By Felicity McMahon
Date of Publication: 28 Jan 2015
28th January 2015 is Data Protection Day (Data Privacy Day outside Europe). With data protection set to be of growing importance in 2015, below are a few of the key issues businesses, lawyers, and the general public are likely to face over the coming year.
A new General Data Protection Regulation? Since 2012 the EU has been seeking to negotiate and implement a new Data Protection Regulation to replace the Data Protection Directive which dates from 1995, and which in the UK was implemented by the Data Protection Act 1998 (“DPA”). Agreement on some issues has been reached, and there is now significant momentum within the EU institutions to reach total agreement – with the President of the European Commission stating that the Regulation should be finalised during the first quarter of 2015. Key issues still to be decided include, for example, the definition of consent. So whether this timetable is achievable remains to be seen.
Once agreed, the Regulation will not come into force for another 2 years. However, it will make some important changes to the law, so businesses will need to use that time to ensure they are fully compliant when the time comes. Likely changes include:
- a broadened definition of “personal data”;
- a changed definition of “consent” leading to the need to consider whether “opt-in” and “opt-out” approaches to getting consent remain compliant;
- a requirement for many businesses to appoint a Data Protection Officer;
- larger potential fines for data breaches;
- more onerous reporting requirements where a data breach occurs;
- changes to how anonymised data can be used;
- a legislative basis for the “right to be forgotten”.
The scope of the “right to be forgotten”: Since the Google Spain decision, analysed on the 5RB website here, a huge number of people have made requests to Google and other search engines for the removal of data about them which they say is no longer relevant. Google have responded by setting up a team to process such requests and an Advisory Council to consider how to balance the right to be forgotten and the public’s right to information.
An important remaining battleground is whether search engines need to remove offending results only from their EU-based websites (e.g. google.co.uk, google.fr) or from their sites worldwide, in particular google.com. The EU’s Article 29 Working Party issued guidance in November 2014 stating that results ought to be de-listed from .com domains too in order to comply with the CJEU ruling. And a court in Paris held in September that links to defamatory material should be removed from Google’s worldwide sites, on penalty of fines payable by its French subsidiary. Google has so far resisted this move to implement the “right to be forgotten” on a global scale. Whether European data protection rules should be or can be imposed on the rest of the world will be a key question for 2015.
Using data protection to remove defamatory material: The DPA allows an individual to seek to prevent a data controller from processing data about him or her which is inaccurate. Whilst there has been a lot of media focus on individuals seeking removal of out-of-date data (see above), seeking removal of inaccurate data is also likely to prove a useful tool for those faced with inaccurate and potentially defamatory material posted about them. A case was brought on this basis against Google, but settled in late 2014 – a case report on the early stages of Hegglin v Google can be found here. It is unlikely to be the last case of its kind.
The scope of compensation available under the DPA: Section 13 DPA allows individuals to obtain compensation for failures to comply with the Act which cause “damage”. Compensation is also available for “distress” but, in most cases, only if the person who has suffered distress has also suffered “damage”. This begs the question: What is the scope of “damage”? Tugendhat J took the preliminary view in Vidal-Hall v Google that damage could include non-pecuniary damage. However, the Upper Tribunal declined to follow that approach to “damage” when looking at another section of the DPA in IC v Niebel. If compensation is indeed available in situations where an individual has not suffered any financial loss, it may make a claim in damages under the DPA viable in more situations than previously anticipated.
Who can take advantage of the journalism exemption? Section 32 DPA provides an exemption from certain requirements of the Act where the data processing takes place with a view to the publication of journalistic material (there are also requirements for a reasonable belief that publication would be in the public interest and that compliance with that provision is incompatible with the special purposes of journalism). In a case brought against NGO Global Witness by Benny Steinmetz, the ICO made an assessment under the DPA, deciding that Global Witness was covered by the exemption. Confirmation that the journalism exemption applies beyond the traditional media (such as newspapers and broadcasters) will be welcome to many, but the debate about what constitutes journalism is likely to continue. For more on recent developments in data protection and the media, including analysis of the Global Witness assessment and ICO Guidance, see this article by 5RB’s Gervase de Wilde.
Anonymity in public reports: There has been much concern recently about the difficulties public bodies face when seeking to publish investigation reports (e.g. where there has been a serious incident or failing in a public service), with data protection concerns cited as the main reason why names and certain details are not included in what is published. Criticism is often then rife – with claims that those against whom critical findings have been made seem to be being protected. There is a difficult balancing act for public bodies when carrying out investigations between complying with their data protection obligations, and yet being transparent and accountable to the public. Managing expectations at the outset, and being clear what type of report it is envisaged will be published once the investigation is concluded is of the utmost importance. Where a serious incident occurs, calls for public inquiries and investigations are unlikely to go away – as such this is an issue likely to be faced by public bodies in 2015 and the years to come.
Use of data for marketing: Where marketing is online, by phone, email or text message, such use of data is governed by the Privacy and Electronic Communications Regulations 2003. With spam email/texts/calls continuing to be a bane of modern life, and a regular complaint by consumers, it is important for businesses to get marketing right. The issue of the adequacy of consent (e.g. opt-ins and opt-outs) remains live, and is likely to be changed when the new Data Protection Regulation comes into force. Similarly, new forms of data capture, for example via apps and the myriad of smart devices now on the market, will continue to present a challenge for those responsible for compliance, and those regulating.
General data compliance: Businesses are becoming increasingly aware of their obligations as data controllers and the potential reach of these obligations within all aspects of their operations that deal with individuals’ data. Similarly, the public are becoming more aware of their rights under the DPA, including: the right to request a copy of their personal data (a subject access request under s.7 DPA), the right to seek to prevent processing of inaccurate or out-of-date personal data, and/or processing which causes damage and distress. The ICO is continuing to issue fines, and publicly reprimanding serious data breaches. In particular with a new Data Protection Regulation on the horizon, 2015 is a good time for businesses to ensure their data protection house is in order.