This presentation explores continuities and changes in the interface between freedom of information and personal information protection at pan-EU level and in the UK under the amended law of the Data Protection Act 2018 and Regulation 2018/1725. Comparing both regimes, it especially focuses on fairness and balancing, the requirement to demonstrate the "necessity" of processing, the position of the deceased and the relationship between disclosure, transparency and sensitive personal data rules.
A paper written in April 2016 for my Corporate Compliance & Enterprise Risk Management course on the switch from the EU-US Safe Harbor to the EU-US Privacy Shield data privacy regimes.
Data Protection Guide – What are your rights as a citizen? | Edouard Nguyen
Guide UK Data Protection Law EUROPA - Internal Market - Data Protection - Data Protection Guide – What are your rights as a citizen? http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law | David Erdos
Whilst it is sometimes suggested that the treatment of legal and deceased person data during European data protection’s development has been broadly comparable, this presentation demonstrates the stark divergences which are in fact apparent. Despite early fusion, legal persons have been increasingly seen to have lesser and, more importantly, qualitatively different information entitlements compared to natural persons, thereby leaving European data protection with a very limited and indirect role here. In contrast, natural persons and the deceased have not been conceived as normatively dichotomous and since the 1990s there has been growing interest both in establishing sui generis direct protection for deceased data and also indirect inclusion through a link with living natural persons. Whilst the case for some indirect inclusion is overwhelming, a broad approach to the inter-relational nature of data risks further destabilizing the personal data concept. Nevertheless, given that jurisdictions representing almost half of the EEA’s population now provide some direct protection and the challenges of managing digital data on death continue to grow, the time may be ripe for a ‘soft’ recommendation on direct protection in this area. Drawing on existing law and scholarship, such a recommendation could seek to specify the role of both specific control rights and diffuse confidentiality obligations, the criteria for time-limits in each case and the need for a balance with other rights and interests which recognises the significantly decreasing interest in protection over time. N.B. The full working paper accompanying these slides may be found at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3599852
Reconciling Humanities and Social Science Research With Data Protection | David Erdos
Humanities and social science research contribute enormously to collective public knowledge and discussion. Such activity will almost invariably involve the processing of personal information and will, therefore, trigger the application of EU data protection law including the forthcoming General Data Protection Regulation (GDPR). This presentation argues that the GDPR’s default provisions – especially as regards the presumption of consent for sensitive data, data subject notification rules and strict discipline provisions – pose an acute threat to such activity. Moreover, whilst the research derogations (Art. 89) ameliorate a few of the issues, they are principally designed for work based on a highly structured, predetermined and largely fiduciary model such as is common in bio-medicine. As recognised by a wide variety of research organizations during debate on the GDPR (including the Wellcome Trust and UK Economic and Social Research Council), given that social/humanities scholarship is intrinsically linked to public knowledge and discussion, it should in fact benefit not just from these research derogations but also from the more permissive (but not absolute) derogations for free speech. The GDPR now recognises this by granting free speech protection for “academic expression” alongside that of journalism, literature and art (Art. 85 (2)). (N.B. These slides are based on a talk given at the University of Hong Kong “Positioning Privacy and Transparency in Data-intensive Research and Data-drive Regulation” on 8 November 2016).
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION | IJNSA Journal
Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law whose purpose is to set out how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The General Law on Personal Data Protection (LGPD) was sanctioned on September 18th, 2020. Now, the citizen is the owner of his personal data, which means that he has rights over this information and can demand transparency from companies regarding its collection, storage, and use. This is a major change and, therefore, it is extremely important that everyone understands their role within LGPD. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, presenting real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.
Regulation of Medical Research under European Data Protection | David Erdos
Medical research provides unique and critical public benefits but also necessarily involves the processing of some of the most sensitive and private data - which European Data Protection is rightly concerned with safeguarding. Looking at the law across all European Economic Area (EEA) jurisdictions, this presentation outlines the barriers which application of default European data protection norms can pose to such work from requirements to obtain consent for sensitive personal data processing, to data subject notification rules and subject access. Drawing on a survey of Data Protection Authorities it also indicates that regulators are inclined to interpret the law strictly here although enforcement is often rather limited. The presentation then looks forward to the future under the General Data Protection Regulation (GDPR) arguing that the obstacles in the way of getting the law right here remain formidable and, in addition, there is a need for much greater engagement between DPAs and those involved in medical research. (N.B. These slides are based on a talk given to the PHG Foundation at Hughes Hall on 13 October 2015 but have been updated in light of the finalization of the GDPR).
Constitutional Privacy and Data Protection in the EU | David Erdos
Although both data protection and the right to privacy (or respect for private life) are recognised within the EU Charter, they are otherwise generally seen as having very different constitutional histories. The right of privacy is often seen as traditional and data protection as novel. Drawing on a comprehensive analysis of rights within EU State constitutions, it can be shown that this distinction is overdrawn. Only five current EU States recognised a constitutional right to privacy prior to 1990, although approximately three quarters and also the European Convention do so today. Subsidiary constitutional rights related to the home and correspondence but not honour and/or reputation are more long-standing and this helps link the core of privacy to the protection of intimacy. Constitutional rights to data protection emerged roughly contemporaneously and were often linked to a general right to privacy but are still only found in around half of EU States. There is also no clear consensus on specific guarantees, although around half of the States which recognise these do include rights to transparency and a slightly lower number a right to rectification. This could suggest that data subject empowerment over a wide range of connected information is an important emerging particularity tied to data protection as a constitutional guarantee.
20200504_Research Data & the GDPR: How Open is Open? | OpenAIRE
Presentation by Prodromos Tsiavos (Senior Legal Advisor - ARC/ Director - Onassis Group) as delivered during the OpenAIRE Legal Policy Webinar series on May 4th 2020.
More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars
Comparing EU and Council of Europe Data Protection Standards in the Context o... | David Erdos
In the event of Brexit, the UK will leave the EU Charter, the GDPR and related EU instruments. It will, however, remain committed not only to achieving EU ‘adequacy’ standard but doing this within the framework of Council of Europe’s Data Protection Convention 108+. These slides therefore explore the commonalities and contrasts between EU DP and Convention 108+. Both have a similar scope and common principles. However, Convention 108+'s transparency and sensitive data rules are considerably less stringent and there are many fewer compulsory controller discipline provisions. Whilst only modest change should be expected initially as the UK will essentially replicate the GDPR in the short-term, this less prescriptive and more flexible approach is likely to exert an influence on UK data protection should Brexit happen.
[CB19] Applicability of GDPR and APPI to international companies and the impa... | CODE BLUE
The speech will describe the new Data Protection Laws in Europe (GDPR) and Japan (APPI with supplementary rules). It will give recommendations to company leaders and IT experts on how to avoid or cope with applicability of these laws and describe necessary IT Security measures under the GDPR.
The speech will describe when the GDPR and APPI are applicable, when data is considered personal data, how Japanese and EU companies benefit from the new trade deals “EU-Japan Strategic Partnership Agreement” (SPA) and the “EU-Japan Economic Partnership Agreement” (EPA). The speech aims to answer international IT experts’ questions on compliance with APPI and GDPR.
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope | David Erdos
How is and should the future of data protection regulation of the journalistic media develop under the GDPR? State law in this area remains highly divergent but the great majority do recognise that qualified data protection requirements and partial regulatory supervision should apply here. This points to a continuing, albeit sensitive, role for DPAs. But these authorities have many other demands and remain highly resource constrained. It is argued that a co-regulatory synergy between self- and statutory regulation provides the best mechanism to elucidate the necessary detailed balanced standards and for monitoring these. DPAs should develop a strategic approach including through according greater deference to self-regulatory bodies which take data protection standards and this balancing task seriously. The codes of conduct and monitoring provisions in articles 40 and 41 of the GDPR may be deployed directly here or at least provide a guide for a sui generis approach, with the new European Data Protection Board playing a facilitative rather than a controlling role.
N.B. These slides are based on a talk I gave at a joint HEC Paris Law Department and Sciences Po Law School seminar on 30 November 2018. I am grateful for the feedback I received there.
N.N.B. Please note that the chart in Slide Six unfortunately failed to display that as of Autumn 2018 approximately 40% of statutory data protection laws enacted by EEA jurisdictions still subject journalism to full DPA supervision.
The UK and EU Personal Data Regime After Brexit: Another Switzerland? | David Erdos
These slides provide an overview of the personal data relationship between the UK and EU after Brexit. Under the Trade and Cooperation Agreement, the UK will have the closest connection with the EU here outside the European Economic Area and Switzerland. This is especially clear in the area of justice and security where there is very extensive provision for data exchange based on common standards. However, in the general area of data protection the framework only points to mutual adequacy. Even with the evolving formulation of this as “essential equivalence”, significant flexibility is retained and this may ultimately result in more substantive divergence than EU-Switzerland given the UK’s more distinct data protection approach. Common bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar in the medium term and I very tentatively map out what this could mean for default standards in the UK related to sensitive data and integrity and also specific substantive restrictions to ensure a more graduated approach and reconciliation with other competing rights.
Are blockchain and EU-GDPR compatible? This presentation from 2020, from Dennis Hillemann (Podcast: The Blockchain lawyer), explains the most important legal challenges. The presentation explains:
- What are basic principles of GDPR?
- What are basic functionalities of the blockchain technology?
- What main issues are there between GDPR and blockchain technology?
- What is personal data in a blockchain scenario?
- Personal data & encryption and hashing
- Salting and Peppering
- Data processor and controller in a blockchain scenario
- Right to rectification and right to erasure
- Transfer to third countries
- National and international activities to bring Blockchain and GDPR together.
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A... | DamaineFranklinMScBE
Privacy ideas have had a long tradition within the UK and can be tracked prior to the common law and their recent appearance within the General Data Protection Regulation (GDPR) (Garcia-Alfaro et al., 2014). At the moment, Article 8 of the European Convention on Human Rights (ECHR) points out the right to privacy, which is also integrated into UK law owing to the Human Rights Act (HRA) of 1998 and also incorporated in the General Data Protection Regulation (Cornock, 2018). Although the European Court of Human Rights, which is located in Strasbourg, is not part of the European Union, it upholds privacy rights and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108 and has also considered the question of the safeguards of personal data from the viewpoint of rights of access to such data (Zaeem and Barber, 2020).
If the UK leaves the EU and EEA, will it be "adequate" for data transfers from the EU? Evidence suggests not, especially following the passing of the IP Act and the Tele2/Watson CJEU decision.
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective | David Erdos
These slides explore how EU and UK data protection as applied to search engine indexing has evolved in the nine years following the Google Spain (2014) judgment. This judgment has provided a very real and valuable remedy for hundreds of thousands of data subjects but the working out of its rather ad hoc limitations concerning “significant and additional” rights effect and action only in the context of “responsibilities, powers and capabilities” have raised many questions as regards legal certainty, the role of courts as opposed to legislatures and whether “effective and complete protection” is really being secured (an issue which is especially heightened in jurisdictions such as the UK given limited action by the UK DPA in a number of areas). The slides are based on my book chapter in Peter Coe and Paul Wragg (eds.), Landmark Cases in Privacy Law (Hart, 2023) as well as talks given at the Universities of Belfast, Cambridge, Leeds, Manchester and Public Service Budapest.
European Data Protection and Social Networking | David Erdos
These slides explore significant issues arising under data protection for both users and platforms as a result of the publication of third party personal data on such sites. Although the GDPR’s new wording of the household exemption could potentially exclude non-intrusive processing (e.g. sharing innocuous pictures taken in public), the Court of Justice of the EU (CJEU) is increasingly insistent that users acquire responsibilities when they publish such data to an indeterminate number. In principle, most EU Data Protection Authorities (DPAs) accept this although others including the UK and Irish have been very resistant. Many users could therefore have weighty data protection obligations here, although if contributing to a collective public debate they may be covered by the journalistic/special expression derogation and in any case there is a need for a balance with freedom of expression. CJEU ʻjoint controllerʼ case law also points to social networking sites having their own duties here, a proposition which has been backed by the Working Party, the UK DPA and the UK courts. Whilst the e-Commerce ʻhostʼ shield should significantly limit ex ante responsibility here, this must be tempered by the ʻduty of careʼ which is inherent in being a ʻcontrollerʼ under data protection. In sum, data protection in principle remains central to the regulation of ʻonline harmsʼ here although ensuring effective and well-balanced regulation in practice remains a formidable challenge.
See further:
“Intermediary Publishers and European data protection: Delimiting the ambit of responsibility for third-party rights through a synthetic interpretation of the EU acquis”, International Journal of Law and Information Technology (Vol. 26(3), pp. 189-225) (2018) - https://academic.oup.com/ijlit/article/26/3/189/5033541
“Beyond ʻHaving a Domesticʼ? Regulatory Interpretation of European Data Protection Law and Individual Publication”, Computer Law and Security Review (Vol. 33 (3), pp. 275-297) (2017) - Pre-print https://www.repository.cam.ac.uk/handle/1810/263883
With GDPR coming into effect, we can see a lot of changes in the privacy policies of companies doing business online. The presentation is a description of GDPR and its implications in India and worldwide. The main aim of the presentation is to identify the key issues of data privacy and the rights available to the consumer whose data is to be shared.
Indonesian Legislatives Passes Personal Data Protection Bill.pdf | AHRP Law Firm
The long-awaited Personal Data Protection Bill was finally passed by the Indonesian legislative on 20 September 2022 after initiating the prioritised legislative program three years ago. This legislative milestone would make it the first law to set comprehensive rules regarding personal data protection. The finalized bill is still due for approval from the President before it is enacted as law.
Regulatory Enforcement of UK Data Protection | David Erdos
These slides show that, although the (UK) GDPR mandates strong enforcement and a prioritisation of this by the regulator including through the handling of data subject complaints, severe limitations exist in practice. Indeed, in 2022-23 the Information Commissioner’s Office (ICO) did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only 4 GDPR fines totalling (after later adjustment) less than £0.2M. The Tribunal has removed any substantive bite to the individual order to progress complaints remedy and the Parliamentary Committees have failed to provide effective holistic scrutiny. There is a case for some of the legislative reforms now proposed including reconstituting the ICO as a corporate board and increasing transparency. However, others risk providing a de jure entrenchment of the ICO’s positioning away from being a comprehensive upholder of core data protection rights. None directly address the serious challenges present here but a two-fold approach would do so. The order to progress complaints should police the appropriateness of the ICO’s substantive as well as procedural response and not-for-profit representative complaints should be permitted even without the mandate of data subjects in order to encourage well-argued, strategically important cases. Second, and at least as importantly, the Equality and Human Rights Commission should be obliged to periodically provide holistic scrutiny of the ICO’s enforcement track-record from a human rights perspective within which data protection rights must ultimately sit. These slides are based on a full Working Paper which may be viewed here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284602
These slides explore the interface between generative AI services such as ChatGPT and Google Bard and the GDPR in light of the experience of search engine indexing under the EU framework. In contrast to search engines, EU data protection authorities have responded promptly to the emergence of generative AI and, in principle, have stressed the need for full data protection compliance. However, in reality a host of legal problems remain live including an absence of a clear legal basis at least for sensitive personal data, uncertainty about whether data quality standards and data subject rights at least as regards background processing are or even can be met and failures of transparency as regards the categories, sources and storage periods for the personal data under processing. There is a serious likelihood, and indeed even present indications, that generative AI services will seek to claim the extra- and even contra-legislative derogations crafted in case law for search engines which limit duties to situations where processing is liable to affect fundamental rights “significantly and additionally” and to actions which are deemed to fall within the “responsibilities, powers and capabilities” of the service operators. Such derogations grant operators too much discretion and pay insufficient attention to the highly active manner in which generative AI services process personal data.
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49 - David Erdos
These slides re-explore the discussions and outcome surrounding Ireland’s Commonwealth exit in 1948-49 in light of those which surrounded the UK-EU negotiations vis-à-vis Brexit. In each case it may be argued that a reluctant Member hastily committed to an exit which critics argued put a range of links, especially as regards trade and citizenship, at risk. Nevertheless, Ireland was more akin to a semi-detached Associate as opposed to a full Commonwealth Member at the time of its final exit in the late 1940s and had thereby already taken a number of steps to protect its position. Compared to Brexit, Ireland’s Commonwealth exit was also more concerned with symbolism as opposed to practical change. These factors, as well as decentralisation in the Commonwealth itself and significant support for Ireland from Commonwealth Members with large Irish diaspora populations, limited the trade-offs associated with exit in the Irish case. Nevertheless, similarly to Brexit, the remaining Members were keen to safeguard their existing legal obligations, ensure the continuing cohesion of the group and protect their own interests. Costs to the departing Member remained evident. In the case of Ireland, this was apparent in terms of a tightening of links between Northern Ireland and Great Britain, a requirement to commit to more secure and broader reciprocal migration ties and exclusion from full participation in the institutions which shaped the Sterling and Commonwealth Preference Areas of which it continued to be a part. Whilst far from a doppelganger, Ireland’s exit can, at least at the time of secession itself, usefully be seen as the Brexit Isles’ alter ego. For the accompanying full Working Paper see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4437102
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach? - David Erdos
These slides, based on a talk given to the Society of Legal Scholars’ Conference 2022, find that the current Data Protection and Digital Information Bill is substantively wide-ranging but not radical. Many of the changes could be considered a plausible gloss on the General Data Protection Regulation (GDPR) or achieve a result which could be justified under its restrictions/derogations clause. Those which go further such as the changes to the solely automated decision-making rights remain well within the parameters of the Data Protection Convention 108+. There is a danger that the Bill’s substantive modifications may be insufficiently innovative to address concerns about the scope and depth of the GDPR’s rules. On the other hand, the Bill’s regulatory changes do little to confront the limited enforcement of data protection and the new de jure flexibility offered to the Information Commissioner may further entrench the existing “soft” supervisory approach.
The GDPR and Journalism: Enforcement and Beyond - David Erdos
The interface and indeed tension between GDPR rights and journalism freedom of expression is profound. These slides, prepared for the EDPS Enforcement Conference 2022 (https://www.edpsconference2022.eu/en/press-media/media) explore the attempt to ensure a legal reconciliation across the EU Member States and how Data Protection Authorities (DPAs) might address their legal, resource and epistemic challenges here through facilitating meta/co-regulatory strategies including in the area of citizen media.
Data Protection and Journalism: The Changing Landscape - David Erdos
These slides provide an overview of the changing landscape for data protection and journalism in the decade or so since the Leveson Inquiry. As well as detailing the core public interest and incompatibility tests, they look at developments in case law, at the ICO and under the GDPR and DPA 2018. They are intended to provide background to the ICO consultation on a data protection and journalism code of practice which runs until 10 January 2022.
These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, which both the EU and UK remain strongly committed to. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO far from acts as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain - David Erdos
N.B. For full working paper see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3505921
This paper argues that Google’s essentially blanket and unsafeguarded dissemination to webmasters of URLs deindexed under the Google Spain judgment involves the disclosure of the claimant’s personal data, cannot be justified either on the purported basis of their consent or that this is legally required but instead seriously infringes European data protection standards. Disclosure of this data would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) was subject to effective safeguards that prevented any unauthorised repurposing or other use. Strict necessity thresholds would need to apply where disclosure involved special category data or was subject to reasoned objection by a data subject and international transfers would require appropriate safeguards as provided by the European Commission’s standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject’s rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether a data subject claims rights in data protection, defamation or civil privacy. The public’s legitimate interests in receiving information on personal data removals should be secured through safeguarded scientific research that the search engines should facilitate and promote.
Data Protection and "Intermediary" Responsibility: An Historical Perspective - David Erdos
These slides look historically at the tension between being in "control" of personal data and benefiting from certain freedom of expression shields when acting as an “intermediary” between an original content producer and an end user. It is shown that these tensions emerged as early as the 1980s in European data protection, with both the French and certain Scandinavian Data Protection Authorities (DPAs) adopting a strict construction of law vis-à-vis providers of interactive services on the Minitel and various news archive and other public databases respectively. By the late 1990s when the e-Commerce Directive 2000/31/EC was being negotiated a similar tension re-emerged in the form of the data protection “exemption” (art. 1(5)(b)) and the more general ambiguity as to whether “active” as opposed to “passive” services could benefit from the “host” shield (art. 14) in any case. A partial solution to the latter question was found in the reasonable “duties of care” preamble inserted in the instrument as recital 48. These early debates cast a new perspective on more contemporary developments in EU data protection and e-Commerce case law including C-131/12 Google Spain, C-507/17 Google v CNIL and C-18/18 Glawischnig-Piesczek.
Data Protection and Academia: Fundamental Rights in Conflict - David Erdos
This keynote talk to the Norwegian National Conference on Research Ethics on 18 September 2018 explored the tension between European data protection norms and the nature of much of academic work, focusing on problems as regards the basic model of data management, the notion of critical inquiry and the need in some circumstances to resort to covert methods. It argued that the "historical and scientific research purposes" provisions in Article 89 of the GDPR largely fail to address these difficulties and stressed the centrality of the protections for "academic expression" including alongside journalism in Article 89 which is correctly predicated on reconciling data protection with the fundamental right to freedom of expression.
European Data Protection, the Right to be Forgotten and Search Engines - David Erdos
Provides background and explores the interpretation and enforcement of search engines' obligations under European data protection almost four years on from Google Spain (2014) and on the cusp of the new GDPR era. Focuses on four ongoing controversies: (i) the scope of such responsibilities under DP, (ii) the regulation of sensitive personal data, (iii) the legitimacy of webmaster notification and (iv) the geographical scope of action required.
Data Protection and Academic Research: The New GDPR Framework - David Erdos
These slides provide an overview of the new data protection framework for academic research under the GDPR, situating this within the broader context of ethical review. After outlining the broad scope and default duties of the GDPR, the slides look at the critical issue of distinguishing processing for “academic purposes” - common in humanities and social studies – from processing only for “research” – common in the biomedical and other “hard” sciences. Whilst the former is subject to wide and liberal derogations akin to journalism, the latter is subject to mandatory safeguards and limited (and often further safeguarded) derogations. The implications of all this for ensuring lawful processing are outlined focusing on purposes specification, transparency, legal vires, data export and discipline duties as regards processors and co-controllers. It is finally noted that article 23 of the GDPR could permit further flexibility in future through secondary legislation.
New Media Internet Expression and European Data Protection - David Erdos
These slides are based on my keynote address to the Maison Française d'Oxford conference "Data Privacy Law: Policy and Legal Challenges", 20 November 2015. Drawing on both doctrinal analysis and a survey of European Data Protection Authorities (DPAs) it makes four key claims about law and practice as entrenched in C-131/12 Google Spain (2014). Firstly, both the Court of Justice and especially European DPAs have adopted an expansive interpretative stance as regards data protection applied to internet expression. Secondly, that paradigm has serious implications for a range of internet actors beyond search engines. Thirdly, enforcement has been both limited and sporadic. Fourthly, a focus by DPAs on enforcement can result in the production of detailed guidance which "reads down" the law and therefore is in some tension with the expansive interpretative stance generally adopted, the implementation of the Google Spain decision against search engines being a case in point.
EU General Data Protection Regulation & Transborder Information Flow - David Erdos
These slides are based on the talk I gave to the Wisconsin International Law Journal's Annual Symposium "Stamping Privacy's Passport? The Role of International Law in Safeguarding Individual Privacy" (Wisconsin, USA; 8 April 2016). This talk argued that European data protection's formal understanding of transborder data flow regulation (TBDF) is not only potentially very broad but has not appropriately balanced data protection against other key rights such as freedom of information and association. Many of these existing structural difficulties are exacerbated under the newly agreed General Data Protection Regulation (GDPR). In order to better reconcile the values at stake, Data Protection Authorities (DPAs) should also develop models to "authorize" low-risk TBDFs via self-certification by data controllers themselves. Member States should also make broad use of the derogations the Regulation leaves available. More generally, a contextual, risk-based interpretation of the GDPR must be developed which seeks to provide robust privacy and other individual safeguards without putting in jeopardy Europe’s other core values and liberties.
UK & EU Freedom of Information & Data Protection: Continuity & Change
1. Dr David Erdos
Centre for Intellectual Property & Information Law (CIPIL)
Faculty of Law, University of Cambridge
2. Outline
Transnational and Comparative Introduction
Formal law of EU and UK
General interpretation by courts, tribunal, ICO & EDPS
Situation as regards sensitive personal data
Conclusions
3. Transnational Introduction
Interface exists between DP and FOI, as essentially confirmed
in C-466/00 Österreichischer Rundfunk (2003).
The DPD included Recital 72 which stated:
“this Directive allows the principle of public access to official documents
to be taken into account when implementing the principles set out in
this Directive.”
Article 86 of the GDPR goes further stating:
“Personal data in official documents … may be disclosed by the authority
or body in accordance with Union or Member State law to which the
public authority or body is subject in order to reconcile public access to
official documents with right to the protection of personal data pursuant
to this Regulation.”
Still strong case that this law & related processing should
comply with GDPR (subject to permissible derogations).
4. Comparative Introduction
In practice, formal law on DP-FOI interface differs widely across
Europe.
Some countries have let FOI “trump” DP subject to some kind of
public interest test for certain personal information:
Ireland
Sweden
In many other countries and at the EU level, FOI has essentially
been made subject to ordinary DP (or further restricted here):
Pan-EU: Regulation (EC) 1049/2001
United Kingdom
France
Portugal
Greece (Fuster, 2014, p. 223)
Significant divergence is likely to persist in GDPR era.
5. EU Regulation 1049/2001
Art. 2 provides EU citizens and organizations with general
right of access to EU documents.
However, inter alia, Art. 4.1 establishes an exception where:
“disclosure would undermine the protection of: …
(b) privacy and the integrity of the individual, in particular in
accordance with Community legislation regarding the protection
of personal data.”
The DP legislation applicable to EU institutions is Regulation
2018/1725
Unlike the previous Regulation 45/2001, this instrument states
“Union institutions and bodies shall reconcile the right to the
protection of personal data with the right of access to documents
in accordance with Union law.” (art. 9(3))
6. UK FOIA, s. 40
For purposes of FOIA, limitations of “data” re: manual
holding are generally disapplied (s. 40 (3A)(b)).
Request where applicant is the data subject:
Automatic refusal (s. 40(1))
Subject access regime then applies with modified regime for
expanded meaning of “data” also (subject to cost limit)
The accuracy principle also applies here (DPA ss. 21(2) & 24)
Disclosure where applicant is not the data subject:
Reject where “disclosure of the information to a member of the
public otherwise than under this Act would contravene – any of
the data protection principles.” (s. 40(3A)(a) & s. 40(5B)(a))
7. UK FOIA, s. 40 cont.
In addition must refuse if:
Would contravene right to object (s. 40(3B)), or
Information exempt from subject access (s. 40(4A)).
However, these exemptions are subject to a public interest
test set out in s. 2(2)(b), whilst the other exemptions are
absolute (s. 2(3)(f)&(fa))
The same structure applies to disapplication of duty to
confirm or deny holding of material (s. 40(5A-B)).
However, in this case the public interest generally applies.
8. What are the ʻDP Principlesʼ here?
Under the old DPA 1998, the DP Principles referred to
essentially the entire substantive scheme.
The amended law states that:
(7) ….“the data protection principles” means the principles set out in –
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018 [re law enforcement]
…
(8) In determining for the purposes of this section whether the lawfulness
principle in Article 5(1)(e) of the GDPR (lawfulness) would be contravened
by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to
be read as if the second sub-paragraph (disapplying the legitimate interests
gateway in relation to public authorities) were omitted.
What is the status of other parts of GDPR Ch. II (Principles) i.e.
special categories (art. 9) & criminal data (art. 10)?
9. The Principles (art. 5(1))
Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data
subject (ʻLawfulness, fairness and transparencyʼ)
(b) Collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes … (ʻPurpose
Limitationʼ)
(c) Adequate, relevant and limited to what is necessary in relation
to the purposes for which they are processed (ʻData minimisationʼ);
(d) Accurate and, where necessary, up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate having regard to the purposes for
which they are processed, are erased or rectified without delay (ʻaccuracyʼ);
(e) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purpose for which the personal data are processed … (ʻstorage
limitationʼ);
(f) Processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational
measures (ʻintegrity and confidentialityʼ).
10. Some other UK FOI Laws
Environmental Information Regulations:
Regulation 13 is the mirror image of s. 40 FOIA (except
that intelligence services processing not excluded).
FOIA (Scotland) 2002
s. 38 is generally the mirror image of s. 40 FOIA.
In addition, s. 38 establishes absolute exemption for:
Personal census information (s. 38(1)(c)) – protected for 100
years (see s. 38(6) and s. 58(2)(b)).
A deceased person’s medical record (s. 38(1)(d)).
11. UK FOIA & the Deceased
In general, information about the deceased is not
“personal data” (GDPR, Recital 27).
In such circumstances the following come to the fore:
s. 41 FOIA (information provided in confidence)
Reg. 12 (5) (f), EIR (interests of person who provided
info)
s. 36 (2), FOIA (Scotland) re: confidentiality.
See ICO, Information About the Deceased.
12. ICO, FOI and the GDPR
Despite ambiguities above, ICO approach remains stable:
Does note that GDPR changes definition of sensitive data
and the subject access rules.
But otherwise suggests continuation of status quo.
“The General Data Protection Regulation (GDPR) came into effect
on 25 May 2018. The Data Protection Act 1998 will be replaced in
the UK with the Data Protection Act 2018.
Our approach to considering the disclosure of personal data
under the Freedom of Information Act 2000 (FOIA) and the
Environmental Information Regulations 2004 (EIR) remains
largely the same and our existing guidance is still of use. We will
amend it in due course.” (ICO, n.d./2018)
13. General Interpretation: ICO Approach (1)
No independent content here to “incompatibility”
“The third, fourth and fifth principles [essentially replicated
in art. 5(1)(c)-(e) of GDPR] are only likely to be relevant to
holding and using data, not to disclosure.”
Similar statement re: security, data transfer etc.
Purposes = authority’s business purposes, so no need to
specify FOIA in notification to data subjects (or
presumably in record keeping).
“There are eight data protection principles [under DPA 1998]. For
the purposes of disclosure under the FOIA, it is only the first
principle – data should be processed fairly and lawfully – that is
likely to be relevant.” (ICO, n.d., p. 10)
14. ICO Flowchart
Check that release would be fair
Check legitimating condition (cf. art. 6 GDPR) met
Consider whether release lawful (little independent
content but cf. Art. 8 ECHR)
“There are six conditions … but only condition 1 (consent) or
condition 6 (legitimate interests) should be relevant to
disclosure under FOIA.” (ICO, n.d., p. 31)
15. ICO Core Fairness Criteria
Sensitive personal data
Possible consequences of disclosure
Public domain (esp. if authoritative & very accessible)
Reasonable expectations
Nature or content of information
Circumstances in which data was obtained
Private vs. public life
(Fair processing notices)
Balance with general interests in transparency
General public interest in transparency
Public interest in issue
Public interest in specific information
16. ICO on Necessity etc.
Necessity is required due to need for legal ground:
“Pressing social need” & proportionality but also state:
“where the information in question is relatively innocuous, the
general need for transparency regarding public bodies may
constitute a sufficiently “pressing social need”.” (ICO, n.d., p. 35)
Other ways test differs from qualified exemption:
“there is no assumption of disclosure as there is with qualified
exemption … If the public authority discloses personal data in
contravention of DPA principles, it is in breach of its duty as a
data controller.” (ICO, n.d., p. 29)
17. Stance of Courts: House of Lords (now UKSC)
“there is no presumption in favour of the release of personal data
under the general obligation that FOISA lays down. The
references which that Act makes to provisions of DPA 1998 must
be understood in the light of the legislative purpose of that Act,
which was to implement Council Directive 95/46/EC. The
guiding principle is the protection of the fundamental rights and
freedoms of persons, and in particular their right to privacy with
respect to the processing of personal data: see recital 2 of the
preamble to, and article 1(1) of, the Directive.”
(Lord Hope in Common Services (2008) at [7])
18. High Court: Corporate Officer (2008)
“Pressing social need” not = “indispensable”
“Pressing social need” not = “desirable” or “useful”
“It was common ground that 'necessary' within para 6 of Sch 2
to the DPA should reflect the meaning attributed to it by the
European Court of Human Rights when justifying an
interference with a recognised right, namely that there should
be a pressing social need and that the interference was both
proportionate as to means and fairly balanced as to ends.” (at
[43])
19. Tribunal in Corporate Officer (2007)
“we find that when assessing the fair processing requirements
under the DPA that the consideration given to the interests of
data subjects, who are public officials where data are processed
for a public function, is no longer first or paramount. Their
interests are still important, but where data subjects carry out
public functions, hold elective office or spend public funds they
must have the expectation that their public actions will be
subject to greater scrutiny than would be the case in respect of
their private lives. This principle still applies even where a few
aspects of their private lives are intertwined with the public lives,
but where the vast majority of processing of personal data relates
to the data subject’s public life.” (para. 78)
20. Tribunal Corporate Officer on Transparency
Note different logic of argument here to ICO guidance
Note criticism of reasoning (“not completely clear”) in
Jay (2012, pp. 263-4)
Issue not directly considered by EWHC in appeal
“we accept … that the requirements of paragraph 2(1) of Part II to
Schedule 1 [the data subject notification provisions] have been
met. We are particularly able to make this finding as the
wording of paragraph 2 (1) (a) only requires that the data
controller “ensures so far as practicable” that data subjects are
provided with the information in sub-paragraph (3), so there is
no absolute requirement.” (para. 75)
21. Tribunal Guardian (2009)
Facts: Request for information on judges etc. reprimanded
etc. by Lord Chancellor in response to complaint.
Held: Information should not be disclosed.
Reasoning:
Expectation internal disciplinary matter private
More senior member of staff, higher expectation
Issues of sensitive personal data (despite no argument on
this point – see later)
22. Tribunal Dun (2011)
Facts: Case in part considered removal of ID and contact
details of junior civil servants who authored, were referred to in or
were copied into document.
Held: Redaction necessary in circumstances unless had
already been accidental disclosure.
Reasoning: Required case-by-case analysis. However:
“Having considered the redacted names and contact details of
junior civil servants the Tribunal is satisfied that disclosure
would not be fair and would be unwarranted” (at 43)
23. C-28/08 Bavarian Lager (2010)
Re: interpretation of Art. 4 (1) Reg. (EC) 1049/2001:
“disclosure would undermine the protection of:
…
(b) privacy and the integrity of the individual, in particular in
accordance with Community legislation regarding the
protection of personal data.”
Two very different views:
1. Threshold theory (Bavarian Lager, EDPS, CFI)
2. Renvoi theory (European Commission, UK, ECJ)
Second theory now clearly authoritative.
Interpretation may shed light on UK FOIA also.
24. C-28/08 Bavarian Lager (2010)
Facts: Bavarian Lager internal market violation claim.
Infringement proceedings opened. Meeting. Proceedings
dropped. Request names of people at meeting. Rejected
where no consent (in 2 cases) or unable to contact (in 3).
Held: Commission right to refuse disclosure in all 5 cases.
Reasoning:
“[W]here a request based on Regulation No. 1049/2001 seeks to
obtain access to documents including personal data, the
provisions of Regulation No 45/2001 became applicable in their
entirety, including Articles 8 and 18 thereof.” (at [63])
25. A. 8 (same thrust in art. 9(1)(b) of new Reg)
“personal data shall only be transferred to recipients subject to the
national law adopted for the implementation of Directive 95/46/EC,
… (b) if the recipient establishes the necessity of having the data
transferred and if there is no reason to assume that the data
subject's legitimate interests might be prejudiced.” (Reg. 45/2001)
“As Bavarian Lager had not provided any express and legitimate
justification or any convincing argument in order to demonstrate
the necessity for those personal data to be transferred, the
Commission has not been able to weigh up the various interests of
the parties concerned. Nor was it able to verify whether there was
any reason to assume that data subjects’ legitimate interests might
be prejudiced, as required by Article 8 (b) of Regulation No.
45/2001.” (at [77])
26. Reg. 45/2001, art. 18 (cf. arts. 14-16 of new Reg)
“The data subject’s right to object
The data subject shall have the right:
…
(b) to be informed before personal data are disclosed for the first
time to third parties or before they are used on their behalf for the
purposes of direct marketing, and to be expressly offered the right
to object free of charge to such disclosure or use.”
A. 14-16 of new Reg. mirrors information notice req. in GDPR:
Originally direct collection: New notice if new purpose.
Other personal data: Also new notice unless e.g.
“disproportionate basis” but then safeguards including
“making the [transparency] information publicly available”.
27. EDPS on Transparency (2011)
“The institution involved, as controller of the data, is under an
obligation to inform the data subject at the moment of collection of
the data about, inter alia, the purpose of the processing operation for
which the data are intended and the recipients or categories of
recipients of the data (see Articles 11 and 12 of the [old] data
protection regulation [45/2001]) ….
In situations in which the public disclosure is not unconditionally
announced at the moment of the data collection, the EDPS considers
it an element of fair processing (Article 4(1)(a) of the [2001] data
protection regulation [45/2001]) that the data subject is informed
subsequently before the information is in fact disclosed to the public.
Informing the data subject about the envisaged disclosure enables
data subjects to invoke their rights under the data protection
regulation.” (p. 9)
28. Sensitive Data: ICO Approach
Under DPA 1998 took strict view re: special vires:
Argued best to consider special vires before general vires.
ICO has maintained this strict approach under DPA 2018:
“The only [special] conditions … that are relevant to disclosures
under FOIA are condition 1 (explicit consent) or condition 5
(information already made public by the individual). This is
because the other conditions concern disclosure for a stated
purpose, and so cannot be relevant to the ‘applicant-blind’ and
‘purpose-blind’ nature of disclosure under FOIA.” (p. 30)
“[P]ublic authorities should consider whether disclosure would
breach the data protection principles. (In the case of special
category or criminal offence data, public authorities must also
satisfy one of the conditions listed in Article 9 of the GDPR).”
29. Tribunal Carleton (2009)
Facts: Request to HMCS re: criminal charges, verdict and
imposition of Court in relation to named individual who
had appeared before Court earlier in the month.
Held: Could not be released.
Reasoning:
Disclosure would be unfair.
Apparent anomalies re: press coverage and/or
attendance at Court noted in judgment.
30. Tribunal Brett (2009)
Facts: Request for various information related to evidence given by
Carmen Proetta re: Death on the Rock programme.
Held: Parts which were sensitive information of Proetta could not
be released.
Reasoning:
Open to considering provisions for disclosing for special
expressive purposes & research* as relevant.
But both had number of conditions attached.
Held “substantial public interest” not met.
Also unpersuaded that ordinary legitimating condition met.
* - Test now only requires “public interest” re: research (but other restrictions apply).
31. Conclusions
FOI-DP interface widely divergent within EU national laws.
UK FOI-DP interface has been formally very restrictive, but in
practice less so (although this laxity may have peaked).
Pan-EU FOI-DP interface is in formal terms similarly
restrictive & in practice seems much more rigorously applied.
Variety of conundrums especially as regards transparency
requirements and sensitive personal data vires.
DP Act may liberalise formal law here somewhat but depends
on interpretation by relevant actors – ICO, courts etc.