THE INFORMATION COMMISSIONER’S ROLE UNDER THE DPA

December 13th, 2011 by Rachel Kamm

An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers.  The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this“. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]“. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case.  Mr Justice Tugendhat commented that had  the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998, did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts and further that there be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm

THE EUROPEAN COOKIE MONSTER

July 19th, 2011 by Rachel Kamm

Here’s an update to my post of 5 June about the ICO’s guidance on obtaining the consent of users before ‘cookies’ can be placed on machines. The European Data Protection Supervisor, Peter Hustinx, gave a public lecture on 7 July 2011 on the privacy implications of online behavioural advertising. This included discussion of ‘cookies’. He commented that browser providers have developed opt-out solutions, whereas the ideal is to have privacy-by-default unless individual preferences are set using a “privacy wizard”. The lecture also suggested that recent speeches made by the European Commission’s Vice President, Neelie Kroes, raise doubts about the Commission’s position on the e-Privacy Directive’s requirements; the Commission has expressed support for initiatives which Mr Hustinx considers are in fact non-compliant.

COOKIE MONSTER

June 5th, 2011 by Rachel Kamm

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011 and amend the Privacy and Electronic Communications (EC Directive) Regulations 2003, which cover direct marketing by electronic means and the use of cookies.  

The amendments give the Information Commissioner new powers to  serve a monetary penalty on an organisation when very serious breaches of the 2003 Regulations occur and to investigate breaches of the 2003 Regulations by obtaining information from certain third party organisations.

They also introduce an additional requirement where a website uses ‘cookies’, which are small files of letters and numbers downloaded on to a device when the user accesses certain websites, which allow the website to recognise the device. Except where a ‘cookie’ is strictly necessary, websites will now have to obtain the consent of the user or subscriber before ‘cookies’ can be placed on machines.  The Information Commissioner has published guidance on the change to the rules. Organisations have 12 months from 26 May 2011 to make sure they comply with the new rules.  

The Information Commissioner has issued this statement about how he intends to approach enforcing the new rules and using the new powers.

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

November 15th, 2010 by Robin Hopkins

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.

NEW ICO CODE OF PRACTICE FOR PROCESSING OF PERSONAL DATA ONLINE

July 15th, 2010 by Robin Hopkins

The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

Paying for the ICO

October 2nd, 2009 by Timothy Pitt-Payne QC

Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.

The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.

A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.

An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.

 A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.

But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.

 

 

Bad Phorm?

April 16th, 2009 by Anya Proops

The European Commission has announced that it is mounting a legal challenge in respect of the use of targeted online advertising in the UK. The challenge follows complaints which were made to the Commission in response to BT’s act of testing the technology on BT broadband users without their consent. The technology, which is the brainchild of a company called Phorm, enables internet service providers (ISPs) to profile what sites internet users visit so as to enable advertising companies more astutely to target their adverts on individual users. The Commission has taken the view that the UK has breached EU data protection laws by permitting the deployment of the technology in the absence of user consent. The Information Commissioner’s Office has previously stated that the use of the technology would be permissible if operated on the basis that users have opted in to the system. The Commission’s challenge raises real questions as to the legality of Google’s recently launched behavioural targeting system. See further my post on this system below.

The Age of Internet Surveillance

April 6th, 2009 by Anya Proops

With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).