Infringing the UK GDPR, technically

It’s always nice to see wonky(ish) data protection stuff in the mainstream press.  This time, it’s a story in The Guardian about the UK ICO finding that the DVLA has been using the wrong lawful basis to share drivers’ personal data with private parking firms.

Here comes the science bit — concentrate!  The DVLA had taken the position that the appropriate basis for sharing motorists’ personal data with car park management firms to recover fines is Art. 6(1(c) of the UK GDPR (i.e. that the processing is necessary for compliance with a legal obligation to which it is subject).  For its part, the ICO found that the correct legal basis was Art. 6(1)(e) (i.e. that the processing is necessary for the performance of a task in the public interest). 

The legal obligation basis isn’t the right fit, the ICO said, because Regulation 27(1)(e) of the Road Vehicle (Registration and Licensing) Regulations 2002 allows, but doesn’t require, the DVLA to share drivers’ details.  For example, it would have discretion to refuse a request from a cark park management company in certain cases – indicating that it isn’t legally obliged to share data in all cases.   

You may ask yourself, how did I get here (and why should I care)?  Well, one line jumped out at me from the ICO’s explanation of why it wasn’t taking enforcement action against the DVLA: “The Commissioner regards this as a technical infringement of the law.”

Maybe I’ve lost all sense of what is and isn’t interesting, but I reckon that’s in the former column.  We all know that, in practice, not all infringements of law are equal.  Still, it’s noteworthy to see the ICO acknowledging that, in cases where (1) the real-world effects on individuals are low and (2) the infringement is "technical" in nature, there may not be a public interest in bringing enforcement action.

That makes some sense to me.  It would be harder to take the position if there wasn’t an appropriate legal basis in the first place, or the legal basis involved was less zero sum* than those in question here (e.g., consent or legitimate interests).  

But as the ICO has itself acknowledged, swapping between legal bases is likely to be unfair to individuals, so this is far from cut and dry.  You could argue that in this case the drivers were not actually affected — but that's not always going to be the case.  In any event, it's interesting to get an insight into the ICO's thinking on an important aspect of the law and its enforcement (technical or otherwise).

Lastly, The Guardian quotes a motoring expert who says that drivers are entitled to compensation from the DVLA for its breaches of the UK GDPR.  That may be technically correct, but the recent English case law on distress-based and de minimis** actions suggest that the courts will likely put the brakes on such claims.

* See my previous post on why lawyers should almost never use Latin.

** Oh dear, I’ve done it again.