The CJEU has ruled that the operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyber attacks.
In the case of Patrick Breyer v Bundesrepublik Deutschland (Case – C582/14), Mr Breyer had brought an action before the German courts to prevent websites, run by Federal German institutions, from registering and storing his IP addresses. The institutions register and store the IP addresses of visitors to their sites, together with the date and time when a site was accessed, with the aim of preventing cyber attacks and to make it possible to bring criminal proceedings.
The main question before the CJEU was whether dynamic IP addresses constitute “personal data” for data protection purposes. The court found that a dynamic IP address would constitute personal data where the website operator had the legal means of identifying the relevant individual with the help of additional information from the internet service provider. The court further found that, in the case, the German institutions had a legitimate interest in processing such personal data for the purpose of preventing cyber attacks.
Further details of the case can be found here.
On 23 October 2016, the Department for Culture Media and Sport (“DCMS“) confirmed plans to introduce personal liability for directors in relation to “nuisance calls”.
Under the proposals, directors could each be fined up to £500,000 by the Information Commissioner’s Office (“ICO“) which, when combined with existing company penalties of up to £500,000, would create a potential maximum company and director penalty of up to £1,000,000. The proposals will be implemented through amendments to the Privacy and Electronic Communications Regulations 2003 which will be set out in the draft Digital Economy Bill currently being considered by Parliament.
The Digital Economy Bill seeks to improve internet connectivity and provide protections for internet users through a range of measures, including further regulation of direct marketing through a new Direct Marketing Code. Although it is not clear how such measures would interact with any proposed amendments to the ePrivacy Directive currently being considered in Europe.
The DCMS’ statement follows a Public Bill Committee Hearing on 13 October 2016 to discuss the latest draft of the Digital Economy Bill. At the hearing the Information Commissioner, Elizabeth Denham, stated she would support moves to introduce director liability for nuisance calls. Although the ICO can currently impose fines of up to £500,000 on a company that seriously breaches data protection laws, and has issued almost £4 million in fines in the past year alone, a large portion of this money is not recovered due to companies going into liquidation. However, alternative companies often reappear soon afterwards with the same directors. Denham agreed that an amendment to the Bill would be helpful to avoid these occurrences.
The Public Bill Committee stage concluded at the beginning of November 2016, with the aim of the Digital Economy Bill receiving Royal Assent by the end of Spring 2017.
To view a copy of the statement, please click here.
The House of Commons Science and Technology Committee (“Committee“) recently published its findings following an inquiry into robotics and artificial intelligence (“AI“) in March 2016.
The published report examines the potential value and capabilities of robotics and AI, as well as legal issues and adverse consequences to consider in this area. In particular, it considers data privacy and consent issues, as well as discussions around accountability and liability.
The Committee’s conclusions and recommendations include the following:
- Governance – standards and regulations: A suitable governance framework is necessary to regulate and standardise robotic applications. This includes a proposed standing Commission on Artificial Intelligence to develop principles governing the development and application of AI techniques, as well as advising the Government on any regulation required. The governance framework will need to be assessed on a regular basis in light of legal, ethical and societal issues that arise, to ensure the framework remains effective.
- Education and skills: There is a need to re-skill and up-skill on a continuing basis given the potential impact of robotics and AI on the UK workforce. The Committee suggests that the Government publishes its Digital Strategy as soon as possible and commits to sufficiently flexible education and training systems that take account of these changes in workforce demands.
- Research, funding and innovation: The Government needs to establish a Robotics and Autonomous Systems Leadership Council as soon as possible to provide co-ordination and direction in this field, as well as produce a strategy setting out the Government’s ambitions and financial support for the area.
The report also highlights that robotics and AI are already being considered as part of more mainstream legislative debates – in particular, in this year’s Queen’s Speech, the Government announced that the Modern Transport Bill aims to put “the UK at the forefront of autonomous and driverless vehicles ownership and use”.
Please click here for a copy of the Robotics and Artificial Intelligence House of Commons Select Committee Report.
The fine was the consequence of a cyber security breach in October 2015, which led to the theft of personal data of almost 157,000 customers, including the bank account number and sort code details of nearly 16,000 customers.