Data Protection


Introduction to Data Protection Law in the UK (March 2010)

Page 1

COMPETITION & REGULATORY GROUP

Charles Russell LLP, 5 Fleet Place, London EC4M 7RD, www.charlesrussell.co.uk

Charles Russell LLP, Floor 31, World Trade Centre West Tower, Isa Al Kabeer Avenue, PO Box 31249, Manama, Kingdom of Bahrain, www.charlesrussell.bh

Data Protection Update

Andrew Sharpe

18 March 2010

Page 2

DATA PROTECTION

• Introduction
  – Laws
  – Definitions/jargon
• Data Protection Principles
• New Enforcement Powers
• “Hot topics” and future for data protection

Page 3

INTRODUCTION

LAW

• Data Protection Act 1998
  – Data Protection Directive 95/46/EC
  – see Europa website for other national laws (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm)
  – “the Act is certainly a cumbersome and inelegant piece of legislation” (Morland J, Naomi Campbell v MGN Limited [2002] EWHC 499 (QB))

Page 4

INTRODUCTION - Law

• Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  – Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2004 (SI 2004/1039)
  – Privacy and Electronic Communications Directive 2002/58/EC
• Durant v Financial Services Authority [2003] EWCA Civ 1746

Page 5

INTRODUCTION - Definitions

Section 1(1) Data Protection Act 1998:

• “data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

Page 6

INTRODUCTION - Definitions

• “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

• “data” means information which is or is intended to be processed automatically (i.e. computerised) or forms part of a relevant filing system

Page 7

INTRODUCTION - Definitions

• “relevant filing system” means any set of information relating to individuals structured by reference to individuals or criteria relating to individuals in such a way that specific information relating to an individual is readily accessible
  – “on a par” with a computerised filing system
  – “temp test”

Page 8

INTRODUCTION - Definitions

• “personal data” means information relating to a living individual who can be identified from that data or from other information in the possession of the data controller
  – narrow interpretation – must be significantly biographical, have the individual as its focus and affect an individual’s privacy (personal or professional)

Page 9

INTRODUCTION - Definitions

• “sensitive personal data” means personal data relating to race, politics, religious beliefs, physical or mental condition, sexual life, offences (allegations and sentence), membership of trade union

Page 10

INTRODUCTION - Definitions

• “processing data” means obtaining it, recording it, holding it, carrying out operations with respect to it, including:
  – alteration
  – retrieval
  – consultation
  – use
  – disclosure
  – erasure

Page 11

INTRODUCTION - Definitions

Section 1(4) Data Protection Act 1998:

• where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

DATA CONTROLLER LIABLE FOR DATA PROCESSOR.

Page 12

INTRODUCTION - DPA 1998 Exemptions

• National security
• Crime and taxation
• Regulatory activities, usually statutory and usually designed to protect the public
• Health, education, social work
• Research, history and statistics
• Disclosures required by law or made in connection with legal proceedings

Page 13

DATA PROTECTION PRINCIPLES

Summary

1. Process fairly and lawfully

2. Obtain data only for one or more specified purposes

3. Data adequate, relevant and not excessive

4. Data accurate and kept up to date

5. Data not to be kept longer than necessary

6. Process in accordance with rights of data subject

7. Take appropriate security measures

8. No transfer of data outside EEA without adequate protection

Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless:

(a) at least one condition in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Page 14

First Principle

• Personal data must be processed fairly and lawfully and … one of the conditions must be met
  – fair processing only if the data controller is identified to the data subject, together with the identity of any data protection representative, and the purpose(s) for which the data are intended to be processed is stated
  – conditions at Schedule 2 or 3 to DPA 1998

Page 15

First Principle Conditions

• Consent to processing is the most used condition (explicit consent for sensitive personal data)

• Can process personal data without consent in certain circumstances, e.g.:
  – paragraph 6 of Schedule 2: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

Page 16

DATA PROTECTION PRINCIPLES


Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

Personal data shall be accurate and where necessary kept up to date

Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes

Page 17

Fifth Principle

• Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes
  – often misused as a justification for inappropriately deleting or declining to process personal data, most famously by Humberside Police (the deleted information on Ian Huntley, had it been retained, may have prevented the Soham murders)
  – question of judgement for the data controller

Page 18

DATA PROTECTION PRINCIPLES


Personal data shall be processed in accordance with the rights of the data subject.

Page 19

Sixth Principle

• Personal data shall be processed in accordance with the rights of the data subject
  – data subject access rights
  – “stop” notices for damage or distress
  – “stop” notices for direct marketing
  – “stop” notices for automatic decision-making processes

Page 20

DATA PROTECTION PRINCIPLES


Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Page 21

Seventh Principle: data processors/outsourcing

• Express terms governing due diligence of data processors
  – where processing is carried out by a data processor on behalf of a data controller, the data controller must take reasonable steps to ensure compliance with technical and organisational measures
  – ensure the data processor is subject to contractual obligations AND include audit rights for at least the Seventh Principle

Page 22

DATA PROTECTION PRINCIPLES


Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Page 23

Eighth Principle

• Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
  – export always permitted where the data subject gives consent to the transfer
  – other transfers without consent possible (Schedule 4 of the DPA 1998)

Page 24

Lawful Export of Data

• Disclosure outside of the EEA
  – to a third country approved by the Commission (Art. 25(6)) (Argentina, Australia, Canada, Guernsey, Isle of Man, Jersey, Switzerland)
  – US Safe Harbor: http://www.export.gov/safeharbor/
  – Binding corporate rules (Art. 26(2))
  – Model Contracts (Art. 26(4))

Page 25

Model Contracts

• In standard form for use in the following situations:
  – Controller to processor:
    • Commission Decision (2002/16/EC) of 27 December 2001
  – Controller to controller:
    • Commission Decision (2001/497/EC) of 15 June 2001
    • Commission Decision C(2004)5271 of 7 January 2005 (preferred)

Page 26

Transfer of Data Agreements

• New controller to processor approved agreement
  – effective date 15 May 2010
  – set out in Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)

Page 27

Transfer of Data Agreements

  – available in Word (http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm)
  – introduces obligations on sub-processors
  – not yet formally adopted by the Information Commissioner

Page 28

ENFORCEMENT

• Investigations
• Enforcement Notice
• Prosecution
• Criminal Justice and Immigration Act 2008
• Coroners and Justice Act 2009

Page 29

Criminal Justice and Immigration Act 2008

• introduces monetary penalties for breach of data protection principles (s.144)
  – amends Data Protection Act 1998 (new sections 55A – 55E)
  – maximum penalty set by Secretary of State
  – fining guidelines published by Information Commissioner’s Office (see www.ico.gov.uk)

• only allowable for:
  – “serious contravention of [a data protection principle]”
  – “likely to cause substantial damage or substantial distress”
  – deliberate breaches, or where the controller knew or ought to have known that there was a risk of contravention and that the contravention would be likely to cause substantial damage or substantial distress

Page 30

Criminal Justice and Immigration Act 2008

• secondary legislation being passed to bring into effect

• no official announcement as to when it will be brought into effect

• maximum penalty
  – £500,000
  – some lobbying, including from the previous Information Commissioner, for the ICO to be given an OFT-style power (i.e. up to 10% of the annual turnover of the offender)

• it appears from the secondary legislation being passed that the measures will be brought into effect on 6 April 2010

Page 31

Coroners and Justice Act 2009

• Royal Assent on 12 November 2009

• Part 8 – Data Protection Act amendments
  – assessment notices – will give the Information Commissioner statutory audit powers over government departments and public authorities
  – data-sharing code – requires the ICO to produce a code for data sharing, to be approved by the Secretary of State (and Parliament)

• Some lobbying, including by the previous IC, for the assessment notice power to apply to the private as well as the public sector

Page 32

HOT TOPICS

• Breach notification

Page 33

Privacy and Electronic Communications Directive 2002/58/EC

• Amended by Citizens’ Rights Directive 2009/135/EC

• Amendments introduce breach notification requirements by electronic communications networks or services providers to national regulatory bodies and subscribers

• Member States must implement by 18 June 2011

Page 34

Breach Notification

• some early discussion about widening the measure to all data controllers, and including general public notification
  – Reding speech, 23 October 2009
  – already more extensive breach notification in some member states (e.g. some federal states in Germany)
  – EU looking closely at mixed practice in the USA, where the majority of states have some kind of breach notification law

Page 35

Andrew Sharpe
Charles Russell LLP

Tel: +44 (0) 20 7203 5194 / +973 17 133219

Mobile: +44 (0) 77 1307 9516 / +973 39 035451

Email: [email protected]

andrewjsharpe

TMT_Lawyer

http://www.linkedin.com/in/andrewsharpe

CRITique at http://charlesrussell.wordpress.com

Page 36

Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain)

This information has been prepared as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not taken as a result of this information.

Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners is available for inspection at the registered office, 5 Fleet Place, London EC4M 7RD.

www.charlesrussell.co.uk www.charlesrussell.bh