Some you might have missed

By which we mean: some that we did miss blogging about. With apologies and better late than nevers, here’s a round-up of three recent(ish) cases worthy of note.

In R (Open Rights Group) v SSHD, digital campaigners Open Rights Group and The3million (campaigning on behalf of so many EU Citizens living in the UK) challenged the immigration exemption – one of the few new features in the DPA 2018 that strengthens the controller’s hand – as incompatible with fundamental charter rights to privacy and protection of personal data. They also contended that it was too broad, vague and lacking in the safeguards required by the parent Article 23 GDPR (which enables Member States to enact domestic exemptions).

The exemption follows a formula which is familiar from other exemptions, old and new – processing of personal data relating to some public good is exempt from data subject rights, to the extent that the public good is jeopardised by exercise of those rights. The immigration-specific exemption is new – as the Secretary of State’s witness explained [29], ‘where an exemption was required in an immigration context, reliance was placed on the crime exemption contained latterly in s.29 of DPA 1998’. In other words, the Home Office was getting by OK under the old regime, and one aspect of the challenge to the exemption was that the introduction of a measure infringing fundamental rights must be ‘strictly necessary’.

Not so, said Supperstone J – the test of strict necessity only applies where the measure itself creates or requires an infringement of fundamental rights. By contrast the immigration exemption ‘makes abstract provision for an exemption which may be relied upon by data controllers if they can justify doing so in the circumstances of a particular case’ [32]. That is, it has its own built-in proportionality test – it can only be used so far as necessary in a given case, and the proper unit of analysis is the application of the exemption to the facts of a given case [42-43]. Supperstone J also dismissed accusations of vagueness and arbitrariness: [33-38] and [51-55].

The Information Commissioner, in the familiar guise of 11KBW’s Chris Knight, tried to chart a middle course: the exemption was in accordance with the law, but could only be proportionate if accompanied by statutory guidance, particularly given the likelihood that the data in question is sensitive and the data subject vulnerable. Despite the strikingly high deployment of the exemption, however – in its first year it was used to justify at least some redaction in 59% of immigration SAR responses [22] – the Commissioner accepted that there was no evidence it was being routinely misused. Given that concession, and his view on the clarity of the exemption, Supperstone J felt that there was nothing broken about the exemption that needed fixing by means of guidance [61-64].

The Claimants have been granted permission to appeal.

GC v CNIL

Robin has already blogged about the Google v CNIL decision that confirmed that global delisting was not a requirement of the right to be forgotten [2019] EWHC 2562 (Admin), but Google had another right-to-be-forgotten win in a decision published the same day. C-136/17 GC v CNIL concerned a reference from the French Conseil d’État on questions arising from four de-referencing requests. The underlying stories all related to sensitive personal data (though at first blush, all also seem to have a genuine public interest angle). The decision develops the Court’s thinking from the Google Spain case in two key ways.

Firstly, it confirmed that although search engine operators must be regarded as controllers, subject to restrictions on processing sensitive personal data, they are not in the same position as website operators who actually host the content in question. The restrictions only apply ‘in the context of the responsibilities, powers and capabilities’ of the data controller. Although Google’s powers and capabilities are pretty vast, they do not extend to pro-actively policing the internet, or even the page summaries thrown up by a search. Rather, Google is only obliged to consider whether processing restrictions bite when a data subject requests it [47-48].

Secondly, de-referencing should not follow automatically from a request for it, even where sensitive personal data is in play. There is a balance to be struck with the public’s rights to receive and impart information. Hardly revolutionary, you might be thinking, as this is precisely what Article 17(3)(a) of the GDPR says. (Although the case was under the old Directive, the Court repeatedly looked forward to the position under the GDPR.) Although this principle is tucked away in Google Spain (at [81]), it features much more prominently in GC v CNIL [57-68], and is effectively a vindication of the case-by-case approach that Google has been taking to right-to-be-forgotten requests.

C. Knight, Barrister, drafted the observations of the UK Government.

C-673/17 Planet49 GmbH

You might have thought that only a bold or foolish operator would rely on pre-ticked consent boxes these days, whether as a basis to collect personal data or to undertake electronic marketing. Well, you would have been right. Planet49 ran promotional lotteries, one of which featured a pre-ticked box on the registration page, agreeing for cookies to be placed on the user’s browser. In short, the Court of Justice ruled that E-Privacy consent and GDPR consent were equivalent and therefore both required active consent. Even though Planet49 accepted that the cookie data was personal data, the Court’s conclusion did not depend on this: it held that the E-Privacy Directive protects the individual’s ‘private sphere’, and that this included information, personal or not, that is stored on users’ devices – so the same standard of consent should apply.

As if that wasn’t enough, Planet49 had failed to provide adequate transparency about how cookies would be used: in particular, which third parties would have access to them and how long they would be stored.

Although the decision contains few surprises, particularly in relation to pre-ticked boxes, it continues the incremental strengthening of privacy rights. Notably, what is required for informed consent to e-marketing was judged not only by reference to the data protection definition of consent, but by the transparency requirements of Art. 10 of the old DP Directive, and in future by the Art. 13 and 14 GDPR requirements – a specific, and so more onerous, standard.