Included in this issue: Freedom of Information (FOI) requests: application of the appropriate limit exemption; "Citizens' Guide" to the Privacy Shield published; EU Commission reports on E-Privacy Directive consultation.


Freedom of Information (FOI) requests: application of the appropriate limit exemption

The Information Commissioner's Office (ICO) has ruled that Nottinghamshire County Council (the Council) failed to provide sufficient reasons for applying the costs compliance exemption in section 12 Freedom of Information Act 2000 (the Act), when refusing a FOI request relating to complaints of bullying and harassment at work.

Section 12 of the Act provides an exemption to compliance with FOI requests if the costs of compliance would exceed the appropriate limit - in this case £450 for a public authority (£600 for central government). The complainant made a FOI request to the Council, asking for details about bullying and harassment, including the number of complaints made, and details about how each claim was handled by the Council. The Council provided the number of complaints but refused to provide additional information requested on the basis that it would take too long and would exceed the cost limit.

The ICO has made clear that public authorities must provide a reasonable estimate of the costs of responding to a FOI request, including a clear breakdown and assessment of costs. It noted that the Council in this case failed to provide sufficient rationale at the time of refusal. Further to this the Council had not carried out sample exercises to determine the cost of locating files, or explained what measures it had undertaken to establish any type of estimates. Due to this Council failing to provide an adequate assessment of how it estimated costs, the ICO found that the section 12 exemption was therefore not triggered. In addition, the Council was also seen to have failed to provide adequate advice and assistance, pursuant to section 16 of the Act, since it did not explain what information (if any) could be provided within the appropriate limit.

When seeking to rely on section 12 of the Act, reasoned responses should be provided at the time of refusal.

Read the ICO decision


"Citizens' Guide" to the Privacy Shield published

The European Commission has published a "citizens' guide" outlining individuals' rights and recourse under the EU-US Privacy Shield (Privacy Shield). The data sharing agreement safeguards the processing of personal data sent to US companies from the EU.

The guide sets out the obligations on Privacy Shield companies and rights of data subjects. The following principles are addressed, such as: the right to be informed; limitations on the use of data; length of storage; and security. It also sets out the rights of individuals to access and correct their data, and to submit a complaint.

The guide focuses on the complaint process in detail, outlining a number of channels available. If a complaint is made directly to a company who is covered by the Privacy Shield, it has an obligation to respond within 45 days. Companies under the Privacy Shield are obliged to provide an independent remedial process to investigate unresolved complaints free of charge. Alternatively they can select an alternative dispute resolution process, to which a link must be provided on their website, or they can submit to the jurisdiction of an EU member state data protection authority. Further options include complaints to: the US Department of Commerce; the US Federal Trade Commission; and, in cases involving the US public authorities, the newly established Ombudperson.

American companies who wish to sign up to the Privacy Shield, need to register and self-certify that they meet the requirements annually. At a news conference in Brussels on 1 August 2016 Věra Jourová, the European justice, consumers and gender equality Commissioner, said: "The privacy shield ensures easier redress for individuals in case of any complaints. I am therefore confident that the privacy shield will restore the trust of Europeans in the way their personal data are transferred across the Atlantic and processed by companies there."

The Article 29 Working Party are less convinced. This year will be a test for the Privacy Shield before it faces scrutiny next summer.

Read the Citizen's Guide

EU Commission reports on E-Privacy Directive consultation

The EU Commission has published a summary report of the public consultation on the review of the Privacy and Electronic Communications Directive (2002/58/EC) (E-Privacy Directive). The public consultation forms part of the EU Commission's evaluation of the E-Privacy Directive and could potentially have an impact on upcoming legislative reform. The review of the E-Privacy directive aims to reinforce trust and security in EU digital services and forms a key part of the Digital Single Market Strategy.

Last week, EU data regulators published opinions on the E-Privacy Directive, which advocated extending the scope of the regime beyond traditional telephone and internet service providers, to cover all "functionality equivalent" services such as messaging in social networks and Voice over IP services. They also suggested increasing consent requirements. The results of the EU Commission's consultation seemingly support such views, and 71% of citizens who responded felt that the scope of the E-Privacy Directive was too narrow. In respect of consent for direct marketing, 90% of respondents (excluding industry respondents) favoured opt-in consent, whilst 76% of industry respondents favoured opt-out consent requirements. The findings of the consultation largely support the opinions of EU data regulators in favour of legislative change.

Read the full report

Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile