Welcome to Chapter 8.As every diligent reader of Bar Talk will now know, there is a new European-authored General Data Protection Regulation (GDPR). This will be in force in late May this year. It will be accompanied by a new Data Protection Act in the UK. The latter is still under Parliamentary scrutiny, so we have concentrated on briefing you on the "knowns" in GDPR rather than the "unknowns" in the new Data Protection Act. A summary of the latter will follow when it emerges from the Parliamentary process and becomes Law.
We have broken down the new Regulation into a number of theatrical scenes, dubbed Chapters. This seemed to us to be an appropriate metaphor for the Bar. So far, the scenes are as follows: an Introduction (the Programme) [ here], Chapter 1, (the Players) [ here], Chapter 2 (Roles of Principal Members of the Cast - the Data Controller) [ here]; Chapter 3 (A Continuation of the Data Controller's role) [ here]; Chapter 4 (Further data protection principles with which the Data Controller has to comply) [ here] ; Chapter 5 (Roles of Principal Members of the Cast - the Data Subject) [ here]; Chapter 6 (Roles of the principal members of the Cast - the Data Processor [ here]; Chapter 7 (The Melodrama Part 1 -What happens when it all goes wrong) [ here].
We urge you to read these. They are a relatively light-hearted look at the world of Data Protection. They are very important given the tighter emphasis on this area in the GDPR.
Chapter 8: What happens when it all goes wrong - The Melodrama Part 2
The Melodrama Part 1 looked at what actions you had to take and who you had to inform in the event of a "personal data breach", that is, where you left your computer and all its data about individuals on the bus. Or some malcontent trapped you into clicking on an apparently bona fide link in an email which destroyed all the data you held on your computer. We gave other examples as well.
Part 2 looks at where it hurts most - in your pocket. There are two parts. The first concerns the Data Subject's civil rights. The second addresses administrative fines that the ICO can levy.
Civil Rights (Art.82)
Art.82 sets out the right to compensation from the Data Controller and the Data Processor. Under the Act, (that is, the existing Data Protection Act) only the Data Controller was liable. There was also some confusion as to whether a Data Subject had to suffer pecuniary damage before claiming for distress. The Court of Appeal settled this in 2015 inGoogle Inc v (1) Judith Vidal-Hall (2) Robert Hann (3) Marc Bradshaw(Claimants) and the ICO (Intervener)[2015] EWCA Civ 311 allowing distress claims based on distress only without proof of pecuniary damage.
The GDPR now refers to "material or non-material damage". Does that expression leave us in the dark again? Borrowing from the clause 166(1) Data Protection Bill (version as of 4 March 2018) (sorry, we said we would not refer to this and we have done it twice now, but some guidance of what is likely to happen in the future is useful), "non-material damage" in Art. 82 includes distress.
In summary therefore:
Any Data Controller is liable for "damage" caused by processing which infringes GDPR
Any Data Processor is liable for "damage" caused by processing only where (A) it has not complied with its Data Processor obligations in the GDPR (B) it has not followed the Data Controller's lawful instructions, either by not following or acting outside of these instructions
If more than one Data Controller and/or Data Processor is involved in the relevant processing each is liable for the entire damage (but can claim back from the others that part of the compensation corresponding to the others' share of responsibility for the damage)
Neither Data Controller nor processor is liable if they prove that they are not in any way responsible for the event giving rise to the damage.
Administrative Fines (Arts.83-84)
The Act permitted the ICO to levy fines of up to £500,000 in respect of a failure to comply with the Principles. The position is rather more serious when the GDPR comes into force. In summary, fines are now up to:
Euros 10m (or 2% worldwide revenue if this is higher) - yes, you did read that correctly; millions- in respect of breaches of Arts.:8 (child's consent to receipt of services); 11 (identification of data subjects); 25-39 (obligations of controllers and processors), 42 and 43 (certification to demonstrate compliance with GDPR).
Euros 20m (or 4% of worldwide revenue if this is higher) for breaches of Arts. 5, 6, 7 and 9 (basic principles for processing including conditions for consent); 12-22 (data subject's rights); 44-49 (transfers of data to third countries); GDPR Chapter IX (as far as the Bar is concerned, rules made in the UK giving the ICO powers in relation to professional secrecy obligations; see Art.90); 58 (non-compliance with ICO orders).
It is worth remembering that:
If you and your chambers stick to the rules outlined in previous Chapters [see here and here] then the question of fines should not arise. But this does require a change of mindset. Instead of keeping everything, get rid of what you really do not need as soon as it is feasible to do so. If you need to keep papers on computer, use strong passwords and encryption and try to anonymise data (if you use Word, the Find and Replace function is a good starting point). Going forward, structure your documents so that is it easy to anonymise them in the future.
The ICO would prefer to ensure compliance rather than penalising errors, so the best thing to do is ask for guidance if you are in any doubt.
In particular, if you have done something you are less than proud of - your computer is heading to Edinburgh on the train but you are not - tell your IT manager and chambers immediately (…..but try the train company first!)
Not all penalties are automatic. This is not an on-the-spot fine situation (though fixed penalties will exist of up to £4350 if you haven't paid your registration fee). The ICO will consider the case.
Factors taken into account will be (A) the nature, gravity and duration of the failure (B) the intentional or negligent character of the failure (C) mitigating actions taken by you to minimise damage (D) how culpable you were taking into account the nature of technical and organisational measures employed (E) previous failures (F) the degree of cooperation given to the ICO to remedy the failure and mitigate adverse effects (G) the categories of personal data affected (H) how the ICO came to know of the failure (i.e. did you notify it) (I) the extent to which you complied with any previous enforcement notices (J) your adherence to approved ICO Codes of Conduct or Certification mechanisms (K) other aggravating or mitigating factors (L) whether the proposed penalty is "effective, proportionate and dissuasive".
There is a right of appeal against any ICO decision.
The UK has the power to lay down and implement rules on other penalties applicable to infringements of the GDPR but which are not subject to administrative fines. Again, penalties have to be "effective, proportionate and dissuasive".
Other ICO Powers (Art 58)
Having got the serious stuff out of the way, we will now deal with the other powers the ICO has in its armoury. The ICO has investigative powers and corrective powers. These apply to you in your capacities as Data Processors and Data Controllers.
The investigative powers allow the ICO to:
Order you to provide information it requires for the performance of its tasks
Carry out investigations by way of data protection audits
Review certifications (don't worry about these for the moment)
Notify you of an alleged infringement of the GDPR
Obtain access to all personal data and information necessary for the performance of its tasks
Obtain access to your premises, including computer equipment, subject to compliance with UK procedural Law.
The corrective powers include the following:
Issuing you with a warning that intended processing are likely to infringe the GDPR
Issuing you with reprimands where you have infringed the GDPR
Ordering you to comply with a data subject's requests to exercise their rights under the GDPR
Ordering you to comply with the GDPR in ways specified by the ICO and within specified timescales
Ordering you to communicate a personal data breach to the Data Subject (Data Controllers only)
Issuing temporary or permanent limitations on processing including a ban on processing
Ordering deletion or rectification of personal data, or restrictions on processing and requiring you to inform recipients of personal data of such actions
Imposing administrative fines (as above)
Ordering you to stop sending data to recipients in foreign countries or to an international organisation (more about this in a later Chapter)
The Data Protection Bill contains some restrictions on these powers in relation to privileged documents in respect of data protection matters. We will deal with these when the Bill becomes Law.
The ICO also has a series of administrative and advisory powers. If you wish to read these, they are at Art. 58(3). These include powers to issue certifications, previously mentioned but not immediately relevant.
IT Panel