At the launch of the ICO's 2015 Annual Report on 28 June, Christopher Graham borrowed from the old Chinese curse "may you live in interesting times". It was Graham's turn to leave "in interesting times", as the launch of the report coincided with his last day in office. Please see our summary of the launch. Elizabeth Denham (a former Commissioner of the Office of the Information and Privacy Commissioner for British Columbia (Canada)) then took up the reins on 18 July, stating that she was "excited about the challenges ahead".
A change of leadership and uncertainty following the EU Referendum result have not hampered ICO activity. This summer the ICO have:
- Published an overview of the GDPR setting out the differences between the existing Data Protection Act ("DPA") and the new requirements;
- Published a response to the European Commission consultation on the E-Privacy Directive. Please see our summary here;
- Suggested 6 key steps to protect yourself when using internet of things devices. Please see our summary here;
- Continued apace with enforcement action. Please see our ICO enforcement round-up here;
- Released the results of its research on consumer data protection attitudes in the UK, highlighting that consumers base their decisions on trust. Please see our analysis here.
On the subject of consumer trust, we have also seen the Culture, Media and Sport Select Committee's findings on the TalkTalk incident, which make for interesting reading. Please see our analysis here.
Cybersecurity continues to dominate privacy news. Please see our cybersecurity round-up here.
Moving to case law, we have heard that Google have withdrawn their appeal in the case of Vidal-Hall v Google. Readers may recall previous coverage on this case available here. To recap the key points, the Court of Appeal determined that damages were recoverable under the DPA for mere distress (without also having to prove financial damage). Legal commentators predicted that the ruling might open the floodgates to compensation claims arising from data protection breaches. Google subsequently applied to the Supreme Court for permission to appeal, which was granted in part; however, this appeal has now been withdrawn. Given that the GDPR allows for damages to be recoverable for distress alone once it is fully in force in May 2018, it made little sense, as a point of law, for Google to continue to challenge this point.
We also saw an interesting case in the High Court, where it was held that a data protection policy did not have the force of contract (see our analysis here), and a number of cases on the jurisdiction in which enforcement action can be taken in cases of multijurisdictional data processing. Please see our round-up here.
We've also seen a hive of activity where the worlds of data protection and regulation overlap for financial services companies. The Financial Conduct Authority ("FCA") has:
- Released its guidance for firms outsourcing to the cloud and other third-party IT services. Please see our analysis here;
- Launched its advice unit as part of Project Innovate. Please see our summary here.
Whilst applications for the FCA's Sandbox closed on 8th July, the FCA have announced that a second wave of applications can be made between November and mid-January 2017. See our summary of the FCA Sandbox available here, including information on other sandboxes around the world.
Heading over to Europe, the European Commission has published its final draft of a code of conduct on privacy of health mobile applications, which is drafted to meet the requirements of current law and the GDPR. Please see our summary and analysis here.
Last but by no means least, we have seen, despite much criticism, the finalisation of the Privacy Shield, replacing the Safe Harbor regime in the US. Applications opened on 1 August. Please see the full story on the Privacy Shield here.