Data protection: rights and obligations
- Marie has a friend Louis who has been experiencing serious migraines recently and is thinking of visiting a famous physician in Kensington, Jean d’Oubli. Marie publicly states on her Facebook page that Jean d’Oubli was investigated for clinical malpractice in France 15 years ago, before moving to London as his reputation was in tatters. She therefore recommended that Louis and other friends avoid his practice in Kensington. Dr d’Oubli has contacted Marie directly and asked her to remove the content but she has refused, saying that her comments are made for ‘purely personal purposes’ and therefore data protection rules don’t apply to her. She adds that even if they did, she has a right to freedom of expression and it is true that Dr d’Oubli was investigated for malpractice. Dr d’Oubli has therefore contacted Facebook and asked it to remove the comments. Facebook wants to know whether it is a data controller for the purposes of data protection law, and, if so, what obligations it has under data protection law vis-à-vis Dr d’Oubli.
To answer this question I would expect the student to discuss in order:
- First, identify that a large part of this question is a red herring. The material relating to Marie may raise issues of both defamation and data protection law: Marie is clearly a data controller, and it seems unlikely she will fall within the domestic (purely personal) purposes exemption given Lindqvist and Ryneš. However, the question asks us to advise Facebook, not Jean or Marie, so the dispute between Marie and Dr d’Oubli is not directly relevant.
- We must first advise Facebook as to whether it is a data controller. A controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This suggests Facebook is a data controller, a point confirmed by the Facebook fan page case (Wirtschaftsakademie Schleswig-Holstein), where the court observed that Facebook was clearly a controller because it ‘primarily determine[s] the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook’.
- What obligations does Facebook have? It has many, including ensuring that processing is fair and proportionate, but this question is addressing the right to erasure under Art.17 GDPR, or more widely the so-called right to be forgotten. This entails an analysis of Art.17 (including the exception in Art.17(3)(a) where processing is necessary for exercising the right of freedom of expression and information) and of the Google Spain SL and Google Inc. v AEPD and NT1 and NT2 v Google LLC decisions. This analysis should lead us to conclude that Jean likely has the right to have this data deleted under these provisions, and that Facebook should delete the information unless it considers there is an overriding public interest in its continued availability – see NT1 and NT2 v Google LLC.
- You are an adviser to Bettr an online gambling service. Bettr recently fired Todd who was spending all his free time brushing up on his rights under the EU General Data Protection Regulation. Before his dismissal Todd had been the subject of a disciplinary procedure. He has contacted Bettr seeking access under the GDPR to (a) all email correspondence in which he is mentioned by name or by his Bettr handle @BettrthanU, and (b) the names of the attendees of the meeting where his dismissal was first discussed. Todd, who worked in an open-plan office, is also arguing that the use by Bettr of CCTV cameras in this space is incompatible with GDPR and therefore that images of him breaching company policy are unlawful and cannot be used against him. Bettr suggests that the presence of CCTV cameras in the office is well documented and that their CCTV policy allows data storage for one year.
Advise Bettr as to its responsibilities to Todd under EU data protection law.
To answer this question I would expect the student to discuss in order:
- First, students should identify that this is a question on subject access requests (SARs) and that data subjects may, under s. 45 of the Data Protection Act, make a subject access request (giving effect to Art.15 GDPR).
- Students may discuss that the aim of s. 45 is to allow data subjects to check what data is held on them and how that data is being processed and/or transmitted onwards. Further, by s.52(4) the data controller may require the data subject to provide further information to prove his identity and may refuse to comply with a SAR until this information is supplied – so Bettr may ask Todd for more information should it think it needs it, although as Todd is a former employee whose identity it can readily confirm, this is unlikely to be necessary.
- Dealing first with the email correspondence, the question is whether it is correspondence about Todd or about others. This means looking at Durant v Financial Services Authority, Edem v IC & Financial Services Authority, Dawson-Damer v Taylor Wessing LLP, Ittihadieh v 5–11 Cheyne Gardens and Deer v The University of Oxford to determine whether the information is rightly information of which Todd is the data subject and so should be handed over. On the authorities it is likely that Todd should be given this information, although Bettr may redact material relating to third parties.
- Next, the names of the people present at the meeting. Applying Edem specifically, it seems likely that Bettr may claim these names are the personal data of the attendees and, as they are not specifically data about Todd, Bettr may be able to withhold them.
- Finally, the CCTV. It is clear that the capture of an identifiable image of a person on a CCTV system is processing of personal data – Ryneš. The question is whether Bettr may retain this information. Bettr should have a CCTV policy which complies with the ICO code of practice. Under the code, the operator of a CCTV system should not keep recordings for longer than strictly necessary to meet the purposes for which they were made. One year does seem a long retention period, and Bettr should review whether it is appropriate; if the retention is found to be excessive, that weakens Bettr’s position in relying on the footage against Todd.