Information Commissioner's Office (ICO)

30 May: "GDPR: One year on" report

On 30 May 2019, the ICO published its "GDPR: One year on" paper to share its reflections and learnings from the first year of GDPR implementation, along with a blog post by the Information Commissioner, Elizabeth Denham. The paper outlines the ICO's work on providing support, taking action, fostering innovation and growing its function, and sets out key figures that give a useful insight into the ICO's role. Highlights of the paper include:

Public awareness, especially of data rights and the ICO's role, has increased. This has brought an increase in data rights requests since 25 May 2018, a 66% increase in traffic to the ICO's helpline, live chat and written advice services (470,000 communications in 2018/2019) and 16.6 million views of the ICO's online GDPR guide.

Supporting organisations has been central to the ICO's function. The ICO will soon establish a one-stop shop for SMEs (alongside the already established dedicated helpline, live chat and SME sessions) and is in the process of creating four statutory codes on data sharing, direct marketing, age-appropriate design, and data protection and journalism. It has also called on the Government to legislate on the use of personal data in political campaigns.

In terms of enforcement, the ICO is increasingly using its powers to change behaviours. Fifteen assessment notices have been issued under the new legislation, among other things in connection with the ICO's investigations into data analytics for political purposes, political parties, data brokers and credit reference agencies. From 25 May 2018 to 1 May 2019, 14,000 data breaches were reported, a significant increase on the 3,300 notifications received the year before, although only a very small number of these resulted in an improvement plan or a monetary penalty.
Also, 41,000 data protection concerns were submitted to the ICO (nearly double the 2017/2018 figure), with the health sector, local government and lenders among the most exposed sectors. The ICO has been involved in around 23% of the cases with EU-wide implications and aims to strengthen its links with EU authorities and to keep a leading role within the global privacy community.

Highlights of its work on enabling innovation include the ICO Sandbox and its Research Grant Programme to support innovative privacy initiatives.

In terms of resources, the ICO's workforce has grown to 700 and will continue to grow to meet the increased demand for ICO services. The ICO has also secured more funding by increasing its fee income by 86% compared to last year and by issuing penalties for non-payment of fees, which amounted to nearly £100,000.

As the Information Commissioner confirmed, the ICO will be taking "robust action" against non-compliance. Many of the ICO investigations launched under the GDPR are nearing completion, and their outcome, expected soon, will demonstrate the ICO's actions to protect the public. Organisations are expected to go beyond baseline compliance during the second year of the GDPR and to focus on accountability and a real, evidenced understanding of risks. Over the next period, the ICO's regulatory priorities will focus on data broking, the use of data in political campaigning, children's privacy, cyber security, AI, big data and machine learning, web and cross-device tracking for marketing, the use of surveillance and facial recognition technology, and freedom of information compliance.

3 June: Project explAIn interim report

The ICO and the Alan Turing Institute released their interim report on Project explAIn.
This collaboration aims to create practical guidance to help organisations explain artificial intelligence ("AI") decisions to affected individuals. The report highlights three main findings:

1. Context is key when providing explanations. The report finds that in some areas, such as recruitment and criminal justice, the expectation of an explanation of the decision-making process is much higher than in others, such as healthcare. Participants also stated that the importance and purpose of the explanation should vary depending on who it is addressed to and their level of understanding of the topic (for example, in a healthcare context the explanation should not be the same for a doctor as for a patient).

2. There is a clear need for improved education and awareness around AI. 40% of the suggestions made by participants on how to build confidence in AI concerned awareness-building or education-related activities. The report does not say who should take responsibility for this, but argues that information on AI should come through various channels (for example schools, social media, broadcast media and individual involvement).

3. There are a number of hurdles to overcome in deploying explainable AI. Most participants were confident that the decision process could be explained technically. One of the main issues highlighted by the industry consultation concerns internal accountability and the lack of a standard approach to assigning responsibility and ownership for AI explanations within a company. Other issues include the difficulty of keeping up with innovation, cost, resources, the complexity of the explanations, commercial sensitivity and the disclosure of third-party personal data.

According to the report, the main consequence of these findings is that there is no "one size fits all" approach: the right explanation will depend very much on the context.
The report presents this as the strongest message to emerge from the discussions with the citizens' juries and the roundtables. The full report is available here.

20 June: ICO update report on adtech and real time bidding: adtech industry on notice

On 20 June 2019, the Information Commissioner published an update report on her office's review of adtech and real time bidding ("RTB"), a form of auctioned online advertising. The report, a progress update rather than formal guidance, raises very significant concerns about the adtech industry's compliance with the General Data Protection Regulation ("GDPR") and the Privacy and Electronic Communications Regulations ("PECR"). Headline points include:

1. Special category data is being unlawfully collected in the adtech industry, as explicit consent, the only valid lawful basis for such processing, is not being obtained.

2. Personal data is being unlawfully collected in the adtech industry because of the mistaken understanding that legitimate interests is a valid lawful basis for placing and/or reading cookies. In the ICO's view, legitimate interests has a limited role in this context, and the Commissioner considers consent to be the appropriate lawful basis for RTB.

3. Industry initiatives such as the IAB Transparency and Consent Framework ("IAB TCF") do not currently address the ICO's concerns.

4. Privacy notices do not currently go far enough in explaining to individuals what happens to their data.

The Commissioner is asking controllers to re-evaluate their practices. But while the report outlines deficiencies, it does not provide any clear solutions. Please find our full analysis of this report here.

UK Cases

17 April: Green v Group Ltd & others EWHC 954 (Ch)

This case relates to a claim arising from the processing of data by the group of companies informally known as 'Cambridge Analytica'.
The High Court considered whether to appoint the incumbent joint administrators of the Cambridge Analytica companies as liquidators, despite objections to their conduct raised by a contingent creditor. The creditor asserted on numerous grounds, including data protection law, that the administration had not been conducted properly. This case summary considers only limited aspects of the facts and judgment.

Facts

The Cambridge Analytica companies combined data collection and analysis with strategic communications to create targeted advertisements for various political parties and campaign groups. Following the high-profile scandal centred on the group's harvesting of personal data from Facebook profiles without consent, the group faced financial difficulties and, on taking insolvency advice, asked the court to place the companies into administration. Despite the negative press surrounding the Cambridge Analytica companies and their activities, the proposed administrators asserted that they considered it reasonably likely that the objective of the administration (the sale of the companies) could be achieved, and the court granted the administration order on 3 May 2018. It soon transpired that the companies could not in fact continue to trade, as the Information Commissioner's Office (ICO) held the companies' laptops and servers. The administrators attempted to market the business anyway, but no substantial offers to purchase the companies were made, so the administrators sought to place the companies into compulsory liquidation and to be appointed liquidators.
The majority of creditors approved the administrators' proposal, but one contingent creditor objected to the appointment of the incumbent administrators as liquidators on multiple grounds, rooted in the fact that, prior to the administration order, the creditor had issued proceedings against two of the Cambridge Analytica companies seeking satisfaction of a data subject access request and pre-action disclosure.

The subject access request

The creditor in question, a US academic, had submitted a subject access request to one of the Cambridge Analytica companies in January 2017. He did not receive a satisfactory reply from the company and instructed solicitors to draft a letter before action requesting a full response and setting out a claim for compensation for distress caused by the breach of the DPA 1998 and by the torts of misuse of private information and breach of confidence. No response that could be put before the Court was received. On 16 March 2018 the creditor issued proceedings against several of the Cambridge Analytica companies based on s.7 DPA 1998, seeking an order that the subject access request be complied with by a specified date, along with an application for pre-action disclosure of particular documents before pursuing the s.7 DPA 1998 claim. On 4 May, the day after the Cambridge Analytica companies entered administration, the ICO sent an Enforcement Notice addressed to one of the companies, SCL Elections Limited ('Elections'), requiring it to provide a more satisfactory response to the creditor's SAR.
The administrators took no steps to comply with the Enforcement Notice and did not seek to appeal it under s.48 DPA 1998, given that (i) the Enforcement Notice was addressed to Elections, (ii) the administrators were not the data controller, (iii) the servers on which the personal data was stored were in the ICO's custody and control, with Elections having no access, and (iv) Elections had no staff as of 22 May 2018. The ICO commenced criminal proceedings against Elections, which pleaded guilty and was fined £15,000, with a £170 victim surcharge and £6,000 costs.

Decision

The court held that the appointment of the administrators as liquidators was "conducive to the proper operation of the liquidation". In respect of the data protection issues raised by the creditor:

Failure to comply with the Enforcement Notice did not amount to misconduct

The High Court's view supported the generally held view that the Southern Pacific Personal Loans decision (that a liquidator will not be treated as a data controller in respect of data processed by the insolvent company) also applies to administrators. Administrators act as the company's agent, and will only be treated as a data controller where they take decisions about the processing of data as principal rather than as agent. In this case, therefore, the administrators were not personally responsible for compliance with the Data Protection Act 1998 in respect of the data processed by the company, including (but not limited to) data subject access requests. Mr Justice Norris did not find the administrators guilty of any misconduct in relation to the Enforcement Notice.
The judgment noted that the questions to be considered by the administrators were: (i) whether it was in the interests of the general body of creditors, or a necessary part of discharging their statutory duties, to help the creditor pursue his data rights; and (ii) whether choosing not to help the creditor would cause unfair harm to the creditor's interests (limited to his interests as a creditor, not as an academic or campaigner). Mr Justice Norris agreed with the administrators that compliance with the Enforcement Notice would have been disproportionately costly, as it would have required them to search for the creditor's data among 700 terabytes of data in the custody of the ICO. He held that compliance would have been detrimental to the body of creditors as a whole, and that the decision not to search for the creditor's data was one a competent administrator could properly make.

No duty to investigate previous data protection issues

The High Court found that implicit in the creditor's complaint was an assumption that the administrators were under a general duty to investigate data breaches which took place before they were appointed. Mr Justice Norris confirmed that investigations into data protection infringements are not for administrators or liquidators to conduct: they remain the responsibility of external regulators and should not be carried out by insolvency office holders at the creditors' expense. The duty of administrators and liquidators is only to investigate breaches of the directors' duties to the company and its creditors. The full judgment is available here.
17 May: Mrs Ashley Judith Dawson-Damer, Mr Piers Dawson-Damer and Ms Adelicia Dawson-Damer v Taylor Wessing LLP (& others) EWHC 1258

On 17 May, the High Court handed down the third decision in this case and provided some important clarifications on the definition of a relevant filing system, the legal professional privilege exemption and what constitutes a reasonable and proportionate search.

Background

Taylor Wessing (TW) acted as the English solicitor to the trustee of a group of Bahamian family trusts (the Yuills Trusts), which included the Glenfinnan Settlement. The First Claimant, Mrs Dawson-Damer, was a discretionary beneficiary of the Glenfinnan Settlement and had challenged the validity of appointments made out of that settlement. In 2014, together with her adult children, she served subject access requests on Taylor Wessing under the Data Protection Act 1998. TW refused to provide the information requested in the SARs, relying on the legal professional privilege exemption in paragraph 10 of Schedule 7 to the Data Protection Act 1998 (DPA 1998) (the "LPP Exemption"). The Claimants challenged this, and TW was successful at first instance. The Claimants then appealed. In March 2015, the First Claimant also commenced proceedings in the Bahamas against the trustee of the Glenfinnan Settlement, and that litigation is ongoing. An important part of the background is that, under section 83(8) of the Bahamian Trustee Act 1998 (the "BTA"), trustees cannot be compelled to disclose to any beneficiary or other person certain documents relating to any letter of wishes, the deliberations of trustees or other documents relating to the trustees' exercise of discretion, and the Bahamian court would similarly be unable to order such disclosure.
In February 2017, the Court of Appeal held that the LPP Exemption only applies to information which would attract LPP as a matter of English law (the judge at first instance was wrong to suggest that it also exempted information which would be protected from disclosure under Bahamian law). Further, TW could not refuse to provide information on the basis that any search for non-LPP material would require disproportionate effort. While a search need not be exhaustive, solicitors relying on the LPP Exemption must show that they have carried out a reasonable and proportionate search of their files. Finally, the Court of Appeal held that the first instance judge was also wrong to decline to enforce the subject access request because the Claimants intended to use the information in their ongoing Bahamian litigation. An application by TW for permission to appeal to the Supreme Court was refused. The Court of Appeal did, however, remit a number of issues to the High Court for further determination. Of these, the points below are worth noting.

Decision

Relevant filing system

First, the Court had to consider whether the paper files maintained by TW before it moved to electronic files were a "relevant filing system" as defined under the DPA 1998, because if so, TW would be required to search them. The Court concluded that TW's paper files, held under the client description "Yuills Trusts" and arranged in chronological order, are a "relevant filing system" for the purposes of the DPA 1998, and that TW was required to search these files further. In doing so, the Court departed from the restrictive interpretation of a "relevant filing system" in the Court of Appeal's decision in Durant v Financial Services Authority FSR 573 and concluded instead that the approach of the CJEU in Tietosuojavaltuutettu (Case C-25/17) must now be followed.
This was on the basis that Durant had been decided before the right to the protection of personal data was enshrined as a fundamental EU right by Article 8 of the Charter of Fundamental Rights; since then the perspective has changed, and the focus is on the need to protect the data subject rather than on the burden on the data controller. The Deputy Judge found that the Durant requirement of a structured referencing mechanism, sufficiently sophisticated and detailed to indicate readily whether and where specific criteria or information about the applicant can be located, is inconsistent with Tietosuojavaltuutettu. However, he rejected the argument that the sole criterion is whether the personal data can be "easily retrieved". Instead he determined that three elements are needed:

(i) The data must be structured by reference to specific criteria.

(ii) The criteria must be "related to individuals".

(iii) The specific criteria must enable the data to be easily retrieved.

Permission to appeal on this issue has, however, already been granted.

Legal professional privilege

Second, the Court had to look again at the LPP Exemption and, in particular, at whether there was scope to rely on legal advice privilege as well as litigation privilege. The Court found that TW was entitled to claim LPP over documents on this basis. This is now clearly stated in the Data Protection Act 2018 (Schedule 2, Part 4, paragraph 19). Mrs Dawson-Damer sought to argue that such privilege was a joint privilege between beneficiary and trustee under English law. While the Deputy Judge agreed with this point as a matter of English trust law, he went on to consider the effect of the Bahamian Trustee Act. In his view, since Bahamian law governed the Glenfinnan Settlement, that was the relevant law for deciding whether the Claimant had a "joint privilege".
In this case, the relevant provisions of the BTA state that where Bahamian law applies to a trust, a beneficiary has no automatic right to see legal advice given to a trustee before any threatened litigation and no proprietary rights in documents containing that advice, so no "joint privilege" can exist under that law. Consequently, the beneficiary cannot prevent reliance on the LPP Exemption.

Reasonable and proportionate searches

The Deputy Judge made a number of findings specific to the facts, holding that certain further searches were needed to discharge TW's obligations under the DPA 1998 while others were not. In particular, he held that searching a backup system would be disproportionate and would risk disclosing confidential data about the firm's other clients or its employees. It would also be disproportionate to search the personal spaces of ex-employees, but not those of current employees.

Implications

This decision should be positive news for trustees who have been concerned about the potential for subject access requests to be used by litigious beneficiaries. The case was decided under the DPA 1998, which has now been replaced by the GDPR and the Data Protection Act 2018. However, the LPP Exemption remains in the DPA 2018 (Schedule 2, Part 4, paragraph 19), which now states clearly that it covers personal data in respect of which a claim to legal professional privilege (or, in Scotland, confidentiality of communications) could be maintained in legal proceedings, or in respect of which a duty of confidentiality is owed by a professional legal adviser to his client. The GDPR also contemplates certain additional grounds on which trustees might be justified in withholding disclosure, for example conflicting duties of confidentiality or where disclosure would "adversely affect the rights and freedoms of others" (Article 15(4) GDPR).
11 June: Advertising Standards Authority Limited v Robert Neil Whyte Mitchell EWHC 1469

This case concerns an application by the ASA for an injunction to prevent the unintended recipient of an email from using, publishing, communicating or disclosing any part of the email or its attachments, on the grounds that the contents were confidential and in part legally privileged. As Mr Justice Warby put it, "just about everyone who uses email will have had an experience similar to the one that led to this application".

Facts

An investigating officer at the ASA, who had been looking into a complaint about a billboard advert criticising the Royal Bank of Scotland, apparently funded by Mr Mitchell (the person under investigation), accidentally sent an email and a number of attachments to Mr Mitchell instead of to the ASA's lawyers. The attachments included details of the complaint, a photograph of the billboard, correspondence exchanged with Mr Mitchell, draft recommendations on the complaint, emails containing legal advice and a written opinion from Counsel dating from 2009. Once the officer realised his mistake, he promptly tried to recall the message and emailed Mr Mitchell asserting that the email was confidential and should be deleted. This was followed up with letters, voicemails and texts, including a letter stating that an injunction would be sought in the absence of suitable undertakings from Mr Mitchell. Mr Mitchell was evidently aware of these communications from an early stage, as he started posting on Twitter, but he did not reply until five days later, when he made it clear that no undertakings would be forthcoming. It was against this background that the ASA applied for an injunction.

Decision

The Court decided in favour of the ASA and granted the injunction.
Where an application for an injunction seeks to restrain an alleged breach of confidence, the Court must be persuaded that the claimant is likely to establish that the information has the quality of confidence, that it was imparted to or acquired by the defendant in circumstances importing an obligation of confidence, and that the defendant threatens or intends to misuse it. With respect to the legally privileged documents, the established principle is that where disclosure results from an obvious mistake, the Court should ordinarily intervene. Although there may be exceptional cases in which the Court could properly refuse relief on other grounds, the law does not require the Court to balance the public interest in upholding the privilege against the public interest in allowing the documents to be used in litigation. Mr Justice Warby also stated that, when it comes to imposing a duty of confidence, there is no special treatment for privileged information: it is treated in the same way as any other confidential information. In granting the injunction, the Court found that, apart from the photograph, the email and its attachments were confidential in nature, and Mr Justice Warby was satisfied that there was a threat or risk that, if not restrained, Mr Mitchell would publish the information. This was based on some of his previous tweets and emails sent to the ASA, and on his past behaviour.
UK & EU Data Protection Bulletin: June 2019 Highlights