Written by Sandy Gilchrist, Director, Priviness
First, the European Convention on Human Rights (ECHR) established various rights and freedoms in 1950, including the right to life, the right to a fair trial and, in Article 8, the right to respect for private and family life (the right to privacy). The UK gave these rights domestic effect through the Human Rights Act 1998. NB: the freedoms included freedom of thought, conscience and religion; freedom of expression; and freedom of assembly and association.
Your privacy may only be interfered with (for example, by processing your personal information) where there is a purpose and a legal basis for doing so; otherwise, such processing is unlawful.
So, when 50 years had passed since the ECHR and the Charter of Fundamental Rights of the European Union established, in its Article 8, the fundamental right to the protection of personal data (the right to data protection) in 2000, we found ourselves with two connected rights.
First, privacy, which includes the obligation to process personal data lawfully, and secondly, data protection, which includes the obligation to ensure that any personal data that is to be processed is adequately protected.
Any processing of personal data that is unlawful violates the latest data protection instrument, the General Data Protection Regulation (“GDPR” – an EU regulation that organisations in the UK will still need to comply with after Brexit, if Brexit goes ahead, where they process personal data concerning individuals in the EU) and the UK statute that sits alongside it, the Data Protection Act 2018.
Any processing of personal data that is unlawful also constitutes an infringement of the right to privacy (there being a requirement to have a legal basis for processing), and an individual can seek a remedy under the tort of misuse of private information where they had a “reasonable expectation of privacy.”
In the context of both privacy and data protection, the common thread is the unlawful processing of personal data. In the landmark CNIL decision against Google LLC, the processing was unlawful for two reasons: adequate information had not been provided to individuals to explain how their personal data would be used (for targeted advertising), and the legal basis relied upon (consent) did not meet the standard set out by GDPR. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act; a pre-ticked box or consent bundled into acceptance of terms of service does not count, so implicit or inferred consent is no consent at all.
The explanatory notice (explaining the targeted advertising) is an obligation set out in GDPR (Articles 13 and 14). Without it, your right to be informed about how your personal data is being processed is infringed. It is a required safeguard in data protection terms, and the wider duty to put in place appropriate technical and organisational measures (TOMs) is what the accountability principle turns on. The further question is whether the individual had a “reasonable expectation of privacy” and their right to privacy was infringed too. If so, Google LLC can expect a plethora of private claims related to privacy, in addition to data protection claims.
But this is just the tip of the iceberg. The authorities explain that unlawful processing is any form of processing which violates the GDPR.
Oh, and GDPR defines a personal data breach (Article 4(12)) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where an organisation has failed to put TOMs in place, such breaches are the predictable result, and the accountability principle (Article 5(2)) means you must be able to demonstrate compliance. So, if you cannot prove you have adequate TOMs in place, a regulator will treat you as though you do not. If you cannot prove you have not been breached, you will be treated as though you have. And if you cannot prove that the rights and freedoms of individuals have not been infringed, you will be treated as though they have.
On the other hand, someone seeking a remedy for your organisation’s failure to protect personal data has a challenge on their hands: they need to prove that an infringement of their rights and freedoms and/or a violation of GDPR has occurred. And this is where it gets relatively easy.
Go to the website and have a look at the ‘privacy statement’ or ‘cookie notice’. When it comes to processing your personal data, is it clear how and why this is done, for how long, by whom, and with whom it is shared; and do you know what your rights are? That is what caught Google LLC: they did not adequately explain what was going on.
Is the processing lawful? For example, is the organisation relying on ‘consent’? If so, did they assume consent as part of a consumer contract, or bundle it into acceptance of terms of service? That would be wrong on several levels: consent must be specific to each purpose and given by a clear affirmative act. Again, Google made that mistake. Multiple infringements.
If you run an organisation, email email@example.com and we’ll help you get compliant with your privacy as well as your data protection obligations, keeping personal data breaches to a minimum. The first article I wrote for Business Leader was about Max Schrems and Facebook. “Watch this space,” I advised, and, guess what, one of the complainants behind the CNIL decision against Google LLC is, er, Max Schrems in his current guise (None of Your Business – NOYB.eu), alongside La Quadrature du Net. So, when it comes to personal data, beware – be very aware.