If a data protection officer or other privacy practitioner was asked to list the issues that had been occupying the majority of their time over the last few years, there is a strong possibility that they would mention the entry into force of the General Data Protection Regulation (the “GDPR”), overseas data transfers and Data Subject Access Requests. As such, it is perhaps unsurprising that these three issues have generated some of the most noteworthy legal developments over the course of the last few months. We discuss these developments below, in the order in which they happened:
Official draft of the new ePrivacy regulation is released
On 10 January 2017, the European Commission released the proposed text of a new ePrivacy Regulation to replace the ePrivacy Directive. It, perhaps ambitiously, is intended to be implemented at the same time as the GDPR.
The ePrivacy Regulation is intended to complement the GDPR and there are a number of commonalities between the two (i.e. extraterritorial effect and potential maximum fines of up to 4% of annual worldwide turnover). As with the ePrivacy Directive, the ePrivacy Regulation governs direct marketing by electronic means and its provisions are to apply in addition to those of the GDPR.
Much of the contents of the official draft will come as no surprise to businesses, following the publication of a leaked draft in December 2016. However, one provision is particularly interesting, in relation to direct marketing. It had been commonly understood that the ePrivacy Regulation would continue to require organisations to obtain the consent of an individual before sending out electronic direct marketing. Indeed, the leaked draft contained the following clause, which clearly set this out:
“The use of electronic communications services by natural or legal persons for the purposes of transmitting direct marketing communications is allowed only in respect of end-users who have given their prior consent.”
However, in the official draft released on 10 January 2017, this was changed to the following:
“Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.”
On an ordinary reading, the revised official draft suggests that consent is one ground for sending direct marketing materials but that other grounds may be relied upon. Whilst, as noted above, the ePrivacy Regulation is still in draft form only and will no doubt be subject to amendment as it passes through the legislative process, this revision may mean that organisations could send electronic direct marketing to individuals on grounds other than their consent. Developments should be monitored.
Subject Access Requests – A mix of good and bad news for data controllers
The bad news…
In February 2017, the Court of Appeal delivered its judgment in the case of Dawson-Damer v Taylor Wessing, which raised three issues of significance. The facts in summary were as follows:
Ms Dawson-Damer was the beneficiary of a Bahamian trust, who was in dispute with the trustees. Taylor Wessing was the English firm of solicitors acting on behalf of the trustees. Ms Dawson-Damer served subject access requests (“SARs”) on Taylor Wessing, who refused to provide the information requested in the SARs, relying on the legal professional privilege (“LPP”) exemption in Schedule 10, paragraph 9, of the Data Protection Act 1998 (“DPA 1998”). At first instance, the High Court agreed that Taylor Wessing was not obliged to provide the information requested. Ms Dawson-Damer appealed.
The Court of Appeal found, firstly, that the exemption for LPP applies only to a claim to LPP which would be recognised in UK legal proceedings. Secondly, Taylor Wessing could not refuse to search for information on the grounds that the majority of material they would be required to search through would probably be subject to LPP, so looking for non-LPP material in amongst it would require disproportionate effort. To rely on LPP, a solicitor has to carry out a reasonable search of its files. Thirdly, the fact that Ms Dawson-Damer had a collateral motive (i.e. assisting her in the dispute with the trustees), for making her subject access request was not a ground on which the court should rely to refuse to exercise its discretion in her favour by ordering Taylor Wessing to comply with the SAR. Whilst the first two points will be of greatest concern to solicitors, who may find their ability to rely on LPP curtailed in the future, the third issue is likely to be of concern to data controllers in general, who can and frequently do face subject access requests from data subjects who see it as a tool to assist in litigation against the data controller.
The good news…
In the joined cases of Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University, one of the judgment’s highlights was that the Court of Appeal provided guidance on how extensively data controllers must search for documents, finding that, in responding to a data subject access request, a controller’s implied obligation to search for documents may be limited to what is reasonable and proportionate. The DPA 1998 did not require the data controller to leave no stone unturned. The court also reaffirmed the definition of personal data approved in Durant v FSA, finding that the mere mention of someone’s name in a document does not necessarily mean that the document contains their personal data. It is more a question of whether the document concerns information that is of sufficient relevance to the data subject. To decide whether that is the case, the court referred to the Durant case and to Edem v The Information Commissioner, noting that certain documents may be obviously about a person, but to the extent they are not, ‘biographical significance’ may be taken into account.
These findings may prove more helpful to data controllers, although they are unlikely to be the final word on SARs in this heavily litigated area.
ICO consults on GDPR consent guidance
On 2 March 2017, the Information Commissioner's Office (“ICO”) published its draft guidance on consent under the GDPR, for consultation until 31 March 2017. Following the consultation, the ICO intends to publish its final guidance in May 2017. The guidance explains the ICO’s recommended approach to compliance and what counts as valid consent. In the same manner as the majority of recent ICO guidance, it seeks to provide practical help as opposed to the more in-depth and legalistic guidance generally provided by the Article 29 Working Party (which aims to publish its own consent guidance in the first ‘semester’ of 2017).
The guidance provides a useful summary of the ICO’s intended approach and the majority of the provisions are not wholly surprising. Some of the key points are as follows:
- Businesses may need to revise their consent mechanisms to meet the higher standard of consent under the GDPR
- Under the GDPR, consent requires a clear affirmative action, and pre-ticked opt-in boxes will no longer count as valid consent
- Consent must be unbundled, meaning that distinct processing operations may require their own consent and, there is a presumption, which may be overturned, that where consent is bundled with other terms and conditions (i.e. as a pre-condition of service), this will not be valid
Whilst many businesses may find this guidance helpful, for those businesses reliant on consent, it is unhelpful because, in places, it arguably strays beyond the requirements of the GDPR without making clear whether the ICO is interpreting the law (very strictly) or simply advocating good practice. For example, the guidance states that where a data controller wishes to share personal data with a third party, such third parties should be named: “even precisely defined categories of third-party organisations will not be acceptable under the GDPR”. A requirement to name third party controllers goes beyond the requirements of Article 7 of the GDPR or Recital 42, which states that only that in order for “consent to be informed, the data subject should be aware at least of the identity of the controller”.
It will be interesting to see if the final draft makes the distinction between the requirements of the law and the ICO’s recommended good practice any clearer.
Proceedings concluded in Schrems II – will the CJEU be asked to rule on whether EU model clauses are invalid?
On 15 March 2017, (after a five and a half week hearing), proceedings concluded at the Irish High Court in the case of the Irish Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (a case known colloquially as ‘Schrems II’). Judgment has been reserved, but is expected in the coming months, at which point the Irish High Court will confirm whether it will ask the CJEU to rule on whether the standard contractual clauses should be declared invalid (for the purposes of transferring data from the EU to the US).
If the court decides to refer the case to the CJEU, this will follow the same course of events as the earlier Schrems case (Maximillian Schrems v Data Protection Commissioner), in which, following a reference from the same court, the CJEU delivered a judgment 18 months later that declared the “Safe Harbour” arrangements for EU/US data transfers invalid.
Facebook (along with the US Government) argued during the proceedings that the adverse consequences for business in both the EU and US would be huge if the standard contractual clauses were found to be invalid. A more objective view is that whilst it would be disruptive to business (the fall of safe harbour was considered particularly disruptive to SMEs, who were ill-prepared to deal with some of the complex issues it gave rise to), this is not the first and probably not the last time that personal data transfers have been challenged, and given the importance of data flows for trade, a solution is bound to be found rather quickly. We await developments.