Following a public consultation on its draft code of practice with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers, which closed on 31 May 2019, the Information Commissioner’s Office (ICO) submitted its Age-Appropriate Design Code of Practice on 12 November 2019, but due to restrictions in the pre-election period it was not permitted to be published until 23 January 2020.
Tag: data protection
In this update, we provide you with a brief summary of two recent developments in relation to sanctions imposed under the General Data Protection Regulation (“GDPR”).
- Firstly, the Berlin Data Protection Authority (“Berlin DPA”) recently announced its willingness to impose multimillion-euro fines for breaches of the GDPR. This shows that significant fines can no longer be ruled out in Germany either. It appears that the Berlin DPA is following in the footsteps of the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (“ICO”), which have both previously imposed fines in the millions.
- Secondly, for the first time a court has awarded immaterial damages compensation for a GDPR breach in Austria.
We take a look at what this means for companies and the developments that have been made since the implementation of the GDPR.
- The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
- This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
- The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
- No details have yet been published by the ICO regarding the specific GDPR infringements involved;
- British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.
The ICO has fined EE £100,000 under the Data Protection Act 1998 (“DPA”) for sending text messages to customers without their consent, in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR”).
In February and March 2018, EE sent direct marketing text messages to customers informing them that they would soon be eligible for a handset upgrade, and that they could “countdown” to their upgrade date using the “My EE” app. The text message also promoted other features of the My EE app.
In March 2018, EE sent a second batch of messages to customers who had not downloaded or interacted with the My EE app following the first message.
At the end of March, the Information Commissioner’s Office (ICO) published an outline of the proposed structure for its auditing framework for the use of personal data in an Artificial Intelligence (AI) context. Once finalised, the framework has the potential to help catalyse the use of this emerging technology within the restrictions of data protection regulation. In particular, it is intended to support the ICO in assessing data controller compliance, as well as providing data protection and risk management guidance, in relation to AI.
The House of Lords Select Committee on Communications has published a report recommending a new approach to, and comprehensive and holistic strategy for, regulating the digital environment. Unsurprisingly the report concludes that the “digital world has not kept pace with its role in our lives” and, in particular, it calls for the establishment of a new ‘Digital Authority’ to provide oversight, as well as instruct and co-ordinate existing regulators. While over a dozen regulators have partial responsibility for regulating the digital market, no one regulator has complete oversight. The Committee argues that this has resulted in a digital environment that is fragmented, with gaps and overlaps, as well as a regulatory infrastructure that is incapable of responding to the challenges that the modern online world presents.
The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield”) and in a no-deal Brexit scenario.
Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed.
The German competition authority, the Federal Cartel Office (“FCO”), last week announced the results of its investigation into Facebook for a novel abuse of dominance involving consent for its data collection. Whilst the full decision is not yet public, the FCO has published a background paper. In short, the FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. Facebook has announced that it will appeal.
The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.