Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgement in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions (1) whether US style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation. 

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US style “class action”. In the UK, such claims currently need consumers to opt-in, which can be a lengthy process (and costly). Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules which allows an individual to such bring a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr. Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non–trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court  rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, as caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation but not here where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998.  Article 82(1) of the UK GDPR sets out the right to compensation now; “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

advanced_cert

Data Protection Officers and Conflicts of Interest

photo-1539795845756-4fadad2905ec

In May 2018, with the implementation of GDPR, some senior managers (and many junior ones) found themselves thrown into the then unknown statutory role of Data Protection Officer (“DPO”). Two years on, some now have a better understanding of their role whilst others are still battling to manage the many different requirements of the job.

Articles 38 and 39 of the GDPR outline the role of the DPO. They should, amongst other things, be:

  • involved in data breach discussions and investigations whilst being provided with adequate resource to fulfil their obligations;
  • not dismissed for the performance of their duties as DPO;
  • able to offer secrecy and confidentiality to data subjects in relation to data protection matters within the organisation; and
  • actively involved and consulted on the data processing risks associated to proposed data processing activities within the organisation, which are usually highlighted within the Data Protection Impact Assessment (DPIA).

The law is still in its infancy, and remains largely untested in the courts, but a recent case may lead to a few DPOs feeling a little nervous about their role.

€50,000 Fine

The Belgian Data Protection Authority recently issued a €50,000 fine to an organisation after it ruled that the organisation’s DPO had a conflict of interest under Article 38(6) of GDPR. The DPO had been employed by the organisation as the Head of Compliance, Risk Management and Audit in addition to acting as DPO.

A reportable data breach lead to an investigation by the Belgian regulator who sought to dig a little deeper into the organisation’s general approach to privacy compliance.
The investigation focussed on three main potential infringements of GDPR namely:

  1. The duty to cooperate with the data protection authority
  2. The accountability obligations of the organisation in relation to data breach notifications and data protection risk assessments
  3. The requirements related to the position of the DPO

The investigation found that the organisation’s DPO appointment failed to meet the requirements of the legislation as the individual was responsible for the processing of personal data in the areas of compliance, risk and audit and therefore could not independently advise on such matters.

Many data protection experts have interpreted this ruling as preventing any employee who is a “head of department” from carrying out the DPO rule without a conflict of interest, although the situation is not as clear cut.

Conflict of Interests

Whilst the employer will pay their salary, the DPO must be able to act independently and without fear or favour. The Article 29 Working Party’s Guidelines on DPO’s makes reference to a number of roles which would be considered to pose a conflict of interests with the position of DPO namely; Chief Executive, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR and Head of IT.
All of these roles involve a significant amount of personal data processing and decision making, resulting in an impossible independent standpoint to be taken on data matters arising as a result.

This ruling presents an opportunity for organisations to review their DPO position.
Both the organisation and the individual must be clear about the role. The job description should be reviewed from time to time in the light of changing roles and responsibilities. This may flag up potential conflicts of interest.

It is common for DPOs, especially in the public sector, to wear many “hats” due to budget constraints. Whilst GDPR does allow this, if there is any doubt about a conflict of interests, the decision-making process should be documented and the position reviewed.
If any mitigating measures are to be put in place to reduce the risk of conflict these should be outlined and reviewed periodically as new risks and processing activities are presented to the organisation.

Data protection and privacy is an ever-changing area of compliance and in the coming years, more case law will be generated as the principles of the legislation are put to the test. With the end of the Brexit transition period approaching and changing uses of technology due to the global coronavirus pandemic, organisations will need to remain alert to potential issues arising from their original GDPR implementation plan.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online  GDPR Practitioner Certificate course is  fully booked. A few places are left  on the course starting in August.

GDPR and Data Protection Impact Assessments: When and How?

CJgbrkzUwAAJSZA

Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.

DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).

Guidance

Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP) data protection impact assessment guidelinesand the ICO’s DPIA guidance.

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance sates that it requires a Data Controller to do a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to  95):

  • A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purposes.
  • An assessment of the risks to Data Subjects
  • The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and number of methodologies are referenced in the A29WP guidance (Annex 2).

When should a DPIA be conducted?

DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Designapproach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

What about current data processing operations?

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’sadvice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Information Rights Expert joins Act Now GDPR Team

BioPic - Scott Sammons 

Act Now Training is pleased to announce that Scott Sammons has joined its team of consultants.

Scott is an experienced information governance practitioner having worked in both the public and private sector for 10 years, most recently as the GDPR implementation lead for Essex County Council. With certificates in Data Protection and Freedom of Information, his experience and expertise makes him a great addition to our team.

Scott’s GDPR experience includes:

  • Implementation of GDPR in a local authority
  • ROPA deployment
  • Information Mapping & risk assessment
  • Consent & Marketing workshops
  • GDPR awareness sessions for the private sector

Currently Scott also volunteers for the IRMS. The IRMS is one of the leading professional bodies for those that work in information governance and information management.

Scott contributes frequently to guidance and awareness of information related matters via blogging as well as volunteering for the IRMS running events and developing materials for information professionals.

Scott said :

“I am really pleased to be joining the Act Now team. I hope to assist in delivering Act Now’s range of information rights courses as well as developing new ones. My public and private sector experience will I believe stand me in good stead to assist Act Now’s clients with their information rights workload.”

Ibrahim Hasan said:

“I am pleased the Scott has become a part of our growing and wonderful team of vastly experienced trainers. His real-world experience and knowledge of information rights will help us expand our services and deliver even more courses to our client base. We have become well known for the trainers we have with their fantastic skill and experience but also for their ability to deliver a difficult subject for many, in a simple and plain speaking way. ”

Act Now Training is growing rapidly and with over 15 years experience in this sector, we have the grounding to help your organisation with their information rights needs. We offer a full range of training and consultancy services including health checks to gauge your preparedness for GDPR and audits as well offering full certificate courses.

Act Now Recently launched its brand new E-Learning Package specifically aimed at frontline staff. It has been a huge success with hundreds of people having signed up. Click here to find out more!

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers.  If you require this or any other course delivered at your premises, tailored to your needs, please get in touch and we would be happy to deliver it for you.

 

 

GDPR and the Role of the Data Protection Officer

canstockphoto16242260_thumb.jpg

The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25th May 2018.

In the UK, it will replace the Data Protection Act 1998 (DPA). With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

You might be forgiven for thinking that the Brexit vote means that there is no need to worry about GDPR (being a piece of EU legislation) or that its effect will be time limited. The Government has now confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union.

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The Article 29 Data Protection Working Party has now clarified this in its recently published guidance (the A29 Guidance) and a useful FAQ. Technically these documents are still in draft as comments have been invited until the end of January 2017.

Who needs a DPO?

For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations (Article 37(1)):

  1. where the processing is carried out by a public authority or body

Public authorities and bodies are not defined within the legislation. The guidance says that this is a matter for national law. It’s fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement e.g. councils, government departments, the health sector, schools, emergency services etc.  However it is likely to also cover private companies that carry out public functions or deliver public services in the area of water, transport, energy, housing etc. (See also the decision in Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC) which considers the definition of public authorities under the Environmental Information Regulations 2004.)

Purely private companies not involved in public functions or delivering services will only need to appoint DPO if they engage in certain types of data processing operations explained in Article 37:

  1. where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale

Under this provision companies whose primary activities involve processing personal data on a large scale for the purposes behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programs, running CCTV systems, monitoring smart meters etc. will be caught by the DPO requirement.

c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and  offences

The A29 Guidance states that the “and” above should be read to say “or” (a diplomatic way of saying the proof-readers did not do their job!). Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998 e.g. ethnic origin, political opinions, religious beliefs, health data etc. This provision will cover, amongst others, polling companies, trade unions and cloud providers storing patient records.

Unless it is obvious, organisations that don’t need to appoint a DPO should keep records of their decision making process. The A29 Guidance suggests that it will be still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement e.g. housing maintenance companies, charities delivering social services etc. A group of undertakings may appoint a single DPO provided that he/she is easily accessible and there are no conflicts of interests.

Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

The DPO’s Tasks

According to Article 37(5), the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39. These are:

  • to inform and advise the controller or the processor and the employees who are
    processing personal data of their obligations pursuant to this Regulation;
  • to monitor compliance with this Regulation, including the assignment of responsibilities, awareness- raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority (the ICO in the UK);
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data

Qualities

The A29 Guidance states:

“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices including an in depth
  • understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Act Now has recently launched its GDPR Practitioner Certificate aimed at up skilling existing and future DPOs in both the public and private sector. To learn more please visit our website or download the flyer.

The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. He/She reports to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.

Article 38(2) of GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” The A29 Guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management
  • Sufficient time to for DPOs to fulfil their duties
  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • Official communication of the designation of the DPO to all staff
  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • Continuous training

The DPO will be at the heart of the data protection framework for many organisations, facilitating compliance with the provisions of the GDPR. Now is the time to appoint one to ensure that you get the most suitably qualified. Some say 28,000 will be required in the UK and US. Others have even suggested there will be a skills shortage!

There is certainly a lot to learn and do in less than 18 months when GDPR comes into force. Training and awareness at all levels needs to start now.

Do you think mandatory Data Protection Officers under GDPR will lead to higher salaries for DPOs?
Participate in our Twitter survey:

https://twitter.com/ActNowTraining/status/816980420357132290

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

%d bloggers like this: