Comprehensive Overview of GDPR and Information Law Updates
This content delves into the implications and obligations introduced by the General Data Protection Regulation (GDPR) and Information Law updates, emphasizing the increased responsibilities for data controllers, fines for non-compliance, and the criticality of data protection compliance in organizations. It also discusses core GDPR obligations, rights of data subjects, transparency requirements, lawful processing, and data security measures. The content raises thought-provoking questions surrounding liability in data processing and the impact of GDPR on data controllers.
Presentation Transcript
GDPR AND INFORMATION LAW UPDATE
Timothy Pitt-Payne QC, 27 September 2018
A perfect storm?
Arrival of GDPR (read together with new DPA 2018):
- more intense obligations for data controllers
- eye-watering fining regime: up to 20m Euro or 4% of global turnover
- ICO powers to issue processing limitations/bans
Result:
- DP compliance now top organisational priority
- non-compliant approach potentially critical or fatal to key projects
But note: compliance not a perfect safeguard:
- Various Claimants v Morrisons [2017] EWHC 3113 (QB): liability in group claim for innocent/compliant data controller/employer (subject to appeal to CA)
A burning question: would the outcome be the same under GDPR/DPA 2018?
GDPR Core Obligations
Lawful processing of personal data (Arts 5-11 and 22)
- additional protections for sensitive data (Arts 9-10)
Transparency in data processing arrangements (Arts 12-15)
- privacy notices (Arts 13-14); subject access (Art 15)
- general obligation to facilitate exercise of transparency rights (Art 12(2))
Data security (Arts 5(1)(f) and 32)
- duty to secure appropriate security: appropriate technical and organisational measures ("ATOMs")
Rights of data subjects
Transparency: privacy notices & SARs
- additional info in notices/SARs (including right to lodge complaint)
- SARs generally free of charge, but right to refuse requests which are "manifestly unfounded or excessive, particularly because of their repetitive character" (???) (Art 12(5))
Controlling processing:
- right to rectification of inaccurate data without undue delay (Art 16)
- right to erasure/right to be forgotten without undue delay (Art 17)
- right to object to processing: must be upheld unless DC demonstrates overriding, compelling legitimate grounds for processing (Art 21); automatic injunctive relief
- right to restrict processing on interim basis: (a) where accuracy challenged, pending verification by DC; (b) where Art 21 objection made, pending DC determination on objection (Art 18)
Lawful processing (ordinary data)
Compliance with data protection principles (Art 5)
Processing must meet an Art 6 legality condition, including:
- consent (Art 6(1)(a)) BUT consent is generally inapplicable in employment context because of power imbalance (recitals 32, 43 and 44)
- necessary for the performance of a contract to which the data subject is party (Art 6(1)(b))
- necessary for compliance with legal obligation (Art 6(1)(c))
- necessary for purposes of the data controller's or third party's legitimate interests (Art 6(1)(f)) (NB: inapplicable to public authorities, Art 6(1))
Necessity imports concept of proportionality (i.e. balancing of rights and interests); proportionality of approach is a central concept in GDPR
Sensitive data (Arts 9 and 10)
General prohibition on processing SCD (Art 9(1)) unless it meets an Art 9(2) condition, e.g.:
- consent (but again generally inapplicable re employment) (Art 9(2)(a))
- necessary for purpose of carrying out obligations/exercising rights of the data controller or data subject in field of employment (Art 9(2)(b))
- necessary for establishment/defence of legal claims (Art 9(2)(f))
- necessary for substantial public interest purposes (Art 9(2)(g)): see DPB, s. 10 and Schedule 1 for relevant provisions/safeguards
General prohibition on processing convictions/offences data unless authorised under Union or Member State law (Art 10): see DPB, s. 10 and Schedule 1 for relevant conditions/safeguards
See also general ban on automated processing with significant legal effects (Art 22): could include automated e-recruitment (recital 71)
Data processors
Definition (Art 4(8)): data processor = person processing data on DC's behalf (does not include DC employees)
Duties: general obligations:
- to enter into contract with DC (Art 28)
- to act only in accordance with DC's instructions (Art 29)
- to ensure data security (Art 32)
- to appoint a DPO where necessary (Art 37)
- duties re sub-contracting (Arts 28(2) and (4))
Re attribution of liability (Art 82(3)): DC and processor have a defence to a compensation claim if they can prove they are not responsible for the event giving rise to the damage
Exemptions
Art 23: general power to enact domestic legislation to restrict rights/obligations, e.g. to protect rights and freedoms of others
Data Protection Act 2018, cl. 15 and Schedule 2, see e.g.:
- prejudice to criminal law enforcement
- legal proceedings/advice
- protection of the public
- protecting regulatory processes
- protection of third party individuals
- protection of LPP
- protection of management forecasts/planning
- negotiations with the data subject
- confidential references
Enforcement
Judicial enforcement (see Art 79), e.g.:
- injunctive relief and/or compensation claims (see further Morrisons)
- rectification claims
Regulatory action (see Arts 58 and 83):
- investigatory powers (includes powers to compel provision of information/access to premises)
- issue warnings/reprimands
- issue enforcement notices requiring compliance (including bans)
- order rectification
- substantially enhanced fining powers
Risk of dual enforcement: potentially business critical/fatal
Note criminal offences in DPA 2018
Morrisons: the Facts
- senior internal IT auditor, unhappy about disciplinary process/verbal warning, harbours secret grudge
- given access to payroll data relating to M's entire workforce (120,000 people) as part of statutory audit process (addresses; phone nos; bank account details; salary info)
- as an act of retaliation, copies the data from work laptop; then weeks later, whilst at home using personal devices, uploads data re 100K employees to internet (via Tor)
- sentenced to 8 years; sentencing judge finds M the principal intended victim
- ICO investigates, finds no breach by M
- group claim brought by 5,500 affected employees (lawyers on CFAs): distress compensation only; if group succeeds, potential claimant cohort of 100,000
- HC lists trial on liability only (re 10 lead claimants; remainder of claims stayed)
Judgment on absolute liability claim [37-65]
Absolute liability case legally unsound:
- M did not authorise or facilitate Skelton's criminal misuse of the data
- AS not acting as M's agent in context of criminal attack: acting as a third party data controller re data he misused; M not a data controller in respect of that data; M only a data controller re data it practically controlled
- M did not, in its own capacity as DC, breach any of the DPPs relied on
- CL/BOC claim failed for same reasons
Judgment on DPP7 breach claim [83-125]
No breach of DPP7 (save in one causally inconsequential respect):
- Tor detection claim: monitoring to achieve detection would itself have been unlawful (breach of AS's privacy rights; see Barbulescu v Romania; potential constructive dismissal)
- data deletion: M ought to have done more to ensure deletion from AS's laptop, but causally irrelevant, as AS's criminal copying of data was effected whilst conduit role ongoing and hence before issue of deletion arose
- the AS risk factor: the fact that AS had expressed disgruntlement about disciplinary process gave no proper basis for M treating him as posing a risk/adopting special measures; adoption of special measures would itself have been unlawful (giving rise to constructive dismissal situation)
What about FOIA?
- Easy to overlook in view of emphasis on GDPR developments?
- How will the FOIA personal data exemption in s40 operate post-GDPR?
- How will the EIR operate after Brexit?
- Some recent cases in relation to costs/vexatiousness:
  - Kirkham [2018] UKUT 126
  - Ashton [2018] UKUT 208
  - Oxford Phoenix [2018] UKUT 192