Court of Appeal rules on subject access request in favour of data subjects

Laura Monro
Laura Monro

Back in November 2015 we reported that the High Court decision in Dawson-Damer v Taylor Wessing brought cautious optimism for data controllers when the judge refused to make an order for compliance with three subject access requests (see https://idatalaw.com/2015/11/24/high-court-decision-brings-cautious-optimism-for-data-controllers/). However, the Court of Appeal has taken a different approach, overturning the High Court decision and ordering compliance by Taylor Wessing, the data controller, with the subject access requests.

In its decision the Court of Appeal focused on the following three key issues:

The extent of the legal professional privilege exception

One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client which was the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. The High Court decided that all documents in respect of which the trustee would be entitled to resist disclosure under the ongoing litigation in the Bahamas would be protected by the legal professional privilege exception under English law.

However, the Court of Appeal took a more narrow view, finding that the legal professional privilege exception:

  1. applies only to documents which are protected by legal professional privilege under English law, and does not extend to systems of law outside the UK; and
  2. does not extend to documents which are the subject of non-disclosure rules, in this case the applicable rules being the trustee’s right of non-disclosure.

Whether any further search would involve “disproportionate effort”

The Data Protection Act provides that a data controller must supply the data subject with a copy of the information requested under a subject access request unless the supply of such information “is not possible or would involve disproportionate effort”.

Although the High Court concluded that it was not reasonable or proportionate for Taylor Wessing to carry out searches to determine if any particular document was covered by privilege, the Court of Appeal disagreed.

 The Court of Appeal stated that Taylor Wessing must produce evidence to show what it has done to identify the material and to work out a plan of action. It found that further compliance with the subject access requests would not involve disproportionate effort by Taylor Wessing, and that disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers.

Whether the judge would have been entitled to refuse to exercise his discretion in favour of the data subjects because their motive was to use the information in legal proceedings against the trustees

The Court of Appeal held that the High Court judge was wrong not to enforce the subject access requests despite the motive of the data subjects.

Neither the Data Protection Act nor the ICO’s subject access code of practice provides that data subjects have to inform the data controller of their reason for making the subject access request, or what they intend to do with the information requested. There is no “no other purpose” rule which would allow a data controller to refuse to respond to a subject access request if the data subject proposes to use the information obtained for a purpose other than verifying or correcting the personal data held about them.

It follows that the intention of the data subject to use the personal data for the purpose of litigation proceedings cannot be used by a data controller to avoid complying with a subject access request.

The decision of the Court of Appeal finds in favour of the data subjects and serves as a warning to data controllers that significant effort may be needed in responding to subject access requests. Data controllers should also bear in mind that following the implementation of the GDPR in May 2018 there will be less time to comply with subject access requests – the GDPR requires that information must be provided without delay and at the latest within one month of receipt rather than the current 40 days. It is prudent for data controllers to be reviewing their policies and procedures now to ensure that they will be able to comply with the GDPR once it comes into force.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com

Advertisements

Dynamic IP address can be personal data

Nigel Miller
Nigel Miller

Whether or not an IP address is “personal data” can be a crucial question because the answer determines whether or not the data is subject to the rigours of the EU Data Protection Directive (in the UK, the Data Protection Act).

An IP address is a number used to identify a device on a network. An IP address can be “dynamic” or “static”. A static IP address remains constant and does not change every time the device connects to the Internet. In contrast, the more usual dynamic IP address changes each time a new connection is made.

It has long been agreed that static IP addresses are personal data because they enable a link to be made with a particular device for profiling. IP addresses enable an individual to be “singled out” (even if that individual’s real-world identity remains unknown).

In its early opinion 4/2007, the Article 29 Working Party accepted that an IP address, for example, for a computer in an Internet café used by many people may not identify any particular individual. In other cases, however, the IP address can be associated with a particular user if for example there is a log of who used the computer at the relevant time. The Working Party therefore concluded that all IP information should be treated as personal data, “to be on the safe side”.

The question of whether a dynamic IP address can be “personal data” was less certain.

Patrick Breyer v Bundesrepublik Deutschland

The Court of Justice of the European Union (CJEU) has now ruled that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.

While a dynamic IP address alone may not directly identify an individual, when combined with other information a dynamic IP address could be used to identify the individual user.

The question before the Court was whether a dynamic IP address can be personal data if the relevant additional information is in the hands of a third party (an internet service provider).

The case was brought by a politician, Mr Patrick Breyer, against the Federal Republic of Germany seeking to prevent them from storing, or arranging for third parties to store, his IP address from when he consulted publicly accessible websites of German Federal institutions. Mr Breyer claimed that IP addresses qualify as personal data under data protection laws; and therefore that consent was needed for processing such data.

If a user of a website reveals his identity on the website, for example by completing a form, then the IP address is certainly personal data because the operator of that website is able to identify the user by linking his name to his computer’s IP address.

However, if the user does not reveal his identity, the IP address alone does not enable the user to be directly identified. The website operator can identify the user only if the information relating to his identity is communicated to them by his ISP.

The court decided that the fact that the additional data necessary to identify the user are held, not by the website operator, but by the user’s ISP does not exclude dynamic IP addresses from being personal data. The question is whether the website operator has a legal way to obtain the additional data from the ISP. In that case it was decided that the Federal Republic of Germany did have a legal means to obtain the necessary additional information from the ISP and therefore the raw dynamic IP address data should be regarded as personal data.  For information to be treated as “personal data”, it is not necessary that all the information enabling the identification of the data subject must be in the hands of one person.

Comment

The Court has decided that a dynamic IP address could – but will not always necessarily – constitute personal data. In light of this decision, businesses that have not up to now been treating dynamic IP addresses as personal data need to re-assess that position and may need to alter data compliance practices. This may for example impact businesses engaged in online analytics and targeted advertising.

It may be that the case highlights a possible difference between the UK Data Protection Act and the implementation of the Directive in other EU countries. In the UK, data is personal data if an individual can be identified from those data and from “other information which is in the possession of, or is likely to come into the possession of, the data controller”. Is data “likely” to come into the possession of a data controller where the only way for him to obtain it is to ask for it?

All this will soon become academic as, looking ahead to May 2018, the General Data Protection Regulation (GDPR) specifically includes online identifiers, such as IP addresses, in its definition of “personal data”. It’s not that the position is now beyond doubt, it’s just that the nature of the question is changing …

 

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

Data, duties and directors

Jessica Calvert
Jessica Calvert

The ICO blog recently reported that of the £2.7 million worth of fines issued in relation to nuisance calls since April 2015, only 6 of the 27 fines issued have been paid, leaving a total of £2.26 million penalties unpaid. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) contain powers for the ICO to fine companies which make marketing calls and texts, where the recipients have not consented to be contacted.

Recent fines that have been issued include:

  • a £70,000 fine to London based Nouveau Finance Limited, a company that sent 2.2 million spam text messages without consent from the recipients;
  • a £30,000 to Assist Law, a will writing firm in Weston-Super-Mare for making unsolicited marketing calls to persons registered with the Telephone Preference Service (TPS) for over a year.

Many of the companies fined however have so far avoided paying the fines by filing for insolvency. As the regulator put it “leaving by the back door as the regulator comes through the front door”.

At present the ICO can issue fines of up to £500,000 where there has been a serious contravention. These can be imposed on any legal person (e.g. a business or charity, or an individual), however there is no specific right to fine the directors responsible for such companies. A change to legislation is expected in Spring 2017 which will introduce fines of up to £500,000 for directors of nuisance marketing firms, and hopefully break the cycle whereby the same directors continue to operate under a new company.

The change in law should also be noted by all directors that fall within the remit of the Data Protection Act 1998 (“DPA”), if not the Privacy Regulations, as there is a clear move being made to seek to penalise those accountable for breaches relating to personal data. Points worth noting are:

  • The ICO have the power to fine directors for breaches of the Data Protection Act where breach can be shown to have occurred with a director’s consent, connivance or neglect;
  • Under the GDPR fines of value up to 4% of annual worldwide turnover, or 20 million euros, whichever is greater, will be possible;
  • When the GDPR is enacted data processors as well as data controllers will also be caught; and
  • Breach of general director duties to act in good faith, in the best interests of the company, and to exercise reasonable care, skill and diligence could result in an action for damages, termination of a directorship, or disqualification as a director.

Jessica Calvert is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jcalvert@foxwilliams.com

ICO reports its own data security breaches

Josey BrightAn article in the Evening Standard last week revealed that the ICO has investigated itself in a number of complaints made against it since 2013, at least 11 of which have been upheld.

Seven of the complaints resulted in the ICO being ordered to take action to prevent further breaches, two with compliance advice being given, and two with concerns being raised.

There were also at least three occasions where the ICO’s own staff reported themselves to the Information Commissioner for accidental breaches of individuals’ personal data, although the Information Commissioner ruled that there was “no detriment” to anyone arising from the self-reported breaches.

The ICO’s internal investigations were revealed following a Freedom of Information request made by Liberal Democrat peer, Lord Paddick. In a letter to Lord Paddick’s office, the ICO’s lead information access officer, Ian Goddard, said: “We oversee the Data Protection Act 1998 but we also have to comply with its requirements. This means that on occasion we will have to self-report to ourselves in our capacity as a regulator. It also means that individuals can raise complaints about us, to us, in our capacity as a regulator.”

The article serves as a reminder that, from 25 May 2018, when the General Data Protection Regulation (“GDPR”) comes into force, it will be mandatory to report data breaches. Currently, under the Data Protection Act, it is not compulsory for data controllers (excluding telco’s) to report breaches of data security to the ICO although ICO non-binding guidance recommends that serious breaches should be brought to its attention.

Under the GDPR, organisations will be required to notify the ICO of a data breach without undue delay and where feasible, within 72 hours. In addition, data processors will be required to notify data controllers of a data breach. Failure to report a breach could result in a fine, as well as a fine for the data breach itself. With the maximum fines under the GDPR raised to the higher of 4% of annual worldwide turnover or 20 million euros, organisations should ensure that they have the right procedures in place to detect, report and investigate a personal data breach.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

Appointing a Data Protection Officer: practical points

elisabettaWith the implementation of the General Data Protection Regulations (“GDPR”) companies are expected to put in place clear governance measures to ensure compliance. Amongst other things, these measures include the minimisation of data protection breaches and the strengthening of internal policies and training procedures. This may also involve the appointment of a Data Protection Officer (“DPO”). Set out below some practical points companies should consider when appointing a DPO.

Managing the DPO appointment process

This new requirement left most companies with a number of questions relating to the appointment of a DPO, including:

  • Timeline for appointments
  • Obligation to appoint a DPO
  • Qualifications required by a DPO
  • Tasks of a DPO
  • One individual to represent the companies of a group of undertakings (“Group”)
  • Existing member of staff or external candidate and type of contract

Timeline

Companies are not required to comply with the GDPR until the 25 May 2018 and until then there is no obligation to appoint a DPO. Although the deadline seems somewhat remote, companies should take into consideration the timeframes required (i) to find the appropriate candidate with the right qualifications to fulfil the role; and (ii) to approve headcount. Further, should a company decide to appoint an existing member of staff, appropriate training must be arranged and this may take time.

Obligation to Appoint

Article 37(1) sets out instances where companies are under a strict obligation to appoint a DPO. These are when the processing:

  1. is carried out by a public authority (except for courts acting in their judicial capacity);
  2. requires regular and large scale systematic monitoring of individuals (eg. online behaviour tracking); or
  3. consists of large scale processing of special categories of data (such as data that reveals racial or ethnic origin, political opinions, religious beliefs etc.) or data relating to criminal convictions and offences.

Qualifications

The GDPR does not expressly set out a list of compulsory qualifications required by a DPO, but Article 37(5) provides that a DPO must be appointed on the “basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art 39”. As such, it would be reasonable for a company to assess its needs based on the type of processing it carries out and the protection the data processed requires when assessing the level of qualification expected of a DPO.

Tasks

The tasks of a DPO are set out in Article 39 and include:

  1. informing and advising the company and employees about their obligations under the GDPR and data protection laws;
  2. monitoring compliance with GDPR and other data protection laws (eg. training of staff, internal audits, managing internal data protection activities, data protection impact assessments etc.); and
  3. cooperating with supervisory authorities and becoming their first point of contact.

One Appointment for the Group

When it comes to group enterprises, the GDPR allows for one single individual to be appointed as the DPO for the whole Group, being the Group’s companies located in the EU and/or outside of the EU. More particularly, Article 37(2) states that “a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment”.

Internal or External Candidate

Companies may decide to appoint an existing member of staff as their DPO, provided that no conflict of interests arises, or decide to hire someone external. The DPO may be employed or hired on a service contract basis. However, the costs of selecting an internal candidate and training them must be balanced against the costs of recruiting someone external.

Although a company may save some money when appointing an existing member of staff rather than going through the often laborious and expensive recruiting process, it is important to balance costs and convenience against the benefits of selecting a candidate with the right level of experience and knowledge in order to provide the company with the adequate compliance program that could successfully sustain the regulatory checks of the supervisory authority.

Whilst hiring a DPO will become something that most companies will have or will decide to comply with, it is worth considering that becoming a DPO carries certain responsibilities that could reduce the appeal for such role. Being responsible for the company’s potential penalty of up to 20 million Euros or 4% of the organisation’s worldwide turnover for non-compliance, might not be so appealing to an individual that does not have the required expertise to ensure the company’s compliance with the GDPR.

Securing the right level of protection your company requires based on your activities should be a priority and one that does not need to wait until May 2018.

Elisabetta Elia is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at eelia@foxwilliams.com