There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.
Story #1: Exemptions to providing privacy notices
More than six years into the life of the GDPR, most organisations are familiar with (and in most cases understand the rationale behind) the requirement to privacy transparency information to individuals.
This is typically done in the form of a privacy notice. And the most common scenario sees the controller collects personal data directly from the individual. For example:
- An applicant sending their CV to a potential employer.
- A healthcare company's wearable device monitoring patients' heart rates.
- A limited partner providing AML and KCL information prior to being admitted to a private equity fund.
The controller needs to think carefully about ensuring that the notice accurately describes the processing at issue (as well as meeting the other requirements of Article 13 of the GDPR), and must provide the privacy notice prior to or at the time of collection of the personal data. But, for the most part, these scenarios are straightforward.
*****
Things become more difficult when personal data are obtained indirectly from third parties. In the examples above, this could done via (1) a recruitment agency, (2) a clinical research organisation, or (3) the administrator or other party supporting the general partner.
Just as when personal data are collected directly, Article 14 of the GDPR requires the controller to provide its privacy notice to the data subjects whose personal data are collected indirectly. In some cases, this will be relatively straightforward — whether the controller provides the notice itself (e.g., before the candidate attends their first interview), or instructs the providing party to do so on its behalf (e.g., in the fund management context).
But in other cases this is not, or may not be, possible. For that reason, Article 14(5) provides four exemptions to providing the information set out in a privacy notice — albeit the EDPB has made clear that these exemptions should be interpreted narrowly.
*****
On Thursday, the Advocate General of the European Court of Justice issued an opinion on the exemption contained in Article 14(5)(c) of the GDPR: the controller is subject to a national or EU law requirement to obtain or disclose the personal data and that law provides appropriate protections for the data subject's legitimate interests.
The case is fact-specific, given that it relates to processing of personal data for COVID-19 immunity certificates. Nevertheless, the AG's conclusion that, for the purpose of Article 14(5)(c), “obtaining” comprises personal data that have been obtained indirectly as well as personal data that are generated by the controller, is notable.
Articles 14(5)(a), (b) and (d) of the GDPR do not contain language about obtaining personal data. And controllers look to rely on Article 14(5)(b) — i.e., where the provision of transparency information “proves impossible or would involve a disproportionate effort” — in a wider range of situations than the other exemptions.
Interestingly, however, the AG says the following:
“It follows from the dichotomy between direct and indirect collection of data that all cases in which the data are not obtained from the data subject fall under the material scope of Article 14. It is irrelevant whether the data are generated by the controller to the extent that they are not obtained from the data subject. The broad material scope of Article 14 is also confirmed by recital 61, which refers to data ‘obtained from another source', that is to say, a source other than the data subject.”
*****
The issue of transparency is central to the topic that is front and centre for many clients: Artificial Intelligence.
How should they tell individuals about the use of their personal data? When should this be done? And what happens where they — or their service providers — don't have direct contact with the relevant individuals?
The EDPB in its recent report of the work undertaken by its “ChatGPT Taskforce” makes clear that, at least in the context of personal data scraped from publicly accessible sources, the Article 14(5)(b) exemption described above “could apply”, given that it would involve disproportionate effort — or indeed by essentially impossible — to provide those individuals with a privacy notice.
Does that position also apply to personal data generated by the controller, per the AG's opinion? It will be interesting to see whether the ECJ, which is not bound (but usually follows the position taken) by the AG, limits that conclusion to Article 14(5)(c) of the GDPR.
Given the difficulty of providing transparency information in the context of scraping, it may not ultimately make a significant difference — i.e., because if a controller cannot provide information in one context, whether or not the personal data are received or generated isn't determinative (because the individual isn't being provided with a privacy notice in any event). But particularly in the context of AI, where personal data may be collected for one purpose and used for another, the answer could impact the information that a controller needs to make available publicly (e.g., in its website privacy notice).
Story #2: Is it futile to fine public authorities for breaches of data protection law?
In May, the UK ICO said that it intended to fine the Police Service of Northern Ireland £750,000 in relation to an incident in which the personal data of its entire workforce — nearly 9,500 serving officers and staff — was accidentally included in a spreadsheet provided in response to a Freedom of Information Act request. The information included individuals' names, rank, location and unit.
Anyone with a passing knowledge of The Troubles will realise the potential implications of the disclosure. In fact, the PSNI admitted that the information had been obtained by dissident Republicans.
*****
In announcing the proposed fine, the ICO said that it could have been £5.6 million — but the Commissioner had applied his discretion to reduce the quantum of fine in line with an approach to public sector enforcement introduced by the ICO in 2022.
The thinking is that issuing large fines to public organisations will ultimately hurt the tax payer and simply cycle the money paid back into the government washing machine. Rather, fines will be reserved for the most serious cases (of which this is obviously one).
But the larger issue aside of whether fines work as a regulatory deterrent, I'm interested in the following question: if you're not going to issue the maximum penalty (or at least a more significant one), does it make sense to issue any financial penalty? In the public sector context, would it be better to require the organisation to change its practices within a specific timeframe?
*****
Clearly, breaking the law deserves some sort of punishment — and a financial penalty is a clear and well-understood deterrent for organisations not to engage in the same type of conduct that led to that penalty. If public bodies understand that they're unlikely to be fined for non-compliance, is there any real incentive to take data protection law seriously (beyond doing the right thing, professional pride, etc.)?
That said, in the PSNI example, would £750,000 be better spent on policing and keeping citizens safe? (Or at least ensuring the security of its employees' personal data.) The same thinking could apply to a healthcare organisation. And so on.
Quite obviously, public authorities aren't above the law — and they shouldn't be encouraged (or allowed) to think that there won't be consequences for non-compliance. Indeed, there is perhaps a case to made that government organisations should be most compliant, given how embedded they are in our lives.
The PSNI has said that it can't afford the fine, and perhaps the Information Commissioner will take that into account in any final enforcement notice. But this issue will rumble on.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.