Data Protection Act and Freedom of Information Acts rights and duties now mainstream
This 20th Anniversary edition of Privacy Laws & Business United Kingdom Report coincides with the 20th Anniversary of the enactment of the Freedom of Information Act (FOIA) on 30 November 2000.
Data protection and freedom of information are now part of our national landscape, as shown by surveys of public awareness by the Information Commissioner. Usually data protection law hits the headlines more often than the FOIA, following a major data breach, such as that suffered by BA and Marriott Hotels or as part of the long-running Morrisons saga (PL&B UK Report May 2020).
But campaigning groups and publications use the FOIA to uncover public sector failings great and small at local and national level. For example, putting “Freedom of Information Grenfell fire” into a search engine will show a mass of public sector documentation on that subject alone. The influence of the FOIA is due not only to the reach of the statute itself but also to the consequent much greater climate of openness over this period. These days, a vast amount of previously confidential information is published routinely on public sector websites.
What few had foreseen is the extent to which the Court of Appeal and the Supreme Court are called upon to interpret data protection law (p.15 and p.19) and they have also made judicial decisions on the Freedom of Information Act. The next Data Protection Act case before the Supreme Court, expected in April next year, will be far reaching. It will rule not only on procedural matters, such as the deployment of representative actions, but also on whether the concept of “damage” should be extended to “loss of control” over personal data which is an aspect of damage little considered in the past.
Enforcement of the laws
As a symbol of regulatory change, the title of the Regulator changed in January 2001 from Data Protection Commissioner to Information Commissioner. This reflects the fact that the scope of the commissioner’s operations had broadened to supervise both laws, a task which successive commissioners have relished. Former Information Commissioner, Richard Thomas, has always been delighted at how his “Scores on the doors” campaign led to the requirement for restaurants and cafes to display the results of their latest inspection by the local Environmental Health Inspector, in an effort to drive up food hygiene standards.
Enforcement goes well beyond the Information Commissioner’s Enforcement Notices and fines, although the explicit statement of how the fines were calculated in the Marriott Hotels and BA cases is certainly welcome. The fines, at around 20% of the figure first mentioned, are certainly a relief to the companies and a recognition by the ICO that the current Covid-19 pandemic has had a disastrous effect on many companies. The ICO’s assertion that it is a reasonable and pragmatic regulator has been enhanced by these recent much reduced fines.
But enforcement tools can be, and are, also wielded by claimants, in the form of both group litigation orders and representative actions. Often these cases are supported (encouraged?) by litigation funders. Even that traditional tool, the data subject access request, is increasingly being used in litigation proceedings to support claims.
As the ICO has received increased funds in recent years, Elizabeth Denham, Information Commissioner, has broadened the ICO’s scope to encourage conversations between her assurance team and companies which use personal data in an innovative manner. This win-win interaction is the main feature of our podcast on the ICO Regulatory Sandbox, released on 27 October, and will be the subject of our 9th podcast to be released in a few days.
Getting close to the policy makers and regulators
We at Privacy Laws & Business continue on the path established from the start in 1987 of securing close relationships with the policy makers and regulators, so that we learn about the decision-making process and how the sometimes idealistic objectives of the texts in the statutes need to be balanced against what is possible. Recently, in our webinar series, we have been learning about German data protection law and how regulators and a judge at state level choose to interpret the facts of a case in the light of what a company can do in a specific circumstance.
PL&B’s 33rd Annual International Conference now online and starts on 19 November
Nowhere to Hide, our 33rd Annual International Conference, is a selection of some of the sessions we would have run in Cambridge in July. The first session is on Thursday 19 November on California’s new privacy law. Of course, we have one on Brexit and adequacy on 7th December with a speaker from the DCMS: How the UK is assessing the adequacy of, and free flow of data with, other countries and vice versa in the post Brexit era. These 11 online sessions run into January.
I greatly appreciate the continuing support of my dedicated colleagues and of you, our PL&B Report subscribers. We are pleased to attract some new contacts via our webinars and podcasts but our regular Reports and News are at the heart of what we do.
We would welcome your written commendations which we would then add to those we have published over the last year on the back page of each edition (p.24).
As we move in January into our 21st year of continuous publication of this PL&B UK Report and the 35th year of our PL&B International Report, Laura, Editor, firstname.lastname@example.org, and I, email@example.com, are always keen to receive your comments and suggestions.
Stewart Dresner, Publisher
The controller/processor dilemma: EDPB consults on guidance
One of the first questions an organisation must ask itself when considering its data protection compliance responsibilities is: “Are we controller or processor?” By Emma Erskine-Fox of TLT.
Enforcement guidance: ICO says it will not shoot to kill
Marta Dunphy-Moriel and Alexander Dittel of Kemp Little assess the guidance which was issued immediately before the much reduced BA and Marriott fines.