Published 22 December 2016
After an uncertain summer for the GDPR, the autumn brought some clarity on its future when Karen Bradley MP, the Secretary of State for Culture, Media and Sport, confirmed that the UK government would be implementing the GDPR and reviewing it to determine how British businesses can be helped with data protection while maintaining high levels of protection for members of the public.
Elizabeth Denham, the UK's Information Commissioner, responded to Karen Bradley's statement with an ICO blog (the "Blog"), stating "I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years." The Blog emphasised the ICO's plan to support implementation of the GDPR, stating that "the ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond" and that the GDPR will boost the digital economy, safeguard citizens' privacy rights and give people greater control over their data. Elizabeth Denham notes that a revised timeline will be published next month setting out areas of guidance that the ICO will be prioritising over the next six months. We've also seen the first of these guidance notes from the ICO with the launch of the revised Code of Practice on "Privacy Notices, Transparency and Control". Please see our full analysis here.
In Europe, we have seen some increased GDPR guidance activity from the Article 29 Working Party. They have published a summary of the discussions from the 'Fablab' workshop entitled "GDPR – from concepts to operational toolbox DIY" which took place on 26 July 2016 in Brussels. The summary discussed issues such as the designation of a data protection officer and the conflict of interest issue when appointing a data protection officer, the benefits and concerns of data portability, the risks of data protection impact assessments and certification mechanisms. The workshop was attended by 90 participants including 40 representatives from various data protection authorities to discuss operational and practical issues linked to the GDPR with the intention of developing a set of best practices and guidelines for the implementation of the GDPR. Another workshop will be organised in 2017. The summary can be read here.
Uncertainty reigns for International Transfers
However, whilst we head towards certainty in one area of data protection law, uncertainty reigns in the world of international transfers of personal data. Please see our round up here.
New Enforcement style for ICO
The autumn has also given us an insight into the enforcement style of the new ICO. Known for her proactive rather than reactive approach to data protection breach enforcement, Elizabeth Denham announced at the IAPP conference in Brussels that she intended to introduce a more proactive DPA enforcement regime, highlighting the investigation into the proposed sharing of personal data between Facebook and WhatsApp as an example. At the end of August, WhatsApp announced its plans to share user account information with its parent company Facebook. WhatsApp stated that such an arrangement would deliver users improved Facebook usability in the form of ads and product experiences. Users have since been asked to agree to WhatsApp's updated terms to allow the data sharing. The updated terms have proved controversial - although acceptance of data sharing with Facebook is not mandatory to continue to use the service, it appears that many users had thought it was, due to the way in which the terms were presented by the app to the user.
In response to WhatsApp's changes, the ICO released a statement revealing that it would look into the approach taken by WhatsApp in order to ensure transparency and explore user concerns about potential lack of control over personal data. To view the ICO statement, please click here.
We therefore predict an approach in the UK akin to the international "Privacy Sweeps" in which the ICO currently participates. Every year, members of the Global Privacy Enforcement Network (the "GPEN") conduct a ‘Sweep’ to coordinate a global analysis of privacy practices. This Sweep is not an investigation or audit. Instead it encourages international collaboration among the 25 data protection authorities who are members of GPEN, and raises awareness of common global privacy issues. This year's 'Sweep' assessed the quality of privacy communications in relation to the Internet of Things. Please see our analysis here.
We've also seen Ms Denham put her support behind fines for directors for breaches of the Privacy and Electronic Communications Regulations. Since April 2015, companies behind nuisance calls can be fined but, all too often, companies declare bankruptcy as a means of evading paying fines. In order to put pressure on directors to ensure that their companies comply with the law, the government recently announced that, as of Spring 2017, company directors can each be fined up to £500,000 by the ICO if they breach the Privacy and Electronic Communications Regulations. Read the statement from Elizabeth Denham, the UK's Information Commissioner, in response to the government's announcement here. She also stressed that she intends to be proactive in engaging with different industries to understand the challenges they have with data protection compliance.
Finally, as if Ms Denham has not been busy enough, we have seen the highest monetary penalty to date levied against TalkTalk. To see our analysis of this and other cyber security matters, please see our cyber security round up here. Please also see our ICO enforcement round up here.
Over to the courts
We've seen an interesting subject access request considering the disclosure of third party personal data without consent. Please see our employment data protection expert Khurram Shamsee's analysis of what this means for employers here.
In the regulated world, we have seen the FCA choose to drop its market study into the use of Big Data. Please see our analysis here.
Best of the rest
To read our updates from across the world, please click here.
Jade Kowalski, Rhiannon Webster, Ceri Fuller, Khurram Shamsee, Sophie Devlin, Christopher Air