compliance are now significantly higher.

In dealing with a data incident and in planning for compliance with customer (and other) personal data, organisations must be aware of the various data protection supervisory authority enforcement powers. These emphasise the importance of consequences for non-compliance. Enforcement proceedings can be issued by the data protection supervisory authority resulting in significant fines and penalties. Potentially, individual customers may decide to sue for damage, loss and breach of their personal data rights.

When things go wrong, there can also be legal and publicity consequences for the organisation. An immediate cross-team effort is needed to deal with the impact of the data protection breach.1 However, in terms of real-time compliance and putting plans and personnel in place to deal with data events and data protection supervisory authorities as soon as these events arise, it is vital that companies and organisations raise their game. The enforcement consequences can now be very stark and financially costly. A range of additional orders and powers are also available to investigating data protection supervisory authorities.
We are still in the early stages of the new data protection regime and, as such, it is important for companies to familiarise themselves not just with the headline changes (such as their direct obligations and rights issues) but also with the options available to the data protection supervisory authorities. It is only a matter of time before many companies will be engaged with some of the new and enhanced powers and enforcement mechanisms.

1 Data protection compliance is also an important due diligence issue when organisations are reviewed for sale and purchase and, indeed, at other times. It can affect a sale or purchase as well as the value involved. In some instances where there is non-compliance, a customer database – in some instances, the most valuable asset of a commercial organisation – may have to be deleted. That is a real cost of non-compliance and not getting things right from day one.


Given that these new powers are still new, it is almost inevitable that one or more companies will seek to test their limits. They may disagree directly with a data protection supervisory authority on some action that it is engaging in or likely to undertake. When certain action decisions arise, a company may seek to appeal the decision. A large fine that the company disagrees with is perhaps the most obvious example. Yet, there are many other official actions with which a company may feel it disagrees. For instance, a company may be surprised that the data protection supervisory authority requires it to furnish a range of information and documents or is asking for access to its systems and data. In its planning, practice and preparation activities for data breaches and other data events, the company is also well advised to undertake advance consideration of the powers of the data protection supervisory authority. It should plan to ensure that its contact and communications with the data regulator run as smoothly and noncontentiously as possible. This is important in and of itself, but is also a strategy to assist in minimising possible fines or other actions. The area of enforcement is increasingly important2 and is also an area of increasing research focus.3

TYPES OF POWERS

9.2 A data protection ‘supervisory authority’ means ‘an independent public authority which is established by a Member State pursuant to Article 51’.4 The respective powers of the data protection supervisory authorities are very important. They are tools by which these authorities enforce, implement and promote the rules of the GDPR and data protection regime more generally. Of course, there are primary first principle obligations of compliance on the various controller and processor entities by which they themselves must ensure compliance. However, when they do not or there is some other type of breach, there are options of investigation and enforcement available to the data protection supervisory authorities.

Chapter VI of the GDPR refers to the independent national data protection supervisory authorities. Section 1 therein refers to independence issues, while Section 2 refers to competence, tasks and powers. There are various distinct types of powers provided to the data protection supervisory authorities. There are:

• investigative powers (see below);
• corrective powers (see below); and
• authorisation and advisory powers (see below).

2 Wright, D and de Hert, P, eds, Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer, 2016).
3 Ceross, A, ‘Examining Data Protection Enforcement Actions Through Qualitative Interviews and Data Exploration’ International Review of Law, Computers & Technology (2018)(32:1) 99.
4 GDPR Art 4(21).


The exercise of the powers conferred on the data protection supervisory authority pursuant to Article 58 must be subject to appropriate safeguards, including effective judicial remedy and due process, set out in EU and Member State law in accordance with the Charter.5 Each Member State must provide by law that its data protection supervisory authority must have the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of the GDPR.6 Each Member State may provide by law that its data protection supervisory authority must have additional powers to those referred to in paragraphs 1, 2 and 3 of Article 58.7 The exercise of those powers does not impair the effective operation of Chapter VII of the GDPR (cooperation and consistency).8

Pursuant to the new GDPR, each data protection supervisory authority must have the following investigative powers:

• to order the controller and the processor and, where applicable, their representative to provide any information it requires for the performance of its tasks;
• to carry out investigations in the form of data protection audits;
• to carry out a review on certifications issued (pursuant to Article 42(7));
• to notify the controller or the processor of an alleged infringement of the GDPR;
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU law or state procedural law.9

Each data protection supervisory authority must have the following corrective powers:

• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;

5 Ibid Art 58(4).
6 Ibid Art 58(5).
7 Ibid Art 58(6).
8 Ibid.
9 Ibid Art 58(1).




• to order the controller or the processor to comply with the data subject’s requests to exercise their rights pursuant to the GDPR;
• to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
• to order the controller to communicate a personal data breach to the data subject;
• to impose a temporary or definitive limitation including a ban on processing;
• to order the rectification or erasure of data (pursuant to Articles 16, 17 and 18) and the notification of such actions to recipients to whom the personal data have been disclosed (pursuant to Articles 17(2) and 19);
• to withdraw a certification or to order the certification body to withdraw a certification issued (pursuant to Articles 42 and 43), or to order the certification body not to issue certification if the requirements for the certification have not been, or are no longer, met;
• to impose an administrative fine (pursuant to Article 83), in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
• to order the suspension of data flows to a recipient in a third country or to an international organisation.10

Each data protection supervisory authority must have the following authorisation and advisory powers:

• to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
• to issue, on its own initiative or on request, opinions to the national parliament, the state government or, in accordance with national law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
• to authorise processing referred to in Article 36(5), if the law of the state requires such prior authorisation;
• to issue an opinion and approve draft codes of conduct (pursuant to Article 40(5));
• to accredit certification bodies (pursuant to Article 43);
• to issue certifications and approve criteria of certification in accordance with Article 42(5);
• to adopt standard data protection clauses referred to in Article 28(8) and in Article 43(2)(d);

10 Ibid Art 58(2).




• to authorise contractual clauses referred to in Article 46(3)(a);
• to authorise administrative agreements referred to in Article 46(3)(b); and
• to approve binding corporate rules (pursuant to Article 47).11

The exercise of the powers conferred on the data protection supervisory authority pursuant to this Article must be subject to appropriate safeguards, including effective judicial remedy and due process, set out in EU and state law in accordance with the Charter of Fundamental Rights of the EU.12 Each state must provide by law that its data protection supervisory authority must have the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to commence or otherwise engage in legal proceedings, in order to enforce the provisions of the GDPR.13 Each state may provide by law that its data protection supervisory authority must have additional powers to those referred to in Article  58(1), (2) and (3). The exercise of these powers must not impair the effective operation of Chapter VII.14

INVESTIGATIVE POWERS

9.3 Companies also need to be aware that the data protection supervisory authorities have the power to carry out investigations. These can arise when a problem event arises with an individual company, but can also be part of sector-wide reviews. Each data protection supervisory authority must have the following six investigative powers:

• to order the controller and the processor and, where applicable, the controller’s or the processor’s representative,15 to provide any information it requires for the performance of its tasks;16
• to carry out investigations in the form of data protection audits;17
• to carry out a review on issued certifications (issued pursuant to Article 42(7));18
• to notify the controller or the processor of an alleged infringement of the GDPR;19

11 Ibid Art 58(3).
12 Ibid Art 58(4).
13 Ibid Art 58(5).
14 Ibid Art 58(6).
15 In certain circumstances a controller or processor may have to appoint a representative in the EU in relation to data protection compliance matters where they themselves are located outside of the EU. See GDPR Art 27.
16 GDPR Art 58(1)(a).
17 Ibid Art 58(1)(b).
18 Ibid Art 58(1)(c).
19 Ibid Art 58(1)(d).




• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;20 and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.21

Organisations will have to pay particular attention to these powers (on top of their overall compliance obligations). Increasingly, investigations occur where there is a publicised or reported data breach. Recall that now there is an obligation on companies to report particular data breaches.22 In an increasing number of data breach incidents fines are also issued, especially when the number of individual data subjects is very large. Some breach examples include:

• Yahoo!: fined £250,000 for significant hack data breach by ICO.
• Facebook: fined £500,000 for political (Cambridge Analytica) related data breaches by ICO.
• Sony: fined £250,000 for significant hack data breaches by ICO.
• Facebook: fined $5 billion for political (Cambridge Analytica) related data breaches by FTC (US).

Other data fines include:

• Google: fined €50 million for GDPR consent, transparency and user control breaches by CNIL (French data protection supervisory authority).
• YouTube and Google: fined $170 million for child-consent-related breaches by FTC (US).

CORRECTIVE POWERS

9.4 Companies must be aware that the data protection supervisory authorities have the power to issue corrective orders or directions to take action or change procedures, particularly after an investigation has occurred. Each data protection supervisory authority will have to deal with issues of breaches and the enforcement of the data protection rules. The GDPR specifies that the data protection supervisory authorities must have essential enforcement tools. To that purpose the respective authorities must have the following ten corrective powers:

20 Ibid Art 58(1)(e).
21 Ibid Art 58(1)(f).
22 See obligation to report a personal data breach to the data protection supervisory authority in GDPR Art 33 (and a corresponding obligation to notify data subjects in GDPR Art 34).




• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;23
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;24
• to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR;25
• to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;26
• to order the controller to communicate a personal data breach to the data subject;27
• to impose a temporary or definitive limitation including a ban on processing;28
• to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16 (right to rectification), 17 (right to erasure (right to be forgotten)) and 18 (right to restriction of processing) and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);29
• to withdraw a certification or to order the certification body to withdraw an issued certification (issued pursuant to Articles 42 and 43), or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;30
• to impose an administrative fine (pursuant to Article 83), in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;31 and
• to order the suspension of data flows to a recipient in a third country or to an international organisation.32

It is important to point out that for these mechanisms to work most effectively, in addition to general obligations of compliance with the data protection regime placed upon controllers and processors, there can also be specific obligations on organisations to also comply with requests, directions, orders and decisions of the data protection supervisory authorities. Article 31 of the GDPR is headed ‘Cooperation with the supervisory authority’. It specifies that:

‘The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.’

23 GDPR Art 58(2)(a).
24 Ibid Art 58(2)(b).
25 Ibid Art 58(2)(c).
26 Ibid Art 58(2)(d).
27 Ibid Art 58(2)(e).
28 Ibid Art 58(2)(f).
29 Ibid Art 58(2)(g).
30 Ibid Art 58(2)(h).
31 Ibid Art 58(2)(i).
32 Ibid Art 58(2)(j).

National legislation may also specify obligations to comply and set out specific offences for non-compliance.

AUTHORISATION AND ADVISORY POWERS

9.5 Companies must be aware that the data protection supervisory authorities have the power in relation to certain authorisations and advisory activities. Each data protection supervisory authority must have the following ten authorisation and advisory powers:

• to advise the controller in accordance with the prior consultation procedure (referred to in Article 36);33
• to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;34
• to authorise processing (referred to in Article 36(5)), if the law of the Member State requires such prior authorisation;35
• to issue an opinion and approve draft codes of conduct (pursuant to Article 40(5));36
• to accredit certification bodies (pursuant to Article 43);37
• to issue certifications and approve criteria of certification (in accordance with Article 42(5));38
• to adopt standard data protection clauses (referred to in Article 28(8) and in Article 46(2)(d));39
• to authorise contractual clauses (referred to in Article 46(3)(a));40

33 Ibid Art 58(3)(a).
34 Ibid Art 58(3)(b).
35 Ibid Art 58(3)(c).
36 Ibid Art 58(3)(d).
37 Ibid Art 58(3)(e).
38 Ibid Art 58(3)(f).
39 Ibid Art 58(3)(g).
40 Ibid Art 58(3)(h).




• to authorise administrative arrangements (referred to in Article 46(3)(b));41 and
• to approve binding corporate rules (pursuant to Article 47).42

Powers and Penalties

9.6 This may be one of the areas which prove more contentious in future company controller cases. Section 155 of the Data Protection Act 2018 (DPA 2018) refers to the ICO imposing monetary penalties and penalty notices. If the ICO is satisfied that a person:

• has failed or is failing as specified; or
• has failed to comply with an information notice, an assessment notice, or an enforcement notice,

it requires the person to pay the amount specified. The ICO must have regard to particular issues when deciding to issue such a notice. A detailed list of such matters is contained in section 155(2) and (3) of the DPA 2018. Some examples include:

• the nature, gravity and duration of the failure;
• the intentional or negligent character of the failure;
• any action taken by the controller or processor to mitigate the damage or distress suffered by data subjects; and
• past failures.

Section 157 refers to the maximum amount of penalties. It states that in relation to an infringement of the GDPR, the maximum amount that may be imposed by a penalty notice is the amount specified in GDPR Article 83 or, if an amount is not specified there, the standard maximum amount. There are also provisions in relation to penalty amounts as regards the DPA 2018. The Secretary of State is also permitted to make additional rules as regards penalty issues.

The new GDPR provides that each data protection supervisory authority must ensure that the imposition of administrative fines pursuant to the GDPR referred to in Article 83(4), (5) and (6) must, in each individual case, be effective, proportionate and dissuasive.43

41 Ibid Art 58(3)(i).
42 Ibid Art 58(3)(j).
43 Ibid Art 83(1).


Administrative fines must, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in Article 83(a)–(h) and (j). When deciding whether to impose an administrative fine and deciding on the amount in each individual case, due regard must be given to the following:

• the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• the intentional or negligent character of the infringement;
• action taken by the controller or processor to mitigate the damage suffered by data subjects;
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them (pursuant to Articles 25 and 32);
• any relevant previous infringements by the controller or processor;
• the degree of cooperation with the data protection supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
• the categories of personal data affected by the infringement;
• the manner in which the infringement became known to the data protection supervisory authority, in particular whether and, if so, to what extent, the controller or processor notified the infringement;
• where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in regard to the same subject-matter, compliance with these measures;
• adherence to approved codes of conduct (pursuant to Article 40) or approved certification mechanisms (pursuant to Article 42); and
• any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.44

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.45

Infringements of the following provisions must, in accordance with Article 83(2), be subject to administrative fines up to €10 million or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

44 Ibid Art 83(2).
45 Ibid Art 83(3).




• the obligations of the controller and the processor (pursuant to Articles 8, 11, 25–39 and 42 and 43);
• the obligations of the certification body (pursuant to Articles 42 and 43); and
• the obligations of the monitoring body (pursuant to Article 41(4)).46

Infringements of the following provisions must, in accordance with Article 83(2), be subject to administrative fines up to €20 million or, in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the basic principles for processing, including conditions for consent (pursuant to Articles 5, 6, 7 and 9);
• the data subjects’ rights (pursuant to Articles 12–22);
• the transfers of personal data to a recipient in a third country or an international organisation (pursuant to Articles 44–49);
• any obligations pursuant to state laws adopted under Chapter IX; and
• non-compliance with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority (pursuant to Article 58(2)) or does not provide access in violation of Article 53(1).47

Non-compliance with an order by the data protection supervisory authority as referred to in Article 58(2) must, in accordance with Article 83(2), be subject to administrative fines up to €20 million or, in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.48

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each state may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that state.49 The exercise by the data protection supervisory authority of its powers under this Article must be subject to appropriate procedural safeguards in conformity with EU law and state law, including effective judicial remedy and due process.50

Where the legal system of the state does not provide for administrative fines, Article 83 may be applied in such a manner that the fine is initiated by the competent data protection supervisory authority and imposed by competent national courts, while ensuring that these legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed must be effective, proportionate and dissuasive. Those states must notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.51

The new GDPR provides that states must lay down the rules on penalties applicable to infringements of the GDPR in particular for infringements which are not subject to administrative fines pursuant to Article 83 and must take all measures necessary to ensure that they are implemented. Such penalties must be effective, proportionate and dissuasive.52 Each state must notify to the Commission those provisions of its law which it adopts pursuant to Article 84(1), by 25 May 2018 and, without delay, any subsequent amendment affecting them.53

46 Ibid Art 83(4).
47 Ibid Art 83(5).
48 Ibid Art 83(6).
49 Ibid Art 83(7).
50 Ibid Art 83(8).

Enforcement Notices

9.7 In terms of the ICO, Part 6 of DPA 1998 referred to enforcement and related actions. Section 149 provides that if the ICO is satisfied that a controller has either contravened or is contravening any of the principles of data protection, in relation to the use of customer, etc personal data, it may serve a notice (referred to as ‘an enforcement notice’). The enforcement notice will require compliance by the organisation with the data protection principles or principle in question and as specified in the notice.

Where the ICO is satisfied that a person has either failed or is failing, as described in section 149, it may give the person a written notice which requires the person:

• to take steps specified in the notice;
• to refrain from taking steps specified in the notice;
• or both.

Breaches which might give rise to an enforcement notice can be varied but include:

• a breach of the principles;
• a breach of rights;
• a breach of obligations of controllers and processors;
• a breach of a requirement to communicate a data breach to the ICO or to data subjects; and
• a breach of the transfer restrictions.

51 Ibid Art 83(9).
52 Ibid Art 84(1).
53 Ibid Art 84(2).


There are other types of breaches referred to which can also give rise to an enforcement notice. The enforcement notice is, therefore, very wide in terms of what the ICO can require. It can encompass all types of non-compliance or breach in relation to customer, etc personal data. The ICO considers if the contravention has caused or is likely to cause personal damage or distress, in deciding whether to serve an enforcement notice (DPA 2018, s 150(2)). This would encompass non-compliance in terms of collecting and processing customer, etc personal data. However, the ICO may reserve such notices for more serious instances of non-compliance or breach. It may be argued that an actual data breach or data loss instance is naturally a serious incident and therefore may lean towards investigation and enforcement, particularly if the breach has not been remedied by the time the ICO is notified.

Enforcement notices are important and must be complied with. However, there can be circumstances where a given enforcement notice may be successfully challenged.54 A number of issues may need to be considered, including fairness,55 whether proper procedures were followed, entitlement to make the particular order in the circumstances, etc.

9.8 Section 151 of the DPA 2018 also refers to enforcement notices in the context of rectification and erasure of personal data. The provisions are detailed and would require attention when procedures are designed to comply with the principles, rights and other requirements of the data protection legislation. When a data subject feels that there is non-compliance with their rights and/or a request in the context of rectification or erasure, there is potential for these issues to arise if the request is being refused, whether in whole or in part.

Assessment Notices

9.9 Section 146 of the DPA 2018 relates to assessment notices that may be issued by the ICO. The ICO may serve a controller with a notice (referred to as an ‘assessment notice’) for the purpose of enabling it to carry out an assessment of whether the controller or processor has complied or is complying with the data protection legislation. An assessment notice may require the controller or processor to carry out a range of actions, including permitting the ICO to enter the premises. (Note that the ICO previously had to apply for a court order to enter the Cambridge Analytica premises.)

54 Doorstep v ICO (28 January 2019) EA 2018/0265; ‘Enforcement Notice Successfully Challenged, Doorstep v ICO’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2019)(3:5) 17.
55 Butterworth, M, ‘The ICO and Artificial Intelligence: The Role of Fairness in the GDPR Framework’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 257.


Limitations and Restrictions

9.10 Section 147 refers to assessment notices and limitations and restrictions. These should be consulted in the event of such a notice arising.

Destroying/Falsifying Documents and Information

9.11 Section 148 refers to particular provisions and consequences which may arise in the event of destroying or falsifying information as regards information notices and assessment notices. Various offences can potentially arise.

Powers of Entry and Inspection

9.12 Section 154 and Schedule 15 of the DPA 2018 refer to powers of entry and inspection.

Request for Audit

9.13 Section 129 of the DPA 2018 refers to a request for a consensual audit, which organisations can request from the ICO.

Information Notices

9.14 Section 142 refers to information notices. The ICO may issue an information notice requiring:

• a controller or processor to provide information for the purposes of carrying out the ICO’s functions; or
• any person to provide information required for investigating suspected breaches or offences, or for determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.

It is an offence to make a statement which is false or reckless in response to an information notice.

Information Orders

9.15 Section 145 refers to special information orders. The ICO can apply to court for an information order where a person fails to comply with an information notice. The order would essentially direct that certain action be taken or information be provided.

Authorisation and Advisory Powers 9.19

Failure to Comply

9.16 A failure to comply with a notice regardless of type can have serious consequences. Further investigations and actions can occur, including court actions directing assistance to the ICO. In addition, depending on what the ICO finds, penalties, fines and prosecutions can ensue.

Unlawful Obtaining Etc of Personal Data

9.17 Section 170 of the DPA 2018 refers to the unlawful obtaining etc, of personal data. It is an offence for a person knowingly or recklessly:

• to obtain or disclose personal data without the consent of the controller;
• to procure the disclosure of personal data to another person without the consent of the controller or processor; or
• after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

This is likely to be utilised increasingly frequently, particularly where employees or agents seek to use, access, copy or transfer personal data in a manner other than as envisaged by the controller.

Re-identifying De-identified Personal Data

9.18 The DPA 2018 also introduces provisions in relation to re-identifying personal data which was originally de-identified. Section 171 provides that it is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. This will be one of the more interesting sections to look at to see how it might be interpreted and applied by organisations, researchers, the ICO and by the courts. The extent of the defences specified will need to be considered.

Re-identification and Testing

9.19 There is also a related provision in section 172 of the DPA 2018 relating to effectiveness testing conditions and re-identification. This follows on from some of the defence-related provisions in section 171. An individual or organisation will have to be particularly careful and considered (even in advance) to avoid the offences and/or avail of the defences. Issues of public interest and knowledge and intent may also be involved. It is always difficult to definitively confirm or assess in advance how this may be interpreted by a court.


TASKS AND THE GDPR

9.20 Companies must be more proactive in seeking to identify if and when a data protection supervisory authority goes beyond its powers, tasks and remit, particularly in the area of fines and enforcement action.

Without prejudice to other tasks set out under the GDPR, each supervisory authority must on its territory:

• monitor and enforce the application of the GDPR;
• promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children must receive specific attention;
• advise, in accordance with national law, the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
• promote the awareness of controllers and processors of their obligations under the GDPR;
• upon request, provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperate with the supervisory authorities in other states to this end;
• handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80 and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another data protection supervisory authority is necessary;
• cooperate with, including sharing information and provide mutual assistance to other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
• conduct investigations on the application of the GDPR, including on the basis of information received from another data protection supervisory authority or other public authority;
• monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
• adopt standard contractual clauses (referred to in Article 28(8) and 46(2)(d));
• establish and maintain a list in relation to the requirement for data protection impact assessment (pursuant to Article 35(4));
• give advice on the processing operations (referred to in Article 36(2));
• encourage the drawing up of codes of conduct (pursuant to Article 40(1)) and give an opinion and approve such codes of conduct which provide sufficient safeguards (pursuant to Article 40(5));
• encourage the establishment of data protection certification mechanisms and of data protection seals and marks (pursuant to Article 42(1)) and approve the criteria of certification pursuant to Article 42(5);
• where applicable, carry out a periodic review of certifications issued (in accordance with Article 42(7));
• draft and publish the criteria for accreditation of a body for monitoring codes of conduct (pursuant to Article 41) and of a certification body (pursuant to Article 43);
• conduct the accreditation of a body for monitoring codes of conduct (pursuant to Article 41) and of a certification body (pursuant to Article 43);
• authorise contractual clauses and provisions referred to in Article 46(3);
• approve binding corporate rules (pursuant to Article 47);
• contribute to the activities of the EDPB;
• keep internal records of breaches of the GDPR and of measures taken in accordance with Article 58(2); and
• fulfil any other tasks related to the protection of personal data (Article 57(1)).

Risk issues are increasingly important and are promoted as an issue of consideration and compliance in the data protection field with the GDPR.56 The GDPR includes extensive new security obligations and as part of this there is a requirement to take into account and hence to identify risk issues.57

Each data protection supervisory authority must facilitate the submission of complaints referred to in Article 57(1)(f), by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.58 The performance of the tasks of each data protection supervisory authority must be free of charge for the data subject and, where applicable, for the DPO.59 Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data protection supervisory authority may charge a reasonable fee based on administrative costs or refuse to act on the request. The data protection supervisory authority must bear the burden of demonstrating the manifestly unfounded or excessive character of the request.60

Sections 115–117 and Schedules 12 and 13 of the DPA 2018 also refer to the general functions of the ICO. Other sections also specify that certain reports and reviews must be undertaken by the ICO (eg DPA 2018, ss 139–141; Schedule 17).

56 Duncan, B and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) (July 2018).
57 See GDPR Art 32(1) and other references.
58 Ibid Art 57(2).
59 Ibid Art 57(3).

Prohibition of Requirement to Produce Certain Records

9.21 A frequent area of concern previously was the practice of organisations seeking to force individuals to apply for certain official and police records and to produce these, in particular, to new or prospective employers. Section 184 refers to a prohibition on requirements to produce certain records. It is an offence to require a person to provide or provide access to relevant records in connection with:

• the recruitment of an employee;
• the continued employment of a person; or
• a contract for the provision of services to them.

It is also an offence to require a person to give or give access to a relevant record if:

• they are involved in the provision of goods, facilities or services to the public or a section of the public; and
• the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or a third party.

Section 185 also provides for the avoidance of certain contractual terms relating to health records. If prohibited terms are included, they are deemed to be void.

REPORTS/ACTIVITY REPORTS

9.22 Each data protection supervisory authority must draw up an annual report of its activities.61 These may include a list of the types of infringement notified and details of the types of measures taken (in accordance with Article 58(2)). The reports must be transmitted to the national parliament, the government and other authorities as designated by Member State law. They must also be made available to the public, the Commission and to the EDPB.62 Companies should carefully review the various reports to glean important information and trends to be proactive and to try to deal with issues in advance of new problems arising.

60 Ibid Art 57(4).
61 Ibid Art 59.
62 Ibid.


CONCLUSION

9.23 Data protection is important. Personal data is considered important and sensitive to customers. This should be respected by organisations. Organisations are not permitted to collect or process customer, etc, personal data without being data protection compliant. It is in this context that there can be severe consequences for organisations for non-compliance, whether in collecting personal data initially or in the subsequent processing of the personal data.

The ICO can impose financial penalties or can prosecute for non-compliance. Alternatively, enforcement notices can be imposed which specify certain actions that must be implemented by the organisation. Certain types of organisation can be the recipient of separate types of notices, namely assessment notices. In any of these events, customers, etc will be particularly concerned that their personal data has been collected, is being processed in a certain manner and/or may have been subject to a breach event. This can have its own consequences.

Overall, it should also be noted that the consequences of breach or non-compliance are becoming increasingly important as enforcement actions and penalties are increasing in frequency, number and financial scale. The new regime also further changes the enforcement rules. The stakes for data use and compliance have been raised. There is a distinct increase in the fine that can be levelled in the EU (including fines of up to €20 million or 4% of worldwide turnover) or up to at least $5 billion in the US (where FTC fines are not similarly capped).

Even still, we are in a state of transition on both sides of the Atlantic. We have a new set of data protection laws in Europe (from the GDPR to the DPA 2018) and a new reality that technology and data usage requires greater attention in the US (from the FTC to the potential for a new general federal privacy law).
The natural transition from old to new data protection laws will lead to a certain level of case law and examination of the nature and extent of the (new) powers of the data protection supervisory authorities. That fines and penalties are trending upwards only increases the incentive for companies to seek to explore the possibility of contesting or seeking to limit them.


CHAPTER 10

Corporate Contention

INTRODUCTION

10.1 Corporate disputes and contention inevitably arise between corporate entities and regulators, in this case data protection regulators and supervisory authorities, a data protection ‘supervisory authority’ being ‘an independent public authority’.1 Such potential contention can arise as a result of a given data protection supervisory authority investigating or pursuing enforcement actions or powers as against the company in question. The respective powers of the data protection supervisory authorities are thus very important. These powers are tools by which these authorities enforce, implement and promote the rules of the GDPR and data protection regime more generally.

These instances of contention will also likely increase given the much enhanced potential for very significant penalties and fines to be levied by the data protection supervisory authorities pursuant to the new GDPR and which can amount to a percentage of the worldwide turnover of the company2 found to be in breach. Indeed, it should also be pointed out that very significant fines can arise elsewhere, particularly in the US (such as those that may be issued by the US Federal Trade Commission (FTC)). See Chapter 8 for further discussion of the US position.

GDPR Chapter VIII refers to remedies, liability and penalties and refers specifically to:

• right to lodge a complaint with a data protection supervisory authority;
• right to an effective judicial remedy against a data protection supervisory authority;
• right to an effective judicial remedy against a controller or processor;
• representation of data subjects;
• suspension of proceedings;
• right to compensation and liability;
• general conditions for imposing administrative fines; and
• penalties.3

1 That is, ‘an independent public authority which is established by a Member State pursuant to Article 51’. See definition in GDPR Art 4(21).
2 Ibid Arts 83 and 84.
3 Ibid Arts 77–84.


AUTHORITIES AND COMPANIES

Company Court Remedy Against Authority

10.2 Without prejudice to any other administrative or non-judicial remedy, each natural or legal person must have the right to an effective judicial remedy against a legally binding decision of a data protection supervisory authority concerning them.4

Without prejudice to any other administrative or non-judicial remedy, each data subject must have the right to an effective judicial remedy where the data protection supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.5

Proceedings against a data protection supervisory authority must be brought before the courts of the Member State where the data protection supervisory authority is established.6 Where proceedings are brought against a decision of a data protection supervisory authority which was preceded by an opinion or a decision of the EDPB in the consistency mechanism, the data protection supervisory authority must forward that opinion or decision to the court.7

Right to Lodge Complaint with Data Protection Supervisory Authority

10.3 Without prejudice to any other administrative or judicial remedy, every data subject must have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.8 The data protection supervisory authority with which the complaint has been lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.9

4 Ibid Art 78(1).
5 Ibid Art 78(2).
6 Ibid Art 78(3).
7 Ibid Art 78(4).
8 Ibid Art 77(1).
9 Ibid Art 77(2).


Fines

10.4 There are an increasing number of very significant fines being issued (and across a range of countries and data protection supervisory authorities and privacy regulators) which will be of concern to companies (and their respective internal officers and advisors) and also their external advisors. In addition, the recent changes brought about by the GDPR make provision for:

• fines of up to €20 million; or
• fines of up to 4% of worldwide turnover.10

Some of these recent examples include fines of:

• £500,000 (Facebook re Cambridge Analytica) (ICO);
• £250,000 (Sony re massive data breach from a data hack it suffered) (ICO);
• £250,000 (Yahoo! re massive data breach from a data hack it suffered) (ICO);
• $5 billion (Facebook re Cambridge Analytica and political data profiling) (FTC);
• $170 million (YouTube and Google re children’s data and child consent); and
• $575 million (Equifax massive data breach of personal financial data) (FTC).

There are numerous other examples in relation to a variety of breach issues (eg including failure to incorporate appropriate mandated consideration of data protection by design and by default).11

Each data protection supervisory authority must ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of the GDPR referred to in paragraphs 4, 5 and 6 must, in each individual case, be effective, proportionate and dissuasive.12 Administrative fines must, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in Article 58(2)(a)–(h) and (j).13

When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard must be given to the following:

• the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• the intentional or negligent character of the infringement;
• any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and default) and 32 (security of processing);
• any relevant previous infringements by the controller or processor;
• the degree of cooperation with the data protection supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
• the categories of personal data affected by the infringement;
• the manner in which the infringement became known to the data protection supervisory authority, in particular whether and, if so to what extent, the controller or processor notified the infringement;
• where measures referred to in Article 58(2) (powers) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
• adherence to approved codes of conduct (pursuant to Article 40) or approved certification mechanisms (pursuant to Article 42); and
• any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.14

10 Ibid Arts 83 and 84.
11 This is referred to in GDPR Art 25. Examples include a data protection supervisory decision in Greece involving a telecommunications service provider (7 October 2019); Romania involving Unicredit Bank and a fine of €130,000 (27 June 2019).
12 GDPR Art 83(1).
13 Ibid Art 83(2).

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.15

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the obligations of the controller and the processor pursuant to Articles 8 (conditions applicable to child’s consent in relation to information society services), 11 (processing which does not require identification), 25 to 39 and 42 (certification) and 43 (certification bodies);
• the obligations of the certification body (pursuant to Articles 42 and 43); and
• the obligations of the monitoring body (pursuant to Article 41(4)).16

14 Ibid Art 83(2)(a)–(k).
15 Ibid Art 83(3).

Articles 25–39 refer to:

• data protection by design and default (Article 25);
• joint controllers (Article 26);
• representatives of controllers or processors not established in the EU (Article 27);
• processors (Article 28);
• processing under authority of the controller or processor (Article 29);
• records of processing activities (Article 30);
• cooperation with the data protection supervisory authority (Article 31);
• security of processing (Article 32);
• notification of a personal data breach to the data protection supervisory authority (Article 33);
• communication of a personal data breach to the data subject (Article 34);
• data protection impact assessment (Article 35);
• prior consultation (Article 36);
• designation of the Data Protection Officer (Article 37);17
• position of the Data Protection Officer (Article 38); and
• tasks of the Data Protection Officer (Article 39).

Infringements of the following provisions must, in accordance with paragraph 2, be subject to administrative fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the basic principles for processing, including conditions for consent, pursuant to Articles 5 (principles of data protection), 6 (lawfulness of processing), 7 (conditions for consent) and 9 (processing of special categories of personal data);
• the data subjects’ rights pursuant to Articles 12 to 22 (see below);
• the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49 (see below);
• any obligations pursuant to Member State law adopted under Chapter IX (provisions relating to specific processing situations); and
• non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the data protection supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).18

16 Ibid Art 83(4).
17 See Lambert, P, The Data Protection Officer, Profession, Rule and Role (Routledge, Taylor and Francis, 2016).

Articles 12 to 22 refer to:

• transparency and modalities (Article 12);
• information to be provided where personal data are collected from the data subject (Article 13);
• information to be provided where personal data have not been obtained from the data subject (Article 14);
• right of access by the data subject (Article 15);
• right to rectification (Article 16);
• right to erasure (right to be forgotten) (Article 17);
• right to restriction of processing (Article 18);
• notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19);
• right to data portability (Article 20);19
• right to object (Article 21); and
• automated individual decision making, including profiling (Article 22).

Articles 44 to 49 refer to:

• general principle for transfers (Article 44);
• transfers based on an adequacy decision (Article 45);
• transfers subject to appropriate safeguards (Article 46);
• binding corporate rules (Article 47);
• transfers or disclosures authorised by EU law (Article 48); and
• derogations for specific situations (Article 49).

Non-compliance with an order by the data protection supervisory authority as referred to in Article 58(2) must, in accordance with paragraph 2 of this Article, be subject to administrative fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.20

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.21

The exercise by the data protection supervisory authority of its powers under this Article must be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process.22

Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent data protection supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed must be effective, proportionate and dissuasive.23 Those Member States were obliged to notify the Commission of the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018. They must also notify, without delay, any subsequent amendment law or amendment affecting them.

18 GDPR Art 83(5).
19 Quintel, T, ‘EDPS and Article 29 Working Party Opinions About the Commission Proposals on the Interoperability of Database’ European Data Protection Law Review (EDPL) (2018) (4:2) 217.

Penalties

10.5 Member States must lay down the rules on other penalties applicable to infringements of the GDPR in particular for infringements which are not subject to administrative fines (pursuant to Article 83) and must take all measures necessary to ensure that they are implemented. Such penalties must be effective, proportionate and dissuasive.24 Each Member State was obliged to notify the Commission of the provisions of its law which it adopts pursuant to the above by 25 May 2018. They must also notify, without delay, any subsequent amendment affecting these laws.25

20 GDPR Art 83(6).
21 Ibid Art 83(7).
22 Ibid Art 83(8).
23 Ibid Art 83(9).
24 Ibid Art 84(1).
25 Ibid Art 84(2).

PENALTIES AND FINES

Nature, Gravity and Duration

10.6 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.26

Therefore, companies need to be aware that specific considerations for data protection supervisory authorities will include:

• the nature of the infringement;
• the gravity of the infringement; and
• the duration of the infringement.

Obviously, companies will seek to avoid problem issues arising but, where they do arise, they must seek to ensure that they are resolved appropriately as quickly as possible and the duration is as short as possible. In addition, as and when issues arise, companies will be seeking to point to these factors in their favour to present or reflect that a particular issue is minimised in terms of gravity.

There is additional reference to account being taken of the ‘nature scope or purpose’ of the data processing. This may all be approximately the same thing. However, there is a possible equivalence appearing as between ‘nature’, ‘scope’ and ‘purpose’. However, it might be suggested that, in general terms, ‘scope’ and ‘purpose’ can mean different things, not the same or equivalent things.

An additional factor for consideration is the number of data subjects involved. This is reasonably quantifiable and would appear to be something that a company would not be able to alter or massage. In terms of being considered by a data protection supervisory authority, the more people involved, the higher the potential fine or need for additional remedial measures.

There is also specified to be a need to consider ‘the level of damage suffered’ by the data subjects. This obviously points to damage issues having to be considered or being capable of being included in consideration by the data protection supervisory authorities. On another level of analysis, it might be considered whether this criterion is presuming that there is or will be damage. On many occasions in the past it seems to have been suggested by companies, particularly if they are defending claims, that there is no damage to an individual unless there is definitive financial or monetary damage and placing the onus on an individual to prove such financial loss.

It would seem that such penal, restrictive and limiting arguments of the past may be limited to the past, as this criterion suggests a more realistic and real consideration of loss and damage-type issues. Where this issue may result in contention is whether this applies to fines and penalties as from the data protection supervisory authorities only, or whether the wider interpretation also applies to damages and data subject cases.

26 Ibid Art 83(2)(a)–(k).


Intent

10.7 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the intentional or negligent character of the infringement.27 Therefore, companies (and data protection supervisory authorities) will be looking at the record of events to assess how these confirm if there was a discernible intention leading to the infringing action at issue.

Even where there may not be an express purposeful decision or intention to do an infringing act, or some action or set of actions leading to or resulting in the infringing action, the fact that there is an additional criterion of wider negligence means that negligence or a failure to take the necessary action to avoid the infringing activity can be considered as detrimental to the company.

A further point to note is that the obligations of compliance are now greatly enhanced and include higher obligations, more obligations and a requirement to demonstrate compliance by, for example, record keeping, records of complying with the principles of data protection, advance consideration of risk and impact issues, advance consideration of data protection by design and by default, etc. Therefore, even where there is no documented record of intent to breach, a lack of documented records of all appropriate compliance consideration, processes, decisions, actions, policies, pre-problem solving, etc, could, in appropriate circumstances, lead to or assist a finding of negligence on the part of the company.

Mitigation Actions

10.8 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: any action taken by the controller or processor to mitigate the damage suffered by data subjects.28 Therefore, companies, in seeking to put their best foot forward with the data protection supervisor (or supervisors) (and indeed from a wider perspective also, eg public facing or in dealing with data subjects), identify the various actions they are taking, or have taken, in order to mitigate the damage. One can also suggest that, as we move forward, the types of actions and activities that can assist to mitigate matters generally and specifically for the data subjects will increase in scope and possibility. The range of remedial and mitigation actions available in a year’s time will likely be much greater than those available today. Over time, individual data subjects (and data protection supervisory authorities) will be aware of and will expect more remedial and mitigation actions. Where such actions have not been adopted, a data protection supervisory authority may draw an adverse conclusion, which may impact on whether there may be a fine and/or the level of such a fine. An unfortunate consequence of both modern and internet technologies is that where a data breach or other data event occurs, the damage and scale of dissemination that can potentially arise is ever increasing. In that context, the number and scale of remedial and mitigation actions with which a company engages must also increase. What may be reasonable or proportionate today may not be so in 12 months’ time.

27 Ibid Art 83(2)(a)–(k). 28 Ibid.

Degree of Responsibility

10.9 When deciding whether to impose an administrative fine and deciding on the amount of that fine in each individual case, due regard must be given to the following: the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and default) and 32 (security of processing).29 This will be an interesting issue to keep apprised of as it points to the responsibility of the company for the data breach event in question. However, a company as a controller of personal data is always responsible for what happens. Even in hacking data breach situations there are examples of companies being fined and declared responsible for the event – even though a third-party hacker was also involved. Sometimes this may occur where updates in safeguards were known but ignored (as is understood to have occurred in some instances) or even where there were safeguards but a hacker still managed to gain access. It may also be considered perhaps from the perspective of what the reasonable and objective range of technical and organisational measures may be at a given point in time. An important point to note is that today’s safeguards will not be sufficient in 12 months’ time – or even earlier – depending on the circumstances. It also needs to be understood that technical and organisational-type measures were previously referenced only in the context of security measures operated by the company.30 The above criterion refers to both security and pre-problem measures in the form of data protection by design and by default. Therefore, it is clear that security on its own will be insufficient to absolve the company. In addition, the appropriate measures must have been in place prior to the breach event, as opposed to being introduced afterwards. While there is value and indeed a compliance necessity to introduce such measures even after a breach event, this criterion will look to the environment before the problem arose, in terms of what measures were active beforehand and were meant to prevent or minimise problem events in the first place.

29 Ibid. 30 Henry, L, ‘Information Privacy and Data Security’ Cardozo Law Review De-Novo (2015) 107; Dort, KK, Criss, JT and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (2017)(1:1) 15; Serrato, JK, ‘Connecting the Dots: Key Developments and Best Practices for Evaluating Privacy and Security Risks in IoT Investments’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2018)(1:1) 35; Nguyen, V, ‘Shopping for Privacy: How Technology in Brick-and-Mortar Retail Stores Poses Privacy Risks for Shoppers’ Fordham Intellectual Property, Media & Entertainment Law Journal (2019)(29:2) 535.

History of Infringement

10.10 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: any relevant previous infringements by the controller or processor.31 Therefore, companies need to understand that if there is a history of a past problem data event, or worse, this can lead to an adverse finding or action on the part of the data protection supervisory authority. Alternatively, it may lead to the enhancement of whatever actions the data protection supervisory authority may take or order. It should go without saying that in the event of a past breach or infringement, the company should be proactive in upgrading its processes and procedures to (a) avoid or minimise the potential for a repeat data event arising; and (b) ensure that there are a variety of new processes, procedures, actions, policies, security and safeguards, pre-problem solving, etc, all of which are documented and can be utilised as appropriate in communicating with the data protection supervisory authority when there may be a new data event and to apprise the authority of the proactive improvement steps engaged in since the last event.

Cooperation

10.11 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: the degree of cooperation with the supervisory authority, to remedy the infringement and mitigate the possible adverse effects of the infringement.32 Therefore, it is obvious that a company should bend over backwards to be facilitative and cooperative with data protection supervisory authorities generally and specifically when data events occur. Lack of cooperation can result in adverse actions and/or enhanced fines and related action orders.

31 GDPR Art 83(2)(a)–(k). 32 Ibid.

10.12  Corporate Contention

This should, perhaps, also be looked at in the wider context. A narrow view could be taken in, for example, a data breach event, seeing the obligation as being only to report it to the data protection supervisory authority and not to be more facilitative. Notwithstanding that there are clearly other obligations, a narrowly focused view could result in the authority perceiving this to be an act of obstruction or an omission to apprise them of all the relevant facts, resulting in adverse consequences. While this relates to a different field, the Federal Aviation Authority (FAA) in the US is taking an adverse view that Boeing did or did not immediately disclose to the FAA pertinent text messages which appear to indicate that there were known safety problems in advance of the fated Boeing 737 Max aircraft being sold to airlines. Merely notifying the authority that there was a data breach or crash is not sufficient; all relevant details must continue to be notified as they become available. Another example which might be relevant under this criterion may be whether the data protection supervisory authority needs to issue any interim orders, notices or enforcement notices – or worse, whether it had to go to court to obtain interim court orders. In the past there have unfortunately been examples where a company has simply refused to engage with data subjects and with the data protection supervisory authority. This and related criteria make it more expressly clear that these are factors that can be taken into account.

Type(s) of Personal Data

10.12 When deciding whether to impose an administrative fine and deciding on the amount in each individual case, due regard must be given to the categories of personal data affected by the infringement.33 Therefore, in planning their processing operations and related security, risk and preventative measures, all companies should differentiate between:

• general personal data;
• special (sensitive) personal data;
• adults’ and children’s data; and
• other data factors.

The more important the data category and the greater the risk associated with it, the greater the safeguards around it should be.

33 Ibid.

How the Authority Becomes Aware

10.13 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: the manner in which the infringement became known to the supervisory authority, in particular whether and, if so, to what extent, the controller or processor notified the infringement.34 Therefore, where an appropriate data event occurs it is incumbent on the company to apprise the data protection supervisory authority as soon as possible and before the authority may otherwise become aware of it. It is clear that an adverse view can be taken of the lack of an appropriate notification or distinctly late notification.

Compliance with Previous Orders

10.14 When deciding whether to impose an administrative fine and deciding on the amount in each individual case, due regard must be given to the following: where measures referred to in Article 58(2) (powers) have previously been ordered against the controller or processor concerned with regard to the same subject matter and their compliance with those measures.35 Therefore, it is expressly important where there have been prior actions, enforcement and/or orders issuing from a data protection supervisory authority that such directions have been fully complied with. Particular adverse consequences can arise for the company, including enhanced fines, where a new event arises or the authority discovers the non-compliance. An interesting point may be that, in Europe, orders of an enforcement nature tend to be more immediate in terms of what is required; whereas some (but not all) of the measures in the US emanating from the Federal Trade Commission (FTC) can include more long-term obligations of specific compliance measures including repeated compliance reviews, to occur over a specified period – sometimes decades.

Complying with Codes or Certification

10.15 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard must be given to the following: adherence to approved codes of conduct (pursuant to Article 40) or approved certification mechanisms (pursuant to Article 42).36 Therefore, there can be benefit for a company in being a member of an appropriate organisation or signing on or becoming accredited under an appropriate code or certification mechanism. However, given that the ‘go live’ of the GDPR (under which the above provision is included) is still recent, it will be some time before the range of these options becomes fully available to companies. It also remains to be determined the extent to which pre-existing associations or accreditations may fit within these envisaged mechanisms, whether they will be confined to new mechanisms or a combination of same. This will be an area of development to keep apprised of.

34 Ibid. 35 Ibid. 36 Ibid.

Aggravating or Mitigating Factors

10.16 When deciding whether to impose an administrative fine and deciding on the amount in each individual case, due regard must be given to the following: any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.37 Therefore, there are a range of criteria and factors which can assist a company in seeking to minimise official data protection supervisory authority actions against it, including fines. It is equally clear that there are a variety of criteria and factors which, if they exist, can be applied adversely against the company. From a corporate perspective, such criteria are pre-defined in a fixed list. From the perspective of a data protection authority, individuals and ultimately the courts, a fixed limited list of criteria could be viewed as limiting in some ways the actions that an authority may take or the factors that it may take into account when acting. It could also preclude an authority from taking into account new factors and new developments (including, perhaps, new technology issues) which it may otherwise find pertinent. These potential limitations are avoided, however, as there is a ‘catch-all’ criterion which permits a data protection supervisory authority to take into account ‘any other aggravating or mitigating factor’. The inclusion of ‘any’ is significant to the extent of permitting a wide ability, if not a discretion, to the data protection supervisory authority. Companies may seek to argue that there are certain limits on this. This catch-all criterion is further widened by the inclusion of an open-ended list of examples by way of the term ‘such as’. Additional aggravating or mitigating factors can include:

• financial benefits gained (directly or indirectly) from the infringement; and
• losses avoided (directly or indirectly) from the infringement.

37 Ibid.

POWERS

10.17 There are primary first-principle obligations of compliance on the various controller and processor entities by which they themselves must ensure compliance. However, when a company does not or there is some other type of breach, there are options of investigation and enforcement available to the data protection supervisory authorities. For the next number of years, as the GDPR and other new data protection rules come to be better understood, there will be companies who seek to dispute the powers or the interpretations of the authorities and their enforcement activities.38 Chapter VI of the GDPR refers to the independent national data protection supervisory authorities. Section 1 therein refers to independence issues and Section 2 refers to competence, tasks and powers. There are several distinct types of powers provided to the data protection supervisory authorities:

• investigative powers;
• corrective powers; and
• authorisation and advisory powers.

The exercise of the powers conferred on the data protection supervisory authority pursuant to Article 58 must be subject to appropriate safeguards, including effective judicial remedy and due process, set out in EU and Member State law in accordance with the Charter.39 Each Member State must provide by law that its data protection supervisory authority must have the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to commence or otherwise engage in legal proceedings, in order to enforce the provisions of the GDPR.40 Each Member State may provide by law that its data protection supervisory authority must have additional powers to those referred to in paragraphs 1, 2 and 3 of Article 58.41 The exercise of those powers does not impair the effective operation of Chapter VII of the GDPR (cooperation and consistency).42

38 On interpretation issues generally see, eg, Slocum, BG, Ordinary Meaning: A Theory of the Most Fundamental Principle of Legal Interpretation (University of Chicago Press, 2015). 39 GDPR Art 58(4). 40 Ibid Art 58(5). 41 Ibid Art 58(6). 42 Ibid.

Investigative Powers

10.18 Each data protection supervisory authority must have the following six investigative powers:

• to order the controller and the processor and, where applicable, their representative43 to provide any information it requires for the performance of its tasks;44
• to carry out investigations in the form of data protection audits;45
• to carry out a review on issued certifications (issued pursuant to Article 42(7));46
• to notify the controller or the processor of an alleged infringement of the GDPR;47
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;48 and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.49

Organisations will have to pay particular attention to these powers (on top of their overall compliance obligations). As indicated above, the company can be ordered to provide a wide array of information,50 to permit access to all personal data and information51 and to permit access to premises and data processing equipment.52

43 Under particular circumstances, a controller or processor may have to appoint a representative in the EU in relation to data protection compliance matters where they themselves are located outside of the EU. See GDPR Art 27 for more particular details. 44 GDPR Art 58(1)(a). 45 Ibid Art 58(1)(b). 46 Ibid Art 58(1)(c). 47 Ibid Art 58(1)(d). 48 Ibid Art 58(1)(e). 49 Ibid Art 58(1)(f). 50 Ibid Art 58(1)(a). 51 Ibid Art 58(1)(e). 52 Ibid Art 58(1)(f).

Corrective Powers

10.19 Each data protection supervisory authority will have to deal with issues of breaches and the enforcement of the data protection rules. The GDPR specifies that the data protection supervisory authorities must have enforcement tools. To that end, the respective authorities must have the following ten corrective powers:

• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;53
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;54
• to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR;55
• to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;56
• to order the controller to communicate a personal data breach to the data subject;57
• to impose a temporary or definitive limitation including a ban on processing;58
• to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16 (right to rectification), 17 (right to erasure (right to be forgotten)) and 18 (right to restriction of processing) and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);59
• to withdraw a certification or to order the certification body to withdraw an issued certification (issued pursuant to Articles 42 and 43), or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;60
• to impose an administrative fine (pursuant to Article 83), in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;61 and
• to order the suspension of data flows to a recipient in a third country or to an international organisation.62

53 Ibid Art 58(2)(a). 54 Ibid Art 58(2)(b).

Particular issues for the company to note are the rights of the data protection supervisory authority, as set out above, to order it to comply with the data subject’s rights,63 to order corrective actions and to issue fines. It is important to point out that for these mechanisms to work most effectively, in addition to general obligations of compliance with the data protection regime placed upon controllers and processors, there can also be specific obligations on organisations to also comply with requests, directions, orders and decisions of the data protection supervisory authorities.

55 Ibid Art 58(2)(c). 56 Ibid Art 58(2)(d). 57 Ibid Art 58(2)(e). 58 Ibid Art 58(2)(f). 59 Ibid Art 58(2)(g). 60 Ibid Art 58(2)(h). 61 Ibid Art 58(2)(i). 62 Ibid Art 58(2)(j). 63 Ibid Art 58(2)(c).

Article 31 of the GDPR is headed ‘Cooperation with the supervisory authority’. It specifies that, ‘the controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks’. National legislation may also specify obligations to comply and set out specific offences of non-compliance.

Authorisation and Advisory Powers

10.20 Each data protection supervisory authority must have the following authorisation and advisory powers:

• to advise the controller in accordance with the prior consultation procedure (referred to in Article 36);64
• to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;65
• to authorise processing (referred to in Article 36(5)), if the law of the Member State requires such prior authorisation;66
• to issue an opinion and approve draft codes of conduct (pursuant to Article 40(5));67
• to accredit certification bodies (pursuant to Article 43);68
• to issue certifications and approve criteria of certification (in accordance with Article 42(5));69
• to adopt standard data protection clauses (referred to in Article 28(8) and in Article 46(2)(d));70
• to authorise contractual clauses (referred to in Article 46(3)(a));71
• to authorise administrative arrangements (referred to in Article 46(3)(b));72
• to approve binding corporate rules (pursuant to Article 47).73

64 Ibid Art 58(3)(a). 65 Ibid Art 58(3)(b). 66 Ibid Art 58(3)(c). 67 Ibid Art 58(3)(d). 68 Ibid Art 58(3)(e). 69 Ibid Art 58(3)(f). 70 Ibid Art 58(3)(g). 71 Ibid Art 58(3)(h). 72 Ibid Art 58(3)(i). 73 Ibid Art 58(3)(j).

CONTROLLER AND PROCESSOR OBLIGATIONS

10.21 Companies and organisations also need to be very cognisant of their obligations under the data protection rules. As an illustration, the main obligations and requirements referred to under the GDPR are referred to below but the list is by no means exhaustive. There are certain direct obligations placed on controllers (and processors) under the main GDPR section dealing with the controller, namely, Chapter IV. However, that would not give the full picture. Companies must comply with a variety of matters listed otherwise than in Chapter IV of the GDPR, for example:

• the principles of data protection;74
• the prior information and transparency rules;75
• consent rules;76
• the rules in relation to children online;77
• lawful processing rules;78
• rules regarding special personal data;79
• the various respective rights of individual data subjects;80
• security rules and requirements;81 and
• rules which apply to particular data processing situations.82

74 Ibid Art 5. 75 Ibid Arts 13 and 14. 76 Ibid Art 7. 77 Ibid Art 8. 78 Ibid Art 6. 79 Ibid Art 9. Also notes rules in relation to criminal convictions, GDPR Art 10. 80 GDPR Chapter III. 81 GDPR Art 32. Also see Henry, L, ‘Information Privacy and Data Security’ Cardozo Law Review De-Novo (2015) 107; Dort, KK, Criss, JT and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (2017)(1:1) 15; Serrato, JK, ‘Connecting the Dots: Key Developments and Best Practices for Evaluating Privacy and Security Risks in IoT Investments’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2018)(1:1) 35; Nguyen, V, ‘Shopping for Privacy: How Technology in Brick-and-Mortar Retail Stores Poses Privacy Risks for Shoppers’ Fordham Intellectual Property, Media & Entertainment Law Journal (2019)(29:2) 535. 82 GDPR Chapter IX.

These rules and obligations must, of course, be complied with. In respect of the main controller section of the GDPR (Chapter IV), it identifies rules and issues – at a headline level – in relation to:

• general obligations;83
• security of personal data;84
• data protection impact assessment and prior consultation;85
• Data Protection Officers;86 and
• codes of conduct and certification.87

The specifics of some of these are set out below.

Responsibility of Controller

10.22 Controllers must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.88 Those measures must be reviewed and updated where necessary89 on an ongoing basis. This is to take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.90

Data Protection by Design and by Default

10.23 Controllers must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation,91 which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing to meet the requirements of the GDPR and protect the rights of data subjects.92 This is to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.93

The need for PbD/DPbD is expressly recognised and incorporated into the GDPR and there is increasing commentary on the new legal rules,94 means of implementation and also component and related concepts (eg privacy engineering,95 design,96 etc). Risks must be identified and reduced if not eliminated. Risk management is increasingly important across the tech landscape, but is now also promoted as an issue of consideration and compliance in the data protection field with the GDPR.97 The GDPR includes extensive new security obligations and, as part of this, there is a requirement to take into account and hence to identify risk issues.98 Overall risk reduction must be incorporated. Indeed, certain risks, once identified, should also mean that certain proposed processing operations should not occur at all. This is understood to be very important.

83 GDPR Chapter IV, Section 1. 84 Ibid Section 2. 85 Ibid Section 3. 86 Ibid Section 4. 87 Ibid Section 5. 88 See GDPR Art 24. 89 Ibid. 90 Ibid. 91 Mourby, M, Mackey, E, Elliot, M, Gowans, H and Wallace, S, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 222. 92 See GDPR Art 25. 93 Ibid.

Joint Controllers

10.24 Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.99 They must, in a transparent manner, determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless and in so far as the respective responsibilities of the controllers are determined by EU or Member State law to which the controllers are subject. The arrangement may designate a contact point for the individual data subjects.

Representatives of Controllers/Processors Not Established in EU

10.25 Where Article 3(2) applies, the controller or the processor must designate in writing a representative in the EU.100 (Article 3(2) states that the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or the monitoring of their behaviour as far as their behaviour takes place within the EU.)

94 Jasmontaite, L, Kamara, I, Zanfir-Fortuna, G and Leucci, S, ‘Data Protection by Design and by Default: Framing Guiding Principles into Legal Obligations in the GDPR’ European Data Protection Law Review (EDPL) (2018)(4:2) 168. Also, Waldman, AE, ‘Privacy’s Law of Design’ UC Irvine Law Review (2019)(9:5) 1239; Danezis, G, Hansen, M, Domingo-Ferrer, J and Hoepman, J-H, Privacy and Data Protection by Design – from Policy to Engineering (European Union Agency for Network and Information Security (ENISA) 2014). 95 Danezis, G, Hansen, M, Domingo-Ferrer, J and Hoepman, J-H, Privacy and Data Protection by Design – from Policy to Engineering (European Union Agency for Network and Information Security (ENISA) 2014). 96 Waldman, AE, ‘Privacy’s Law of Design’ UC Irvine Law Review (2019)(9:5) 1239. 97 Duncan, B and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) (July 2018). 98 See GDPR Art 32(1); and other references. 99 Ibid Art 26. 100 Ibid Art 27.

Processors

10.27 Where processing is to be carried out on behalf of a controller, the controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.101

Processing Under Authority

10.28 The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, must not process those data except on instructions from the controller, or if required to do so by EU or Member State law.102

Records

10.29 Each controller and, where applicable, the controller’s representative, must maintain a record of processing activities under its responsibility.103 These records must contain the following information:

• the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, the envisaged time limits for erasure of the different categories of data; and
• where possible, a general description of the technical and organisational security measures (ie those technical and organisational security measures referred to in Article 32(1)).104

101 Ibid Art 28. 102 Ibid Art 29. 103 Ibid Art 30.

There are also record-keeping obligations for processors.105

Cooperation with Supervisory Authority

10.30 The controller and the processor and, where applicable, their representatives, must cooperate, on request, with the supervisory authority in the performance of its tasks.106

Security of Processing

10.31 Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.107 The security measures must include, inter alia, as appropriate:

• the pseudonymisation108 and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.109

In considering the appropriate security measures, the company can take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.110

Additionally, in assessing the appropriate level of security account must be taken, in particular, of the risks that are presented by processing, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.111

Adherence to an approved code of conduct (see Article 40) or an approved certification mechanism (see Article 42) may be used as an element by which to demonstrate compliance with the security requirements above.112

The controller and processor must take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by EU or Member State law.113

Risk management issues are important per se and also as part of proper security standards within data protection compliance.114 The GDPR includes extensive new security obligations and as part of this there is a requirement to take into account and identify risk issues.115

104 Ibid.
105 Ibid Art 30(2).
106 Ibid Art 31.
107 Ibid Art 32(1). Also see, eg, Henry, L, ‘Information Privacy and Data Security’ Cardozo Law Review De-Novo (2015) 107; Dort, KK, Criss, JT and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (2017)(1:1) 15; Serrato, JK, ‘Connecting the Dots: Key Developments and Best Practices for Evaluating Privacy and Security Risks in IoT Investments’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2018)(1:1) 35; Nguyen, V, ‘Shopping for Privacy: How Technology in Brick-and-Mortar Retail Stores Poses Privacy Risks for Shoppers’ Fordham Intellectual Property, Media & Entertainment Law Journal (2019)(29:2) 535.
108 Mourby, M, Mackey, E, Elliot, M, Gowans, H and Wallace, S, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 222.

Breach Notifications

10.32 Where there is a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware, notify the personal data breach to the data protection supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.116 Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay when it is so notified.117 This notice must include the following details (‘at least’):

• describing the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and categories and the approximate number of personal data records concerned;
• communicating the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
• describing the likely consequences of the personal data breach; and
• describing the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.118

This is the minimum level of detail to be provided. Significantly more detail can be provided and, more importantly, can be requested by the data protection supervisory authority.

The controller must also document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.119 This documentation enables the data protection supervisory authority to verify compliance.120

Processors also have obligations, inter alia, to notify the controller of data breaches.121

109 See GDPR Art 32(1)(a)–(d).
110 Ibid Art 32(1).
111 Ibid Art 32(2).
112 Ibid Art 32(3).
113 Ibid Art 32(4).
114 Duncan, B and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) HPCS High Performance Computing & Simulation (HPCS) (July 2018).
115 See GDPR Art 32(1).
116 Ibid Art 33(1).
117 Ibid.

Communicating Breach to Data Subjects

10.33 Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.122 The communication must describe ‘in clear and plain language’ the nature of the personal data breach and contain at least the following measures:

• communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
• describe the likely consequences of the personal data breach; and
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.123

While one would expect that a data protection supervisory authority is permitted to do so in any event, it is expressly provided that, if the controller has not already communicated the personal data breach to the data subject, the data protection supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in Article 34(3) are met.124

Note that in this provision a company may quibble with such a direction if it perceives that the data protection supervisory authority had not ‘considered the likelihood of the personal data breach resulting in a high risk’ or did not properly consider the same. Potentially, a company may seek to engage in contentious correspondence or even litigation. It would be wise, therefore, for the data protection supervisory authority to have a process for recording that there was such a review and consideration made, that all appropriate factors were taken into account and ultimately to note in, for example, the correspondence notifying the direction or order to the company, that the appropriate consideration in this regard was undertaken (and any other appropriate or necessary considerations).

It may become the case that, in future, the formal documentation that must be issued by data protection supervisory authorities must include language indicating that appropriate consideration or processes were engaged in when coming to conclusions, directions and/or orders. These issues may evolve further as and when issues of contention and litigation arise.

118 Ibid Art 33(3).
119 Ibid Art 33(5).
120 Ibid.
121 Ibid Art 33(2).
122 Ibid Art 34(1). Also see Selvadurai, N, Kisswani, N and Khalaileh, Y, ‘Strengthening Data Privacy: The Obligation of Organisations to Notify Affected Individuals of Data Breaches’ International Review of Law, Computers & Technology (2019)(33:3) 271.
123 Ibid Art 34(2).

Data Protection Impact Assessment

10.34 Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a ‘high risk’ to the rights and freedoms of natural persons, the controller must – prior to the processing – carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.125 A single assessment may address a set of similar processing operations that present similarly high risks.126

Risk avoidance overall is becoming increasingly important – including as a result of the GDPR.127 The GDPR includes extensive new security obligations. Part of this includes a requirement to take into account risk issues.128

A data protection impact assessment is required in the case of:

• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• processing on a large scale of special categories of data (referred to in Article 9(1)) or of personal data relating to criminal convictions and offences (referred to in Article 10); or
• a systematic monitoring of a publicly accessible area on a large scale.129

The data protection supervisory authorities may publish a list of particular activities that require data protection impact assessments130 – and may also publish a list of activities not requiring such an assessment.131

In addition, there is a provision which indicates that, where necessary, the controller must carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.132

124 Ibid Art 34(4).
125 Ibid Art 35(1).
126 Ibid.
127 Duncan, B and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) HPCS High Performance Computing & Simulation (HPCS) (July 2018).
128 See GDPR Art 32(1) and other references.

Prior Consultation

10.35 Controllers must consult the data protection supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.133

If the data protection supervisory authority is of the opinion that the intended processing would infringe data protection rules, in particular where the controller has insufficiently identified or mitigated the risk, the data protection supervisory authority must, within eight weeks of receipt of the request for consultation, provide written advice to the controller (or processor) and may use any of its powers (referred to in Article 58).134 That period may be extended by six weeks, taking into account the complexity of the intended processing.135 Periods may also be suspended until the data protection supervisory authority has obtained information from the controller (or processor) that it has requested for the purposes of the consultation.136

When engaging in such consultation, the controller must provide the following to the data protection supervisory authority:

• where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
• the purposes and means of the intended processing;
• the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
• where applicable, the contact details of the Data Protection Officer;
• the data protection impact assessment; and
• any other information requested by the data protection supervisory authority.137

It will also be necessary for controllers to consult relevant national laws which may include additional provisions in relation to such consultations.138

129 Ibid Art 35(3).
130 Ibid Art 35(4).
131 Ibid Art 35(5).
132 Ibid Art 35(11).
133 Ibid Art 36(1).
134 Ibid Art 36(2).
135 Ibid.
136 Ibid.

DATA PROTECTION OFFICERS

10.36 There are new requirements to appoint Data Protection Officers. These obligations need careful compliance consideration.139

Codes of Conduct

10.37 There are detailed provisions in relation to the ability of controllers to follow appropriate codes of conduct.140 The data protection supervisory authorities encourage such codes in terms of assisting compliance.141 These codes may include or refer to issues such as:

• fair and transparent processing;
• the legitimate interests pursued by controllers in specific contexts;
• the collection of personal data;
• the pseudonymisation142 of personal data;
• the information provided to the public and to data subjects;
• the exercise of the rights of data subjects;
• the information provided to and the protection of children and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
• the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing (referred to in Article 32);
• the notification of personal data breaches to data protection supervisory authorities and the communication of such personal data breaches to data subjects;
• the transfer of personal data to third countries or international organisations; or
• out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing (without prejudice to the rights of data subjects pursuant to Articles 77 and 79).143

There are further detailed provisions in relation to these codes.

137 Ibid, Art 36(3).
138 For example, GDPR Article 36(5) refers to national law and national law variations.
139 See reference to the designation of the DPO and respective tasks and position, at GDPR Arts 37–39. Also see Lambert, P, The Data Protection Officer, Profession, Rules and Role (Routledge, Taylor and Francis, 2017).
140 See GDPR Art 40.
141 Ibid.
142 Mourby, M, Mackey, E, Elliot, M, Gowans, H and Wallace, S, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 222.

Certification

10.38 Data protection certification mechanisms, and data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors, are encouraged and supported.144 Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met.145 Certification must be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.146 There are further detailed provisions in relation to these certification mechanisms.

DIRECTOR RESPONSIBILITY, LIABILITY AND OFFENCES

10.39 All organisations collect and process personal data. Whether they are big or new start-ups, they need to comply with the data protection regime. It should also be borne in mind that even a new technology start-up can scale relatively quickly to millions of users. Many issues enhance the importance of getting organisational data protection understanding and compliance right from day one. These include legal obligations, director, board and officer obligations, investigations, fines, prosecutions, being ordered to delete databases, adverse publicity, commercial imperatives and even commercial advantages.

If one also considers some of the recent large-scale data breach incidents, there are examples of chief technology officers, as well as managing directors/CEOs, losing their positions as a result of the incident. Increasingly directors, executives and officers of a company can also be held responsible – in addition to the company entity itself. This raises the stakes and consequences for being compliant.

The potential for personal liability (DPA 2018, s 198) is a significant issue for an organisation and those within positions of authority where the organisation is involved in offences. Employees can also be liable for offences if they obtain, disclose or procure the personal data in the organisation for their own purposes.

Section 198 of the DPA 2018 refers to liability of directors, etc. Section 198(1) provides that where an offence under the Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, they as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

Two Spam texters were fined a total of £440,000.147 The size of the penalty is significant. However, possibly more significant is that it involves director liability. The ICO also issued a substantial data fine in relation to breach of the data protection regime by way of incorrect storage and processing when the financial data and files of individual customers were mixed up. Potentially, a customer could have suffered financial loss and adverse consequences. Prudential was fined £50,000. In another case, a health trust was fined £225,000 in relation to a third party gaining unauthorised access to files.148 Employees have been prosecuted for gaining unauthorised access to personal records.149

The GDPR and Data Protection Act 2018 vastly increase the potential fines available (up to €20 million or 4% of worldwide turnover). We can expect the level of fines to increase.

143 GDPR Art 40(2).
144 Ibid Art 42(1).
145 Ibid Art 42(7).
146 Ibid.
147 ICO v Christopher Niebel and Gary McNeish (2012). ICO, ‘Spam Texters Fined Nearly Half a Million Pounds’. Available at: https://ico.org.uk. However, note that this was appealed.
148 ‘Belfast Trust Fined £22,500 After Leaving Thousands of Patient Records in Disused Hospital’. Available at: https://ico.org.uk.
149 See eg ICO, ‘Bank Employee Fined for Reading Partners Ex Wife Statements’. Available at: https://ico.org.uk.

One interesting case involves using initials in case names.150 This also occurred in the recent case of NT1 and NT2,151 both of which related to the erasure and forgetting right. Many cases in European countries can have anonymised plaintiffs.

While there are increasing calls for more responsibility or action against directors and executives in relation to data breaches in particular, there are also pushes in this direction in sectors such as social media.152

When breach events arise, there are also additional risks for directors and executives. Regardless of responsibility for the breach itself (eg not installing security updates and/or not ensuring upgrades), if an executive were to sell their shares on the basis that the share price of the company may dip once the breach is announced publicly, essentially acting on the basis of their insider knowledge, there can be legal and ethical consequences. At least one executive was prosecuted for having sold shares before the mass data breach at Equifax was made public. The stakes, as such, are vastly increased for companies and for their individual directors, executives and officers.153

While the above refers to directors and executives in the main, there are also other parties who can be involved with data processing activities with the controller company, such as processor companies or independent contractors. These should also consider potential liability issues from their own perspective (as well as the controller likely having thought of these issues in advance).154

INDIVIDUALS AND COMPANIES

Rights of Individual Data Subjects

10.40 Companies must be cognisant of the respective rights of the individual data subjects in relation to whom they collect and otherwise process data. Where these rights are breached or otherwise not complied with, either or both of the individual data subjects and/or the data protection supervisory authority can pursue the company in question. In fact, a third-party entity may also represent the individual data subject and groups of data subjects. Therefore, the company must be familiar with, and be able to demonstrate compliance with,155 the rights of the individual data subject. These include:

• right to transparent information, communication and modalities for the exercise of the rights of the individual data subject;156
• information to be provided where personal data are collected from the data subject;157
• information to be provided where personal data have not been obtained from the data subject;158
• right of access by the data subject;159
• right to rectification;160
• right to erasure (right to be forgotten);161
• right to restriction of processing;162
• notification regarding rectification or erasure;163
• right to data portability;164
• right to object;165 and
• automated individual decision making, including profiling.166

150 In a data protection-related case in Berlin, not only was the company sued but the directors were also personally named and included in the case. One of the reasons specified was to ensure that the directors made sure that the board of the company made the appropriate amendments so that the breaches were rectified and would not re-occur. A further interesting aspect of the case is that, while the directors were included personally, their names were redacted to initials. One such set of initials was ‘MZ’. See the Federal Association of Consumer Organisations and Consumer Groups, Federal Consumer Association, GB v Facebook Ireland Limited, MA, JB, DG, PT and the Chairman MZ, [names redacted], [redacted] Reach, [redacted] Quay, Dublin, Ireland.
151 NT1 and NT2 v Google [2018] EWHC 799 (QB); [2018] EMLR 18; [2018] HRLR 13.
152 Note generally Helman, L, ‘Pay for (Privacy) Performance: Holding Social Network Executives Accountable for Breaches in Data Privacy Protection’ Brooklyn Law Review (2019)(84:2) 523; Worthington, S, ‘Directors’ Duties and Improper Purposes’ Cambridge Law Journal (2016)(75:2) 213.
153 Also note Trebble-Greening, J, ‘Raising the Stakes: Creating an International Sanction to Generate Corporate Compliance with Data Privacy Laws’ Columbia Business Law Review (2019)(2) 763.
154 Deakin, S, ‘Organisational Torts: Vicarious Liability Versus Non-Delegable Duty’ Cambridge Law Journal (2018)(77:1) 15; Silink, A and Ryan, D, ‘Vicarious Liability for Independent Contractors’ Cambridge Law Journal (2018)(77:3) 458.

Right to Compensation and Liability

10.41 Any person who has suffered material or non-material damage as a result of an infringement of the GDPR must have the right to receive compensation from the controller or processor for the damage suffered.167

Any controller involved in processing must be liable for the damage caused by processing which infringes the GDPR. A processor must be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.168

A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.169

Where more than one controller or processor or both a controller and a processor are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor must be held liable for the entire damage in order to ensure effective compensation of the data subject.170

Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor must be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.171

Court proceedings for exercising the right to receive compensation must be brought before the courts competent under the law of the Member State referred to in Article 79(2).172

155 For example, maintaining records of compliance. See the accountability requirement and principle in GDPR Art 5(2) which requires that ‘[t]he controller shall be responsible for and be able to demonstrate compliance with [the principles outlined in Article 5(1)]’.
156 See GDPR Art 12.
157 Ibid Art 13.
158 Ibid Art 14.
159 Ibid Art 15.
160 Ibid Art 16.
161 Ibid Art 17.
162 Ibid Art 18.
163 Ibid Art 19.
164 Ibid Art 20.
165 Ibid Art 21.
166 Ibid Art 22.
167 Ibid Art 82(1).

Right to Court Remedy Against Controller

10.42 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77, each data subject must have the right to an effective judicial remedy where he or she considers that his or her rights have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.173

Proceedings against a controller will be brought before the courts of the Member State where the controller or processor has an establishment.174 Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.175

168 Ibid Art 82(2).
169 Ibid Art 82(3).
170 Ibid Art 82(4).
171 Ibid Art 82(5).
172 Ibid Art 82(6).
173 Ibid Art 79(1).
174 Ibid Art 79(2).

Right to Court Remedy Against Processor

10.43 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77, each data subject must have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.176

Proceedings against a processor will be brought before the courts of the Member State where the controller or processor has an establishment.177 Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.178

Representation of Data Subjects

10.44 The data subject must have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77 (right to lodge a complaint with data protection supervisory authority), 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) on his or her behalf and to exercise the right to receive compensation (referred to in Article 82) on his or her behalf where provided for by Member State law.179

Member States may provide that a body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the data protection supervisory authority which is competent pursuant to Article 77 (right to lodge a complaint with data protection supervisory authority) and to exercise the rights referred to in Articles 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.180

175 Ibid.
176 Ibid Art 79(1).
177 Ibid Art 79(2).
178 Ibid.
179 Ibid Art 80(1).

Suspension of Proceedings 10.45 Where a competent court of a Member State has information on proceedings, concerning the same subject matter as regards processing by the same controller or processor, that are pending in a court in another Member State, it must contact that court in the other Member State to confirm the existence of such proceedings.181 Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.182 Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.183

NOTICES

10.46 There is wide scope, and justifiable circumstance and reason, for data protection supervisory authorities to issue enforcement notices to controllers and processors. These abilities are enhanced under the GDPR directly, and also by virtue of the respective compliance obligations of controllers and processors having expanded under the new data rules in the GDPR and elsewhere.

Companies, for a variety of reasons (whether misunderstanding, disagreement per se, disagreement on procedure, dispute on fine or level of fine, etc) may seek to dispute a given enforcement notice or similar order from a data protection supervisory authority. Some companies may also be cognisant of national, main establishment, cooperation and so-called ‘one-stop shop’ mechanisms. In some of these types of disputes it may be that the legal basis for the decision is at issue. Other or related arguments might be that the face of the enforcement notice does not contain a clear and express indication of the reasons and basis on which the data protection supervisory authority made its decision to issue the notice. An example of this type of argument occurred in a case relating to copyright file sharing wars. The then Data Protection Commissioner in Ireland disputed an agreement between music recording companies (EMI, Sony, Universal and Warner) and a particular internet service provider (Eircom) to operate a graduated ‘three strikes’ policy in relation to alleged pirate infringing users. The Commissioner was of the view that the agreement infringed user rights and data protection rules. It issued an enforcement notice directing the internet service provider not to comply with or implement the agreed policy.

There are other related complicating issues, such as there being a series of cases and decisions, the ability to appeal under and as provided in the data protection legislation itself, an ability to take general judicial review-type appeals of official related decisions outside or in addition to that as provided in data protection legislation, whether affected third parties can appeal (and under what circumstances), whether and when third parties can intervene and whether consent is needed – and from whom, etc.

The High Court ultimately held (arguably quite strongly) that the particular enforcement notice was not valid on the basis of an absence of any clear (or even implicit) reasons on which to base the decision to issue the enforcement notice.184 The Supreme Court also rejected an appeal by the Data Protection Commissioner.185

180 Ibid Art 80(2).
181 Ibid Art 81(1).
182 Ibid Art 81(2).
183 Ibid Art 81(3).
184 EMI Records (Ireland) & Ors v Data Protection Commissioner & Another [2012] IEHC 264 (27 June 2012) Charleton J.
185 EMI Records (Ireland) & Ors v Data Protection Commissioner & Another [2013] IESC 34 (3 July 2013).

The enforcement notice contained the following:

‘1. Regulation 5(1) of the Regulations in that eircom has facilitated or is facilitating the listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data of users of eircom’s internet services, by persons other than such users, without the consent of the users concerned by means of implementing the Protocol;

2. Regulation 6 of the Regulations in that eircom has failed (or is failing) to ensure that traffic data relating to subscribers and users processed and stored for the purpose of the transmission of a communication (including, in particular, traffic data comprising IP addresses assigned by eircom to a subscriber at a particular point in time) is erased or made anonymous when it is no longer needed for that purpose save to the extent that such data may be retained and processed and/or stored for a purpose prescribed in the Regulations;

3. Sections 2(1)(a) & 2D of the DP Acts in that eircom has failed (or is failing) to provide subscribers with information necessary to render the obtaining and/or processing of their personal data “fair” for the purposes of said Section 2(1)(a).

4. Section 2(1)(b) of the DP Acts in that eircom has failed (or is failing) to comply with the requirement that personal data obtained and/or processed by or on behalf of eircom shall be accurate, eircom having incorrectly identified particular subscribers as persons who had engaged in illegal peer to peer file sharing using IP addresses assigned to eircom;

5. Section 2(1)(c)(i) of the DP Acts in that eircom has obtained (or is obtaining) personal data in respect of subscribers other than for one or more specified, explicit and legitimate purposes;

6. Section 2(1)(c)(ii) of the DP Acts in that eircom has further processed (or is further processing) personal data in respect of subscribers in a manner incompatible with the purpose for which that data was obtained and is retained;

7. Section 2A(1) of the DP Acts in that eircom has processed (or is processing) personal data of a subscriber without the subscriber’s consent and/or without meeting any one or more of the other conditions specified in that Section;

8. Section 2B of the DP Acts in that eircom has processed (or is processing) sensitive personal data namely data relating to the commission or alleged commission of offences further to Section 140 of the Copyright and Related Rights Act 2000, without complying with the requirements of Sections 2 and 2A of the DP Acts and/or without meeting one or more of the conditions specified in Section 2B(1)(b) thereof.’186

The order part of the enforcement notice directed to, ‘(i) take all such steps as are necessary to comply with the provisions of the DP Acts and Regulations concerned, such steps to be taken within 60 days of the date of receipt of this Notice; (ii) pending such steps being taken, to cease forthwith the obtaining and/or processing of subscriber data in the context of the implementation of the Protocol, including, for the avoidance of doubt, the receipt of subscriber data from, or the transmission of subscriber data to, any other party to the Protocol or their servants or agents; and (iii) take steps to destroy and/or erase any and all subscriber data processed by eircom in the context of the implementation of the Protocol within 60 days of receipt of this Notice.’187

186 EMI Records (Ireland) & Ors v Data Protection Commissioner & Another [2012] IEHC 264 (27 June 2012) Charleton J at para 4.0.
187 Ibid at para 4.1.

A further issue is that the court settlement which resulted in the protocol agreement containing the graduated three strikes procedure occurred in a case between the industry parties but did not include the then Data Protection Commissioner. The then Commissioner decided not to participate in those exact proceedings at the time on the basis that it would likely be expensive and it may not have had sufficient financial resources. This decision appears to have been implicitly criticised judicially. However, this highlights the wider discussion of the stipulation that Member States must clearly now provide for the full independence and funding of the respective data protection supervisory authorities (see Chapters 12 and 13). It is a necessary part of the ordinary and necessary tasks and activities of a data protection supervisory authority that it must, on some occasions, engage in litigation – which includes prosecutions for breaches as well as disputes that arise in relation to more complex areas of data protection law, application and procedure.

The Doorstep Dispensaree case is a recent UK example of an enforcement notice being successfully appealed.188 The following is an edited extract of the recent decision in the case decided on 24 January 2019 at the First-tier Tribunal, General Regulatory Chamber, Information Rights, the new appeals mechanism post the GDPR established under the new Data Protection Act 2018 (UK). The Tribunal agreed with the appellant company appealing the validity of the enforcement notice issued by the Information Commissioner’s Office (ICO). The Tribunal decided as follows:

188 Doorstep Dispensaree Ltd v Information Commissioner (EA/2018/0265).

‘This appeal concerns an Information Notice served by the Information Commissioner (“the Commissioner”) on the Appellant company on 25 October 2018. The Commissioner’s power to serve an Information Notice, and the right of appeal to this Tribunal, were introduced by the Data Protection Act 2018 (“DPA 2018”). This is the first appeal to reach final determination under the new regime. We are grateful to Mr Lockley on behalf of the Information Commissioner and to Mr Hayden on behalf of the Appellant for their helpful oral submissions.

The Information Commissioner is currently investigating the Appellant’s compliance with the General Data Protection Regulation (“GDPR”), in relation to which she is the UK supervisory authority. The Commissioner’s investigation was opened following a report to her office from the Medicines and Healthcare Products Regulatory Agency (“MHRA”) in July 2018 about the manner in which the Appellant company was apparently processing personal data. The Commissioner requested in correspondence certain information from the Appellant in connection with her investigation. The Appellant in correspondence refused to provide the requested information and so the Commissioner decided to serve the Information Notice. The Appellant appealed to the Tribunal.

The lodgement of the Notice of Appeal has the effect of suspending the Appellant’s obligation to comply with the Information Notice, pending determination of this appeal. If the appeal is dismissed, the Commissioner may bring enforcement proceedings in a court. The Tribunal heard submissions from both counsel and, by agreement, rose to decide a preliminary issue as to whether the Information Notice was invalid if compliance with its terms involved a risk of self-incrimination by the recipient. We concluded that the Information Notice was not invalid on this basis …

The Appellant’s Notice of Appeal dated 28 November 2018 relied on two grounds of appeal, as follows. Firstly, that “there are criminal investigations into the company by MHRA, as such the proper way to question the company is via the criminal proceedings by way of interview of its representatives under the Police and Criminal Evidence Act. To do otherwise would be in contravention of the criminal code and the Human Rights Act … The questions are intended to assist the MHRA’s criminal investigation and in effect MHRA were using the ICO to assist them without recourse to due process and under the guise of requesting information under the Data Protection Act …”. Secondly, “Non-Disclosure. The ICO stated that its questioning arose as a result of the MHRA contacting them, but failed to provide, although requested, disclosure as to the root of its concerns or as appropriate disclosure …”.

At the hearing, Mr Hayden refined the Appellant’s case. He submitted that the Information Notice was not in accordance with the law, as it was void for breach of s. 143(6) DPA 2018 which provides that the recipient of an Information Notice may not be compelled to incriminate him/herself. Although the section had not been referred to expressly in the Notice of Appeal or correspondence, he submitted that the question of the Appellant’s right not to self-incriminate had been raised in the grounds of appeal and that, as the Commissioner had been aware that a criminal investigation was on foot, it had been wrong in principle for her to compel the Appellant to answer questions which might provide evidence which could be used against it in criminal proceedings. The Appellant filed witness evidence including a statement from the Appellant’s solicitor confirming that the company’s superintendent had made no comment when interviewed under caution by MHRA. Mr Hayden’s secondary submission was that, if the Information Notice was not void, then the Tribunal should amend it to remove certain questions in the Notice which he submitted would have the effect of compelling self-incrimination. The offending parts were some or all of questions 2, 3, 6 and 7 of the Information Notice. He confirmed he did not pursue the grounds that disclosure and/or PACE compliance were required.
The Commissioner’s Response dated 18 December 2018 opposed the appeal on the following grounds. Firstly, that the MHRA’s investigation is entirely separate from that of the Commissioner, whose concern (and duty) is to monitor and enforce the application of the GDPR. It is commonplace for the Commissioner to conduct an investigation at the same time as other statutory agencies, but the Commissioner’s focus is on GDPR/DPA only and not on the criminal investigation being undertaken by MHRA. Secondly, that ground two is based on a misunderstanding of the Commissioner’s role and the Appellant’s duty to co-operate with her investigation. Further, that there is no requirement for disclosure by the Commissioner before requiring an answer to an Information Notice … In response to the Appellant’s case as put at the hearing, Mr Lockley submitted that Parliament had provided the necessary safeguards in DPA 2018, such that the Appellant was at liberty to raise the issue of s. 143(6) and the risk of self-incrimination in correspondence or in response to the service of an Information Notice. The Commissioner would then have to consider whether to seek to enforce the Information Notice through a court or to cancel the Notice. In summary, his submission was that s. 143(6) DPA 2018 was relevant to the Appellant’s obligation to comply with the Information Notice but did not affect the validity of a Notice which had been served …

We agree with Mr Lockley’s analysis of the new legal framework, which we find to be as follows. The Commissioner may serve an Information Notice in circumstances where she requires a data controller or processor to provide her with information which she reasonably requires for the purpose of carrying out her functions. The Information Notice must meet certain procedural requirements. An Information Notice “does not require” a person to provide information which would expose them to criminal proceedings. The Act does not say that the Commissioner may not serve an Information Notice in such circumstances, or that it is invalid if she does so. It is difficult to see how Parliament could have intended such an interpretation given that the Commissioner would not generally be privy to the relevant information to allow her to make that prospective judgement. We are satisfied that the effect of s. 143(6) DPA 2018 is to permit the recipient of an Information Notice to raise the issue of risk of self-incrimination with the Commissioner on receipt of the Notice. The Commissioner must then take those submissions into account in deciding whether to apply to a court to enforce the Information Notice or to cancel the Information Notice (possibly serving an amended Notice in its stead).

In this case, the Appellant has provided very limited information to the Commissioner and to the Tribunal about the scope of the criminal investigation and thus the scope for self-incrimination. The Appellant claims to have little information itself at this stage of those proceedings. However, it is clear from the information provided to the Commissioner by MHRA and placed before the Tribunal that whatever else may follow there is an issue as to GDPR compliance which warrants further investigation. We accept that the information requested was reasonably required for the Commissioner’s investigation.
The role of the Tribunal is to consider whether the Commissioner’s Notice is not in accordance with the law and/or whether she should have exercised her discretion to serve it differently. The Tribunal has power to substitute a fresh Information Notice if it allows the appeal. We are satisfied in this case that the Information Notice is in accordance with the law and that the Appellant has shown no basis for finding that the Commissioner should have exercised her discretion differently. For these reasons, we dismiss the appeal. We noted at the hearing that we had received no evidence from the Commissioner as to the factors taken into account in making the decision to serve the Notice. Mr Lockley submitted that they were obvious from the correspondence, but we would have found it helpful to have received a short witness statement from the case officer. We also noted that neither the Notice itself nor the accompanying letter specifically referred the Appellant to the effect of s. 143(6)  DPA  2018, notwithstanding the fact that the Commissioner was aware of a parallel criminal investigation. We suggest that it would be fair for the standard information given to recipients of Information Notices to refer expressly to s. 143 DPA 2018.’189

189 Ibid.


CONCLUSION

10.47 The new data protection regime is relatively recent and, as such, it will take some time for the new and enhanced enforcement powers to be fully appreciated. It will also take some time for contention in case law to develop which makes clear the full extent of – and the limits on – individual enforcement powers and the respective enforcement factors and criteria. However, the new rules are particularly important in emphasising to companies that additional effort is clearly needed in complying and demonstrating such compliance and ultimately in avoiding (or at least seeking to mitigate) fines, penalties and other enforcement actions that can issue from a data protection supervisory authority.

There is already evidence of corporate interests seeking to be hard-nosed and commercial, at least when it comes to dealing with data protection supervisory authorities in matters of fines or potential fines. Facebook had sought to appeal the Cambridge Analytica fine (of £500,000) from the ICO; and the Data Protection Commissioner (of the Irish Data Protection Commission) has indicated that some of the correspondence being issued by some of the multinational subjects of ongoing investigations by the Commission has taken on a hard edge. This is possibly with a contentious pre-litigation preparatory view in mind, which may signal that if a given company is displeased with the outcome of an investigation, a particular finding and/or a fine or level of fine, it is willing to appeal or otherwise litigate the matter. Critics may also argue that there may be a form of tactical chilling involved, seeking to influence the level of fine downwards in advance. Undoubtedly, the area of powers and fines will be a keen area to watch.

It is also suggested that, even though less prominent than large fines, attention should be given to some of the non-financial remedies available to both data protection supervisory authorities and to individual data subjects. Arguably, there is a new and greater avenue available for new and creative solutions than may have previously been the case. This area should also be watched with interest. There is a possibility that companies will argue or otherwise seek to pressure data protection supervisory authorities to include increasing amounts of information or reasons in enforcement-related decisions or documentation.190

190 In terms of a duty to give reasons more generally, see Bell, J, ‘Reflections on Open Justice and the Status of the General Common Law Duty to Give Reasons’ Cambridge Law Journal (2018) (77:2) 240.


CHAPTER 11

Individual Contention

INTRODUCTION

11.1 Individual data subjects are obviously important and a core part of the data protection universe. Recital 1 to the GDPR notes that the protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter1 and Article 16(1) of the TFEU2 provide that everyone has the right to the protection of personal data concerning them.

For individuals, contention issues can arise in relation to disputing either the data processing activities of a respective company or its breach of the rights of the individual data subject. Separately, an individual may appeal where, having complained on a particular issue to the data protection supervisory authority (eg where the individual feels that a company has not responded appropriately when an issue was raised in the first instance), the individual feels that the authority was not correct in its own response, action or lack of action.3

The respective powers of the data protection supervisory authorities are very important. They are tools by which these authorities enforce, implement and promote the rules of the GDPR and data protection regime more generally. Of course, there are primary first principle obligations of compliance on the various controller and processor entities by which they themselves must ensure compliance. However, when they do not or there is some other type of breach, there are options of investigation and enforcement available to the data protection supervisory authorities.4

INDIVIDUAL, RIGHTS AND REMEDIES

11.2 Chapter VIII of the GDPR refers to the remedies for individuals and related liability and penalties issues. These refer specifically to the:

• right to lodge a complaint with a data protection supervisory authority;
• right to an effective judicial remedy against a data protection supervisory authority;
• right to an effective judicial remedy against a controller or processor;
• representation of data subjects;
• suspension of proceedings;
• right to compensation and liability;
• general conditions for imposing administrative fines; and
• penalties.5

These remedy-related rights also flow from the other more primary-related rights of individual data subjects. Companies must be cognisant of the respective rights of the individual data subjects in relation to whom they collect and otherwise process data. Where these rights are breached or otherwise not complied with, either or both of the individual data subjects and/or the data protection supervisory authority can pursue the company in question. In fact, a third-party entity may also act for and represent the individual data subject and groups of data subjects. Therefore, the company needs to be familiar with, comply with and be able to demonstrate compliance6 with the rights of the individual data subject. These rights include:

• right to transparent information, communication and modalities for the exercise of the rights of the individual data subject;7
• information to be provided where personal data are collected from the data subject;8
• information to be provided where personal data have not been obtained from the data subject;9
• right of access by the data subject;10
• right to rectification;11
• right to erasure (right to be forgotten);12
• right to restriction of processing;13
• notification regarding rectification or erasure;14
• right to data portability;15
• right to object;16 and
• automated individual decision making, including profiling.17

1 Charter of Fundamental Rights of the European Union.
2 Treaty on the Functioning of the European Union.
3 A data protection ‘supervisory authority’ means ‘an independent public authority which is established by a Member State pursuant to Article 51’. GDPR Art 4(21).
4 Chapter VI of the GDPR refers to the independent national data protection supervisory authorities. Section 1 therein refers to independence issues and section 2 refers to competence, tasks and powers.
5 GDPR Arts 77–84.
6 For example, maintaining records of compliance. See the accountability requirement and principle in GDPR Art 5(2) which requires that ‘[t]he controller shall be responsible for and be able to demonstrate compliance with [the principles outlined in Article 5(1)]’.
7 See GDPR Art 12.
8 Ibid Art 13.
9 Ibid Art 14.
10 Ibid Art 15.
11 Ibid Art 16.
12 Ibid Art 17.
13 Ibid Art 18.
14 Ibid Art 19.
15 Ibid Art 20.

There are increasing instances of individuals taking action, some examples being:

• Eva Glawischnig-Piesczek v Facebook Ireland Limited (CJEU);18
• Google Spain SL & another v Agencia Española de Protección de Datos (AEPD);19
• CG v Facebook Ireland Ltd;20
• Vidal-Hall v Google Inc;21
• NT1 and NT2 v Google;22 and
• Maximillian Schrems v Data Protection Commissioner (CJEU).23

INDIVIDUALS AND COMPANIES

Right to Compensation and Liability

11.3 One of the drivers for more case law will be the express right for individuals to seek compensation and damages from the controller. This may also increase the imperative for companies to increase their levels of compliance and efforts to seek to avoid complaints or litigation arising in the first instance.

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR must have the right to receive compensation from the controller or processor for the damage suffered.24 Any controller involved in processing must be liable for the damage caused by processing which infringes the GDPR. A processor must be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.25 A controller or processor may be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.26

16 Ibid Art 21.
17 Ibid Art 22.
18 Eva Glawischnig-Piesczek v Facebook Ireland Limited, CJEU, Case C-18/18, 3 October 2019.
19 Google Spain SL & another v Agencia Española de Protección de Datos (AEPD) and another Case C-131/12 [2014] QB 1022.
20 CG v Facebook Ireland Ltd [2016] NICA 54 [2017] EMLR 12.
21 Vidal-Hall v Google Inc [2015] EWCA Civ 311 [2016] QB 1003.
22 NT1 & NT2 v Google LLC [2018] EWHC 799 (QB).
23 Maximillian Schrems v Data Protection Commissioner, CJEU, Case C362/14, 6 October 2015 (Schrems 1).
24 Ibid Art 82(1).
25 Ibid Art 82(2).
26 Ibid Art 82(3).

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are (under paragraphs 2 and 3 of this Article) responsible for any damage caused by processing, each controller or processor will be held liable for the entire damage in order to ensure effective compensation of the data subject.27 Court proceedings for exercising the right to receive compensation should be brought before the courts competent under the law of the Member State referred to in Article 79(2).28 Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor must be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.29

It is noted that there was previously a case whereby the parties and the court canvassed whether the national UK provision referring to data protection damages and compensation under the previous data protection regime (ie the Data Protection Act 1998, to implement the data protection Directive 95/46) was adequate and a correct implementation of the Directive.30 The previous data protection Directive 95/46 provided as follows:

Directive 95/46

‘Article 23 – Liability

1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

2. The controller may be exempted from this liability, in whole or in part, if he provides that he is not responsible for the event giving rise to the damage.’

27 Ibid Art 82(4).
28 Ibid Art 82(6).
29 Ibid Art 82(5).
30 Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) (16 January 2014).

This was purported to be implemented in section 13 of the DPA 98, which stated as follows:

Data Protection Act 1998 Section 13

‘(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –

(a) the individual also suffers damage by reason of the contravention, or

(b) [not relevant in this instance].’

The court notes that previously the EU Commission has indicated in a reasoned opinion that there were deficiencies in the UK implementation, including in relation to the ability of individuals to pursue and obtain damages for breaches of their data protection rights. The EU opinion issued to the UK reads: ‘The right to compensation for moral damage when personal information is used inappropriately is also restricted. These powers and rights are protected under the EU Data Protection Directive and must also apply in the UK. As expressed in today’s reasoned opinion, the Commission wants the UK to remedy these and other shortcomings.’31

There is also an official study raising queries as regards the adequacy of the UK implementation regarding damages.32 The court notes generally that claims of this nature might seek compensation under data protection and human rights (Human Rights Act and Convention) rights.33 While not deciding the full case at this stage of the proceedings, the court opined that damages are wider than mere pecuniary damages34 (ie that financial loss would not have to be shown for a data subject to be successful). Mr Justice Tugendhat states that ‘my preliminary view of the question is that Mr Tomlinson’s submissions are to be preferred, and so that damage in s.13 does include non-pecuniary damage’.35

The Court of Appeal in the same case36 deals with the damages provision in more detail, in particular section 13(2) of the DPA 2018. There were four issues in the appeal. The second of these was:

‘The meaning of damage in section 13 of the DPA, in particular, whether there can be a claim for compensation without pecuniary loss.’37

31 EU Commission, Reasoned Opinion to the UK, 24 June 2010. This is the second stage of infringement proceedings against a Member State. Referred to at para 94 of Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) (16 January 2014).
32 European Commission Directorate-General Justice, Freedom and Security: Comparative Study of Different Approaches to New Privacy Challenges, In Particular in the Light of Technological Developments (Contract Nr: JLS/2008/C4/011 – 30-CE-0219363/00-28), Country Studies, Douwe Korff, ed (June 2010). Referred to at para 93 of Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) (16 January 2014).
33 Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) (16 January 2014), para 98 and also paras 95–98.
34 Ibid at para 103.
35 Ibid.
36 Google Inc v Vidal-Hall & Ors [2015] EWCA Civ 311 (27 March 2015); [2016] 2 All ER 337.
37 Ibid para 13(ii).

The Court of Appeal refers as follows: ‘Two issues arise in relation to the DPA. The first is whether the claimants are entitled to recover damages for distress for the alleged breaches of the data protection principles. It is common ground that on a literal interpretation of section 13, they are not entitled to recover such damages because their claims do not fall within either section 13(2)(a) or (b). They do not allege that they suffered pecuniary loss in addition to their distress; and their claims do not relate to the processing for any of the special purposes defined in section 3. The principal questions that arise under the first issue are (i) whether the decision in  Johnson v Medical Defence Union  is authority binding on this court that the meaning of “damage” in section 13(1) is “pecuniary loss” save in the circumstances set out in section 13(2); (ii) whether “damage” in article  23 of the Directive includes non-pecuniary loss such as distress; (iii) if “damage” in article 23 includes non-pecuniary loss, whether section 13 can and should be interpreted compatibly with article 23 in accordance with the Marleasing principles: Marleasing SA v La Comercial Internacional de Alimentacion SA C-106/89 [1990] ECR I-4135 CJEU; and (iv) whether section 13(2) should be disapplied in so far as it is incompatible with article  23 of the Directive in accordance with the principles articulated by this court in  Benkharbouche and Janah v Embassy of Sudan and others [2015] EWCA Civ 33 at paras 69 to 85.’38

The court notes that ‘[i]t is a well-established principle of EU law that legal terms have an autonomous meaning which will not necessarily accord with their interpretation in domestic law’.39

38 Ibid para 59.
39 Ibid para 72.

The court continues:

76. ‘In our judgment, the same approach to construction leads to the conclusion that article 23 of the Directive must be given its natural and wide meaning so as to include both material and non-material damage. In reaching this conclusion, we have regard to the aim of the Directive as evidenced by the recitals in the preamble and article 1 (see paras 56 and 57 above).

77. Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage). It is the distressing invasion of privacy which must be taken to be the primary form of damage (commonly referred to in the European context as “moral damage”) and the data subject should have an effective remedy in respect of that damage. Furthermore, it is irrational to treat EU data protection law as permitting a more restrictive approach to the recovery of damages than is available under article 8 of the Convention. It is irrational because, as we have seen at paras 56 and 57 above, the object of the Directive is to ensure that data-processing systems protect and respect the fundamental rights and freedoms of individuals “notably the right to privacy, which is recognized both in article 8 of the [Convention] and in the general principles of Community law”. The enforcement of privacy rights under article 8 of the Convention has always permitted recovery of non-pecuniary loss.

78. Additionally, article 8 of the Charter of Fundamental Rights of the European Union (“the Charter”) makes specific provision for the protection of the fundamental right to the protection of personal data: “everyone has the right to the protection of personal data concerning him or her”. It would be strange if that fundamental right could be breached with relative impunity by a data controller, save in those rare cases where the data subject had suffered pecuniary loss as a result of the breach. It is most unlikely that the Member States intended such a result.

79. In short, article 23 of the Directive does not distinguish between pecuniary and non-pecuniary damage. There is no linguistic reason to interpret the word “damage” in article 23 as being restricted to pecuniary damage. More importantly, for the reasons we have given such a restrictive interpretation would substantially undermine the objective of the Directive which is to protect the right to privacy of individuals with respect to the processing of their personal data.

80. Mr Tomlinson submits that “damage” for the purpose of article 23 extends to non-pecuniary loss (such as distress) where privacy rights under article 8 of the Convention are engaged, but not otherwise. In other words, he accepts that article 23 does not require compensation for non-pecuniary loss unless a data subject has suffered a violation of his rights under article 8 of the Convention.

81. In view of our conclusions as to the unrestricted meaning of “damage” in article 23, it necessarily follows that we are unable to accept this submission. But we add the following points.
First, Mr Tomlinson’s analysis presupposes a two-tier approach to enforcement of rights under the DPA, with a claim for compensation only being available in cases which meet the article 8 seriousness threshold. But the Directive does not distinguish between different categories of data breach (i.e. those which technically engage article  8 rights and those which do not). It is true that the object of the Directive is to protect the right to privacy, but it does not follow that the plain language of article 23 (“damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive”) should not be given its natural and ordinary meaning. In many cases the resultant damage will be an invasion of privacy which meets the threshold of seriousness required by article  8 of the Convention. But in some cases it will not. There is nothing in the language of article 23 which indicates an intention to restrict the right to compensation to the former. In short, the Directive does not in terms incorporate the article 8 mechanism for protecting article 8 privacy rights, although in practice application of the data protection legislation may achieve the same results. 82. Secondly, it is in any event unnecessary in practice to distinguish between cases which reach the article 8 threshold of seriousness and those which do not. If a case is not serious in terms of its privacy implications, then

231

11.3  Individual Contention

that by itself is likely to rule out any question of recovery of compensation for mere distress.’40

Commenting on the construction of section 13(2), the Court of Appeal states:

83. ‘On a literal interpretation of section 13(2), an individual who suffers distress by reason of a contravention by a data controller of any of the requirements of the DPA is entitled to compensation only if (i) he also suffers pecuniary or material loss by reason of the contravention or (ii) the contravention relates to the processing of personal data for the “special purposes” (journalism, artistic or literary purposes). It is common ground that none of the claimants in the present proceedings can satisfy the conditions of section 13(2). They are not even able to establish an entitlement to nominal damages which would be sufficient to satisfy section 13(2)(a); and the alleged contraventions in their cases do not relate to the processing of personal data for any of the special purposes.

84. It follows that, if interpreted literally, section 13(2) has not effectively transposed article 23 of the Directive into our domestic law. It is in these circumstances that the question arises whether it is nevertheless possible to interpret section 13(2) in a way which is compatible with article 23 so as to permit the award of compensation for distress by reason of a contravention of a requirement of the DPA even in circumstances which do not satisfy the conditions set out in section 13(2)(a) or (b).

85. Mr White and Mr Tomlinson are agreed that such an interpretation is not possible. In her first submissions, Ms Proops said that the “strained construction” permitting recovery of compensation for mere non-pecuniary loss is one that can and should be adopted so as to render section 13 consistent with article 23 of the Directive. In her oral submissions, Ms Proops did not abandon her case on construction, but she showed distinctly more enthusiasm for the case based on Benkharbouche which we discuss below.

86. The Marleasing principle is not in doubt. It is that the courts of Member States should interpret national law enacted for the purpose of transposing an EU directive into its law, so far as possible, in the light of the wording and the purpose of the directive in order to achieve the result sought by the directive. The critical words (which have given rise to some difficulty) are “so far as possible”. It is recognised that there are circumstances where it is not possible to interpret domestic legislation compatibly with the corresponding directive even where there is no doubt that the legislation was intended to implement the directive. If a national court is unable to rely on the Marleasing principle to interpret the national legislation so as to conform with the directive, the appropriate remedy for an aggrieved person is to claim Francovich damages against the state.

87. Our courts have seen a close parallel between the Marleasing principle and section 3 of the HRA. As Arden LJ put it in HMRC v IDT Card Ltd [2006] EWCA Civ 29 at para 92, any differences in approach are “more apparent than real”. In her survey of the law on the Marleasing principle, she drew heavily on the House of Lords decision on section 3 of the HRA in Ghaidan v Godin-Mendoza [2004] UKHL 3, [2004] 2 AC 557.

88. By analogy with the approach to section 3 of the HRA, the court cannot invoke the Marleasing principle to adopt a meaning which is “inconsistent with a fundamental feature of the legislation”: see per Lord Nicholls at para 33 of his speech in Ghaidan. Section 3 of the HRA reserves to Parliament the right to enact legislation which is not compliant with the Convention. So too the jurisprudence of the ECJ and CJEU recognises that when transposing a directive a Member State may choose not to implement it faithfully.

89. Mr White submits that there is a greater scope for applying the Marleasing principle by reading words in to a national measure (i.e. to expand its potential field of application) or by reading it down (i.e. to narrow its potential field of application) than by disapplying or striking out an incompatible measure. We accept this submission. As Lord Rodger said at para 121: “For present purposes, it is sufficient to notice that cases such as Pickstone v Freemans plc and Litster v Forth Dry Dock & Engineering Co Ltd suggest that, in terms of section 3(1) of the 1998 Act, it is possible for the courts to supply by implication words that are appropriate to ensure that legislation is read in a way which is compatible with Convention rights. When the court spells out the words that are to be implied, it may look as if it is “amending” the legislation, but that is not the case. If the court implies words that are consistent with the scheme of the legislation but necessary to make it compatible with Convention rights, it is simply performing the duty which Parliament has imposed on it and on others. It is reading the legislation in a way that draws out the full implications of its terms and of the Convention rights. And, by its very nature, an implication will go with the grain of the legislation. By contrast, using a Convention right to read in words that are inconsistent with the scheme of the legislation or with its essential principles as disclosed by its provisions does not involve any form of interpretation, by implication or otherwise. It falls on the wrong side of the boundary between interpretation and amendment of the statute.”

90. But it does not follow that it is never possible to interpret a measure by disapplying or striking down part of it in order to make it compatible with the Convention or a directive. Various interpretative techniques may be deployed in order to eliminate an incompatibility. The relevant question in each case is whether the change brought about by the interpretation alters a fundamental feature of the legislation or is inconsistent with its essential principles or goes against its grain, to use Lord Rodger’s memorable phrase. In our view, there is no significance in the interpretative tool that is used. Reading into a provision or reading it down may change a fundamental element of it. That is not permissible. But we do not see why, as a matter of principle, it is impermissible to disapply or strike down, say, a relatively minor incompatible provision in order to make the measure compatible. The question must always be whether the change that would result from the proposed interpretation (whichever interpretative technique is adopted) would alter a fundamental feature of the legislation. It will not be “possible” to interpret domestic legislation, whether by reading in, reading down or disapplying a provision, if to do so would distort or undermine some important feature of the legislation.

91. The question in this case is whether the exclusion of the right to compensation for distress where the conditions stated in section 13(2)(a) and (b) are not satisfied is a fundamental feature of the DPA. It is clear that Parliament deliberately chose to limit the right to compensation in the way that it did. It has not been suggested that the exclusion of distress was by oversight. In assessing how significant the exclusion was, the court is faced with the difficulty that no-one has been able to explain why Parliament chose to limit the right to recovery in this way. Recourse to Hansard has yielded nothing of relevance. There is nothing in the statutory text from which an explanation can reasonably be inferred. There is simply no evidence which indicates what Parliament had in mind. This is not, therefore, a case where an explanation has been provided from which the importance of the exclusion can be judged.

92. Nevertheless, we are satisfied that the Marleasing principle cannot be invoked to disapply section 13(2)(a) and (b). Section 13 is a central feature of the DPA. Section 13(2) is an important element of the compensation provisions that Parliament has enacted. It prescribes the circumstances in which an individual who suffers distress by reason of a contravention of the requirements of the DPA by a data controller is entitled to compensation. Distress is not a rare consequence of a contravention. In some cases, it may be insignificant. But it is often the only real damage that is caused by a contravention. Sometimes our courts award nominal damages where, in truth, little or no pecuniary loss has been suffered: they do this for the sole purpose of enabling the claimant to pass through the section 13(2)(a) gateway in order to claim compensation for his real loss.

93. In view of the importance to the DPA scheme as a whole of the provisions for compensation in the event of any contravention by a data controller, the limits set by Parliament to the right to compensation are a fundamental feature of the legislation. If we knew why Parliament had decided to restrict the right to compensation for distress in the way that it did, it would be impossible for the court, under the guise of interpretation, to subvert Parliament’s clear intention. The court would, in effect, be legislating against the clearly expressed intention of Parliament on an issue that was central to the scheme as a whole. We do not consider that it can make any difference that we do not know why Parliament decided to restrict the right to compensation in this way. It is sufficient that, for whatever reason, Parliament decided not to permit compensation for distress in all cases. Instead, it produced a carefully calibrated scheme which permits compensation for distress but only in certain tightly defined circumstances.

94. We cannot, therefore, interpret section 13(2) compatibly with article 23.’41

40 Ibid. 41 Ibid.

At para 105, the Court of Appeal states: ‘… What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA. No legislative choices have to be made by the court.’42

Court Remedy Against Controller or Processor

11.4 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77, each data subject must have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.43 Proceedings against a controller or a processor must be brought before the courts of the Member State where the controller or processor has an establishment.44 Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.45

INDIVIDUAL AND AUTHORITY

Right to Complain to Data Protection Supervisory Authority

11.5 Individuals can complain about third party companies to the data protection supervisory authority. Without prejudice to any other administrative or judicial remedy, every data subject must have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.46 This will often be the main or first type of complaint that an individual may seek to pursue. The data protection supervisory authority with which the complaint has been lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.47

42 Ibid. 43 Ibid Art 79(1). 44 Ibid Art 79(2). 45 Ibid. 46 Ibid Art 77(1). 47 Ibid Art 77(2).

This is much more pronounced and understood in the current environment post the ‘go live’ of the GDPR. Previously, however, there were some examples where legitimate complaints were arguably not properly followed through by a data protection supervisory authority. One of the more prominent EU cases in recent years was originally ignored to the extent of not following through or considering the merits of investigating the issues: the Schrems 1 case,48 which changed EU and international data protection practice and resulted in the CJEU striking down the EU–US Safe Harbour transfer arrangement.49 Initially, the data protection supervisory authority treated the complaints as not needing consideration or investigation. Ultimately, on appeal, the High Court in Dublin felt that there were serious issues to consider and referred the matter to the CJEU. The Safe Harbour arrangement was struck down by the CJEU and had to be replaced by the current EU–US Privacy Shield. (It remains to be seen what will happen if the Privacy Shield is also complained about or attacked.)

Right to Remedy Against Data Protection Supervisory Authority

11.6 Without prejudice to any other administrative or non-judicial remedy, each natural or legal person must have the right to an effective judicial remedy against a legally binding decision of a data protection supervisory authority concerning them.50 Without prejudice to any other administrative or non-judicial remedy, each data subject must have the right to an effective judicial remedy where the data protection supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.51 Proceedings against a data protection supervisory authority must be brought before the courts of the Member State where the data protection supervisory authority is established.52 Where proceedings are brought against a decision of a data protection supervisory authority which was preceded by an opinion or a decision of the EDPB in the consistency mechanism, the data protection supervisory authority must forward that opinion or decision to the court.53

48 Maximillian Schrems v Data Protection Commissioner, CJEU, Case C-362/14, 6 October 2015 (Schrems 1). 49 EU Commission Decision 2000/520 (on Safe Harbour) was declared invalid, ibid. 50 Ibid Art 78(1). 51 Ibid Art 78(2). 52 Ibid Art 78(3). 53 Ibid Art 78(4).


Powers

11.7 Individuals will become increasingly aware of the existence of and powers of data protection supervisory authorities and how these can be utilised to enable solutions as regards the abuse of their personal data. Where a given company is refusing to assist, the individual can engage the data protection supervisory authority to investigate and as appropriate to engage the remedial powers available. There are various distinct types of powers provided to the data protection supervisory authorities. Section 2 of Chapter VI of the GDPR refers to competence, tasks and powers. The distinct types of powers referred to are:

• investigative powers;
• corrective powers; and
• authorisation and advisory powers.
The exercise of the powers conferred on the data protection supervisory authority pursuant to Article 58 must be subject to appropriate safeguards, including effective judicial remedy and due process, set out in EU and Member State law in accordance with the Charter.54 Each Member State must provide by law that its data protection supervisory authority must have the power to bring infringements of the GDPR to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of the GDPR.55 Each Member State may provide by law that its data protection supervisory authority must have additional powers to those referred to in paragraphs 1, 2 and 3 of Article 58.56 The exercise of those powers does not impair the effective operation of Chapter VII of the GDPR (cooperation and consistency).57

54 Ibid Art 58(4). 55 Ibid Art 58(5). 56 Ibid Art 58(6). 57 Ibid.

Investigative Powers

11.8 Each data protection supervisory authority must have the following six investigative powers:

• to order the controller and the processor and, where applicable, the controller’s or the processor’s representative58 to provide any information it requires for the performance of its tasks;59
• to carry out investigations in the form of data protection audits;60
• to carry out a review on issued certifications (issued pursuant to Article 42(7));61
• to notify the controller or the processor of an alleged infringement of the GDPR;62
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;63 and
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.64

Organisations will have to pay particular attention to these powers (on top of their overall compliance obligations).

58 Under certain circumstances a controller or processor may have to appoint a representative in the EU in relation to data protection compliance matters where they themselves are located outside the EU. See GDPR Art 27 for more details. 59 GDPR Art 58(1)(a). 60 Ibid Art 58(1)(b). 61 Ibid Art 58(1)(c). 62 Ibid Art 58(1)(d). 63 Ibid Art 58(1)(e). 64 Ibid Art 58(1)(f).

Corrective Powers

11.9 Each data protection supervisory authority will have to deal with issues of breaches and the enforcement of the data protection rules. The GDPR specifies that the data protection supervisory authorities must have essential enforcement tools. To that end, the respective authorities must have the following ten corrective powers:

• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;65
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;66
• to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR;67
• to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;68
• to order the controller to communicate a personal data breach to the data subject;69
• to impose a temporary or definitive limitation including a ban on processing;70
• to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16 (right to rectification), 17 (right to erasure (right to be forgotten)) and 18 (right to restriction of processing) and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);71
• to withdraw a certification or to order the certification body to withdraw an issued certification (issued pursuant to Articles 42 and 43), or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;72
• to impose an administrative fine (pursuant to Article 83), in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;73 and
• to order the suspension of data flows to a recipient in a third country or to an international organisation.74

It is important to point out that for these mechanisms to work most effectively, in addition to general obligations of compliance with the data protection regime placed upon controllers and processors, there can also be specific obligations on organisations to comply with requests, directions, orders and decisions of the data protection supervisory authorities. Article 31 of the GDPR is headed ‘Cooperation with the supervisory authority’. It specifies that: ‘The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.’

National legislation may also specify obligations to comply and set out specific offences of non-compliance.

65 Ibid Art 58(2)(a). 66 Ibid Art 58(2)(b). 67 Ibid Art 58(2)(c). 68 Ibid Art 58(2)(d). 69 Ibid Art 58(2)(e). 70 Ibid Art 58(2)(f). 71 Ibid Art 58(2)(g). 72 Ibid Art 58(2)(h). 73 Ibid Art 58(2)(i). 74 Ibid Art 58(2)(j).

Authorisation and Advisory Powers

11.10 Each data protection supervisory authority must have the following ten authorisation and advisory powers:

• to advise the controller in accordance with the prior consultation procedure (referred to in Article 36);75
• to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;76
• to authorise processing (referred to in Article 36(5)), if the law of the Member State requires such prior authorisation;77
• to issue an opinion and approve draft codes of conduct (pursuant to Article 40(5));78
• to accredit certification bodies (pursuant to Article 43);79
• to issue certifications and approve criteria of certification (in accordance with Article 42(5));80
• to adopt standard data protection clauses (referred to in Article 28(8) and in Article 46(2)(d));81
• to authorise contractual clauses (referred to in Article 46(3)(a));82
• to authorise administrative arrangements (referred to in Article 46(3)(b));83 and
• to approve binding corporate rules (pursuant to Article 47).84

Administrative Fines and Penalties

11.11 Each data protection supervisory authority must ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of the GDPR referred to in paragraphs 4, 5 and 6 must, in each individual case, be effective, proportionate and dissuasive.85

75 Ibid Art 58(3)(a). 76 Ibid Art 58(3)(b). 77 Ibid Art 58(3)(c). 78 Ibid Art 58(3)(d). 79 Ibid Art 58(3)(e). 80 Ibid Art 58(3)(f). 81 Ibid Art 58(3)(g). 82 Ibid Art 58(3)(h). 83 Ibid Art 58(3)(i). 84 Ibid Art 58(3)(j). 85 Ibid Art 83(1).

Administrative fines must, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in Article 58(2)(a) to (h) and (j).86 When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard must be given to the following:

• the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• the intentional or negligent character of the infringement;
• any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and default) and 32 (security of processing);
• any relevant previous infringements by the controller or processor;
• the degree of cooperation with the data protection supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
• the categories of personal data affected by the infringement;
• the manner in which the infringement became known to the data protection supervisory authority, in particular whether and if so, to what extent, the controller or processor notified the infringement;
• where measures referred to in Article 58(2) (powers) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
• adherence to approved codes of conduct (pursuant to Article 40) or approved certification mechanisms (pursuant to Article 42); and
• any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.87

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.88

Infringements of the following provisions must, in accordance with paragraph 2, be subject to administrative fines up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the obligations of the controller and the processor pursuant to Articles 8 (conditions applicable to child’s consent in relation to information society services), 11 (processing which does not require identification), 25–39 and 42 (certification) and 43 (certification bodies);
• the obligations of the certification body (pursuant to Articles 42 and 43); and
• the obligations of the monitoring body (pursuant to Article 41(4)).89

86 Ibid Art 83(2). 87 Ibid Art 83(2)(a)–(k). 88 Ibid Art 83(3).

Articles 25–39 refer to:

• data protection by design and default (Article 25);
• joint controllers (Article 26);
• representatives of controllers or processors not established in the EU (Article 27);
• processors (Article 28);
• processing under authority of the controller or processor (Article 29);
• records of processing activities (Article 30);
• cooperation with the data protection supervisory authority (Article 31);
• security of processing (Article 32);
• notification of a personal data breach to the data protection supervisory authority (Article 33);
• communication of a personal data breach to the data subject (Article 34);
• data protection impact assessment (Article 35);
• prior consultation (Article 36);
• designation of the Data Protection Officer (Article 37);90
• position of the Data Protection Officer (Article 38); and
• tasks of the Data Protection Officer (Article 39).

Infringements of the following provisions must, in accordance with paragraph 2, be subject to administrative fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• the basic principles for processing, including conditions for consent, pursuant to Articles 5 (principles of data protection), 6 (lawfulness of processing), 7 (conditions for consent) and 9 (processing of special categories of personal data);
• the data subjects’ rights pursuant to Articles 12 to 22 (see below);
• the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49 (see below);
• any obligations pursuant to Member State law adopted under Chapter IX (provisions relating to specific processing situations); and
• non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the data protection supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).91

89 Ibid Art 83(4). 90 See Lambert, P, The Data Protection Officer, Profession, Rule and Role (Routledge, Taylor and Francis, 2016).

Articles 12–22 refer to:

• transparency and modalities (Article 12);
• information to be provided where personal data are collected from the data subject (Article 13);
• information to be provided where personal data have not been obtained from the data subject (Article 14);
• right of access by the data subject (Article 15);
• right to rectification (Article 16);
• right to erasure (right to be forgotten) (Article 17);
• right to restriction of processing (Article 18);
• notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19);
• right to data portability (Article 20);
• right to object (Article 21); and
• automated individual decision making, including profiling (Article 22).

Articles 44–49 refer to:

• general principle for transfers (Article 44);
• transfers based on an adequacy decision (Article 45);
• transfers subject to appropriate safeguards (Article 46);
• binding corporate rules (Article 47);
• transfers or disclosures authorised by EU law (Article 48); and
• derogations for specific situations (Article 49).

91 GDPR Art 83(5).

Non-compliance with an order by the data protection supervisory authority as referred to in Article 58(2) must, in accordance with paragraph 2 of this Article, be subject to administrative fines up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.92

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.93

The exercise by the data protection supervisory authority of its powers under this Article must be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process.94

Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent data protection supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed must be effective, proportionate and dissuasive.95 Those Member States were obliged to notify the Commission of the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018. They must also notify, without delay, any subsequent amendment law or amendment affecting them.

Member States must lay down the rules on other penalties applicable to infringements of the GDPR, in particular for infringements which are not subject to administrative fines (pursuant to Article 83), and must take all measures necessary to ensure that they are implemented. Such penalties must be effective, proportionate and dissuasive.96 Each Member State was obliged to notify the Commission of the provisions of its law which it adopts pursuant to the above by 25 May 2018. They must also notify, without delay, any subsequent amendment affecting these laws.97

92 Ibid Art 83(6). 93 Ibid Art 83(7). 94 Ibid Art 83(8). 95 Ibid Art 83(9). 96 Ibid Art 84(1). 97 Ibid Art 84(2).


Suspension of Proceedings

11.12 Where a competent court of a Member State has information on proceedings concerning the same subject matter pending in a court in another Member State, it must contact that court to confirm the existence of such proceedings.98 Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.99 Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.100

REPRESENTATION OF DATA SUBJECTS

11.13 The individual data subject also has the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77 (right to lodge a complaint with data protection supervisory authority), 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) on his or her behalf and to exercise the right to receive compensation (referred to in Article 82) on his or her behalf where provided for by Member State law.101

Member States may provide that a body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the data protection supervisory authority which is competent pursuant to Article 77 (right to lodge a complaint with data protection supervisory authority) and to exercise the rights referred to in Articles 78 (right to an effective judicial remedy against a data protection supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.102

98 Ibid Art 81(1). 99 Ibid Art 81(2). 100 Ibid Art 81(3). 101 Ibid Art 80(1). 102 Ibid Art 80(2).


CONCLUSION

11.14 Given the direct and indirect damage and other consequences for individuals, it is inevitable that, over time, there will be an increase in cases where individuals seek damages, compensation and other remedies. In some instances, the remedies other than financial may be even more important. Given that, increasingly, certain types of data incidents affect not just one person, but many people – sometimes even millions of people – there will be increasing pressure for multiple-type actions or class actions. This will involve specialist plaintiff lawyers or, in other instances, data protection and privacy groups or representative special interest groups. In addition, there will be increasing opportunity for actions to arise given that certain companies, or even certain sectors, will continue to push the boat out on non-compliant activities.

While there is significant focus on the regulation of data protection and privacy as they afford explicit rights and remedies to individual data subjects, there is also a separate discussion on the potential need to expand the range of privacy-related torts or civil rights of action.103 While issues of corporate contention with data protection supervisory authorities will no doubt occur, there will be a greater number of cases involving individuals and bodies representing specific individuals or individual interests more widely.

103 See, eg, Wragg, P, ‘Recognising a Privacy-Invasion Tort: The Conceptual Unity of Informational and Intrusion Claims’ Cambridge Law Journal (2019)(78: 2) 409; Deakin, S, ‘Organisational Torts: Vicarious Liability Versus Non-Delegable Duty’ Cambridge Law Journal  (2018) (77:1) 15.


CHAPTER 12

Independence

INTRODUCTION

12.1 It is very important that the respective data protection supervisory authorities are independent,1 otherwise improper influence or pressure could adversely affect the actions and decisions of the authority to the detriment of those whom it is tasked with protecting. However, ‘[d]espite the traditional checks and balances in a democratic state, the monitoring of governmental bodies by an authority closely linked to the government is particularly new’.2 The role and independence of the data protection supervisory authorities, therefore, are deserving of great scrutiny. Equally deserving of scrutiny are the safeguarding of data protection and of privacy generally, and how the supervisory authorities are equipped to ensure protection and are not hindered in so doing. The data protection supervisory authorities are ‘one of the key actors in the field of privacy regulation, safeguarding civil liberties and consumer rights by monitoring and enforcing the compliance of data protection policies’.3

GENERAL INDEPENDENCE OF AUTHORITY

12.2 The new GDPR ‘stipulat[es] mandatory [data protection] supervisory authorities, which have to fulfil a variety of different functions’.4 Each data protection supervisory authority must act with ‘complete independence’ in performing its tasks and exercising its powers in accordance with the GDPR.5 The members of each data protection supervisory authority must, in the performance of their tasks and exercise of their powers in accordance with the

1 See generally, eg, Szydło, M, ‘The Independence of Data Protection Authorities in EU Law: Between the Safeguarding of Fundamental Rights and Ensuring the Integrity of the Internal Market’ European Law Review (2017)(42:3) 369; Schütz, P, ‘Accountability and Independence of Data Protection Authorities – A Trade-Off?’ in Guagnin, G, Hempel, L, Ilten, C, Kroener, I, Neyland, D and Postigo, H, Managing Privacy Through Accountability (Palgrave, 2012) 233; ‘Principles Underlying Independence of National Data Protection Authorities: Commission v Australia’ Common Market Law Review (2013)(50:6) 1809; Hustinx, P, ‘The Role of Data Protection Authorities’ in Gutwirth, S, De Hert, P, Poullet, Y and de Terwangne, C, Reinventing Data Protection? (2009) 131. 2 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’. Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference 2012. 3 Ibid. 4 Ibid. 5 GDPR Art 52(1).


GDPR, remain ‘free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody’ (emphasis added).6 Members of each data protection supervisory authority must also refrain from any action incompatible with their duties and must not, during their term of office, engage in any incompatible occupation, whether gainful or not.7 Importantly, ‘[w]hen it comes to effective regulation, their independence from the privacy as well as political domain becomes of utmost importance’.8 Data protection and privacy regulators and supervisory authorities are the ‘spearhead’ and ‘guardians’ of data protection and privacy.9

STAFF RESOURCES AND INDEPENDENCE

12.3 In order to be able to undertake their tasks and at a level appropriate to the demands of those tasks, the data protection supervisory authorities must have appropriate resources and independence. Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the human … resources … necessary for the effective performance of its tasks and exercise of its powers’.10 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.11 Each Member State must ensure that each data protection supervisory authority chooses and has ‘its own staff’ which shall be subject to the ‘exclusive direction of the member or members of the data protection supervisory authority’ concerned.12

TECHNICAL RESOURCES AND INDEPENDENCE

12.4 Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the … technical … resources … necessary for the effective performance of its tasks and exercise of its powers’.13 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.14

6 Ibid Art 52(2). 7 Ibid Art 52(3). 8 Ibid. 9 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU  Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference 2012. 10 GDPR Art 52(4). 11 Ibid. 12 Ibid at 52(5). 13 Ibid at 52(4). 14 Ibid.


This can also involve a number of issues. Even where there is an appropriate level of staff, they all require appropriate resources and technical resources (such as equipment) to do their jobs. In addition, as the scope and complexity of certain data processing activities increases, so too do the skills and technical resources that staff need in order to be familiar with and able to investigate these technical issues.

FINANCIAL RESOURCES AND INDEPENDENCE

12.5 Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the … financial resources … necessary for the effective performance of its tasks and exercise of its powers’.15 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.16 Each Member State must ensure that each data protection supervisory authority is subject to financial control which does ‘not affect its independence’ (emphasis added) and that it has separate, public annual budgets, which may be part of the overall state or national budget.17

It is clear, therefore, that as well as independence, there must be financial independence for the respective data protection supervisory authorities. This is also the subject of some of the comments in the previous CJEU cases on independence of data protection supervisory authorities (see below) and a recent complaint to the Commission regarding the underfunding of one of the authorities as compared with the financial budget resources identified and requested by the particular authority.18 (See further detail on the context of the complaint in Chapter 13 below.)

OFFICE RESOURCES AND INDEPENDENCE

12.6 Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the … premises … necessary for the effective performance of its tasks and exercise of its powers’.19 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.20 The data protection supervisory authorities need enough office space to hold a sufficient number of staff appropriate to their needs and tasks. Even if there was not inappropriate restriction of staff numbers, there could be an indirect restriction by not providing or facilitating enough office space to house the staff needed.

15 Ibid at 52(4). 16 Ibid. 17 Ibid at 52(6). 18 ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019. 19 GDPR Art 52(4). 20 Ibid.


INFRASTRUCTURE RESOURCES AND INDEPENDENCE

12.7 Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the … infrastructure necessary for the effective performance of its tasks and exercise of its powers’.21 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.22

GERMAN INDEPENDENCE CASE

12.8 One issue is the scope of the requirement of independence of the data protection supervisory authorities and/or the standard of such independence. The German data protection supervisory case on independence issues relates to a CJEU decision where the EU Commission took a case against Germany for failing to fulfil its obligation (under the then data protection Directive 95/4623) to ensure the independence of the national data protection supervisory authority. The case is entitled Commission v Germany.24 This was prior to the new GDPR but is still obviously quite important.

The Commission requested a declaration that ‘by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight and by thus incorrectly transposing the requirement of “complete independence” of the supervisory authorities responsible for ensuring the protection of that data, the Federal Republic of Germany has failed to fulfil its obligations under the second subparagraph of Article 28(1) of’ data protection Directive 95/46 (emphasis added).25

The central issues involve, therefore, the significance of the impact of state oversight and control on the data protection supervisory authority.

The court determined that: ‘by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46’.26

21 Ibid at 52(4). 22 Ibid. 23 Directive 95/46/EC of the European Parliament and of the Council of 24  October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 24 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010. 25 Ibid para 1. 26 Ibid para 58(1).


Issue

12.9 The case concerns two different interpretations of the words ‘with complete independence’ in the second subparagraph of Article 28(1) of the previous data protection Directive 95/4627 and of the exercise of the supervisory authorities’ functions concerning the protection of individuals with regard to the processing of their personal data.28

The Commission (and the European Data Protection Supervisor) point to a broad interpretation of the words ‘with complete independence’ and argue that the requirement that the data protection supervisory authorities must exercise their functions ‘with complete independence’ must be interpreted as meaning that a data protection supervisory authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration. They say that the fact that the data protection supervisory authorities in Germany are subject to state scrutiny constitutes an infringement of the requirement of the role.29

Germany, however, argues for a narrower interpretation of the words ‘with complete independence’ and maintains that the second subparagraph of Article 28(1) of the data protection Directive 95/4630 requires the supervisory authorities to have functional independence in the sense that those authorities must be independent of bodies outside the public sector which are under their supervision and that they must not be exposed to external influences. This seems to suggest functional independence in general day-to-day activities. However, even on that point, that would seem to suggest and even admit that there is not independence in areas which might be described as outside or other than whatever functional independence might mean.

In the German view, the state scrutiny exercised in the German Länder does not constitute such an external influence, but rather the administration’s internal monitoring mechanism, implemented by the authorities attached to the same administrative machinery as the supervisory authorities and required, like the latter, to fulfil the aims of the Directive.31 The import of any such attachment is generally problematic.

Court Findings

12.10 The assessment of the substance of the case depends on the scope of the requirement of independence contained in the second subparagraph

27 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 28 Ibid, para 14. 29 Ibid, para 15. 30 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 31 Ibid para 16.

of Article  28(1) of data protection Directive 95/4632 and, therefore, on the interpretation of that provision. In that context, the wording itself of that provision and the aims and scheme of the Directive should be taken into account.33 The court indicates that in the wording of the second subparagraph of Article 28(1), because the words ‘with complete independence’ are not defined in the Directive, it is necessary to take their usual meaning into account. In relation to a public body, the term ‘independence’ normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure.34 There is nothing to indicate, according to the court, that the requirement of independence concerns exclusively the relationship between the data protection supervisory authorities and the bodies subject to that supervision. Contrary to the German argument, the court notes that the concept of ‘independence’ is complemented by the adjective ‘complete’ (ie  complete independence), which implies a decision-making power independent of any direct or indirect external influence on the data protection supervisory authority.35 The court also refers to the objectives of the Directive. 
The third, seventh and eighth Recitals in the preamble make clear that, through the harmonisation of national provisions on the protection of individuals with regard to the processing of personal data, the Directive seeks principally to ensure the free movement of such data between the Member States, which is necessary for the establishment of and the functioning of the internal market.36 However, the free movement of personal data is liable to interfere with the right to private life as recognised, inter alia, in Article 8 of the ECHR37 and the general principles of European Community law.38 For that reason and as is apparent, in particular, from Recital 10 and from Article 1 of data protection Directive 95/46,39 the latter seeks also not to weaken the protection guaranteed by the existing national rules but, on the contrary, to ensure in the EU a high level of protection of fundamental rights and freedoms with respect to the processing of personal

32 Directive 95/46/EC of the European Parliament and of the Council of 24  October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 33 Ibid, para 17. 34 Ibid, para 18. 35 Ibid, para 19. 36 Ibid, para 20. Within the meaning of Article 14(2) EC. See, to that effect, Joined Cases C465/00, C138/01 and C139/01  Österreichischer Rundfunk and Others  [2003]  ECR I4989, paras 39 and 70. 37 See, to that effect, the following judgments of the European Court of Human Rights: Amann v Switzerland, 16 February 2000, ECHR 2000-II, §§ 69 and 80; and Rotaru v Romania, 4 May 2000, ECHR 2000-V, §§ 43 and 46. 38 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010, para 21. 39 Directive 95/46/EC of the European Parliament and of the Council of 24  October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.


data.40 The data protection supervisory authorities are therefore the ‘guardians’ of those fundamental rights and freedoms and their existence in the Member States is considered, as is stated in Recital 62 to the data protection Directive 95/46,41 as an essential component of the protection of individuals with regard to the processing of personal data.42 In order to guarantee that protection, the data protection supervisory authorities must ensure a fair balance between, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data. Furthermore, under Article 28(6) of the Directive, the different national authorities are called upon to cooperate with one another and even, if necessary, to exercise their powers at the request of an authority of another Member State.43 The guarantee of the independence of national data protection supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not only the influence of the supervised bodies.44 In the same way as data protection supervisory bodies exist at national level, a data protection supervisory body is also provided for at European Community level, namely, the European Data Protection Supervisor.
In accordance with Article 44(1) of Regulation 45/2001,45 that body is to perform its duties in complete independence. Article  44(2) thereof clarifies that concept of independence by adding that, in the performance of its duties, the European Data Protection Supervisor may neither seek nor take instructions from anybody.46

40 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010, para 22. See, to that effect, Österreichischer Rundfunk and Others, para 70 and Case C73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR 9831, para 52. 41 Directive 95/46/EC of the European Parliament and of the Council of 24  October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 42 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010, para 23. 43 Ibid, para 24. 44 Ibid, para 25. 45 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. OJ L 8, 12.1.2001, pp 1–22. 46 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010, para 27.


The court said that in the light of the foregoing, the second subparagraph of Article 28(1) of data protection Directive 95/4647 is to be interpreted as meaning that the supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.48 The criterion aspect of an opportunity arising to call into question performance and independence is potentially wide and impactful. The court next assesses whether the state scrutiny to which the data protection supervisory authorities are subject in Germany is consistent with the requirement of independence as defined above.49 As argued by the European Data Protection Supervisor, the government of the Land concerned may have an interest in not complying with the provisions with regard to the protection of personal data where the processing of such data by a non-public body is at issue. That government may itself be an interested party in that processing if it actually or potentially participates therein, for example, in the case of a public-private partnership or in the case of public contracts with the private sector. That government may also have a specific interest if it is necessary or even merely useful for it to have access to databases to fulfil certain of its functions, in particular for taxation or law enforcement purposes. 
Furthermore, that government may also tend to favour economic interests in the application of the provisions on the protection of individuals with regard to the processing of personal data by certain companies which are economically important for the Land or region.50 The mere risk (as opposed to a proof positive smoking gun demonstrating an intention and action directed at directing or influencing the data protection supervisory authority) that the scrutinising authorities could exercise a political influence over the decisions of the data protection supervisory authorities is enough to hinder the latter authorities’ independent performance of their tasks. As was stated by the Commission, there could be ‘prior compliance’ (emphasis added) on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Also, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions and therefore the authorities themselves, remain above any suspicion

47 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 48 Commission v Federal Republic of Germany, CJEU, Case C-518/07, 9 March 2010, para 30. 49 Ibid, para 31. 50 Ibid, para 35.


of partiality.51 So mere risk of and an opportunity for the raising of suspicion of partiality or influence are impactful of themselves.

The court held that the state scrutiny exercised over the German data protection supervisory authorities responsible for supervising the processing of personal data outside the public sector is not consistent with the requirement of independence as defined in paragraph 30 of the judgment.52 The conferring of a status independent of the general administration on the data protection supervisory authorities does not in itself deprive those authorities of their democratic legitimacy.53

The court reiterated that the independence of the data protection supervisory authorities, in so far as they must be free from any external influence liable to have an effect on their decisions, ‘is an essential element in light of the objectives of Directive 95/46’ (emphasis added). Also, ‘[t]hat independence is necessary in all the Member States in order to create an equal level of protection of personal data and thereby to contribute to the free movement of data, which is necessary for the establishment and functioning of the internal market’.54 Therefore, a broad interpretation of the requirement of independence of the data protection supervisory authorities does not go beyond the limits of the powers of the EU and the basis of the Directive.55

The court, therefore, held that by making the data protection supervisory authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to state scrutiny and thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of the data protection Directive 95/46.56 Therefore, monitoring of this kind is problematic and should be avoided.

51 Ibid, para 36.
52 Ibid, para 37.
53 Ibid, para 46.
54 Ibid, para 50.
55 The powers granted to the EU under Article 100a of the EC Treaty, which is the legal basis of the data protection Directive 95/46. Ibid, para 51.
56 Ibid, para 56.

AUSTRIA INDEPENDENCE CASE

12.11 The Austria data protection supervisory case on independence issues relates to a CJEU decision where the EU Commission took a case against Austria for failing to fulfil its obligation (under the then data protection directive 95/4657) to ensure the independence of the national data protection supervisory authority.58 The case is entitled Commission v Austria.59 This was prior to the new GDPR. The Commission seeks a declaration that Austria failed to take all of the measures necessary to ensure that the legislation meets the requirement of independence with regard to the data protection supervisory authority, the Datenschutzkommission (Data Protection Commission; ‘DSK’), and failed to fulfil its obligations under the second subparagraph of Article 28(1) of the data protection Directive 95/46.60 The claim was that EU data protection law was infringed by the national law under which:

• the managing member of the data protection supervisory authority (Datenschutzkommission) is a federal official subject to (federal) supervision;
• the office of the data protection supervisory authority is integrated with the departments of the Federal Chancellery; and
• the Federal Chancellor has an unconditional right to information covering all aspects of the work of the data protection supervisory authority.61

57 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
58 ‘Principles Underlying Independence of National Data Protection Authorities: Commission v Austria’ Common Market Law Review (2013)(50:6) 1809. See also Hustinx, P, ‘The Role of Data Protection Authorities’ in Gutwirth, S, De Hert, P, Poullet, Y and de Terwangne, C, Reinventing Data Protection? (2009) 131; Szydło, M, ‘The Independence of Data Protection Authorities in EU Law: Between the Safeguarding of Fundamental Rights and Ensuring the Integrity of the Internal Market’ European Law Review (2017)(42:3) 369; Schütz, P, ‘Accountability and Independence of Data Protection Authorities – A Trade-Off?’ in Guagnin, G, Hempel, L, Ilten, C, Kroener, I, Neyland, D and Postigo, H, Managing Privacy Through Accountability (Palgrave, 2012) 233.
59 Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012.
60 Ibid, para 1.
61 Balthasar, A, ‘“Complete Independence” of National Data Protection Supervisory Authorities – Second Try: Comments on the Judgment of the CJEU of 16 October 2012, C-614/10 (European Commission v Austria), with Due regard to Its Previous Judgment of 9 March 2010, C-518/07 (European Commission v Germany)’ Utrecht Law Review (2013)(9:3) 26.

The court determined that:

‘by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the DSK, more specifically by laying down a regulatory framework under which

– the managing member of the DSK is a federal official subject to supervision,
– the office of the DSK is integrated with the departments of the Federal Chancellery, and
– the Federal Chancellor has an unconditional right to information covering all aspects of the work of the DSK,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46.’62

Issues

12.12 The Commission and the European Data Protection Supervisor argue that Austria has incorrectly transposed the second subparagraph of Article 28(1) of the data protection Directive 95/4663 as the national legislation does not allow the DSK to exercise its functions ‘with complete independence’.

First, according to the national legislation, the managing member of the DSK must always be an official of the Federal Chancellery. All day-to-day business of the DSK is thus de facto managed by a federal official, who remains bound by the instructions issued by his or her employer and is subject to supervision within the terms of paragraph 45(1) of the BDG 1979. Paragraph 37(1) of the DSG 2000 provides only for the operational autonomy of the data protection supervisory authority.64

In addition, the office of the DSK is structurally integrated with the departments of the Federal Chancellery. As a result of that integration, the Commission contends, the DSK is not independent in either organic or substantive terms. All DSK staff members are, as is apparent from paragraph 38(2) of the DSG 2000 and from Article 7(1) of the internal rules, under the authority of the Federal Chancellery and are thus subject to its supervision.65

Lastly, the Commission and the European Data Protection Supervisor refer to the Federal Chancellor’s right to be informed pursuant to Article 20(2) of the BVG and paragraph 38(2) of the DSG 2000.66

Austria argues that the DSK is a ‘collegiate authority with judicial functions’ within the meaning of the BVG. Such a body, it argues, constitutes an independent court or tribunal within the terms of Article 267 TFEU and Article 6(1) of the European Convention,67 which therefore meets the requirement of independence.68 According to Austria, the second subparagraph of Article 28(1) of the Directive relates to functional independence. The DSK has such independence since, in accordance with paragraph 37(1) of the DSG 2000, its members are independent and are not bound by instructions of any kind in the performance of their duties.69 Again, referring to a functional independence seems to suggest there are other areas of independence which are non-functional and which are or may be compromised or have such a perception or risk.

Austria argues that the managing member of the DSK need not necessarily be an official of the Federal Chancellery. Under Article 4(1) of the internal rules and paragraph 36(3) of the DSG 2000, the managing member is proposed from among the lawyers in the federal public administration. Moreover, the DSK can itself freely decide whom to appoint as its managing member by amending, on an autonomous basis, its internal rules. The fact that, like any other official, the managing member depends, for purposes of promotion, on the decision of his hierarchical superior and, ultimately, of a minister does not affect his independence.70

Regarding the integration of the office of the DSK with the departments of the Federal Chancellery, Austria claims that all bodies of the federal public administration come, from the point of view of budgetary law, under a ministerial department. It is for the government, in conjunction with the parliament, to ensure that the various executive bodies have adequate equipment and staff. In addition, the DSK office is exclusively responsible for the management of its action programmes. The DSK office staff comply with the instructions issued by the chairman and the managing member of the DSK. The fact that the staff of the office are, in legal terms, attached to the Federal Chancellery, both in terms of hierarchy and remuneration, does not affect their independence, it argues. Supervision, in terms of disciplinary controls, ensures the effective operation of the DSK.71

As regards the ‘right to information’ of the Federal Chancellor, Austria argues that this right seeks to ensure a certain democratic link between the autonomous bodies and the parliament. The right to information provides no scope for the exercise of influence over the DSK’s functioning, it argues. In addition, a right to information is not contrary to the requirements of independence applicable to a court or tribunal.72

62 Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 66.
63 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
64 Ibid, para 25.
65 Ibid, para 26.
66 Ibid, para 27.
67 European Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950. Ukrow, J, ‘Data Protection Without Frontiers: On the Relationship between EU GDPR and Amended CoE Convention 108’ European Data Protection Law Review (EDPL) (2018)(4:2) 239.
68 Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 28.
69 Ibid, para 30.
70 Ibid, para 32.
71 Ibid, para 33.

Court Findings

12.13 The second subparagraph of Article 28(1) of Directive 95/4673 requires Member States to set up one or more data protection supervisory authorities for the protection of personal data which have complete independence in exercising the functions entrusted to them. In addition, the requirement that compliance with EU rules on the protection of individuals with regard to the processing of personal data is subject to control by an independent authority derives from the primary law of the EU, inter alia, Article 8(3) of the Charter74 and Article 16(2) TFEU.75 The establishment in Member States of independent data protection supervisory authorities is an essential component of the protection of individuals with regard to the processing of personal data.76

It is necessary to consider the Commission argument that the law in Austria precludes the DSK from exercising its functions ‘with complete independence’ within the meaning of the second subparagraph of Article 28(1) of the Directive.77

The court rejects the Austrian argument that the DSK has the ‘degree of independence’ (emphasis added) required by the Directive since it satisfies the condition of independence inherent in Article 267 TFEU for it to qualify as a court or tribunal of a Member State.78 It follows from the Commission v Germany case (above) that the words ‘with complete independence’ in the second subparagraph of Article 28(1) of Directive 95/4679 must be given an autonomous interpretation, independent of Article 267 TFEU, based on the actual wording of that provision and on the aims and scheme of the Directive.80

The Court has already held in its judgment in Commission v Germany (above, para 30), that the words ‘with complete independence’ in Article 28(1) of the Directive must be interpreted as meaning that the data protection supervisory authorities for the protection of personal data must enjoy an independence which allows them to perform their duties free from external influence. The Court also stated in that judgment that those authorities must remain free from any external influence, direct or indirect, which is liable to have an effect on their decisions.81

The fact that the DSK has functional independence in so far as, in accordance with paragraph 37(1) of the DSG 2000, its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the second subparagraph of Article 28(1) of the Directive. However, contrary to what Austria maintains, ‘such functional independence is not by itself sufficient to protect that supervisory authority from all external influence’82 (emphasis added). The ‘independence required under the second subparagraph of Article 28(1) of Directive 95/4683 is intended to preclude not only direct influence, in the form of instructions but also, as noted in paragraph 41 above, any indirect influence which is liable to have an effect on the supervisory authority’s decisions’ (emphasis added).84 However, the various aspects of the Austrian law preclude the DSK from being capable of being regarded as performing its duties free from all indirect influence.85

72 Ibid, para 34.
73 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
74 Charter of Fundamental Rights of the European Union.
75 Treaty on the Functioning of the European Union. Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 36.
76 Commission v Germany, Case C-518/07 [2010] ECR I-1885, para 23. Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 37.
77 Ibid, para 38.
78 Ibid, para 39.
79 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.

The first complaint relates to the position of the managing member within the DSK.
It follows from paragraphs 36(3) and 38(1) of the DSG 2000, read in conjunction with Article 4(1) of the internal rules of the DSK, that the managing member is a federal official.86 Then, paragraph 38(1) of the DSG 2000 provides that the federal official manages the day-to-day business of the DSK.87 There is a service-related link between the managing member and that federal authority which allows the activities of the managing member to be supervised by his or her hierarchical superior.88 Paragraph 45(1) of the BDG 1979 grants the hierarchical superior an extensive power of supervision over the officials in their department. That provision enables the hierarchical superior not only to ensure that their staff carry out their tasks in accordance with the law, efficiently and economically, but also to guide them in carrying out their duties, rectify any faults and omissions and ensure that working hours are adhered to, encourage the promotion of staff in accordance with their performance and direct them to those tasks which correspond best to their capacities.89

80 See Commission v Germany, paras 17 and 29. Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 40.
81 See, to that effect, Commission v Germany, above, paras 19, 25, 30 and 50. Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012, para 41.
82 Ibid, para 42.
83 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
84 Ibid, para 43.
85 Ibid, para 44.
86 Ibid, para 45.
87 Ibid, para 46.

The second subparagraph of Article 28(1) of the Directive precludes the supervision to which the managing member is subject under paragraph 45(1) of the BDG 1979. Even if paragraph 37(1) of the DSG 2000 is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that paragraph 45(1) of the BDG 1979 confers on the hierarchical superior ‘a power of supervision’ (emphasis added) liable to hinder the DSK’s operational independence.90 The evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ (emphasis added) on the part of the managing member (see Commission v Germany, above, para 36).91 Given the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is ‘not above all suspicion of partiality’ (emphasis added).
In the light of the role of the data protection supervisory authorities as ‘guardians’ of the right to privacy, the Directive requires that their decisions and, therefore, the authorities themselves, remain above all suspicion of partiality (see Commission v Germany, above, paragraph 36).92 The court rejects this argument.93 As is apparent from paragraphs 48 to 52 of the present judgment, the ‘service-related link’ between the managing member of the DSK and the federal authority to which that member belongs ‘affects the DSK’s independence’. The manner in which that member is appointed does not cast doubt on that finding. It is for Austria to adopt the legal provisions necessary to guarantee that the data protection supervisory authority can exercise the functions entrusted to it ‘with complete independence’ within the meaning of the Directive.94

88 Ibid, para 48.
89 Ibid, para 49.
90 Ibid, para 50.
91 Ibid, para 51.
92 Ibid, para 52.
93 Ibid, para 54.
94 Ibid, para 55.

As to the second head of complaint (of the Commission), pursuant to paragraph 38(2) of the DSG 2000, the Federal Chancellery is required to make available to the DSK office the necessary equipment and staff. It is not disputed that the DSK office is composed of officials of the Federal Chancellery.95 The court agrees with the Commission that the integration of the DSK office with the departments of the Federal Chancellery also does not allow the inference to be drawn that the DSK can exercise the functions entrusted to it free from all influence from the Federal Chancellery.96

It is, admittedly, true, as the Republic of Austria emphasises, that the DSK need not be given a separate budget, such as that provided for in Article 43(3) in Regulation 45/2001 for the European Data Protection Supervisor, to be able to satisfy the criterion of independence set out in the second subparagraph of Article 28(1) of Directive 95/46.97 Member States are not obliged to reproduce in their national legislation provisions similar to those of Chapter V of Regulation 45/2001 to ensure the total independence of their respective supervisory authorities and they can therefore provide that, from the point of view of budgetary law, the supervisory authorities are to come under a specified ministerial department. However, the attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them within the meaning of the second subparagraph of Article 28(1) of Directive 95/46.98 The law in Austria fails, however, to satisfy that last condition. The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery within the terms of paragraph 45(1) of the BDG 1979.
As is apparent from the earlier paragraphs 49 to 52 of the judgment, however, such supervision by the state is not compatible with the requirement of independence set out in the second subparagraph of Article 28(1) of the Directive, which must be satisfied by data protection supervisory authorities for the protection of personal data.99

Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK is rejected by the court.100 In view of the work load of a data protection supervisory authority responsible for the protection of personal data, on the one hand, and of the fact that the members of the DSK exercise their duties under paragraph 36(3a) of the DSG 2000 at the same time as engaging in other work, on the other, it must be held that the members of such an authority rely in large measure on the staff made available to them for assistance in exercising the functions entrusted to them. The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries ‘a risk of influence’ (emphasis added) over the decisions of the DSK. Such an ‘organisational overlap’ between the DSK and the Federal Chancellery prevents the DSK from being ‘above all suspicion of partiality’ (emphasis added) and is, therefore, incompatible with the requirement of ‘independence’ within the meaning of the second subparagraph of the Directive.101

95 Ibid, para 56.
96 Ibid, para 57.
97 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50.
98 Ibid, para 58.
99 Ibid, para 59.
100 Ibid, para 60.

Regarding the third head of complaint, it must be held that, in accordance with Article 20(2) of the BVG and paragraph 38(2) of the DSG 2000, the Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK.102 Such a ‘right to information’ is also liable to subject the DSK to ‘indirect influence’ from the Federal Chancellor which is incompatible with the criterion of independence referred to in the second subparagraph of Article 28(1) of the Directive. This right to information is far reaching as it covers ‘all aspects of the work of the DSK’ and is also unconditional.103 In those circumstances, this right to information (in Article 20(2) of the BVG and paragraph 38(2) of the DSG 2000) precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality.104

Alexander Balthasar105 in commenting on both cases perceives that the Austria case106 diverges somewhat from the Germany case107 specifically in terms of being less onerous in terms of the obligation which the provision provides for as regards Member States and the independence of the data protection supervisory authorities. I am not sure that this critique or commentary is correct in that regard. The German case is not actually overruled or restricted.
The above commentary notes that certain statements in the German case are ‘not repeated’ in the Austria case.108 However, they do not have to be. That a given statement is not repeated does not mean that it becomes irrelevant or does not remain part of caselaw, relevance and precedent. However, the commentary acknowledges that there is a ‘landmark’ relevance to the German case and that it is ‘relevant’ to considering other situations regarding these issues as they relate to the data protection, independence109 and discussions of the obligation of independence, standards of independence and principles of separation. Issues of ‘budget autonomy’ are also discussed.110

101 Ibid, para 61.
102 Ibid, para 62.
103 Ibid, para 63.
104 Ibid, para 64.
105 Balthasar, A, ‘“Complete Independence” of National Data Protection Supervisory Authorities – Second Try: Comments on the Judgment of the CJEU of 16 October 2012, C-614/10 (European Commission v Austria), with Due regard to Its Previous Judgment of 9 March 2010, C-518/07 (European Commission v Germany)’ Utrecht Law Review (2013)(9:3) 26.
106 Commission Supported by the European Data Protection Supervisor v Republic of Austria, CJEU, Case C-614/10, 16 October 2012.
107 Commission v Germany, Case C-518/07 [2010] ECR I-1885.
108 Ibid, 27.
109 Ibid, 28.

110 Ibid, 37–38.

COMPARISON AND TRANSITION

12.14 While the essence of the same independence restriction as applied in the German and Austrian cases (above) pursuant to the data protection Directive 95/46 also appears in the GDPR, there are in addition clauses and phrases expanding and further ringfencing the independence of the respective data protection supervisory authorities. The provisions are compared in the table below.

The essential continuity of the obligation (and the continuing relevance of the German case), as well as the expanded obligations of independence, serve to suggest that the Commission, respective data protection supervisory authorities and other interested parties will have even more grounds to complain where it is perceived that independence is being compromised or threatened in some way. The potential for additional case law in this regard is inevitable given that there is a new law. However, it may also be suggested that the potential increase in grounds and basis of independence will also mean that there may be an increase in the number of related cases. Member States as well as interested third parties will have to carefully consider the now-expanded independence provisions set out in Article 52 of the GDPR.

A further point may be made. It is not inconceivable that a data protection supervisory authority may seek to directly rely on the new extended provisions. It may, for example, seek to rely on the express provisions in terms of correspondence which resists or pushes back on what it perceives to be undue interference with its independence. A further possibility also arises whereby a data protection supervisory authority may seek to consider its entitlement to litigate these issues and maintain its own rights of independence.

Independence of DSPAs

| DPD 95/46 Article 28 | GDPR Article 52 |
| --- | --- |
| 1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them. | 1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation. |
| 2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data. | 2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and shall neither seek nor take instructions from anybody. |
| 3. Each authority shall in particular be endowed with: – investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties, – effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20 and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions, – the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts. | 3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. |
| 4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim. Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place. | 4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board. |
| 5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public. | 5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned. |
| 6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information. | 6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget. |
| 7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access. | |

The comparisons and expansions will likely come to be considered in future legal cases.

INDEPENDENCE OF EDPB

12.15 In addition, the European Data Protection Board (EDPB) is also independent in its activities. Article 69(1) of the GDPR provides: ‘The [EDPB] shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.’

It is stipulated that (without prejudice to requests by the Commission referred to in Article 70(1)(b) and Article 70(2)): ‘the [EDPB] shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody’.111

The EDPB is, therefore, independent in terms of its tasks, deliberations, work schedule, opinions, recommendations, etc. There is a carveout, however: the introductory wording quoted above makes this independence without prejudice to two matters. The without prejudice carveouts are:

Article 70(1)(b): This refers to ‘advise the Commission on any issue related to the protection of personal data in the [EU], including on any proposed amendment of’ the GDPR. Article 70 refers to tasks of the EDPB; and

Article 70(2): This refers to ‘[w]here the Commission requests advice from the [EDPB], it may indicate a time limit, taking into account the urgency of the matter.’

The European Data Protection Board is independent in its activities. Article 69(1) provides that: ‘The [EDPB] shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.’

It is stipulated that (without prejudice to requests by the Commission referred to in of Article 70(1)(b) and in Article 70(2)): ‘the [EDPB] shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody’.112

The European Data Protection Board is, therefore, independent in terms of its tasks, deliberations, work schedule, opinions, recommendations, etc. There is a carveout, however, referred to in the preceding or introductory statement that this being separate or without prejudice to two matters. The without prejudice carveouts are:

111 GDPR Art 69(2). 112 Ibid.


• Article 70(1)(b): This refers to ‘advise the Commission on any issue related to the protection of personal data in the [EU], including on any proposed amendment of’ the GDPR. Article 70 refers to tasks of the EDPB; and

• Article 70(2): This refers to ‘[w]here the Commission requests advice from the [EDPB], it may indicate a time limit, taking into account the urgency of the matter’.

INDEPENDENCE OF EUROPEAN DATA PROTECTION SUPERVISOR

12.16 The European Data Protection Supervisor must act with complete independence in performing his or her tasks and exercising his or her powers in accordance with this Regulation.113 The European Data Protection Supervisor must, in the performance of his or her tasks and exercise of his or her powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and must neither seek nor take instructions from anybody.114 The European Data Protection Supervisor must refrain from any action incompatible with his or her duties and must not, during his or her term of office, engage in any other occupation, whether gainful or not.115 After his or her term of office, the European Data Protection Supervisor must behave with integrity and discretion as regards the acceptance of appointments and benefits.116

CONCLUSION

12.17 No doubt these issues of proper independence will continue to be developed – especially post the ‘go live’ of the GDPR (and given that the German and Austria cases (above) occurred under the previous data protection regime pursuant to the data protection Directive 95/46 117). The new specific requirements of the GDPR on independence, funding, etc, will be considered of course. There will be scrutiny of the ‘formal independence’118 of the data protection supervisory authorities, as well as informal or indirect impediments. It is reported that a complaint has now been filed with the EU Commission in relation to the independence and funding of a specific data protection supervisory authority.119

113 Regulation 2018/1725 Art 55(1). 114 Ibid Art 55(2). 115 Ibid Art 55(3). 116 Ibid Art 55(4). 117 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp 31–50. 118 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference 2012. 119 ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019.


Philip Schutz refers to various researchers who have undertaken comparative research on independence, with categories of comparison, in order to assist in evaluating levels of independence.120 These types of criteria identification and comparison may be further developed and applied to the new data protection supervisory authorities and wider privacy regulators, post the ‘go live’ of the new GDPR. Research into contemporary direct and indirect means of potential influence or adversely impacting the data protection supervisory authorities would also be legitimate. In the Trump era we have seen a number of examples where officials have taken certain action (or refused to take certain action as the case may be) due not to need, policy or express direction, but rather based on the anticipated reaction of the President. Somewhat similarly, Dammann referred previously to the danger of ‘anticipatory obedience’121 by a data protection supervisory authority (or its staff) to wide government policy or actions. This is indeed an issue to consider and is noteworthy in causing less express or direct interference than some other examples. Dammann also refers to how staff in a data protection supervisory authority may later move to (or back to) a mainstream government or official department – and seek to progress through advancement.122 This can also create potential problematic issues for independence. Referring also to the research of Gilardi and of Thatcher referred to above, Philip Schutz indicates that the research:

‘demonstrates interesting ideas as to how to measure independence using quantitative methods … an independence index that aims to measure the formal independence of [[data protection] supervisory authorities] from governmental actors … [and] expand[ed] analysis to include informal sources of influence such as politicization and revolving doors … [the] researchers help to identify key determinants of formal and de facto independence’.123

Any developments arising from the complaint to the Commission124 as regards the funding or underfunding of a data protection supervisory authority will need to be monitored.

120 Referring to Gilardi, F, ‘Policy Credibility and Delegation to Independent Regulatory Agencies: A Comparative Empirical Analysis’ Journal of European Public Policy (2002)(9:6) 873; Cukierman, A, Webb, SB and Neyapti, B, ‘Measuring the Independence of Central Banks and Its Effect on Policy Outcomes’ The World Bank Economic Forum (1992)(6:2) 353; Thatcher, M, ‘Regulation After Delegation: Independent Regulatory Agencies in Europe’ Journal of European Public Policy (2002)(9:6) 959. Referred to in Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference (2012) 8–10. 121 Dammann, U, ‘Bundesbeauftragter für den Datenschutz und die Informationsfreiheit’ in Bundesdatenschutzgesetz – Kommentar, Simitis, S, ed (Baden-Baden: Nomos, 2011) 1055. Referred to in Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference (2012) 13. 122 Dammann, ibid. 123 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference (2012) 21. 124 ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019.


CHAPTER 13

Funding

INTRODUCTION

13.1 Just as important as the general independence of the data protection supervisory authorities is their financial independence. Undue influence or undue restrictions can be potentially placed on a data protection supervisory authority in the form of lack of funding or underfunding. It is predicted that as the issues and work commitments of respective data protection supervisory authorities – and indeed other comparative regulators – increase, there will be greater scrutiny of the resources and funding available to them. The importance of funding is receiving greater legislative focus by way of express protection for the funding of data protection supervisory authorities. Greater analysis of the categories, types and needs of funding will likely also increase. For example, particular funding at a global level may seem significant, but more detailed analysis may reveal important gaps in funding which need to be addressed.1

FINANCIAL INDEPENDENCE

13.2 Financial independence is a requirement of the independence of the data protection supervisory authorities. This is clear from the previous and current data protection law, as well as from case law. Each data protection supervisory authority must act with ‘complete independence’ when performing its tasks and exercising its powers in accordance with the GDPR.2 Independence and complete independence can extend to financial and funding issues. The Member States must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers’.3 This is provided to include

1 Generally see Hustinx, P, ‘The Role of Data Protection Authorities’ in Gutwirth, S, De Hert, P, Poullet, Y, de Terwangne, C, Reinventing Data Protection? (Springer 2009) 131; Szydło, M, ‘The Independence of Data Protection Authorities in EU Law: Between the Safeguarding of Fundamental Rights and Ensuring the Integrity of the Internal Market’ European Law Review (2017)(42:3) 369; Schütz, P, ‘Accountability and Independence of Data Protection Authorities – A Trade-Off?’ in Guagnin, G, Hempel, L, Ilten, C, Kroener, I, Neyland, D and Postigo, H, Managing Privacy Through Accountability (Palgrave, 2012) 233. 2 GDPR Art 52(1). 3 Ibid Art 52(4).


those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board (EDPB).4 Each Member State must ensure that each data protection supervisory authority is subject to financial control which does ‘not affect its independence’ (emphasis added) and that it has separate, public annual budgets, which may be part of the overall state or national budget.5 It is clear, therefore, that, as well as independence, there must be financial independence for the respective data protection supervisory authorities.

STAFF AND STAFF FUNDING

13.3 Each Member State must ensure that each data protection supervisory authority chooses and has ‘its own staff’ which shall be subject to the ‘exclusive direction of the member or members of the data protection supervisory authority’ concerned.6 To have its own staff, it must also have the necessary financial resources. We already see that issues such as staffing have received judicial attention.7 No doubt the focus on this area will increase.

INDEPENDENCE FROM EXTERNAL DIRECT AND INDIRECT INFLUENCE

13.4 The member or members of each data protection supervisory authority must, in the performance of their tasks and exercise of their powers in accordance with the GDPR, remain ‘free from external influence, whether direct or indirect and shall neither seek nor take instructions from anybody’ (emphasis added).8 The members of each data protection supervisory authority must refrain from any action incompatible with their duties and must not, during their term of office, engage in any incompatible occupation, whether gainful or not.9 Again, the influence from external official sources and insulation against the possibility of this occurring structurally has already been discussed at CJEU level.

FUNDING AND RESOURCE INCREASES

13.5 There are clearly an increasing number of data protection issues and problem issues with which the data protection supervisory authorities have to deal. As well as new tech problem issues, changes brought about by new

4 Ibid. 5 Ibid Art 52(6). 6 Ibid Art 52(5). 7 See the Austria DSPA independence case, Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012. Also note the previous and still important case of Commission v Germany, Case C-518/07 [2010] ECR I-1885. 8 GDPR Art 52(2). 9 Ibid Art 52(3).


legislation (including the GDPR), international transfer issues and the process and uncertainty issues created by Brexit, there is also a normal expected increase in workload due to greater awareness. That being so, there should be an increase year-on-year of the resources, including the financial resources, available to the respective data protection supervisory authorities. Such increases must also be reflective and proportionate to need, as opposed to less than or significantly less than that which is actually required. While there will obviously be budgetary restraints from time to time, the consistent year-on-year underfunding of a data protection supervisory authority is problematic. In addition, it can lead to claims of a policy – whether direct or by omission – that has an impact on the independence of the data protection supervisory authority. This also relates to the previous chapter.

IRISH DATA PROTECTION COMMISSION

13.6 The Irish Data Protection Commission10 is an important data protection and privacy regulator and supervisory authority. Ireland is home to many international tech headquarters, including some notable US multinationals. As such, significant data protection regulatory issues come to be examined in Ireland. (This has been enhanced post the ‘go live’ of the GDPR.) There are a significant number of large investigations currently being undertaken. There is, therefore, a legitimate focus on the needs, size, resources and funding of the Data Protection Commission. This will only increase over time.

Calls for More Funding

13.7 The Data Protection Commission has indicated that it requires more staff, resources and funding. It made a submission for additional required funding to carry out its responsibilities. It also requested increased funding for appropriate office facilities (referred to as ‘fit-for-purpose’ offices). Commentary indicates that ‘[t]he watchdog complained … that it was only granted a budget increase of less than a third of what it requested, despite the burden being placed on it by the demands of policing GDPR complaints from around the world’.11 It received an 11% increase in its annual funding for the coming year, increasing to €16.9 million. However, it had asked for budget funding of €21.2 million. The Data Protection Commission responded that this was inadequate given its position ‘at the front line of global data protection regulation’.

10 The Irish Data Protection Commission has been established by the new Data Protection Act 2018, replacing the previous Data Protection Commissioner as the data protection supervisory authority. Note, while there is a new Data Protection Commission regulator there is also a new Data Protection Commissioner of the Commission. 11 Duffy R and Foxe, K, ‘Revealed: Data Protection Commission’s Pleas for More Staff and “Fit For Purpose” Office’ TheJournal.ie, 12 October 2019.


Comparative and Needs Funding

13.8 The Data Protection Commission refers to its comparative and proportionate need for funding. It points out that, given its position and role, there is a strong argument for it to have the highest level of funding of European data protection supervisory authorities. It refers to coming in seventh in terms of comparative funding; and eighth in terms of staff levels – both of which are inadequate. The Data Protection Commission suggests that:

‘It is arguable the DPC should be the largest given the unique role of Ireland and the DPC in lead-supervising for the EU the world’s largest tech platforms under the GDPR’ (emphasis added).

The Data Protection Commission also refers to the increase in work reflected in the level of complaints that it handles having ‘more than doubled since 2017’. It adds that: ‘[g]iven the role of the DPC as a Lead Supervisory Authority, the office carries a disproportionate burden of the EU’s collective effort to regulate the data processing activities of global tech giants which are active in the European market’.

Staff Funding

13.9 Reports describe the Data Protection Commission pre-budget submission as ‘urgently seeking the funds to increase its staffing levels’.12 The Data Protection Commission is aiming for 224 employees. It is currently below this required level. The Data Protection Commission hoped to have 180 staff in place by the end of 2019. Instead, it will probably only have 148. This is indicated in part to be due to the ‘highly competitive landscape for specialist skills’.

Office Funding

13.10 The Data Protection Commission had previously been criticised, if not ridiculed, for the status of its office facilities. Following a wider government policy of decentralisation from the capital, the Data Protection Commissioner (as it then was) was decentralised to offices in Portarlington. These were perceived by many as being inappropriate to the role and functions of an agency as important as the Data Protection Commissioner. It proved to be ‘somewhat of an embarrassment for Ireland’ Inc.13 The Data Protection Commission’s pre-Budget submission is reported as stating that it is ‘critical’ that it has permanent offices located in the capital.14 It states that:

12 Ibid. 13 Ibid. 14 Ibid.


‘The need for a fit-for-purpose permanent city-centre Dublin head office, reflecting international stakeholders’ expectations of the DPC and which is capable of housing all current and future Dublin-based staff, has been a critical requirement for some time.’

It continues that: ‘The urgency of a new premises arises in particular from the constant national and international media focus and negative commentary on the standard and location of the DPC’s offices, as well as from the significant costs of maintaining temporary office locations as the DPC continues to expand in size and the operational impact for the DPC of operating across multiple locations.’

It should be noted that there has also been an official response from the agency responsible for government premises. The Office of Public Works (OPW) states that it is progressing such premises. ‘It is anticipated that the property concerned will be available for occupation by late 2020.’15

Resources and Technical Resources

13.11 Each Member State must ensure (the words ‘shall ensure’ are used) that each data protection supervisory authority is ‘provided with the … technical … resources … necessary for the effective performance of its tasks and exercise of its powers’.16 This is provided to include those to be carried out in the context of mutual assistance, cooperation and participation in the EDPB.17 This can also involve a number of issues. Even where there is an appropriate level of staff, they all require appropriate technical resources (such as equipment) to do their jobs. In addition, as the scope and complexity of certain data processing activities increases, so too do the skills and technical resources that staff require to be familiar with and be able to investigate these issues.

Response

13.12 The Data Protection Commission has expressed displeasure at the underfunding, particularly in response to the less-than-requested increase in funding it is due to receive in the 2019 budget. A statement on its website states:

‘Data Protection Commission statement on increased funding of €1.6 million in 2020 Budget

9th October 2019

• Total 2020 funding increased by €1.6 million to €16.9 million.

• Additional funding received is less than a third of the funding requested in the DPC’s budget submission.

15 Ibid. 16 Ibid. 17 Ibid.


The Data Protection Commission (DPC) has today acknowledged the additional funding of €1.6 million allocated to the regulator, announced by the Government in Budget 2020. The increase in funding for 2020 brings the total funding allocation for the DPC to €16.9 million, representing an 11% increase on the 2019 allocation. The Commissioner for Data Protection, Helen Dixon, in commenting on the funding received acknowledged the Brexit challenges in this Budget but stated that, “the DPC is disappointed that the additional funding allocated is less than one third of the funding that the DPC requested in its budget submission. The submission reflected a year of experience of regulating under the General Data Protection Regulation (GDPR) and highlighted the increased volumes and complexities involved. The DPC must now reassess its planned expenditure for 2020, particularly in relation to foreseen ‘non-pay’ expenditure for which the DPC has received a zero increase in allocation.” Since the application of the GDPR on 25  May 2018, the DPC has seen a significant increase in workload. Since 1 January 2019, over 7,000 complaints and almost 5,000 breach notifications have been received. The office has been contacted by members of the public and organisations seeking guidance over 40,000 times in the same period. Increases in funding in recent years have allowed the DPC to recruit additional staff with various specialist backgrounds towards meeting the demands of the tasks assigned under the GDPR, bringing staffing levels to 138 at present. This funding was critical given the low base from which the DPC started in 2015 to prepare for the new EU regulation which includes the Irish DPC acting as EU lead supervisory authority in respect of the many global technology multinationals with European headquarters in Ireland. This lead EU regulatory role places the DPC at the front line of global data protection regulation.’18

While it appears that the Commission in the Germany and Austria cases19 acted on its own (although this is not absolutely clear), it remains to be seen if complaints may arise in future by being initiated by respective data protection supervisory authorities direct to the EU Commission (or in some other manner). If a government sought to prevent such a complaint, that may arguably be seen as an example of interference in and of itself.

Independence and Funding Complaint

13.13 It is reported that a complaint has now been filed with the EU Commission in relation to the independence and funding issues with the Data Protection Commission referred to above.20 The complaint is understood to

18 Data Protection Commission, press release, 9 October 2019, available at: www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-statement-increased-fundingeu16-million-2020. 19 Commission v Germany, Case C-518/07 [2010] ECR I-1885; Commission v Republic of Austria, CJEU, Case C-614/10, 16 October 2012. 20 ‘Is Ireland Breaching EU Rules by Underfunding Data Regulator?’ Irish Times, 12 October 2019.


allege that the Commission has been underfunded in comparison to the funding that is required and which it requested to undertake its duties and tasks. If the Commission agrees with this complaint, this could have significant implications for Member States in properly funding the respective data protection supervisory authorities on an individual, independent needs basis, as opposed to being caught up in wider budgetary issues and thus open to perceptions or claims that a given data protection supervisory authority is being deliberately underfunded in such a manner or extent that its independence is compromised. Ultimately, this could be viewed as a progressive development. However, we will need to see what transpires. If the Commission takes on the complaint, it may correspond with the respective government raising this issue and seeking rectification. In matters such as this, where the Commission is not satisfied with a response, with a lack of response or with action or remedial action, it can issue legal proceedings. It is understood that there has been a previous complaint in relation to the independence of the data protection supervisory authority in Ireland. This relates to a legal case prepared by Digital Rights Ireland (DRI) claiming that there was a lack of independence relating to the previous Data Protection Commissioner as the office was integrated into the Department of Justice and that all its employees were civil servants.21

ALLOCATION AND FUNDING OF EDPB SECRETARIAT

13.14 The EDPB also has a secretariat provided by the European Data Protection Supervisor.22 The secretariat performs its tasks exclusively under the instructions of the chair of the EDPB.23 The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the EDPB by the GDPR are subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.24 Where appropriate, the EDPB and the European Data Protection Supervisor will establish and publish a Memorandum of Understanding implementing Article 75 of the GDPR, determining the terms of their cooperation and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the EDPB by the GDPR.25 The secretariat provides analytical,

21 Edwards, E, ‘Independence of Data Protection Commissioner Questioned’ Irish Independent, 28  January 2016; Healy, C, ‘State Slapped with Legal Action Over Irish Data Protection Regime’ TheJournal.ie, 28 January 2016. 22 GDPR Art 75(1). 23 Ibid Art 75(2). 24 Ibid Art 75(3). 25 Ibid Art 75(4).


administrative and logistical support to the EDPB.26 In particular, the secretariat is responsible for:

• the daily business of the EDPB;

• communication between the members of the EDPB, its chair and the Commission;

• communication with other institutions and the public;

• the use of electronic means for the internal and external communication;

• the translation of relevant information;

• the preparation and follow-up of the meetings of the EDPB; and

• the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the EDPB.27

CONCLUSION

13.15 Funding – and associated issues of required independence – are important issues and must be carefully considered and appropriately actioned so as not to fall foul of the legal requirements of appropriate funding and independence as can be impacted by a lack of funding or underfunding. ‘[C]omplete independence’ is required in performing its tasks, powers and activities pursuant to the GDPR.28 Inappropriate influence can be indirect (as well as direct).29 Each Member State must ensure (‘shall’) that the data protection supervisory authority is ‘provided with the … financial resources, premises’ etc, that are ‘necessary for the effective performance of its tasks and exercise of its powers’.30 The funding of respective data protection supervisory authorities year on year and comparatively is a legitimate area for detailed research. There may also be opportunity for the EDPB or the European Data Protection Supervisor to gather and record certain data in this regard. This may be associated with other data points and factors, such as the number of individual data subject queries, complaints and results per year across the data protection supervisory authorities. Research and funding issues as an element of demonstrating (and maintaining) independence could be an increasing research focus, as distinct from other data points and data factors in research. Increasing scrutiny, especially on the tasks, tools, and technical problems being investigated should suggest greater granularity and independence of funding to data protection supervisory authorities, even within those authorities. In addition, there is increasing scrutiny where there is

26 Ibid Art 75(5). 27 Ibid Art 75(6)(a)–(g). 28 Ibid Art 52(1). 29 Ibid Art 52(2). 30 Ibid Art 52(4).


(correctly or incorrectly) a perception that no action or inaction may be due to a lack of funds or other necessary resources. Funding will no doubt be an important issue of focus in future. In addition, another area of focus will be the ability of respective data protection supervisory authorities to keep and maintain the monetary penalties levied to ensure that they are not taken, allocated to, or dipped into by other departments, official entities or central government. As briefly noted above, the extent to which a data protection supervisory authority has a mechanism to complain about underfunding adversely affecting its independence and impeding its tasks, including an ability to contact the Commission, may be an important weapon available to the respective data protection supervisory authorities.


CHAPTER 14

Interactions and Cooperation

INTRODUCTION

14.1 In the global internet era, it is increasingly the case that when a problem issue arises in relation to data and data protection, the issue spans many countries. This can involve an entity or individual in many countries or a data event in one country but where the entity has a presence in many countries and may have moved data around. This increases the need for international cooperation by the various data protection supervisory authorities. While this may previously have occurred on an ad hoc basis, there is increasing evidence that these arrangements are becoming more formalised. While we can look to new European rules specifically referring to cooperation arrangements, we also wait to see how the relationship between the Information Commissioner’s Office (ICO) in the UK and other data regulators develops in a post-Brexit situation.

COOPERATION

14.2 Chapter VII of the GDPR refers to issues of cooperation and consistency between the respective data protection supervisory authorities. Section 1 of Chapter VII refers to cooperation. Section 2 refers to consistency. Article 60 of the GDPR refers to cooperation between the lead data protection supervisory authority and the other data protection supervisory authorities concerned. The lead data protection supervisory authority must cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus.1 The lead data protection supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.2 The definition of supervisory authority contained in Article 4(21) of the GDPR refers to it being ‘an independent public authority which is established by a Member State pursuant to Article 51’. There is also a definition of ‘supervisory authority concerned’ at Article 4(22). The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation

1 GDPR Art 60(1). 2 Ibid.


of a measure concerning a controller or processor established in another Member State.3 The lead supervisory authority must, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned.4 It must, without delay, submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.5 Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of the Article (above), expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority must, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism (referred to in Article 63).6 Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it must submit to the other supervisory authorities concerned a revised draft decision for their opinion.7 That revised draft decision must be subject to the procedure referred to in paragraph 4 of the Article (above) within a period of two weeks.8 Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5 of the Article, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and must be bound by it.9 The lead supervisory authority must adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be, and inform the other supervisory authorities concerned and the EDPB of the decision in question, including a summary of the relevant facts and grounds.10 The data protection supervisory authority with which a complaint has been lodged must inform the complainant of the decision.11 By derogation from this sub-section (paragraph 7), where a complaint is dismissed or rejected, the data protection supervisory authority with which the complaint was lodged must adopt the decision and notify it to the complainant and must inform the controller thereof.12

3 Ibid Art 60(2). 4 Ibid Art 60(3). 5 Ibid. 6 Ibid Art 60(4). 7 Ibid Art 60(5). 8 Ibid. 9 Ibid Art 60(6). 10 Ibid Art 60(7). 11 Ibid. 12 Ibid Art 60(8).


Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision must be adopted for each of those parts of the matter.13 The lead supervisory authority must adopt the decision for the part concerning actions in relation to the controller, must notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and must inform the complainant thereof, while the data protection supervisory authority of the complainant must adopt the decision for the part concerning dismissal or rejection of that complaint and must notify it to that complainant and must inform the controller or processor thereof.14 After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor must take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the EU.15 The controller or processor must notify the measures taken for complying with the decision to the lead supervisory authority, which must inform the other supervisory authorities concerned.16 Where, in exceptional circumstances, a data protection supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the formal urgency procedure (referred to in Article 66) will apply.17 The lead data protection supervisory authority and the other supervisory authorities concerned must supply the information required under this Article to each other by electronic means, using a standardised format.18

MUTUAL ASSISTANCE

14.3 Data protection supervisory authorities must provide each other with relevant information and mutual assistance in order to implement and apply the GDPR in a consistent manner and must put in place measures for effective cooperation with one another.19 Mutual assistance must cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.20 Each data protection supervisory authority must take all appropriate measures required to reply to a request of another data protection supervisory authority

13 Ibid Art 60(9). 14 Ibid. 15 Ibid Art 60(10). 16 Ibid. 17 Ibid Art 60(11). 18 Ibid Art 60(12). 19 Ibid Art 61(1). 20 Ibid.


without undue delay and no later than one month after receiving the request.21 Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation. Requests for assistance must contain all the necessary information, including the purpose of and reasons for the request. Information exchanged must be used only for the purpose for which it was requested.22 The requested data protection supervisory authority must not refuse to comply with the request unless:

• it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

• compliance with the request would infringe the GDPR, EU or Member State law to which the supervisory authority receiving the request is subject.23

The requested data protection supervisory authority must inform the requesting data protection supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request.24 The requested data protection supervisory authority must provide reasons for any refusal to comply with a request.25 A data protection supervisory authority must, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.26 The requested data protection supervisory authorities must not charge a fee for any action taken by them pursuant to a request for mutual assistance.27 Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances. Where a data protection supervisory authority does not provide the information (referred to in paragraph  5 of the Article) within one month of receiving the request of another data protection supervisory authority, the requesting data protection supervisory authority may adopt a provisional measure on the territory of its Member State (in accordance with Article 55(1)).28 In that case, the urgent need to act under Article  66(1) must be presumed to be met and requires an urgent binding decision from the EDPB (pursuant to Article 66(2)).29

21 Ibid Art 61(2). 22 Ibid Art 61(3). 23 Ibid Art 61(4). 24 Ibid Art 61(5). 25 Ibid. 26 Ibid Art 61(6). 27 Ibid Art 61(7). 28 Ibid Art 61(8). 29 Ibid.


The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities and between supervisory authorities and the EDPB, in particular the standardised format referred to in paragraph  6 of this Article.30 Those implementing acts must be adopted in accordance with the examination procedure referred to in Article 93(2).31

JOINT OPERATIONS

14.4 There are also provisions in relation to joint operations of respective data protection supervisory authorities. The supervisory authorities must, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.32 There are already a number of examples of cooperation by the data protection supervisory authorities in relation to certain matters, which will no doubt continue.33 Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a data protection supervisory authority of each of those Member States must have the right to participate in joint operations.34 The data protection supervisory authority which is competent pursuant to Article 56(1) or (4) must invite the data protection supervisory authority of each of those Member States to take part in the joint operations and must respond without delay to the request of a data protection supervisory authority to participate.35 A data protection supervisory authority may, in accordance with Member State law and with the seconding data protection supervisory authority’s authorisation, confer powers, including investigative powers, on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the law of the Member State of the host data protection supervisory authority permits, allow the seconding data protection supervisory authority’s members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding data protection supervisory authority.36 Such investigative powers may be exercised only under the guidance and in the presence of members or staff

30 Ibid Art 61(9). 31 Ibid. 32 Ibid Art 62(1). 33 Meyer, D, ‘Europe’s Privacy Regulators are Ganging Up on Uber’ Fortune.com. 30 November 2017, p 1; Stanton, L, Kirby, P and DeLeon, C, ‘Officials in Ireland, Canada, US Eye Facebook Over Privacy Practices, Data Protections’ Telecommunications Reports (2019)(85:7) 3. 34 Ibid Art 62(2). 35 Ibid. 36 Ibid Art 62(3).


of the host data protection supervisory authority.37 The seconding authority’s members or staff must be subject to the Member  State law of the host data protection supervisory authority.38 Where, in accordance with paragraph  1 of the Article, staff of a seconding data protection supervisory authority operate in another Member State, the Member  State of the host data protection supervisory authority must assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.39 The Member State in whose territory the damage was caused must make good such damage under the conditions applicable to damage caused by its own staff.40 The Member State of the seconding data protection supervisory authority whose staff has caused damage to any person in the territory of another Member State must reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.41 Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5 of the Article, each Member State must refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.42 Where a joint operation is intended and a data protection supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph  2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55.43 In that case, the urgent need to act under Article 66(1) shall be presumed to be met and will require an opinion or an urgent binding decision from the EDPB pursuant to Article 66(2).44

CONSISTENCY AND CONSISTENCY MECHANISM

14.5 In order to contribute to the consistent application of the GDPR throughout the [EU], the supervisory authorities must cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this section.45 This is the important ‘consistency mechanism’.

37 Ibid. 38 Ibid. 39 Ibid Art 62(4). 40 Ibid Art 62(5). 41 Ibid. 42 Ibid Art 62(6). 43 Ibid Art 62(7). 44 Ibid. 45 Ibid Art 63.


The EDPB must issue an opinion where a competent data protection supervisory authority intends to adopt any of the measures below.46 To that end, the competent data protection supervisory authority must communicate the draft decision to the EDPB, when it:

• aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);

• concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with the GDPR;

• aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);

• aims to determine standard data protection clauses referred to in Article 46(2)(d) and in Article 28(8);

• aims to authorise contractual clauses referred to in Article 46(3)(a); or

• aims to approve binding corporate rules within the meaning of Article 47.47

Any data protection supervisory authority, the chair of the EDPB or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the EDPB with a view to obtaining an opinion, in particular where a competent data protection supervisory authority does not comply with the obligations for mutual assistance (in accordance with Article 61) or for joint operations (in accordance with Article 62).48 In the cases referred to in paragraphs 1 and 2, the EDPB must issue an opinion on the matter submitted to it provided it has not already issued an opinion on the same matter. That opinion must be adopted within eight weeks by simple majority of the members of the EDPB.49 That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the EDPB in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the chair, must be deemed to be in agreement with the draft decision.50 Supervisory authorities and the Commission must, without undue delay, communicate by electronic means to the EDPB, using a standardised format, any relevant information including, as the case may be, a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary and the views of the other supervisory authorities concerned.51

46 Ibid Art 64(1). 47 Ibid. 48 Ibid Art 64(2). 49 Ibid Art 64(3). 50 Ibid. 51 Ibid Art 64(4).


The chair of the EDPB must, without undue delay, inform by electronic means:

• the members of the EDPB and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the EDPB shall, where necessary, provide translations of relevant information; and

• the data protection supervisory authority referred to, as the case may be, in paragraphs 1 and 2 and the Commission of the opinion and make it public.52

The competent data protection supervisory authority must not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.53 The data protection supervisory authority referred to in paragraph  1 must take utmost account of the opinion of the EDPB and must, within two weeks of receiving the opinion, communicate to the chair of the EDPB by electronic means whether it will maintain or amend its draft decision and, if applicable, the amended draft decision, using a standardised format.54 Where the data protection supervisory authority concerned informs the chair of the EDPB within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the EDPB, in whole or in part, providing the relevant grounds, Article 65(1) must apply.55

DISPUTE RESOLUTION BY EDPB

14.6 In order to ensure the correct and consistent application of the GDPR in individual cases, the EDPB must adopt a binding decision in the following cases:

• where, in a case referred to in Article 60(4), a data protection supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision must concern all the matters which are the subject of the relevant and reasoned objection, in particular, whether there is an infringement of the GDPR;56

• where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;57

• where a competent data protection supervisory authority does not request the opinion of the EDPB in the cases referred to in Article 64(1) or does not follow the opinion of the EDPB issued under Article 64. In that case, any

52 Ibid Art 64(5)(a)–(b). 53 Ibid Art 64(6). 54 Ibid Art 64(7). 55 Ibid Art 64(8). 56 Ibid Art 65(1)(a). 57 Ibid Art 65(1)(b).


data protection supervisory authority concerned or the Commission may communicate the matter to the EDPB.58 The decision referred to in paragraph 1 must be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the EDPB.59 That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 must be reasoned and addressed to the lead data protection supervisory authority and all the supervisory authorities concerned and binding on them. Where the EDPB has been unable to adopt a decision within the periods referred to in paragraph 2, it must adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the EDPB.60 Where the members of the EDPB are split, the decision must be adopted by the vote of its chair. The data protection supervisory authorities concerned must not adopt a decision on the subject matter submitted to the EDPB under paragraph 1 during the periods referred to in paragraphs 2 and 3.61 The chair of the EDPB must notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It must inform the Commission thereof.62 The decision must be published on the website of the EDPB without delay after the data protection supervisory authority has notified the final decision referred to in paragraph 6.
The lead data protection supervisory authority or, as the case may be, the data protection supervisory authority with which the complaint has been lodged, must adopt its final decision on the basis of the decision referred to in paragraph 1 of the Article, without undue delay and at the latest by one month after the EDPB has notified its decision.63 The lead data protection supervisory authority or, as the case may be, the data protection supervisory authority with which the complaint has been lodged, must inform the EDPB of the date when its final decision is notified respectively to the controller or the processor and to the data subject.64 The final decision of the supervisory authorities concerned must be adopted under the terms of Article 60(7), (8) and (9).65 The final decision must refer to the decision referred to in paragraph 1 of the Article and must specify that the decision referred to in that paragraph will be published on the website of the

58 Ibid Art 65(1)(c). 59 Ibid Art 65(2). 60 Ibid Art 65(3). 61 Ibid Art 65(4). 62 Ibid Art 65(5). 63 Ibid Art 65(6). 64 Ibid. 65 Ibid.


EDPB in accordance with paragraph 5 of the Article.66 The final decision must attach the decision referred to in paragraph 1 of this Article.67

URGENCY PROCEDURE

14.7 In exceptional circumstances, where a data protection supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 of the GDPR or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which must not exceed three months.68 The data protection supervisory authority must, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the EDPB and to the Commission. Where a data protection supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the EDPB, giving reasons for requesting such opinion or decision.69 Any data protection supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the EDPB where a competent data protection supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.70 By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article must be adopted within two weeks by simple majority of the members of the EDPB.71

EXCHANGE OF INFORMATION

14.8 The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between data protection supervisory authorities and between supervisory authorities and the EDPB, in particular the standardised format referred to in

66 Ibid. 67 Ibid. 68 Ibid Art 66(1). 69 Ibid Art 66(2). 70 Ibid Art 66(3). 71 Ibid Art 66(4).


Article 64.72 Those implementing acts must be adopted in accordance with the examination procedure referred to in Article 93(2).73

‘ONE-STOP SHOP’ AND RESPECTIVE AUTHORITIES

14.9 The Data Protection Commission of Ireland advises that ‘[t]he GDPR provides a new mechanism, the one stop shop (OSS), for organisations that are established in the European Union and that are engaged in cross-border processing of personal data’.74 The OSS system ‘allows [an] organisation to deal with a single lead supervisory authority (LSA) for most of [its] processing activities’.75 The data protection supervisory authority ‘of the EU Member State where [the] main establishment is located will be the lead supervisory authority (LSA) for [the] organisation’s processing activities’.76 The Data Protection Commission states that the ‘key to determining … main establishment if you are a data controller is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment’.77 There are also lots of instances where a main controller outsources some of its activities to a third-party processor company. In the case of a data processor, the Data Protection Commission states that the ‘main establishment will be the location of your central administration in the EU unless [the] organisation does not have any central administration in the EU. If this is the case, the location where [the] organisation’s main processing activities take place will be [the] main establishment’.78 There are also increasing examples of companies coming together to promote joint endeavours or joint ventures. This gives rise to the possibility of two controllers or joint controllers.
In this instance, the Data Protection Commission states that ‘[i]f [the] organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power

72 Ibid Art 67(1). 73 Ibid Art 67(2). 74 Data Protection Commission, ‘One Stop Shop’ (OSS). Available at: www.dataprotection.ie/en/organisations/one-stop-shop-oss. 75 Ibid. 76 Ibid. 77 Ibid. 78 Ibid.


to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership’.79 In addition, the Data Protection Commission states that ‘[i]f [the] organisation is engaged in a number of separate cross-border processing activities, it is possible that [it] will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment’. It adds that ‘[t]his will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment’.80 The EDPB also refers to cooperation type issues, stating: ‘We cooperate with international organisations and the supervisory authorities of countries outside the EU, to support the effective enforcement of the law and to share best practices. We do this by working within a number of international frameworks, either as the EDPB or via our individual members. We also promote common training programmes and personnel exchanges.’

There is an ongoing dispute between Facebook and the data protection supervisory authority in Belgium. One of the aspects of the case relates to the ‘one-stop shop’ concept. The court in Belgium has referred a number of questions to the CJEU.81 The preliminary questions referred by the Brussels Court of Appeals (on 8 May 2019) to the CJEU for a preliminary guidance ruling are (broadly speaking and subject to an official formal translation):

Question 1 Must Articles 55.1, 56–58 and 60–66 of the GDPR repealing data protection Directive 95/46, read in conjunction with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a supervisory authority which, pursuant to national legislation adopted pursuant to Article 58.5 of the GDPR has the power to engage in legal proceedings against infringements of the GDPR before a court of its Member State, cannot exercise this power in connection with cross-border processing if it is not the lead supervisory authority for that cross-border processing?

Question 2 Does it make a difference in that regard if the controller of that cross-border processing does not have its main establishment in that Member State but has a different establishment there?

79 Ibid. 80 Ibid. 81 Court of Appeal of Brussels, 18N – 2018/AR/410, judgment dated 8 May 2019.


Question 3 Does it make a difference whether the national supervisory authority initiates proceedings against the main establishment of the controller or against the establishment in its own Member State?

Question 4 Does it make a difference in that regard if the national supervisory authority has already initiated the legal proceedings before the entry into application of the GDPR (25 May 2018)?

Question 5 Should the answer to the previous question be positive, does Article 58(5) of the GDPR have direct effect, so that a national supervisory authority can rely on that article to initiate or continue legal proceedings against private parties, even if Article 58(5) of the GDPR has not been specifically transposed into the legislation of the Member States, notwithstanding this being required?

Question 6 Should the answer to the previous questions be positive, could the outcome of such proceedings prevent an opposite finding by the lead supervisory authority where the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism contained in Articles 56 and 60 of the GDPR?82

The background to the case involves the then Belgium data protection supervisory authority objecting to various tracking technologies used by Facebook on users and non-users of the Facebook website service. This apparently included hidden tracking tools. There was a finding of non-transparency, consent and compliance with national and EU law. Enforcement orders were issued directing compliance, ceasing to use the tracking mechanism, data deletion and providing for fines of €25,000 accruing on a daily basis (but capped at €100,000) in the event of noncompliance. Facebook appealed, inter alia, on the basis that the Irish Data Protection Commission and not the Belgium Data Protection Authority should be dealing with the matter. This is on the basis of Facebook having designated Ireland as its main establishment for data protection purposes in the EU and that the cooperation and so-called ‘one-stop shop’ mechanisms designated Ireland instead of Belgium for deciding these issues. It should be noted that this case began under the data protection rules as they existed prior to the GDPR. It remains to be seen if the decision will ultimately be fully limited on that basis, or whether the CJEU will also opine on the process elements of the GDPR. One should also note that there are complicating elements of EU breaches and national Belgium breaches which may mean that

82 Obtained from the data protection supervisory authority in Belgium. Available at: www.dataprotectionauthority.be/sites/privacycommission/files/documents/Questions_referred_CJEU_unofficial_translation.pdf.


it is not simply or wholly a matter of a ‘one-stop shop’ for all issues. In addition, Facebook has legal entities in both Belgium and Ireland. In other cases, it may be that there is only one EU legal entity – which may be a distinguishing feature. On another point, only time will tell if fines that may be issued pursuant to the GDPR may differ, or differ significantly, from one EU country to another.

WP29/EDPB GUIDELINES

14.10 The Article 29 Working Party has issued guidelines to identify the location of the main establishment and, therefore, the lead supervisory authority.83 These guidelines, however, were issued before the ‘go live’ of the GDPR. The WP29 has now been replaced by the EDPB, which may, in time, issue new or updated guidelines. One can also imagine that there will, at some point, be a dispute by way of complaint from an individual company as to which jurisdiction or data protection supervisory authority should be dealing with a given complaint or acting as the lead data protection supervisory authority. Notwithstanding the concept of lead data protection supervisory authority, comparison may also be had with the eCommerce Directive.84 It was recently suggested and then held that that directive did not preclude the national court of Austria injuncting Facebook on certain defamatory content issues, including because this was not precluded by the directive.85 Interestingly also, this order can be on a worldwide basis and is not limited to the EU.86 The implications of this ruling on the types of issues included in the case and wider issues (including defamation, online abuse, erasure, takedown and forgetting) will take time to more fully appreciate.
The decision ruling reads:

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), in particular Article 15(1), must be interpreted as meaning that it does not preclude a court of a Member State from:

– ordering a host provider to remove information which it stores, the content of which is identical to the content of information which was previously declared to be unlawful, or to block access to that information, irrespective of who requested the storage of that information;

– ordering a host provider to remove information which it stores, the content of which is equivalent to the content of information which was

83 The then WP29 website was located at http://ec.europa.eu/newsroom/document.cfm?doc_id=44102. Note, for instance, WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, WP29 179 Update; WP29, Opinion 8/2010 on applicable law, WP29 8/2010. 84 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’). OJ L 178, 17.7.2000, pp 1–16. 85 Eva Glawischnig-Piesczek v Facebook Ireland Limited, CJEU, Case C-18/18, 3 October 2019. See also Eva Glawischnig-Piesczek v Facebook Ireland Limited, CJEU, Case C-18/18, 4 June 2019, Advocate General’s Opinion. 86 Ibid.


previously declared to be unlawful, or to block access to that information, provided that the monitoring of and search for the information concerned by such an injunction are limited to information conveying a message the content of which remains essentially unchanged compared with the content which gave rise to the finding of illegality and containing the elements specified in the injunction and provided that the differences in the wording of that equivalent content, compared with the wording characterising the information which was previously declared to be illegal, are not such as to require the host provider to carry out an independent assessment of that content; and

– ordering a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law.87

CONCLUSION

14.11 This issue of the cooperation between the data protection supervisory authorities will, without doubt, continue and the structure and capacity to do so is enhanced by the GDPR. The issue, however, as to whether one data protection supervisory authority has some form of (initial) precedence over another as regards the conducting of investigations – and issuing fines, penalties and enforcement orders – may ultimately be further clarified by the CJEU. Such cases as may be so referred may be at the wish of respective companies taking cases or appealing decisions of data protection supervisory authorities whom they disagree with, sometimes strategically so. The selection or designation of particular countries by large companies may arguably be seen in some instances to involve at least some element of detailed consideration on their part. This aspect of the GDPR will be keenly watched. The clarity which decisions in respect of this area may bring will not affect the overall trajectory of the issues and rights reflected in the GDPR, but perhaps may influence routes, lanes and procedures as between regulators.

87 Ibid, para 55. Available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=F96025C8DF2C586E3786E3DAAE163D0F?text=&docid=218621&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7523729.


CHAPTER 15

Conclusion

INTRODUCTION

15.1 As Philip Schutz identifies, data protection supervisory authorities ‘represent one of the key actors, not only when it comes to the execution of privacy and data protection policies, but also in terms of awareness raising, consultancy and networking’.1 They ‘comprise the spearhead of regulators in the field of privacy and data protection regulation, their independence from the private as well as the political becomes of the utmost importance’.2 They are also the ‘guardians’ of the respective rights of individual data subjects.3 Data protection compliance and the identification and reduction and/or elimination of risk issues and risky data processing activities are no longer separated and must be looked at in the round.4 In addition, even before certain types of proposed processing are undertaken, an assessment of risk issues must be considered and, in some instances, the intended processing can proceed, or proceed with certain amendments and risk reduction strategies or, in other instances, it should not proceed at all. Risk must, therefore, be understood as a part of data protection compliance.5 This applies not only to the most sensitive sectors, but to all companies and organisations.6 Appropriate audits, assessments and pre-problem vetting are a central component of the new data protection rules.7

1 Schutz, P, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’ Conference Paper for the 4th Biennial Standing Group for Regulatory Governance Conference 2012.
2 Ibid.
3 Ibid.
4 Serrato, JK, ‘Connecting the Dots: Key Developments and Best Practices for Evaluating Privacy and Security Risks in IoT Investments’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2018)(1:1) 35.
5 Gellert, R, ‘Understanding Data Protection As Risk Regulation’ Internet Journal of Law (2015)(18:11) 3.
6 Nguyen, V, ‘Shopping for Privacy: How Technology in Brick-and-Mortar Retail Stores Poses Privacy Risks for Shoppers’ Fordham Intellectual Property, Media & Entertainment Law Journal (2019)(29:2) 535.
7 Hoofnagle, CJ, ‘Assessing the Federal Trade Commission’s Privacy Assessments’ Privacy Security & Privacy, IEEE (2016)(14:2) 58; Morgan, S, ‘Private Sector Audits and the Office of the Privacy Commissioner of Canada’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 11.


NEW AND DEVELOPING DATA PROTECTION ISSUES

15.2 Data protection covers many separate but important topics, many of which are directly relevant to many organisations. Unfortunately, they cannot all be adequately covered in a book such as this. However, it may assist to briefly refer to some of them. Some of the key developments and issues which also influence the data protection regime and how it is interpreted include (but are by no means limited to) the issues set out below.

PROFILING

15.3 To be sure, marketers (and salespeople before them) have always been interested in a certain level of profiling or greater identification of potential customers. However, electronic and digital storage has led them to find and store greater amounts of this potentially useful sale- or marketing-focused data. The arrival of the internet has led to additional sets of information which include personal data. These are targeted by companies for marketing purposes or may even be turned into a saleable data product. Innovative companies then used this data to create a new form of advertising on their websites using personal data aimed at their own customers. The opportunity to gather new forms of personal data changed further with the explosion from Web 1.0 to social media and Web 2.0. The range and types of technologies targeting individuals and seeking to profile them raises the stakes for policymakers, laws and data protection supervisory authorities. There are certainly additional challenges.8 However, it should be noted that profiling is, for the first time, now expressly included in the GDPR.9

Medical and Health Data

15.4 Medical and health data comprise one of the categories of sensitive personal data. Hence, there are greater conditions and compliance obligations. There is also a greater need for higher security measures. The concerns in relation to medical and health data increase once such data is held in electronic form and on electronic databases. There is a need for enhanced practical data protection and security procedures.10

8 Bosco, F, Ferraris, V, Creemers, N and Guagnin, D, ‘Profiling Technologies and Fundamental Rights and Values: Regulatory Challenges and Perspectives from European Data Protection Authorities’ Reforming European Data Protection Law (2015) 3.
9 A definition of ‘profiling’ is located in GDPR Art 4(4) and is referred to elsewhere in the GDPR.
10 Sandea, I, ‘Analysis of the Legal Aspects Concerning Data Protection in Electronic Medical Registry’ Applied Medical Informatics (2009)(25) 16; McCord, MD, ‘Bleeding Out: The Case for Strengthening Healthcare Client Portal Data Privacy Regulations’ Minnesota Journal of Law, Science and Technology (2018–2019)(20:1) 282; Herveg, J, ‘Data Protection and Biobanks in 2018’ European Journal of Health Law (2018)(25:5) 479.


There are various and increasing ways to record the personal health and related data regarding individuals, held in databases or biobanks.11 There is a concern that new activities or new uses could occur without added transparency and consent.12 One of the concerns is also the increasing possibility of profiling individuals from their bio-informatic and genetic data.13 The issue of consent in relation to bio data and biobanks is an issue of increasing concern.14

There is controversy in relation to the apparent transfer of sensitive medical health data relating to 1.6 million patients. This involves current, historical and live-feed patient data. The transfer is being made by the Royal Free NHS Trust to DeepMind and/or Google UK Limited and/or a third party, the details of which are redacted in an Information Sharing Agreement signed by one party on 29 September 2015.15 The exact details are somewhat unclear. What is clear, however, is that serious questions arise as to how the arrangement could be data protection compliant based on the details currently available, including lack of transparency, particularly for those patients whose sensitive personal data is involved. There does not appear to have been any opportunity or mechanism for patients to opt-in or to opt-out before any proposed data transfer. The purpose of the transfer and the details leading up to it are also unclear, which undermines the possibility of fair compliant processing. Fundamentally, the entire project relates to a new secondary use in relation to the medical data in question, and this required proper consideration and data protection compliance, which is not evident from the documentation available thus far. The data referred to is also of such a nature as to appear to go beyond the purported purpose thus far disclosed. One would expect any medical data being transferred – in particular, names, addresses and other non-necessary information – to be redacted and/or pseudonymised prior to transfer, which does not appear to have happened and which is not required under the Information Sharing Agreement. While Big Data health projects can have benefits and such projects can be worth the endeavour even without a successful resulting health benefit, they all need to be data protection compliant. Serious questions remain in relation to this project and, thus far, compliance has not been demonstrated. In fact, the information disclosed in the Data Sharing agreement and an official NHS Q&A document raise more questions than answers. Based on these documents, it appears, at this stage, to be non-data protection compliant.

11 Bygrave, LA, ‘The Body as Data? Biobank Regulation via the “Back Door” of Data Protection Law’ Law, Innovation & Technology (2010)(2) 1–25.
12 Giannuzzi, V, Bartoloni F, Landi, A and Ceci, A, A Review on Impact of General Data Protection Regulation on Clinical Studies and Informed Consent (2018).
13 Azmi, IM, ‘Bioinformatics and Genetic Privacy: The Impact of the Personal Data Protection Act 2010’ Computer Law & Security Review (2011)(27) 394.
14 See, for example, Taupitz, J and Weigel, J, ‘The Necessity of Broad Consent and Complementary Regulations for the Protection of Personal Data in Biobanks: What Can We Learn from the German Case?’ Public Health Genomics (2012)(15) 263–271.
15 ‘DeepMind Rapped’ New Scientist, 8 July 2017; Powles, J and Hodson, H, ‘Google DeepMind and Healthcare in an Age of Algorithms’ Health and Technology (2017)(7:4) 351.


Genome Data

15.5 A related and growing area is genomic,16 genome research and the implications for individuals’ privacy and personal data. Individuals may be concerned about what happens with their own DNA gene sequence, information regarding predisposition to diseases, how this may affect them and how doctors, employers, insurers and governments may access and use such personal data. One resource relating to this area is The Governance of Genetic Information, Who Decides? by Widdows and Mullen.17

Body Scanners

15.6 The introduction of body-scanning technology in airports has been controversial.18 While the prime argument in favour relates to airline security and terrorism, not everyone is convinced and those challenged to produce evidence of successful attacks being prevented have been less than forthcoming. The main controversy centres on the ability of the body scanners to provide a complete, graphic, internal and intrusive image of a person’s naked body once they walk through the scanner. There are, of course, different types and different settings. However, the introduction of body scanners is a perfect example of a new technology being introduced without any advance consideration of the privacy and data protection implications. Later versions have been developed which produce a line image drawing, not a biological naked image. They are equally capable of highlighting contraband material. Privacy-designed body scanners can be equally effective.

FACIAL RECOGNITION

15.7 The issues raised by body scanners are arguably tame, as they are more limited, compared to those that arise with facial recognition technologies. Facial recognition really ties two technologies together, namely closed-circuit television (CCTV) systems and new software systems which are developed to be able to run through large data sets of CCTV footage and pick out (match) individuals in the footage and, in some cases, to actually name and identify these images. More recently, some of these facial recognition systems are also being applied to real-time CCTV images. One example of this has been halted by the ICO recently.19 The development and roll-out of facial recognition far beyond anti-terror situations is proving controversial. Just some of the issues raised will be justifiable need, fairness, proportionality, who the controller is, access, etc.

16 Curren, L, et al, ‘Identifiability, Genomics and UK Data Protection Law’ European Journal of Health Law (2010)(17) 329.
17 Widdows, H and Mullen, C, eds, ‘Frontmatter’ in The Governance of Genetic Information, Who Decides? (Cambridge Law, Medicine and Ethics, 2009).
18 See, eg, Mironenko, O, ‘Body Scanners Versus Privacy and Data Protection’ Computer Law & Security Review (2011)(27) 232.

New Hardware, Software and Smart Devices

15.8 The arrival of new devices, from smartphones, combined devices and even communications devices on devices (such as RFID tags), emphasises that organisations need to be much more aware and considered in their policies and risk assessments under the data protection regime. New so-called ‘smart’ devices20 constantly raise protection and privacy issues. New gaming and headset devices (eg OR) will raise many new issues, including those concerning personal rights, consent, representations and personal data.

SMART TOYS

15.9 Many new toys are connected to the internet21 – even if this issue is unknown or underappreciated by parents. However, this raises many data protection and privacy questions for the children, for parents and for the companies themselves. There are real issues as to children, child consent and awareness of parents, in relation to the internet access often required to use the new toys or to use added features or games for the new toys. In addition to purchasing the toy, there may be some requirement to ‘register’ online or to register the product. Sometimes, there may be some form of required membership which must be signed up to. Issues arise as to what disclosures and documentation are available before or after purchase and what information is available online – both before and after registration or sign up. There appears to be a big issue as to levels of protection standards and levels of transparency, etc, which differ depending on how small or how large the toy vendor is. Other issues arise as to the sales chain. Different sales chains can involve and create different types of personal data and different numbers of entities who may have access to it. However, there is a fundamental issue that new types of smart toys create new types of personal data that did not exist with previous ‘inanimate’ non-connected toys. This raises the need for a new discussion by data protection supervisory authorities as to how best to set rules and safeguards for this new personal data.

19 ‘UK Information Commissioner: Halt Police Rollout of Face ID’ Biometric Technology Today (2019)(4) 11.
20 Rustad, ML, ‘How the EU’s General Data Protection Regulation Will Protect Consumers Using Smart Devices’ Suffolk University Law Review (2019)(52:2) 227.
21 Haber, E, ‘Toying With Privacy: Regulating the Internet of Toys’ Ohio State Law Journal (2019)(80:3) 399.


Drones

15.10 As much as there is a new GDPR data protection regime, there are also new rules and regulations being developed in relation to drones. Drones must now be registered in more and more jurisdictions. However, the privacy and data protection implications, while being highlighted in general discussion, are not yet adequately encompassed in express privacy and data protection rules. There will be increasing calls to do this, as well as increasing examples of why such an accommodation is needed. While data protection supervisory authorities (and some other regulators – eg aviation) have started to look at drone issues, the formal consideration – and rules – in relation to drones and data protection and privacy issues are set to increase.22

RIDE SHARES AND SELF DRIVING

15.11 The issues of ride-sharing cars, self-driving cars23 and automated cars and other vehicles raise a broad host of issues relating to data protection and privacy. One of these issues, for example, relates to the location data of the individuals and their vehicles. Another relates to data recordings from the vehicles (eg speed, calls made and even image and voice data). Another perspective is access by law enforcement. More recently, concerns have arisen relating to the increasing push by the insurance industry to access data from the individual’s vehicle, devices and apps that an insurance company may wish to install. These discussions may also be different depending on whether we are referring to consumers or employees.

BLOCKCHAIN

15.12 Blockchain raises many legal and technical issues per se, but also raises issues which need to be considered in relation to data protection and privacy.24 On the one hand, there are potential new risks. On the other hand, there is also the suggestion that Blockchain can assist in better safeguarding personal data.

22 Scharf, RL, ‘Drone Invasion: Unmanned Aerial Vehicles and the Right to Privacy’ Indiana Law Journal (2019)(94:3) 1065; Finn, RL and Wright, D, ‘Privacy, Data Protection and Ethics for Civil Drone Practice: A Survey of Industry, Regulators and Civil Society Organisations’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2016)(32:4) 577.
23 Meyer, D, ‘Europe’s Privacy Regulators are Ganging Up on Uber’ Fortune.com (30 November 2017) 1.
24 ‘GDPR, Blockchain and the French Data Protection Authority: Many Answers But Some Remaining Questions’ Stanford Journal of Blockchain Law & Policy (2019)(2:2) 1.


Cloud

15.13 The popularity of cloud computing and virtualisation services with users, enterprise and increasingly official organisations, is ever increasing. However, there are real concerns in relation to privacy, data protection, data security,25 continuity, discovery, liability, record keeping, etc.26 One commentator refers to cloud computing as ‘the privacy storm on the horizon’.27 Any organisation considering cloud services must carefully consider the advantages, disadvantages, assessments and contract assurances that will be required. Such organisations, as well as service operators, must also examine how they ensure data protection compliance. Cloud risk management and assessments of GDPR compliance should also be examined.28

Internet of Things

15.14 The beginning of the so-called Internet of Things (IoT) and/or connected devices, both old and new, is now well heralded. However, a full consideration of the data protection implications is yet to be fully appreciated.29 Organisations must appreciate the implications for employees, users and their compliance systems. Manufacturers are assisted in identifying and reducing these risks by the new risk and assessment tools of the GDPR.

25 See, for example, Soghoian, C, ‘Caught in the Cloud: Privacy, Encryption and Government Back Doors in the Web 2.0 Era’ Journal of Telecommunications & High Technology Law (2010)(8) 359. Also note Pagallo, U, ‘Robots in the Cloud with Privacy: A New Threat to Data Protection?’ Computer Law & Security Report (2013)(29:5) 501.
26 ICO, Guidance on the Use of Cloud Computing. Available at: https://ico.org.uk; Article 29 Working Party, Opinion 05/2012 on Cloud Computing, WP 196, 1 July 2012; Lanois, P, ‘Caught in the Clouds: The Web 2.0, Cloud Computing and Privacy?’ Northwestern Journal of Technology and Intellectual Property (2010)(9) 29; Pinguelo, FM and Muller, BV, ‘Avoid the Rainy Day: Survey of US Cloud Computing Caselaw’ Boston College Intellectual Property & Technology Forum (2011) 1–7; Kattan, IR, ‘Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud’ Vanderbilt Journal of Entertainment and Technology Law (2010–2011)(13) 617.
27 DeVere, AC, ‘Cloud Computing: Privacy Storm on the Horizon?’ Albany Law Journal (2010)(20) 365.
28 Duncan, B and Zhao, Y, ‘Risk Management for Cloud Compliance with the EU General Data Protection Regulation’ 2018 International Conference on High Performance Computing & Simulation (HPCS) (July 2018) 664.
29 Serrato, JK, ‘Connecting the Dots: Key Developments and Best Practices for Evaluating Privacy and Security Risks in IoT Investments’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2018)(1:1) 35; Brill, H and Jones, S, ‘Little Things and Big Challenges: Information Privacy and the Internet of Things’ American University Law Review (2017)(66:5) 1183; Haber, E, ‘Toying with Privacy: Regulating the Internet of Toys’ Ohio State Law Journal (2019)(80:3) 399; Al-Hasnawi, A, Mohammed, I and Al-Gburi, A, ‘Performance Evaluation of the Policy Enforcement Fog Module for Protecting Privacy of IoT Data’ 2018 IEEE International Conference on Electro/Information Technology (EIT) (May 2018)


AI and Big Data

15.15 Artificial intelligence (AI),30 Big Data and the challenges generated by mass databases containing personal data31 raise many issues for policymakers and data protection supervisory authorities to cogitate and ultimately to issue guidelines or rules concerning them. The UK government agreed to a proposal from the Science and Technology Committee to establish a ‘Council of Data Science Ethics’. It is developing an ‘ethical framework for government data science’. The committee produced a report entitled ‘The Big Data Dilemma’ in February 2016. The government issued its response in April 2016. The UK government indicated that it will not presently introduce criminal penalties for serious data breaches and will consider developments, including the new GDPR. The ICO had previously called for criminal sanctions on a number of occasions. The UK government also confirmed that it would not introduce compulsory data protection audits of local authorities, as there is already ongoing progress in that area. Nicola Blackwood, MP, the Chair of the Committee states that:

‘Big Data has enormous potential to improve public services and business productivity, but there are also justified privacy concerns when personal data is used in new applications, services and research. Getting the balance between the benefits and the risks right is vital. I am pleased therefore that the Government has accepted our call to set up a “Council of Data Science Ethics” to address the growing legal and ethical challenges associated with balancing privacy, anonymisation of data, security and public benefit.’32

30 Butterworth, M, ‘The ICO and Artificial Intelligence: The Role of Fairness in the GDPR Framework’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 257; Weaver, JF, ‘Everything Is Not Terminator: Helping AI to Comply with the Federal Trade Commission Act’ RAIL: The Journal of Robotics, Artificial Intelligence & Law (2019)(2:4) 291; Bălan, SM, ‘Artificial Intelligence and Law: A Review of the Role of Correctness in the General Data Protection Regulation Framework’ Juridical Current (2019)(22:1) 45.
31 Paterson, M and McDonagh, M, ‘Data Protection in an Era of Big Data: The Challenges Posed by Big Personal Data’ Monash University Law Review (2018)(44:1) 1.
32 ‘Government Agrees to set up “Council of Data Ethics”’ The Science and Technology Committee. Available at: www.parliament.uk/business/committees/committees-a-z/commonsselect/science-and-technology-committee/news-parliament-2015/big-data-dilemmagovernment-response-15-16/. The report is available at: www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/468/468.pdf; the government response is available at: www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/992/99202.htm. The report is officially titled House of Commons Science and Technology Committee, The Big Data Dilemma, Fourth Report of Session 2015–2016. The government response was published on 26 April 2016.


ALGORITHMS

15.16 There is increasing discussion about the issue, nature and effect of computer algorithms.33 The use of algorithms is extending into an increasing number of activities which impact society generally and individuals in particular. Algorithms are increasingly associated with decisions being taken in relation to individuals. These can include profiling, associating particular types of data with an identified individual or even credit decisions being made by computer algorithms. There is concern that not all such decisions are accurate and, where an error occurs, there can be significant adverse effects for the individual in question. Research is beginning to delve into the broad effects of algorithms, how they are used, how they are created or developed, ethics and responsibility, appropriate use and when human oversight and/or intervention is still required.

PSEUDONYMISATION AND ANONYMISATION

15.17 Given the increase in the technical capacity to link data, individuals are now coming to be identified in large data sets which previously would not have been thought possible. This can have significant implications – some of which are still to be fully appreciated. There are also suggestions that techniques such as the pseudonymisation and anonymisation of data34 will be utilised to prevent unintended linkages and identifications such as this from arising. There are, however, increasing numbers of examples where researchers have, in fact, been able to reveal or find identifiable people in so-called ‘scrubbed’ data sets that were understood to have been safeguarded by means of pseudonymisation or anonymisation. These issues will continue to be very important and are already included in the GDPR. In addition, they are being recommended by data protection supervisory authorities. Given the success of researchers in identifying flaws in some of the methods used, there would appear to be scope for the development of better tools, more nuanced and dedicated tools and, potentially, for regulators or data protection supervisory authorities to specify that certain specific pseudonymisation and anonymisation techniques are acceptable or required, while others are unacceptable.

33 Brkan, M, ‘Do Algorithms Rule the World: Algorithmic Decision-Making and Data Protection in the Framework of the GDPR and Beyond’ International Journal of Law and Information Technology (2019)(27:2) 91.
34 Mourby, M, Mackey, E, Elliot, M, Gowans, H and Wallace, S, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(34:2) 222.


ETHICS, DATA ETHICS AND RESPONSIBILITY

15.18 There is an increasing literature and discussion of issues of ethics and data ethics as they relate to personal data.35 The European Data Protection Supervisor, for example, is actively promoting some of these discussions. Coincidentally, there is a very recent discussion being promoted among some of the titans of industry and the tech industry as to whether a narrow focus by corporate leaders on commercial success and profit/shareholder-profit alone is still either appropriate or justifiable. The suggestion is that companies and management executives must include a wider focus of responsibility to include the effects of their commercial activities (or perhaps more nuanced, of individual products) on wider society. The effect of zero-hour contracts might be an example in this regard. However, the developing discussion has particular application in the area of large tech companies and aspects of tech such as social media, which have been harshly criticised of late, including by both shareholders and employees. A Business Roundtable of CEOs agreed that the modern purpose of a company means that all stakeholders must be taken into account, not only shareholders but also society and employees.36 A further recent suggestion is that UK companies need to have a global duty of care as regards their commercial operations.37 One can see how this might apply to all global companies and some particular sectors. This is also something which might be developed both within a legal context, but also outside of or in addition to individual legal rules (eg responsibility, good corporate governance, ethics, etc).

Data Trust

15.19 A new and developing area in seeking to enhance data protection and privacy is to seek to do so by increasing levels of consumer trust of data collections and data practices by given companies, known as data trust.38 Initiatives seek to identify and increase these levels of data trust. It is an incumbent part of successful data trust increases that the wider data protection compliance of the company also increases in a very transparent (if not mutually engaging) manner. While some of these initiatives – increasingly being encouraged by professional consulting firms – often focus on web contacts, web terms, web consents, mandates, etc, there should also be increasing explanation of pre-problem tools such as privacy by design (PbD), data protection by design (DPbD), data protection by default, product audits, product risk assessments and engagement with such tools. This area of discussion also seeks to legitimately point out the general low levels of trust and low levels of data trust in companies in certain sectors. Obviously, these low data trust levels can and should be improved and improving data protection practices is central to this.

35 Hodges, C, ‘Delivering Data Protection: Trust and Ethical Culture’ European Data Protection Law Review (EDPL) (2018)(4:1) 65; Finn, RL, Wright, D, ‘Privacy, Data Protection and Ethics for Civil Drone Practice: A Survey of Industry, Regulators and Civil Society Organisations’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2016)(32:4) 577; Kulesza, E, ‘The Protection of Customer Personal Data as an Element of Entrepreneurs’ Ethical Conduct’ Annales Etyka w Życiu Gospodarczym (2018)(21:7) 27.
36 Benoit, D, ‘Move Over, Shareholders: Top CEOs Say Companies Have Obligations to Society’ Wall Street Journal, 19 August 2019.
37 Chapman, B, ‘UK Firms Must Have Global “Duty of Care” to Stop Environmental Damage, Say Lib Dems’ Independent (UK), 23 October 2019.
38 See, for example, Hodges, C, ‘Delivering Data Protection: Trust and Ethical Culture’ European Data Protection Law Review (EDPL) (2018)(4:1) 65; Hartzog, W, ‘Are Privacy Laws Deficient’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:10) 17; Waldman, AE, ‘Privacy’s Law of Design’ UC Irvine Law Review (2019)(9:5) 1239; Savage, CW, ‘Managing the Ambient Trust Commons: The Economics of Online Consumer Information Privacy’ Stanford Technology Law Review (2019)(22:1) 95.

New Data Protection Research

15.20 There are increasing opportunities for developing research into new forms of protections, risk identification and risk minimisation, etc. There is increasing research in relation to international data protection issues, international organisations,39 increasing global standards,40 enhancing the US data rules,41 the influence of the GDPR,42 developments towards a global standard or standards of data protection and privacy,43 issues of using international sanctions to improve compliance44 and comparative issues.45 New research is also continuing to identify new cross-disciplinary comparisons which can advance the broader discussion. Some of these relate to synergies and bridges between technology, computer science and data protection laws.46 There are increasing examples of data protection supervisory authorities (and other regulators) cooperating on investigations of specific companies and even specific sectors. Examples include Uber,47 the Libra currency proposed by Facebook48 and a group of data protection supervisory authorities sitting together in the UK parliament questioning and investigating Facebook about a range of activities including political profiling.49 There are also various coordinated review audits of policies on websites in targeted sectors. Another research focus refers to the identification of similarities and common data protection and privacy interests existing in the US and the EU, thus creating common privacy bridges. There is a report entitled Privacy Bridges, EU and US Experts in Search of Transatlantic Privacy Solutions,50 identifying certain specific areas of common concern and interest. There is also research comparing, linking and ‘bridging [c]ompetition, [d]ata [p]rotection and [c]onsumer law’.51 A further example links economics and data protection, referring to research and the economics of data protection and privacy.52

39 Kuner, C, ‘International Organizations and the EU General Data Protection Regulation: Exploring the Interaction between EU Law and International Law’ International Organizations Law Review (2019)(16:1) 158.
40 Humerick, M, ‘The Tortoise and the Hare of International Data Privacy Law: Can the United States Catch Up to Rising Global Standards’ Catholic University Journal of Law and Technology (2018)(27:1) 77.
41 Ibid.
42 Wimmer, K, ‘The Long Arm of the European Privacy Regulator: Does the New EU GDPR Reach US Media Companies?’ Communications Lawyer (2017)(33:1) 16.
43 Rustad, ML and Koenig, TH, ‘Towards a Global Data Privacy Standard’ Florida Law Review (2019)(71:2) 365.
44 Trebble-Greening, J, ‘Raising the Stakes: Creating an International Sanction to Generate Corporate Compliance with Data Privacy Laws’ Columbia Business Law Review (2019)(2) 763.
45 Sullivan, C, ‘EU GDPR or APEC CBPR? A Comparative Analysis of the Approach of the EU and APEC to Cross-border Data Transfers and Protection of Personal Data in the IoT Era’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(35:4) 380.
46 Nissim, K, Bembeneck, A, Bun, M, Gaboardi, M, Gasser, U, O’Brien, DR, Steinke, T and Vadhan, S, ‘Bridging the Gap Between Computer Science and Legal Approaches to Privacy’ Harvard Journal of Law & Technology (Harvard JOLT) (2018)(31:2) 687.

DISPOSAL OF COMPUTER HARDWARE

15.21 Particular care is required when considering the disposal of IT hardware, equipment and software as they may still contain personal data files even when it appears that they have been wiped or deleted. There are many examples of accessible personal data still being available on a device even after it is believed to have been deleted and the device has been handed over to a third party or, worse, sold on. This could quite easily be a breach of a number of principles in the data protection regime. It is always advised to take professional legal, IT and/or forensic advice when considering disposing of computer devices.

INCREASING ACTION

15.22 There will be increasing enforcement and fines facing organisations when compliance goes wrong and when data breach incidents arise. In addition to the actions of regulators such as the ICO, there will also be increasing actions from individual data subjects, class actions and representative organisations. While this might occur most frequently where financial or sensitive data is concerned, it will not be limited to these areas. For example, there are already examples of data breach and data loss in relation to IoT devices and services which open up new areas of exposure. Many new actions will relate to data breaches, but other areas will relate to such issues as refusal to comply with data access requests, right to be forgotten (RtbF)53 and companies seeking to dispute official actions, demands, investigations, fines and penalties.54

47 Meyer, D, ‘Europe’s Privacy Regulators are Ganging Up on Uber’ Fortune.com (30 November 2017) 1.
48 ‘ICO Joins International Signatories in Raising Libra Data Protection Concerns’ ICO statement. Available at: www.ICO.org.uk, 5 August 2019.
49 Stanton, L, Kirby, P and Deleon, C, ‘Officials in Ireland, Canada, US Eye Facebook Over Privacy Practices, Data Protections’ Telecommunications Reports (2019)(85:7) 3.
50 Privacy Bridges, Privacy Bridges, EU and US Experts in Search of Transatlantic Privacy Solutions. Available at: https://privacybridges.mit.edu/sites/default/files/documents/PrivacyBridges-FINAL.pdf.
51 Graef, I, Valcke, P and Clifford, D, ‘Fairness and Enforcement: Bridging Competition, Data Protection and Consumer Law’ International Data Privacy Law (2018)(8:3) 200.
52 Ceross, A and Simpson, A, ‘The Use of Data Protection Regulatory Actions as a Data Source for Privacy Economics’ conference paper, Safecomp 2017 (2017).

Investigation, Discovery and Evidence

15.23 The issue of electronic evidence is important, whether for the organisation or the data subject wishing to use such evidence. It is recommended that organisations consider these issues proactively in advance rather than having to deal with them adequately in a reactive manner.

On-Site/Off-Site

15.24 Organisations must tackle the issues presented by employees not only working onsite, but also travelling and working at home or other locations offsite. This can impact, for example, the security and security risks regarding personal data collected and processed by the organisation. It also means that devices may be taken offsite and/or that third-party devices may exist which are utilised to access the organisation’s systems remotely.

Online Abuse

15.25 The increasingly evident problems of online abuse, such as cyberbullying, trolling, defamation, and copying and utilising personal data to abuse and blackmail children, teenagers, etc, are issues which need to be considered by all organisations as well as policymakers. Pierre Trudel, for example, notes that the risks to individuals increase from many online activities, including in relation to data protection, safety, etc.55

53 Lambert, P, The Right to be Forgotten (Bloomsbury 2019); Tsesis, A, ‘Data Subjects’ Privacy Rights: Regulation of Personal Data Retention and Erasure’ University of Colorado Law Review (2019)(90:2) 593; Kirkwood, P, ‘NT1 & NT2 v Google LLC – The Secretive Case Giving the UK Its First Decision on the Right to Be Forgotten’ European Data Protection Law Review (EDPL) (2018)(4:3) 384.
54 The following examples indicate just some of the parameters involved in the area of fines and penalties, namely, Lambert, P, ‘Data Protection, Data Loss and Penalties’ Irish Business Law Quarterly (2012)(4:4) 22; Reetz, M, ‘GDPR: Does Coverage Exist for Fines and Penalties for Noncompliance?’ TortSource (2019)(21:3) 8; Mulligan, SP, ‘Google Fined for Violation of EU Data Protection Law’ Congressional Research Service: Report (22 February 2019) 1; ‘Fines for Data Misuse’ New Scientist (2018)(240:3203) 4; Wolff, HA, ‘The Implementation of Administrative Fines Under the General Data Protection Regulation from the German Perspective’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2018)(2:11) 11; Golla, SJ, ‘Is Data Protection Law Growing Teeth: The Current Lack of Sanctions in Data Protection Law and Administrative Fines under the GDPR’ Journal of Intellectual Property, Information Technology and Electronic Commerce Law (2017)(8:1) 70; Eskens, SJ, ‘New Notification Obligations and Fines under the Dutch Data Protection Act’ European Data Protection Law Review (EDPL) (2016)(2:2) 224; Rowan, S, ‘The “Legitimate Interest in Performance” in the Law on Penalties’ Cambridge Law Journal (2019)(78:1) 148.

New Regime

15.26 The new GDPR overhauls and modernises the data protection regime throughout the EU (and elsewhere). UK organisations currently have to ensure that they comply with the GDPR. Some of the specific changes and updates for organisations are highlighted earlier. In addition, controllers will also have to ensure that they are aware of and comply with Brexit data protection legal changes which should be intended to be essentially equivalent to the GDPR legal norms – but perhaps in a more complex manner. The whole area of transfers of personal data outside of the EEA (TBDFs or data transfers) is regularly changing, for example, as new countries are added to a white list of permitted export countries having been examined on behalf of the EU Commission. There are also other changes such as contractual clauses and binding corporate rules (BCR) (and noting related updates in relation to safe harbour and the debate as to whether there are knock-on consequences for contractual clauses and BCRs). If an organisation has to consider the possibility of data transfer exports to non-EEA countries, the current most up-to-date transfer rules should be assessed, as well as appropriate professional advice. It may be necessary to have specific legal contracts in place. These rules may also be sector-specific for certain industries (eg airlines flying to the US from Europe). The EDPB (previously WP29) is also an important resource for organisations and it regularly analyses any further topical issues. One of the main areas for controllers to take stock of will be the impact of Brexit on data transfers, and when and how an adequacy decision may occur after Brexit.

DATA TRANSFERS

15.27 The issue of data transfers is obviously very important in the context of Brexit and what will happen in a post-Brexit situation (see Chapter 5). However, there is a general issue in terms of the international transfer of personal data and data transfers in the context of internet services, Cloud services, etc. There is ongoing discussion as regards different transfer regimes and respective restrictions.56 Conflicts can arise.57 Data transfer issues are increasingly litigated.58 There is also discussion of developing international data transfer norms and additional or alternative solutions for personal data.59 In the European context, we have already seen that the utmost care should be given to crafting transfer mechanisms and appropriate safeguards for personal data that may be transferred – and which protection must exist and be available on a continuing basis. The previous EU–US data transfer regime, known as the Safe Harbour arrangement, was struck down by the CJEU when challenged. While a new arrangement has been developed to replace the measure – the EU–US Privacy Shield60 – it remains to be seen if the new Privacy Shield itself will withstand similar criticisms. Already, a case has been referred from Ireland to the CJEU which may shield or unravel the new arrangement – the latter of which would again put cross-Atlantic data transfers (and transfers elsewhere) into turmoil.61 The new Privacy Shield and the standard contractual clauses arrangement were challenged and complained about to the Irish Data Protection Commission by way of a complaint relating to Facebook and its transfers to the US. The Commission ultimately agreed with the complaints. The Irish Supreme Court upheld the High Court referral of questions of law in relation to the decision of the Data Protection Commission’s findings in relation to adequacy to the CJEU. This case, Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems62 will have important implications either way. These issues are obviously ongoing and will no doubt result in further court decisions.

55 Trudel, P, ‘Privacy Protection on the Internet: Risk Management and Networked Normativity’ in Gutwirth, S, Poullet, Y, de Hert, P, de Terwange, C and Nouwt, S, Reinventing Data Protection? (Springer, 2009) 317.
56 Sullivan, C, ‘EU GDPR or APEC CBPR? A Comparative Analysis of the Approach of the EU and APEC to Cross Border Data Transfers and Protection of Personal Data in the IoT Era’ Computer Law & Security Review: The International Journal of Technology Law and Practice (2018)(35:4) 380.
57 Mattoo, A and Meltzer, JP, ‘International Data Flows and Privacy: The Conflict and Its Resolution’ Journal of International Economic Law (2018)(21:4) 769.
58 Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (2017)(106:1) 115; Krouse, W, ‘The Inevitable Demise of Privacy Shield, How to Prepare’ The Computer and Internet Lawyer (2018)(36:6) 19; Fischer, P, ‘From the Safe Harbor to the Privacy Shield: Selected Aspects of the EU–US Privacy Shield’ International Business Law Journal (2018)(2) 143. Also see Kuner, C, Transborder Data Flows and Data Privacy Law (OUP, 2013).
59 Toy, A and Gunasekara, G, ‘Is There a Better Option Than the Data Transfer Model to Protect Data Privacy’ University of New South Wales Law Journal (2019)(42:2) 719. Dort, KK, Criss, JT and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 15.
60 Dort, KK, Criss, JT and Thakrar, R, ‘Trends in Cybersecurity Law, the Privacy Shield and Best Practices for Businesses Operating in the Global Marketplace’ International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel (IDPP) (2017)(1:1) 15. Voss, WG, ‘European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield and the Right to Delisting’ Business Lawyer (2016/2017)(72:1) 221.
61 Kuner, C, Transborder Data Flows and Data Privacy Law (OUP, 2013); Schwartz, PM and Peifer, K-N, ‘Transatlantic Data Privacy Law’ Georgetown Law Journal (November 2017)(106:1) 115; Rustad, ML and Kulevska, S, ‘Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow’, Harvard Journal of Law and Technology (2015)(28:2) 349; Berge, J-S, Grumbach, S and Zeno-Zencovich, V, ‘The Datasphere, Data Flows Beyond Control and the Challenges for Law and Governance’ European Journal of Comparative Law and Governance (2018)(5:2) 144.

EDPS HOT TOPICS

15.28 The European Data Protection Supervisor also refers to some specific upcoming hot topic issues, as follows:

• artificial intelligence;
• Big Data and Digital Clearinghouse;
• competition;
• data breach;
• ethics;
• IPEN;63
• international agreements;
• international cooperation;
• Internet of Things (IoT); and
• necessity and proportionality.

The issue of data breaches and attacks on the personal data of individuals, which attacks are unfortunately continuing in frequency and scale, has escalated the need for new or updated data protections. In addition to data breach and data loss-type issues, attention is also being paid to other discrete areas of data protection and privacy. Just some of these include:

• earlier compliance and pre-problem solving (eg privacy by design, data protection by design, data protection by default, early compliance from day-one or project initiation (as opposed to an add-on or afterthought), data protection impact assessments, risk assessments, etc). Data protection and privacy is now an integral (early) design issue, not merely a once over narrow headline review just before a new product or service goes live in the marketplace;
• takedown, erasure and forgetting issues, particularly online personal data;64
• revenge porn and other forms of online abuse and even new and expanding forms of online abuse;65
• doorbell and security device image personal data;
• home devices recording what individuals say or instruct (often called voice assistants) (brands include Beeb, Alexa, Siri, Google Assistant);66
• home devices which record individuals even when they should neither be on nor recording;
• televisions which film and record homeowners;
• airline seats which record passengers;
• important issues of child personal data;
• even courts are subject to having to consider the impact of new technological developments on judicial processes;67
• data transfers, safe harbours, Privacy Shield and other data transfer legitimising mechanisms;
• data breach incidents;
• insurance for data breach incidents;
• preparedness and team preparations for incidents arising;
• risk assessments;
• privacy impact assessments;
• mandated Data Protection Officers (DPOs) in organisations;
• deletion, take down and the Right to be Forgotten;
• security requirements for business;
• employee monitoring and consent;
• spam and direct marketing;
• the relationship between the controller and the processor and which relationship needs to be formalised in contract pursuant to the DPA and GDPR; and
• websites and social media compliance with the data protection regime.

62 Data Protection Commission statement, 17 December 2018. Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems [2016/4809P]. A detailed history of the case is also referred to on the Data Protection Commission website at: www.dataprotection.ie/en/legal/explanatory-memoranda-litigation-concerning-standard-contractual-clauses-sccs
63 Internet Privacy Engineering Network (IPEN).
64 See Lambert, P, The Right to be Forgotten (Bloomsbury, 2019).

65 See, for example, Lambert, P, International Handbook of Social Media Law (Bloomsbury, 2014); Social Networking, Law, Rights and Policy (Clarus Press, 2014); Lambert, P, A User’s Guide to Data Protection (Bloomsbury, 2018).
66 A recent article in point is Lynskey, D, ‘Alexa, Are You Invading My Privacy? The Dark Side of Our Voice Assistants’ The Guardian, 9 October 2019.
67 See, for example, Lambert, P, Courting Publicity, Twitter and Television Cameras in Court (Bloomsbury, 2011); Lambert, P, Television Courtroom Broadcasting, Distraction Effects and Eye Tracking (Intellect, 2012); Television Courtroom Broadcasting Effects, The Empirical Research and the Supreme Court Challenge (University Press of America, 2013).


POLITICS, PROFILING AND POLITICAL ATTACKS

15.29 The attack on the 2016 US presidential election, and other political and election attacks, is arguably of a different nature to many of the issues mentioned above. It involves issues of society, elections and democracy itself.68 These types of attacks are continuing and while the solutions are multifaceted, there is an increasing role for the data protection supervisory authorities. While there is a focus on the errant attackers, security issues and electorate education, the data protection supervisory authorities in various countries have been focusing on social media and how social media data can be harvested and used to target profiled errant advertising in a form of influence campaign. Facebook and Cambridge Analytica is one example of this.69 Recently, a group of regulators cooperated to jointly investigate this issue. While the types of attacks, profiling and micro-targetting70 for political influence continue, there will be a continuing if not enhanced need for data protection supervisory authorities to increase their involvements, investigations and enforcement. There is a distinct and valuable contribution to be made.71

CONCLUSION

15.30 The latest annual report from the European Data Protection Supervisor (2018) states:

‘The biggest threat to individual freedom and dignity stems from the excessive informational power of certain companies, or controllers and the wider, incompressible ecosystem of trackers, profilers and targeters that are able to gather and use this information.’

Just three months before the GDPR became fully enforceable, the abuse of personal data became headline news and the subject of official enquiries, not only in the European Parliament, but also in national capitals, from Washington DC to London to Delhi. Public policymakers are now very much alive to the threat the current situation poses, not just to the freedom of consumers in the eCommerce environment, but also to democracy itself.

68 Bosco, F, Ferraris, V, Creemers, N and Guagnin, D, ‘Profiling Technologies and Fundamental Rights and Values: Regulatory Challenges and Perspectives from European Data Protection Authorities’ Reforming European Data Protection Law (2015)(20) 3–33.
69 Carugati, C, ‘The 2017 Facebook Saga: A Competition, Consumer and Data Protection Story’ European Competition and Regulatory Law Review (CoRe) (2018)(2:1) 4.
70 Woods, L, ‘ICO Reacts to Use of Data Analytics in Micro-Targetting for Political Purposes’ European Data Protection Law Review (EDPL) (2018)(4:3) 381.
71 Sihvola, E, ‘Privacy and Political Integrity: How European Data Protection Laws May Limit the Regulation of Foreign Political Interference in US Elections’ Columbia Journal of European Law (2019)(25:1) 135.

The whole system is susceptible, not only to breaches, but also to manipulation by actors with political agendas aiming to undermine trust and societal cohesion. Coherent enforcement of all rules, including data protection, to prevent and punish unlawful interference during elections, will be vitally important.

The ICO information rights strategic plan for 2017–2021 states:

‘This strategic plan sets out the Information Commissioner’s mission to increase the trust the public has in government, public bodies and the private sector: trust in transparency, in the digital economy and in digital public service delivery. Our strategic approach highlights a commitment to:

• lead the implementation and effective oversight of the GDPR and other live data protection reforms;
• explore innovative and technologically agile ways of protecting privacy;
• strengthen transparency and accountability and promote good information governance; and
• protect the public in a digital world.’

The latest annual report from the ICO (2018–2019), states: ‘The GDPR also brought in a step change in how organisations approach data protection. It increased the onus on organisations to take a proactive approach to data protection, identifying what risks they were creating through their use of data and working to reduce and mitigate those risks. The greater enforcement powers granted to regulators helped to establish compliance as a board level issue.’

Data protection compliance has never been a ‘one size fits all’ or a single one-time policy document. The nature of what amounts to personal data and the activities for which such data can be processed are ever changing. Those within an organisation, therefore, must be constantly alert to compliance issues and changes. Organisations must also be constantly alert to new issues and dangers. The ICO and respective data protection supervisory authorities will continue to have to delve deeper in discovering and then understanding the impact for data protection and privacy of an ever-growing list of physical and non-physical technologies. As we get more used to the latest data protection laws, companies will be only a step behind with an interest in seeking to mitigate the harshest financial consequences of fines and penalties – which will, at least in some instances, involve challenges and appeals in the courts. As users, consumers, consumer privacy groups and other related groups all begin to further appreciate the expanded rights of individual data subjects and the expanding ability to seek damages and compensation, litigation will also increase.

The respective remedies in relation to data protection and privacy72 whether those available to individuals or to the data protection supervisory authorities, will be an important focus as the new data protection rules bed in. The message of the positive benefits of data protection and privacy should not be forgotten.73 There are valuable commercial benefits for companies. It is also important for data protection supervisory authorities and promoting this message is something with which they should continue to engage.

72 Scholz, LH, ‘Privacy Remedies’ Indiana Law Journal (2019)(94:2) 653.
73 Allison, PR, ‘How Data Privacy Can Be A Benefit, Not A Burden’ Computer Weekly (13 August 2019) 26. Poritskiy, N, Oliveira, F and Almeida, F, ‘The Benefits and Challenges of General Data Protection Regulation for the Information Technology Sector’ Digital Policy, Regulation and Governance (2019)(21:5) 510.

Appendices

Appendix 1: Data Protection Supervisory Authority Details

EU Data Protection Supervisory Authorities

The main national EU data protection supervisory authorities are as follows.

Austria
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Tel. +43 1 52152 2550
Website: www.dsb.gv.at/

Belgium
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles – Brussel
Tel. +32 2 274 48 00
Website: www.autoriteprotectiondonnees.be/ – www.gegevensbeschermingsautoriteit.be/

Bulgaria
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Website: www.cpdp.bg/

Croatia
Croatian Personal Data Protection Agency
Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Website: www.azop.hr/

Cyprus
Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Website: www.dataprotection.gov.cy/

Czech Republic
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Website: www.uoou.cz/

Denmark
Datatilsynet
Borgergade 28, 5
Tel. +45 33 1932 00
Website: www.datatilsynet.dk/

Estonia
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Tel. +372 6828 712
Website: www.aki.ee/

Finland
Office of the Data Protection Ombudsman
P.O. Box 800
FIN-00521 Helsinki
Tel. +358 29 56 66700
Website: www.tietosuoja.fi/en/

France
Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris Cedex 07
Tel. +33 1 53 73 22 22
Website: www.cnil.fr/

Germany
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Website: www.bfdi.bund.de/
In Germany, the competence in the field of data protection is split among different data protection supervisory authorities. The authorities are listed at: www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

Greece
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Website: www.dpa.gr/

Hungary
Hungarian National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
Website: www.naih.hu/

Ireland
Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland
Tel. +353 76 110 4800
Website: www.dataprotection.ie/

Italy
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Website: www.garanteprivacy.it/

Latvia
Data State Inspectorate
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Website: www.dvi.gov.lv/

Lithuania
State Data Protection Inspectorate
A. Juozapaviciaus str. 6
LT-09310 Vilnius
Tel. +370 5 279 14 45
Website: www.ada.lt/

Luxembourg
Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Website: www.cnpd.lu/

Malta
Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Website: www.idpc.org.mt/

Netherlands
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Website: autoriteitpersoonsgegevens.nl/nl

Poland
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 531 03 00
Website: uodo.gov.pl/

Portugal
Comissão Nacional de Protecção de Dados – CNPD
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Tel. +351 21 392 84 00
Website: www.cnpd.pt/

Romania
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Website: www.dataprotection.ro/

Slovakia
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel. +421 2 32 31 32 14
Website: www.dataprotection.gov.sk/

Slovenia
Information Commissioner of the Republic of Slovenia
Ms Mojca Prelesnik
Dunajska 22
1000 Ljubljana
Tel. +386 1 230 9730
Website: www.ip-rs.si/

Spain
Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Website: www.aepd.es/

Sweden
Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Website: www.datainspektionen.se/

United Kingdom
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 700
Website: ico.org.uk

EU – European Data Protection Supervisor
European Data Protection Supervisor
Rue Wiertz 60
1047 Bruxelles/Brussel
Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00
Website: www.edps.europa.eu/EDPSWEB/

Other Data Protection Supervisory Authorities – EEA

Some examples of the other data protection and privacy supervisory authorities include, in accordance with the European Economic Area (EEA) agreement, the EEA countries of Iceland, Liechtenstein and Norway.

Iceland
Persónuvernd
Rauðarárstígur 10
105 Reykjavík
Tel. +354 510 9600
Website: www.personuvernd.is or www.dpa.is

Liechtenstein
Data Protection Office, Principality of Liechtenstein
Städtle 38
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
Website: www.datenschutzstelle.li

Norway
Datatilsynet
Tollbugata 3
0152 Oslo
Tel. +47 22 39 69 00
Website: www.datatilsynet.no

Appendix 2: ICO Enforcement, Fines and Prosecutions Party

Breach

Penalty

Social media [ ] and politics

Issue

Date

Facebook

Cambridge Analytica and political data harvesting and profiling

£500,000

Spam

Superior Style

Spam Calls to TPS users

£150,000

Enforcement 12/8/19 notice

Hudson Bay

Failure to respond to access Enforcement right notice

Spam

2/8/19

Make It Easy

Spam calls

£160,000

Security

19/7/19

Life at Parliament View

Leaving personal data exposed for two years

£80,000

Enforcement notice

25/6/19

Metropolitan Police Repeated failures to comply Enforcement with access rights Notice

Spam

24/6/19

EE Ltd

Spam

100,000

Claims and claims data. Unlawful collection

24/6/19

David Cullen

Former MD of claims company, unlawfully obtaining and disclosing personal data

Prosecution

Spam

13/6/19

Smart Home Protection

Spam calls

£90,000

Unlawful access

7/6/19

Wendy Masterson

Charity worker unlawful access to personal data without permission.

Prosecution

Unlawful disclosure of sensitive data

6/6/19

Jeanette Baines

Justice caseworker prosecuted for sending sensitive personal data.

Prosecution

Enforcement notice

10/5/19

Revenue

Enforcement notice. Failure to get adequate consent from callers.

Enforcement Notice.

Spam

7/5/19

Hall and Hanley

Spam

£120,000

Spam calls

16/4/19

Avalon Direct

Calls to people on telephone preference service

£64,000

Unlawful sharing

11/4/19

Bounty UK

Sharing personal data unlawfully

£400,000

True Visions

Unfair and unlawful filming in maternity ward

£120,000

17/9/19

Unlawful filming in sensitive area

10/4/19

Health data disclosure

5/4/19

Shamim Shadiq

Former GP manager, sending personal data to own personal e-mail account

Prosecution

Police database release

4/4/19

London Borough of Newham

Disclosure of data on individuals on a police database

£145,000

Spam

26/3/19

Grove Pension

Spam e-mail

£40,000

Spam

19/3/19

Vote Leave

Text spam

£40,000

Unlawful access

15/3/19

Jayana MorganDavis

Former employee unlawfully accessing customer and employee data

Prosecution

Unlawful access

15/3/19

Faye Caughey

Former health official. Health data records accessed without permission.

Prosecution

Unlawful access and distribution

26/2/19

Kevin Bunsell

Former official. Passing job rival information to partner.

Prosecution

Enforcement notice

7/2/19

Magnacrest

Failure to comply with enforcement notice.

Prosecution

Spam

1/2/19

Leave.EU (2)

Spam

£15,000

Spam

1/2/19

Leave.EU (1)

Spam

£45,000

Marketing

31/1/19

Alistar Green Legal services

Penalty and enforcement notice

Spam

22/1/19

NWR Ltd

Spam calls; enforcement notice

Spam

13/12/18

Tax return Ltd

Spam fine

£200,000

Child data

3/12/18

Darren Harrison

Former head teacher and child data access

Prosecution

Records, security

28/11/12

Hannah Pepper

Former doctor employee and inappropriate access

Prosecution

Hacking

28/11/18

Uber

Failure to secure customer personal data

£385,000

Hacking

7/6/18

British and Foreign Bible Society

Responsible for exposure of computer system to hacking attack.

£100,000

Data breach

21/5/18

Yahoo!

£250,000

Records, security

23/5/18

Bayswater Medical

Sensitive personal data and medical records left in unattended building.

Mass data breach, ISP

£80,000

£35,000

Security breach

21/5/18

University of Greenwich

Serious security breach, data of 20K people, included sensitive personal data

£120,000

Data breach, security, offence, unlawful obtaining

17/5/18

Daniel Short

Recruitment agent took candidate details for new job

Security, encryption

16/5/18

Crown Prosecution Service

Loss of police interviews on DVD, not encrypted

£325,000

Unlawful access

23/4/18

Michelle Harrison

Hospital health employee accessing patient records without need

Prosecution

Unlawful identification

16/4/16

Royal Borough of Kensington and Chelsea

Unlawfully identified people

£120,000

Security

5/4/18

Humberside Police

Rape victim interview recording on disk lost

£130,000

Unlawful access

7/2/18

Philip Bagnall

Unlawfully obtaining customer data of former employer

Prosecution

Consent

31/1/18

Holmes Financial Services

Automated marketing calls without consent

£300,000

Nuisance calls

15/9/17

Your Money Rights Ltd

146 million illegal nuisance and heavy-handed nuisance spam calls.

£350,000

Sensitive health data breach. Unlawful access and disclosure

11/8/17

Brioney Woolfe

Former Colchester hospital employee prosecuted for (a) unlawfully obtaining sensitive health data of friends and (b) unlawfully disclosing sensitive health data.

Prosecuted at Colchester Magistrates’ Court. Convicted

Data breach

11/8/17

TalkTalk

Customer data breach.

£100,000

Nuisance calls

3/8/17

Laura Anderson TA Virgo Home Improvements

Nuisance calls and breach of do not call register telephone preference service.

£80,000

Nuisance calls

3/8/17

HPAS TA Safestyle

Nuisance calls and breach of do not call register telephone preference service.

£70,000

Prosecution

Unlawful disclosure

21/7/17

Stuart Franklin

Unlawful disclosure of CVs of applicants to then employer, the Controller, to third party.

Birmingham Magistrates’ Court. Conviction.

Spam e-mail

20/7/17

Moneysupermarket.com

Price comparison website fined for

£80,000

Spam texts

17/7/17

Provident Personal Credit Union

Spam marketing texts.

£80,000

Data breach

3/7/17

Royal Free

Sensitive health data. Various unlawful data breaches by hospital to third party research company DeepMind

Curiously no fine. Curiously no deletion.

Website data breach

27/7/17

Boomerang Video

Website cyberattack. Did not take preventative steps.

£60,000

Nuisance calls

22/6/17

MyHome Installations

Nuisance calls and breach of do not call register telephone preference service.

£50,000

Marketing e-mails

16/6/17

Morrisons supermarkets

Incorrect use of data and customer marketing.

£10,500

Data breach

12/6/17

Gloucester City Council

Cyber attack and access to sensitive employee data

£100,000

Blagging calls

8/6/17

Joseph Walker

Blagging calls to obtain data from insurance companies re claims and to resell data

Prosecution

Data breach

31/5/17

Basildon Borough Council

Unlawfully publishing sensitive data about a family in online planning documents.

Spam texts

17/5/17

Concept Car Credit

Spam texts.

£40,000

Spam calls

17/5/17

Brighter Home Solutions

Nuisance calls and breach of do not call register telephone preference service.

£50,000

Unlawful access

16/5/17

Sally Anne Day

Employee unlawful access of sensitive patient health data.

Prosecution. Conviction.

Spam texts

16/5/17

Onecom

Spam texts.

£100,000

Spam calls

10/5/17

Keurboom Communications

99.5 million Spam calls

‘Record’ £400,000

Data breach

4/5/17

Greater Manchester Police

3 DVDs lost with videos of sensitive sex crime victim interviews lost

£150,000

£150,000

Data breach

2/5/17

Construction Materials Online

Failed to protect customer data.

£55,000

Spam texts

19/4/17

Moneva

Spam texts.

£40,000

Various breaches

5/4/17

Great Ormond Street Hospital Children's Charity

Sharing records with other charities. Profiling. Matching data from other data sources not provided directly.

£11,000

Collection breach

5/4/17

Battersea Dogs and Cats Home

Finding personal data not provided.

£9,000

Various breaches

5/4/17

Cancer Research UK

£16,000

Unlawful disclosure

5/4/17

Cancer Support UK

Sharing data with others regardless of cause.

£16,000

Various breaches

5/4/17

Macmillan Cancer Support

Profiling. Matching data from other data sources not provided directly.

£14,000

Various breaches

5/4/17

NSPCC

Profiling. Matching data from other data sources not provided directly.

£12,000

Matching

5/4/17

Oxfam

Matching data from other data sources not provided directly

£6,000

Various breaches

5/4/17

Guide Dogs for Blind

Profiling. Matching data from other data sources not provided directly.

£15,000

Various breaches

5/4/17

International Fund for Animal Welfare

Sharing data with others regardless of cause. Profiling. Matching data from other data sources not provided directly.

£18,000

Various breaches

5/4/17

Royal British Legion

Profiling. Matching data from other data sources not provided directly.

£12,000

Various breaches

5/4/17

WWF UK

Profiling. Matching data from other data sources not provided directly.

£9,000

Profiling. Matching data from other data sources not provided directly.

Unlawful access

5/4/17

Eileen McMillan

Hospital employee unlawfully accessed sensitive health files on estranged family members

Prosecution

Spam texts

30/3/17

PRS Media

Spam texts without consent of 4.4 million people

£140,000

Spam calls

30/3/17

Xternal Property

Nuisance calls and breach of do not call register telephone preference service.

£80,000

Spam e-mails

27/3/17

Flybe

3.3 million spam e-mails despite objection opt outs.

£70,000

E-mails

27/3/17

Honda

PECR breach

£13,000

Data breach

20/3/17

Norfolk County Council

Old files including sensitive data left in cabinet given to second-hand shop.

£60,000

Breach

16/3/17

Barrister

Senior barrister failed to keep client file secure.

Unlawful obtaining

16/3/17

Gregory Oram

Leaving employee unlawfully obtaining personal data from employer and e-mailing to personal e-mail to start rival recruitment firm.

Prosecution

Spam texts

14/3/17

Munee Hut

Outsourcing spam texts.

Prosecution. Also fined £20,000

Spam calls

9/3/17

Media Tactics

22 million spam calls

£270,000

Unlawful access

3/3/17

Elaine Lewis

Former nurse unlawfully accessed sensitive medical records.

Prosecution

Security

28/2/17

HCA International

Health company failed to keep IVF fertility records secure.

£200,000

Spam texts

15/2/17

Digitonomy

Spam texts.

£120,000

Sale and spam

2/2/17

Data Supply Company

Sale of records, resulting in purchaser spam texts

£20,000

CCTV

1/2/17

Karthikesu

Newsagent uses CCTV. Section 17 offence.

Prosecution

Texts

24/1/17

LAD Media

Spam texts.

£50,000

Unlawful obtaining

18/1/17

Rebecca Gray

Employee leaving recruitment company e-mails client personal data when moving to new recruitment firm

Prosecution

£1,000

Spam calls

16/1/17

IT Project Ltd

Nuisance calls and breach of do not call register telephone preference service.

£40,000

Data loss

10/1/17

Royal and Sun Alliance

Data loss of 60,000 customers

£150,000

Unlawful access

10/1/17

Minty, Leong and Craddock

Unlawful access (blagging) of insurance data to make claims

Prosecution

Access

20/12/16

Wainwrights Estate

Failure to comply with information notice after failure to comply with access request.

Unlawful processing

9/12/16

British Heart Foundation

Secretly screened and profiled to target for money

£18,000

Unlawful processing

9/12/16

RSPCA

Matching, profiling, screening for wealth targeting.

£25,000

Unlawful access

2/12/16

Monnapula

Former health employee unlawfully accessed sensitive health files of people she knew

Prosecution

Spam texts

30/12/16

Oracle Insurance Brokers

Spam texts

£30,000

Spam texts

29/11/16

Silver City

Spam texts

£100,000

Unlawful access Blagging

11/11/16

Severs and Billington

Unlawful access. Blagging.

Prosecution

Spam calls

10/11/16

Assist Law

Nuisance calls and breach of do not call register telephone preference service.

£30,000

Spam texts

7/11/16

Prosecution

Nouveau Finance

2.2 m spam texts

£70,000

Unlawful use

2/11/16

Tandon

E-mail data to personal e-mail and sold to third party

Prosecution

Unlawful access

28/10/16

Evans

Former NHS employee unlawfully accessed sensitive data of girlfriend of partner

Prosecution

Unlawful access

25/10/16

Wooltorton

Former hospital employee unlawfully accessing sensitive data of people she knew

Prosecution

Spam texts

13/10/16

Rainbow (UK) Ltd

Spam texts

£20,000

Data breach

5/10/16

Talk Talk

Data breach. Cyber attack accessing customer data. 160,000 customers.

£400,000

Spam texts

28/9/16

Ocean Finance

Spam texts

£130,000

Spam texts

15/9/16

CarFinance 247

Spam texts

£30,000

Texts

8/9/16

Vincent Bond

Unsolicited texts

£40,000

Spam calls

8/9/16

Omega

1.6 million spam calls

£60,000

Security

25/8/16

Whitehead Nursing

Not protecting sensitive data.

Data breach

16/8/16

Hampshire County Council

Personal data files found in disused building.

£100,000

Unlawful disclosure

11/8/16

Regal Chambers Surgery

Unlawful disclosure of data of woman and family to estranged husband

£40,000

Information notice

21/7/16

Clarity Leeds

Failure to comply with information notice after failure to comply with access request.

Prosecution

Spam calls

9/6/16

Advanced VOIP

Spam calls

£180,000

Spam texts

9/6/16

Quigley and Carter

Spam texts

£80,000

Data breach

8/6/16

Chief Constable of Dyfed-Powys

E-mail identifying sex offenders sent to member of public in error.

£150,000

Spam calls

16/5/16

Check Point Claims

17.5m spam calls.

£250,000

Spam texts

11/5/16

Better for the Country

500,000 spam Brexit texts

£50,000

Unlawful disclosure

9/5/16

Chelsea and Westminster Hospital

Revealed e-mails of HIV patients.

£180,000

Data breach. Unlawful disclosure

4/5/16

Blackpool Teaching Hospitals NHS Foundation Trust

Inadvertently published online workers’ confidential data including their National Insurance number, date of birth, religious belief and sexual orientation.

£185,000

Nuisance calls

27/4/16

Nevis Home Improvements Ltd

2.5 million recorded phone calls.

£50,000

Data breach/ Unlawful disclosure

21/4/16

Chief Constable of Kent Police

Fined after sensitive personal details of woman who accused her partner of domestic abuse passed to the suspect.

£80,000

£15,000

Trying to buy data without consent.

7/4/16

David Barlow Lewis

Former LV employee. David Barlow Lewis prosecuted at Bournemouth Magistrates’ Court for attempting to commit a s 55 offence, by attempting to obtain personal data without the controller’s consent. Pleaded guilty to trying to get an existing LV employee to sell him customer data.

Prosecution and fine.

Failure to comply with notice

5/4/16

Keurboom Communications Limited and director Gregory Rudd

Both prosecuted at Luton Magistrates’ Court for failing to comply with a third-party information notice issued by the Commissioner in relation to an investigation for PECR breaches. The communication company pleaded guilty to the s 47 offence.

Prosecution of company and directors. Company fined £1,500, plus costs and director fined £1,000

Nuisance calls with fake number

1/4/16

Advice Direct Ltd

Fined by ICO.

£20,000

Failure to comply with breach notification rules

24/3/16

TalkTalk Telecom Group Plc

Data breach and failure to comply with breach notification rules. Privacy and Electronic Communications (EC Directive) Regulations 2003.

£1,000 per reg 5C(2) of PECR

Nuisance calls

17/3/16

FEP Heatcare

Spam calls. 2.6 million calls.

£180,000

Access request

29/3/16

MI Wealth Management Ltd

Failure to comply with access request

Ordered to comply

Security of data

10/3/16

Chief Constable Wiltshire Constabulary

Investigation file lost. Data breach.

Undertaking to comply with Seventh Principle

Nuisance calls

29/2/16

Prodial Ltd

Spam calls. 46 million calls.

£350,000

Spam texts

22/11/15

UKMS Money Solutions Ltd (UKMS)

Spamming. 1.3 million Spam texts.

£80,000

Spam calls

10/11/15

Oxygen Ltd

Unsolicited automated marketing calls.

£120,000

Stolen laptops

4/11/15

Crown Prosecution Service (CPS)

Stolen laptops with police interview videos of victims and witnesses, mostly for ongoing violent or sexual type cases.

£200,000

Spam texts

27/10/15

Help Direct UK Ltd

Unsolicited marketing text messages.

20/10/15

Pharmacy 2U Ltd

Online pharmacy sold details of more than 20,000 customers to marketing companies. No Consent. No notification to customers.

£130,000

Information notice

8/10/15

Nuisance Call Blocker Ltd

Failing to respond to information notice.

Prosecuted

Automated marketing calls

30/9/15

Home Energy and Lifestyle Management Ltd (HELM)

6 million automated marketing calls. Breach of marketing call regulations.

£200,000

Unsolicited marketing calls

16/9/15

Cold Call Elimination Ltd

Unsolicited marketing calls.

£75,000

Enforcement notice Right to be Forgotten.

20/8/15

Google Inc

Ordered to remove nine search results after ICO ruled the information linked was no longer relevant.

Enforcement notice

Nuisance calls

10/8/15

Point One Marketing Ltd (previously Conservo Digital Ltd)

Nuisance calls.

Lost data

6/8/15

The Money Shop

Loss of computer £180,000 equipment with significant amount of customer details.

Non-notification

4/8/15

Consumer Claims Solutions Ltd

Personal injury claims telemarketing company.

£200,000

£50,000

Prosecution. Guilty plea to the s 17 non-notification offence

Loss of unencrypted DVDs

18/5/15

South Wales Police

Fine for losing a video recording which formed part of the evidence in a sexual abuse case. Despite containing a graphic and disturbing account, DVDs were unencrypted and left in a desk drawer.

£160,000

Non-notification

16/4/15

Lismore Recruitment Ltd

Failing to notify with the ICO.

Prosecution. Guilty plea

Spam calls

1/4/15

Direct Assist Ltd

Direct marketing calls to people without their consent.

£80,000

Unauthorised disclosure

30/3/15

Serious Fraud Office

Witness in a serious fraud, bribery and corruption investigation mistakenly sent evidence relating to 64 other people in case.

£180,000

Spam texts

24/3/15

Sweet Media Ltd

Enforcement notice to stop sending nuisance Spam texts. ICO raid. SIM cards and computers seized. Sent over 4.5 million texts.

Enforcement notice

Spam texts

17/3/15

Help Direct UK

Order to stop Spam texts.

Unlawful access

12/3/15

Yasir Manzoor

Former customer service assistant at Lloyds Banking Group prosecuted for unlawfully accessing a former partner’s bank account.

Prosecution

Unlawful access

26/2/15

Bernard Fernandes

Former support clerk at Transport for London prosecuted for unlawfully accessing the Oyster card records of family and neighbours.

Enforcement notice

Prosecution

Hack Security Breach

24/2/15

Staysure.co.uk Ltd

IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on the online holiday insurance company. Hackers potentially accessed over 100,000 live credit card details, and customers’ medical details. Credit card CVV numbers were also accessible despite industry rules that they should not be stored at all.

£175,000

Privacy Policy

30/1/15

Google Inc

Google Inc signs undertaking committing to making further changes to its amalgamated Privacy Policy to ensure compliance with the first principle of DPA 1998.

Privacy Policy

Failure to respond to information notice

6/1/15

Tivium Ltd

Failure to respond to information notice.

Spam texts

6/1/15

Optical Express (Westfield) Ltd

Enforcement notice to stop Spam texts.

Enforcement notice

Spam calls

27/12/14

Kwik Fix Plumbers Ltd

Nuisance Spam calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they did not need.

£90,000

Failure to report breach

19/12/14

Prosecution. Fined £5,000, plus compensation plus costs.

Failure to comply with the personal data breach reporting requirements under the Privacy and Electronic Communications (EC Directive) Regulations 2003.

£1,000

Vodafone

Spam texts

5/12/14

Parklife Manchester Ltd

Unsolicited marketing texts. Text sent to 70,000 people who bought tickets to last year’s event and appeared on recipients’ mobile phone as sent by ‘Mum’.

70,000

Enforcement notice Data breach

19/11/14

Grampian Health Board (NHS Grampian)

ICO ordered NHS Grampian to ensure patients’ information better protected. Six data breaches in 13 months where papers containing sensitive personal data were left abandoned in public areas of a hospital. In one case the data was found at a local supermarket.

Enforcement notice

Unlawful access

13/11/14

Harkanwarjit Dhanju

Former West Sussex Primary Care Trust pharmacist prosecuted for unlawfully accessing medical records of family members, work colleagues and local health professionals.

Prosecution

Spam calls

12/11/14

Hot House Roof Company

Enforcement notice to stop Spam calls.

Enforcement notice

Company director

11/11/14

Matthew Devlin

Company director Matthew Devlin fined after illegally accessing Everything Everywhere’s (EE) customer database, to target them with services of his own telecoms companies.

Prosecution

Hack Security Breach

5/11/14

Worldview Ltd

Serious data breach when vulnerability on company’s site allowed hackers to access full payment card details of 3,814 customers.

£7,500

Abdul Tayub

Enforcement notice. Sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.

Spam e-mail

21/10/14

Enforcement notice

Spam calls

1/10/14

EMC Advisory Services Ltd

Spam calls. Also failure to ensure persons registered with Telephone Preference Service (TPS), or who previously asked not to be contacted, were not called.

£70,000

Spam e-mail

12/9/14

All Claims Marketing Ltd

Enforcement notice. Spam e-mail and without providing information as to its identity.

Enforcement notice

Spam calls

3/9/14

Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim)

Enforcement notice. Spam calls. Included calls to people who had registered with the Telephone Preference Service (TPS), or who had asked not to be contacted.

Enforcement notice

Breach

24/8/14

Ministry of Justice

Serious failings in the way prisons handled people’s information.

£180,000

Unlawful access

22/8/14

Dalvinder Singh

Santander banker fined for reading 11 colleagues’ bank accounts, to see their salary and bonuses.

Prosecution

Failure to notify with ICO

6/8/14

A Plus Recruitment Limited

Failure to notify with ICO.

Prosecution

Failure to notify with ICO

5/8/14

1st Choice Properties (SRAL)

Failure to notify with ICO.

Prosecution

Spam calls

28/7/14

Reactiv Media Ltd

Spam calls. Calls to people who registered with Telephone Preference Service (TPS).

£50,000

Hack Security Breach

23/7/14

Think W3 Limited

Online travel services company. Serious breach of DPA 1998. Thousands of people’s data accessed by hacker.

£150,000

Company owner Failure to notify ICO of changes to his notification

15/7/14

Jayesh Shah

Owner of a marketing company (Vintels) prosecuted for failing to notify ICO of changes to his notification.

Prosecution. Fined £4,000, plus costs and victim surcharge

Failure to notify with ICO

14/7/14

Hayden Nash Consultants

Recruitment company. Failure to notify with ICO.

Prosecution

Unlawful access Unlawful sale

10/7/14

Stephen Siddell

Former branch manager for Enterprise Rent-A-Car prosecuted for unlawfully stealing the records of almost two thousand customers and selling them to a claims management company.

Prosecution

Failure to notify with ICO

9/7/14

Global Immigration Consultants Ltd

Failure to notify with ICO.

Prosecution.

Spam calls

16/6/14

DC Marketing Ltd

Enforcement notice. Spam calls.

Enforcement notice

Director Failure to notify with ICO

6/6/14

Darren Anthony Bott

Director of pensions review company prosecuted for failure to notify with ICO.

Prosecution.

Failure to comply with information notice

5/6/14

API Telecom

Failure to comply with information notice.

Prosecution

Unlawful disclosure

29/5/14

Wolverhampton City Council

Investigation into a data breach at the council that occurred in January 2012, when a social worker who had not received data protection training, sent a report to a former service user detailing their time in care. The social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.

Enforcement notice

Failure to notify with ICO

13/5/14

QR Lettings

Failure to notify with ICO.

Prosecution

Failure to notify with ICO

25/4/14

Allied Union Ltd

Failure to notify with ICO.

Prosecution

Guilty plea

Spam calls

3/4/14

Failure to notify with ICO

25/3/14

Help Direct UK Ltd

Failure to notify with ICO.

Security Unlawful access

19/3/14

Kent Police

Highly sensitive and confidential information, including copies of police interview tapes, were left in a basement at the former site of a police station.

£100,000

Directors and company Failure to notify with ICO

12/3/14

Boilershield Limited

Failure to notify with ICO.

Prosecution. Both fined £1,200, plus costs and surcharge

Failure to notify with ICO

11/3/14

Becoming Green (UK) Ltd

Failure to notify with ICO.

Prosecution

Spam calls

10/3/14

Isisbyte Limited

Enforcement notice, Spam calls.

Enforcement notice

Spam calls

10/3/14

SLM Connect Limited

Enforcement notice. Spam calls.

Enforcement notice

Hack Security Breach

7/3/14

British Pregnancy Advice Service (BPAS)

Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception.

£200,000

Blagging

24/1/14

ICU Investigations Ltd

Blagging. Six men who were part of a company that tricked organisations into revealing personal details about customers have today been sentenced for conspiring to breach the DPA.

Prosecution

Security Unlawful disclosure

11/1/14

Department of Justice Northern Ireland

A monetary penalty notice has been served on Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

£185,000

Unsolicited Spam calls to people who registered with Telephone Preference Service (TPS).

£50,000

Prosecution

Spam texts

16/12/13

First Financial (UK) Ltd

Millions of Spam texts.

£175,000

Security. Unlawful disclosure No encryption

29/10/13

North East Lincolnshire Council

Loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.

£80,000

Security Unlawful disclosure

22/10/13

Ministry of Justice

Failure to keep personal data securely, after spreadsheets showing prisoners’ details were e-mailed to members of the public in error.

£140,000

Data breach

2/1/13

Sony

Hack breach

£250,000

Unlawful access Customer financial data Bank employee

6/11/12

Lara Davies

Bank employee unlawfully obtained access to bank statements of her partner’s ex-wife. Court prosecution. Pleaded guilty to 11 DPA offences.

Court conviction. Fined. Lost job.

Spam

28/11/12

Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms

An ICO monetary penalty was issued. The company had sent millions of unlawful spam texts to the public over the past three years. This case involved the prosecution of directors.

£300,000 £140,000

Data Loss/ Data Breach Unlawful disclosure Sensitive data

22/11/12

Plymouth City Council

An ICO monetary penalty issued for a serious breach of the seventh data protection principle. A social worker sent part of a report relating to family A, to family B due to printing issues. The photocopied report contained confidential and highly sensitive personal data relating to the two parents and their four children, including allegations of child neglect in ongoing care proceedings.

£60,000

Incorrect storage and processing Potential loss and damage Financial institution

6/11/12

Prudential

An ICO monetary penalty issued after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. This was the first case in relation to a fine for incorrect storage and processing.

£50,000

Data Loss/ Data Breach Unlawful disclosure Sensitive data

25/10/12

Stoke-on-Trent City Council

An ICO monetary penalty issued following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being e-mailed to the wrong person.

£120,000

Data Loss/ Data Breach Police

16/10/12

Greater Manchester Police

An ICO monetary penalty issued after the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than 1,000 people with links to serious crime investigations.

Data Loss/ Data Breach Charity

10/10/12

Norwood Ravenswood Ltd

An ICO monetary penalty issued after highly sensitive information about the care of four young children was lost after being left outside a London home. This was a charity which was fined.

£70,000

Data Loss/ Data Breach

11/9/12

Scottish Borders Council

An ICO monetary penalty issued after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park.

£250,000

£150,000

Unlawful disclosure Sensitive data

6/8/12

Torbay Care Trust

An ICO monetary penalty issued after sensitive personal information relating to 1,373 employees was published on the Trust’s website.

£175,000

Unlawful disclosure Sensitive data

12/7/12

St George’s Healthcare NHS Trust

An ICO monetary penalty issued after a vulnerable individual’s sensitive medical details were sent to the wrong address.

£60,000

Data Loss/ Data Breach

5/7/12

Welcome Financial Services Ltd

An ICO monetary penalty issued following a serious breach of the Data Protection Act. The breach led to the personal data of more than 500,000 customers being lost.

£150,000

Data Loss/ Data Breach Sensitive data

19/6/12

Belfast Health and Social Care Trust

£225,000

Unlawful disclosure Sensitive data

6/6/12

Telford and Wrekin Council

An ICO monetary penalty issued for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.

£90,000

An ICO monetary penalty issued following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.

Unlawful disclosure Sensitive data Security

1/6/12

Brighton and Sussex University Hospitals NHS Trust

An ICO monetary penalty issued following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010.

£325,000

Unlawful disclosure Sensitive data

21/5/12

Central London Community Healthcare NHS Trust

An ICO monetary penalty issued for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data.

£90,000

Data Loss/ Data Breach Sensitive data

15/5/12

London Borough of Barnet

An ICO monetary penalty issued following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home.

£70,000

Unlawful disclosure Sensitive data

30/4/12

Aneurin Bevan Health Board

An ICO monetary penalty issued following an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person.

£70,000

Unlawful disclosure Sensitive data

14/3/12

Lancashire Constabulary

An ICO monetary penalty issued following the discovery of a missing person’s report containing sensitive personal information about a missing 15-year-old girl.

£70,000

Unlawful disclosure Sensitive data

15/1/12

Cheshire East Council

An ICO monetary penalty issued after an e-mail containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients.

£80,000

Data Loss/ Data Breach Sensitive data

13/2/12

Croydon Council

An ICO monetary penalty issued after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

£100,000

Unlawful disclosure Sensitive data

13/2/12

Norfolk County Council

An ICO monetary penalty issued for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

£80,000

Unlawful disclosure Sensitive data

30/1/12

Midlothian Council

An ICO monetary penalty issued for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland.

£140,000

Unlawful disclosure Sensitive data

6/12/11

Powys County Council

An ICO monetary penalty issued for a serious breach of the Data Protection Act after the details of a child protection case were sent to the wrong recipient.

£130,000

Unlawful disclosure Sensitive data

28/11/11

North Somerset Council

An ICO monetary penalty issued for a serious breach of the Data Protection Act where a council employee sent five e-mails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

£60,000

Unlawful disclosure Sensitive data

28/11/11

Worcestershire County Council

An ICO monetary penalty issued for an incident where a member of staff e-mailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.

£80,000

Unlawful disclosure Sensitive data

9/6/11

Surrey County Council

An ICO monetary penalty issued for a serious breach of the Data Protection Act after sensitive personal information was e-mailed to the wrong recipients on three separate occasions.

£120,000

Unlawful disclosure Sensitive data Security

10/5/11

Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

An ICO monetary penalty issued for failing to keep sensitive personal information relating to around 6,000 people secure.

£1,000

Data Loss/ Data Breach Laptop Encryption

8/2/11

Ealing Council

An ICO monetary penalty issued following the loss of an unencrypted laptop which contained personal information. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies.

£80,000

Data Loss/ Data Breach Laptop Encryption

8/2/11

Hounslow Council

An ICO monetary penalty issued following the loss of an unencrypted laptop which contained personal information. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow Council also did not monitor Ealing Council’s procedures for operating the service securely.

£70,000

Appendix 3 Data Protection Act 2018

The new UK Data Protection Act 2018 is the most important development in UK data protection law in over 20 years. The DPA 1998 is repealed – as specified in Schedule 19, s 44 of the DPA 2018. The DPA 2018 is long and complex, comprising,

• 215 sections over 130 pages; and
• 20 Schedules (comprising 1–9 Parts depending on the schedule) over 208 pages.

The Act is also complicated by the fact that it addresses more than just the GDPR itself, and consequent repeal of the prior legislation. In addition to the GDPR related issues, the Act also encompasses the following,

• Part 3: Law Enforcement Processing;
• Part 4: Intelligence Services Processing;
• Part 2, Chapter 3: applying the GDPR rules via the Act to other information and data not covered by the GDPR;
• Part 3 refers to Law Enforcement Processing and makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the EU Law Enforcement Directive in the UK;
• Part 4 refers to Intelligence Services Processing and makes provision about the processing of personal data by the intelligence services.

There are many changes from the GDPR. Some of these are referred to below.

DPA 2018 CHANGES FROM GDPR

| GDPR | Description | Change | DPA 2018 |
|---|---|---|---|
| Art 8 | Age for information society services: 16 | Change to: 13 | s 9 |
| GDPR | GDPR | Extends GDPR to additional information areas | Part 2 |
| Art 4(7) | Meaning of ‘Controller’ | Change to definition | s 6(2), s 209, s 210 |
| | Meaning of ‘public authority’ and ‘public body’ | Specifying UK public authorities | s 7 |
| Art 6(1)(e) | Lawfulness of processing: public interest, etc | Specifies examples for UK | s 8 |
| Art 9(1) | Special categories of personal data and criminal convictions | Makes provisions in UK: re (b) Employment, social security and social protection; re (g) Substantial public interest; re (h) Health and social care; re (i) Public health; re (j) Archiving, research and statistics | s 10 |
| Art 9(2)(h) | Processing for health or social care purposes | Special categories of personal data: supplementary / health or social care | s 11 |
| Art 15(1)–(3) | Controller obligations | Obligations of credit reference agencies | s 13 |
| Art 22(1); 22(2)(b) | Automated decisions | Makes exception Art 22(1). Automated decision making authorised by law: safeguards | s 14 |
| GDPR | GDPR | Schedules 2, 3, 4 make exemptions from, and restrictions and adaptation on GDPR | s 15 |
| Arts 13–21, 34 | Prior information requirements; Right of access; Right of rectification; Right of erasure and forgetting; Right to restriction of processing; Notification obligation; Right to data portability; Right to object; Communicating breach to Data Subject | Adaptation or restriction on Arts 13–21 and 34 | Sch 2, Part 1 |
| Arts 13–21, 34 | Prior information requirements; Right of access; Right of rectification; Right of erasure and forgetting; Right to restriction of processing; Notification obligation; Right to data portability; Right to object; and Communicating breach to data subject | Restriction on Arts 13–21, 34 | Sch 2, Part 2 |
| Art 15 | Right of access | Restriction from Art 15 | Sch 2, Part 3 |
| Arts 13–15 | Prior information requirements; Right of access | Restriction on Arts 13–15 | Sch 2, Part 4 |
| Chs II, III, IV, VII | Principles; Rights of data subjects; Controllers and Processors; Cooperation and consistency | Exemptions derogation on GDPR Chapters II, III, IV, and VII | Sch 2, Part 5 |
| Arts 15, 16, 18, 19, 20, 21 | Right of access; Right of rectification; Right to restriction of processing; Notification obligation; Right to data portability; Right to object | Derogations from rights in Arts 15, 16, 18, 19, 20 and 21 | Sch 2, Part 6 |
| Arts 13–21 | Prior information requirements; Right of access; Right of rectification; Right of erasure and forgetting; Right to restriction of processing; Notification obligation; Right to data portability; Right to object | Restricting rules in Arts 13–21 to health, social work, education and child abuse data | Sch 3 |
| Arts 13–21 | Prior information requirements; Right of access; Right of rectification; Right of erasure and forgetting; Right to restriction of processing; Notification obligation; Right to data portability; Right to object | Restricting rules in Arts 13–21 | Sch 4 |
| Art 89(1) | Safeguards and derogations re processing for archiving in public interest, scientific or historic research purposes or statistical purposes | Makes provision re archiving, research and statistical purposes: safeguards | s 19 |
| Art 80 | Representation of data subjects | Further specifics on bodies representing data subjects | s 187 |
| GDPR | GDPR various | Various | Schedules |

The DPA 2018 is quite a complex piece of legislation and will require organisations and their representatives to undertake careful re-reading to get an overview understanding. Large elements of the Act will not be relevant in the ordinary course of dealing for most organisations, in particular Part 3 and Part 4. The GDPR extended section (Part 2, Chapter 3) (eg, freedom of information) will also not be directly relevant to most organisations, especially those in the commercial sphere. Note that these elements of the Act, while so encompassed, are outside of core data protection and are beyond the present scope.

In terms of the remaining data protection sections of the Act, it should be noted that these differ from the DPA 1998. The DPA 1998 was intended to implement the DPD95 into the UK. EU Directives by their nature need local law implementation. EU Regulations are different. The GDPR is directly effective in all EU Member States – including the UK. The DPA 2018 is not technically required to implement the GDPR in the UK as it is already applicable directly. However, like many other EU Member States, the UK recognises that it needs a new law to repeal the old law (ie the DPA 1998); and to deal with specific local law issues. In addition, the GDPR specifies that certain provisions from the GDPR can be tailored in each individual Member State depending on the local issues and environment. For example, while the GDPR provides that information society services must have an age of consent of 16, it provides that states may derogate from this. The UK utilises this derogation to apply an age of consent of 13 instead of 16. Numerous other derogations and changes are made in the DPA 2018.

While the GDPR is directly effective presently, in the event that Brexit occurs, this direct effect will likely cease. In that Brexit scenario a further Data Protection Act will be needed to bring the GDPR provisions which are not incorporated already in the DPA 2018 into UK law. There would be a political and economic need, once the GDPR stops being directly effective, to ensure a level of legal equivalence between the UK law protections for personal data and those in the EU. If there is no equivalency of protection and rights, transfers of important economic and financial data which incorporates personal data cannot continue to flow between the EU and UK. Many business flows of data would have to cease as they would be caught by the default transfer ban from the EU to areas not formally recognised as being of equivalent standards. A new Data Protection Act may have to follow the DPA 2018, depending on political developments. An EU formal adequacy finding may also be required. However, given the political turmoil, further comment or prediction is beyond this current work.

Appendix 4: Proposed Changes to GDPR Re ICO

The following is an extract from the Keeling Schedule¹ drafted by the government and containing proposed amendments from the GDPR to be applied in UK data protection law. This extract is limited to changes to the main provision dealing with the data protection supervisory authorities.

CHAPTER VI
Independent supervisory authorities The Commissioner

Section 1
Independent status

Article 51
Supervisory authority The Commissioner

1. Each Member State shall provide for one or more independent public authorities to be [The Commissioner is] responsible for monitoring the application of this Regulation the applied GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1 General Data Protection Regulation Keeling Schedule, at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf

Article 52
Independence

1. Each supervisory authority The Commissioner shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation the applied GDPR.

2. The member or members of each supervisory authority [The Commissioner] shall, in the performance of their [the Commissioner’s] tasks and exercise of their [the Commissioner’s] powers in accordance with this Regulation the applied GDPR, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority [The Commissioner] shall refrain from any action incompatible with their [the Commissioner’s] duties and shall not, during their [the Commissioner’s] term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Article 53
General conditions for the members of the supervisory authority²

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:
– their parliament;
– their government;
– their head of State; or
– an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

2 Clause 114 and Schedule 12 to the Bill make provision about the independence, functions and constitution of the Information Commissioner and her office.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54
Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:
(a) the establishment of each supervisory authority;
(b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority;
(c) the rules and procedures for the appointment of the member or members of each supervisory authority;
(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
(e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;
(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Section 2
Competence, tasks and powers

Article 55
Competence

1. Each supervisory authority The Commissioner shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation the applied GDPR on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities The Commissioner shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56
Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57
Tasks

1. Without prejudice to other tasks set out under this Regulation the applied GDPR, each supervisory authority shall on its territory [the Commissioner is to]:
(a) monitor and enforce the application of this Regulation the applied GDPR;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law domestic law, the national parliament [both Houses of Parliament], the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation the applied GDPR;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation the applied GDPR and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80 of the applied GDPR, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation the applied GDPR, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adopt standard contractual clauses referred to in Article 28(8) of the applied GDPR and in point (d) of Article 46(2) of the applied GDPR;
(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
(l) give advice on the processing operations referred to in Article 36(2) of the applied GDPR;
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) of the applied GDPR and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5) of the applied GDPR;
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) of the applied GDPR, and approve the criteria of certification pursuant to Article 42(5) of the applied GDPR;
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7) of the applied GDPR;
(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the applied GDPR and of a certification body pursuant to Article 43 of the applied GDPR;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the applied GDPR and of a certification body pursuant to Article 43 of the applied GDPR;
(r) authorise contractual clauses and provisions referred to in Article 46(3) of the applied GDPR;
(s) approve binding corporate rules pursuant to Article 47 of the applied GDPR;
(t) contribute to the activities of the Board;
(u) keep internal records of infringements of this Regulation the applied GDPR and of measures taken in accordance with Article 58(2) of the applied GDPR; and
(v) fulfil any other tasks related to the protection of personal data.

[1A In this Article and Article 58 of the applied GDPR, references to “this Regulation the applied GDPR” have effect as references to this Regulation the applied GDPR and section 28(3) of the 2018 Act.]

2. Each supervisory authority The Commissioner shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority the Commissioner shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority the Commissioner may charge a reasonable fee based on administrative costs, or refuse to act on the request.³ The supervisory authority The Commissioner shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58
Powers

1. Each supervisory authority The Commissioner shall have all of the following investigative powers:
(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7) of the applied GDPR;
(d) to notify the controller or the processor of an alleged infringement of this Regulation the applied GDPR;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law [domestic law].⁴

2. Each supervisory authority The Commissioner shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation the applied GDPR;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation the applied GDPR;
(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation the applied GDPR;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation the applied GDPR, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 of the applied GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) of the applied GDPR and Article 19 of the applied GDPR;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the applied GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83 of the applied GDPR, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3 Clause 135 of the Bill provides for the Commissioner to either charge a reasonable fee or refuse a request from a data subject which is unfounded or excessive.

4 Clause 115(4) to (9) and Schedule 15 to the Bill provides safeguards on the exercise of the Information Commissioner’s powers.

3. Each supervisory authority The Commissioner shall have all of the following authorisation and advisory powers:
(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36 of the applied GDPR;
(b) to issue, on its own initiative or on request, opinions to the national parliament [both Houses of Parliament], the Member State government [the Secretary of State] or, in accordance with Member State law domestic law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the applied GDPR;
(e) to accredit certification bodies pursuant to Article 43 of the applied GDPR;
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5) of the applied GDPR;
(g) to adopt standard data protection clauses referred to in Article 28(8) of the applied GDPR and in point (d) of Article 46(2) of the applied GDPR;
(h) to authorise contractual clauses referred to in point (a) of Article 46(3) of the applied GDPR;
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3) of the applied GDPR;
(j) to approve binding corporate rules pursuant to Article 47 of the applied GDPR.

4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Article 59
Activity reports

Each supervisory authority The Commissioner shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2) of the applied GDPR. Those reports shall be transmitted to the national parliament [both Houses of Parliament], the government and other authorities as designated by Member State law [and the Secretary of State]. They shall be made available to the public, to the Commission and to the Board.

Appendix 5: Proposed UK Changes to DPA 2018 re Data Protection

Extract [1]

THE DATA PROTECTION ACT 2018 KEELING SCHEDULE SHOWING CHANGES WHICH WOULD BE AFFECTED BY THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC)(EU EXIT) REGULATIONS 2019 LAID ON 14 JANUARY 2019

Data Protection Act 2018
…
Data Protection Act 2018
CHAPTER 12

CONTENTS

PART 1 PRELIMINARY
1 Overview
2 Protection of personal data
3 Terms relating to the processing of personal data

PART 2 GENERAL PROCESSING

CHAPTER 1 SCOPE AND DEFINITIONS
4 Processing to which this Part applies
5 Definitions

CHAPTER 2 THE GDPR THE UK GDPR

Meaning of certain terms used in the GDPR UK GDPR
6 Meaning of “controller”
7 Meaning of “public authority” and “public body”

Lawfulness of processing

[1] Full text available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf.


8 Lawfulness of processing: public interest etc
9 Child’s consent in relation to information society services

Special categories of personal data
10 Special categories of personal data and criminal convictions etc data
11 Special categories of personal data etc: supplementary

Rights of the data subject
12 Limits on fees that may be charged by controllers
13 Obligations of credit reference agencies
14 Automated decision-making authorised by law: safeguards

Restrictions on data subject’s rights Exemptions etc
15 Exemptions etc
16 Power to make further exemptions etc by regulations

Accreditation of certification providers Certification
17 Accreditation of certification providers

Transfers of personal data to third countries etc
[17A Transfers based on adequacy regulations]
[17B Transfers based on adequacy regulations: review etc]
[17C Standard data protection clauses]
18 Transfers of personal data to third countries etc[: public interest]

Specific processing situations
19 Processing for archiving, research and statistical purposes: safeguards

Minor definition
20 Meaning of “court”

CHAPTER 3 OTHER GENERAL PROCESSING EXEMPTIONS FOR MANUAL UNSTRUCTURED PROCESSING AND FOR NATIONAL SECURITY AND DEFENCE PURPOSES

Scope Definitions
21 Processing to which this Chapter applies Definitions

Application of the GDPR
22 Application of the GDPR to processing to which this Chapter applies
23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc
24 Manual unstructured data held by FOI public authorities
25 Manual unstructured data used in longstanding historical research
26 National security and defence exemption
27 National security: certificate
28 National security and defence: modifications to Articles 9 and 32 of the applied GDPR the UK GDPR

PART 3 LAW ENFORCEMENT PROCESSING

CHAPTER 1 SCOPE AND DEFINITIONS

Scope
29 Processing to which this Part applies

Definitions
30 Meaning of “competent authority”
31 “The law enforcement purposes”
32 Meaning of “controller” and “processor”
33 Other definitions

CHAPTER 2 PRINCIPLES
34 Overview and general duty of controller
35 The first data protection principle
36 The second data protection principle
37 The third data protection principle
38 The fourth data protection principle
39 The fifth data protection principle
40 The sixth data protection principle
41 Safeguards: archiving
42 Safeguards: sensitive processing

CHAPTER 3 RIGHTS OF THE DATA SUBJECT

Overview and scope
43 Overview and scope

Information: controller’s general duties
44 Information: controller’s general duties

Data subject’s right of access
45 Right of access by the data subject

Data subject’s rights to rectification or erasure etc
46 Right to rectification
47 Right to erasure or restriction of processing
48 Rights under section 46 or 47: supplementary

Automated individual decision-making
49 Right not to be subject to automated decision-making
50 Automated decision-making authorised by law: safeguards

Supplementary
51 Exercise of rights through the Commissioner
52 Form of provision of information etc
53 Manifestly unfounded or excessive requests by the data subject
54 Meaning of “applicable time period”

CHAPTER 4 CONTROLLER AND PROCESSOR

Overview and scope
55 Overview and scope

General obligations
56 General obligations of the controller
57 Data protection by design and default
58 Joint controllers
59 Processors
60 Processing under the authority of the controller or processor
61 Records of processing activities
62 Logging
63 Co-operation with the Commissioner

64 Data protection impact assessment
65 Prior consultation with the Commissioner

Obligations relating to security
66 Security of processing

Obligations relating to personal data breaches
67 Notification of a personal data breach to the Commissioner
68 Communication of a personal data breach to the data subject

Data protection officers
69 Designation of a data protection officer
70 Position of data protection officer
71 Tasks of data protection officer

CHAPTER 5 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC

Overview and interpretation
72 Overview and interpretation

General principles for transfers
73 General principles for transfers of personal data
74 Transfers on the basis of an adequacy decision
[74A Transfers based on adequacy regulations]
[74B Transfers based on adequacy regulations: review etc]
75 Transfers on the basis of appropriate safeguards
76 Transfers on the basis of special circumstances

Transfers to particular recipients
77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers
78 Subsequent transfers

CHAPTER 6 SUPPLEMENTARY
79 National security: certificate
80 Special processing restrictions
81 Reporting of infringements

PART 4 INTELLIGENCE SERVICES PROCESSING

CHAPTER 1 SCOPE AND DEFINITIONS

Scope
82 Processing to which this Part applies

Definitions
83 Meaning of “controller” and “processor”
84 Other definitions

CHAPTER 2 PRINCIPLES

Overview
85 Overview

The data protection principles
86 The first data protection principle
87 The second data protection principle
88 The third data protection principle
89 The fourth data protection principle
90 The fifth data protection principle
91 The sixth data protection principle

CHAPTER 3 RIGHTS OF THE DATA SUBJECT

Overview
92 Overview

Rights
93 Right to information
94 Right of access
95 Right of access: supplementary
96 Right not to be subject to automated decision-making
97 Right to intervene in automated decision-making
98 Right to information about decision-making
99 Right to object to processing
100 Rights to rectification and erasure

CHAPTER 4 CONTROLLER AND PROCESSOR

Overview
101 Overview

General obligations
102 General obligations of the controller
103 Data protection by design
104 Joint controllers
105 Processors
106 Processing under the authority of the controller or processor

Obligations relating to security
107 Security of processing

Obligations relating to personal data breaches
108 Communication of a personal data breach

CHAPTER 5 TRANSFERS OF PERSONAL DATA OUTSIDE THE UNITED KINGDOM
109 Transfers of personal data outside the United Kingdom

CHAPTER 6 EXEMPTIONS
110 National security
111 National security: certificate
112 Other exemptions
113 Power to make further exemptions

PART 5 THE INFORMATION COMMISSIONER

The Commissioner
114 The Information Commissioner

General functions
115 General functions under the GDPR UK GDPR and safeguards
116 Other general functions
117 Competence in relation to courts etc

International role
118 Co-operation and mutual assistance Co-operation between parties to the Data Protection Convention
119 Inspection of personal data in accordance with international obligations
[119A Standard clauses for transfers to third countries etc]
120 Further international role

Codes of practice
121 Data-sharing code
122 Direct marketing code
123 Age-appropriate design code
124 Data protection and journalism code
125 Approval of codes prepared under sections 121 to 124
126 Publication and review of codes issued under section 125(4)
127 Effect of codes issued under section 125(4)
128 Other codes of practice

Consensual audits
129 Consensual audits

Records of national security certificates
130 Records of national security certificates

Information provided to the Commissioner
131 Disclosure of information to the Commissioner
132 Confidentiality of information
133 Guidance about privileged communications

Fees
134 Fees for services
135 Manifestly unfounded or excessive requests by data subjects etc
136 Guidance about fees

Charges
137 Charges payable to the Commissioner by controllers
138 Regulations under section 137: supplementary

Reports etc
139 Reporting to Parliament
140 Publication by the Commissioner
141 Notices from the Commissioner

PART 6 ENFORCEMENT

Information notices
142 Information notices
143 Information notices: restrictions
144 False statements made in response to information notices
145 Information orders

Assessment notices
146 Assessment notices
147 Assessment notices: restrictions

Information notices and assessment notices: destruction of documents etc
148 Destroying or falsifying information and documents etc

Enforcement notices
149 Enforcement notices
150 Enforcement notices: supplementary
151 Enforcement notices: rectification and erasure of personal data etc
152 Enforcement notices: restrictions
153 Enforcement notices: cancellation and variation

Powers of entry and inspection
154 Powers of entry and inspection

Penalties
155 Penalty notices
156 Penalty notices: restrictions
157 Maximum amount of penalty
158 Fixed penalties for non-compliance with charges regulations
159 Amount of penalties: supplementary

Guidance
160 Guidance about regulatory action
161 Approval of first guidance about regulatory action

Appeals etc
162 Rights of appeal
163 Determination of appeals
164 Applications in respect of urgent notices

Complaints
165 Complaints by data subjects
166 Orders to progress complaints

Remedies in the court
167 Compliance orders
168 Compensation for contravention of the GDPR UK GDPR
169 Compensation for contravention of other data protection legislation

Offences relating to personal data
170 Unlawful obtaining etc of personal data
171 Re-identification of de-identified personal data
172 Re-identification: effectiveness testing conditions
173 Alteration etc of personal data to prevent disclosure to data subject

The special purposes
174 The special purposes
175 Provision of assistance in special purposes proceedings
176 Staying special purposes proceedings
177 Guidance about how to seek redress against media organisations
178 Review of processing of personal data for the purposes of journalism
179 Effectiveness of the media’s dispute resolution procedures

Jurisdiction of courts
180 Jurisdiction

Definitions
181 Interpretation of Part 6

PART 7 SUPPLEMENTARY AND FINAL PROVISION

Regulations under this Act
182 Regulations and consultation

Changes to the Data Protection Convention
183 Power to reflect changes to the Data Protection Convention

Rights of the data subject
184 Prohibition of requirement to produce relevant records
185 Avoidance of certain contractual terms relating to health records
186 Data subject’s rights and other prohibitions and restrictions

Representation of data subjects
187 Representation of data subjects with their authority
188 Representation of data subjects with their authority: collective proceedings
189 Duty to review provision for representation of data subjects
190 Post-review powers to make provision about representation of data subjects

Framework for Data Processing by Government
191 Framework for Data Processing by Government
192 Approval of the Framework
193 Publication and review of the Framework
194 Effect of the Framework

Data-sharing: HMRC and reserve forces
195 Reserve forces: data-sharing by HMRC

Offences
196 Penalties for offences
197 Prosecution
198 Liability of directors etc
199 Recordable offences
200 Guidance about PACE codes of practice

The Tribunal
201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt
203 Tribunal Procedure Rules

Interpretation
204 Meaning of “health professional” and “social work professional”
205 General interpretation
206 Index of defined expressions

Territorial application
207 Territorial application of this Act

General
208 Children in Scotland
209 Application to the Crown
210 Application to Parliament
211 Minor and consequential provision

Final
212 Commencement
213 Transitional provision
214 Extent
215 Short title

Schedule 1 — Special categories of personal data and criminal convictions etc data
Part 1 — Conditions relating to employment, health and research etc
Part 2 — Substantial public interest conditions
Part 3 — Additional conditions relating to criminal convictions etc
Part 4 — Appropriate policy document and additional safeguards

Schedule 2 — Exemptions etc from the GDPR UK GDPR
Part 1 — Adaptations and restrictions based on as described in Articles 6(3) and 23(1)
Part 2 — Restrictions based on as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34
Part 3 — Restriction based on Article 23(1): for the protection of rights of others
Part 4 — Restrictions based on as described in Article 23(1): restrictions of rules in Articles 13 to 15

Part 5 — Exemptions etc based on Article 85(2) for reasons of freedom of expression and information
Part 6 — Derogations etc based on Article 89 for research, statistics and archiving

Schedule 3 — Exemptions etc from the GDPR UK GDPR: health, social work, education and child abuse data
Part 1 — GDPR UK GDPR provisions to be restricted
Part 2 — Health data
Part 3 — Social work data
Part 4 — Education data
Part 5 — Child abuse data

Schedule 4 — Exemptions etc from the GDPR UK GDPR: disclosure prohibited or restricted by an enactment

Schedule 5 — Accreditation of certification providers: reviews and appeals

Schedule 6 — The applied GDPR and the applied Chapter 2
Part 1 — Modifications to the GDPR
Part 2 — Modifications to Chapter 2 of Part 2

Schedule 7 — Competent authorities

Schedule 8 — Conditions for sensitive processing under Part 3

Schedule 9 — Conditions for processing under Part 4

Schedule 10 — Conditions for sensitive processing under Part 4

Schedule 11 — Other exemptions under Part 4

Schedule 12 — The Information Commissioner

Schedule 13 — Other general functions of the Commissioner

Schedule 14 — Co-operation and mutual assistance
Part 1 — Law Enforcement Directive
Part 2 — Data Protection Convention

Schedule 15 — Powers of entry and inspection

Schedule 16 — Penalties

Schedule 17 — Review of processing of personal data for the purposes of journalism

Schedule 18 — Relevant records

Schedule 19 — Minor and consequential amendments
Part 1 — Amendments of primary legislation

Part 2 — Amendments of other legislation
Part 3 — Modifications
Part 4 — Supplementary

Schedule 20 — Transitional provision etc
Part 1 — General
Part 2 — Rights of data subjects
Part 3 — The GDPR UK GDPR and Part 2 of this Act
Part 4 — Law enforcement and intelligence services processing
Part 5 — National security certificates
Part 6 — The Information Commissioner
Part 7 — Enforcement etc under the 1998 Act
Part 8 — Enforcement etc under this Act
Part 9 — Other enactments


Index [all references are to paragraph number]

A
Abuse online background to protection, and, 1.2 EDPS, and, 15.28 future issues, 15.25 importance of protection, and, 1.6
Accreditation of bodies tasks of EDPB, and, 6.20 tasks of EDSAs, and criteria, 2.23 generally, 2.24
Accuracy purpose of protection, and, 1.11
Adequacy exception importance, 5.6 timing, 5.7
Adoption of standard contractual clauses tasks of EDSAs, and, 2.17
Advice see also Authorisation and advisory powers tasks of EDPB, and, 6.6, 6.30 tasks of EDSAs, and generally, 2.11 processing, on, 2.19
Algorithms generally, 15.16
Anonymisation generally, 15.17
Approval of binding corporate rules tasks of EDPB, and, 6.13–6.14 tasks of EDSAs, and, 2.26
Artificial intelligence (AI) EDPS, and, 15.28 generally, 15.15
Assessment notices authorisation and advice powers, and, 9.9
Audit requests authorisation and advice powers, and, 9.13
Authorisation and advisory powers assessment notices, 9.9 corporations, against, 10.20 data subjects, and, 11.10 destruction of documents and information, 9.11 enforcement notices, 9.7–9.8 entry, 9.12 European Data Protection Supervisor, and, 7.14 failure to comply, 9.16 falsification of documents and information, 9.11 information notices, 9.14 information orders, 9.15 inspection, 9.12 introduction, 9.5 limitations, 9.10 penalties, 9.6 re-identifying de-identified personal data, 9.18–9.19 requests for audit, 9.13 restrictions, 9.10 testing re-identification provisions, 9.19 types, 9.2 unlawful obtaining of personal data, 9.17
Authorisation of contractual clauses tasks of EDSAs, and, 2.25

B
Big data generally, 15.15
Binding corporate rules (BCR) tasks of EDPB, and, 6.13–6.14 tasks of EDSAs, and, 2.26
Bio data EDPS, and, 15.28 generally, 15.4
Blockchain generally, 15.12
Body camera images background to protection, and, 1.2
Body scanners health data, and, 15.6
Breach notifications obligations of controllers, and, 10.32–10.33 powers of EDPS, and, 7.15

Brexit adequacy exception importance, 5.6 timing, 5.7 advice and commentary, 5.12 cancellation of Article 50, and, 5.22 changes from GDPR, 5.9 Commission guidance, 5.20 conclusion, 5.23 cooperation, and, 14.1 Data Protection Act 2018, and, 4.8–4.12 data protection rules, and, 1.7 data protection supervisory authorities, and, 2.6 data transfer exceptions, 5.5 general rule, 5.4 introduction, 5.3 procedures, 5.5 European Data Protection Board, and generally, 6.3 guidance, 5.21 European Data Protection Service, and generally, 7.1 guidance, 5.19 ICO guidance ‘broader’ transfer guide, 5.15 FAQ, 5.16 further documents, 5.17 generally, 5.13 introduction, 5.12 Preparation, 5.18 Six Steps Guide, 5.14 introduction, 5.1 Keeling Schedule Amendments DPA 2018, to, 5.10 GDPR, to, 5.11 national laws, and, 3.2 need for stable, clear data environment, 5.2

C
CCTV generally, 15.7
Certification bodies tasks of EDSAs, and accreditation, 2.23 generally, 2.24 tasks of EDPB, and accreditation, 6.20 requirements, 6.21
Certifications, seals and marks tasks of EDPB, and, 6.18 tasks of EDSAs, and encouragement, 2.21 review, 2.22
Charter of Fundamental Rights data subjects, and, 11.1
Child personal data background to protection, and, 1.2
Closed-circuit television generally, 15.7
Cloud computing generally, 15.13
Codes of conduct tasks of EDPB, and, 6.18–6.19 tasks of EDSAs, and accreditation of bodies, 2.23–2.24 encouragement of creation, 2.20
Communication of breach to data subject obligations of controllers, and, 10.33
Companies see Corporations
Compensation data subjects, and, 11.3–11.4
Complaints handling tasks of EDSAs, and, 2.8
Complaints to DPSAs controller, against, 2.43 corporations, and fines, 10.4–10.16 generally, 10.2 penalties, 10.5 right to lodge, 10.3 data subjects, by fines, 11.11 generally, 11.5 introduction, 11.2 penalties, 11.11 powers of DPSA, 11.7–11.10 right to remedy, 11.6 suspension of proceedings, 11.12 data subjects, for, 2.44 processor, against, 2.43 regulator, against, 2.42 regulator, to, 2.41
Compliance background to protection, and, 1.2 inward-facing, 1.9 outward-facing, 1.8

Computer hardware disposal, 15.21
Confidentiality European Data Protection Board, and, 6.43 European Data Protection Supervisor, and, 7.18
Consent purpose of protection, and, 1.11
Consistency generally, 14.5 introduction, 14.2 mechanism, 14.5 tasks of EDPB, and decision, 6.29 opinions, 6.25
Consultation with interested parties tasks of EDPB, and, 6.32
Contractual clauses tasks of EDSAs, and adoption, 2.17 authorisation, 2.25
Contribution to EDPB tasks of EDPB, and, 6.6 tasks of EDSAs, and, 2.27
Controllers data subjects’ rights, and, 11.3 obligations breach notifications, 10.32–10.33 communication of breach to data subject, 10.33 cooperation with supervisory authority, 10.30 data protection by design and by default, 10.23 data protection impact assessments, 10.34 generally, 10.21 joint controllers, 10.24 prior consultation, 10.35 records, 10.29 representatives where not established in EU, 10.25 responsibility, 10.22 purpose of protection, and, 1.11 terminology of protection, and, 1.10
Cooperation Brexit, and, 14.1 conclusion, 14.11 consistency, and generally, 14.5 introduction, 14.2 mechanism, 14.5 controllers, and, 10.30 data protection supervisory authorities, and generally, 2.32 other authorities, with, 2.14 suspension, and, 2.33 European Data Protection Board, and dispute resolution, 14.6 encouragement between DPSAs, 6.26 generally, 6.44 European Data Protection Supervisor, and, 7.17 exchange of information, 14.8 GDPR, and, 14.2 generally, 14.2 introduction, 14.1 joint operations, 14.4 mutual assistance, 14.3 nature, 14.2 ‘One-Stop Shop’, 14.9 procedure, 14.2 processors, and, 10.30 purpose, 14.2 urgency procedure, 14.7 WP29/EDPB Guidelines, 14.10
Corporations complaints to DPSAs fines, 10.4–10.16 generally, 10.2 penalties, 10.5 right to lodge, 10.3 controller obligations breach notifications, 10.32–10.33 communication of breach to data subject, 10.33 cooperation with supervisory authority, 10.30 data protection by design and by default, 10.23 data protection impact assessments, 10.34 generally, 10.21 joint controllers, 10.24 prior consultation, 10.35 records, 10.29 representatives where not established in EU, 10.25 responsibility, 10.22 erasure orders, 10.19 fines aggravating factors, 10.16 amount, 10.4 compliance with Codes or certification, 10.15 compliance with previous orders, 10.14 cooperation, 10.11 criteria for calculation, 10.4 degree of responsibility, 10.9 duration, 10.6 examples, 10.4 gravity, 10.6 history of infringement, 10.10 intent, 10.7 introduction, 10.4 method by which authority becomes aware, 10.13 mitigating factors, 10.16 mitigation actions, 10.8 nature, 10.6 proportionality, 10.4 types of infringement, 10.4 types of personal data, 10.12 GDPR, and, 10.1 introduction, 10.1 investigative powers, 10.18 orders, reprimands and warnings, 10.19 penalties, 10.5 powers of DPSAs, and authorisation and advisory, 10.20 corrective, 10.19 exercise, 10.17 introduction, 10.17 investigative, 10.18 processor obligations cooperation with supervisory authority, 10.30 generally, 10.27 processing under authority, 10.28 representatives where not established in EU, 10.25 security of processing, 10.31 rectification orders, 10.19 right to effective judicial remedy, 10.2 right to lodge complaint with DPSA, 10.3 US position, 10.1 warnings, reprimands and orders, 10.19

Corrective powers data protection supervisory authorities, and corporations, against, 10.19 generally, 9.4 types, 9.2 data subjects’ rights, and, 11.9 European Data Protection Supervisor, and, 7.13
Court procedures background to protection, and, 1.2

D
Data breaches EDPS, and, 15.28 importance of protection, and, 1.6 tasks of EDPB, and, 6.10–6.11
Data controllers see Controllers
Data ethics EDPS, and, 15.28 generally, 15.18 new research, 15.20 trust, 15.19
Data processing see Processing
Data processors see Processors
Data protection aims, 1.11 backdrop, 1.2 Brexit, 1.7 compliance inward-facing, 1.9 outward-facing, 1.8 concepts, 1.11 definitions, 1.10 GDPR, 1.7 importance, 1.6 introduction, 1.1 processing, 1.12–1.13 purpose, 1.6 regulators, 1.3–1.4 rules aims, 1.11 compliance, 1.8–1.9 conclusion, 1.14 concepts, 1.11 definitions, 1.10 introduction, 1.7 processing, 1.12–1.13 terminology, 1.5
Data Protection Act 2018 Brexit, and, 4.12 data protection rules, and, 1.7 extent of implementation of GDPR, 4.9–4.10 generally, 4.8 ‘No Deal’ Brexit, and, 4.11 proposed changes, 5.10
Data protection advisory authority generally, 4.3
Data protection by default background to protection, and, 1.2 obligations of controllers, and, 10.23
Data protection by design (DPbD) background to protection, and, 1.2 importance of protection, and, 1.6 obligations of controllers, and, 10.23
Data Protection Commission cases, 4.16 generally, 4.15 funding calls for increases, 13.7 comparative needs, 13.8 complaint to EU, 13.13 generally, 4.27 introduction, 13.6 office, 13.10 proportionate needs, 13.8 response to 2019 Budget, 13.12 resources, 13.11 staff, 13.9 technical resources, 13.11 implementation of GDPR into national law, 3.5 independence, 4.27 investigative powers Apple, 4.22 Facebook, 4.18 Google, 4.17 Instagram, 4.20 introduction, 4.16 LinkedIn, 4.24 Official Public Service Card, 4.25 Quantcast International, 4.23 Twitter, 4.21 WhatsApp, 4.19 office resources, 13.10 Privacy Shield, 4.26 staff, 13.9 technical resources, 13.11

Data protection impact assessments background to protection, and, 1.2 obligations of controllers, and, 10.34 tasks of EDSAs, and, 2.18
Data protection supervisory authorities (DPSAs) activities introduction, 2.6 powers, 9.1–9.23 reports, 9.22 tasks, 2.7–2.28 advisory powers, 9.5–9.19 annual reports, 9.22 application of GDPR, 2.3 appointment of members, 2.30 authorisation and advisory powers assessment notices, 9.9 corporations, against, 10.20 destruction of documents and information, 9.11 enforcement notices, 9.7–9.8 entry, 9.12 failure to comply, 9.16 falsification of documents and information, 9.11 information notices, 9.14 information orders, 9.15 inspection, 9.12 introduction, 9.5 limitations, 9.10 penalties, 9.6 re-identifying de-identified personal data, 9.18–9.19 requests for audit, 9.13 restrictions, 9.10 testing re-identification provisions, 9.19 unlawful obtaining of personal data, 9.17 background to protection, and, 1.3–1.4 Brexit, and, 2.6 Commission v Austria decision findings, 12.13 generally, 12.11 issues, 12.12 Commission v Germany decision findings, 12.10 generally, 12.8 issues, 12.9 compensation, 2.45 competence, 2.32 complaints against controller or processor, 2.43 against regulator, 2.42 for data subjects, 2.44 to regulator, 2.41 complaints by corporations fines, 10.4–10.16 generally, 10.2 penalties, 10.5 right to lodge, 10.3 conclusion, 2.47 cooperation coercive powers, and, 9.4 generally, 2.32 other authorities, with, 2.14 suspension, and, 2.33 corrective powers corporations, against, 10.20 generally, 9.4 data subjects’ rights, and authorisation and advisory, 11.10 corrective, 11.9 fines, 11.11 generally, 11.7 investigative, 11.8 penalties, 11.11 suspension of proceedings, 11.12 definition, 2.2 establishment general obligation, 2.4 introduction, 2.3 EEA states, in, 4.4 erasure orders, 9.4 EU law, and, 2.3 EU member states, in, 4.2 financial independence conclusion, 13.15 direct influence, and, 13.4 external influence, and, 13.4 financial independence, 13.2 increases in resources, 13.5 indirect influence, and, 13.4 introduction, 13.1 Irish Data Protection Commission, 13.6–13.12 resource increases, and, 13.5 staff, 13.3 undue influence, and, 13.1 financial resources, 12.5 fines generally, 2.34 introduction, 9.4 level 1, 2.35 level 2, 2.36 level 3, 2.37 other, 2.38 funding conclusion, 13.15 direct influence, and, 13.4 EDPB Secretariat, and, 13.14 external influence, and, 13.4 financial independence, 13.2 increases in resources, 13.5 indirect influence, and, 13.4 introduction, 13.1 Irish Data Protection Commission, 13.6–13.12 resource increases, and, 13.5 staff, 13.3 undue influence, and, 13.1 GDPR, and, 2.1 impact of dual legal requirements, 2.3 independence Commission v Austria decision, 12.11–12.13 Commission v Germany decision, 12.8–12.10 comparison of provisions in DPD 95/46 and GDPR, 12.14 conclusion, 12.17 financial resources, 12.5 funding, and, 13.1–13.15 GDPR, and, 12.2 generally position, 12.1 generally, 2.5 infrastructure resources, 12.7 introduction, 12.2 office resources, 12.6 overview, 2.3 staff resources, 12.3 technical resources, 12.4 Information Commissioner’s Office cases, 4.7 generally, 4.6 guides, 4.6 investigations, 4.7 powers, 9.1–9.23 infrastructure resources, 12.7 introduction, 2.2 investigative powers corporations, against, 10.18 generally, 9.3 membership rules, 2.30 names of national EU regulators, 4.2 national law, and, 2.3 non-EU states, in, 4.5 office resources, 12.6 orders, reprimands and warnings, 9.4 penalties administrative fines, 2.23–2.37 generally, 2.38 powers authorisation and advisory, 9.5–9.19 corporations, against, 10.17–10.20 corrective, 9.4 data subjects’ rights, and, 11.7–11.12 exercise, 9.1 generally, 2.39 introduction, 9.1 investigative, 9.3 overview, 2.6 types, 9.2 powers against corporations authorisation and advisory, 10.20 corrective, 10.19 exercise, 10.17 introduction, 10.17 investigative, 10.18 powers on behalf of data subjects’ rights authorisation and advisory, 11.10 corrective, 11.9 fines, 11.11 generally, 11.7 investigative, 11.8 penalties, 11.11 suspension of proceedings, 11.12 prohibition on production of certain records, 9.21 qualifications of members, 2.30 rectification orders, 9.4 remedies, and compensation, 2.45 complaints against controller or processor, 2.43 complaints against regulator, 2.42 complaints for data subjects, 2.44 complaints to regulator, 2.41 current decision trends, 2.46 introduction, 2.40 liability, 2.45 reports, 9.22 reprimands, warnings and orders, 9.4 resources conclusion, 12.17 financial, 12.5 generally position, 12.1 infrastructure, 12.7 introduction, 12.2 office, 12.6 staff, 12.3 technical, 12.4 right to be forgotten orders, 9.4 rules, 2.30 secrecy, 2.31 staff resources, 12.3 status, 2.2 tasks accreditation of Code bodies, 2.23–2.24 adoption of standard contractual clauses, 2.17 advice, 2.11 advice on processing, 2.19 approval of binding corporate rules, 2.26 authorisation of contractual clauses, 2.25 complaints handling, 2.8 contribution to EDPB, 2.27 cooperation with other authorities, 2.14 data protection impact assessments, 2.18 encouragement of creation of Codes, 2.20 encouragement of certification, seals and marks, 2.21 enforcement of GDPR, 2.9 generally, 9.20 introduction, 2.7 investigation of complaints, 2.8 investigation on application of GDPR, 2.15 monitoring GDPR, 2.9 monitoring relevant developments, 2.16 other, 2.29 promotion of awareness of obligations, 2.12 promotion of awareness of processing, 2.10 provision of information, 2.13 record of infringements and actions, 2.28 review of certifications issued, 2.22 technical resources, 12.4 terminology, 2.1 undue influence prohibition, 2.5 warnings, reprimands and orders, 9.4
Data retention importance of protection, and, 1.6
Data subjects see also Corporations authorisation and advisory powers, 11.10 Charter of Fundamental Rights, and, 11.1 compensation, 11.3–11.4 complaints to DPSA fines, 11.11 generally, 11.5 introduction, 11.2 penalties, 11.11 powers of DPSA, 11.7–11.10 right to remedy, 11.6 suspension of proceedings, 11.12 conclusion, 11.14 controllers, and, 11.3 corrective powers, 11.9 examples, 11.2 fines generally, 11.11 introduction, 11.2 GDPR, and, 11.1 introduction, 11.1 investigative powers, 11.8 liability of controllers and processors, 11.3 penalties generally, 11.11 introduction, 11.2 powers of DPSA authorisation and advisory, 11.10 corrective, 11.9 fines, 11.11 generally, 11.7 investigative, 11.8 penalties, 11.11 suspension of proceedings, 11.12 processors, and, 11.3 remedies, 11.2 representation generally, 11.13 introduction, 11.2 right to effective judicial remedy generally, 11.4 introduction, 11.2 right to lodge complaint generally, 11.5 introduction, 11.2 right to remedy against DPSA generally, 11.6 introduction, 11.2 rights generally, 11.2 introduction, 11.1 suspension of proceedings generally, 11.12 introduction, 11.2 terminology of protection, and, 1.10 TFEU, and, 11.1
Data transfer Brexit, and exceptions, 5.5 general rule, 5.4 introduction, 5.3 procedures, 5.5 future issues, 15.26–15.27 tasks of EDPB, and, 6.15
Data trust generally, 15.19
Deletion after purpose lifecycle purpose of protection, and, 1.11
Destruction of documents and information authorisation and advice powers, and, 9.11
Direct marketing purpose of protection, and, 1.11
Disposal of computer hardware generally, 15.21
DNA health data, and, 15.5
Doorbell images background to protection, and, 1.2
Drones background to protection, and, 1.2 generally, 15.10

E
Electronic evidence generally, 15.23


Index Enforcement notices authorisation and advice powers, and, 9.7–9.8 Enforcement of GDPR tasks of EDSAs, and, 2.9 Entry authorisation and advice powers, and, 9.12 Erasure background to protection, and, 1.2 corporations, and, 10.19 importance of protection, and, 1.6 purpose of protection, and, 1.11 tasks of EDPB, and, 6.7 Ethics EDPS, and, 15.28 generally, 15.18 new research, 15.20 trust, 15.19 EU law data protection supervisory authorities, and, 2.3 European Data Protection Board (EDPB) background, 6.1 Brexit, and, 6.3 chair, 6.40 composition, 6.2 conclusion, 6.45 confidentiality, 6.43 cooperation dispute resolution, 14.6 encouragement between DPSAs,  6.26 generally, 6.44 dispute resolution, 14.6 EDPS, and, 6.2 establishment generally, 6.2 introduction, 4.3 functions, 6.4 GDPR, and, 4.3 guidelines binding corporate rules, 6.14 data transfers, 6.15 fines, 6.16 generally, 6.34 introduction, 5.21 review, 6.17 independence generally, 12.15 introduction, 6.3

European Data Protection Board (EDPB) – contd membership, 4.3 opinions adoption and endorsement, 6.34 joint publication, 6.37 publication, 6.34 procedures confidentiality, 6.43 cooperation, 6.44 introduction, 6.42 publications, 6.34 registers, 6.38 reports annual report, 6.33 opinions, and, 6.34 resources, 6.39 role of Commission, 6.2 Secretariat funding, 13.14 generally, 6.41 tasks accreditation of bodies, 6.20 advice to Commission, 6.6, 6.30 binding corporate rules, 6.13–6.14 certification bodies, 6.20–6.21 certifications, seals and marks, 6.18 codes, 6.18–6.19 consistency decision, 6.29 consistency opinions, 6.25 consultation with interested parties, 6.32 contribution to EDPB, 6.6 cooperation between DPSAs, 6.26 data breaches, 6.10–6.11 data transfers, 6.15 erasure procedures, 6.7 exchange of information, 6.26–6.28 fines, 6.16 forgetting procedures, 6.7 format of binding corporate rules, 6.13 guidelines, 6.14–6.17 high-risk data breaches, 6.11 icons, 6.23 introduction, 6.4 law and practice, 6.28 monitoring application of GDPR, 6.5 opinions on certification, 6.22 opinions on Codes, 6.19 opinions on consistency, 6.25 opinions on icons, 6.23 opinions on third countries, 6.24


Index European Data Protection Board (EDPB) – contd tasks – contd profiling, 6.9 promotion of training programmes, 6.27 provision of information to Commission, 6.31 reporting data breaches, 6.10–6.12 requirements for certification bodies, 6.21 review of GDPR, 6.8 review of guidelines, 6.17 right to be forgotten procedures, 6.7 third countries, 6.24 training programmes, 6.27 topic documents, 6.39 European Data Protection Supervisor (EDPS) appointment, 7.2 authorisation and advisory powers, 7.14 breach notifications, 7.15 Brexit, and, 7.1 budget, 7.8 conclusion, 7.19 confidentiality, 7.18 cooperation, 7.17 corrective powers, 7.13 duties, 7.7 establishment, 7.2 fines, 7.13 GDPR, and, 7.1 future issues, 15.28 generally, 4.3 guidelines generally, 7.16 introduction, 5.19 independence generally, 12.16 introduction, 7.9 international cooperation, 7.17 introduction, 7.1 investigations, 7.12 mission, 7.3 monitoring and policing technological change, 7.6 orders, reprimands and warnings, 7.13 powers authorisation and advisory, 7.14 corrective, 7.13 generally, 7.11 introduction, 7.7

European Data Protection Supervisor (EDPS) – contd professional secrecy, 7.18 purpose, 7.3 regulatory basis, 7.2 remit, 7.4 reprimands, 7.13 rules, 7.8 secrecy, 7.18 Secretariat, 7.8 status, 7.8 tasks, 7.10 technological development, 7.5–7.6 warnings, 7.13 European Economic Authority (EEA) supervisory authorities, and, 4.4 European Union (Withdrawal) Act 2018 definitions, 4.14 details, 4.14 explanatory notes, 4.13 generally, 4.12 Royal Assent, 4.14 EU-US Privacy Shield annual review, 8.11 Data Protection Commission (Ireland), 4.26 generally, 8.10 purpose of protection, and, 1.11 Exchange of information generally, 14.8 tasks of EDPB, and, 6.26–6.28 F Facial recognition generally, 15.7 Failure to comply authorisation and advice powers, and, 9.16 Fairness purpose of protection, and, 1.11 Falsification of documents and information authorisation and advice powers, and  9.11 Federal Trade Commission (FTC) Cambridge Analytica complaint,  8.12 generally, 8.7 Financial independence see also Funding generally, 13.2


Fines corporations, and aggravating factors, 10.16 amount, 10.4 compliance with Codes or certification, 10.15 compliance with previous orders, 10.14 cooperation, 10.11 criteria for calculation, 10.4 degree of responsibility, 10.9 duration, 10.6 examples, 10.4 gravity, 10.6 history of infringement, 10.10 intent, 10.7 introduction, 10.4 method by which authority becomes aware, 10.13 mitigating factors, 10.16 mitigation actions, 10.8 nature, 10.6 proportionality, 10.4 types of infringement, 10.4 types of personal data, 10.12 data subjects’ rights, and generally, 11.11 introduction, 11.2 generally, 2.34 level 1, 2.35 level 2, 2.36 level 3, 2.37 other, 2.38 powers of EDPS, and, 7.13 tasks of EDPB, and, 6.16 Forgetting background to protection, and, 1.2 importance of protection, and, 1.6 purpose of protection, and, 1.11 tasks of EDPB, and, 6.7 Funding conclusion, 13.15 direct influence, and, 13.4 EDPB Secretariat, and, 13.14 external influence, and, 13.4 financial independence, 13.2 increases in resources, 13.5 indirect influence, and, 13.4 introduction, 13.1 Irish Data Protection Commission calls for increases, 13.7 comparative needs, 13.8 complaint to EU, 13.13

Funding – contd Irish Data Protection Commission – contd introduction, 13.6 office, 13.10 proportionate needs, 13.8 response to 2019 Budget, 13.12 resources, 13.11 staff, 13.9 technical resources, 13.11 resource increases, and, 13.5 staff generally, 13.3 Irish Data protection Commission, 13.9 undue influence, and, 13.1 G Gaming devices generally, 15.8 General Data Protection Regulation (GDPR) see also National laws cooperation, and, 14.2 corporations, and, 10.1 data protection supervisory authorities, and, 2.1 data subjects’ rights, and, 11.1 direct effect, 1.7, 3.3 European Data Protection Board, and, 4.3 implementation into national law Austria, 3.9 background, 3.2 Belgium, 3.8 France, 3.6 Germany, 3.7 introduction, 3.3 Ireland, 3.5 Italy, 3.10 other Member States, 3.12 Spain, 3.11 UK, 3.4 importance of protection, and, 1.6 independence, and, 12.1 proposed UK changes, 5.11 purpose of protection, and, 1.11 status, 3.3 supervisory authorities, and, 2.1 Genomics health data, and, 15.5 Guidance Commission, 5.20 European Data Protection Board binding corporate rules, 6.14


Index Guidance – contd European Data Protection Board – contd data transfers, 6.15 fines, 6.16 generally, 6.34 introduction, 5.21 review, 6.17 European Data Protection Supervisor, and generally, 7.16 introduction, 5.19 Information Commissioner’s Office ‘broader’ transfer guide, 5.15 FAQ, 5.16 further documents, 5.17 generally, 5.13 introduction, 5.12 Preparation, 5.18 Six Steps Guide, 5.14 introduction, 5.1 H Hardware devices disposal, 15.21 generally, 15.8 Health data bio data, 15.4 body scanners, 15.6 DNA sequencing, 15.5 generally, 15.4 genome research, 15.5 profiling, 15.4 sensitive personal data, as, 15.4 High-risk data breaches tasks of EDPB, and, 6.11 Home leisure devices background to protection, and, 1.2 I Icons tasks of EDPB, and, 6.23 Identity theft purpose of protection, and, 1.11 Independent public authority generally, 2.2 Independence see also Independence of DSPAs European Data Protection Board funding, and, 13.14 generally, 12.15 introduction, 6.3 European Data Protection Supervisor generally, 12.16 introduction, 7.9

Independence – contd generally position, 12.1 Independence of DSPAs Commission v Austria decision findings, 12.13 generally, 12.11 issues, 12.12 Commission v Germany decision findings, 12.10 generally, 12.8 issues 12.9 comparison of provisions in DPD 95/46 and GDPR, 12.14 conclusion, 12.17 financial resources, 12.5 funding, and conclusion, 13.15 direct influence, and, 13.4 EDPB Secretariat, and, 13.14 external influence, and, 13.4 financial independence, 13.2 generally, 12.5 increases in resources, 13.5 indirect influence, and, 13.4 introduction, 13.1 Irish Data Protection Commission, 13.6–13.12 resource increases, and, 13.5 staff, 13.3 undue influence, and, 13.1 GDPR, and, 12.2 generally position, 12.1 generally, 2.5 infrastructure resources, 12.7 introduction, 12.2 office resources, 12.6 overview, 2.3 staff resources, 12.3 technical resources, 12.4 Individual data subjects see also Data subjects compensation, 11.3–11.4 complaints to DPSA, 11.5–11.12 conclusion, 11.14 introduction, 11.1 remedies, 11.2 representation, 11.13 rights, 11.2 Information Commissioner’s Office (ICO) see also Data protection supervisory authorities background to protection, and, 1.3


Index Information Commissioner’s Office (ICO) – contd Brexit, and adequacy exception, 5.6–5.8 advice and commentary, 5.12 cancellation of Article 50, and,  5.22 changes from GDPR, 5.9 Commission guidance, 5.20 conclusion, 5.23 data transfer, 5.3–5.5 EDPB guidance, 5.21 EDPS guidance, 5.19 ICO guidance, 5.13–5.18 introduction, 5.1 need for stable, clear data environment, 5.2 Keeling Schedule Amendments,  5.10–5.11 cases, 4.7 generally, 4.6 guidance ‘broader’ transfer guide, 5.15 FAQ, 5.16 further documents, 5.17 generally, 5.13 introduction, 5.12 Preparation, 5.18 Six Steps Guide, 5.14 investigations, 4.7 Information notices authorisation and advice powers, and, 9.14 Information orders authorisation and advice powers, and, 9.15 Inspection authorisation and advice powers, and, 9.12 International cooperation see also Cooperation EDPS, and, 15.28 generally, 14.1 powers of EDPS, and, 7.17 International Privacy Engineering Network (IPEN) EDPS, and, 15.28 Internet of Things EDPS, and, 15.28 generally, 15.14 Internet service providers (ISP) data retention, and, 1.6

Investigative powers corporations, against, 10.18 Data Protection Commission (Ireland) Apple, 4.22 Facebook, 4.18 Google, 4.17 Instagram, 4.20 introduction, 4.16 LinkedIn, 4.24 Official Public Service Card, 4.25 Quantcast International, 4.23 Twitter, 4.21 WhatsApp, 4.19 data protection supervision authorities application of GDPR, 2.15 complaints, 2.8 corporations, against, 10.18 generally, 9.4 types, 9.2 data subjects’ rights, and, 11.8 electronic evidence, and, 15.23 European Data Protection Supervisor, 7.12 Irish Data Protection Commission cases, 4.16 generally, 4.15 funding calls for increases, 13.7 comparative needs, 13.8 complaint to EU, 13.13 generally, 4.27 introduction, 13.6 office, 13.10 proportionate needs, 13.8 response to 2019 Budget, 13.12 resources, 13.11 staff, 13.9 technical resources, 13.11 implementation of GDPR into national law, 3.5 independence, 4.27 investigative powers Apple, 4.22 Facebook, 4.18 Google, 4.17 Instagram, 4.20 introduction, 4.16 LinkedIn, 4.24 Official Public Service Card, 4.25 Quantcast International, 4.23 Twitter, 4.21 WhatsApp, 4.19


Irish Data Protection Commission – contd office resources, 13.10 Privacy Shield, 4.26 staff, 13.9 technical resources, 13.11 J Joint controllers general obligations, 10.24 K Keeling Schedule Amendments DPA 2018, to, 5.10 GDPR, to, 5.11 L Lawful processing generally, 1.13 Libra currency overview, 1.1 Limitations authorisation and advice powers, and, 9.10

M Medical data bio data, 15.4 body scanners, 15.6 DNA sequencing, 15.5 generally, 15.4 genome research, 15.5 profiling, 15.4 sensitive personal data, as, 15.4 Monitoring powers of EDPS, and, 7.6 tasks of EDPB, and application of GDPR, 6.5 tasks of EDSAs, and application of GDPR, 2.9 relevant developments, 2.16 Mutual assistance see also Cooperation generally, 14.3

N National laws background, 3.2 Brexit, and, 3.2 context, 3.2 data protection supervisory authorities, and, 2.3 implementation of GDPR, and Austria, 3.9 background, 3.2 Belgium, 3.8 France, 3.6 Germany, 3.7 generally, 3.3 introduction, 3.2 Ireland, 3.5 Italy, 3.10 other Member States, 3.12 Spain, 3.11 UK, 3.4 introduction, 3.1 other nations, 3.12 Non-compliance authorisation and advice powers, and, 9.16

O Off-site working generally, 15.24 One-Stop Shop cooperation, and, 14.9 Online abuse background to protection, and, 1.2 EDPS, and, 15.28 future issues, 15.25 importance of protection, and, 1.6 Opinions European Data Protection Board, and adoption and endorsement, 6.34 joint publication, 6.37 publication, 6.34 tasks of EDPB, and certification, 6.22 Codes, 6.19 consistency, 6.25 icons, 6.23 third countries, 6.24 Orders, reprimands and warnings corporations, and, 10.19 powers of EDPS, and, 7.13

P Penalties see also Fines corporations, and, 10.5 data protection supervisory authorities, and generally, 9.6 introduction, 2.38


Index Penalties – contd data subjects’ rights, and generally, 11.11 introduction, 11.2 Personal data importance of protection, and, 1.6 terminology of protection, and, 1.10 Politics generally, 15.29 Prior consultation obligations of controllers, and, 10.35 Privacy purpose of protection, and, 1.11 terminology, 1.5 Privacy by design background to protection, and, 1.2 Privacy Shield annual review, 8.11 Data Protection Commission (Ireland), 4.26 generally, 8.10 purpose of protection, and, 1.11 Processing authority, under, 10.28 criteria, 1.12 data protection rules, and, 1.12–1.13 introduction, 1.12 lawful processing, 1.13 obligations of processors, and authority, under, 10.28 security, 10.31 purpose of protection, and, 1.11 security, 10.31 terminology of protection, and, 1.10 Processors cooperation with supervisory authority, 10.30 data subjects’ rights, and, 11.3 generally, 10.27 obligations cooperation with supervisory authority, 10.30 generally, 10.27 processing under authority, 10.28 representatives where not established in EU, 10.25 security of processing, 10.31 processing under authority, 10.28 representatives where not established in EU, 10.25 security of processing, 10.31 terminology of protection, and, 1.10

Production of certain records prohibition of requirement, 9.21 Professional secrecy European Data Protection Supervisor, and, 7.18 Profiling generally, 15.3 health data, and, 15.4 politics, and, 15.29 tasks of EDPB, and, 6.9 Promotion of awareness tasks of EDSAs, and obligations, 2.12 processing, 2.10 Promotion of training programmes tasks of EDPB, and, 6.27 Proportionality EDPS, and, 15.28 purpose of protection, and, 1.11 Provision of information tasks of EDPB, and, 6.31 tasks of EDSAs, and, 2.13 Pseudonymisation generally, 15.17 R Records infringements and actions, of, 2.28 obligations of controllers, and, 10.29 tasks of EDSAs, and, 2.28 Rectification orders corporations, and, 10.19 Registers European Data Protection Board, and, 6.38 Regulators see also Data protection supervisory authorities background to protection, and, 1.3–1.4 terminology, 2.1 Re-identifying de-identified personal data authorisation and advice powers, and, 9.18–9.19 Remedies data protection supervisory authorities, and compensation, 2.45 complaints against controller or processor, 2.43 complaints against regulator, 2.42 complaints for data subjects, 2.44 complaints to regulator, 2.41


Index Remedies – contd data protection supervisory authorities, and – contd current decision trends, 2.46 introduction, 2.40 liability, 2.45 data subjects’ rights, and, 11.2 purpose of protection, and, 1.11 Reporting data breaches tasks of EDPB, and, 6.10–6.12 Reports data protection supervisory authorities, and, 9.22 European Data Protection Board, and annual report, 6.33 opinions, and, 6.34 Representation data subjects, and generally, 11.13 introduction, 11.2 Representatives where not established in EU obligations of controllers, and, 10.25 obligations of processors, and,  10.25 Reprimands corporations, and, 10.19 Requests for audit authorisation and advice powers, and, 9.13 Restrictions authorisation and advice powers, and, 9.10 Resting re-identification provisions authorisation and advice powers, and, 9.19 Revenge porn background to protection, and, 1.2 EDPS, and, 15.28 Review of certifications issued tasks of EDSAs, and, 2.22 RFID tags generally, 15.8 Ride shares generally, 15.11 Right to be forgotten background to protection, and, 1.2 importance of protection, and, 1.6 purpose of protection, and,  1.11 tasks of EDPB, and, 6.7 Right to effective judicial remedy corporations, and, 10.2

Right to effective judicial remedy – contd data subjects, and generally, 11.4 introduction, 11.2 Right to lodge complaint corporations, and, 10.3 data subjects, and generally, 11.5 introduction, 11.2 Right to privacy purpose of protection, and, 1.11 Risk assessment background to protection, and, 1.2 purpose of protection, and, 1.11

S Safe Harbor purpose of protection, and, 1.11 Secrecy data protection supervisory authorities, and, 2.31 Security purpose of protection, and, 1.11 Security devices background to protection, and, 1.2 Self driving generally, 15.11 Security of processing obligations of processors, and,  10.31 Sensitive (special) personal data health data, and, 15.4 terminology of protection, and, 1.10 Smart devices generally, 15.8 Smart toys drones, 15.10 generally, 15.9 Standard contractual clauses tasks of EDSAs, and adoption, 2.17 authorisation, 2.25 Supervisory authorities background to protection, and, 1.2 Suspension of proceedings data protection supervisory authorities, and cooperation, 2.33 data subjects’ rights, and generally, 11.12 introduction, 11.2


T Takedown background to protection, and, 1.2 purpose of protection, and, 1.11 Televisions background to protection, and, 1.2 Theft purpose of protection, and, 1.11 Third countries tasks of EDPB, and, 6.24 Training programmes tasks of EDPB, and, 6.27 Transfer of data Brexit, and exceptions, 5.5 general rule, 5.4 introduction, 5.3 procedures, 5.5 future issues, 15.26–15.27 tasks of EDPB, and, 6.15 Transparency purpose of protection, and, 1.11 Treaty for the EU (TFEU) data subjects’ rights, and, 11.1 U Undue influence data protection supervisory authorities, and, 2.5 United Kingdom see also Data Protection Act 2018 implementation of GDPR into national law, 3.4 United States Cambridge Analytica complaint, 8.12 corporations, and, 10.1 current approach federal, 8.3–8.5 states, 8.6 data protection and privacy regulation conclusion, 8.14

United States – contd data protection and privacy regulation – contd current federal approach, 8.3–8.5 current state-led approach, 8.6 data transfer, 8.8–8.12 EU-US privacy bridges, 8.4 Federal Trade Commission, 8.7 introduction, 8.1–8.2 legal background, 8.2 proposals for federal laws, 8.13 data transfer, 8.8–8.12 EU-US relationship data transfer, 8.8–8.12 ‘Privacy Bridges’ report, 8.4 Privacy Shield, 8.10–8.11 Federal Trade Commission, 8.7 financial sector, 8.3 introduction, 8.1 legal background, 8.2 proposals for federal laws, 8.13 telecoms sector, 8.3 video rentals, 8.3 Unlawful obtaining of personal data authorisation and advice powers, and, 9.17 Urgency procedure cooperation, and, 14.7 V Visualisation services generally, 15.13 Voice assistants background to protection, and, 1.2 W Warnings corporations, and, 10.19 European Data Protection Supervisor, and, 7.13 WP29/EDPB Guidelines cooperation, and, 14.10
