Electronic Discovery: Reviewing UK data from outside the EU

If data is processed and hosted in the UK, can it be reviewed from outside the UK? How does the ICO view this? Does the Data Protection Act allow data to be reviewed from outside the EU?

Review platforms such as Attenex, Relativity, RingTail or IConect allow reviewers to plough through very large volumes of documents, usually via a web browser. The reviewers can be anywhere in the world, as long as they have internet access. For example, a Manchester case with the data hosted in London can be reviewed by a law firm in Bristol. This example, involving three UK cities, poses no legal problems. But what if the review is to be conducted outside the UK? If the data to be reviewed comes from the UK, and is processed and hosted in the UK, but is reviewed by a New York law firm, what does the law say?

The UK legislation says both a lot and very little about the subject.

The Data Protection Act has eight core principles, and it is the eighth principle which is most relevant here. This principle states that “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This means that data cannot be transferred out of the EEA unless one of the recognised exceptions applies: the consent of the data subject (the person whose data it is), an adequacy finding by the European Commission for the destination country, the US Safe Harbor scheme, or another approved safeguard such as model contract clauses.

What does this mean for reviewers? Is the data “transferred” out of the EEA during a review? The term “transfer” is not defined in the legislation. Tools like Relativity can prevent the download of native documents and allow only a “review” of the extracted text or an image (TIFF/PDF); this would imply that the data has not been transferred from the UK to the reviewer’s country (in this example the US), as it has never left the hosting server. Mere transit of data through a third country, as opposed to transfer to it, is also not treated as a transfer under the Act.

However the ICO takes a different view. The ICO’s opinion of 2nd March 2008, consistent with what it had previously implied, is that reviewing data from the US (or any other country outside the EEA) falls under the eighth principle, because it is a transfer of data within the meaning of the Act.

Taken alone, this would imply that reviewing data from a country outside the EEA is a breach of the Act over which the ICO could take enforcement action. With the ICO gradually gaining more powers to protect data and privacy in the UK, and pushing for still more, the threat of a fine for law firms and data processors has to be taken seriously.

However the ICO has stated that this problem can be resolved by a contract with the third party reviewing the data. For example, if Company A were hosting data belonging to Company B, and Law Firm C, based in the US, wanted to review it, a contract between Company B and Law Firm C guaranteeing the protection of the data, and suitable IT security on the part of both Company B and Law Firm C, should resolve the problem and prevent any breach of the eighth principle.

Legal advice from an independent law firm, and guidance from the ICO, should be obtained before transferring data outside the UK. This article is provided for information purposes only and should not be construed as legal advice.

How Can The Police Legally “Hack” Into Computers?

On 5th January 2009 the BBC published an article stating that the police are to be encouraged to “hack” into personal computers for the purposes of investigation, following an EU report on the subject. This raises many questions, not least of which is:

“How can the police legally hack into my computer?”

Firstly, the EU report that the BBC mentions is not quite as explosive as the BBC implies. The report, entitled “Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime”, states that “If necessary, the European platform could be a tool for ……. facilitating remote searches if provided for under national law”. The qualifier “if provided for under national law” is the important part.

The EU report does not itself provide for covert searches and surveillance; it regards remote searches as an effective method of investigating computer crime and suggests that member states use whatever laws they already have available.

This still leaves the question: what laws are available to the UK police for covert computer searches?

The UK police do not have much to say on the issue, with very little documentation produced on the subject by the advisory body known as the Association of Chief Police Officers (ACPO). In 2005 ACPO did release the National Intelligence Model, which has only this to say about covert operations:

Covert operational teams are regularly deployed within communities and in the investigation of serious crimes. In addition to gathering operation-specific information, unrelated information will also be generated. This must also be recorded and evaluated following the principles for managing and sanitising confidential information.

ACPO has even less to say on the subject of covert searches:

“Covert searches – surveillance authorities may be required – collection of personal data by covert means.”

In 1997, at the reading of the Police Bill in the House of Lords, the subject of covert searches was discussed:

Surveillance and covert searches are likely to be authorised if a chief constable thinks that they are necessary; they would then be approved by one of the commissioners

The Police Bill became the Police Act 1997, and its property-interference powers now sit alongside the Regulation of Investigatory Powers Act 2000 (RIPA), which provides for all sorts of surveillance methods, including the interception of communications (phone tapping) and intrusive surveillance. It is these surveillance powers that allow the police to search computers remotely (i.e. to hack computers), as the legislation provides for covert and intrusive searches.

The Home Office document Covert Surveillance – Code of Practice, produced as a guide for the police on using RIPA, states:

5.6 In many cases, a surveillance investigation or operation may involve both intrusive surveillance and entry on or interference with property or with wireless telegraphy. In such cases, both activities need authorisation. This can be done as a combined authorisation (see paragraph 2.11).

It then goes on to state who can authorise this:

5.7 An authorisation for intrusive surveillance may be issued by the Secretary of State (for the intelligence services, the Ministry of Defence, HM Forces and any other public authority designated under section 41(1)) or by a senior authorising officer (for police, NCIS, NCS and HMCE).


5.10 The senior authorising officer should generally give authorisations in writing. However, in urgent cases, they may be given orally. In urgent oral cases, a statement that the senior authorising officer expressly authorised the conduct should be recorded in writing by the applicant as soon as is reasonably practicable.


5.11 If the senior authorising officer is absent then, as provided in section 12(4) of the Police Act 1996, section 5(4) of the Police (Scotland) Act 1967, section 25 of the City of London Police Act or sections 8 or 54 of the 1997 Act, an authorisation can be given in writing or, in urgent cases, orally by the designated deputy.


5.12 In an urgent case, where it is not reasonably practicable, having regard to the urgency of the case, for the designated deputy to consider the application, a written authorisation may be granted by a person entitled to act under section 34(4) of the 2000 Act.

There is no doubt that RIPA provides the police with much needed powers, but it has also been misused many times, both by the police and, more commonly, by councils. In fact there were so many occurrences of RIPA being misused at a local level that central government had to warn councils to stop misusing the powers in this way.

The issue is not whether the powers are needed, or whether they will be misused: we know the powers are needed, and we also know they will be misused. Whenever people are given access to data and surveillance, some will misuse it; it is, sadly, a fact of life.

The issue is whether we want the government’s executive agencies (and councils) to have these powers, knowing that they will be misused. Is that a balanced risk?

Data Retention: Article 29 Working Party

Within the EU there is a body with the catchy title of “Working Party on the Protection of Individuals with regard to the Processing of Personal Data”. This group produces guidelines and policy in relation to personal data on everything from policing to direct sales.

Despite a name that just rolls off the tongue, the Working Party is usually known simply as the “Article 29 Working Party”, because it was formed under Article 29 of the even more catchy “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.

Article 29 states that:

  1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, hereinafter referred to as ‘the Working Party’, is hereby set up.
    It shall have advisory status and act independently.
  2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.
    Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.
  3. The Working Party shall take decisions by a simple majority of the representatives of the supervisory authorities.
  4. The Working Party shall elect its chairman. The chairman’s term of office shall be two years. His appointment shall be renewable.
  5. The Working Party’s secretariat shall be provided by the Commission.
  6. The Working Party shall adopt its own rules of procedure.
  7. The Working Party shall consider items placed on its agenda by its chairman, either on his own initiative or at the request of a representative of the supervisory authorities or at the Commission’s request.

Even back in 1997, shortly after the Article 29 WP was set up, it published a report identifying the problems of companies collecting large amounts of data about EU citizens.

The report, entitled Anonymity on the Internet, stated that:

Over the past 25 years it has become apparent that one of the greatest threats to this fundamental right to privacy is the ability for organisations to accumulate large amounts of information about individuals, in a digital form which lends itself to high-speed (and now very low-cost) manipulation, alteration and communication to others. Concerns about this development and the potential misuse of such personal data has led all European Member States (and now the Community with directive 95/46/EC) to adopt specific data protection laws which set down a framework of rules governing the processing of personal information.

Over the past decade, as data protection law has developed within the EU and its member states, the Article 29 WP has continued to push for better privacy and protection for individuals.

In 2008 the Article 29 WP started to push the search engines to reduce the amount of data they retain about EU citizens, pressing for data to be stored for no longer than 6 months. Google has reduced its data retention to 18 months, Microsoft is considering 6 months, and Yahoo! has stated it will go as low as 3 months.

S and Marper v UK: Judgment

The judgment for the historic case of S and Marper v the United Kingdom is below.

The background case details for S and Marper are available here

The result of the case, in brief, is available here.

The key question, “Will the police delete DNA as a result of the ruling?”, is discussed here.


EUROPEAN COURT OF HUMAN RIGHTS

880

4.12.2008

Press release issued by the Registrar

GRAND CHAMBER JUDGMENT
S. AND MARPER v. THE UNITED KINGDOM

The European Court of Human Rights has today delivered at a public hearing its Grand Chamber judgment [1] in the case of S. and Marper v. the United Kingdom (application nos. 30562/04 and 30566/04).

The Court held unanimously that:

· there had been a violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights;

· it was not necessary to examine separately the complaint under Article 14 (prohibition of discrimination) of the Convention.

Under Article 41 (just satisfaction), the Court considered that the finding of a violation, with the consequences that this would ensue for the future, could be regarded as constituting sufficient just satisfaction in respect of the non-pecuniary damage sustained by the applicants. It noted that, in accordance with Article 46 of the Convention, it would be for the respondent State to implement, under the supervision of the Committee of Ministers, appropriate general and/or individual measures to fulfil its obligations to secure the right of the applicants and other persons in their position to respect for their private life. The Court awarded the applicants 42,000 euros (EUR) in respect of costs and expenses, less the EUR 2,613.07 already paid to them in legal aid. (The judgment is available in English and French.)

1.  Principal facts

The applicants, S. and Michael Marper, are both British nationals, who were born in 1989 and 1963 respectively. They live in Sheffield, the United Kingdom.

The case concerned the retention by the authorities of the applicants’ fingerprints, cellular samples and DNA profiles after criminal proceedings against them were terminated by an acquittal and were discontinued respectively.

On 19 January 2001 S. was arrested and charged with attempted robbery. He was aged eleven at the time. His fingerprints and DNA samples [2] were taken. He was acquitted on 14 June 2001. Mr Marper was arrested on 13 March 2001 and charged with harassment of his partner. His fingerprints and DNA samples were taken. On 14 June 2001 the case was formally discontinued as he and his partner had become reconciled.

Once the proceedings had been terminated, both applicants unsuccessfully requested that their fingerprints, DNA samples and profiles be destroyed. The information had been stored on the basis of a law authorising its retention without limit of time.

2.  Procedure and composition of the Court

The application was lodged with the European Court of Human Rights on 16 August 2004 and declared admissible on 16 January 2007. The Chamber to which the case was assigned decided to relinquish jurisdiction to the Grand Chamber on 10 July 2007 [3].

The National Council for Civil Liberties and Privacy International were granted leave to intervene in the written procedure before the Grand Chamber.

A public hearing took place in the Human Rights building, Strasbourg, on 27 February 2008.

The judgment was given by the Grand Chamber of 17 judges, composed as follows:

Jean-Paul Costa (France), President,
Christos Rozakis (Greece),
Nicolas Bratza (United Kingdom),
Peer Lorenzen (Denmark),
Françoise Tulkens (Belgium),
Josep Casadevall (Andorra),
Giovanni Bonello (Malta),
Corneliu Bîrsan (Romania),
Nina Vajić (Croatia),
Anatoly Kovler (Russia),
Stanislav Pavlovschi (Moldova),
Egbert Myjer (Netherlands),
Danutė Jočienė (Lithuania),
Ján Šikuta (Slovakia),
Mark Villiger (Switzerland) [4],
Päivi Hirvelä (Finland),
Ledi Bianku (Albania), judges,

and also Michael O’Boyle, Deputy Registrar.

3.  Summary of the judgment [5]

Complaints

The applicants complained under Articles 8 and 14 of the Convention about the retention by the authorities of their fingerprints, cellular samples and DNA profiles after their acquittal or discharge.

Decision of the Court

Article 8

The Court noted that cellular samples contained much sensitive information about an individual, including information about his or her health. In addition, samples contained a unique genetic code of great relevance to both the individual concerned and his or her relatives. Given the nature and the amount of personal information contained in cellular samples, their retention per se had to be regarded as interfering with the right to respect for the private lives of the individuals concerned.

In the Court’s view, the capacity of DNA profiles to provide a means of identifying genetic relationships between individuals was in itself sufficient to conclude that their retention interfered with the right to the private life of those individuals. The possibility created by DNA profiles for drawing inferences about ethnic origin made their retention all the more sensitive and susceptible of affecting the right to private life.

The Court concluded that the retention of both cellular samples and DNA profiles amounted to an interference with the applicants’ right to respect for their private lives, within the meaning of Article 8 § 1 of the Convention.

The applicants’ fingerprints were taken in the context of criminal proceedings and subsequently recorded on a nationwide database with the aim of being permanently kept and regularly processed by automated means for criminal-identification purposes. It was accepted that, because of the information they contain, the retention of cellular samples and DNA profiles had a more important impact on private life than the retention of fingerprints. However, the Court considered that fingerprints contain unique information about the individual concerned and their retention without his or her consent cannot be regarded as neutral or insignificant. The retention of fingerprints may thus in itself give rise to important private-life concerns and accordingly constituted an interference with the right to respect for private life.

The Court noted that, under section 64 of the 1984 Act, the fingerprints or samples taken from a person in connection with the investigation of an offence could be retained after they had fulfilled the purposes for which they were taken. The retention of the applicants’ fingerprints, biological samples and DNA profiles thus had a clear basis in the domestic law.

At the same time, Section 64 was far less precise as to the conditions attached to and arrangements for the storing and use of this personal information.

The Court reiterated that, in this context, it was essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards. However, in view of its analysis and conclusions as to whether the interference was necessary in a democratic society, the Court did not find it necessary to decide whether the wording of section 64 met the “quality of law” requirements within the meaning of Article 8 § 2 of the Convention.

The Court accepted that the retention of fingerprint and DNA information pursued a legitimate purpose, namely the detection, and therefore, prevention of crime.

The Court noted that fingerprints, DNA profiles and cellular samples constituted personal data within the meaning of the Council of Europe Convention of 1981 for the protection of individuals with regard to automatic processing of personal data.

The Court indicated that the domestic law had to afford appropriate safeguards to prevent any such use of personal data as could be inconsistent with the guarantees of Article 8 of the Convention. The Court added that the need for such safeguards was all the greater where the protection of personal data undergoing automatic processing was concerned, not least when such data were used for police purposes.

The interests of the individuals concerned and the community as a whole in protecting personal data, including fingerprint and DNA information, could be outweighed by the legitimate interest in the prevention of crime (the Court referred to Article 9 of the Data Protection Convention). However, the intrinsically private character of this information required the Court to exercise careful scrutiny of any State measure authorising its retention and use by the authorities without the consent of the person concerned.

The issue to be considered by the Court in this case was whether the retention of the fingerprint and DNA data of the applicants, as persons who had been suspected, but not convicted, of certain criminal offences, was necessary in a democratic society.

The Court took due account of the core principles of the relevant instruments of the Council of Europe and the law and practice of the other Contracting States, according to which retention of data was to be proportionate in relation to the purpose of collection and limited in time. These principles had been consistently applied by the Contracting States in the police sector, in accordance with the 1981 Data Protection Convention and subsequent Recommendations by the Committee of Ministers of the Council of Europe.

As regards, more particularly, cellular samples, most of the Contracting States allowed these materials to be taken in criminal proceedings only from individuals suspected of having committed offences of a certain minimum gravity. In the great majority of the Contracting States with functioning DNA databases, samples and DNA profiles derived from those samples were required to be removed or destroyed either immediately or within a certain limited time after acquittal or discharge. A restricted number of exceptions to this principle were allowed by some Contracting States.

The Court noted that England, Wales and Northern Ireland appeared to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence.

It observed that the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests. Any State claiming a pioneer role in the development of new technologies bore special responsibility for striking the right balance in this regard.

The Court was struck by the blanket and indiscriminate nature of the power of retention in England and Wales. In particular, the data in question could be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender; the retention was not time-limited; and there existed only limited possibilities for an acquitted individual to have the data removed from the nationwide database or to have the materials destroyed.

The Court expressed a particular concern at the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who had not been convicted of any offence and were entitled to the presumption of innocence, were treated in the same way as convicted persons. It was true that the retention of the applicants’ private data could not be equated with the voicing of suspicions. Nonetheless, their perception that they were not being treated as innocent was heightened by the fact that their data were retained indefinitely in the same way as the data of convicted persons, while the data of those who had never been suspected of an offence were required to be destroyed.

The Court further considered that the retention of unconvicted persons’ data could be especially harmful in the case of minors such as the first applicant, given their special situation and the importance of their development and integration in society. It considered that particular attention had to be paid to the protection of juveniles from any detriment that could result from the retention by the authorities of their private data following acquittals of a criminal offence.

In conclusion, the Court found that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, failed to strike a fair balance between the competing public and private interests, and that the respondent State had overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention in question constituted a disproportionate interference with the applicants’ right to respect for private life and could not be regarded as necessary in a democratic society. The Court concluded unanimously that there had been a violation of Article 8 in this case.

Article 14 in conjunction with Article 8

In the light of the reasoning that led to its conclusion under Article 8 above, the Court considered unanimously that it was not necessary to examine separately the complaint under Article 14.

***

The Court’s judgments are accessible on its Internet site (http://www.echr.coe.int).

Press contacts
Adrien Raif-Meyer (telephone: 00 33 (0)3 88 41 33 37)
Tracey Turner-Tretz (telephone: 00 33 (0)3 88 41 35 30)
Sania Ivedi (telephone: 00 33 (0)3 90 21 59 45)

The European Court of Human Rights was set up in Strasbourg by the Council of Europe Member States in 1959 to deal with alleged violations of the 1950 European Convention on Human Rights.

[1] Grand Chamber judgments are final (Article 44 of the Convention).

[2] DNA stands for deoxyribonucleic acid; it is the chemical found in virtually every cell in the body and the genetic information therein, which is in the form of a code or language, determines physical characteristics and directs all the chemical processes in the body. Except for identical twins, each person’s DNA is unique. DNA samples are cellular samples and any sub-samples or part samples retained from these after analysis. DNA profiles are digitised information which is stored electronically on the National DNA Database together with details of the person to whom it relates.

[3] Under Article 30 of the Convention, where a case pending before a Chamber raises a serious question affecting the interpretation of the Convention or the protocols thereto, or where the resolution of a question before the Chamber might have a result inconsistent with a judgment previously delivered by the Court, the Chamber may, at any time before it has rendered its judgment, relinquish jurisdiction in favour of the Grand Chamber, unless one of the parties to the case objects.

[4] Judge elected in respect of Liechtenstein.

[5] This summary by the Registry does not bind the Court.

“I” v Finland – Data Protection and Privacy

Results:

On 17th July 2008 the European Court of Human Rights, in the case of I v Finland, found for “I” and against Finland. The ECHR, based in Strasbourg, awarded “I” over €13,000 in damages and €20,000 in costs.

The full court decision, I v Finland (application no. 20511/03), is available here.

Overview of the case

The applicant “I”, now 48 years old, stated that her private medical records were accessed by other people who had no need to see them, and that as a result she may have lost her job as a nurse.

The access, which occurred around 1992, was not recorded, because the hospital’s records system at that time in Finland did not log who had accessed a patient’s medical records.

The ECHR decided that, as the hospital was controlled by the State (Finland), the Finnish government was responsible for what happened at the hospital, including access to the medical records.

A key finding of the case was the court’s statement that personal information relating to a patient undoubtedly belongs to his or her private life. Article 8, the right to respect for private life, therefore applied. On this basis the European Court of Human Rights found that a person’s right to respect for their private life under the Convention may be breached where the State fails to take appropriate steps to secure data so that it cannot be accessed improperly.

Article 8 not only means that the government must not interfere unduly in a person’s private life; the government must also take positive action to prevent such interference, e.g. by putting in place and enforcing systems and procedures to protect data.

This case is particularly interesting because the court made no finding that there had been deliberate unauthorised access to the data, only that the data had not been secured appropriately, i.e. a breach of Finland’s positive obligations under Article 8 of the European Convention on Human Rights.

Summary: the ECHR found that if personal data is not secured adequately, and the State does not take positive steps to secure it (not just through legislation but through technical and procedural measures as well), then the State is in breach of Article 8.
