E-COMMERCE DATA PROTECTION- PART I

Page 1

E-COMMERCE LAW
DATA PROTECTION
PRESENTATION BY: DR ANDREW IWOBI

Page 2

BACKGROUND OF DATA PROTECTION (DP) REGIME

Primary Purpose of DP Regime:
- Safeguarding personal privacy, by:
  - Regulating collection, storage, and distribution of personal information.
  - Preventing misuse or mishandling of personal data.
- Historical Context:
  - Less demand for a DP regime prior to the digital age:
    - Reliance on paper-based records limited data access.
    - Manual filing systems made data retrieval cumbersome and time-consuming.
  - Example:
    - Vehicle purchasers used to rely on paper documents (e.g., MOT test results); now, online checks available (e.g., GOV.UK).

Page 3

Role of Data Protection in Safeguarding Privacy

Privacy Importance:
- First highlighted by Warren & Brandeis as the “right to be left alone.”
- Enshrined in various national and international laws, including:
  - Nigerian Constitution 1999, Section 37: Privacy of citizens protected.
  - Chinese Constitution 1982, Article 40: Freedom and privacy of correspondence protected.
  - European Convention on Human Rights 1950, Article 8: Right to respect for private and family life guaranteed.
  - UN Declaration of Human Rights 1948, Article 48: Right to protection against arbitrary interference with privacy.

Page 4

Modern Threats to Privacy:
- Personal data collection and distribution threaten individual privacy.
- Measures introduced by EU and UN:
  - EU Charter, Article 8: “Everyone has the right to the protection of personal data concerning him or her”.
  - UN General Assembly (2016): Affirmed that “the same right people have offline must also be protected online”.

Page 5

Relevance of Data Protection to E-Commerce

Consumer Confidence:
- Online consumers need a safe environment for electronic marketplaces to thrive.
- Efficient DP regime is essential for privacy, ensuring consumer confidence.
- Recognised by Elizabeth France (U.K. DP Registrar) and the European Commission in its paper, ‘Safeguarding Privacy’.

Page 6

EU Data Protection Framework

Global Recognition:
- The EU DP framework considered the most comprehensive and influential.
- Originated with the Data Protection Directive (DPD) in 1995.
  - Introduced national laws across EU member states, including UK’s DPA 1998.
- GDPR Superseding DPD (May 2018):
  - UK’s DPA 1998 replaced by DPA 2018.

Page 7

Three Fundamental Dimensions of the EU GDPR Regime

Key Data Protection Concepts
Main Actors in the Data Protection Landscape
Core Data Protection Principles

Page 8

Key Concepts

Personal Data Identification:
- What constitutes Personal Data (PD)?
Processing Definition:
- What constitutes processing under GDPR?

Page 9

What Constitutes Personal Data?

Art.1(1) GDPR: Provisions apply only to processing of PD.
Carey’s Perspective:
- Identification of personal data is often straightforward:
  - Bank storing customer info (name, address, etc.).
  - Employer holding employee data (salary, health status, etc.).

Page 10

Definition of Personal Data (PD)

Art.4(1) GDPR:
- PD = Information relating to an identified or identifiable person.
Carey’s Insight:
- The definition is framed so broadly = a wide interpretation of what constitutes PD. = almost anything that relates to an identifiable individual qualifies.

Page 11

Identifiers under Art.4(1) GDPR

Examples of Identifiers Include:
- Name, identification number, location data, online identifiers.

Page 12

Other Factors Relating to Identifiability

Identifiers may relate to various personal aspects:
- Physical, genetic, mental, economic, cultural, or social identity factors.
- The list is non-exhaustive; other identification means may also apply.

Page 13

What Constitutes Processing under GDPR?

Art.4(2) GDPR Definition:
- Any operation performed on personal data, including collection, storage, and destruction.
- Murray’s View: Definition is expansive, covering a wide range of activities.

Page 14

Academic Debate on What Constitutes Processing

Carey:
- The definition of processing is so wide, that essentially everything that can be done with data by an organisation, including the obtaining and the destruction, amounts to processing.
- Essentially, processing includes everyday data tasks, even non-automated actions.
- Carey also points out that the recording of CCTV images or other identifying characteristics also constitutes processing.

Page 15

Judicial Interpretation

The term “Processing” has been recognised in the judicial sphere.
Campbell v Mirror Group Newspapers: The definition of processing is so wide, it involves day to day operations involving the use of electronic equipments such as the laptop.
CJEU judgements: Swedish case against Lindqvist (C-101/01) a church worker who set up a website to provide parishioners with information was engaged in the processing of PD.
Spanish case of Google Spain v AEPD: This ruling established that search engines are considered data processors, and they must comply with data protection regulations when handling personal data.

Page 16

Non-Automated Data Processing

GDPR applies to both automated and manual data processing.
Filing System Definition (Art.4(6)):
- Any structured set of personal data which are accessible by specific criteria. (e.g. folder titled “names” which can be used to identify someones name).
- This^ is reinforced by Recital 15 of the Preamble to the GDPR, which states that “Files, or sets of files… which are not structured according to specific criteria should not fall within the scope of this Regulation”.

Page 17

Key Characteristics of Filing Systems

Carey’s Conclusion:
- The key characteristics of a relevant filing system is (1) structure by reference to individuals, and (2) the ready accessibility of specific information.
- e.g. where an organisation holds info on its employees in paper-based files arranged by its HR Department in some logical order, such as alphabetical, chronological, or by department, this allows for quick retrieval of records when needed. This is the sort of structure that will constitute processing under GDPR.
- By Contrast, the judgment in Smith v Lloyds Bank TSB illustrates that an unstructured pile of documents or collection of papers randomly stored in boxes will not constitute a relevant filing system for this purpose as it lacks the organisation and accessibility required to ensure compliance with data protection regulations.

Page 18

Main Actors in Data Protection Landscape

The Controller:
- The entity responsible for complying with data protection law.
The Processor:
- A natural or legal person which processes personal data on behalf of the controller.
The Data Subject:
- Individuals whose personal data are processed.

Page 19

The Role of the Controller

Definition (Art.4(7)) GDPR:
- The natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Very broad definition.
Carey’s Argument:
- The definition is so broad that in general, all sole traders, self-employed professionals, and companies, including supermarkets, law firms, schools, hospitals etc, are all capable of being the controller.
Joint Controllers:
- Google v Spanish Newspaper case = Determined that there can be more than one controller in relation to any PD processing. E.g. Google and the Spanish Newspaper were held to be joint controllers.

Page 19

The Controller Outside EU

Article 3(1) GDPR establishes that the regulation applies to the processing of personal data of individuals within the EU, regardless of whether the data controller is located within the EU or outside of it.
Article 3(2) further clarifies that the regulation also applies to data controllers who are not established in the EU but (1) offer goods or services to data subjects in the EU, or (2) monitor their behaviour as far as their behaviour takes place within the EU.
This^ means that organisations based outside the EU must comply with the GDPR when engaging with EU citizens, ensuring that adequate data protection measures are implemented to safeguard personal information.

Page 20

The Role of the Processor

Definition (Art.4(8) GDPR):
- “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Carey Explains:
- Controllers often use 3rd party companies to process their data to save time and money.
- “As long as the 3rd party merely acts on the instructions of the controller and does not itself determine the purposes or means of the processing of data, it will be the processor”.
- Most controllers in the EU engage in Outsourcing Arrangements, where the controller passes tasks to a processor.
- Examples include farming out to 3rd party suppliers - activities of a business, such as debt collection, call centres, website hosting, destruction etc.

Page 21 + 22

Joint Obligations of Processors and Controllers

Under GDPR, legal responsibilities now extend to processors, including maintaining records and cooperating with authorities.
Previously, under DPD 1995, the controller bore the entire legal responsibility for ensuring that the processing of data was complied with.
= Under GDPR, both the controller and processor are responsible for complying with the law.

These Obligations Include: (Rodway & Carey)

(These obligations are pointed out by Rodway and Carey).
Article 27 = Appointing EU representatives where the Controller and Processor are not based/established in the EU.
Article 31 = Co-operating with relevant protection authorities.
Article 32 = Implementing appropriate technical and organisational security measures.
Articles 45-46 = Complying with restrictions on international transfers of personal data to 3rd countries (non-E.U member states).
Article 30(2) = Maintaining records of processing activities undertaken on behalf of the controller which should include info on matters such as, the processors name, contact details etc.
To ensure compliance with these obligations, national supervisory authorities can (for the first time) impose a range of sanctions and corrective measures against processors and controllers.

Page 23

The Data Subject

Article 4(1) GDPR defines personal data as “any information relating to an identified or identifiable natural person”.
Natural person = the data subject.
GDPR and DPD’s objective = to safeguard the rights and interests of the data subject.
The regime has equipped data subjects with an array of rights, which are exercisable against data controllers and processors.

Page 24

National Supervisory Authorities

Article 51(1) GDPR: Each EU member state must designate authorities to monitor GDPR enforcement. To:
(1) protect the fundamental rights of data subjects in relation to processing, and (2) to facilitate the free flow of personal data in the EU.
Article 51(1)&(2) = Authorities shall act completely independent in performing its task and shall not take influence or instruction from anyone.

Page 25

Article 57 = Outlines the main tasks to be undertaken by the authorities. Including:
Monitoring and enforcing the regulation, promoting public awareness and understanding, dealing with complaints etc.
Article 68 GDPR = promote consistency mainly through membership of European Data Protection Board.

Page 26

Powers of Supervisory Authorities

Authorities possess (1) investigative, (2) corrective, and (3) authorisation/advisory powers under Art.58 GDPR.

Investigative Powers (Article 58(1))

To conduct DP audits.
To order controllers/processors to furnish it with relevant info concerning their activities.
To obtain access to the premises and data processing equipment of controllers/processors, and the personal data they hold.

Page 27

Corrective Powers (Article 58(2))

To Issue warnings and reprimands to controllers/processors regarding potential or actual infringements of the regulations.
To impose administrative fines for non-compliance (Article 83). In the case of serious infringements, Article 83(5) allows fines up to 20 million euro or 4% of the company’s annual turnover (whichever is highest).
To impose temporary/permanent limitations/bans on processing.
To order controllers/processors to comply with requests by data subjects to exercise rights conferred on them by the regulation.
To order controllers to communicate PD breaches to the affected data subjects.

Page 28

Authorisation/Advisory Powers (Article 58(3))

To provide opinions to their national parliaments or governments, other institutions/bodies or the general public on any issue relating to the protection of personal data.
To issue opinions on and approve draft codes of conduct prepared under Article 40 with a view to contributing to the proper application of the GDPR within specific sectors or professional associations.
To accredit certification bodies under Article 43 to possess an appropriate level of expertise in relation to data protection.
To adopt, authorise or approve contractual clauses as well as binding corporate rules which are designed to facilitate the transfer of personal data under Articles 46 and 47, to countries outside the EEA which would not otherwise ensure an adequate level of protection for such data.

Page 29 + 30

Core Data Protection Principles (Art.5 GDPR)

The 6 DP principles in Article 5(1) are:
Personal Data must be:
- Processed Lawfully, Fairly, and Transparently.
- Collected for Legitimate Purposes only.
- Relevant and Limited to Necessary Data.
- Accurate and Up-to-date.
- Stored No Longer than Necessary.
- Secure against Unauthorised Processing (Integrity and Confidentiality Principle).

The 7th DP principle:

Article 5(2) introduces a new “accountability” principle not explicitly provided for in previous data protection regimes.
It stipulates that controllers shall be responsible for complying with the 6 Data Protection principles in Article 5(1) and must be able to demonstrate such compliance.

Page 31

Penalties for Non-Compliance with DP Principles

Administrative Fines (Article 83(5) GDPR: Up to €20 million or 4% of global annual turnover for serious breaches.
Breaches include: Collecting irrelevant data, contrary to Principle C. Storing inaccurate data on a person, contrary to Principle D. Keeps data on a person for longer than is necessary, contrary to Principle E.
Compensation for Damage (Article 82(1) GDPR: Data subjects can claim compensation for infringements.

Page 32

DP Principle 1: Fairness, Lawfulness, and Transparency Principle

Fairness (Dehorn & Casey)
Data collected in a non-deceptive/misleading manner, aligning with reasonable and legal expectations.
PD may be obtained unfairly even if the individual who is deceived is not the data subject. Dehorn & Casey = “I might obtain data from you that relates to your brother, even if your brother was neither misled or deceived.”

Page 33 + 34

Transparency

Dehorn & Casey = Transparency is linked to Article 12 GDPR.
Controllers must inform data subjects regarding the processing of their personal data. (e.g. where a data subject makes a subject access request under Article 15)
Article 12 = processors must communicate information clearly, ensuring data subjects understand their rights.
Similar to Reg 13 of CCR 2013 = PCI must be provided in a clear and comprehensible manner, and in a way appropriate to the means of communication used.
Dehorn & Casey = “The requirement of transparency also obliges the controller to inform data subjects about their rights”.
Dehorn & Casey further suggest that the best way to comply with Article 12 is to place in the public domain (e.g. on the data controllers website) a fair processing, privacy or data protection notice or policy which includes the relevant information relating to the data subjects rights.

Page 35

Lawfulness

GDPR prescribes conditions which must be satisfied for the processing of PD to be lawful.
The conditions vary on the nature of the PD being processed.
These conditions are provided for in Article 6(1), which deals with the processing of ordinary PD.
Article 9(2) deals with the processing of special (more sensitive) categories of PD.

Page 36

Ordinary Personal Data (Article 6(1))

A controller engaged in processing ordinary PD must satisfy at least one of the conditions in this provision:
- DS must give consent to processing their PD,
- The processing is necessary for the performance of the contract, which the DS is a party of,
- The processing is necessary for compliance with a legal obligation,
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing is necessary for the purpose of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Special Categories of Personal Data (Art.9 GDPR)

Sensitive data such as health or ethnic background have stricter processing rules.

Page 37

Conditions for Processing Sensitive Data (Art.9(2))

Consent must be explicit or processing necessary for specific legal obligations or vital interests.

Page 36

Consent as a Basis for Lawful Processing

Defined as a clear, informed agreement from the data subject.

Page 37

Clarity in Consent Requirement

Consent cannot be assumed or implied; must be obtained directly through unambiguous actions.

Page 38

Conditions surrounding Consent (Art.7 GDPR)

Controllers must demonstrate that consent was freely given, distinguishable, and revocable.

Page 39

Parental Consent for Processing Children’s Data

Consent must be obtained from a guardian for data processing of those under 16 or 13 depending on jurisdiction.

Page 40

Rights of Data Subjects under GDPR

Strong focus on transparency, access, rectification, and erasure rights.

Page 41

Right of Access (Art.15)

Allows data subjects to confirm if their data is processed and access information regarding their data rights.

Page 42

Right to Rectification (Art.16)

Data subjects can request corrections to their personal data held by controllers.