Call McGarr Solicitors on: 01 6351580

Personal Data Transfers after Brexit (Aug 2019 edition)

“There will no longer be a fundamental right to data protection post Brexit & this is something which cannot be remedied by domestic legal settlements short of a British Bill of Rights, & even then perhaps not so if Parliament retains sovereignty”

Professor Andrew D Murray
London School of Economics

Brexit is a challenge to any UK organisation attempting to plan even a few months ahead. It may represent an even greater challenge for any other organisation trading with the UK. The facts change regularly and policies are generated, promoted and abandoned at a dizzying pace.

However, one thing that has yet to receive the appropriate level of public attention is the impact that Brexit is likely to have on the UK services sector. Specifically the largest part of it, which relies on transfers of personal data.

Under the GDPR EU companies will need to show a legal basis for any transfers of personal data from the EU27 to the UK after the 31st October 2019. The UK is profoundly integrated into the data flows of the other EU27 countries. This, on its own, represents a significant risk factor in Brexit.

Source: GB Office for National Statistics. https://www.ons.gov.uk/businessindustryandtrade/internationaltrade/bulletins/internationaltradeinservices/2017

In particular, a chaotic No-Deal Brexit, which we now estimate to be the most likely outcome of this protracted process, will pose significant risks.

Data Compliance Europe, our consultancy services firm, has completed an analysis document on this issue, which we are making available for download. We are doing so because we think that it is critical to raise awareness of this issue in advance of the date set for UK departure, the 31st October.

Companies and organisations will have to take steps now to ensure that data flows may continue uninerrupted.

DOWNLOAD THE DATA COMPLIANCE EUROPE REPORT (4.6MB pdf)

McGarr Solicitors finalists for Personal Injury/Medical Negligence Law Firm of the Year

It’s always nice to get a little nod of recognition for the work you do. So we’re very pleased to announce that McGarr Solicitors have been nominated as finalists in the Travelers Irish Law Awards in the category of Personal Injury/ Medical Negligence Law Firm of the Year.

What makes the recognition of our work sweeter was the quote from our client in the nomination.

“You trusted me when I came to see you and I had nothing but my story to tell you. And that gave me the confidence to trust you.”

Being a firm that represents injured people means learning to listen. We’re pleased to hear it makes a difference.

Data Transfers and the Brexit Withdrawal Agreement

On 14th November 2018, the EU and British Government published a draft of a withdrawal agreement to deal with the UK’s departure from the EU. [This analysis has been updated as of 2nd April 2019].

The Agreement has since been endorsed by the governments of the EU member states. It has been rejected three times by the UK parliament. But, despite this, it remains the only available basis for the UK to leave the EU with transitionary arrangements, including arrancements for data transfers. It proposes the UK departure from the EU in March 2019 (since extended to April or May 2019), with a ‘transition period’ ending (initially) on the 31st December 2020. After that point the UK is bound to follow EU rules if it wishes to continue access to the EU market (or, alternatively, to accept goods checks etc between Northern Ireland and the rest of the UK).

What does the agreement say about data?

For data protection purposes, the articles of primary interest in the Draft Withdrawal Agreement are Articles 127-129, dealing with the application of EU law during the Transition Period and Articles 70-73. These latter provisions deal with “Data and Information processed or obtained before the end of the transition period or on the basis of this agreement”. Article 71.1 confirms that EU law is applicable, directly in the UK, to data transfers made to countries outside the UK. Article 71.2 says that EU law shall not directly apply in the UK to data processed under an adequacy decision. Article 71.3 says that if there’s no adequacy agreement the UK is bound to the requirement to provide the equivalent level of protection to data subjects as required under EU law. Article 72 says that EU data law will apply to the organs of the UK state. Article 73 says that UK data which is transferred to the EU shall be treated as though it were the data of a Member State. It does not say that the converse is also true.

Applying Union Law not the same as being a Union Member

This has been read- insofar as any public attention has been paid to the issue- as meaning that the UK may carry on as before during the transition period, treated as if it were a member state for the purposes of data transfers. But, clearly, this not what is stated in Articles 70-73, on data processing. A basis could be found grounded in an optimistic reading of Articles 127.1 and 127.3, read together. Art 127.1:
Unless otherwise provided in this Agreement, Union law shall be applicable to and in the United Kingdom during the transition period.
Art 127.3:
During the transition period, the Union law applicable pursuant to paragraph 1 shall produce in respect of and in the United Kingdom the same legal effects as those which it produces within the Union and its Member States, and shall be interpreted and applied in accordance with the same methods and general principles as those applicable within the Union.
The problem for proponants of a cheery reading of these sections is that Union law is clear about one thing- that transferring personal data to a non-Member state requires a legal basis. Article 73 says that UK data which is transferred to the EU shall be treated as though it were the data of a Member State. It carefully does not say that EU data transferred to the UK shall be considered to be travelling to a Member State. It cannot, because the EU negotiators can’t agree something that would be illegal under EU law. What next? Under the Withdrawal Agreement European Union law is agreed to have the same ‘legal effects’ as those which it produces in the Union and its Member states, under Article 127.3. But, within the Union and its Member states, the effects of a personal data transfer under Union law depend on whether the destination country is a Member state, or whether it is not. Within the next few weeks, the UK will not be an EU Member state. And the agreement to apply Union law will have the legal effects which flow from that fact. Given the current uncertainty, it would be wise for companies to arrange for alternative legal grounds (Standard contract clauses etc) for data transfers to the UK to be in place before the 12th April 2019.

Ireland’s role in Myanmar atrocities

The Government and military forces of Myanmar are the central focus of the UN Human Rights Council mission report on the plight of the Rohingya people of Myanmar. However, the report cites Facebook’s involvement and states:

“The extent to which Facebook posts and messages have led to real-world discrimination and violence must be independently and thoroughly examined.”

Ostensibly, it falls to Ireland to initiate an examination as suggested by the Human Rights Council mission because the Facebook accounts established for the Myanmar military (the “posts and messages” referred to in the report) were, contractually, located in the Dublin offices of Facebook Ireland Ltd.

Genocide was one of the wrongful acts investigated by the Human Rights Council mission.

Genocide is defined in Article 2 of the “Convention on the Prevention and Punishment of the Crime of Genocide” (“the Genocide Convention”) as “any of the following acts committed with intent to destroy, in whole or in part, a national, ethnical, racial or religious group as such:

a) Killing members of the group;

b) Causing serious bodily or mental harm to members of the group;

c) Deliberately inflicting on the group conditions of life calculated to bring about its physical destruction in whole or in part;

d) Imposing measures intended to prevent births within the group;

e) Forcibly transferring children of the group to another group.

Ireland is bound by the Genocide Convention, having signed it and ratified it. The Convention (Article 4) requires punishment of offenders. Offenders may be “constitutionally responsible rulers, public officials or private individuals”. The Genocide Convention extends to the offence of “complicity”.

The Human Rights Council mission stated:

“The Mission regrets that Facebook is unable to provide country-specific data about the spread of hate speech on its platform, which is imperative to assess the adequacy of its response.”

The Human Rights Council mission also stated:

“Facebook has been a useful instrument for those seeking to spread hate, in a context where for most users Facebook is the Internet.”

Under Article 5 of the Genocide Convention, states are obliged to “provide effective penalties” for persons guilty of genocide or related offenses.

Under Article 50 of the 1949 Geneva Convention, by which Ireland is bound, states are under the obligation to search for persons alleged to have committed, or to have ordered to be committed, such grave breaches [war crimes], and shall bring such persons, regardless of their nationality, before its own courts… [or] hand such persons over for trial to another High Contracting Party …

At a minimum, Ireland is in a position, and obliged in law, to practically investigate the role of the Facebook platform in the “spread of hate” prior to and during the breaches of human rights law suffered by the Rohingya people of Myanmar and to secure the evidence which Facebook was unable to provide to the Human Rights Council mission.

The fact that Facebook has, reputedly, moved this evidence to California is not an obstacle; the European Parliament has challenged the propriety of that move and Ireland has the legal power, under the GDPR, to require, of Facebook, the return of the evidence to Ireland.

The UN Human Rights Council

Urgent questions for the Data Protection Commission.

A) Do you know that the United Nations Human Rights Council has deplored the failures of “Facebook” in connection with the facilitation of genocide by the Myanmar military in Rakhine district in Myanmar?

B) Do you not know that, under international criminal law, the commander of a military force is, in principal, responsible for the crimes of his forces?

C) Do you know that General Min Aung Hlaing, the commander of the Myanmar military forces (since 2011) communicated with his forces by means of, inter alia, the Facebook platform?

D) Do you know that General Min Aung Hlaing’s account with Facebook was established with Facebook Ireland Ltd. and that the law applicable to that account is Irish and EU law?

E) Do you know that Facebook Ireland Ltd., in or about 19th April 2018, purported to assign or transfer that account (and others) to Facebook Inc. in Menlo Park, California?

F) Do you know that the European Parliament has challenged the propriety of that assignment in paragraph 13 of a recent Resolution?

G) Do you know that any claims of individual Rohingya people for compensation for complicity by negligence or otherwise, if any, by Facebook Ireland Ltd., in the Myanmar genocide and other crimes for which General Min Aung Hlaing is responsible, can and should be brought in Ireland?

H) Do you know that the account records purportedly transferred by Facebook Ireland Ltd. to Facebook Inc. in or about 19th April 2018, are, in principle, evidence required in any criminal or civil claims brought against General Min Aung Hlaing or Facebook Ireland Ltd. arising from the Rohingya genocide and other crimes?

I) What steps, if any, does the Data Protection Commission intend to take to recover and secure, for the Rohingya people, that evidence, purportedly transferred by Facebook Ireland Ltd. to Facebook Inc. in or about 19th April 2018?

Google’s policeman

It is very nice to have a good infographic. See this infographic to understand (some of) the GDPR.

It is worth examining the infographic and contrasting it with Google’s latest boo-boo.

Sorry, that boo-boo is not recent; its old news. See it HERE and HERE.

Significantly, that too, a belated recognition that the horse has bolted, was a feature of the Facebook/Cambridge Analytica scandal.

Every detail of that embroglio was long in the public domain before it was seen as a scandal. The “scandal” was the maturing of insights; it was a process of “learning”, of a realisation of what was already known and in the public domain.

What is new in the “current” Google scandal is this; the GDPR is now current law.

The GDPR, when it comes to members of the public, requires a complaint to be lodged with a supervisory authority before the authority is obliged to launch an investigation.

Except that’s not strictly correct.

That may be what the “spokesman” for the Irish Data Protection Commission means in his/her response to a media inquiry (although that’s doubtful).

“Ireland’s data protection commissioner is not currently investigating Google’s data-tracking controversy as the tech giant has not yet officially incorporated its data protection residency here, according to a spokesman.”

Article 57(1)(a) says each supervisory authority shall, on its territory; “monitor and enforce the application of this Regulation”.

If that provision is to be of value, it means that the Irish Data Protection Commission must act, when it learns of a potential breach of the GDPR, notwithstanding the absence of a complaint about Google.

As for the exact terms of the statement by the spokesman for the Data Protection Commission; there is no such idea in the GDPR (or the Data Protection Act 2018) as a data controller “officially incorporating a data protection residency”.

Is the Data Protection Commission denying that Google is in the territory of Ireland?

Or, more subtly, is the Data Protection Commission refusing to recognise that location tracking is a GDPR issue, as is the issue of data subject consent to data processing?

In fact, Section 110 of the Data Protection Act 2018 makes the situation clear;

“110. (1) The Commission, whether for the purpose of section 109 (5)(e), section 113 (2), or of its own volition, may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose.”

What is not clear is what the Data Protection Commission means by its obscure explanation.

Perhaps it means that only the private sector (data subjects and their lawyers) can secure justice for users and protection for their personal data?

The GDPR is not US Confederate money

Senator Mark Warner is the Democrat Vice Chairman of the US Senate Intelligence Committee.

He issued a policy paper, in some fashion, in July 2018.

It includes the redundant idea that the US should have a law “mimicking” the GDPR (or a watered down version of it). This suggestion was directed to the idea that internet users should be entitled to give or withhold their consent to the use of or access to their personal data.

What the Senator seems not to know is that his fellow countrymen already have, in many situations, the benefit of such a law – the GDPR itself.

See this earlier post, adjunct to the topic, HERE.

We don’t have to read his paper to get some value from it. Clearly, it is predicated on the proposition that US citizens have no rights, in US law, with regard to their personal data (other than, presumably, rights in the law of contract). Good luck with that.

Facebook’s Foundations

Here is a report from the New York Times dated 3rd June 2018. It reports that Facebook has current deals with many “device
manufacturers” and that under the deals the manufacturers were given access to the personal data of Facebook users.

The important elements of that story are as follows:

1. The report is of current events, i.e., events after the EU General Data Protection Regulation (“GDPR”) came into force on 25th May 2018.

2. The Facebook users (like the New York Times reporters and the newspaper’s readers) had no knowledge that the “sharing” was going on. (Reputedly, the US Senate is looking into it.)

3. Those Facebook users had not given their consent to the “sharing”.

4. In the absence of explicit consent the sharing was a breach of Article 6 GDPR (and probably Article 9 GDPR).

5. Article 3 GDPR has the effect of extending the GDPR jurisdiction globally.

6. Article 26 GDPR defines “joint controllers”, a definition which on known facts embraces Facebook Inc. and Facebook Ireland Ltd.

7. Consequently, the benefits of the GDPR extend to and
are available to any Facebook user affected by the “sharing” by Facebook of the personal data. Those Facebook users can be resident anywhere (including the USA) because Facebook Inc. and Facebook Ireland Ltd. jointly control the personal data of every Facebook user in the world.

8. The relevant regulatory authority to address any complaint arising is the Irish Data Protection Commission. The Commission is a body empowered to apply fines of up to €20 million or 4% of global turnover, whichever is largest.

9. If point 6 above applies, the fine would be levied with regard to the turnover of Facebook Inc. and Facebook Ireland Ltd.

What are Facebook’s users going to do?

Sir Cliff Richard

There are two matters (at least) worth noting in Sir Cliff Richard’s deserved win in the English High court.

Firstly, it is heartening that a group of ordinary [women] citizens were sufficiently integrated as persons that they were immune to the effects of the smear attaching to Sir Cliff as a result of the disgraceful lynching of him by the BBC. Those citizens supported Sir Cliff by cheering for him outside the court on the delivery of the judgment.

Secondly, we in Ireland have seen something similar happen here. The similarity to the events in the UK at the house of Sir Cliff and, previously, in Ireland comes from one common feature; the actions of the police force in each jurisdiction.

The BBC clearly received advance notice of the planned raid on Sir Cliff’s house. That could only come from the UK police.

On 30th September 1996, in Dublin, the Garda Síochána executed a raid on the offices of Michael E. Hanahoe & Company, solicitors. In a subsequent High court action the court found as a probability that the Garda Síochána leaked the news of the impending raid to the Irish media. The Irish Times was to the fore in taking advantage of that leak and sent reporters and a photographer to cover the raid.

As it happened, the Dublin solicitors sued the Irish state rather than the Irish Times and were awarded substantial damages.

What the BBC should do now is identify the UK police officer(s) that leaked the information to them.

The Facial Images on the PSC are Biometric Data

Mock PSC

Contention:

That images of people’s faces which allow or confirm the identification of a person are biometric data and therefore data controllers and processors require a lawful basis under both Article 6 and Article 9 of the GDPR to process that data.

Evidence:

1) The GDPR

Article 4(14) of the General Data Protection Directive defines biometric data as follows; (emphasis added)

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

2) Irish Data Protection Commission

The Data Protection Commission has issued an information notice on Biometrics within which it helpfully sets out a number of different forms of data which meet the definition of Biometric data in the Commission’s opinion.

To quote the first type as described is sufficient for our purpose;

1.2 Types of biometric data.

There are three principal types of biometric data

Raw Images, consisting of recognisable data such as an image of a face or a fingerprint, etc

3) Article 29 Working Party

Opinion 3/20123 set out two forms of Biometric data, as agreed by the Working Party of all of the EU’s Data Protection Authorities. (emphasis added below). This definition was also cited in the Article 29 Working Party’s Opinion on Facial Recognition:

Biometric data can be stored and processed in different forms. Sometimes the biometric information captured from a person is stored and processed in a raw form that allows recognising the source it comes from without special knowledge e.g. the photograph of a face, the photograph of a finger print or a voice recording. Some other times, the captured raw biometric information is processed in a way that only certain characteristics and/or features are extracted and saved as a biometric template

4) Caselaw

Although the GDPR has not yet been litigated before the CJEU, a number of national and EU cases have addressed the definition of facial images as sensitive or biometric personal data.

ECJ C-291/12, Schwarz v. Bochum, 20135 set out in Article 1.2 COUNCIL REGULATION (EC) No 2252/20046 is entitled “security features and biometrics in passports and travel documents issued by Member States” (emphasis added) 

Passports and travel documents shall include a storage medium which shall contain a facial image. Member States shall also include fingerprints in interoperable formats.

Case Number LJN BK63317 Dutch High Court, 23 March 2010: specifically confirmed that images of faces alone were sensitive personal data, as they revealed sensitive data, such as ethnicity.

CASE OF S. AND MARPER v. THE UNITED KINGDOM

The European Court of Human Rights, which has an appreciation of the EU’s Data Protection Regime, but whose findings are not directly congruent with the CJEU’s on this matter, recognised nonetheless in Paragraph 81 of its judgment that facial records were on a par with fingerprint records and voice samples (which are not disputed to be biometric data)

The applicant’s fingerprint records constitute their personal data (see paragraph 68 above) which contain certain external identification features much in the same way as, for example, personal photographs or voice samples