Privacy & Data Protection
Other sections of this issue:
Privacy & Data Protection | ISP-Liability & Media Law | Contracts & E-Commerce |
Electronic Communications & IT
The United Kingdom strengthens the data protection act enforcement
This contribution outlines the procedural changes to the enforcement mandate of Information Commissioner as well as changes to the funding structure of the Information Commissioner’s Office.
Up to now, the UK authorities have lagged behind their European (in particular, French and Dutch) counterparts with regard to enforcement of the data protection law with penalties being oftentimes far below the costs of compliance.
The current system is about to change with the Ministry of Justice publishing proposals to create a more robust system of enforcement.
The proposals mainly deal with strengthening or providing additional powers to the Information Commissioner and with changing the funding system to ensure Information Commissioner has the necessary resources to monitor compliance.
The most important change under the proposals is that the Information Commissioner will have a power to directly impose fines on controllers of personal data for deliberate and reckless breaches of the Data Protection Act. The Ministry of Justice is currently considering whether to utilise a similar model for penalties to that which is used by the Financial Services Authority with the penalties attached to the turnover. It is hoped that the prospect of substantial fines for deliberate or reckless breaches will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.
Another important proposal is that the organisations shall notify the Information Commissioner of significant data protection breaches. This will not become a mandatory requirement (like in the US) but the failure to notify will be taken into account by the Information Commissioner when deciding on the level of penalty for non-compliance. The Government gave the Information Commissioner a mandate to publish the guidelines for notifying the data protection breaches.
The proposals also provide additional powers to the Information Commissioner with regard to investigating and monitoring compliance of the data controllers.
Finally, there will be a number of changes with regard to the notification process which also serves as a funding mechanism for the Information Commissioner’s Office. The data controllers which provide false information in their notification will be subject to a separate penalty. The notification fee (currently at £35) will change and a tier-system depending on the turnover and a number of employees will be introduced instead. There is likely to be an increase in the notification fee for large data controllers.
The private operators shall pay close attention to these changes and not turn a blind eye on their data protection compliance in the UK.
For more information, contact: Maksim Kostenko or Gaela Bailey.
ECJ rules that "journalistic purposes" exemption must be construed broadly
Article 9 of Directive 95/46 provides in an exemption for the processing of personal data carried out solely for journalistic purposes if necessary to reconcile the right to privacy with freedom of expression. Most of the Directive’s obligations will not be applicable in this situation. In a decision dated 16 December 2008, the European Court of Justice interpreted the scope of this exemption.
Facts of the case
A Finnish newspaper collected data, such as names, dates of birth and income, from the Finnish tax authorities and published extracts from those data in its regional editions. Pursuant to Finnish law, these data were considered to be public.
The Finnish newspaper transferred these personal data in the form of a CD-ROM to another company which offered text-messaging services. These personal data were then made available at a charge of EUR 2 per message.
Various complaints were filed with the Finnish data protection authorities with regard to these activities. One of these authorities initiated proceedings before the Administrative Court of Helsinki in order to have the activities of the newspaper and the text-messaging service provider prohibited. The request was denied in first instance. The appeal court decided to refer a number of prejudicial questions to the ECJ.
Processing of personal data and the scope of Directive 95/46
The ECJ was first requested to rule on two matters which only required an application of the definitions provided for in Directive 95/46.
In response to a first question, the ECJ stated that the name, date of birth and income of a natural person were to be considered personal data. The collection, publishing, transferring and text-messaging of such data amounts to a processing.
With regard to another question, the ECJ ruled that Directive 95/46 was applicable for the processing of public data. Such data are not outside the scope of this Directive.
The most interesting part of the judgment relates to the interpretation of article 9 of Directive 95/46.
The ECJ stated that the object of this article is to reconcile two fundamental rights: the protection of privacy and freedom of expression. Notions relating to that freedom, such as journalism, are to be construed broadly. The limitation must however only be applied when strictly necessary, the Court further stated.
Just how broad the notion must be construed became apparent when the ECJ stated the following:
- the exemption not only applies to media undertakings, but to every person engaged in journalism;
- profit making is not a bar to the applicability of the exemption;
- the used medium, such as paper or the internet, is not relevant;
- the object of “journalistic activities” is the disclosure to the public of information, opinions or ideas.
References: Recent Case Law - curia.europa.eu
For more information, contact: Olivier Van Droogenbroek.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.