Monthly Archives: January 2016

Data Protection In 2016 And Beyond – Less Velvet Glove, More Iron Fist

Data Protection Law in 2016 and beyond – More Iron Fist, Less Velvet Glove

For some time now, commentators on online privacy and data protection have predicted a “tipping point”, where the public would finally realise the impact of sharing so much of their most private information online and grow tired of the endless trade in that information, leading to the spam texts and e-mails with which we’ve all become sadly familiar. After all, in the information age where businesses, platforms and brands are built and targeted around the habits and demographics of their users, knowledge truly is power. For some time, the EU has taken the use of that knowledge and the data which underpins it very seriously, which led to the original Data Protection Directive in 1995, subsequently implemented by all EU member states and reflected in UK Law by the Data Protection Act 1998.

The basic concepts set out in the Directive were all very noble and (comparatively) straightforward, imposing standards and restrictions upon any entity which collects and controls the use of personal data (defined very widely, and including photographs and even IP addresses) relating to identifiable and living individuals to control the manner in which that data is collected, used and distributed. The other side of that coin saw the grant of certain specific rights to individual “data subjects”, including access to any personal data (to a certain extent) held about them by a “controller”, details as to how, and to whom, that data was being used and disclosed, to object to that use in certain circumstances and to obtain compensation where damage was suffered as a result of data being processed unlawfully, i.e. not in line with eight “data protection principles”.

Still with me? For a long time, Data Protection was seen as the new Health & Safety, with many businesses dismissing their compliance obligations as something that they intended to get around to eventually, or worse, ignoring them completely. That ignorance aside, the Information Commissioner’s Office has been increasingly willing to take steps to bring the various sanctions at its disposal to bear against businesses who misuse personal data, or alternatively don’t take proper steps to ensure that it remains secure. Against this backdrop, and the rise of big data, social media, targeted marketing and the personalised consumer experience, we’ve seen Monetary Penalties levied against the likes of Sony, to the tune of £250,000, after the PlayStation Network was hacked in 2011.

Although questions remain as to whether or not the UK is a more secure place after five years’ worth of enforcement of Data Protection Law by the ICO, the 66 monetary penalties it has issued since 2010 (it can, for the time being, issue a penalty of up to £500,000 for breaches of the Data Protection Act 1998, Privacy Regulations 2003 and other legislation which were either deliberate or reckless and cause substantial damage or distress) show that it’s far from the “toothless tiger” many thought it to be at the start of the decade. It’s been particularly hard on data breaches in the public sector but has also been seen as relatively lenient on the likes of Google, who escaped serious censure after its “Street View” project saw a vast amount of personal data collected from open wi-fi networks across the UK.

There has been a marked improvement in the profile and importance of data protection issues in the minds of the public after high-profile hacks involving Ashley Madison, TalkTalk and others, as well as the introduction of the hugely controversial “right to be forgotten” (even though the terminology’s probably wrong) which came out of a Spanish case whose ruling allows individuals to ask Google to remove search results which link to outdated, incorrect or irrelevant data in which there’s no real public interest. That “right” has already been used as a blunt instrument to remove data from the public eye where defamation or other reputation management tools are no longer an option, although the EU’s Article 29 Working Party has since provided guidance which has allowed Google to refuse more and more of the thousands of requests they receive to remove elements of an individual’s online presence on a daily basis.

All that said, however, we’ve only just begun. Whilst many businesses complain that compliance with data protection law is simply too complex for them, and based on a “one size fits all” counsel of protection, the issue is about to move significantly higher up the corporate and legal risk agenda with the recent publication of the new EU General Data Protection Regulation during December last year. Some four years in the making, the GDPR itself is supplemented by the new Data Protection Directive, and aims to strengthen the existing legal framework across member states’ 500 million citizens. With the concepts such as the digital single market and the new and improved “right to be forgotten” at its core, the existing patchwork of laws across the continent will eventually be swept away – I say eventually, as the chances are that the new legislation won’t come into effect until the back end of 2017. That delay notwithstanding, however, it’s worth thinking now about how to plan for the impending changes and planning to recruit for a Data Protection or Privacy Officer – you’re about to need one.

The GDPR raises a number of issues for businesses, the headline being the concept of “privacy by design”, which should be the guiding principle for any use or “processing” of personal data and shored up by policies (and in some cases the mandatory appointment of a Data Protection Officer) which demonstrate that commitment, alongside better processes to allow individuals (who should increasingly be referred to by pseudonyms and not their true names, which will be mandatory in some industries) to more easily obtain access to information about how their personal data is used in a concise, transparent, straightforward and user-friendly manner.

Consent to the processing of personal data has long been a key concept in data protection law, and although in some circumstances (usually relating to marketing to either existing customers or individuals who’ve made enquiries of a business) it can be “implied”, when the GDPR is fully introduced businesses will be expected to use methods of obtaining consent which is “unambiguous”. This reflects and strengthens the current position that consent must be specific, informed and active, and “opt-in” rather than “opt-out” consent (including in relation to receiving marketing materials) will be the only acceptable standard.

Equally significant is a shift away from the lion’s share of compliance falling on the shoulders of Data Controllers (who obtain personal data and direct how it can be processed) to placing more responsibility on Data Processors, to whom the Controller outsources either the storage or processing of data. Although currently Processors are bound to comply with the existing law and instructions of their Controller (with their responsibilities set out by law in a written contract), in future they’ll be subject to stricter controls, not least relating to the transfer of data or appointment of any “sub-processors”.

Turning to what happens when data security is breached, the GDPR requires businesses to notify their Data Protection Authority within 72 hours, a significant change to the current position, where there is no legal obligation to report breaches but there is strong encouragement to report serious breaches which could have a detrimental effect on data subjects, and a higher presumption of clemency or at least assistance in any ICO enforcement action as a result. Not only that, but if the breach is likely to lead to a high risk to the rights and freedoms of individuals, consumers and data subjects should also be notified without delay. Against the backdrop of the recent Vidal-Hall decision which saw the Court confirm that damages could be recovered for distress caused as a result of a data breach rather than pure monetary losses, it’s likely that data protection claims by consumers will become permanent fixtures of court lists and potentially a major source of growth for law firms looking for the next wave in large-scale or high-volume litigation.

As noted above, the “right to be forgotten” tilted at in the Google Spain case from May 2014 will become a matter of legislation and national law (eventually), with obligations on businesses to delete personal data which they no longer need or in relation to which consent to processing has been withdrawn without undue delay. Again, this is a shift away from the current obligations to ensure that data processed is only held for as long as necessary and kept updated, with which many businesses already struggle, especially where dealing with huge customer databases.

What didn’t survive the negotiation and wrangling across the EU was the introduction of a “digital age of consent”, raised from 13 to 16, against a huge backlash from tech giants and commentators over a resultant ban on social media use and ultimately left in the hands of member states – notably, the UK has already stated that the UK’s age of digital consent will not be raised. However, the new high watermark for monetary penalties of up to 4% of global turnover in the event of the most serious breaches has made the cut, and this alone should focus the attention of businesses across the continent on their commitments and obligations relating to their use and exploitation of personal data.

So, is it time to panic? Not yet – helpfully, the ICO has made 5 key suggestions for businesses looking to skill up before the GDPR becomes law, focussing on assessing how and where consent for processing is obtained from individuals, accountability and record-keeping, staffing up to ensure that businesses have the right expertise to deal with new obligations and planning in peacetime for when, not if, a breach takes place.

In a time when even “safe harbour” and the assumption that the US was a “safe” place to which personal data could be transferred (not any more, at least for the time being, following a case brought by privacy activist Max Schrems following the Ed Snowden revelations) is now a thing of the past, the huge, fundamental and permanent change which the GDPR introduces simply can’t be ignored. Consumers and individuals certainly won’t ignore it, given recent high-profile breaches, and planning to manage if not mitigate its impact should be as important to every business as simply keeping the lights on. Brussels will expect nothing less.

Reputation Management In The Social Media World – Impossible Dream Or Comeback Kid?

In the social media world, where brands are made and broken overnight, more ethical consumers search for the slightest excuse to turn against the establishment for lapses in moral judgment and anyone’s opinion and snap judgment, it may be easy to think that the days of managing, let alone defending your reputation are long gone.

After all, recent reports show that, since the Defamation Act 2013 came into force, defamation as a legal discipline may be on the decline – Thomson Reuters recently found that only 20 defamation cases reached a hearing in 2012 to 2013, down 58% on 2008-2009’s high watermark of 48. In fact, the total number of defamation cases fell from 86 to 63. As much as the new requirement of serious harm has done much to discourage and weed out claims with tenuous merit (replacing the more active approach to case management and strike-outs led by the Jameel line of cases some years ago), it may be fair to think that both the media and potential claimants are becoming more cautious and less eager to have the details of their dispute and any potential vindication undone by crowdsourced opinion, potentially creating a Streisand Effect of massive proportions and undoing the whole objective.

You may think that, but I think you may be wrong. Buried in these figures, alongside the drop in claims brought by businesses of 45%, was an increase in defamation cases linked to social media activity, which is increasingly becoming the new battleground in the war of public perception. We’re starting to see a line of cases such as Cooke, Lachaux and Brett Wilson, all of which have begun to fill in the blanks of the 2013 Act’s “plain English” approach to a traditionally obtuse and esoteric legal discipline. We may yet be starting to see the new frontier and a move back towards a more equal realignment of the interests of business against the occasionally ill-informed individual.

That said, defamation is only a part of the online conversation prism. As it has struggled to re-establish its relevance in the information age, data protection has well and truly come out swinging, with the recent ground-breaking Vidal-Hall decision potentially opening up a whole new era of claims for non-pecuniary damage arising from breaches of the Data Protection Act 1998. The first few claims relating to data breaches are only now starting to make their way into court lists, and the next few years are going to be fascinating as Judges get to grips with the true worth of privacy, both before and after it’s compromised. Not only that, but the line between citizen “journalism” and the private purposes exemption from the 1998 Act’s stringent requirement may bring data privacy to the fore of public consciousness like never before, with the IP address replacing the PI litigator as the next wave of volume litigation.

As straight privacy cases also continue to make headlines and set the criteria for “reasonable expectation” and genuine public interests, with social media playing an increasingly important role both as a source and distribution channel of the most intimate information and the “right to be forgotten” continues to be defined through Google’s own imperfect implementation of the Spanish decision against them which gave birth to the very concept, the fact is that in the digital environment the defence of reputation and privacy is increasingly complex and involves more ingenuity than ever before. As technology has outpaced the legal framework which (tries) to regulate it, the next few years may well see a much clearer picture emerge of what businesses and individuals can be expected to tolerate in a 24-hour news cycle, often driven by contributors without any formal journalism training. The lawyers who can evolve to meet that challenge may yet truly help their clients continue to prosper in the unflinching gaze of a crowd which is sometimes not as wise as we wish it to be.

We are fortunate to live in interesting times, and what comes next may yet remind us that the basic rights to defend unwarranted attacks and the pre-eminence of privacy could make the enlightened even more lucky. Reputational risk is at the top of many agendas, and defending it may see the playing out of what we as human beings love more than anything else – a comeback story.