The ICO has fined EE £100,000 under the Data Protection Act 1998 (“DPA“) for sending text messages to customers without their consent, in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR“).
In February and March 2018 EE sent direct marketing text message to customers informing them that they would soon be eligible for a handset upgrade, and that they could “countdown” to their upgrade date using the “My EE” app. The text message also promoted other features of the My EE app.
In March 2018, EE sent a second batch of messages to customers who had not downloaded or interacted with the My EE app following the first message.
On 3 July 2017 the Information Commissioner’s Office (“ICO“) determined that the Royal Free NHS Foundation Trust (the “Trust“) had breached the Data Protection Act 1998 (the “Act”) when it provided patient details to Google’s DeepMind.
The Trust provided personal data of approximately 1.6 million patients to Google’s Deep Mind as part of clinical safety tests of a new application ‘Streams’. The application is designed to provide an alert, diagnosis and detection system for acute kidney injury. However an ICO investigation found several issues with the way in which the personal data was handled, including that patients were not adequately informed of how their data would be used (i.e. as part of the clinical safety tests). These shortcomings amounted to non-compliance with at least four of the eight data protection principles under the Act. Continue reading
The fine was the consequence of a cyber security breach in October 2015, which led to the theft of personal data of almost 157,000 customers, including the bank account number and sort code details of nearly 16,000 customers.
The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.
The European Commission published its first draft of the EU General Data Protection Regulation (the “GDPR“) in January 2012, a comprehensive reform of current the existing EU regime. In April 2016, after over four years of debate, the final text of the GDPR was formally approved.