International Developments in Data Protection

Here is our latest data protection update covering developments in the law in the UK, Australia and China, as well as a fine for Facebook resulting from data sharing with WhatsApp.

UK & Ireland:

The right to be forgotten may have been established, now it is time for the right to be forgiven.

On May 4th 2017 the Court of Appeal in Northern Ireland decided a case which meant that previous convictions could not remain on the record for all time.  This has led to questions about how long you keep such records and their use as they can impact a person’s ability to seek employment.

The law, before the judgment of the Court of Appeal, was that, under the Rehabilitation of Offenders Act 1974, previous convictions were spent in accordance with a certain timetable in relation to civil matters.  However, the 1974 Act did not apply to criminal matters, although the criminal courts were meant to apply the 1974 Act in spirit.  

In the Data Protection Act 1998, the fifth data protection principle requires that ‘personal data shall not be kept for longer than is necessary  for [a particular and pre-defined] … purpose.’  In relation to criminal convictions a number of issues arose as to the factors to be considered as to whether a previous criminal matter should be erased from the record.  These included factors such as the seriousness of the offense and the age of the conviction.  The court stated: -

“[34]… In a number of cases, there is simply no mechanism for undoing the damage done by the inclusion of a conviction or caution. This is irrespective of the triviality of the circumstances, the lapse of time since the events or the lack of its relevance to the future pursuant of the employment or other activity sought to be undertaken.”

There were four cases for the court to decide.  In the first case, a defendant was convicted in 1999 of two offences of shoplifting which she committed whilst suffering from un-medicated and uncontrolled schizophrenia, which had been undiagnosed at the time of the offence. Some 15 years later, she applied to be a care assistant and, as a result of the criminal record check, she was told that the ‘pattern’ of offending behaviour meant that she would not be considered for the post. In the court’s judgment, they said that the acts were so remote in time that they could not constitute a pattern of behaviour and, as such, they agreed that the retention of those data of the 1999 conviction was unfair and was not necessary for the purposes of keeping criminal records for people in vulnerable positions. 

In the second case, a young boy in 2006 had, through curiosity, engaged in sexually exploratory conduct with two slightly younger boys, albeit that they were consenting. Years later he applied for a job at a library of a local college and was told his criminal record would be examined.  To forestall any revelation he resigned from the post. The court agreed again that this was a remote act committed by somebody who, through lack of judgment and proper education, had committed acts which were serious at the time but in relation to which age was a significant factor. Therefore these data should not have been used in that case.

The third case involved a minor act involving actual bodily harm and a gap of 31 years.  The court unhesitatingly made it clear that 31 years was a huge amount of time and therefore the previous conviction should be ignored. 

Finally, a mother was witnessed hitting a three-year-old child and this was aggravated by later allegations of violence, and also of the person under investigation lying about her involvement with the offence, and her identity. Although in the judgment it is not clear what dates were involved, the court determined that it was appropriate for this information to be used in subsequent enquires about the mother. 

The upshot of this is that it is no longer automatically the case that criminal convictions may be retained forever and certainly the police and criminal records authorities are going to have to be much more careful about what is disclosed.  There is no guidance as yet from the Court of Appeal on what factors to look at. It is expected that the Information Commissioner will provide some guidance, especially since she has be proactive in the issue of having a criminal convictions limited in time.  It is unclear whether this ruling will apply to criminal convictions for use in court for the purposes of impeaching a witness or the defendant in court proceedings.

This could be significant if your organisation holds criminal record information or uses it as part of its vetting processes.  We will provide further updates when guidance issued.

Europe:

Facebook & WhatsApp: Further Adverse Consequences

We reported in October 2016 on the decision of the Hamburg Commissioner for Data Protection ordering Facebook to stop collecting user data from the WhatsApp messenger app and delete any data already received without user consent.  One of the issues highlighted by the decision was that Facebook has promised after its acquisition of WhatsApp that it would not be harvesting user data. 

Facebook has now been fined €110m (£94m) by the European commission for providing misleading information regarding its takeover of WhatsApp in 2014, in breach of EU merger rules.  The information concerned was Facebook’s assurance that it would not be able to pair corresponding user accounts on both platforms.  The commission found that in 2014 Facebook staff were aware it was technically possible to do so and, of course, the social network went on to harvest WhatsApp’s user data. 

The fine could have been double the size, however the commission took into account Facebook’s cooperation in the investigation.  The decision to allow the merger of the two companies is not affected. 

It was noted that in the current data economy, competition regulators need to closely examine the effects of a merger between companies holding substantial personal data.  Facebook is additionally subject to investigation in Germany, Belgium, the Netherlands and Spain in relation to whether it is abusing its dominant position by failing to tell users how their data is being used. 
This matter highlights how data protection issues can have a wide reaching effect and serves as a warning to companies looking to merge with or acquire other data heavy entities with a view to sharing personal data. 

Australia:

Mandatory Data Breach Notification coming

Change is coming to Australia with the introduction of mandatory data breach reporting.   

This regulatory development aligns Australia with Europe, the US, New Zealand and Canada in requiring regulated entities to report breaches.  Organisations covered by the Privacy Act 1988 will have to report data breaches from February 22nd 2018.  Organisations must have processes and procedures in place for assessing data breaches and responding appropriately, and should use the intervening period to prepare.  Organisations will be required to notify the Australian Information Commissioner and affected consumers of data breaches which meet the threshold test.

The Threshold Test: To determine whether a breach is notifiable, there must be unauthorised access to or disclosure of personal data and a reasonable person would believe that such breach is ‘likely to result in serious harm’ to the data subject.  Alternatively, the loss of information is in circumstances which are likely to lead to unauthorised access to or disclosure of personal data with likely serious harm to the data subject. 

Breaches must be notified as soon as practicable. If a breach is suspected, the entity must take reasonable steps to assess within 30 days whether the ‘relevant circumstances amount to an eligible breach.’

Notice must be provided to the Information Commissioner as well as affected individuals. If the entity cannot contact every affected data subject, a statement must be published online and publicised. 

Failures to comply can result in fines of up to AUS$360,000 for individuals or AUS$1.8 million for corporations. 

Entities can avoid these notification requirements if they take remedial action before any serious harm to data subjects has occurred, as a result of which serious harm is no longer likely to occur. 

Security measures can mitigate an organisation’s reporting requirements if they limit the likelihood of unauthorised access or disclosure; or the ability of the information being used to cause serious harm in the event of unauthorised access or disclosure. 

China:

Update on Cyber Security Data Protection

The Government of the People’s Republic of China is becoming increasingly aware of the need to legislate for data security and protection in order to keep up with international standards.  In consequence a new Cybersecurity Law was introduced and came into force on June 1st 2017.

The new law introduces new obligations for network suppliers, and sets out new rules relating to security, notice of data processing, and consent. The general approach has been that data relating to Chinese individuals or generated in China should be kept on Chinese servers. Restrictions are also placed on data transferred by certain companies which affect the ‘critical infrastructure’ in China. As the definition of this is somewhat broad and unclear, the provisions could affect a range of multinational enterprises. 

Going forward, a full revision of existing laws concerning data protection and privacy is expected which will place further restrictions on consent and data transfers abroad. 

Data transfers by ordinary businesses

International data transfers are currently permitted, subject to certain exceptions and the data subject’s consent. The exceptions concern data which impacts on national security, social stability, and the rights of others. 

Some sectors also have specific rules prohibiting such data transfers.  For instance, the banking sector has internal (non-statutory) rules prohibiting international transfers and the health sector is subject to statutory rules prohibiting transfers. There is no reciprocity treaty with the EU, and the EU has not certified China as an adequate jurisdiction so far as concerns transfers. 

Consent of the data subject

Businesses should always obtain consent for use and transfer of Chinese data. The only exceptions to the requirement of consent concerns national security or criminal matters. There are no provisions which enable the necessity of consent to be avoided for the conduct of contracts or for legitimate purposes. 

Comment

The new Cybersecurity Law still leaves certain gaps in the regime. For example, there are no clear rules around pseudonymised data (where identifying fields within a data record are replaced by artificial identifiers), which is a technique often used under EU rules to avoid infringing the privacy of data subjects.  Likewise there is no status enhancement given to sensitive personal data.  

There is currently no registration requirement but, as part of the general Chinese law it is necessary to show legitimacy, legality, and necessity when collecting and using personal data. ‘Critical infrastructure’ companies will also have to be pre-assessed by the relevant authorities before data transfers are permitted. 

Consent is invariably required and must be kept confidential and not disclosed. However, the form of consent is not specified, so businesses should take care that consent is sufficient for the purpose.

Special rules concerning security apply to telecommunications and internet service providers but otherwise there are no special rules concerning security.

A new law is anticipated, and it is expected to align in most respects with EU data protection law so as to promote trade with the EU. However, no specific details have emerged from the Government thus far.