SlideShare a Scribd company logo

UK & EU Freedom of Information & Data Protection: Continuity & Change

David Erdos
David Erdos

This presentation explores continuities and changes in the interface between freedom of information and personal information protection at pan-EU level and in the UK under the amended law of the Data Protection Act 2018 and Regulation 2018/1725. Comparing both regimes, it especially focuses on fairness and balancing, the requirement to demonstrate the "necessity" of processing, the position of the deceased and the relationship between disclosure, transparency and sensitive personal data rules.

1 of 31
Dr David Erdos Centre for Intellectual Property & Information Law (CIPIL) Faculty of Law, University of Cambridge
Outline  Transnational and Comparative Introduction  Formal law of EU and UK  General interpretation by courts, tribunal, ICO & EDPS  Situation as regards sensitive personal data  Conclusions
Transnational Introduction  Interface exists between DP and FOI, as essentially confirmed in C-466/00 Österreichischer Rundfunk (2003).  The DPD included Rectial 72 which stated:  Article 86 of the GDPR goes further stating:  Still strong case that this law & related processing should comply with GDPR (subject to permissible derogations). “this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive.” “Personal data in official documents … may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with right to the protection of personal data pursuant to this Regulation.”
Comparative Introduction  In practice, formal law on DP-FOI interface differs widely across Europe.  Some countries have let FOI “trump” DP subject to some kind of public interest test for certain personal information:  Ireland  Sweden  In many other countries and at the EU level, FOI has essentially been made subject to ordinary DP (or further restricted here):  Pan-EU: Regulation (EC) 1049/2001  United Kingdom  France  Portugal  Greece (Fuster, 2014, p. 223)  Significance divergence is likely to persist in GDPR era.
EU Regulation 1049/2001  Art. 2 provides EU citizens and organizations with general right of access to EU documents.  However, inter alia, Art. 4.1 establishes an exception where:  The DP legislation applicable to EU institutions is Regulation 2018/1725  Unlike the previous Regulation 45/2001, this instrument states “disclosure would undermine the protection of: … (b) privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data.” “Union institutions and bodies shall reconcile the right to the protection of personal data with the right of access to documents in accordance with Union law.” (art. 9(3))
UK FOIA, s. 40  For purposes of FOIA, limitations of “data” re: manual holding are generally disapplied (s. 40 (3A)(b)).  Request where applicant is the data subject:  Automatic refusal (s. 40(1))  Subject access regime then applies with modified regime for expanded meaning of “data” also (subject to cost limit)  The accuracy principle also applies here (DPA ss. 21(2) & 24)  Disclosure where applicant is not the data subject: Reject where “disclosure of the information to a member of the public otherwise than under this Act would contravene – any of the data protection principles.” (s. 40(3A)(a) & s. 40(5B)(a))
UK FOIA, s. 40 cont.  In addition must refuse if:  Would contravene right to object (s. 40(3B), or  Information exempt from subject access (s. 40(4A)).  However, these exemptions are subject to a public interest test set out in s. 2(2)(b), whilst the other exemptions are absolute (s. 2(3)(f)&(fa))  The same structure applies to disapplication of duty to confirm or deny holding of material (s. 40(5A-B)).  However, in this case the public interest generally applies.
What are the ʻDP Principlesʼ here?  Under the old DPA 1998, the DP Principles referred to essentially the entire substantive scheme.  The amended law states that:  What is the status of other parts of GPDR Ch. II (Principles) i.e. special categories (art. 9) & criminal data (art. 10)? (7) ….“the data protection principles” means the principles set out in – (a) Article 5(1) of the GDPR, and (b) section 34(1) of the Data Protection Act 2018 [re law enforcement] … (8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(e) of the GPDR (lawfulness) would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
The Principles (art. 5(1)) Personal data shall be: (a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (ʻLawfulness, fairness and transparencyʼ) (b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (ʻPurpose Limitationʼ) (c) Adequate, relevant and limited to what is necessary is necessary in relation to the purposes for which they are processed (ʻData minimisationʼ); (d) Accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay (ʻaccuracyʼ); (e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed … (ʻstorage limitationʼ); (f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures (ʻintegrity and confidentialityʼ).
Some other UK FOI Laws  Environmental Information Regulations:  Regulation 13 is the mirror image of s. 40 FOIA (except that intelligence services processing not excluded).  FOIA (Scotland) 2002  s. 38 is generally the mirror image of s. 40 FOIA.  In addition, s. 38 establishes absolute exemption for:  Personal census information (s. 38(1)(c)) – protected for 100 years (see s. 38(6) and s. 58(2)(b)).  A deceased person’s medical record (s. 38(1)(d)).
UK FOIA & the Deceased  In general, information about the deceased is not “personal data” (GDPR, Recital 27).  In such circumstances the following come to the fore:  s. 41 FOIA (information provided in confidence)  Reg. 12 (5) (f), EIR (interests of personal who provided info)  s. 36 (2), FOIA (Scotland) re: confidentiality.  See ICO, Information About the Deceased.
ICO, FOI and the GDPR  Despite ambiguities above, ICO approach remains stable:  Does note that GDPR changes definition of sensitive data and the subject access rules.  But otherwise suggests continuation of status quo. “The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The Data Protection Act 1998 will be replaced in the UK with the Data Protection Act 2018. Our approach to considering the disclosure of personal data under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) remains largely the same and our existing guidance is still of use. We will amend it in due course.” (ICO, n.d./2018)
General Interpretation: ICO Approach (1)  No independent content here to “incompatibility”  “The third, fourth and fifth principles [essentially replicated in art. 5(1)(c)-(e) of GDPR] are only likely to be relevant to holding and using data, not to disclosure.”  Similar statement re: security, data transfer etc.  Purposes = authority’s business purposes, so no need to specify FOIA in notification to data subjects (or presumably in record keeping). “There are eight data protection principles [under DPA 1998]. For the purposes of disclosure under the FOIA, it is only the first principle – data should be processed fairly and lawfully – that is likely to be relevant.” (ICO, n.d., p. 10)
ICO Flowchart  Check that release would be fair  Check legitimating condition (cf. art. 6 GDPR) met  Consider whether release lawful (little independent content but cf. Art. 8 ECHR) “There are six conditions … but only condition 1 (consent) or condition 6 (legitimate interests) should be relevant to disclosure under FOIA.” (ICO, n.d., p. 31)
ICO Core Fairness Criteria  Sensitive personal data  Possible consequences of disclosure  Public domain (esp. if authoritative & very accessible)  Reasonable expectations  Nature or content of information  Circumstances in which data was obtained  Private vs. public life  (Fair processing notices)  Balance with general interests in transparency  General public interest in transparency  Public interest in issue  Public interest in specific information
ICO on Necessity etc.  Necessity is required due to need for legal ground:  “Pressing social need” & proportionality but also state:  Others ways test differs from qualified exemption: “where the information in question is relatively innocuous, the general need for transparency regarding public bodies may constitute a sufficiently “pressing social need”.” (ICO, n.d., p. 35) “there is no assumption of disclosure as there is with qualified exemption … If the public authority discloses personal data in contravention of DPA principles, it is in breach of its duty as a data controller.” (ICO, n.d., p. 29)
Stance of Courts: House of Lords (now UKSC) “there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The references which that Act makes to provisions of DPA 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive.” (Lord Hope in Common Services (2008) at [7])
High Court: Corporate Officer (2008)  “Pressing social need” not = “indispensable”  “Pressing social need” not = “desirable” or “useful” “It was common ground that 'necessary' within para 6 of Sch 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends.” (at [43])
Tribunal IN Corporate Officer (2007) “we find that when assessing the fair processing requirements under the DPA that the consideration given to the interests of data subjects, who are public officials where data are processed for a public function, is no longer first or paramount. There interests are still important, but where data subjects carry out public functions, hold elective office or spend public funds they must have the expectation that their public actions will be subject to greater scrutiny than would be the case in respect of their private lives. This principle still applies even where a few aspects of their private lives are intertwined with the public lives, but where the vast majority of processing of personal data relates to the data subject’s public life.” (para. 78)
Tribunal Corporate Officer on Transparency  Note different logic of argument here to ICO guidance  Note criticism of reasoning (“not completely clear”) in Jay (2012, pp. 263-4)  Issue not directly considered by EWHC in appeal “we accept … that the requirements of paragraph 2(1) of Part II to Schedule 1 [the data subject notification provisions] have been met. We are particularly able to make this finding as the wording of paragraph 2 (1) (a) only requires that the data controller “ensures so far as practicable” that data subjects are provided with the information in sub-paragraph (3), so there is no absolute requirement.” (para. 75)
Tribunal Guardian (2009)  Facts: Request for information on judges etc. reprimanded etc. by Lord Chancellor in response to complaint.  Held: Information should not be disclosed.  Reasoning:  Expectation internal disciplinary matter private  More senior member of staff, higher expectation  Issues of sensitive personal data (despite no argument on this point – see later)
Tribunal Dun (2011)  Facts: Case in part considered removal of ID and contact details of junior civil servants authored, referred to or were copied into document.  Held: Redaction necessary in circumstances unless had already been accidental disclosure.  Reasoning: Required case-by-case analysis. However: “Having considered the redacted names and contact details of junior civil servants the Tribunal is satisfied that disclosure would not be fair and would be unwarranted” (at 43)
C-28/08 Bavarian Lager (2010)  Re: interpretation of Art. 4 (1) Reg. (EC) 1049/2001:  Two very different views: 1. Threshold theory (Bavarian Lager, EDPS, CFI) 2. Renvoi theory (European Commission, UK, ECJ)  Second theory now clearly authoritative.  Interpretation may shed a slight of UK FOIA also. “disclosure would undermine the protection of: … (b) privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data.”
C-28/08 Bavarian Lager (2010)  Facts: Bavarian Lager internal market violation claim. Infringement proceedings opened. Meeting. Proceedings dropped. Request names of people at meeting. Rejected where no consent (in 2 cases) or unable to contact (in 3).  Held: Commission right to refuse disclosure in all 5 cases.  Reasoning: “[W]here a request based on Regulation No. 1049/2001 seeks to obtain access to documents including personal data, the provisions of Regulation No 45/2001 became applicable in their entirety, including Articles 8 and 18 thereof.” (at [63])
A. 8 (same thrust in art. 9(1)(b) of new Reg) “personal data shall only be transferred to recipients subject to the national law adopted for the implementation of Directive 95/46/EC, … (b) if the recipient establishes the necessity of having the data transferred and if there is no reason to assume that the data subject's legitimate interests might be prejudiced.” (Reg. 45/2001) “As Bavarian Lager had not provided any express and legitimate justification or any convincing argument in order to demonstrate the necessity for those personal data to be transferred, the Commission has not been able to weigh up the various interests of the parties concerned. Nor was it able to verify whether there was any reason to assume that data subjects’ legitimate interests might be prejudiced, as required by Article 8 (b) of Regulation No. 45/2001.” (at [77])
Reg. 45/2001, art. 18 (cf. arts. 14-16 of new Reg) “The data subject’s right to object The data subject shall have the right: … (b) to be informed before personal data are disclosed for the first time to third parties or before their and used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosure of use.”  A. 14-16 of new Reg. mirrors information notice req. in GDPR:  Originally direct collection: New notice if new purpose.  Other personal data: Also new notice unless e.g. “disproportionate basis” but then safeguards including “making the [transparency] information publicly available”.
EDPS on Transparency (2011) “The institution involved, as controller of the data, is under an obligation to inform the data subject at the moment of collection of the data about, inter alia, the purpose of the processing operation for which the data are intended and the recipients or categories of recipients of the data (see Articles 11 and 12 of the [old] data protection regulation [45/2001]) …. In situations in which the public disclosure is not unconditionally announced at the moment of the data collection, the EDPS considers it an element of fair processing (Article 4(1)(a) of the [2001] data protection regulation [45/2001]) that the data subject is informed subsequently before the information is in fact disclosed to the public. Informing the data subject about the envisaged disclosure enables data subjects to invoke their rights under the data protection regulation.” (p. 9)
Sensitive Data: ICO Approach  Under DPA 1998 took strict view re: special vires:  Argued best to consider special vires before general vires.  ICO has maintained this strict approach under DPA 2018: “The only [special] conditions … that are relevant to disclosures under FOIA are condition 1 (explicit consent) or condition 5 (information already made public by the individual). This is because the other conditions concern disclosure for a stated purpose, and so cannot be relevant to the ‘applicant-blind’ and ‘purpose-blind’ nature of disclosure under FOIA.“ (p. 30) “[P]ublic authorities should consider whether disclosure would breach the data protection principles. (In the case of special category or criminal offence data, public authorities must also satisfy one of the conditions listed in Article 9 of the GDPR).”
Tribunal Carleton (2009) Facts: Request to HMCS re: criminal charges, verdict and imposition of Court in relation to named individual who had appeared before Court earlier in the month. Held: Could not be released. Reasoning:  Disclosure would be unfair.  Apparent anomalies re: press coverage and/or attendance at Court noted in judgment.
Tribunal Brett (2009) Facts: Request for various information related to evidence given by Carmen Proetta re: Death on the Rock programme. Held: Parts which were sensitive information of Proetta could not be released. Reasoning:  Open to considering provisions for disclosing for special expressive purposes & research* as relevant.  But both had number of conditions attached.  Held “substantial public interest” not met.  Also unpersuaded that ordinary legitimating condition met. * - Test now only requires “public interest” re: research (but other restrictions apply).
Conclusions  FOI-DP interface widely divergent within EU national laws.  UK FOI-DP interface has been formally very restrictive, but in practice less so (although this laxity may have peaked).  Pan-EU FOI-DP interface is in formal terms similarly restrictive & in practice seems much more rigorously applied.  Variety of conundrums especially as regards transparency requirements and sensitive personal data vires.  DP Act may liberalise formal law here somewhat but depends on interpretation by relevant actors – ICO, courts etc.

Recommended

The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)
FOTIOS ZYGOULIS
 
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy SheidlTransatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Daniel Parziale, CIPP/US
 
Data Protection Guide – What are your rights as a citizen?
Data Protection Guide – What are your rights as a citizen?Data Protection Guide – What are your rights as a citizen?
Data Protection Guide – What are your rights as a citizen?
Edouard Nguyen
 
FOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesFOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representatives
bjknight
 
Compatible use of personal data (개인정보 이용의 양립가능성)
Compatible use of personal data (개인정보 이용의 양립가능성)Compatible use of personal data (개인정보 이용의 양립가능성)
Compatible use of personal data (개인정보 이용의 양립가능성)
David Lee
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be Forgotten
Edouard Nguyen
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
Kate Chan
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
David Erdos
 

Recommended

The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)The implementation of gdpr in greece (1)
The implementation of gdpr in greece (1)
FOTIOS ZYGOULIS
 
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy SheidlTransatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Daniel Parziale, CIPP/US
 
Data Protection Guide – What are your rights as a citizen?
Data Protection Guide – What are your rights as a citizen?Data Protection Guide – What are your rights as a citizen?
Data Protection Guide – What are your rights as a citizen?
Edouard Nguyen
 
FOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesFOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representatives
bjknight
 
Compatible use of personal data (개인정보 이용의 양립가능성)
Compatible use of personal data (개인정보 이용의 양립가능성)Compatible use of personal data (개인정보 이용의 양립가능성)
Compatible use of personal data (개인정보 이용의 양립가능성)
David Lee
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be Forgotten
Edouard Nguyen
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
Kate Chan
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
David Erdos
 
Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data Protection
David Erdos
 
Report of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenReport of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenGreg Sterling
 
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONTHE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
IJNSA Journal
 
Box 10
Box 10Box 10
Box 10
OmPrakash63906
 
Box 13
Box 13Box 13
Box 13
OmPrakash63906
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data Protection
David Erdos
 
Box 11
Box 11Box 11
Box 11
OmPrakash63906
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EU
David Erdos
 
20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?
OpenAIRE
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Ubicomp challenges for privacy law
Ubicomp challenges for privacy lawUbicomp challenges for privacy law
Ubicomp challenges for privacy law
blogzilla
 
Research and The Law
Research and The LawResearch and The Law
Research and The Law
Michael Bromby
 
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
Localogy
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...
David Erdos
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_enGreg Sterling
 
[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...
CODE BLUE
 
Box 9
Box 9Box 9
Box 9
OmPrakash63906
 
The Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search ResultsThe Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search ResultsGreg Sterling
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
David Erdos
 
euregs
euregseuregs
euregsbwgoodman
 
Istanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanziIstanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanziAtıf ÜNALDI
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
David Erdos
 

More Related Content

What's hot

Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data Protection
David Erdos
 
Report of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenReport of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenGreg Sterling
 
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONTHE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
IJNSA Journal
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data Protection
David Erdos
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EU
David Erdos
 
20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?
OpenAIRE
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Ubicomp challenges for privacy law
Ubicomp challenges for privacy lawUbicomp challenges for privacy law
Ubicomp challenges for privacy law
blogzilla
 
Research and The Law
Research and The LawResearch and The Law
Research and The Law
Michael Bromby
 
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
Localogy
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...
David Erdos
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_enGreg Sterling
 
[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...
CODE BLUE
 
The Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search ResultsThe Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search ResultsGreg Sterling
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
David Erdos
 

What's hot (19)

Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data Protection
 
Report of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenReport of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgotten
 
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONTHE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
 
Box 10
Box 10Box 10
Box 10
 
Box 13
Box 13Box 13
Box 13
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data Protection
 
Box 11
Box 11Box 11
Box 11
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EU
 
20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Ubicomp challenges for privacy law
Ubicomp challenges for privacy lawUbicomp challenges for privacy law
Ubicomp challenges for privacy law
 
Research and The Law
Research and The LawResearch and The Law
Research and The Law
 
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
LSA19: What Europe Can Teach U.S. Companies About Location and Data Privacy W...
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_en
 
[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...[CB19] Applicability of GDPR and APPI to international companies and the impa...
[CB19] Applicability of GDPR and APPI to international companies and the impa...
 
Box 9
Box 9Box 9
Box 9
 
The Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search ResultsThe Right to Be Forgotten in European Search Results
The Right to Be Forgotten in European Search Results
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
 

Similar to UK & EU Freedom of Information & Data Protection: Continuity & Change

Istanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanziIstanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanziAtıf ÜNALDI
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
David Erdos
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation
DennisHillemann
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
DamaineFranklinMScBE
 
IT & Internet Law
IT & Internet LawIT & Internet Law
IT & Internet Law
DamaineFranklinMScBE
 
Data_privacy_law_in_Asia_pacific 08] (2).ppt
Data_privacy_law_in_Asia_pacific 08] (2).pptData_privacy_law_in_Asia_pacific 08] (2).ppt
Data_privacy_law_in_Asia_pacific 08] (2).ppt
Karo73
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacy
Lilian Edwards
 
Right to be forgotten final paper
Right to be forgotten final paperRight to be forgotten final paper
Right to be forgotten final paperreporter1120
 
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
David Erdos
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
David Erdos
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" ruling
Silesia SEM
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
DipanjanDey12
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
AHRP Law Firm
 
Get Data Protection Right (GDPR)
Get Data Protection Right (GDPR)Get Data Protection Right (GDPR)
Get Data Protection Right (GDPR)
miiker
 
VIAF GDPR
VIAF GDPRVIAF GDPR
VIAF GDPR
Biblioteca Nacional de España
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
Quick guide gdpr
Quick guide gdprQuick guide gdpr
Quick guide gdpr
Miguel Mello
 
Constitutional law project (1)
Constitutional law project (1)Constitutional law project (1)
Constitutional law project (1)
PreetPatel74
 

Similar to UK & EU Freedom of Information & Data Protection: Continuity & Change (20)

euregs
euregseuregs
euregs
 
Istanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanziIstanbul conference 2011_roberto_lattanzi
Istanbul conference 2011_roberto_lattanzi
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
 
IT & Internet Law
IT & Internet LawIT & Internet Law
IT & Internet Law
 
Data_privacy_law_in_Asia_pacific 08] (2).ppt
Data_privacy_law_in_Asia_pacific 08] (2).pptData_privacy_law_in_Asia_pacific 08] (2).ppt
Data_privacy_law_in_Asia_pacific 08] (2).ppt
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacy
 
Right to be forgotten final paper
Right to be forgotten final paperRight to be forgotten final paper
Right to be forgotten final paper
 
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" ruling
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
 
Get Data Protection Right (GDPR)
Get Data Protection Right (GDPR)Get Data Protection Right (GDPR)
Get Data Protection Right (GDPR)
 
VIAF GDPR
VIAF GDPRVIAF GDPR
VIAF GDPR
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Quick guide gdpr
Quick guide gdprQuick guide gdpr
Quick guide gdpr
 
Constitutional law project (1)
Constitutional law project (1)Constitutional law project (1)
Constitutional law project (1)
 

More from David Erdos

Regulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data ProtectionRegulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data Protection
David Erdos
 
Generative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPRGenerative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPR
David Erdos
 
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
David Erdos
 
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
David Erdos
 
The GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and BeyondThe GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and Beyond
David Erdos
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing Landscape
David Erdos
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?
David Erdos
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
David Erdos
 
Data Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical PerspectiveData Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical Perspective
David Erdos
 
Data Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in ConflictData Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in Conflict
David Erdos
 
European Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesEuropean Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search Engines
David Erdos
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR Framework
David Erdos
 
New Media Internet Expression and European Data Protection
New Media Internet Expression and European Data ProtectionNew Media Internet Expression and European Data Protection
New Media Internet Expression and European Data Protection
David Erdos
 
EU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information FlowEU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information Flow
David Erdos
 

More from David Erdos (14)

Regulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data ProtectionRegulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data Protection
 
Generative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPRGenerative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPR
 
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
 
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
 
The GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and BeyondThe GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and Beyond
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing Landscape
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
 
Data Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical PerspectiveData Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical Perspective
 
Data Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in ConflictData Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in Conflict
 
European Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesEuropean Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search Engines
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR Framework
 
New Media Internet Expression and European Data Protection
New Media Internet Expression and European Data ProtectionNew Media Internet Expression and European Data Protection
New Media Internet Expression and European Data Protection
 
EU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information FlowEU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information Flow
 

Recently uploaded

Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
Knowyourright
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
9ib5wiwt
 
Matthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government LiaisonMatthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government Liaison
MattGardner52
 
The Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptxThe Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptx
nehatalele22st
 
Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976
PelayoGilbert
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
BridgeWest.eu
 
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
bhavenpr
 
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
YashSingh373746
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
CAAJAYKUMAR4
 
How to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the NetherlandsHow to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the Netherlands
BridgeWest.eu
 
Roles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John CavittRoles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John Cavitt
johncavitthouston
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
9ib5wiwt
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
46adnanshahzad
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Gabe Whitley
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
ssuser0576e4
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
ShivkumarIyer18
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
o6ov5dqmf
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 

Recently uploaded (20)

Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
 
Matthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government LiaisonMatthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government Liaison
 
The Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptxThe Reserve Bank of India Act, 1934.pptx
The Reserve Bank of India Act, 1934.pptx
 
Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976Ease of Paying Tax Law Republic Act 11976
Ease of Paying Tax Law Republic Act 11976
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
 
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
Consolidated_Analysis_report_(Phase_1_to_7)_of_Criminal_and_Financial_backgro...
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
 
How to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the NetherlandsHow to Obtain Permanent Residency in the Netherlands
How to Obtain Permanent Residency in the Netherlands
 
Roles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John CavittRoles of a Bankruptcy Lawyer John Cavitt
Roles of a Bankruptcy Lawyer John Cavitt
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 

UK & EU Freedom of Information & Data Protection: Continuity & Change

  • 1. Dr David Erdos Centre for Intellectual Property & Information Law (CIPIL) Faculty of Law, University of Cambridge
  • 2. Outline  Transnational and Comparative Introduction  Formal law of EU and UK  General interpretation by courts, tribunal, ICO & EDPS  Situation as regards sensitive personal data  Conclusions
  • 3. Transnational Introduction  Interface exists between DP and FOI, as essentially confirmed in C-466/00 Österreichischer Rundfunk (2003).  The DPD included Rectial 72 which stated:  Article 86 of the GDPR goes further stating:  Still strong case that this law & related processing should comply with GDPR (subject to permissible derogations). “this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive.” “Personal data in official documents … may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with right to the protection of personal data pursuant to this Regulation.”
  • 4. Comparative Introduction  In practice, formal law on DP-FOI interface differs widely across Europe.  Some countries have let FOI “trump” DP subject to some kind of public interest test for certain personal information:  Ireland  Sweden  In many other countries and at the EU level, FOI has essentially been made subject to ordinary DP (or further restricted here):  Pan-EU: Regulation (EC) 1049/2001  United Kingdom  France  Portugal  Greece (Fuster, 2014, p. 223)  Significance divergence is likely to persist in GDPR era.
  • 5. EU Regulation 1049/2001  Art. 2 provides EU citizens and organizations with general right of access to EU documents.  However, inter alia, Art. 4.1 establishes an exception where:  The DP legislation applicable to EU institutions is Regulation 2018/1725  Unlike the previous Regulation 45/2001, this instrument states “disclosure would undermine the protection of: … (b) privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data.” “Union institutions and bodies shall reconcile the right to the protection of personal data with the right of access to documents in accordance with Union law.” (art. 9(3))
  • 6. UK FOIA, s. 40  For purposes of FOIA, limitations of “data” re: manual holding are generally disapplied (s. 40 (3A)(b)).  Request where applicant is the data subject:  Automatic refusal (s. 40(1))  Subject access regime then applies with modified regime for expanded meaning of “data” also (subject to cost limit)  The accuracy principle also applies here (DPA ss. 21(2) & 24)  Disclosure where applicant is not the data subject: Reject where “disclosure of the information to a member of the public otherwise than under this Act would contravene – any of the data protection principles.” (s. 40(3A)(a) & s. 40(5B)(a))
  • 7. UK FOIA, s. 40 cont.  In addition must refuse if:  Would contravene right to object (s. 40(3B), or  Information exempt from subject access (s. 40(4A)).  However, these exemptions are subject to a public interest test set out in s. 2(2)(b), whilst the other exemptions are absolute (s. 2(3)(f)&(fa))  The same structure applies to disapplication of duty to confirm or deny holding of material (s. 40(5A-B)).  However, in this case the public interest generally applies.
  • 8. What are the ʻDP Principlesʼ here?  Under the old DPA 1998, the DP Principles referred to essentially the entire substantive scheme.  The amended law states that:  What is the status of other parts of GPDR Ch. II (Principles) i.e. special categories (art. 9) & criminal data (art. 10)? (7) ….“the data protection principles” means the principles set out in – (a) Article 5(1) of the GDPR, and (b) section 34(1) of the Data Protection Act 2018 [re law enforcement] … (8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(e) of the GPDR (lawfulness) would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
  • 9. The Principles (art. 5(1)) Personal data shall be: (a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (ʻLawfulness, fairness and transparencyʼ) (b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (ʻPurpose Limitationʼ) (c) Adequate, relevant and limited to what is necessary is necessary in relation to the purposes for which they are processed (ʻData minimisationʼ); (d) Accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay (ʻaccuracyʼ); (e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed … (ʻstorage limitationʼ); (f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures (ʻintegrity and confidentialityʼ).
  • 10. Some other UK FOI Laws  Environmental Information Regulations:  Regulation 13 is the mirror image of s. 40 FOIA (except that intelligence services processing not excluded).  FOIA (Scotland) 2002  s. 38 is generally the mirror image of s. 40 FOIA.  In addition, s. 38 establishes absolute exemption for:  Personal census information (s. 38(1)(c)) – protected for 100 years (see s. 38(6) and s. 58(2)(b)).  A deceased person’s medical record (s. 38(1)(d)).
  • 11. UK FOIA & the Deceased  In general, information about the deceased is not “personal data” (GDPR, Recital 27).  In such circumstances the following come to the fore:  s. 41 FOIA (information provided in confidence)  Reg. 12 (5) (f), EIR (interests of personal who provided info)  s. 36 (2), FOIA (Scotland) re: confidentiality.  See ICO, Information About the Deceased.
  • 12. ICO, FOI and the GDPR  Despite ambiguities above, ICO approach remains stable:  Does note that GDPR changes definition of sensitive data and the subject access rules.  But otherwise suggests continuation of status quo. “The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The Data Protection Act 1998 will be replaced in the UK with the Data Protection Act 2018. Our approach to considering the disclosure of personal data under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) remains largely the same and our existing guidance is still of use. We will amend it in due course.” (ICO, n.d./2018)
  • 13. General Interpretation: ICO Approach (1)  No independent content here to “incompatibility”  “The third, fourth and fifth principles [essentially replicated in art. 5(1)(c)-(e) of GDPR] are only likely to be relevant to holding and using data, not to disclosure.”  Similar statement re: security, data transfer etc.  Purposes = authority’s business purposes, so no need to specify FOIA in notification to data subjects (or presumably in record keeping). “There are eight data protection principles [under DPA 1998]. For the purposes of disclosure under the FOIA, it is only the first principle – data should be processed fairly and lawfully – that is likely to be relevant.” (ICO, n.d., p. 10)
  • 14. ICO Flowchart  Check that release would be fair  Check legitimating condition (cf. art. 6 GDPR) met  Consider whether release lawful (little independent content but cf. Art. 8 ECHR) “There are six conditions … but only condition 1 (consent) or condition 6 (legitimate interests) should be relevant to disclosure under FOIA.” (ICO, n.d., p. 31)
  • 15. ICO Core Fairness Criteria  Sensitive personal data  Possible consequences of disclosure  Public domain (esp. if authoritative & very accessible)  Reasonable expectations  Nature or content of information  Circumstances in which data was obtained  Private vs. public life  (Fair processing notices)  Balance with general interests in transparency  General public interest in transparency  Public interest in issue  Public interest in specific information
  • 16. ICO on Necessity etc.  Necessity is required due to need for legal ground:  “Pressing social need” & proportionality but also state:  Others ways test differs from qualified exemption: “where the information in question is relatively innocuous, the general need for transparency regarding public bodies may constitute a sufficiently “pressing social need”.” (ICO, n.d., p. 35) “there is no assumption of disclosure as there is with qualified exemption … If the public authority discloses personal data in contravention of DPA principles, it is in breach of its duty as a data controller.” (ICO, n.d., p. 29)
  • 17. Stance of Courts: House of Lords (now UKSC) “there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The references which that Act makes to provisions of DPA 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive.” (Lord Hope in Common Services (2008) at [7])
  • 18. High Court: Corporate Officer (2008)  “Pressing social need” not = “indispensable”  “Pressing social need” not = “desirable” or “useful” “It was common ground that 'necessary' within para 6 of Sch 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends.” (at [43])
  • 19. Tribunal IN Corporate Officer (2007) “we find that when assessing the fair processing requirements under the DPA that the consideration given to the interests of data subjects, who are public officials where data are processed for a public function, is no longer first or paramount. There interests are still important, but where data subjects carry out public functions, hold elective office or spend public funds they must have the expectation that their public actions will be subject to greater scrutiny than would be the case in respect of their private lives. This principle still applies even where a few aspects of their private lives are intertwined with the public lives, but where the vast majority of processing of personal data relates to the data subject’s public life.” (para. 78)
  • 20. Tribunal Corporate Officer on Transparency  Note different logic of argument here to ICO guidance  Note criticism of reasoning (“not completely clear”) in Jay (2012, pp. 263-4)  Issue not directly considered by EWHC in appeal “we accept … that the requirements of paragraph 2(1) of Part II to Schedule 1 [the data subject notification provisions] have been met. We are particularly able to make this finding as the wording of paragraph 2 (1) (a) only requires that the data controller “ensures so far as practicable” that data subjects are provided with the information in sub-paragraph (3), so there is no absolute requirement.” (para. 75)
  • 21. Tribunal Guardian (2009)  Facts: Request for information on judges etc. reprimanded etc. by Lord Chancellor in response to complaint.  Held: Information should not be disclosed.  Reasoning:  Expectation internal disciplinary matter private  More senior member of staff, higher expectation  Issues of sensitive personal data (despite no argument on this point – see later)
  • 22. Tribunal Dun (2011)  Facts: Case in part considered removal of ID and contact details of junior civil servants authored, referred to or were copied into document.  Held: Redaction necessary in circumstances unless had already been accidental disclosure.  Reasoning: Required case-by-case analysis. However: “Having considered the redacted names and contact details of junior civil servants the Tribunal is satisfied that disclosure would not be fair and would be unwarranted” (at 43)
  • 23. C-28/08 Bavarian Lager (2010)  Re: interpretation of Art. 4 (1) Reg. (EC) 1049/2001:  Two very different views: 1. Threshold theory (Bavarian Lager, EDPS, CFI) 2. Renvoi theory (European Commission, UK, ECJ)  Second theory now clearly authoritative.  Interpretation may shed a slight of UK FOIA also. “disclosure would undermine the protection of: … (b) privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data.”
  • 24. C-28/08 Bavarian Lager (2010)  Facts: Bavarian Lager internal market violation claim. Infringement proceedings opened. Meeting. Proceedings dropped. Request names of people at meeting. Rejected where no consent (in 2 cases) or unable to contact (in 3).  Held: Commission right to refuse disclosure in all 5 cases.  Reasoning: “[W]here a request based on Regulation No. 1049/2001 seeks to obtain access to documents including personal data, the provisions of Regulation No 45/2001 became applicable in their entirety, including Articles 8 and 18 thereof.” (at [63])
  • 25. A. 8 (same thrust in art. 9(1)(b) of new Reg) “personal data shall only be transferred to recipients subject to the national law adopted for the implementation of Directive 95/46/EC, … (b) if the recipient establishes the necessity of having the data transferred and if there is no reason to assume that the data subject's legitimate interests might be prejudiced.” (Reg. 45/2001) “As Bavarian Lager had not provided any express and legitimate justification or any convincing argument in order to demonstrate the necessity for those personal data to be transferred, the Commission has not been able to weigh up the various interests of the parties concerned. Nor was it able to verify whether there was any reason to assume that data subjects’ legitimate interests might be prejudiced, as required by Article 8 (b) of Regulation No. 45/2001.” (at [77])
  • 26. Reg. 45/2001, art. 18 (cf. arts. 14-16 of new Reg) “The data subject’s right to object The data subject shall have the right: … (b) to be informed before personal data are disclosed for the first time to third parties or before their and used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosure of use.”  A. 14-16 of new Reg. mirrors information notice req. in GDPR:  Originally direct collection: New notice if new purpose.  Other personal data: Also new notice unless e.g. “disproportionate basis” but then safeguards including “making the [transparency] information publicly available”.
  • 27. EDPS on Transparency (2011) “The institution involved, as controller of the data, is under an obligation to inform the data subject at the moment of collection of the data about, inter alia, the purpose of the processing operation for which the data are intended and the recipients or categories of recipients of the data (see Articles 11 and 12 of the [old] data protection regulation [45/2001]) …. In situations in which the public disclosure is not unconditionally announced at the moment of the data collection, the EDPS considers it an element of fair processing (Article 4(1)(a) of the [2001] data protection regulation [45/2001]) that the data subject is informed subsequently before the information is in fact disclosed to the public. Informing the data subject about the envisaged disclosure enables data subjects to invoke their rights under the data protection regulation.” (p. 9)
  • 28. Sensitive Data: ICO Approach  Under DPA 1998 took strict view re: special vires:  Argued best to consider special vires before general vires.  ICO has maintained this strict approach under DPA 2018: “The only [special] conditions … that are relevant to disclosures under FOIA are condition 1 (explicit consent) or condition 5 (information already made public by the individual). This is because the other conditions concern disclosure for a stated purpose, and so cannot be relevant to the ‘applicant-blind’ and ‘purpose-blind’ nature of disclosure under FOIA.“ (p. 30) “[P]ublic authorities should consider whether disclosure would breach the data protection principles. (In the case of special category or criminal offence data, public authorities must also satisfy one of the conditions listed in Article 9 of the GDPR).”
  • 29. Tribunal Carleton (2009) Facts: Request to HMCS re: criminal charges, verdict and imposition of Court in relation to named individual who had appeared before Court earlier in the month. Held: Could not be released. Reasoning:  Disclosure would be unfair.  Apparent anomalies re: press coverage and/or attendance at Court noted in judgment.
  • 30. Tribunal Brett (2009) Facts: Request for various information related to evidence given by Carmen Proetta re: Death on the Rock programme. Held: Parts which were sensitive information of Proetta could not be released. Reasoning:  Open to considering provisions for disclosing for special expressive purposes & research* as relevant.  But both had number of conditions attached.  Held “substantial public interest” not met.  Also unpersuaded that ordinary legitimating condition met. * - Test now only requires “public interest” re: research (but other restrictions apply).
  • 31. Conclusions  FOI-DP interface widely divergent within EU national laws.  UK FOI-DP interface has been formally very restrictive, but in practice less so (although this laxity may have peaked).  Pan-EU FOI-DP interface is in formal terms similarly restrictive & in practice seems much more rigorously applied.  Variety of conundrums especially as regards transparency requirements and sensitive personal data vires.  DP Act may liberalise formal law here somewhat but depends on interpretation by relevant actors – ICO, courts etc.