Included in this Data Issues Roundup: Changes to ICO notification fees; Judge states ECJ should decide on EU-US data transfers; Vehicle Remarketing Association puts the spotlight on vehicle data issue and more...

United Kingdom

Changes to ICO notification fees

The ICO have clarified that the registration fees data controllers have to pay are to change next year when the GDPR is implemented.

Currently, organisations that process personal data as data controllers are obliged to inform the ICO about the data controller's processing activities, such as the personal data they process and the type of processing undertaken. As part of this, the data controllers are required to pay a notification fee, which varies depending on the size of the organisation.

Under GDPR, Member States are no longer required to hold a data controller register and as such data controllers will not need to notify the ICO of the data controllers' processing activities. As the notification fee is used to fund the majority of the ICO's work, questions quickly arose as to how the ICO would be funded going forward and it has now been confirmed that data controllers will be required to pay a fee to the ICO under the Digital Economy Act.

The amount of the notification fees payable under the Digital Economy Act is unknown at present, but the Department for Digital, Culture, Media and Sport (in consultation with the ICO) are hoping to make the new fee system fair and reflective of an organisation's processing activities.

The new fee system will go live on 1 April 2018 with organisations being told to renew their notification as usual or face criminal proceedings. The ICO expects that payments made during the 2017/2018 financial year under the current system will run for a full year.

Judge states ECJ should decide on EU-US data transfers

A Judge in Ireland's High Court has decided to refer a Facebook privacy case to the ECJ for a preliminary ruling. In another challenge by Max Schrems, the Austrian privacy campaigner, Ms Justice Caroline Costello said that the ECJ should make the decision on the adequacy of model clauses used by internet sites, such as Facebook, to transfer users' personal data to the US.

The case could have major implications for EU trade with the US. Many companies rely on the standard contractual clauses approved by the European Commission (aka "model clauses") to transfer data such as credit card payments between EU countries and the US.

Many will remember the 2015 Schrems case where the ECJ principally overturned Safe Harbour, the predecessor to Privacy Shield, which (amongst other things) governed the protection of EU personal data in the US. Similar to the 2015 Schrems case, emphasise is again being placed on whether EU citizens are given adequate protection from American mass surveillance with the focus now being on the reliability of model clauses.

Vehicle Remarketing Association puts the spotlight on vehicle data issue

The Vehicle Remarketing Association has highlighted the concerns arising in light of GDPR in relation to personal data removal from fleet vehicles prior to resale.

From May 2018, it will be a necessity for fleet operators to have a clear policy and audit trail on data they obtain from vehicles and the reason for its utilisation. Operators should consider the current processes in place and any third party contractors used for their data cleanse. Operators that do not meet the requirements may face a fine of up to €20m or 4% of global annual turnover.

The upcoming GDPR will present challenges for remarketing companies who will have to remove sat navigation and Bluetooth phone records from used vehicles.

Data Protection Code Consultation opened by Fundraising Regulator

The Fundraising Regulator is asking charities, fundraisers and the public for feedback on proposed changes to the Fundraising Practice Code in a consultation running from October to Friday 8th December.

The consultation seeks to update the Code to reflect the GDPR, make it clear to fundraisers about their data protection duties and address issues identified by penalty notices levied by the ICO over the last two years.

The Regulator is proposing three new sections for the Code which is expected to be published in spring next year. These are:

  • Legitimate Interest: To incorporate GDPR and the NCVO working group on donor communications recommendations
  • Processing: To include information on applying the data protection rules to activities using personal data
  • Consent: To include draft ICO GDPR guidance