In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to £1m or 2% of a company’s global turnover. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

The Information Tribunal has disagreed with the Information Commissioner’s ruling, and ruled that, if the email still existed, it was still “held” and therefore the University should disclose the email or issue a valid refusal notice.

Whilst this ruling relates to the Environmental Information Regulations, it is based on the same principles as disclosures under the Freedom of Information Act 2000 and is an interesting precedent.

Whilst this ruling relates to the Environmental Information Regulations, it is based on the same principles as disclosures under the Freedom of Information Act 2000 and is an interesting precedent.

Paul Gershlick, Head of Pharmaceuticals and Life Sciences at Partner at Matthew Arnold & Baldwin LLP and a data protection law specialist, comments: “We need to understand the facts as the ICO sees them and then make a judgement, but such a large fine seems harsh given that the hospital appear to have been the victim and no data actually got into the public domain through the hospital’s action with the police when the items appeared on eBay. This action signals the tough intentions of the UK’s data protection regulator in dealing with data security breaches involving people’s health data.”

The ICO sets out a plan of 5 Es: eduate, empower, engage, enable and enforce. It is not purely about enforcement as it wants to educate and help too, but that is clearly the end result if there are problems. It wants to target its limited resources to the areas in which it perceives are the greatest need to act to protect individuals. It will consider the volume, nature and sensitivity of the data and the number of people affected. Ultimately, it will consider what is in the public interest.

The ICO wants to ensure that its activities are conducted transparently, proportionately, consistently, targeted and in an accountable way. It also wants to see a high proportion of the public aware of their privacy rights and how to enforce them.

The Information Rights Strategy can be found here: http://www.ico.gov.uk/about_us/plans_and_priorities/information_rights_strategy.aspx.

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

The changes to the guidance largely reflect the revisions made to the Privacy and Electronic Communications Regulations in May 2011, under which electronic communications providers must inform the ICO about all data protection breaches. The main difference is the recommendation to provide a monthly report rather than simply to maintain a record of breaches which can be audited by the ICO for compliance.

The fine follows a similar incident last year where public parts of a document about another child were sent to the same member of the public by the council. The ICO admonished the council, with the council promising to improve its processes.

In addition to the fine, the council has been ordered to retrain all staff in relation to data protection before the end of March 2012, with refresher training to follow every three years.

The “Article 29 Working Party”, which is a committee of national regulators from each EU State (including the UK’s Information Commissioner’s Office), will provide the basis for the new board. The board will offer support to each country’s regulator and, it is hoped, will bring about more harmonisation between the data protection laws in each Member State.

The ICO highlights that it believes the new framework must:

-          be clear and easy to understand and provide a cost-effective means of individuals exercising their rights;

-          set out a clear structure with overarching high-level principles based on risk, context and purpose with flexibility for enforcement bodies, rather than a prescriptive approach based on lists;

-          involve an obligation on organisations to carry out a private impact assessment where processing could have a significant or adverse effect on an individual, uses intrusive technology or creates a particular risk.

-          ensure that data processors are responsible and accountable, with the emphasis on the maintenance of standards rather than simply having a ‘process’ that complies with the law; and

-          allow the ICO more inspection and enforcement powers in both the private and public sectors with less emphasis on prior approval and authorisation of a data processor’s activities.

The ICO was critical of recent statements suggesting that consumers should have a “right to be forgotten” as it could mislead and create false expectations and be impossible to implement in practice.

The full text of the briefing can be found here.

The Information Commissioner’s Office (ICO) have been informed of the breach and the business secretary, or his office, could be liable for a fine of up to £500,000 if the ICO finds that data protection law has been seriously breached.

The report can be found here: http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/147302.htm.

Of particular concern in the pharmaceutical sector is that out of 47 undertakings that the ICO has agreed with organisations that have breached the Data Protection Act since April, 40% of those have been in the healthcare sector.

The ICO’s press release can be found here.

The ICO’s consultation document can be found here: http://www.ico.gov.uk/about_us/consultations/our_consultations.aspx.

The ICO has now completed the audit and has said that Google has taken ‘reasonable steps’ to improve its privacy policies and that it has taken action in all the areas in which it had agreed to do so. The ICO has now asked Google to continue its improvements and to better inform its users of its privacy policies.

The Article 29 Working Party’s opinions are not legally binding and they only represent the body’s own interpretation of data protection laws. However, they can be very persuasive and should not be ignored. It will be interesting to see what changes are made by the UK’s regulator, the Information Commissioner’s Office, to its stance on consent following this opinion. This can potentially affect a lot of businesses, particularly Internet ones.

The Article 29 Working Party opinion can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf.

The ICO highlighted one case where a member of staff left 29 patient records in a public place after taking them from the NHS premises. In another case, one NHS Trust sent details about a vulnerable adult to an engineering company. Five health organisations have signed undertakings, promising to improve their standards, but the ICO wants the rest of the health industry to take note.

The European Commission is now consulting with communications service providers, consumer groups, Member States and others on practical guidelines that would harmonise the rules across the EU. It has asked the following questions:

• How would organisations comply with the new notification obligation?
• What types of breaches should trigger individuals being notified?
• What means of notification should take place and what procedure should be followed?
• What information should be in the notification to the regulator and the affected individuals?

The consultation is open until 9 September and can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/887&format=HTML&aged=0&language=EN&guiLanguage=en..

Lancashire Police has agreed to take appropriate security measures to prevent data being accessed without authorisation, and it has also promised to conduct quality assurance checks before material is published on its website. It has further decided to implement a new policy for staff emphasising the importance of taking appropriate action to safeguard data.

The Regulations mean that, in basic terms, consent must be obtained from a website user before a website operator can place a cookie on the user – if a user refuses to give their consent, the cookie cannot be placed. Various means of obtaining consent have been suggested, but the ICO went for the straightforward route on its own website – a tick-box when you arrive on the website homepage telling you that, unless you give your consent, certain parts of the website will not work properly.

Under the Freedom of Information Act, a member of the public can request that certain information be disclosed by a public body. In this instance, a member of the public asked the ICO to disclose figures of who was giving their consent to the placement of the cookie. The information disclosed showed that 90% of users refused to give their consent. The cookie was a Google Analytics cookie and, as a result, 90% of users disappeared from the ICO’s analytics.

It’s easy to ignore this information – what would the ICO want this information for anyway? The importance, however, is in the fact that other websites who use cookies and have to ask for consent are likely to see a similar pattern, and those websites might use the information collected for advertising purposes – analytics for advertising may see the information they have to use drastically reduced, and many Internet businesses that rely on advertising for revenue may be operating at a handicap.

Information is key to the ongoing development of the advertising-run Internet, but also to the business that rely on the Internet for revenues, whether advertising based or not. A commercially viable option for obtaining consent to place cookies is an essential tool going forward for any Internet-dependent business.

The new law has been attacked for providing little privacy benefits to users, whilst adversely affecting their online experience and adding red tape and cost to website operators as well as potentially operating their viability with advertising revenue affected. This development will surely only add to those concerns.

The ICO has recently given website operators a one year window to comply with the new law, but has warned of action against anyone not taking appropriate steps to prepare. Meanwhile, the European Commission has now thrown down the gauntlet to industry to create industry standards by June 2012 that will create standard ways of gaining user consent to cookies. Neelie Kroes, a European Commissioner, has threatened to use all available means to protect citizens’ privacy if this does not happen. So far, only six countries (including the UK) across the European Union have implemented the new cookies opt-in law.

If you would like to discuss what options you have in order for your business to comply with the Regulations, please contact us on mark.weston@mablaw.com, paul.gershlick@mablaw.com or simon.weinberg@mablaw.com.

CCTV images can be considered as personal data, and the ICO’s action came after CCTV footage of a shopper from the website was posted on YouTube. The ICO has made it clear that such disclosure of personal data should take place only where ‘necessary’ i.e. for the purposes of crime detection, rather than just for entertainment, as it was here.

The ICO criticised Internet Eyes for not encrypting CCTV images it shared with its members, and it was also not tracking member activity meaning that it could not trace who had posted the video on YouTube. The ICO has made sure that the website has signed an undertaking to ensure encryption and sufficient tracking, and has also requested that the website not allow a member to access CCTV footage taken within a 30 mile radius of the member’s registered location, in an attempt to decrease the likelihood that those people visible in the footage are identifiable to a particular member.

It is an offence under the Data Protection Act to knowingly or recklessly obtain personal data without consent. The data was important to T-Mobile and its competitors as it contained details of names, addresses, telephone numbers and customer contract end dates. This is the first time the Information Commissioner has sought a confiscation order under the Proceeds of Crime Act. That is where an order is made to deprive the wrong-doer from any benefit he has received from the crime.

The Information Commissioner has hailed the result in this case as marking a new chapter in deterrents against misuse of personal data. This case proves that there will be an audit trail and his office will try to find what has happened to it, and will take appropriate action, according to the Commissioner. The fine is the largest ever for employees who have stolen personal data for their own gain.

The technology automatically recognises users in photographs where a person in the photograph has been ‘tagged’ and then applies the technology to other photographs to automatically suggest a name to tag the person in the photograph, but without the subject’s consent. The technology has been switched on but as far as the user’s privacy settings are concerned, this has been done on an ‘opt-out’ rather than ‘opt-in’ basis.

The concern stems from the fact that Facebook has not told users how the information collected by the technology will be used nor obtained prior consent, and the fact that privacy settings are not as clear as they might be. The use has been criticised by the European Union’s Article 29 Working Party, which represents the ICO and its counterparts across the EU. The ICO has suggested that users should be given more information about the technology and the ability to refuse consent to its use in relation to their profile.

Having made the first serious mistake, the Council was criticised by the ICO for then failing to implement sufficient training and procedures before two further mistakes occurred. One involved distributing confidential personal data to people who had subscribed to the Council’s newsletter, and in the other a family support worker sent an email with sensitive personal data to the wrong email group.

This is the largest fine since the ICO acquired the right last year to fine data controllers up to £500,000 for serious breaches of the Act.

The guidance lists a number of questions an organisation must ask before it shares personal data, such as:

• whether an individual is likely to be damaged by the data being shared;
• whether an individual is likely to object to the data being shared;
• whether the organisation’s objective can be achieved without sharing the data or some of it; and
• whether the organisation has the legal power to share the data.

Under the guidance, the organisations sharing data also need to perform their own analysis as to whether they need to inform the relevant individuals that the data has been shared. The Act requires organisations to give and update users with privacy statements of what data is collected about them and how it is used, including the type of organisation which it is disclosed to and for what purpose. Similarly, the ICO said that organisations should assess whether they need to update their notifications (which are commonly called registrations) with the ICO when they share data, as failure to keep up-to-date the notification is a criminal offence.

The ICO said that the guidance should be relevant to the sharing of personal data between data controllers. Sharing data between a data controller and a data processor is permitted under the Act provided that the data controller has certain safeguards stipulated in the Act when using a processor to process data on its behalf (such as having a written contract under which the processor agrees only to process the data in accordance with the controller’s instructions).

The guidance is likely to be most relevant to public bodies, such as local authorities sharing data with charities to which they have outsourced welfare work in the local community. The guidance also gives details of:

• how to respond to freedom of information requests if the organisation is in a data sharing agreement; and
• how and when to keep records of data sharing.

Under the FOIA a person can request details from a public authority as to whether the public authority holds certain information and, if so, to have that information disclosed to them. Under the FOIA such information is exempt from disclosure if disclosure would contradict any of the data protection principles.

In this case, the All Party Group asked for information from the Ministry of Defence regarding treatment of people detained at war in Afghanistan and Iraq. The Upper Tribunal ruled that the disclosure of anonymised personal data could not for the purposes of FOIA be considered the processing of personal data as the recipient would not be able to identify any of the persons to whom the data related, and as such the data protection principles did not apply. This was despite the fact that the discloser still owed the people whose data was anonymised duties as data controller under the DPA.

Geo-location services involve any services related to the actual location of a particular device, and the people linked to that device. The services may be used in any number of growing ways, such as for tagging where a photograph was taken, providing useful information for users as to where a local service such as a restaurant is located, recovering lost or stolen items, identifying where children are or whether friends are nearby. Geo-location data can be gathered in a number of ways, such as through GSM base stations, GPS, WiFi and RFID readers.

The Working Party’s findings are particularly strict and may affect a range of different types of organisation, from network operators to controllers of geo-location infrastructure (such as WiFi access points), to application providers, through to social networking sites that provide location-based functionality for mobile devices. The Article 29 Working Party’s opinion is not legally binding, but it is best practice to do so as it is the body of the European Union’s data protection regulators and so it strongly indicates how the regulators will interpret compliance with data protection legislation.

The change reflects EU legislative changes, but after considering the issue over the last couple of years, the Government has suddenly given website operators the news that they had been dreading just before the 26 May deadline: it will not be enough to obtain consent automatically on a general basis through their users’ browsers; other steps will be needed.

This has led to concerns as to how it will affect the user-friendliness of sites. But the law is clear – consent is needed. How to show consent is not clearly set out in the new law. The Information Commissioner’s Office has provided some guidance with suggestions. The type of consent the user must give will vary according to what the cookie contains, at what point in the process it is placed and also according to what the user may already have agreed to.  See here. However, the guidance does not give totally definitive answers.

We have already been advising clients on how to comply with this new law and have come up with some practical suggestions of our own. If you would like to obtain our advice, please contact us on mark.weston@mablaw.com or paul.gershlick@mablaw.com.

UPDATED 26 May: The Information Commissioner stated on 25 May, the day before the law comes into force, that although the law will still come into force on 26 May, his office will not take enforcement action for the first year following implementation against a site not obtaining consent to its use of cookies, provided that the site still provides clear information on the cookies used and it uses a brower-led solution by 25 May 2012.  In the meantime, the Commissioner will be working with Internet browser providers to find a technical solution so that browser-led consent can be provided within that timeframe. 

If websites can obtain consent through other means in the meantime, that would still be preferable, particularly as some people may not access a website through a browser and they would still need to give consent to cookies.

As part of the reforms, the ICO will also be given greater investigatory powers, under which the ICO will be able to demand information from Internet service provides (ISPs) and telecommunications companies to assist with investigations into possible breaches of the Regulations. The ICO will also be able to audit ISPs and telecommunications companies to ensure that they assist the ICO in these investigations.

The Information Commissioner, the Information Tribunal and now the High Court have ruled that the Department’s approach was wrong. The refusal should not have taken place. The data was totally anonymised when published. This would not have identified the personal details of the individuals involved, as that information would not have been made public. Therefore, no personal data would have been disclosed. To decide otherwise would nullify the chance of any anonymised data ever being published.

However, the Information Commissioner – the regulator in charge of regulating data protection issues in the UK – has criticised the move. He argued that there would be confusion caused by the overlap between his role and the new regulator. He also queried why the new code would only apply to local authorities and police rather than the private sector, especially when so many of the car parks are monitored by private companies that provide services for the public sector.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “It is clear from the fines that the regulator has issued since the introduction of their new powers to fine £500,000 for serious breaches of the Data Protection Act, that they are looking to clamp down on unencrypted laptops, even if they are password-protected. This happens a lot. What should concern anyone that processes data about people is the way in which the regulator also seems happy to dish out fines to organisations that use other service providers to help with the processing of their data. This may apply to anyone who has a website hosted, outsources payroll, or any other outsourced service.”

Simon Weinberg, a solicitor at Matthew Arnold & Baldwin LLP, comments: ‘The fines send a strong message to anyone handling data that not only do new fining powers exist for breaches of the DPA but also that the ICO is actually willing to use those powers. They highlight two things in particular that the ICO will not tolerate: poor care over particularly sensitive data (such as child abuse in the Council’s case) and the common mistake of failing to encrypt laptops that contain personal data (in A4e’s case).’