4 The Law – Human Rights and Data Protection
This Chapter is in two parts – Human Rights and Data Protection.
4.1 For the current legal position in Scotland, see Chapter 2. It is also worth considering the attitude of the courts in Scotland to ‘new’ sciences, especially as some developing biometrics have not yet been accepted or tested in our courts. While normally the Court will intervene only upon challenge by the defence or Crown to the admissibility of such evidence, it seems likely that, with increasing emphasis on effective case management by the judiciary, the Courts may become more pro-active. In any event, the Courts in Scotland are alive to issues relating to the testing of reliability and admissibility of new technologies  .
4.2 Human rights are a key consideration in this area, deserving of detailed attention. The European Court of Human Rights has considered challenges to the capture and retention of biometric data, as well as other related matters. Further challenges are in the pipeline  . It seems likely that there may be developments in jurisprudence about the proportionality of indefinite retention of biometric data without any supporting evidence or gravity threshold for the triggering conviction, an area commented on without approval in S and Marper v the UK in which the Court pointed out:
‘The United Kingdom thus also appears to be the only member State expressly to allow the systematic and indefinite retention of both profiles and samples of convicted persons. Complaint mechanisms before data-protection monitoring bodies and/or before courts are available in most of the member States with regard to decisions to take cellular samples or retain samples or DNA profiles.’ 
4.3 As discussed in Chapter 8, any such development would necessitate reconsideration of current Scottish legislative provision for the retention of DNA and fingerprints.
4.4 With thanks to our Advisory Group colleague, Diego Quiroz, this Chapter starts in Part 1 with extracts from a paper he prepared to assist in a detailed human rights appreciation of this area. Diego’s full paper will be published along with the report.
4.5 Data protection is another key area when it comes to biometric data. We are grateful to Ken Macdonald, Head of ICO Regions for providing the helpful summary which completes the Chapter in Part 2.
Human rights – introduction
4.6 The purpose of this section is to provide a short overview of the human rights framework around the use of biometric data for law enforcement purposes in Scotland, and the associated biometric data retention regime (in relation to the retention and disposal of DNA, fingerprints and photographic images).
4.7 The first part of this section is an overview of the key human rights considerations that should be taken into account in relation to the use of biometric data, including use by private actors when performing public functions. The second part examines how a human rights based approach could be applied when thinking about a framework for the use of biometrics.
4.8 There are strict human rights obligations, derived from the Human Rights Act 1998 (‘ HRA’), and human rights standards emerging from international human rights treaties, that would help public authorities to ensure any new framework is fit for purpose. The Equality Act 2010 sets a number of general and specific duties for public sector organisations  in relation to non-discrimination  . As a starting point, and as recommended by the Council of Europe, the introduction and use of new technologies should take full account of, and not contravene, fundamental principles such as the inherent dignity of the individual and respect for the human body, the rights of the defence and the principle of proportionality in the provision of criminal justice  .
4.9 From the outset, it is important to note that there is a lack of evidence on the effectiveness/reliability of some biometric technologies (e.g. facial images)  currently used by law enforcement agencies  . There is a need for an effective assessment of the benefit of these technologies to ensure that any new regime is based on utility and public safety and derives from sound evidence rather than anecdote or impression  . It is also crucial to ensure that there is greater transparency and public participation around the use of biometric data in the criminal context  .
4.10 Nowadays, a significant shift has been made, as biometrics is used more and more in the private sector, primarily due to technological developments and investment by the private sector. There is a legitimate expectation that private actors (e.g. business enterprises dealing with the use of biometric data in different ways) should comply with all applicable laws and respect human rights  . Furthermore, the Government has a duty to take appropriate steps to prevent, investigate, punish and provide redress for human rights abuses committed by private actors.
Human Rights Law
4.11 The HRA, which incorporates the European Convention on Human Rights ( ECHR) into UK law, sets out the fundamental rights and freedoms that everyone in the UK is entitled to, and makes it unlawful for a public authority to act in a way which is incompatible with Convention rights.
4.12 It is paramount that the relevant public authorities put in place an effective human rights framework when biometrics are used by law enforcement agencies. This framework should also reflect ethical considerations, and the values of the people living in Scotland.
4.13 Other international standards in relation to the storage and management of data include the Council of Europe Convention 108  , European Union ( EU) instruments such as Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data  , as well as the case law of the Court of Justice of the European Union and the EU Charter on Fundamental Rights  .
4.14 As a consequence, any policy and legal framework for its use must be consistent with the human rights framework, and other guarantees laid down by relevant data protection laws. The use of personal data is sensitive and must be protected from abuse and arbitrariness. In this light, complaint and regulation mechanisms are important and necessary safeguards against arbitrariness.
Article 2 – the Obligation of the State to Protect the Right to Life
4.15 Article 2 safeguards the right to life and sets out the circumstances when deprivation of life may be justified. This is one of the most fundamental provisions in the Convention which imposes a duty to protect life through taking practical steps to address situations where there is an identifiable and real threat to life, including from attacks by other private individuals. The action required must be reasonable without imposing an impossible or disproportionate burden on the authorities.
4.16 This Article is relevant to the investigation by the State of murder and other serious crime.
Article 8 – the right to respect for private life, home and correspondence
4.17 It is acknowledged that the acquisition and retention of biometric data plays a role in criminal justice policy and practice. However, such practices can engage the reasonable expectation of privacy that people have  . It is therefore crucial that there are safeguards in place to ensure the right of the public to be protected from crime is balanced with the rights of the individual.
4.18 Article 8 of the ECHR and the HRA require respect for private and family life, home and correspondence. These concepts are sometimes indistinguishable and cover the protection of the moral and physical integrity of the individual. Article 8 therefore encompasses a wide range of issues. Biometric data can contain a significant amount of sensitive information about an individual’s identity, including information about their health  and their unique genetic code.
4.19 In S and Marper v the UK, the European Court of Human Rights ( ECtHR) stated that:
‘the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private life interests… The Court considers that any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance in this regard.”’ 
4.20 The Court referred to a Canadian Supreme Court case ( R v RC  ) which considered the issue of retaining a juvenile first-time offender’s DNA sample on the national database. The court upheld the decision by a trial judge who had found, in the light of the principles and objects of youth criminal justice legislation, that the impact of the DNA retention would be grossly disproportionate. In his opinion in that case, Fish J observed:
‘Of more concern, however, is the impact of an order on an individual’s informational privacy interests. In R v Plant, the Court found that section 8 of the Charter protected the “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state”. An individual’s DNA contains the “highest level of personal and private information”: S.A.B. Unlike a fingerprint, it is capable of revealing the most intimate details of a person’s biological make-up. ... The taking and retention of a DNA sample is not a trivial matter and, absent a compelling public interest, would inherently constitute a grave intrusion on the subject’s right to personal and informational privacy.’
4.21 Article 8 of the ECHR is a qualified right, which requires the State to justify any interference by reference to its legality and necessity. So, any restrictions should be:
- In accordance with the law: ‘requires the impugned measure both to have some basis in domestic law and to be compatible with the rule of law, which is expressly mentioned in the preamble to the Convention and inherent in the object and purpose of Article 8. The law must thus be adequately accessible and foreseeable, that is, formulated with sufficient precision to enable the individual – if need be with appropriate advice – to regulate his conduct’  ;
- In pursuit of a legitimate aim: a public authority which intends to interfere with a person’s rights under Article 8 must be able to demonstrate that such interference is based on one of the legitimate aims set out in Article 8(2), including ‘ the prevention of disorder or crime’ and ‘the protection of the rights and freedoms of others’  ; and
- Necessary in a democratic society: ‘An interference will be considered “necessary in a democratic society” for a legitimate aim if it answers a “pressing social need” and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are relevant and sufficient’  . In terms of assessing proportionality, three main issues are relevant:
a) the degree of the interference;
b) whether there were less intrusive means available; and
c) the procedural safeguards available.
4.22 An alternative formulation of proportionality was given by Lord Reed in a UK Supreme Court case ( Bank Mellat v Her Majesty’s Treasury  ):
[I]t is necessary to determine (1) whether the objective of the measure is sufficiently important to justify the limitation of a protected right, (2) whether the measure is rationally connected to the objective, (3) whether a less intrusive measure could have been used without unacceptably compromising the achievement of the objective, and (4) whether, balancing the severity of the measure's effects on the rights of the persons to whom it applies against the importance of the objective, to the extent that the measure will contribute to its achievement, the former outweighs the latter.
4.23 The use, including both the collection and retention of biometric data, is by its nature intrusive. There is a need for greater clarity about when the police or law enforcement agencies may collect biometric data from a person without their consent.
4.24 While matters are relatively clear in relation to fingerprints, that is not the case for other biometric data. The use of facial biometrics and facial biometric recognition systems, which are used for intelligence/investigative purposes, is far more intrusive than CCTV, and can be taken without knowledge or consent. Public interest and public safety are paramount, however a rights-based legal framework that respects Article 8 should be in place to guard against the risks of misuse  .
4.25 Examples of physiological characteristics used for biometric authentication include fingerprints and DNA. The use of databases and DNA retention has come into question in the United Kingdom. This includes R (RMC and FJ) v MPS (Metropolitan Police Service)  where the court held that the retention of custody photographs amounted to an unlawful interference with R’s and F’s Article 8 rights. In S and Marper v the UK, the European Court of Human Rights ( ECtHR) was ‘ struck by the blanket and indiscriminate nature of the power of retention in England and Wales’ of DNA and the ‘ fact that the same rules applied to juveniles (such as S) as to adults, despite the need to consider children differently under the criminal justice system to comply with the UN Convention on the Rights of the Child’.  The Court commented also on ‘ [T]he need for such safeguards …[being] all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes.’
4.26 In relation to the margin of appreciation, the ECtHR articulated in S and Marper v the UK:
‘A margin of appreciation must be left to the competent national authorities in this assessment. The breadth of this margin varies and depends on a number of factors including the nature of the Convention right in issue, its importance for the individual, the nature of the interference and the object pursued by the interference. The margin will tend to be narrower where the right at stake is crucial to the individual's effective enjoyment of intimate or key rights. Where a particularly important facet of an individual's existence or identity is at stake, the margin allowed to the State will be restricted.  Where, however, there is no consensus within the Member States of the Council of Europe, either as to the relative importance of the interest at stake or as to how best to protect it, the margin will be wider.’ 
4.27 A key consideration is the length of time for which data are stored. Useful guidance can be found in S and Marper and the Committee of Ministers’ Recommendation No. R (92)1 and R 87 (15)  which advises that personal data kept for police purposes should be deleted if it is no longer necessary for the purposes for which it was stored. So, biometric data taken from individuals should be routinely deleted when it is no longer necessary to keep them for the purposes for which they were collected. A blanket policy on retention of any type of biometric data of persons suspected, but not convicted, of offences does not strike a fair balance between private and public interests. In light of this test, it is difficult to see how there can be sufficient justification to retain biometric data indefinitely.
4.28 Both international and national courts have found that the blanket retention of biometric data ( DNA profiles, cellular samples and fingerprints and custody photographs) is unlawful and constitutes an unjustified interference with the right to respect for private life, in violation of Article 8 of the ECHR  . The UK response to the Marper case was, in part, the Protection of Freedoms Act 2012 ( PoFA), which introduced regulation and restrictions where their absence had been criticised. The 2012 Act also established the office of the UK Biometrics Commissioner.
4.29 It is worth noting that in S and Marper, the ECtHR praised Scotland for the choice of time limits on retention of DNA. The ECtHR also suggested that the indefinite retention of the DNA of even convicted persons was not acceptable as a blanket policy, although the legal landscape relating to retention post-conviction is less clear and probably not finally settled. In the UK Supreme Court case of Gaughran v Chief Constable of the Police Service of Northern Ireland  , the majority held that the blanket policy of retaining DNA profiles from all convicted persons was within the margin of appreciation, and proportionate and justifiable interference under Article 8(2). There was a strong dissent by Lord Kerr who argued that the policy was not rationally connected to the objective of countering crime as there is no evidence that indefinite retention of biometric data of all persons convicted of a recordable offence in any way contributes to the detection and identification of future crime. He further argued that the policy failed to strike a fair balance between the rights of society and those of the individual, concluding that ‘clearly, a far more nuanced, more sensibly targeted policy can be devised’  . The case is awaiting consideration at the ECtHR.
4.30 There are questions in relation to what ‘convicted’ means e.g. cautions, reprimands and final warnings, and the proportionality of retaining data indefinitely in such cases. Marper requires the UK Government to give detailed consideration to the use or planned use of other biometric technologies (including facial images) which must meet Convention requirements.
4.31 One of the key points under human rights law is that biometric data constitute personal data. As a consequence, any policy and legal framework for its use  must be consistent with the human rights framework, and other guarantees laid down by relevant data protection laws.  The use of personal data is sensitive and must be protected from abuse and arbitrariness. 
Impact on other human rights
4.32 The use of biometric data by law enforcement agencies engages a number of human rights beyond Articles 2 and 8 of the ECHR. Law enforcement agencies should give due consideration to the use of biometrics and its impact on other human rights and fundamental freedoms. These include:
- The prohibition of torture, inhuman, degrading treatment or punishment (Article 3 of the ECHR)
- The right to liberty and security (Article 5 of the EHCR)
- Due process and the right to a fair trial (Article 6 of the ECHR)
- Freedom of religion (Article 9 of the ECHR)
- Freedom of expression and association (Article 10 and 11 of the ECHR)
- The principle of non-discrimination (Article 14 of the ECHR)
4.33 More detailed reference to the potential relevance of Articles 3, 5 and 6 is given in the full text of the Human Rights paper by Diego Quiroz.
4.34 Effective law enforcement and the protection of human rights are complementary and mutually reinforcing objectives, which must be pursued together as part of States’ duty to protect individuals’ rights and freedoms within their jurisdiction.
Articles 9 to 11 – democratic freedoms
4.35 Human rights are legal guarantees which protect individuals and groups against actions and omissions that interfere with fundamental freedoms and human dignity. Democratic freedoms are fundamental to the existence of a democratic society, where views, ideas and information can be exchanged. These freedoms include the right to respect for freedom of expression, assembly and association, and freedom of thought, conscience and religion.
4.36 While there is a general requirement to refrain from unjustified interference, there may be situations where law enforcement agencies are justified in doing so. However, any interference with these rights must comply with a number of conditions if it is to be consistent with the Convention.
4.37 The use of biometric data without the consent of the individual and, in particular, while exercising their fundamental freedoms of religion, assembly or association would not only be a significant interference with Article 8 but will engage these other rights. It is worth noting that indiscriminate practices may have a severe, unintended and inhibiting effect on the exercise of our democratic freedoms. Therefore, the authorities should ensure that any relevant operation, for example, the policing of public protests and demonstrations, complies with human rights norms and international standards. On this point, see also paragraph 2.6 of the submission to the IAG by No2 ID Scotland.
Equality and non-discrimination
4.38 The principles of equality and non-discrimination are central to human rights law and are recognised as norms in both the domestic and international framework  . In line with this, the Government should ensure that the principle of non-discrimination is interpreted and applied consistently by law enforcement agencies. The practice of collecting, retaining and deleting biometric data should afford special consideration to the situation of vulnerable and disadvantaged groups, including children.
4.39 While the use of biometric data to profile potential suspects may, in principle, be a permissible means of investigation and can be an important law enforcement tool, it is important that enforcement agencies do not use broad profiles that reflect unexamined generalisations and/or stigmatisation. The European Union Network of Independent Experts on Fundamental Rights has expressed serious concerns about profiling  on the basis of characteristics such as nationality, age or birthplace. These experts have recommended that profiling must strictly comply with the principles of necessity, proportionality and non-discrimination as well as being subject to close judicial scrutiny and periodic review  .
4.40 There is a risk that certain groups are disproportionately affected by collection and retention measures in this area. The UK DNA database holds about a third of all black men and about three quarters of all young black men (aged 16 to 34) resident in the UK, and the proportion of the Asian population held on the DNA database is steadily increasing. People with mental illness are also over-represented on the database  . The collection and retention of biometric data of these groups may compound and increase other institutional or societal discrimination or bias.
4.41 According to established jurisprudence of the ECtHR and international human rights bodies, any measures having the purpose or effect of creating a difference in treatment (based on a prohibited ground), which are not reasonably or objectively justified, are discriminatory  .
A Human Rights Approach to Biometrics
4.42 Human rights should continue to be mainstreamed into the strategies, policies and operational processes of policing  . The IAG advocates a human rights based approach to the use of biometric data. The key principles of this approach are: legality, accountability, effective participation, non-discrimination and empowerment. For further detail, see the full text of the Human Rights paper by Diego Quiroz.
4.43 The human rights framework for biometric data should also have an effective, accessible and independent mechanism of review for the individuals concerned. For example, there should be provision for independent review of the justification for the retention of biometric data according to defined criteria, including such factors as the seriousness of the offence, previous arrests, utility of the retention and period of retention, the strength of the suspicion against the person and any other special circumstances. Individuals should be provided with an effective remedy to challenge the storage of biometric data and its use  . A formal scheme for destruction ensures accountability and community trust in the system. Complaint mechanisms play an important role in protecting against potential abuses and arbitrariness.
4.44 Sufficient information regarding the governance and management of biometric data should be in the public domain to maintain transparency, accountability and public confidence in their use  .
ECHR – Other relevant cases
4.45 It is worth noting two other relevant ECtHR cases. First, Peruzzo and Martens v Germany  in which the applicants, who had been convicted of serious criminal offences, complained about the domestic court’s orders to collect cellular material from them and to store it in a database in the form of DNA profiles for the purpose of facilitating the investigation of possible future crimes.
4.46 The Court declared the application inadmissible as manifestly ill-founded. It found that the domestic rules on the taking and retention of DNA material from persons convicted of offences reaching a certain level of gravity as applied in the case of the applicants had struck a fair balance between the competing public and private interests and fell within the respondent State’s acceptable margin of appreciation.
4.47 And, second, Affaire Aycaguer v France  in which the applicant alleged that there had been a breach of his right to respect for his private life on account of the order to provide a biological sample for inclusion in the national computerised DNA database ( FNAEG) and the fact that his refusal to comply with that order had resulted in a criminal conviction.
4.48 The Court held that there had been a violation of Article 8. It observed in particular that in 2010 the Constitutional Council had declared the provisions on the FNAEG to be in conformity with the Constitution, subject, inter alia, to ‘determining the duration of storage of such personal data depending on the purpose of the file stored and the nature and/or seriousness of the offences in question’. The Court noted that, to date, no appropriate action had been taken on that reservation and that there was currently no provision for differentiating the period of storage depending on the nature and gravity of the offences committed. The Court also ruled that the regulations on the storage of DNA profiles in the FNAEG did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations therefore failed to strike a fair balance between the competing public and private interests.
ECHR – Outstanding cases
4.49 Two relevant cases are awaiting consideration by the ECtHR, in addition to Gaughran. One is Catt v ACPO  in which the UK Supreme Court held that the retention of personal data, including photographs, of a person who is not suspected of any criminality for an undefined period of time was acceptable  . In another strong dissent, Lord Toulson argued that the policy was not proportionate as the police had not justified the value of retaining the information on Catt. He also noted that the police had not argued that removing it would be impractical – this had been presumed by the court.
4.50 In JJ and SU v UK  , the ECtHR will consider the Safeguarding Vulnerable Groups Act 2006 (English legislation) which introduced ‘barred lists’ that, in effect, precluded the individual from working with the relevant group, whether adult or child. The applicants were included in the barred lists after being convicted of, and cautioned for, a criminal offence respectively. They were not given an opportunity to make representations before inclusion in the lists. However, various options were open to them to challenge their inclusion. Again, issues of necessity and proportionality will be considered which may also be relevant to the retention of biometric data.
4.51 For additional human rights consideration of the issues, see also the Justice Scotland submission to the IAG.
Data Protection and Biometrics – introduction
4.53 Data Protection legislation in the UK and throughout the wider EU provides a framework for the handling of personal data. In summary, personal data are data which relate to a living individual who can be identified from it directly or with other information which is in the possession of, or is likely to come into the possession of, the data controller (i.e. the organisation using the information).
4.54 The current Data Protection Act 1998 ( DPA) transposes into UK law the provisions of the European Data Protection Directive 95/46/ EC. Along with associated Regulations, the DPA provides the legal framework for all processing of personal data throughout the UK. However, in May 2018, a new data protection regime will apply throughout the EU as a consequence of adoption by the EU of the General Data Protection Regulation ( GDPR) and the Law Enforcement Directive ( LED). The LED will be transposed into UK law through the Data Protection Bill 2017 ( DPB) which is currently being considered by the Westminster Parliament. The Bill will also legislate on matters contained within the GDPR which have been derogated to individual Member States.
The Revised Data Protection Regime
4.55 As indicated above, the European data protection regime will change with effect from May 2018. General processing of personal data must be undertaken in compliance with the GDPR and processing for law enforcement purposes by designated or ‘competent’ authorities – i.e. named authorities with powers to investigate and/or prosecute crimes and impose sentences, together with certain other organisations -– must conform with the LED however transposed into domestic law. The GDPR contains a number of derogations to Member States and these, as well as the transposition of the LED into UK law, are being considered within the DPB. The new Data Protection Act is expected to be passed in February 2018.
4.56 The GDPR extends the current data protection regime in a number of ways. It updates the definition of personal data to reflect scientific and technological advances which have taken place since the passing of Directive 95/46/ EC; it provides a number of enhanced rights for data subjects; and it requires data controllers to strengthen their governance procedures in relation to personal data. Similar changes are seen in within the law enforcement provisions of the DPB.
4.57 As with the existing regime, the GDPR is framed around a number of principles. Although worded slightly differently, the new set reflect the current ones. They require that personal data are:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4.58 Both GDPR and the law enforcement provisions require that the controller shall be responsible for, and be able to demonstrate, compliance with the principles. This includes a presumption of privacy by design, i.e. building protection into data handling policies and procedures. Additionally, the law enforcement provisions of the DPB require that logs are kept of any automated processing of personal data, i.e. where a system undertakes processing by automated means. The logs required include collection, alteration, consultation with, disclosure, combination and erasure of personal data records.
4.59 Both the GDPR and the law enforcement provisions adopt a definition of personal data which explicitly includes biometric information within it as a ‘special category’. Any processing of biometric information must therefore be undertaken in compliance with either the GDPR or the new Data Protection Act (when enacted) according to whether the processing is general processing or for law enforcement purposes. In this regard, biometric data are defined as ‘ personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic [i.e. fingerprint] data’  .
4.60 The processing of biometric data is only permitted in the GDPR where one of a number of conditions apply. These include consent, for the vital interests of the data subject where the subject is incapable of giving consent, for the establishment, exercise or defence of legal claims or if courts are acting in their judicial capacity and for reasons of public interest in the area of public health. However, the derogations granted to Member States allow extensions and/or exemptions to these conditions to apply under certain circumstances. The DPB therefore proposes additional conditions for processing such as for preventing and detecting unlawful acts.
4.61 Moreover, where a controller is a competent authority as defined in schedule 7 of the DPB and is processing for law enforcement purposes (the prevention, investigation, detection or prosecution of criminal offences), there are further restrictions on the conditions for processing which can be used. Although outwith the remit of this Group, it should be noted that there are also restrictions on the conditions for processing which can be claimed by the intelligence services.
4.62 Both the GDPR and the law enforcement provisions require that where processing is likely to result in a high risk to the rights and freedoms of individuals, a data protection impact assessment ( DPIA, previously known as a Privacy Impact Assessment or PIA) should be undertaken. The assessment must consider the risks to the rights and freedoms of the data subjects, the measures envisaged to address these risks and the safeguards, security measures and mechanisms to ensure the protection of the data. Where the processing is likely to result in a high risk to the rights and freedoms of the individuals (in the absence of mitigations), the data controller must consult with the Information Commissioner.
4.63 Regulation of the new data protection regime will be the responsibility of the UK Information Commissioner. Individuals may raise concerns about the manner in which their personal data have been handled, and compliance with their rights contained in the GDPR and the law enforcement provisions, with her. In this regard she will have enhanced powers of assessment and enforcement and she will be statutorily required to issue guidance on how she proposes to exercise her functions relating to assessment notices, enforcement notices and penalty notices. Failure to comply with a notice served by the Commissioner will continue to be a criminal offence. In addition, data controllers will be required to notify the Commissioner of any security breach which is likely to result in a risk to the rights and freedoms of individuals within 72 hours of it having been discovered (and, where there is a high risk to those rights and freedoms, the affected individuals must be notified too).
4.64 The Commissioner’s ability to serve civil monetary penalties following the breach of any of the data protection principles will be much enhanced following implementation of the new regime. In the most severe cases, where individual rights are at greater risk of being compromised, the maximum penalty will be the greater of 4% of annual turnover or €20m, whilst, for other breaches, the maximum penalty will be the greater of 2% of annual turnover or €10m. In addition, failure to report a notifiable security breach within the statutory time period may result in a further penalty of the greater of 2% of annual turnover or €10m being imposed.