ICO framework for AI proposed to help support innovative use of this emerging technology

At the end of March, the Information Commissioner’s Office (ICO) published an outline of the proposed structure for its auditing framework for the use of personal data in an Artificial Intelligence (AI) context. Once finalised, the framework has the potential to help catalyse the use of this emerging technology within the restrictions of data protection regulation. In particular, it is intended to support the ICO in assessing data controller compliance, as well as providing data protection and risk management guidance, in relation to AI.

The internet, to regulate or not to regulate? House of Lords calls for new digital regulator

The House of Lords Select Committee on Communications has published a report recommending a new approach to, and comprehensive and holistic strategy for, regulating the digital environment. Unsurprisingly, the report concludes that the “digital world has not kept pace with its role in our lives” and, in particular, it calls for the establishment of a new ‘Digital Authority’ to provide oversight, as well as instruct and co-ordinate existing regulators. While over a dozen regulators have partial responsibility for regulating the digital market, no one regulator has complete oversight. The Committee argues that this has resulted in a digital environment that is fragmented, with gaps and overlaps, as well as a regulatory infrastructure that is incapable of responding to the challenges that the modern online world presents.

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield”) in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed.

The German FCO/Facebook decision: implications for data privacy regulation

The German competition authority, the Federal Cartel Office (“FCO”), last week announced the results of its investigation into Facebook for a novel abuse of dominance involving consent for its data collection. Whilst the full decision is not yet public, the FCO has published a background paper here. In short, the FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. Facebook has announced that it will appeal.

UK Government note clarifies “no deal” and data protection

The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.

Data protection if there’s no Brexit deal

On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.

Transferring data from the UK to the EU

Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.

The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.

The GDPR: ICO issues draft guidance on data controller and processor liability

In the run up to the GDPR applying from next year, there has been a variety of practical guidance for compliance at the European level through the Article 29 Working Party (“WP29”) (which reflects the consolidated view of national supervisory data protection authorities in each member state) and at the national level through the UK Information Commissioner’s Office (“ICO”).