Photo of Curtis McCluskey

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has rejected an appeal brought by the Information Commissioner (IC), which was in relation to a First-Tier Tribunal (FTT) decision finding that “small data” (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named Department for Communities and Local Government (DCLG)). The request for information concerned data held by local authorities with regards to homelessness between 2009 and 2012, which had not been published by the MHCLG. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute “personal data”, as defined by section 1(1) of the DPA 1998, and it was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT’s decision on various grounds, including that in relation to small data, the information was exempt from disclosure under section 40(2) of FOIA.Continue Reading Upper Tribunal says “small data” is not exempt under FOIA

To enhance cyber resilience, the EU is building a certification framework for information and communication technology (ICT) products, services and processes. On 8 June 2018, the Council agreed a Proposal (known as the Cybersecurity Act) to prepare for negotiations with the European Parliament to finalise the text.

One of the effects of the Proposal is that it will upgrade the current European Union Agency for Network and Information Security (ENISA) into a more stable EU agency for cybersecurity.

Cybersecurity certification

The Proposal introduces a tool to create a more comprehensive regulatory framework for specific ICT processes, products and services designed to help ensure compliance with specified cybersecurity requirements.

Certificates issued under the scheme will be recognised, legally, across the EU. This will therefore have the dual effect of building trust in users – given the technology certification will mean the technology has received the European-security stamp – and enabling businesses to carry out their business cross-border. The resilience behind the technology in relation to accidental or malicious data loss or alteration will be certified.

This certification scheme addresses the barriers in the EU where Member States have implemented different standards to one another, for example Member States have issued regulations which improve country-specific requirements around security.

The details of this certification scheme and its requirements will, in particular, be important to network and data service operators, including cloud computing service providers.

The certification will be optional unless it is specified as a legal requirement under an EU law or Member State law.Continue Reading EU to create a cybersecurity certification framework

The UK government has opened a consultation on exemptions to paying a data protection fee, giving businesses the opportunity to lobby for new exemptions to be introduced.

Businesses that are responsible for processing personal data (i.e. controllers) are required to pay a data protection fee to the Information Commissioner’s Office (ICO). These fees are: £40

You may well remember our blog from last year which outlined the Commission’s proposal for a framework in relation to the free flow of non-personal data in September 2017 (you can view our blog here).

On 19 June 2018, the European Parliament, Council and the European Commission reached a political agreement on the rules that will allow data to be stored and processed everywhere in the EU, without unjustified restrictions.

In addition to supporting the creation of a competitive data economy within the Digital Single Market, these new rules will remove barriers which hinder the free flow of data. Predictions suggest that this could boost Europe’s economy by an estimated growth of up to 4 per cent GDP by 2020. You can find more information on the European Commission’s website.

Key objectives

The new rules on the free flow of non-personal data will:

  • Ensure the free flow of data across borders: this will prohibit data localisation restrictions permitting organisations to be able to store data anywhere in the EU. Also, requiring Member States to communicate to the Commission any remaining or planned data localisation restrictions in “limited specific situations of public sector data processing”.
  • Ensure data availability for regulatory control: allowing public authorities to access data – for scrutiny and supervisory control – despite where it is stored and/or processed in the EU. Also, Member States may sanction users that do not provide access to data stored in another Member State.
  • Encourage creation of codes of conduct for cloud services: to facilitate switching between cloud service providers under clear deadlines. The Commission states that this “will make the market for cloud services more flexible and the data services in the EU more affordable”.

Continue Reading EU reaches agreement on rules allowing free flow of non-personal data

The General Data Protection Regulation ((EU) 2016/9679) (GDPR) came into effect on 25 May 2018. One of the key principles centres on integrity and confidentiality of personal data. Article 5(1)(f) of the GDPR provides that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (emphasis added)”

The GDPR goes a little further than the previous data protection framework (that is, under the EU Data Protection Directive 95/46/EC) and provides some description of the technical and organisational measures expected to achieve a level of security appropriate to the risk associated with the processing of personal data (see Article 32 of the GDPR). Inevitably, however, decisions around security will need to be made by the controller and/or processor – and it will therefore be for them to determine what is “appropriate”.

We have seen that the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have published ‘security outcomes’ aiming to provide some further guidance on the security of processing personal data.

On 18 May 2018, the NCSC and ICO published a set of technical security outcomes considered to represent “appropriate measures” under Article 5(1)(f). This guidance describes an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.Continue Reading ICO and NCSC issue guidance on security outcomes under GDPR

On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Espanola de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

  • NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
  • NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.

Continue Reading The High Court considers the right to be forgotten

Recently, the European Commission endorsed draft horizontal provisions for cross-border data flows and personal data protection in trade agreements – as personal data is a fundamental right, it is not something which can be the subject of negotiation in EU trade deals.

Relatedly, the Article 29 Working Party (A29WP) consultation on the guidelines under Article 49 of the General Data Protection Regulation (GDPR) concerning cross-border data transfer derogations has closed, paving the way for the guidance to be finalised and issued later this year.

Cross-border data flows

Cross-border data flows are key to most organisations, which include moving around employee information, sharing financial details for online transactions, and analysing individuals’ browsing habits to serve them targeted advertisements.

The European Commission is seeking to break down barriers to the flow of data between businesses in future trade deals as part of its push towards a more digital economy, while at the same time safeguarding these key fundamental data protection principles. The preferred approach to facilitate the ongoing trade negotiations and to legitimise cross-border data flows are ‘adequacy decisions’ – which means the European Commission (the Commission) identified the third country (which is outside the European Economic Area) as providing adequate protections to those data protection laws in the EU.
Continue Reading European Commission approves provisions for cross-border data flows while consultation on GDPR Article 49 guidance closes

With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October 2017.

The revised Guidelines are largely similar, so in this blog, we provide a recap of the Guidelines regarding personal data breach notification requirements under GDPR.

Personal data breach

The WP29 has provided that a personal data breach – that is, a breach of security which could lead to loss, destruction, damage or unauthorised disclosure or access to personal data – can be categorised as follows:

  1. Confidentiality breach: unauthorised or accidental disclosure or access to personal data.
  2. Integrity breach: unauthorised or accidental alteration of personal data.
  3. Availability breach: accidental or unauthorised loss of access or destruction of personal data.

Continue Reading Article 29 Working Party issues revised guidance on personal data breach notification

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are:

(i) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)

(ii) Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

The two documents include tables setting out the elements and principles to be included in controller BCRs and processor BCRs. These tables have been amended specifically to:

Meet the requirements of Article 47 GDPR

  • Clarify the necessary content of BCRs as stated in Article 47 GDPR
  • Make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority in the BCRs application
  • Give the principles the corresponding text references in Article 47 GDPR (for controller BCRs)
  • Provide further guidance on each of the requirements

Both documents note that Article 47 GDPR is clearly modeled on the working documents relating to BCRs previously adopted by WP29. However, to ensure their compatibility with GDPR, Article 47 does specify new requirements to be considered for adopting new BCRs or updating existing ones.
Continue Reading Article 29 Working Party issues new guidelines for Binding Corporate Rules


On 4 October 2017, the Article 29 Working Party (“WP29”) released its final guidelines on Data Protection Impact Assessments (“DPIA”), which were initially proposed in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) provides that the controller shall carry out an assessment of the impact of the envisaged processing operations, if the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A failure to comply could lead to a fine of up to €10 million, or up to 2% of the total worldwide annual turnover, whichever is higher.

The WP29’s final version provides additional guidelines, particularly the criteria to be applied in determining whether or not a DPIA is mandatory, and how to carry out a DPIA. We explore some of the key guidelines below.

Changes to Criteria

Under the GDPR, conducting DPIAs is required if the data processing is “likely to result in high risks”. Although the GDPR provides examples of data processing operations that would fall into this category, both versions of the guidelines mention that this is a “non-exhaustive list”.

The WP29’s final guidance reduces the criteria for determining whether a DPIA is mandatory to nine considerations – removing international transfers as a factor. Controllers may consider this as an advantage, given many data processing activities involve international transfers.

The relevant criteria include:

  • Evaluation or scoring (including profiling and predicting)
  • Automated decision-making with legal or similar significant effect
  • Systematic monitoring
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining data sets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technological or organizational solutions
  • When the processing prevents data subjects from exercising a right or using a service or a contract

Continue Reading Article 29 Data Protection Working Party Publishes Final Guidelines on Data Protection Impact Assessments