The New Saudi Arabian Federal Data Protection Law 

The Middle East is fast catching up with Europe when it comes to data protection law. The Kingdom of Saudi Arabia (KSA) has enacted its first comprehensive national data protection law to regulate the processing of personal data. This is an important development alongside the passing of the new UAE Federal DP law. It also opens up opportunities for UK and EU Data Protection professionals, especially as these new laws are closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

The KSA Personal Data Protection Law (PDPL) was passed by Royal Decree M/19 of 9/2/1443H on 16 September 2021, approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The detailed Executive Regulations are expected to be published soon and will give more details about the new law. It will be effective from 23rd March 2022 following which there will be a one year implementation period.

Enforcement 

PDPL will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA). The Executive Regulations will set out the administrative penalties that can be imposed on organisations for breaches. Expect large fines for non-compliance alongside other sanctions. PDPL could mirror the GDPR, which allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. PDPL also contains criminal offences which carry a term of imprisonment of up to 2 years and/or a fine of up to 3 million Saudi Riyals (approximately £566,000). Affected parties may also be able to claim compensation.

Territorial Scope

PDPL applies to all organisations that are processing personal data in the KSA irrespective of whether the data relates to Data Subjects living in the KSA. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the KSA. Interestingly, unlike the UAE Federal DP law, PDPL does not exempt government authorities from its application although there are various exemptions from certain obligations where the data processing relates to national security, crime detection, statutory purposes etc.

Notable Provisions

PDPL mirrors GDPR’s underlying principles of transparency and accountability and empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions including links to previous GDPR blog posts for readers wanting more detail, although more information about the finer points of the new law will be included in the forthcoming Executive Regulations. 

  • Personal Data – PDPL applies to the processing of personal data, which is defined very broadly to include any data which identifies a living individual. However, unlike GDPR, Article 2 of PDPL includes within its scope the data of a deceased person if it identifies them or a family member.
  • Registration – Article 23 requires Data Controllers (organisations that collect personal data and determine the purpose for which it is used and the method of processing) to register on an electronic portal that will form a national record of controllers. 
  • Lawful Bases – Like the UAE Federal DP law, PDPL makes consent the primary legal basis for processing personal data. There are exceptions including, amongst others, if the processing achieves a “definite interest” of the Data Subject and it is impossible or difficult to contact the Data Subject.
  • Rights – Data Subjects are granted various rights in Articles 4, 5 and 7 of the PDPL which will be familiar to GDPR practitioners. These include the right to information (similar to Art 13 of GDPR), rectification, erasure and Subject Access. All these rights are subject to exemptions similar to those found in Article 23 of GDPR.
  • Impact Assessments – Article 22 requires (what GDPR Practitioners call) “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 20 requires organisations to notify the regulator, as well as Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 3 to keep records similar to a Record of Processing Activities (ROPA) under GDPR.
  • International Transfers – Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside of the KSA. There are exceptions; further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint at least one officer to be responsible for compliance with PDPL. The DPO can be an employee or an independent service provider and does not need to be located in the KSA. 
  • Training – After 23 March 2022, Data Controllers will be required to hold seminars for their employees to familiarise them with the new law.

Practical Steps

Organisations operating in the KSA, as well as those who are processing the personal data of KSA residents, need to assess the impact of PDPL on their data processing activities. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes. 
  2. Training staff at all levels to understand PDPL and how it will impact on their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk are addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new, more stringent security obligations, particularly breach notification.
  7. Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  8. Appointing and training a Data Protection Officer.

Act Now Training can help your organisation prepare for PDPL. We are running a webinar on this topic soon and can also deliver more detailed in house training. Please get in touch to discuss your training needs. We are in Dubai and Abu Dhabi from 16th to 21st January 2022 and would be happy to arrange a meeting.


The New UAE Federal Data Protection Law

The United Arab Emirates has enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) was published by the Cabinet Office on 27th November 2021 as part of a legal reform programme in advance of the UAE’s Golden Jubilee. The detailed Executive Regulations are expected to be published on 20th March 2022, with the new law becoming fully enforceable six months later.

The UAE is no stranger to data protection laws. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 became enforceable in October 2020. However, it only applies to companies under the jurisdiction of the DIFC as well as those processing personal data on their behalf. In February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 with the same limited applicability. There are also a number of other sector specific laws in the UAE which address personal privacy and data security. 

Applicability

PDPL applies to all organisations that are processing personal data in the UAE irrespective of whether the data relates to Data Subjects living in the UAE. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the UAE. PDPL does not apply to government data, government authorities that control or process personal data and personal data held by security and judicial authorities. Health data, credit data and banking data are also excluded as they are protected by other laws.

Key Provisions

PDPL is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It mirrors their underlying principles of transparency and accountability and, like them, empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions. We have included links to previous GDPR blog posts useful for readers wanting more detail:

  • Lawful Bases – Article 4 states that personal data can only be processed with the consent of the Data Subject. Exceptions include, amongst others, if the processing is: necessary to execute a contract to which the Data Subject is a party; required to protect interests of the public; relates to data already in the public domain; necessary to comply with other laws. Interestingly, PDPL does not include “legitimate interests” as a lawful basis for processing, as is found in GDPR.
  • Consent – Where consent is used as the lawful basis for processing personal data, it should be obtained from Data Subjects in a specific, clear and unambiguous form and should be freely given through a clear affirmative statement or action (Article 6). Consent can be withdrawn at any time.
  • Rights – Data Subjects are granted various rights in Articles 14-18 of the PDPL which will be familiar to GDPR practitioners. These include Subject Access, Data Portability, rectification or erasure of personal data, restriction on processing, objection to automated decision making and the right to stop processing.
  • Data Protection Impact Assessments – Article 21 requires (what GDPR Practitioners call) “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 9 requires organisations to notify the regulator, as well as Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Data Processors – PDPL imposes direct compliance obligations on Data Processors in Article 8 and obligations on Data Controllers when engaging them (e.g. contracts), similar to Article 28 of GDPR.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 7 to “keep a register of Personal Data”, similar to a Record of Processing Activities (ROPA) under GDPR.
  • International Transfers – Article 22 imposes limitations on the international transfer of personal data outside of the UAE. Similar to the concept of “adequacy” under the GDPR, the regulator is expected to approve certain countries as having “sufficient provisions, measures, controls, requirements and rules” for protecting the privacy and confidentiality of personal data. Article 23 sets out exceptions, although further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint a Data Protection Officer (DPO) in certain circumstances, set out in Article 10, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; where processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO can be an employee or an independent service provider and does not need to be located in the UAE. Article 11 sets out the responsibilities of the DPO and it is interesting to note that, just like under the GDPR, the PDPL gives the role protected status, i.e. they cannot be dismissed for doing their job.

Enforcement 

PDPL will be enforced by the UAE’s Data Office. The Executive Regulations will set out the administrative penalties that can be imposed on organisations for breaches. They could mirror current laws, such as the DIFC DP Law, where the maximum fine for a breach is $100,000. Organisations may also be required to pay compensation directly to Data Subjects or be sued by them. Alongside other sanctions, GDPR allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. It will be interesting to see if PDPL follows GDPR.

Practical Steps

PDPL is likely to become fully enforceable by the end of September 2022. Organisations operating in the UAE need to assess the impact on their data processing activities. Systems and processes need to be put in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  • Training staff at all levels to understand PDPL and how it will impact on their role.
  • Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  • Reviewing how records management and information risk are addressed within the organisation.
  • Reviewing information security policies and procedures in the light of the new, more stringent security obligations, particularly breach notification.
  • Drafting policies and procedures to deal with Data Subjects’ rights, particularly requests for subject access, rectification and erasure.
  • Appointing and training a Data Protection Officer.

Act Now Training can help your organisation prepare for PDPL by training your staff and the all-important Data Protection Officer. We have delivered training to UAE businesses using our UAE specific training courses. This includes our very popular DPO Certificate course customised for the UAE. We can also deliver customised in house training both online and face to face. 

Please get in touch to discuss your training needs. We are in Dubai from 16th to 21st January 2022 and would be happy to arrange a meeting.


What a Year! 2021 Review


As we come to the end of another year, the Act Now team would like to thank all our delegates for their continued support and our associates for their hard work. It has been a challenging year but we have all taken the opportunity to learn and grow. 

Much happened in 2021 in the privacy arena. We had the first GDPR fine issued to a charity as well as the Cabinet Office finally being fined for the 2020 New Year’s Honours List data breach. In September, the Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. Time will tell! We predict that 2022 is going to be the year of AI and Data Ethics. We are planning some workshops to help you navigate through the thorny issues. 

It wasn’t all about GDPR. At the end of the year, it seemed like the Government was ready to launch another attack on freedom of information. At present they are distracted by other troubles (unauthorised Christmas parties) but it will be interesting to see if the threat of FOI reform rears its head in 2022. 

In 2021 Act Now has been at the forefront of helping the IG/DP community stay abreast of developments and rise to the challenges of working from home and continuing to learn. We have delivered over 250 online workshops and launched some great new courses and products including our Advanced Certificate in GDPR Practice.
We intended to run 3 of these certificate courses in 2021. Such was the demand that we ran a total of 8, all of which were fully booked. With some great reviews, we will continue to improve this course. Watch this space for some exciting and challenging new courses in 2022. Alongside our usual training programme, we ran a number of free webinars on a range of topics including cyber security, risk management and the CCPA. 

Act Now has also continued to raise the media profile of Information Governance in 2021. Ibrahim Hasan was interviewed twice by the BBC on a variety of topics including footballers’ data, data breaches and vaccine passports. He was also on RT News talking about FOI. 

Data Protection is going global. With laws being passed in the Middle East, Africa and North America, we are now looking to spread the information privacy message further afield by promoting our US CCPA and Dubai privacy programmes. We have exciting announcements planned in 2022.

2021 ended with some great news. Act Now Training won the Information and Records Management Society (IRMS) Supplier of the year award at the IRMS conference in Birmingham. We were also delighted to welcome solicitor and information law expert, Kate Grimley Evans, to our team of associates. Kate is a Fee Paid Member of the Upper Tribunal.

These are exciting times for information governance professionals. Act Now is committed to raising awareness and the importance of Information Rights. We want to continue to support IG professionals with their professional development by developing training that helps them to navigate this often complex but interesting area. 

The Act Now office will be closed for the holiday season from Thursday the 23rd December. We will be back in the office from the 5th January 2021.

Wishing you all a safe and enjoyable Christmas and a successful new year. 


FOI Under Attack

Last week, a government minister called the Freedom of Information Act (FOI) a “truly malign piece of legislation”. Lord Callanan, a minister at the Department for Business, Energy & Industrial Strategy, made the comments during a parliamentary debate. He was defending the government’s decision that FOI should not apply to a new Defence research agency.

It is not surprising that a government minister has expressed his dislike of FOI. The Act is very popular amongst politicians but only when they are in opposition. This view rapidly changes when they take up government positions and are on the receiving end of FOI requests. Tony Blair introduced the Act but regretted it in his memoirs, calling himself “a naive, foolish, irresponsible nincompoop”.

This new attack on FOI is not just about the Advanced Research and Invention Agency (ARIA) and whether it should be subject to FOI. This is a minister expressing his frustrations about legislation which has no doubt made the Government’s life more difficult, especially during the Pandemic. Information requests have been made about key government decisions, the actions of advisers in allegedly breaking lockdown rules (Barnard Castle) and the award of lucrative PPE supplies contracts to companies who seemingly have little experience of the health sector. In July, the Information Commissioner launched an investigation into reports that ministers and senior officials have been using private correspondence channels, such as WhatsApp and private email accounts, to conduct sensitive official business. 

FOI allows the public to see how their money is being spent. It is extraordinary that a body like ARIA, which is responsible for spending £800 million of public funds over four years, should be free from the scrutiny that applies to the whole public sector including small parish councils. ARIA will be tasked with handing out lucrative research contracts and so the public have a right to know how their money will be spent.

Fees

Lord Callanan also said that charging the public fees for requesting government information was an “excellent idea”. This idea has also been backed by the incoming Information Commissioner, John Edwards. He told a committee of MPs in September that it was “legitimate” to ask the public to meet the cost of digging out the relevant information.

One of the government’s arguments for introducing fees is that it costs money to deal with complex freedom of information requests. However, the current legislation already allows for fees to be charged if a request takes more than 18 hours to deal with, or 24 hours if made to a government department. 

Introducing a flat fee, or fees for all requests, will undermine the public’s trust in government. At a time when the economy is weak and the cost of living is going up, why should the public have to pay for information that has been gathered by public bodies using public funds? In a sense they would be asked to pay for it twice. Fees also mean that only the rich would be able to scrutinise and challenge decisions made by public bodies which affect their lives. 

It could be that Lord Callanan’s comments signal the start of a government attempt to weaken FOI. If this is the case, bearing in mind Boris Johnson’s parliamentary majority, we should all be concerned. The Government must lead by example and not weaken FOI because it is a hindrance.

Watch Ibrahim Hasan’s interview with RT News here.

Looking for an FOI qualification? We have one place left on our online FOI Practitioner Certificate course starting in January. 


Leading Information Lawyer Joins the Act Now Team


Act Now Training welcomes solicitor and information law expert, Kate Grimley Evans, to its team of associates. Kate specialises in helping clients with all aspects of data protection and freedom of information. She was formerly the Head of Information Law at Stone King LLP. She has also worked for other top law firms including Eversheds and Mills & Reeve. Kate is currently a Consultant Solicitor for Bates Wells and Kesteven Partners Limited.

Kate is an expert in her field and has specialist knowledge of data protection compliance in the education and charity law sectors. She is the author of the leading guidance on data protection and information law matters for the museums’ sector and is currently writing a chapter (on schools) for an Oxford University Press book on data protection.

Kate has spoken at high profile conferences such as the Grammar School Heads’ Association Conference, Institute of School Business Leaders Conference and the Optimus Education Conference. Like our other associate Susan Wolf, Kate is a Fee Paid Member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction). 

Ibrahim Hasan, director of Act Now Training, said:

“I am delighted that Kate has joined our team. Her wealth of experience in the education and charity sectors, will help us develop further our training and consultancy offerings to these important sectors.”

In time Kate will be delivering all the workshops on our current programme as well as developing new ones. She will also be available to conduct audits and health checks and deliver in house training particularly for charities and schools. 

Learn about the latest GDPR developments in next week’s GDPR Update workshop. We have one place left on our Advanced Certificate in GDPR Practice course starting in January.


Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However, in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses: a clear breach of the General Data Protection Regulation (GDPR), particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as Holocaust survivors were also on the list, which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation; a stark contrast to the ICO’s fines under the DPA 1998, where they started with a local authority. Article 82(1) of GDPR sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have one place left on our Advanced Certificate in GDPR Practice course starting in January.


Act Now Training Wins IRMS Award

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the year award for 2021.

The awards ceremony took place on Monday night at the IRMS Conference in Birmingham. Act Now was also nominated for two other awards. Congratulations to all the other winners.

Ibrahim Hasan said:

“I would like to thank the IRMS as well as the Act Now team. This award recognises the hard work of our colleagues who are focussed on fantastic customer service as well as our experienced associates who deliver great practical content and go the extra mile for our delegates. We are committed to helping advance the profession and raising the awareness of the importance of Information Rights as a fundamental Human Right; and enable a culture of respect and trust within organisations.” 

The Innovation of the Year award went to Dapian which is a cloud based programme designed to assist those conducting Data Protection Impact Assessments and Information Sharing Agreements. Act Now helped develop Dapian alongside nine organisations from the public and private sector including the IRMS.

Despite the pandemic, it has been a fantastic year for Act Now. We have delivered over 250 online workshops and launched some great new courses and products. Our Advanced Certificate in GDPR Practice has been really well received by experienced GDPR practitioners who want to enhance their skills and knowledge. We have run eight fully booked courses this year with fantastic reviews. We have also launched our very popular UK and EU GDPR Handbooks.

We have exciting plans for 2022. Watch this space!


New Workshop on Law Enforcement Data and Part 3 DPA 2018 announced.


In the world of Law Enforcement, Data Protection is about compliance with both the UK GDPR and the Law Enforcement Directive (LED) as implemented by Part 3 of the Data Protection Act 2018. This does not just cover the police but any ‘competent authority’ with a ‘law enforcement purpose’, e.g. local authority regulatory services. 

While Part 3 is very similar to the GDPR, it is starkly different in a few key areas and can confuse those who do not deal with it regularly. A recent Scottish case shows that even the ICO can get it wrong.  

As part of our growing range of practical workshops for data protection professionals, Act Now Training has launched a full day workshop on this important topic. Our expert trainer, Scott Sammons, will cover the basic requirements under the LED principles, look at practical steps, explore the LED SAR exemptions and see where you can re-use your GDPR controls for an LED purpose.  

This workshop can also be customised and delivered to your organisation at your premises or virtually. Get in touch to learn more. 



Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgement in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions (1) whether US style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation. 

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US style “class action”. In the UK, such claims currently need consumers to opt in, which can be a lengthy (and costly) process. Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules, which allows an individual to bring such a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court, only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr. Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non–trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation, but not here, where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998. Article 82(1) of the UK GDPR now sets out the right to compensation: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have one place left on our Advanced Certificate in GDPR Practice course starting in January.


To Share or Not to Share; That is the Question! 

On 5th October 2021 the Data Sharing Code of Practice from the Information Commissioner’s Office came into effect for UK based Data Controllers.

The code is not law, nor does it ‘enforce’ data sharing, but it does provide some useful steps to consider when sharing personal data, either as a one-off or as part of an ongoing arrangement. Data Protection professionals, and the staff in the organisations they serve, will still need to navigate a way through various pressures, frameworks, and expectations on the sharing of personal data; case by case, framework by framework. A more detailed post on the contents of the code can be read here.

Act Now Training is pleased to announce a new full day ‘hands on’ workshop for Data Protection professionals on Data Sharing. Our expert trainer, Scott Sammons, will look at the practical steps to take, sharing frameworks and protocols, risks to consider etc. Scott will also explore how, as part of your wider IG framework, you can establish a proactive support framework, making it easier for staff to understand their data sharing obligations/expectations and driving down the temptation to use a ‘Data Protection Duck out’ as the reason why something was shared/not shared inappropriately.

Delegates will also be encouraged to bring a data sharing scenario to discuss with fellow delegates and the tutor. This workshop can also be customised and delivered to your organisation at your premises or virtually. Get in touch to learn more.
