The revelations surrounding Cambridge Analytica’s use of personal data and involvement with the Vote Leave campaign raised serious questions about the use of personal data in the EU referendum campaign and more widely by technology companies in general.
The subsequent investigation by the Digital, Culture, Media and Sport Select Committee (the “DCMS Select Committee”) has drawn attention to the activities of technology companies and the widespread use of digital personal data in political campaigning. It has been the catalyst for multiple investigations into a range of issues, including the extent to which electoral law is fit for purpose, the use of data analytics in political campaigns and policy recommendations concerning personal information and political influence.
The DCMS Select Committee published its final report (the “Report”) on 18 February 2019 (available here).
As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB”) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB, which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.
In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.
On 23 October 2016, the Department for Culture Media and Sport (“DCMS”) confirmed plans to introduce personal liability for directors in relation to “nuisance calls”.
Under the proposals, directors could each be fined up to £500,000 by the Information Commissioner’s Office (“ICO”) which, when combined with existing company penalties of up to £500,000, would create a potential maximum company and director penalty of up to £1,000,000. The proposals will be implemented through amendments to the Privacy and Electronic Communications Regulations 2003 which will be set out in the draft Digital Economy Bill currently being considered by Parliament.
The Digital Economy Bill seeks to improve internet connectivity and provide protections for internet users through a range of measures, including further regulation of direct marketing through a new Direct Marketing Code, although it is not clear how such measures would interact with any proposed amendments to the ePrivacy Directive currently being considered in Europe.
The DCMS’ statement follows a Public Bill Committee Hearing on 13 October 2016 to discuss the latest draft of the Digital Economy Bill. At the hearing the Information Commissioner, Elizabeth Denham, stated she would support moves to introduce director liability for nuisance calls. Although the ICO can currently impose fines of up to £500,000 on a company that seriously breaches data protection laws, and has issued almost £4 million in fines in the past year alone, a large portion of this money is not recovered due to companies going into liquidation. However, alternative companies often reappear soon afterwards with the same directors. Denham agreed that an amendment to the Bill would be helpful to avoid these occurrences.
The Public Bill Committee stage concluded at the beginning of November 2016, with the aim of the Digital Economy Bill receiving Royal Assent by the end of Spring 2017.
To view a copy of the statement, please click here.