Published 1 September 2016
Herewith, your back-to-school edition of our data protection alerter. We start back in June with the EU referendum result, which has given the GDPR an uncertain future. Please see our analysis of where we think this leaves the future of data protection law in the UK.
In the words of Christopher Graham, borrowing from an old Chinese curse "may you live in interesting times" at the launch of the ICO's 2015 Annual Report on 28 June, it was Graham's turn to leave "in interesting times", as the launch of the report coincided with his last day in office. Please see our summary of the launch. Elizabeth Denham (a former Commissioner of the Office of the Information and Privacy Commissioner for British Columbia (Canada)) then took up the reins on 18 July, stating that she was "excited about the challenges ahead".
A change of leadership and uncertainty following the EU Referendum result have not hampered ICO activity. This summer the ICO have:
On the subject of consumer trust, we have also seen the Culture, Media and Sport Select Committee's findings on the TalkTalk incident, which make for interesting reading. Please see our analysis here.
Cyber security continues to dominate privacy news. Please see our cyber security round-up here.
Moving to case law, we have heard that Google have withdrawn their appeal in the case of Vidal-Hall v Google. Readers may recall previous coverage on this case available here. To recap the key points, the Court of Appeal determined that damages were recoverable under the DPA for mere distress (without also having to prove financial damage). Legal commentators predicted that the ruling might open the floodgates to compensation claims arising from data protection breaches. Google subsequently applied to the Supreme Court for permission to appeal, which was granted in part; however, this appeal has now been withdrawn. On the basis that the GDPR allows for damages to be recoverable for distress alone once it is fully in force in May 2018, as a point of law it made little sense for Google to continue to challenge this point.
We also saw an interesting case in the High Court, where it was held that a data protection policy did not have the force of contract (see our analysis here), and a number of cases on the jurisdiction in which enforcement action can be taken in cases of multijurisdictional data processing. Please see our round-up here.
We've also seen a hive of activity where the worlds of data protection and regulation overlap for financial services companies. The Financial Conduct Authority ("FCA") has:
Released its guidance for firms outsourcing to the cloud and other third-party IT services. Please see our analysis here;
Launched its advice unit as part of Project Innovate. Please see our summary here.
Whilst applications for the FCA's Sandbox closed on 8th July, the FCA have announced that a second wave of applications can be made between November and mid-January 2017. See our summary of the FCA Sandbox available here, including information on other sandboxes around the world.
Heading over to Europe, the European Commission has published its final draft of a code of conduct on privacy of health mobile applications, which is drafted to meet the requirements of current law and the GDPR. Please see our summary and analysis here.
Last but by no means least, we have seen, despite much criticism, the finalisation of the Privacy Shield, replacing the Safe Harbor regime in the US. Applications opened on 1 August. Please see the full story on the Privacy Shield here.
To read our updates from across the world, please click here.