Navigating the Harbours: The Commission Awakens

November 7th, 2015 by Christopher Knight

Like everyone else who operates in the field, this blog may have touched once or twice on the issues arising out of Schrems. Both Robin (here) and Tim (here) have provided some summaries of the sorts of alternatives data controllers will need to think about, and the guidance issued by the Article 29 Working Party as a result. But what, everyone has been asking, does the European Commission have to say about all this?

Happily, the heavy lids of ignorance may be lifted as the Commission has awoken. (Whether it more closely resembles the Force or a Kraken is perhaps a matter of personal preference.) It has produced a lengthy document which is actually both helpful and readily understandable. Not adding umpteen recitals probably helps. It draws together a lot of the practical issues and much of the existing guidance from the Article 29 WP already discussed for a sort of cheat-sheet document to help you navigate the ongoing choppy waters. You can find and download it here.

By way of precis, it informs us that the Commission has now “intensified” discussions with the US about a new Safe Harbour agreement, and that it hopes to have an outcome in three months. That would indeed require a considerable intensification, but there is nothing like ongoing illegality to concentrate the mind.

In the meantime, the Commission reminds us that Binding Corporate Rules are an option only for internal group company data transfers (something often overlooked), summarises what the Article 29 WP have suggested need to be included and, rather optimistically, notes that the process has been facilitated and sped up by inter-Data Protection Authority liaison. Unfortunately, the reality is that in the UK, the ICO has always warned that BCR approval can take 12 months, and many readers will have had the experience of it taking considerably longer. The ICO has a lot of balls to juggle and not many hands, and there has been a deafening silence from the multinationals who want BCRs on the subject of paying for the resources to get them more quickly.

Outside of the BCR context, the Commission stresses its own approved contractual solution between controllers: the Standard Contract Clauses. There are currently four approved sets: two as between controllers and two as between controller and processor. They include obligations as regards security measures, information to the data subject in case of transfer of sensitive data, notification to the data exporter of access requests by the third countries’ law enforcement authorities or of any accidental or unauthorised access, and the rights of data subjects to the access, rectification and erasure of their personal data, as well as rules on compensation for the data subject in case of damage arising from a breach by either party to the SCCs. The model clauses also require EU data subjects to have the possibility to invoke before a DPA and/or a court of the Member State in which the data exporter is established the rights they derive from the contractual clauses as a third party beneficiary. What the Commission adds is to point out that Commission decisions are binding in Member States, and SCCs are a result of Commission decisions. The presumption is, therefore, that the SCCs provide adequate protection (although they can be challenged in a court and referred to the CJEU if necessary). DPAs will want to check any boutique amendments to the SCCs for compliance.

The Commission points out that under the new Regulation the proposal is that neither SCCs nor BCRs will require further authorisation by a national authority.

The third option is, of course, the derogations in Article 26(1). The Commission goes through each, highlighting the existing guidance on them and attempting the balance of making them look like workable solutions whilst stressing the need to construe them strictly. It may well be that much of the routine transfer businesses have used – because of banking transfers or international travel – will be covered by the contractual derogations providing, of course, that the transfer is necessary. The Article 29 Working Party considers that there has to be a “close and substantial connection”, a “direct and objective link” between the data subject and the purposes of the contract or the pre-contractual measure as an aspect of the necessity test. The derogation cannot be applied to transfers of additional information not necessary for the purpose of the transfer, or transfers for a purpose other than the performance of the contract (for example, follow-up marketing). If consent is relied upon it must be “unambiguous”, and so cannot be implied.

What the Commission does not really discuss is the ability of controllers to carry out their own adequacy assessment and rely on that. It is theoretically possible, but inevitably it is a risky route to adopt in this new-found atmosphere of data protection litigation.

The Commission also accepts that all of its other adequacy decisions are open to challenge in courts, but does not consider any to be at immediate risk.

By way of update on global reactions, readers may be aware that the German DPA has taken the most restrictive post-Schrems line; it has declined to approve any new BCRs or amended SCCs for the time being, although it has not said it will invalidate existing agreements. It has also taken a very restrictive line on consent. In Ireland, the remittal by the CJEU to the Irish Courts has led to the start of the domestic process of investigation into adequacy, but those proceedings are at a very early stage still. The passing of the Judicial Redress Bill by the US House of Representatives is being seen as one step closer to the possibility of remedying one hole in the Safe Harbour scheme, which was the difficulty of EU citizens vindicating their rights in the US. Under the new Bill they could, in theory, be designated so that vindication was more plausible, but that is a long way from resolving all of the issues. There are also likely to be implications for the TTIP negotiations, although the sense is that data protection will be carved out of TTIP altogether and left to the new Regulation. However, it is also of interest that the impact has been wider than just the EU-US relationship. Israel – currently subject to an adequacy decision itself – has revoked its own decision giving prior authorisation for the transfer of data from Israel to US companies signed-up to the Safe Harbor, doubtless to ensure that the EU-Israel adequacy decision is not undermined by proxy.

None of this is likely to be the last word, or post, on the subject. January 2016, by which time a solution has to have been found or the DPAs will start enforcing, seems awfully close…

Christopher Knight

Multi-billion dollar actions for inaccurate personal data?

November 4th, 2015 by Robin Hopkins

Data protection has developed a curious habit of churning up heroic (or anti-heroic, depending on how you view it) figures who take on global behemoths to surprising effect. Maybe I am being too dramatic, but think of Mario Costeja González, the complainant at the heart of the Google Spain ‘right to be forgotten’ case, and Max Schrems, whose litigation has thrown Safe Harbor and transatlantic data transfers into turmoil.

If we maintain a transatlantic gaze, another such figure comes into view. On Monday of this week, the Supreme Court of the United States heard argument in the case of Spokeo Inc v Thomas Robins. Mr Robins – the potential David in this important new David v Goliath episode – is at the forefront of litigation against the ‘people search engine’ Spokeo (see Anya’s earlier post here).

The profile Spokeo compiled about him said he was a graduate, a professional in his 50s and a married man with children. Hardly defamatory stuff, except that none of it was correct. He did not establish that these errors caused him any financial loss, but he seeks damages for the publication of factually incorrect information about his life.

So what, you say? Well, consider the Amicus Briefs put before SCOTUS by Ebay, Facebook, Google and Yahoo. They all say that this is a very big deal. They point out that, as major global tech innovators, they are exposed to numerous federal and state laws which contain statutory damages provisions for private causes of action. If standing is granted for “no injury” lawsuits “plaintiffs may pursue suits against amici even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class action damages that could run into the billions of dollars”.

The issues in Robins (should you be compensated for mere breaches or for ‘digital injuries’?) resonate with live issues before the courts in the UK: can you be compensated under the Data Protection Act 1998 for mere distress (see Vidal-Hall v Google, en route to the Supreme Court)? How should one compensate for privacy violations (see Gulati, on which the Court of Appeal’s judgment is awaited)?

Regardless of whether Mr Robins emerges as a Goliath-slayer, his case adds to the law’s increasingly intense scrutiny of global tech companies whose stock in trade is personal data.

Robin Hopkins @hopkinsrobin

FOI and Article 10: life after Kennedy (and Kenedi)

November 4th, 2015 by Robin Hopkins

The right to freedom of expression under Article 10(1) of the European Convention on Human Rights includes “freedom… to receive and impart information and ideas without interference by public authority”. Does that mean that there is a human right to freedom of information?

The question has haunted the courtrooms of the UK and other EU member states in recent years. In England and Wales, the last domestic word has been Kennedy v Charity Commission [2014] UKSC 20. The answer in Kennedy was ‘no’: Article 10 ECHR does not impose a positive, free-standing duty on public authorities to disclose information upon request.

That is not, however, the final word. Kennedy is to be heard by the European Court of Human Rights in Strasbourg – but the case has been stayed. This is because the Grand Chamber accepted another case raising essentially the same question.

The case is Magyar Helsinki Bizottság v Hungary (18030/11). The applicant, a human rights NGO, asked police forces to disclose information about ‘public defenders’, i.e. defence counsel appointed in criminal proceedings. The police forces refused, and the Hungarian court refused to order disclosure. The applicant complains that the refusal interferes with its rights under Article 10.

Bizottság was heard by the Grand Chamber today.

The UK government was an intervener. It urged the Court to conclude that Article 10 ECHR does not create a right to receive information from a public authority, in accordance with a line of authority (Leander v Sweden (1987) 9 EHRR 433, Gaskin v United Kingdom (1990) 12 EHRR 36, Guerra v Italy (1998) 26 EHRR 357 and Roche v United Kingdom (2006) 42 EHRR 30).

The Hungarian government’s position was to the same effect. It contended that concessions made in cases supporting the link between Article 10 and freedom of information (such as Társaság a Szabadságjogokért v Hungary (2011) 53 EHRR 3 and Kenedi v Hungary 27 BHRC 335) were fact-specific.

Statutory rights to freedom of information in England and Wales are currently under threat of curtailment. Kennedy introduced (or confirmed) that, at least in certain circumstances, freedom of information also has a common law foundation. The Grand Chamber’s judgment in Bizottság will reveal whether, in addition to its statutory and common law pillars, freedom of information has a human rights basis as well.

Jason Coppel QC, Karen Steyn QC and Christopher Knight of 11KBW represented intervening parties in Bizottság.

Robin Hopkins @hopkinsrobin

11KBW ranked No. 1 in Data Protection and Information Law in Chambers and Partners and Legal 500 for another year

November 2nd, 2015 by Panopticon Blog

We are thrilled to be, once again, the only chambers ranked in the top tier in the leading legal directories for data protection and information law. With 5 silks and 9 juniors listed in Chambers, and 5 silks and 8 juniors listed in Legal 500 as leaders in this field, we are recognised as the pre-eminent set having “an impressive roster of highly accomplished counsel at all levels of seniority” acting for both public and private clients and with a breadth and depth of experience second-to-none. Our information law blog, Panopticon, received special mention in Chambers and Partners as impressing clients. We look forward to another successful year and are grateful to our clients for their continuing support.

11KBW remains ‘the set others aspire to beat in data protection work’ – Legal 500, 2015

Crime and Justice and Data Protection. Oh My.

October 29th, 2015 by Christopher Knight

This is not a lengthy analytical post; it is by way of quick update on the much overlooked younger sibling of the proposed General Data Protection Regulation: the Data Protection Directive for the police and criminal justice sector. Most practitioners are understandably focussing on the Regulation: that is the instrument which will affect most of us most of the time. But the EU is proposing to harmonise the rules across sectors and, at the same time, implement a new Directive applicable to the police and criminal justice sectors. The existing Directive does not, of course, apply to that arena by virtue of article 3(2) (although the DPA 1998 is unlimited in its scope, so the point has rarely been of much relevance domestically).

It’s Good to TalkTalk About Increased Fines

October 27th, 2015 by Christopher Knight

As if TalkTalk don’t have enough to think about at the moment, the House of Commons yesterday discussed the sanctions available to the Information Commissioner for significant data breaches. Responding to an urgent question on the TalkTalk incident, the Minister for Culture and the Digital Economy (wasn’t that one of Gladstone’s titles once?), Ed Vaizey, made a number of interesting comments.

Safe Harbour and the European regulators

October 26th, 2015 by Timothy Pitt-Payne QC

On 6th October 2015 the CJEU declared the Commission’s Safe Harbor Decision invalid, in Case C-362/14 Schrems.  Since then, data protection specialists have discussed little else; and Panopticon has hosted comments by Chris Knight, Anya Proops, and Robin Hopkins.

How have EU data protection regulators responded to the judgment?

The ICO’s immediate response came in a statement from Deputy Commissioner David Smith.  This struck a careful and measured tone, emphasising that the Safe Harbour is not the only basis on which transfers to the US can be made, and referring to the ICO’s earlier guidance on the range of ways in which overseas transfers can be made.

On 16th October the Article 29 Working Party issued a statement taking a rather more combative line.  Here are the main points.

  1. The question of massive and indiscriminate surveillance (i.e. in the US) was a key element of the CJEU’s analysis. The Court’s judgment implied that any adequacy analysis required a broad analysis of the third country’s domestic laws and international commitments.
  2. The Working Party urgently called on Member States and European institutions to open discussions with the US authorities to find suitable solutions. The current negotiations around a new Safe Harbour could be part of the solution.
  3. Meanwhile the Working Party would continue its analysis of how the CJEU judgment affected other transfer tools. During this period Standard Contractual Clauses and Binding Corporate Rules could still be used. If by the end of January 2016 no appropriate solution with the US had been found, the EU regulators would take “appropriate actions”.
  4. Transfers still taking place based on the Safe Harbour decision were unlawful.

There are a couple of key messages here.  One is that it seems doubtful that the Article 29 Working Party would regard an adequacy assessment by a data controller as being a proper basis for transfer to the US:  see point 1.  A second is that there is a hint that even standard clauses and BCRs might not be regarded a safe basis for transfer (see point 3): the answer will depend on the outcome of the Working Party’s further analysis of the implications of Schrems.

The rise of the Ubermensch

October 23rd, 2015 by Timothy Pitt-Payne QC

In May 2012, Transport for London licensed Uber London Limited as an operator of private hire vehicles in London.

Uber is controversial.  It’s a good example of how new technology can disrupt existing business models in unexpected ways.  One controversy is addressed by Ouseley J in Transport for London v Uber London Limited and others [2015] EWHC 2918 (Admin):  whether the way in which the Uber fare is calculated infringes the criminal prohibition on the use of a taximeter in a London private hire vehicle. Answer – it doesn’t.

What does any of this have to do with Panopticon?  Our usual concerns, broadly speaking, are with access to public sector information, and with information privacy (including its interaction with freedom of expression).  But these fields are fundamentally shaped by developments in the technology that is used for collecting, sharing and using information.  A wider understanding of the legal issues to which those developments can give rise is valuable, even if it takes us a little outside the usual ambit of this blog.

So:  in London there are black cabs, and there are private hire vehicles (PHVs).  PHVs are subject to three-fold licensing:  the operator, the vehicle, and the driver must all be licensed.  One of the restrictions under which PHVs operate is that it is a criminal offence for the vehicle to be equipped with a taximeter: see section 11(1) of the Private Hire Vehicles (London) Act 1998.  A taximeter is defined by section 11(3) as “a device for calculating the fare to be charged in respect of any journey by reference to the distance travelled or time elapsed since the start of the journey (or a combination of both)”.

Uber operates in London as a licensed PHV operator (though the vehicles in its network include both PHVs and black cabs).  It uses technology that – as Ouseley J points out – was not envisaged when the relevant legislation was introduced in 1998.  “As was agreed, the changes brought about by the arrival of Google, the Smartphone equipped with accurate civilian use GPS, mobile internet access and in-car navigation systems, would not have been within the contemplation of Parliament in 1998.” (Google was in fact incorporated in 1998, and what it has to do with the case is obscure, but let that pass).

In order for the Uber system to operate, both the driver and the customer must have a smartphone, and must download the Uber Driver App and Customer App respectively.  The customer makes a booking using the Customer App.  The booking is transmitted to Uber’s servers in the US, and thence to the smartphone of the driver of the nearest vehicle in London – if that driver does not accept the booking, it is sent to the next nearest vehicle.  When the driver picks up the customer, the driver presses the “begin trip” icon on the Driver App.  At the end of the journey he presses “end trip”.  Signals are then sent to Uber’s servers in the US by the driver’s Smartphone, providing them with GPS data from the driver’s smartphone and time details.  One of the servers (“Server 2”) obtains information from another server about the relevant fare structure, and then calculates the fare and transmits information to the Driver App and the Customer App about the amount charged.  The customer’s credit or debit card is charged for the journey.

Does all this mean that the vehicle is equipped with a taximeter?

No, said Ouseley J, in proceedings brought by Transport for London seeking a declaration that PHVs in the Uber network are not equipped with a taximeter.

The argument before Ouseley J was that the driver’s smartphone, operating using the Driver App, was a taximeter.  But the fatal objection to this argument was that the fare was calculated by Server 2 not by the smartphone, and hence the calculation was done remotely and not in the vehicle itself.  To contravene section 11, it was not sufficient that the calculation was done using information uploaded from the smartphone, and that the calculation was then transmitted to and received on the smartphone.  Hence the smartphone was not a device falling within section 11(3). Moreover, even if the smartphone was a relevant device, the vehicle was not equipped with it; it was the driver who was equipped, and so the prohibition in section 11(1) was not infringed in any event.

Ouseley J considered the case-law about the need to adopt an updating or “always speaking” construction of legislation, to take account of technological or scientific developments: see R (Quintavalle) v Secretary of State for Health [2003] UKHL 13, [2003] 2 AC 687. This case law had no bearing, since section 11 was in general terms and entirely capable of being applied to modern technology; there was no need to adopt any updating construction of the section.

The Uber case is a useful reminder that controversies about the implications of developments such as big data, cloud computing, and mobile internet access, are not just about privacy and data protection.  Rather, the issues are pervasive and can be expected to affect every corner of the law (and of politics, the economy, and society).

The mobile data devices that we use are constantly interacting with other devices and information storage facilities, including servers.  For the purpose of our daily lives, usually all we are interested in is specific transactions (like booking and paying for a PHV): we do not need to think about the different stages of information processing that underpin the transaction.  But for regulatory purposes, breaking down a transaction into those stages, and understanding when and how each stage takes place, can be essential.  Uber drivers and customers don’t need to think about Server 2:  but if you want to know whether Uber breaks the law, Server 2 is crucial.

Court of Appeal considers damages for privacy breaches – data protection to follow suit?

October 20th, 2015 by Robin Hopkins

This week, the Court of Appeal is grappling with a difficult and important question: how do you value an invasion of privacy? In other words, where someone has suffered a breach of their privacy rights, how do you go about determining the compensation they should receive?

The appeal is brought by MGN against the judgment of Mann J in Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch). That judgment concerned victims of blagging and phone-hacking (including Paul Gascoigne, Sadie Frost and Alan Yentob) for which Mirror Group Newspapers was held responsible.

Mann J awarded the claimants compensation ranging between £85,000 and £260,250. His judgment was ground-breaking, in part due to the size of those awards. (By way of comparison, the previous highest award in a privacy case had been made to Max Mosley, in the region of £60,000 – but most awards have been much lower).

It was also ground-breaking in terms of the methodology adopted to calculate quantum for privacy breaches. Here is how Mann J summarised the rival arguments (paragraph 108; I have underlined the components put forward by the claimants):

“… The case of the claimants is that the compensation should have several elements.  There is compensation for loss of privacy or “autonomy” resulting from the hacking or blagging that went on; there is compensation for injury to feelings (including distress); and there is compensation for “damage or affront to dignity or standing”.  The defendant disputes this and submits that all that can be compensated for is distress or injury to feelings…  It is accepted that such things as loss of autonomy are relevant, but only as causes of the distress which is then compensated for.  They are not capable of sustaining separate heads of compensation…”

As is clear from that synopsis, the debate is not just about money, observable cause-and-effect or hard-edged law. The debate also has difficult philosophical and ethical dimensions. It seems that neither society nor the law (which sometimes overlap) has yet got to the bottom of what it really means to have one’s privacy invaded.

In any event, Mann J certainly did his bit to progress that debate. He preferred the analysis of the claimants – hence the large awards they received. See for example his paragraphs 143-144:

“… The tort is not a right to be prevented from upset in a particular way.  It is a right to have one’s privacy respected.  Misappropriating (misusing) private information without causing “upset” is still a wrong.  I fail to see why it should not, of itself, attract damages.  Otherwise the right becomes empty, contrary to what the European jurisprudence requires.  Upset adds another basis for damages; it does not provide the only basis. I shall therefore approach the consideration of quantum in this case on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself so far as that commission impacts on the values protected by the right.”

The Court of Appeal’s judgment in MGN’s appeal will have a huge impact on the size of awards in privacy cases, and thereby on the privacy litigation landscape itself. It will also no doubt contribute to our understanding of how 21st-century society values (or ought to value) privacy.

What impact will it have on compensation under section 13 of the Data Protection Act 1998?

As with privacy compensation, data protection compensation is having a revolutionary year: see the striking down of section 13(2) in Vidal-Hall v Google [2015] EWCA Civ 311. Traditionally, few people brought claims under section 13 DPA, because it was assumed that they could only be compensated for distress (their primary complaint) if they also suffered financial loss (which mostly they hadn’t). Vidal-Hall overturned that: you can be compensated for distress alone under section 13 DPA. This point will be considered by the Supreme Court next year, but for now, the removal of this barrier to successful section 13 claims is hugely important.

Another barrier, however, lingers: section 13 DPA awards tend to be discouragingly low, from a claimant’s perspective. See most crucially Halliday v Creation Consumer Finance [2013] EWCA Civ 333 (where an award for £750 was made): “the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation…” (per Arden LJ at paragraph 36).

Increasingly, however, case law emphasises the intimate relationship between data protection and fundamental privacy rights: see for example Vidal-Hall, and last year’s ‘right to be forgotten’ judgment in the Google Spain case.

So, if Mann J’s wide, claimant-friendly approach to quantifying damages is upheld in the privacy context, how long before the same approach infiltrates data protection litigation?

Robin Hopkins @hopkinsrobin

Privacy, Patients and Payments – information sharing in the Court of Appeal

October 16th, 2015 by Timothy Pitt-Payne QC

The recent decision of the Court of Appeal in W, X, Y and Z v Secretary of State for Health, Secretary of State for the Home Department and British Medical Association [2015] EWCA Civ 1034 offers rich pickings for information lawyers.  It deals with the status of information about medical treatment; it looks at the scope of common law protection for private and confidential information generally; and it illustrates how wider public law concepts can apply in the field of information sharing.

The context is the arrangements for charging for NHS services.  Persons who are not ordinarily resident can be charged for their use of the NHS, under the National Health Service (Charges to Overseas Visitors) Regulations 2011 (“the Charging Regulations”).  Under amendments made to the Immigration Rules in 2011, individuals with unpaid NHS debts of at least £1,000 may face immigration sanctions.  Also in 2011, the Secretary of State issued Guidance (“the Guidance”) on implementing the Charging Regulations.

The Guidance provides for information-sharing in support of the Charging Regulations.  NHS bodies are to transmit certain information (“the Information”) about non-resident patients to the Secretary of State for Health, who then passes it to the Home Office.  The Information includes the name, date of birth and gender of the patient, current address (if known), nationality, travel document number and expiry dates, the amount and date of the patient’s NHS debt, and the NHS body to which it is owed.

In judicial review proceedings, four non-UK residents challenged the legality of part of the Guidance.  In substance, they were challenging the information sharing arrangements outlined above.  They lost before Silber J, who held that the Information did not constitute confidential or private information.  The BMA were sufficiently concerned by this that they applied to intervene in the proceedings on appeal.  They were represented by Panopticon regular Anya Proops.

The Court of Appeal considered the issues under three broad headings: first, whether disclosure breached the claimants’ common law rights to privacy or confidentiality; secondly, a group of arguments about vires; and thirdly, the application of Article 8 of the European Convention on Human Rights.

On the first issue, the Court of Appeal considered privacy and confidentiality together. The Court distinguished two questions. The first was whether the Information was private or confidential in nature; and, if yes, the second was whether the claimants’ rights had been breached.

As to the first question, the Court held that Silber J had adopted the wrong approach by asking whether disclosure would be “highly offensive” (adopting the language of Lord Hope in Campbell v MGN [2004] UKHL 22).  That formulation was relevant to whether an interference with the right to privacy was justified; on the prior question of whether information was private, the touchstone was Lord Nicholls’ formulation in Campbell of whether the person in question had a reasonable expectation of privacy.

The Court accepted the BMA’s submission that the Information was inherently private because it told you something about the individuals’ health: it revealed that they had been unwell to the extent that they needed to seek medical care from an NHS body; and in some cases the nature of the NHS body would indicate the nature of the illness. It did not matter that the Information was not about the details of the medical treatment in question. The Court also referred to various guidance (e.g. from the GMC and the BMA) that all identifiable patient data held by a doctor or hospital should be treated as confidential. Nevertheless, the Court held that the Information was generally not private in relation to the Secretary of State and the Home Office. The reason was that the Guidance made clear that overseas visitors treated in NHS hospitals would be made aware that in certain circumstances the Information would be passed to the Secretary of State for onward transmission to the Home Office. This awareness would negate any reasonable expectation of privacy.

The Court was at pains to emphasise that this part of its judgment should not be of concern to the BMA or other medical authorities, and was not intended to dismantle the general principle that health and medical information was inherently private and confidential.  Despite these assurances, this aspect of the judgment is surprising.  If information is inherently private, then one would not expect to be able to negate a reasonable expectation of privacy simply by telling the individual that you intend to disclose the information.  What you told the individual might very well be relevant to the second stage of the inquiry – i.e. whether interference with privacy was justified.  But, to take an extreme example, what if an NHS body told overseas visitors that full details of their treatment would be posted on a public website? Surely this would not be enough to defeat their reasonable expectation of privacy in relation to treatment information.  The point is especially strong given the nature of the services to which the Information related – a patient seeking NHS medical treatment will very often have no real choice whether to accept the service offered, even if they dislike what they are told about how their information will be handled.  It is not like deciding whether you should sign up for a social media site when you are unhappy with its privacy policy.

The Court went on to hold that, even if the claimants had a right to privacy and confidentiality in the Information, that right was not infringed by disclosure in accordance with the Guidance. This issue required a balancing exercise, weighing the public benefit from disclosure against the harm done by interference with the right. Silber J had been correct to conclude that the balance (if it needed to be drawn) came down in favour of disclosure. He had relied on four factors: the low level of intrusion into individual privacy; the fact that overseas patients were told about the disclosure; the legitimate aim of recovering NHS debts and ensuring defaulters were not able to stay in the UK; and the fact that the Information was securely transmitted to a limited group of civil servants.

On the second issue (as to vires) the Court discussed a range of related challenges.

The claimants relied on the principle of legality, whereby fundamental rights cannot be infringed without clear Parliamentary authority.  The Court held that the principle did not apply, since disclosure did not infringe the claimants’ privacy rights:  see above.  Next, the claimants argued that the NHS bodies did not have the power to pass on the information to the Secretary of State.  The Court held that they had both the power and the duty to pass it on:  the Guidance, read as a whole, amounted to a direction that they should do so, and the Secretary of State had the power to give such a direction under section 48 of the National Health Service Act 2006.  The use of that power was not impliedly excluded by the existence of a power under section 251 of the same Act to make regulations about the processing of patient information.  The Secretary of State was entitled to rely on the section 48 power, and was not obliged to use the regulation-making power under section 251.  The power under section 48 could only be used where the Secretary of State considered its use to be necessary for his functions under the 2006 Act. It was true that under the Charging Regulations it was the NHS bodies, not the Secretary of State, that made and recovered charges; but the Secretary of State could rely on his own general functions under section 1 of the 2006 Act, to continue the promotion of a comprehensive health service, as providing a proper basis for use of the section 48 power.

The Court then held that the Secretary of State had the power to pass the information on in turn to the Home Office.  He could rely for this purpose on his incidental powers under section 2 of the 2006 Act.  Alternatively, he could rely on his common law powers, even if the residual category of ministerial power not dependent on either statute or prerogative was to be confined to the exercise of powers for identifiably governmental purposes (as to which, see R (Shrewsbury and Atcham BC) v Secretary of State for Communities and Local Government [2008] EWCA Civ 148).  Finally, the Guidance did not fetter the NHS bodies’ discretion:  the effect of the Guidance, in conjunction with section 48 of the 2006 Act, was that they had no choice but to pass on the information, and hence there was no discretion to be fettered.

On the third issue (Article 8) the Court concluded that any interference with the Article 8(1) right would be justified under Article 8(2).

It was argued for the claimants that any interference with the Article 8(1) right would not be “prescribed by law”.  The Court held that the combination of the Guidance and the operation of the Data Protection Act 1998 provided sufficient safeguards against arbitrary or abusive disclosure to satisfy this aspect of Article 8(2).