DP, IP, the UK and Brexit: The Great Data Protection Law Reform Saga of 2012-8 (?)
Lilian Edwards, Professor of E-Governance, University of Strathclyde
@lilianedwards

The GDPR, Brexit, the UK and adequacy


A. From the DPD to the GDPR

• Directive 95/46/EC of the EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the DPD). Human rights based: much case law now draws on the EU Charter of Fundamental Rights and the ECtHR as well as the European Court of Justice.
• Intended to address computerisation/databases but NOT the Internet.
• Implemented in the UK by the DPA 1998 and many SIs.
• DPD extended to deal with technological challenges, eg spam, cookies, location data, by the Privacy and Electronic Communications Directive 2002/58/EC, revised Oct 2009, in force May 2011 (the "cookie" or E-Privacy Directive) (UK: PECD Regs).
• Reform by the General Data Protection Regulation (GDPR), plus a Directive on policing: 1st draft, 25 Jan 2012; political agreement on the compromise text, Dec 2015; official text published May 2016.
• A Regulation has DIRECT EFFECT, so member states (MSs) do not transpose it; it applies from May 2018, giving 2 years to prepare. The ICO says the UK is on track.
• ? Would a post-Brexit UK implement the GDPR?

Key Definitions in the DPD – art 2 (and UK DPA 1998 s.1)

• "Data" (the UK DPA 1998 s.1 wording) means information which is being processed by means of equipment operating automatically, or is recorded with the intent that it should be processed by this equipment, or is recorded as part of a relevant manual filing system. (On how far "processing" reaches, see the ECJ case Lindqvist.)
• "Data controller": a person or company who determines the purposes and means of the data processing.
• "Data processor": the person who processes the data on behalf of the data controller.
• "Data subject" is defined in art 2 as part of the concept of personal data.

Personal data

• Scope of the DPD is restricted to "processing" of "personal data" = "information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (art 2(a)).
• + see recital 26: identifiability is judged by "all the means likely reasonably to be used" by the controller or by any other person.
• "Processing" – very widely defined (art 2(b)): any operation performed on personal data, including collection, storage, disclosure and erasure.

DPD Principles (primarily art 6; the eight UK DPA 1998 principles track them)

1. Personal data shall be processed lawfully and fairly ("collection limitation") (-> grounds including consent).
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes ("purpose/use limitation").
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Personal data shall be accurate and kept up to date where necessary ("data quality").
5. Personal data shall not be kept for longer than is necessary for the purpose of processing ("retention").
6. Personal data can only be processed in accordance with the rights of the data subjects ("openness") (eg SARs).
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing ("security").
8. Data export principle – EU personal data only to be exported outside the EU to countries with "adequate" privacy protection.

(Not) Key reforms under the GDPR

• Principles – added principle of minimisation of data processed (art 5(1)(c)); and accountability principle for DCs (art 5(2)) (general notification to the DPA dropped).
• (?) Personal data – not much change to the definition in the articles, but cf recital 26 and "singling out"; however a new category of pseudonymous data is introduced (art 4(5); still personal data) (UK – more restrictive definition?).
• (?) Data controller/data processor – some changes to increase control over cloud providers by the DC (art 28 now imposes obligations on processors directly).

Key reforms under GDPR – 1. Consent

• DPD, art 2(h): "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
• No explicit definition in the UK DPA.
• GDPR art 4(11) adds "unambiguous", and revocability as a key aspect of valid consent (GDPR art 7(3)).
• And "a clear affirmative action", ie silence is not acceptance.
• Arguably new(er) requirements in the GDPR (art 7(2) and (4)):
– written consent to processing should not be "bundled", ie one consent to everything at once;
– consent is not free if tied to providing a service but the processing is not necessary for that service (cf FB etc).
• BUT
– NOT required that all consent be "explicit" – sensitive PD only;
– NOT explicit that consent is void if there is a "significant imbalance of power";
– privacy icons NOT required for policies but are encouraged.

New user rights – 2. Right to be forgotten (RTBF)

• GDPR, art 17. Right of the DS to "obtain from the DC the erasure of personal data" if:
– data no longer necessary for the original purpose;
– DS withdraws consent;
– DS objects to their PD being used for profiling;
– the data have been "unlawfully processed".
• Aimed at hosts/publishers, inc social networks, cloud hosts. NOT JUST SEARCH ENGINES – see Google Spain v Costeja.
• Exceptions – see art 17(3):
– freedom of expression;
– archives, historical, statistical and scientific research? (cf Wikipedia on criminal convictions);
– for proof in legal claims.
• Not liked in the UK: HL EU Committee report, 2014 (re Google Spain).

3. Right to data portability

• Right to data portability, ie for the DS to get a copy of their data to take elsewhere (GDPR art 20) "in a structured, commonly used and machine-readable format".
• Also a right to have such data transmitted directly from company A to company B "where technically feasible".
– Aimed at breaking "lock in" to sites like Facebook – network effects.
– Some see it as an additional burden for service providers.
– But the UK has promoted it as a new market opportunity for infomediaries.
– UK MiData initiative – mainly re energy companies, also banks, mobile phone companies – see Enterprise & Regulatory Reform Act 2013 – powers held in reserve, not yet implemented.

Increased enforcement – 1

4. Mandatory security breach notification (GDPR arts 33-34).
• Already introduced for telcos/ISPs by the E-Privacy Directive art 4(3) (as amended 2009).
• Devil in the details:
– what triggers it (all PD breaches "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons" – data encrypted or pseudonymised?);
– tell the DPA – for the UK, the ICO;
– communication to individual DSs only if "high risk" to the above;
– how long after becoming aware of the breach before notifying (art 33: without undue delay and, where feasible, within 72 hours);
– parallel notification under the EU Network and Information Security Directive (NIS) likely (affects non-PD breaches as well).
• How effective? US and Japanese experience found SBN not that helpful. Lack of US-style class action rules, though Vidal-Hall v Google may help.

Increased enforcement – 2

5. Penalties
• The GDPR originally suggested penalties of up to €1 million or up to 2% of the global annual turnover of a company. The EU Parliament suggested 5% of turnover, up to €100 million.
• Final GDPR – two levels (art 83):
– up to €10 million or 2% of annual global turnover;
– up to €20 million or 4% of global turnover for more severe infringements.
• Cf USA – big privacy breach cases, large FTC fines: 2012, Google fined $22.5m (but less than 1 day's profit); FB, 2012, no fine but $16,000/day per violation of the agreed privacy settlement & 20 years of audits.

New approaches?

6. "Privacy by design and default" etc
• Mandatory! "the controller shall.. having regard to the state of the art and the cost of implementation" (art 25):
– implement "technical and organisational" measures to implement the DP principles.
• Art 35: DP impact assessments – if "high risk" processing, esp using "new technologies", a DPIA is to be carried out before processing.
– Esp likely for automated profiling systems, or "systematic monitoring" of publicly accessible areas (art 35(3)).
– Little enthusiasm from the private sector.
– BUT the UK ICO has led the EU on PIAs?

Effect of non-implementation of the GDPR?

• Adequacy
• GDPR art 45 – EU personal data can only be transferred to third countries where the Commission has decided there is an "adequate level of protection".
• The US avoided this with the Safe Harbor agreement but..
• Hard line on this from the EU since Schrems (CJEU, Oct 2015, C-362/14):
– DP has the status of a fundamental right, therefore review has to be strict;
– "adequate" does not mean identical to EU law but "essentially equivalent";
– vital for state authorities to be bound as much by the guarantees as private actors;
– derogations on grounds of state security are possible but must not be vague, must pass a necessity & proportionality test and must give redress rights to EU subjects.
• Concerns continue into Privacy Shield (EDPS, A29WP etc).
• Tweaks to the GDPR unlikely to violate "adequacy", but the Investigatory Powers Act 2016?

Investigatory Powers Act 2016

• Likely issues in the IP Act? "one of the most extreme surveillance laws ever passed in a democracy"
– Collection of bulk personal data sets.
– Internet Connection Records.
– Bulk retention of metadata (eg web traffic for a year for all users) (cf DRI Ireland, CJEU, 2014 vs Davis/Tele2, CJEU, AG Opinion July 2016 – judgment due 21 December). The Opinion laid down 5 stringent conditions for general retention to be legal.
– "Equipment interference" (legalised covert state hacking).

Alternatives to "adequacy"?

• Explicit consent of the DS (art 49(1)(a)).
– But (recital 111) only where the transfer is "occasional" and "necessary"; and where other grounds aren't useable (rec 113).
• Standard contractual clauses (SCCs) (art 46).
• Binding corporate rules (BCRs) (art 47).
• Special adequacy decision, eg Privacy Shield.
• However:
– All but BCRs are under challenge, and BCRs are of limited application (intra-company transfers).
– DRI vs Privacy Shield (CJEU, Sept 2016).
– Irish DPC commenced Irish High Court proceedings in May 2016 seeking a reference of the SCCs to the CJEU – Ustaran: "The prospect of the standard contractual clauses being declared invalid is the Armageddon of lawful global data flows."