Tag: GDPR

data protection

Now you’re just somebody that I used to know

by kelsey farishLeave a Comment on Now you’re just somebody that I used to know
Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

data protection, employment law, Entertainment Industry

Lights, camera, data protection.

by kelsey farish1 Comment on Lights, camera, data protection.
Lights, camera, data protection.

Cannes: movie stars, auteurs, glamour, the French Riviera, and… data privacy?

Before the cameras start rolling, a film production company will need to agree service contracts for cast and crew.  In honour of the Cannes Film Festival happening this week, let’s consider how data protection issues need to be addressed for an actor’s contract.

A standard Actor’s agreement will cover payment, travel and residence allowances, box office bonuses, and of course, intellectual property.  But if the production company intends to process a significant amount of personal data about the Actor – such as dates and locations of filming, and details of travel arrangements and accommodation –  the agreement should also contain a data protection clause.  Remember that “processing” is widely defined, and covers any activity involving personal data, including storing, sharing, or reading.

Related image
The Cannes 2018 poster, featuring an image from Jean-Luc Godard’s 1965 film “Pierrot le Fou.”

“The Actor agrees and hereby give her consent to the holding and processing of personal data relating to the Actor in any form, whether obtained or held in writing, electronically or otherwise, by the Producer.”

The above clause may be acceptable under the UK Data Protection Act 1998, but is problematic under the incoming General Data Protection Regulation (GDPR).

Consent. As worded above, the Actor is providing the Producer with blanket consent to process her personal data.  Under the GDPR, consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11)).

Given that this is a contract between a prospective employee and her boss, there is an imbalance of power between the parties. Accordingly, the Actor’s consent statement is unlikely to be considered “freely given” as is required under the GDPR.  Furthermore, personal data processing should neither be disguised nor bundled with the provision of a contract (Art 7(4)).

Even in other contexts, it would be unwise to rely on the Actor’s consent for processing, as this can cause difficulties if consent is withdrawn at a later date.  It is therefore advisable to rely on another lawful basis.

Another lawful basis? “Lawful basis” is just another way of saying “reason to do something.” Consent is just one of the six lawful bases permitted (Art. 6 GDPR). As the conditions for consent are very strict and unlikely to be met in this scenario, the Producers should consider their other options:

  • Contract: Processing is necessary for a contract with the person. Employment contracts are certainly applicable in this instance: for example, the Producers must process the Actor’s bank details to pay her.
  • Legal obligation: Processing is necessary for the Producers to comply with the law. This could include their tax obligations for HMRC, or complying with money laundering regulations.
  • Legitimate interests: The Producers must process the data for their legitimate interests. This could include business purposes such as sending out publicity emails with the Actor’s name and contact details, posting her image on social media, and so on. This is the most flexible basis to rely upon, but requires the Producers to demonstrate (inter alia) that their objectives are not unreasonable, and do not harm the Actor’s human rights (Recital 47).
  • The other lawful bases of protecting vital interests and carrying out a public task are not applicable in our scenario, but worth noting for completeness.

To be GDPR compliant, the clause could be amended to something like:

The Producers will collect and process the Actor‘s personal data in accordance with the Privacy Notice annexed to this Agreement. The Actor will sign and date the Privacy Notice and return it to the Executive Producer within 10 days of signing this Agreement.

The purpose of the Policy Notice is to provide the ActorActor with the information she is entitled to receive as a data subject (Articles 13 and 14). The Privacy Notice, likely to take the form of a letter, will explain how the Producer obtains, uses, and retains the Actor’s personal data. It will also set out the relevant lawful bases for each type of processing, and explain how the Actor can exercise her rights (Articles 15 through 22 inclusive).

Of course, the work doesn’t end once the agreement is signed. The Producers will need to make sure anyone who handles personal data within their organisation understands the new requirements under the GDPR. Having clear policies is only part of the story: those policies will need to be followed.

It’s a common misconception that the GDPR is just about IT security and marketing emails filling up your inbox. In reality, the legislation will provide enhanced rights for data subjects, and it’s important to remember that employees are data subjects too.

data protection

The Six Principles of Data Protection: Facebook fails

by kelsey farishLeave a Comment on The Six Principles of Data Protection: Facebook fails
The Six Principles of Data Protection: Facebook fails

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” Memo from a Facebook executive Andrew “Boz” Bosworth. You can see the Memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) are responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a drivers’ licence may be adequate, but asking for a drivers’ licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue

Briefing, data protection

Google prepares for the first “Right to Be Forgotten” trials in England

by kelsey farish2 Comments on Google prepares for the first “Right to Be Forgotten” trials in England
Google prepares for the first “Right to Be Forgotten” trials in England

All human beings have three lives: public, private, and secret.
― Gabriel García Márquez

The European Union’s Court of Justice decision in Google Spain v Agencia Española de Protección de Datos, Mario Costeja González (“Google Spain”) confirmed the “right to be forgotten” for European citizens. This right is further enshrined in the upcoming General Data Protection Regulations (GDPR). Accordingly, European data protection law grants individuals a qualified right to have personal data relating to them removed from search engines.

This right is however considered by some to be a uniquely European phenomena, which resulted from one unusual CJEU judgement. Now, two upcoming cases against Google will be the first time in which the “right to be forgotten” will be considered by the English Courts. 

Two unnamed claimants, known only as NT1 and NT2, are bringing a companion case against Google to enforce their right to be forgotten. (NT1 v Google and NT2 v Google,  [2018] EWHC 67 (QB) (Rev 3))

Continue reading “Google prepares for the first “Right to Be Forgotten” trials in England”

data protection

Silent Witness: silent on data protection officers

by kelsey farish1 Comment on Silent Witness: silent on data protection officers
Silent Witness: silent on data protection officers

Silent Witness is a BBC crime drama about a team of forensic pathology experts and their investigations into various crimes – it’s a bit like American hit shows Bones and Law & Order. In a recent episode, a cyber hacker steals the files of 30,000 patients from a hospital, and then extorts the hospital for payment. As medical secrets are leaked, several murders are tied to the data breach.

In addition to the criminal investigations, boardroom drama ensues when the hospital chief is questioned about the (apparently awful) cyber security firm he selected. It was at this point that I turned to my husband in disbelief and said, “where on Earth is the hospital’s data protection officer!?”

Of course, television dramas are entitled their artistic licence. I’m not sure data protection officers make for enthralling plot devices, if I’m honest. But shows like this demonstrate just how mainstream data breaches, cyber security and hacking personal data have become. In fact, many non-lawyers are now familiar with at least some concept of data protection legislation.

With just four months to go until the new General Data Protection Regulations (“GDPR”) come into effect and replace the Data Protection Act 1998, here is a reminder as to when a private organisation is required by law to have a data protection officer (“DPO”).

Continue reading “Silent Witness: silent on data protection officers”

data protection

A Soundtrack for Data Security

by kelsey farish1 Comment on A Soundtrack for Data Security
A Soundtrack for Data Security

So much of the explosion in innovation in the music industry is around technological processes. But artists still need to focus on their art. To do so, they need to surround themselves with tech-savvy people. And hire a good lawyer.
– Gigi Johnson, Director of the Center for Music Innovation, University of California Los Angeles

Privacy policies are painful to read, not least because they’re very technical, boring, and long. According to a recent study, if the average person read every privacy policy for each website they visited in a given year, it would take approximately 244 hours, or 40 minutes each and every day. In spite of this, privacy policies have begun to attract mainstream attention.

Continue reading “A Soundtrack for Data Security”

data protection

Cyber security gets Hollywood makeover

by kelsey farishLeave a Comment on Cyber security gets Hollywood makeover
Cyber security gets Hollywood makeover

Hacking is a major issue for many industries – but Hollywood is an especially tempting target. The new Entertainment Security Operations Center in Los Angeles hopes to provide a secure system for studios to control their valuable creative content.

HBO, Sony Pictures, and Netflix have all been hacked in major security breaches. In addition to embarrassing information being made public and loss of consumer confidence, infiltration can cost a film or television company big bucks. According to a Carnegie Mellon University study, films leaked online before official release can lose nearly 20% of their box office revenue. Furthermore, paid subscriptions for Netflix or HBO become less appealing to viewers if they can simply watch their favourite shows elsewhere for free.

Why is Hollywood so poorly equipped to safeguard itself from data breaches? Outsourcing may be partially to blame. Special effects, musical scores, set engineering, and technicians are often provided by independent contractors and freelancers. While workers could be brought in-house, doing so would be expensive and limit flexibility when sourcing the best talent. Unfortunately, many of these small firms and individuals simply lack the resources to defend against sophisticated attacks. As a result, the hundreds or even thousands of people working on a project’s creation and distribution become security risks. Continue reading “Cyber security gets Hollywood makeover”