The Importance of Adequate Consent under the GDPR: HMRC Forced to Delete Five Million Records

The UK privacy regulator, the Information Commissioner’s Office (“ICO“) has recently found Her Majesty’s Revenue and Customs (“HMRC“) liable for a “significant” breach of the GDPR relating to the collection of consents with respect to biometric data. The enforcement action is a timely reminder that a higher standard of (explicit) consent is required with respect to so-called special category data (including biometric data). However, the enforcement action is also interesting because the ICO chose not to fine HMRC but to instead require certain action to be taken (namely the deletion of records), demonstrating that GDPR enforcement is not necessarily all about big monetary penalties.

Continue reading

ICO framework for AI proposed to help support innovative use of this emerging technology

At the end of March the Information Commissioner’s Office (ICO) published an outline of the proposed structure for its auditing framework for the use of personal data in an Artificial Intelligence (AI) context. Once finalised the framework has potential to help catalyse the use of this new emerging technology within the restrictions of data protection regulation. In particular, it is intended to support the ICO in assessing data controller compliance, as well as providing data protection and risk management guidance, in relation to AI. Continue reading

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed. Continue reading

ICO and FCA announce new Memorandum of Understanding

On 18 February 2019, the Information Commissioner’s Office (the “ICO“) and the Financial Conduct Authority (the “FCA“) published a new Memorandum of Understanding (“MoU“) between them. This will no doubt be of interest to any business regulated by the FCA and while it is good news that regulators will be co-operating in the exercise of their functions, the MoU does not remove the risk for such businesses that they could, in the event of any data protection breach, face parallel investigation and enforcement action from more than one regulator, both with very significant sanctioning powers.

We have set out below a high-level overview of the MoU, the conduct of investigation and enforcement and the legal basis on which information can flow between the two regulators – paving the way for further joined-up regulatory thinking in the wake of the GDPR. Continue reading

Disinformation and ‘fake news’: Data implications of the Select Committee report

The revelations surrounding Cambridge Analytica’s use of personal data and involvement with the Vote Leave campaign raised serious questions about the use of personal data in the EU referendum campaign and more widely by technology companies in general.

The subsequent investigation by the Digital, Culture, Media and Sport Select Committee (the “DCMS Select Committee“) has drawn attention to the activities of technology companies and the widespread use of digital personal data in political campaigning. It has been the catalyst for multiple investigations into a range of issues, including the extent to which electoral law is fit for purpose, the use of data analytics in political campaigns and policy recommendations concerning personal information and political influence.

The DCMS Select Committee published its final report (the “Report“) on 18 February 2019 (available here). Continue reading

Brexit Withdrawal Agreement: Impact for data protection

Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.

Continue reading

General Data Protection Regulation: first enforcement notice shows extra-territorial reach

The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the EU’s new strict data protection law, the General Data Protection Regulation (679/2016/EU) (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU.

Not only is it the first extra-territorial notice issued by the ICO under the GDPR, but it is the first action ever taken by the ICO against an entity outside the UK. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR.

Click here for the full article.

Continue reading

Data breaches: new Article 29 Working Party guidance

In anticipation of the GDPR, various guidance has been published by the Article 29 Working Party, the body of national EU data regulators.

Of most relevance in the cyber context is the guidance on personal data breach notifications; the Article 29 Working Party issued its initial guidance in October 2017 and published a final version of the guidelines (which remained mostly unchanged) in February 2018.

This guidance relates to the new requirement under the GDPR for all controllers to notify the appropriate data protection authority of a personal data breach, following a cyber attack for example. This will include providing the regulator with a significant amount of information about the breach and marks a change from the previous regime (under the Data Protection Act 1998) where notification to the ICO was not mandatory, although the ICO encouraged notification for serious breaches.

The key areas addressed by the guidance include further clarity on what constitutes awareness of a breach, when notification is and is not required in respect of examples of different types of breaches, when the clock starts running in relation to the 72 hour deadline and how to manage conflicting requirements of the GDPR and those of law enforcement authorities outside of the EU. For further information, a copy of the guidance can be found here.

Continue reading

Internet of Things – ICO’s six reasons why businesses should be thinking about data protection and the DCMS’s Secure by Design Report

In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.

Continue reading

The GDPR: Practical European Guidance on personal data breach notification requirements

The GDPR introduces a new mandatory requirement for all controllers to notify the appropriate data protection authority of a “personal data breach” likely to result in a risk to people’s rights and freedoms, for example following a cyber-attack. This will include providing the regulator with a significant amount of information about the breach and marks a change from the present regime where notification to the ICO is not mandatory (although the ICO does already encourage notification for “serious breaches”).

The GDPR also includes a new obligation to notify the affected data subjects themselves: when a “personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. There is an exception in relation to those parts of the data which have been rendered unintelligible to unauthorised persons through the application of technical measures such as encryption or so-called “salting and hashing”.

Fines for breach of the separate fundamental requirements to implement appropriate technical and organisational security measures under Article 32(1) of the GDPR are set at the lower tier under the new sanctions regime. Article 33(5) also requires controllers to document all personal data breaches – comprising the facts of the breach, its effects and remedial actions taken – so as to enable regulators to verify compliance with the Article 32 requirements. This is in line with the accountability principle that runs through the provisions of the GDPR.

The Article 29 Working Party recently issued guidance which discusses the notification obligations and includes some worked examples of various types of breaches, including when notification is and isn’t required. Continue reading