The Pandora Papers comprise a huge quantity of highly sensitive data about the hidden wealth of many in the public eye – but how is it possible to publish a report revealing such sensitive information given data privacy laws? Our data privacy specialist, Priya Thapar, explains.
An investigation by more than 600 journalists from 150 news outlets unearthed offshore dealings of 35 current and former world leaders and more than 300 other current and former public officials and politicians around the world. Known as the Pandora Papers, the findings are considered one of the largest ever leaks of confidential records in history. The information, believed to be in excess of 11.9 million documents and around 2.9 terabytes of data, constitutes 14 offshore service providers which deliver professional services to wealthy individuals and corporations seeking to obtain financial benefits through shell companies, trusts, foundations and other entities in low-tax or no-tax jurisdictions.
Will there be consequences for those who have published this information?
The leaked data was provided to the ICIJ (International Consortium of Investigative Journalists) directly. ICIJ has protected the identity of those who have passed on this information. No details have been provided on how access to this information was gained or by whom. The interesting question is, how can the ICIJ or the media houses reporting this story, prevent liability? The answer is simple. The public interest exemption.
This exemption disapplies some of the provisions of the GDPR and requires the journalists to demonstrate that they reasonably believed that the disclosure was a “necessary and proportionate interference” with the rights of the data subjects and that the disclosure was in the public interest.
Assuming they are able to do this, although some of the data leaked relates to individuals in the UK who would not have consented to the disclosure of their personal and financial information, there will be very little these data subjects can do by way of recourse.
What are the key learning points for Data Controllers?
The leak has exposed the most secured and confidential information that was protected by the controllers concerned with the best state-of-the art technology. This highlights a need for all data controllers to not only deploy robust security measures but also regularly monitor the security levels and have a plan in place to assess potential threats and likely damage resulting from any future breach. At the same time, it is important for organisations processing personal data to be aware of the exemptions under GDPR that can have an impact on their processing activities.
If this story has got you thinking about your organisation’s approach to data privacy, please do give me a call. I’m always happy to talk through issues and suggest how these can be addressed.