After a summer of uncertainty over the future of the GDPR in the UK, the autumn brought some clarity when Karen Bradley MP, the Secretary of State for Culture, Media and Sport, confirmed that the UK government would implement the GDPR and review it to determine how British businesses can be helped with data protection while maintaining high levels of protection for members of the public.
Elizabeth Denham, the UK's Information Commissioner, responded to Karen Bradley's statement with an ICO blog (the "Blog"), stating "I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years." The Blog emphasised the ICO's plan to support implementation of the GDPR, stating that "the ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond", and that the GDPR will boost the digital economy, safeguard citizens' privacy rights and give people greater control over their data. Elizabeth Denham notes that a revised timeline will be published next month setting out the areas of guidance that the ICO will prioritise over the next six months. We have also seen the first of these guidance notes from the ICO with the launch of the revised Code of Practice on "Privacy Notices, Transparency and Control". Please see our full analysis here.
In Europe, we have seen increased GDPR guidance activity from the Article 29 Working Party. It has published a summary of the discussions from the 'Fablab' workshop entitled "GDPR – from concepts to operational toolbox DIY", which took place on 26 July 2016 in Brussels. The summary discussed issues such as the designation of a data protection officer and the conflict of interest issue when appointing one, the benefits of and concerns about data portability, the risks of data protection impact assessments, and certification mechanisms. The workshop was attended by 90 participants, including 40 representatives from various data protection authorities, to discuss operational and practical issues linked to the GDPR with the intention of developing a set of best practices and guidelines for its implementation. Another workshop will be organised in 2017. The summary can be read here.
Uncertainty reigns for International Transfers
However, whilst we head towards certainty in one area of data protection law, uncertainty reigns in the world of international transfers of personal data. Please see our round up here.
New Enforcement style for ICO
The autumn has also given us an insight into the enforcement style of the new Information Commissioner. Known for her proactive rather than reactive approach to data protection breach enforcement, Elizabeth Denham announced at the IAPP conference in Brussels that she intended to introduce a more proactive DPA enforcement regime, highlighting the investigation into the proposed sharing of personal data between Facebook and WhatsApp as an example. At the end of August, WhatsApp announced its plans to share user account information with its parent company Facebook. WhatsApp stated that such an arrangement would deliver users improved Facebook usability in the form of ads and product experiences. Users have since been asked to agree to WhatsApp's updated terms to allow the data sharing. The updated terms have proved controversial - although acceptance of data sharing with Facebook is not mandatory in order to continue using the service, it appears that many users thought it was, due to the way in which the terms were presented to them by the app.
In response to WhatsApp's changes, the ICO released a statement revealing that it would look into the approach taken by WhatsApp in order to ensure transparency and explore user concerns about potential lack of control over personal data. To view the ICO statement, please click here.
We therefore predict an approach in the UK akin to the international "Privacy Sweeps" in which the ICO currently participates. Every year, members of the Global Privacy Enforcement Network (the "GPEN") conduct a 'Sweep' to coordinate a global analysis of privacy practices. The Sweep is not an investigation or audit. Instead, it encourages international collaboration among the 25 data protection authorities that are members of GPEN, and raises awareness of common global privacy issues. This year's Sweep assessed the quality of privacy communications in relation to the Internet of Things. Please see our analysis here.
We have also seen Ms Denham put her support behind fines for directors for breaches of the Privacy and Electronic Communications Regulations. Since April 2015, companies behind nuisance calls can be fined but, all too often, companies declare bankruptcy as a means of evading payment of those fines. In order to put pressure on directors to ensure that their companies comply with the law, the government recently announced that, as of Spring 2017, company directors can each be fined up to £500,000 by the ICO if they breach the Privacy and Electronic Communications Regulations. Read the statement by Elizabeth Denham, the UK's Information Commissioner, in response to the government's announcement here. She also stressed that she intends to be proactive in engaging with different industries to understand the challenges they face with data protection compliance.
Finally, as if Ms Denham had not been busy enough, we have seen the highest monetary penalty to date levied against TalkTalk. To see our analysis of this and other cyber security matters, please see our cyber security round up here. Please also see our ICO enforcement round up here.
Over to the courts
We have seen an interesting subject access request case considering the disclosure of third party personal data without consent. Please see our employment data protection expert Khurram Shamsee's analysis of what this means for employers here.
In the regulated world, we have seen the FCA choose to drop its market study into the use of Big Data. Please see our analysis here.
Best of the rest
- as of 1 November 2016, online retailers have new duties under the revised payment card industry data security standard (the "PCI DSS"). Online retailers must now ensure that no default security settings remain in place, that administrator accounts are unique to each individual rather than generic or shared, and that passwords are sufficiently long and complex. Please click here to read the PCI DSS. Please click here for a guide on the PCI DSS;
- as referenced in our May edition, it was announced that, following the implementation of the GDPR, the ePrivacy Directive (2002/58/EC as amended) (the "Directive") would also be reviewed, and a consultation was opened. In August the European Commission published a summary of the responses to the consultation, which predictably showed polar opposite views from EU citizens on the one hand and industry on the other on the effectiveness of the current Directive and the need for stronger requirements in any replacement legislation. The Commission has been carrying out an in-depth analysis of the replies to the public consultation. The full synopsis report will be published in autumn 2016. The European Commission's summary is available here; and
- as previously reported in our April alerter, a German citizen challenged the German federal government's storage of the IP addresses of users of government websites, and the claim was referred to the Court of Justice of the European Union (the "CJEU"). On 19 October 2016, the CJEU ruled that dynamic IP addresses can constitute personal data (the "Ruling"). The Ruling was made on the basis that a user's internet service provider (ISP) holds, and may provide, additional data that, together with the IP address, could lead to the identification of the user. The Ruling is in line with the GDPR, which expanded the definition of personal data to include online identifiers. The German Federal Court of Justice will now have to decide on the claim itself. To read the Ruling, please click here. To read the CJEU's press release on the Ruling, click here.