More cross-border Data Protection

On Thursday the Court of Justice of the European Union issued another decision on the interpretation of Directive 95/46/EC – the Data Protection Directive.  The case came on a reference from the Hungarian Supreme Court and asked a number of questions around when a data controller is established in a particular member state for the purposes of the Directive.

Factual Background

Weltimmo s.r.o is a company registered in Slovakia under Slovakian law. It operates one or more property websites which are written in Hungarian and feature Hungarian properties.  The Company offered one month’s free advertising before beginning to charge its customers for the use of its service.  Somewhat unsurprisingly a lot of people took advantage of the one month free offer and then sought to have their adverts and personal data erased at the conclusion of the free month.  Weltimmo did not delete the advertisements or their personal data and instead charged its customers for the use of its services.  Those charges went unpaid and Weltimmo passed details of the ‘debtors’ onto debt collection agencies in Hungary.

Complaints were made to the Hungarian Data Protection Authority, which found that Weltimmo had breached data protection law.  A fine of approximately €32,000 was imposed on Weltimmo.  Weltimmo appealed and the fine was overturned; however, it was determined that Weltimmo was established in Hungary for the purposes of Hungary’s data protection law.  Weltimmo disagreed and appealed to the Hungarian Supreme Court, which made a reference to the Court of Justice of the European Union.

Other important facts narrated in the Court’s decision are: that the company had a Hungarian bank account; that it had a letter box in Hungary that was used for its everyday affairs; and that it had a representative in Hungary who sought to negotiate settlements of the unpaid debts.

Court’s decision

The Court made reference to Google Spain and, drawing on recital 19 of the Directive, stated that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or subsidiary with a legal personality” is not the determining factor. [28] The Court went on to say that there is a “flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered.” [29]

Essentially what the Court is stating here is that there may be a difference between where a company is registered and where it is established for the purposes of data protection law.  It is necessary to look at where the company actually carries on its activity, and not just at where it has a physical presence by way of a building or a registered office.  A company registered in Scotland, but which deals exclusively in the Republic of Ireland, might find itself subject to the data protection law of the Republic of Ireland as opposed to that of the United Kingdom.

In the present case, the Court noted at paragraph [32] that “the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month.  It must therefore be held that the company pursues a real and effective activity in Hungary.”

In Google Spain the Court held that the Directive does not require the processing of personal data to be carried out by the establishment itself, but only that it be carried out “in the context of the activities” of the establishment (Google Spain, [52]).  The Court considered that there was “no doubt” that this was the case in Weltimmo. [38] Therefore, unless any of the facts concerning the bank account, representative and letter box prove to be incorrect (matters which it is for the national court to determine), Weltimmo is established in Hungary for the purposes of data protection law.

The Court did stress that the fact that the owners of the properties being advertised had Hungarian nationality was of no relevance in determining which national law was applicable. [40]

The referring court had also sought guidance from the Court concerning the imposition of sanctions.  The Court emphasised the responsibility of national authorities to take action within their own territory and confirmed that they may investigate any complaint made to them even where the national law of another member state is applicable. [54] However, the Court was equally clear that a national authority cannot impose a sanction upon a data controller who is not established in its territory. [56] This is fairly obvious and stems from the territorial nature of each authority’s powers.  In those circumstances the national authority that has investigated the matter should pass the case to the national authority that has jurisdiction to impose a penalty and ask that it do so, based where necessary on the information supplied by the authority which initially investigated the complaint.  [57]

For example, the Information Commissioner’s Office cannot take action against Facebook because it is not established in the UK; however, it may investigate a complaint from someone in the UK as to how Facebook has processed their personal data before passing it to the Irish Data Protection Commissioner, who does have jurisdiction by virtue of Facebook being established in the Republic of Ireland.  It would then be for the Irish Data Protection Commissioner to establish whether Facebook has broken Irish Law in relation to data protection and to then impose penalties in accordance with Irish Law, making use of the information passed to it by the ICO.

This is an important judgment that gives very good and strong advice on handling cross-border data protection issues where the internet is involved.  It stresses the need for data protection authorities across Europe to work in co-operation to ensure the rights of data subjects are protected whilst personal data is being processed.  The coming reforms (expected to be in force middle – late 2018) will not move away from that; indeed, with the proposed ‘one-stop’ regulation it will only increase that requirement.

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.

September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle.  This followed an incident in which fitness to practise allegations, together with a CD containing background information relating to the allegations, were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for the information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent be encrypted.  In this particular incident the CD was not encrypted, so the misdirected disc was readable by whoever received it.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The company provided an explanation and stated that it would be putting in place additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing after it had been collected by the third party, but before it reached Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal e-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government-backed energy saving initiative.

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The company explained that it had now ceased the marketing campaign and that it had not realised that the Privacy and Electronic Communications Regulations contain different rules for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by laying the blame at the door of the third party it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.


In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place the appropriate consents and take sufficient steps to ensure that calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the Latin maxim ignorantia legis neminem excusat – ignorance of the law excuses no one. Following a change in the law in April 2015, the Commissioner no longer needs to show that a breach of PECR caused substantial damage or distress before issuing a Monetary Penalty Notice; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

Home Office, Twitter and Immigration

Immigration has rarely been far from the headlines in the UK for a number of years.  On 1 August 2013 the Home Office conducted a high profile immigration operation around the UK which caused considerable debate and discussion.  On that day the Home Office published a series of tweets giving details of the number of persons arrested during the day, accompanied by the hashtag #immigrationoffenders and, in some cases, photographs.

In the days that followed there was national press coverage online on the BBC News website, the Guardian, the New Statesman and others, as well as international coverage, for example on the website of Le Parisien, a newspaper in France.  This operation came around a month or so after the mobile billboard campaign run by the Home Office, which popularly became known as ‘the racist van’ – a campaign that was criticised by the Advertising Standards Authority when it partially upheld a complaint against the Home Office.  Much of the criticism of the 1 August 2013 operation, known as ‘Operation Compliance’, was around the operation itself and centred on concerns about racial profiling.  However, some people considered whether the Home Office was properly complying with the Data Protection Act 1998, and there was even some consideration as to whether the activities might be considered as prejudicing future criminal proceedings (if any).

After some consideration I made a Freedom of Information request to the Home Office in August 2013 concerning the events of 1 August 2013, a request that finally came to a conclusion on 3 September 2015.  The Home Office initially refused the request and largely upheld that position on internal review (which it took over 9 months to complete).  The Information Commissioner found in his decision notice that the Home Office were entitled to withhold some of the information that they had withheld, but not the rest (see the ICO’s decision here – which also sets out my request in full).  The Home Office then appealed this to the First-Tier Tribunal (Information Rights).  The Tribunal dismissed the Home Office’s appeal (the Tribunal’s decision can be read here) after a hearing in late June 2015.  The information that was disclosed can be read here (this document does include some of the information that had been earlier disclosed, but the Home Office included it in the new disclosure for “consistency”).

What the information reveals is nothing sinister; it shows civil servants planning and executing a public relations campaign highlighting the work that the Home Office is undertaking.  My principal interest though was always around what consideration the Home Office had given to data protection implications, as well as concerns around prejudicing future criminal prosecutions and also compliance with civil service guidance (which someone else had written about following a tweet of a similar nature about a month earlier).

The information that has been disclosed reveals quite a lot by what it does not contain.  There appears to be no direct consideration of data protection, of prejudice to future criminal proceedings or of civil service guidance.  Of course, these matters could have been considered and there simply exists no record of their having been considered (that, I suggest, would show a lack of proper and effective record keeping).  There is an indirect reference to the data protection and prejudice matters in the email extract dated 31/7/2013 at 16:42.

The information also shows that the Home Office changed the hashtag prior to the operation commencing.  It would appear from the information disclosed that they had initially intended to use #illegalworking.  It seems that they changed their mind because the 1 August 2013 operation was not solely targeting those working without the proper papers and permission and they feared criticism from using the #illegalworking hashtag.

Of course this information is not anywhere near as valuable as it might have been had it been released in August or September 2013, many people will have forgotten all about the 1 August 2013 operation (I suspect it will be etched in my mind for some time to come having lived it, studied it, discussed it and litigated it for over 2 years).  It has been a long road, but nonetheless the information that has been released is valuable:  it largely shows a measured discussion by civil servants who appear to be trying to demonstrate to the public in relevant and imaginative ways the work of one of the Departments of State; however, it does appear to highlight some weaknesses in the planning for such media operations and if anything, hopefully these matters will be considered in future operations.

#GE2015, Data Protection, Privacy and FOI

It is now two days since the UK went to the polls to elect the 650 people who will be responsible for representing us until Parliament dissolves on Monday 20 April 2020 (assuming the Fixed-Term Parliaments Act 2011 remains in place and intact).  The result was significant for many reasons, some of which I may address in a future blog post.  The focus of this blog post though will be the possible impact on Data Protection, Privacy and Freedom of Information following the result in this election.

Data Protection and Privacy

These two areas, in their current form, rely heavily on EU law.  Both the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations implement EU directives into UK law.

It is well known that one of the promises David Cameron made was a referendum on the UK’s continued membership of the EU if the Conservatives were returned to power with a majority.  They were, albeit a small and fragile one, and as such it is likely that in 2017 we will have a referendum on whether the UK will continue to be part of the EU, or not.  If the UK were to leave the EU (and this is purely hypothetical at this stage), then there would be no requirement for the UK to continue to comply with EU law; including the Directives underpinning the Data Protection Act and the Privacy and Electronic Communications Regulations.

Withdrawal from the EU would not, of course, immediately repeal every piece of law that implements an EU Directive – such a position would be unworkable.  Over time there would, as there is in every other area of law, be reform, and that could include both the Data Protection Act and the Privacy and Electronic Communications Regulations.

That is not the end of the story though; our continued relationship with the EU will have some impact in this area, especially with regards to the Data Protection Act.  If we were to remain part of the EEA, we would still have to comply with EU law except in some areas: data protection is not one of those.  So, if we withdrew from the EU and remained part of the EEA, nothing would change.

If we withdrew from both the EU and the EEA there would still be some data protection implications.  The eighth Data Protection Principle prevents the transfer of personal data outside the EEA unless the country or territory to which the personal data is to be sent “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  In other words, for personal data to continue to flow to the UK from the EEA, we would require some form of data protection or privacy legislation that meets the test of “adequate” under EU data protection law.  This is a requirement that looks set to stay as part of the Data Protection Regulation currently working its way through the EU legislative process.  In all likelihood we would adopt the same data protection rules as the EU, or something substantially similar.  For that reason, data protection and privacy look fairly safe over the coming 5 years.

Freedom of Information

Scotland has its own Freedom of Information laws that cover Scottish public authorities.  These laws will likely remain largely unchanged in light of the 2015 election result.

Freedom of Information Act 2000

The FOIA covers English and Welsh authorities as well as UK-wide authorities such as UK Government Departments, the British Transport Police, the BBC, Channel 4 etc.  It is not popular with the Government; it forces the Government to reveal information it would rather keep secret.  The Prime Minister isn’t a big fan of FOI; it “furs up the arteries of Government”.  We can expect to see some changes to FOI laws over the coming 5 years: the veto will likely be strengthened in light of the recent UK Supreme Court decision in the Prince Charles case (R (Evans) v Attorney General); there could well be changes to the cost limits making it harder to get access to information; and there could be the introduction of fees (at least for Tribunal cases).  Substantial harm could be done here (and if you value FOI and the power it gives you to access information held by public bodies I would commend the Campaign for Freedom of Information to you – they could need a lot of help, support and money over the coming 5 years).

Environmental Information Regulations 2004

These implement an EU Directive and provide a much tighter access to information regime with respect to Environmental Information – they also cover a much wider number of bodies than the FOIA does.  While they implement an EU Directive, they have their origin in another international Convention (one which is not anything to do with the EU), the Aarhus Convention.  The UK is a signatory and so if it were to remain a signatory it is likely that there would be no change to the substance of the EIRs.  There would be changes though.

Currently, because they are based upon EU law, they are subject to the primacy of EU law.  It is largely for this reason that the veto was held not to apply to Environmental Information.  It also gives recourse to the Court of Justice of the European Union in respect of interpretation (as was seen with Fish Legal).  This strengthens the EIRs significantly.  However, all is not lost.  In terms of the Aarhus Convention there is a right of remedy to the Aarhus Compliance Committee.

Councillors, Erroneous Benefit Claims, FOI and DPA

The relationship between FOI and Data Protection is one that causes frequent tension.  Obtaining personal data on third parties held by public authorities under FOI is, rightly, a difficult task.  On Sunday it was reported that Cornwall Council had refused to release, in response to a Freedom of Information request, the name of a Councillor who had been advised by the Council that they had “erroneously claimed entitlement to Housing Benefit and Council Tax Benefit / Support” while they were a member of the Council, the amount involved being less than £5,000.  The Council refused to disclose the name of the Councillor on the basis that it was exempt under section 40(2) of the Freedom of Information Act (which exempts from disclosure personal data whose release would contravene the Data Protection Act (DPA)).  This resulted in an interesting discussion between a few individuals on Twitter as to whether the Council was correct to withhold the Councillor’s name.

Lynn Wyeth concluded that it came down to the standard Data Protection Officer’s answer of “it depends” – and it really does; there is a whole heap of information missing which would be relevant to whether releasing the Councillor’s name would breach the DPA.

The starting point in respect of this one is establishing whether the information is personal data; clearly it is.  Not only is it personal data, but it falls within the definition of sensitive personal data in section 2 of the DPA, because it is personal data concerning the alleged commission of an offence by an individual (dishonestly claiming benefits to which one is not entitled is a criminal offence).  This is an important point because the restrictions placed upon the processing of sensitive personal data are a lot more stringent than those for personal data which is not considered sensitive under the DPA.

The first Data Protection Principle is clear: personal data must be processed fairly and lawfully.  It goes on to provide that personal data should not be processed unless at least one of the conditions in Schedule 2 is applicable; in the case of sensitive personal data it is also necessary to ensure that one of the conditions in Schedule 3 applies.

When it comes to releasing personal data under FOI, the condition in schedule 2 that is most often (if not always) applicable is Condition 6(1).  This condition provides:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

In other words, a person seeking the release of personal data about a  third party under FOI must be able to show that he has a legitimate interest and that it is necessary for the personal data to be disclosed in pursuance of that legitimate interest.  I would say that it would generally be the case that uncovering wrong-doing by an elected official while holding public office is a legitimate interest.  Unless the matter was reported in the newspapers or in other media at the time the accusation was being pursued by the body concerned, it would be necessary for the data controller to release the personal data in order to enable the third party to pursue their legitimate aim (uncovering misconduct by a public official and holding them to account).

However, this is personal data that falls within the scope of sensitive personal data, and so the mere fact that condition 6(1) of Schedule 2 to the DPA is likely to be satisfied does not mean that releasing the personal data would be fair and lawful.  There needs to be a condition in Schedule 3 that is applicable as well.

In the normal course of things there wouldn’t, in my view, be a condition in Schedule 3 which would apply – unless the data subject consented to the disclosure.  However, in certain circumstances it may be possible to rely on paragraph 3(b) of Schedule 3, which applies where the processing is necessary:

in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

There are a number of key words here.  The first is “necessary”; if there was another way in which the vital interests of another person could be met without the data controller releasing the information then it wouldn’t apply (for example, if there had been a news report revealing the name – but then the FOI request wouldn’t have been necessary in the first place).  The next is “vital”; there is not, to my knowledge, any case law on what exactly “vital” means in the DPA – it appears in a number of places within Schedule 3.   It could reasonably be argued that uncovering the misappropriation of public funds by an individual elected to public office and holding that individual to account is a “vital” interest of a person other than the data controller (essentially everyone who the data subject is elected to represent).  Finally, the data subject’s consent must be unreasonably withheld.

This is where this case becomes particularly complicated.  It would seem that no criminal proceedings were ever brought against the councillor in question, and certainly it appears that there has been no conviction.  There is a presumption at the very heart of the criminal justice system in each of the legal jurisdictions in the UK: innocent until guilt is established.  As there would appear to be no criminal conviction in this case, the Councillor is an innocent member of the public holding elected public office.  The fact that there is no conviction, in my view, makes it harder to argue that there are vital interests to be protected.

This isn’t that straightforward though; some weight needs to be given to the fact that this individual was accused of making erroneous claims for benefits while an elected official.  Furthermore, it is necessary to give some weight to the fact that some form of procedure was carried out to reclaim overpayments made to the councillor.  However, that alone might not be enough to make release of their name under FOI fair and lawful.  There are other factors to be considered.  For example, if there was a settlement agreement in place which proceeded upon the basis of no admission of liability then that, I suggest, would tend to count against disclosure; especially if this was exactly how an individual who didn’t happen to be an elected member of the council would be dealt with.  That leads onto the next issue; was there any preferential treatment given to the Councillor? It would appear not, the Council has said that it was handled in accordance with the normal procedures.  Had it not been handled in accordance with normal procedures (e.g. he was given special treatment because he happened to be a councillor) then that might tip the balance in favour of disclosure because it would suggest some level of impropriety over and above the allegation that there was an ‘erroneous claim’.

In essence, these decisions are finely balanced.  I’m not going to say whether the Council was right or not to refuse to disclose because I’m not in possession of all of the relevant facts.  I don’t know what has gone on behind the scenes here; I don’t know whether the consent of the data subject has been sought, let alone withheld unreasonably.  The journalist who made the request can make use of their right to request an internal review of the handling of the request and then complain to the Information Commissioner.  What I would say though is that simply because an elected official has been accused of something which may or may not amount to a criminal offence is not, in and of itself, necessarily a justifiable reason to process personal data by releasing it under the Freedom of Information Act.

Devolving Data Protection

The Data Protection Act 1998 (DPA) applies across the whole of the United Kingdom and is enforced centrally by the Information Commissioner’s Office in Wilmslow (which also has offices in Belfast, Cardiff and Edinburgh).  Anyone who has been following Scottish politics recently will be aware that a Commission has been established to make proposals on further devolution to Scotland following the Scottish Independence Referendum in September.  It has been suggested by the Law Society of Scotland in their written evidence [pdf] to the Smith Commission that consideration should be given to devolving data protection to Scotland.

This was a proposal that caught my eye when I read the Law Society of Scotland’s evidence, and it is an interesting one. Is there any real reason as to why Data Protection ought not to be devolved?

The Law Society of Scotland narrates within its evidence the confusion that can arise with the Scottish Information Commissioner being approached in respect of enforcement action relating to Data Protection, a function that she does not presently undertake.  The Scottish Information Commissioner enforces the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009.  In its evidence, the Society makes reference to the way in which the Freedom of Information (Scotland) Act 2002 and the DPA interact.  It rightly points out that the Scottish Information Commissioner is required to make decisions in respect of whether it would breach the DPA to release personal data in response to a FOI request.

The interaction between the DPA and FOI is a well-known difficulty and there has been litigation surrounding it, such as in South Lanarkshire Council v the Scottish Information Commissioner (on which I have previously written here and here).  Understandably it must be difficult for the Scottish Information Commissioner to take decisions on disclosure in respect of personal data when her office is not also responsible for enforcing the DPA – it risks her taking a decision with which the Information Commissioner in Wilmslow might well disagree (and consequently result in a Scottish public authority breaching its obligations under the DPA).

The law relating to Data Protection comes from the EU, but that on its own would not prohibit its devolution. The INSPIRE (Scotland) Regulations 2009 and the Environmental Information (Scotland) Regulations 2004 both give effect to EU Directives in Scotland.  Ultimately, it is the UK Government that is accountable to the EU for the implementation of EU law within the United Kingdom.  That fact though doesn’t appear to have stopped the UK Government from devolving to Scotland the power to implement EU law into Scots law in some areas already.

There is a difference between the DPA and the legislation that the Scottish Information Commissioner currently enforces. The DPA applies to the private sector to the same extent as the public sector.  The legislation currently enforced by the Scottish Information Commissioner applies only to the public sector and to bodies falling within certain definitions that carry out functions of a public nature.  There is a degree of difference between them; for example, the range of bodies caught by the Environmental Information (Scotland) Regulations 2004 is wider than that caught by the Freedom of Information (Scotland) Act 2002.  What has this got to do with devolving Data Protection?  It might not be of an immediately obvious nature; however, the bodies covered by the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009 are almost all based entirely within Scotland; there are almost no examples of where the Scottish law here applies to bodies carrying out functions elsewhere in the UK.  Is this difference (i.e. the cross-jurisdictional aspect of Data Protection) a sufficient reason not to devolve Data Protection to Scotland?

In terms of FOI, public bodies which have functions across the whole of the UK, or are part of the UK Central Government, are covered by the UK equivalent and not the Scottish law. Some examples include: the BBC, the British Transport Police, the Scotland Office, the Office of the Advocate General for Scotland, the Home Office, the Department for Work and Pensions and HMRC.  In these cases the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply and it is the UK Information Commissioner in Wilmslow who enforces their compliance.

In terms of devolution, it is logical why the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply to UK-wide bodies. It would undoubtedly present difficulties for those organisations if they had to comply with different requirements in different parts of the UK.  However, in terms of FOI, some bodies already have that difficulty.

It does not appear to be widely known, but some of the UK’s biggest businesses are covered by FOI law to a very limited extent. The likes of Tesco, Sainsbury’s, Asda and Boots are all subject to FOI law in respect of their NHS Pharmaceutical and Optometry services.  These are the bodies that have the difficulty of complying with two separate FOI regimes.  In respect of their services contracted by the NHS in Scotland it is the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 that apply (and the Scottish Information Commissioner is responsible for enforcement), while in respect of their services contracted by the NHS in England it is the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 that apply (and the UK Information Commissioner is responsible for enforcement).  A request to one of those bodies for information on a UK-wide scale would require them to deal with the request under two separate access to information schemes (potentially four if the information was environmental in nature).  Outside of the world of access to information legislation there are a great many differences between the legal frameworks in which UK-wide businesses operate across the UK.  A contemporary example might be statutory charges for carrier bags.  Wales, Northern Ireland and Scotland all have them while England does not.  As a consequence, businesses operating across the UK have to adopt different practices on carrier bags to ensure legal compliance in those parts of the UK that do require charges to be made for carrier bags.  This is a fairly minor example, but there are some which are much more substantial in nature.

In terms of devolving data protection to Scotland, if it were to be devolved at all, there are two options. The first would be to devolve it only in respect of data controllers domiciled in Scotland.  This would mean Scottish-domiciled data controllers would have to comply with a Scottish Data Protection Act while data controllers domiciled elsewhere in the UK would have to comply with a UK Data Protection Act.  This is probably not a good option from the point of view of Data Subjects; some UK-wide companies would be domiciled in Scotland and some would be domiciled elsewhere in the UK.  This could cause confusion as to which Information Commissioner they ought to be dealing with in relation to a data protection concern.  For example, in that situation customers of RBS might find themselves dealing with the Scottish Commissioner as RBS is a company registered in Scotland.  This is the sort of confusion that the Law Society of Scotland mentioned within their response as to why consideration ought to be given to devolving data protection to Scotland.  The other option is to simply devolve Data Protection, and that would mean any UK-wide organisation operating in Scotland would have to comply with both the UK and the Scottish Data Protection Acts – it would be no different to multi-nationals who have to comply with the different Data Protection regimes across the world or the multitude of other areas where UK-wide businesses already have to comply with different laws north and south of the border.

Devolving Data Protection to Scotland wouldn’t end the UK Information Commissioner’s responsibilities in Scotland. He would still be responsible for dealing with Freedom of Information in respect of the many bodies covered by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 which operate in Scotland.  His office would also still be responsible for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (which overlap considerably with data protection) unless responsibility for implementing the E-Privacy Directive upon which they are based was similarly devolved to Scotland.

So, should Data Protection be devolved? Well, there is no good reason against it that I can see.  There would be a good opportunity for devolution in the form of the Data Protection Regulation currently working its way through the EU legislative process.  At that stage Data Protection law in the UK will have to change and if this were to be an area for devolution to Scotland that would seem like a sensible time to do it.  However, given the nature of EU Regulations as opposed to EU Directives, the practical effect of devolving Data Protection to the Scottish Parliament would be limited.  The question would become “what is the point?”.  The arguments in favour of further devolution to Scotland centre around the Scottish Parliament taking decisions on matters for Scotland which do not need to be reserved; however, the practical effect of the new Data Protection Regulation would be that there would be almost no scope for the Scottish Parliament to take decisions on data protection; there would be an EU Regulation which has direct effect in all EU member states, without the need to pass domestic legislation.  Any legislation, UK or Scottish, would simply be regurgitating the Regulation alongside some minor consequential and transitional matters.

The Law Society of Scotland argues that the new regulation means that there is less of a need for data protection to be a reserved matter; that would be true because from an EU compliance point of view there would be no risk to the UK Government. They also seem to place a lot of weight on the issue of confusion between the responsibilities of the two information commissioners; however, I’m not sure that would be resolved by devolving data protection – in fact there is real potential for it to be compounded rather than resolved.  The only real argument is the one concerning FOI decisions involving third party personal data, but so far that doesn’t appear to have been an issue.  Indeed, in the South Lanarkshire Council case mentioned above, the Supreme Court agreed with the approach of the Scottish Information Commissioner; although there is always scope for the Scottish Information Commissioner to get things wrong.  That said, the UK Information Commissioner could equally get things wrong and wrongly order the disclosure of personal data under FOI.

Should data protection be devolved?  There doesn’t seem to be a strong case one way or the other.  In the grand scheme of things there are far more important issues in the devolution debate than whether the Scottish Parliament should get power devolved over an issue that won’t actually amount to much power at all.

Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA.  This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing an MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:

  • the Commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs);
  • the contravention was of a kind likely to cause substantial damage or substantial distress;
  • and either the contravention was deliberate but the data controller failed to take reasonable steps to prevent it; or the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

It looks complicated, and to an extent it is.  However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department for Culture, Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue an MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:

  1. do nothing
  2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
  3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing

The Commissioner favours the third option, and the DCMS states in the consultation document that its provisional view is that the third option is its preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s not a particularly lengthy consultation document and does present three clear and simple options).  What has struck me though is what is missing from option three.  The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it.  However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me.  It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk.  It basically excuses negligence.  It allows a completely unreasonable situation to avoid the regulatory sanction of an MPN.

This seems like a glaring omission to me, and I’ll certainly be thinking about its possible ramifications in more detail before submitting a response to the DCMS.  I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.