ICO publishes goals for 2016 – 19

The Information Commissioner’s Office (ICO) has set out its objectives for the next three years, which include more efficiency and ensuring organisations better understand their information rights obligations.

Six corporate objectives identified for 2016 – 2019 are:

  • organisations should have better understanding of their information rights obligations  
  • proportionate use of enforcement powers to ensure compliance with improved information rights
  • customers to receive a proportionate, fair and efficient response to their information rights concerns
  • ICO is alert and responsive to changes which impact on information rights
  • ICO should be efficient and well prepared for the future

It will be interesting to see how, or if, these objectives change if Brexit is successful. If so, the ICO will remain the supervisory body for the UK, but whether it has any influence amongst the other European regulators is unclear. The ICO will still have the power to enforce fines, but these will be marginally smaller in comparison to the new levels being brought in via the General Data Protection Regulation (GDPR). In the EU, under the GDPR, businesses have the potential to be fined the greater of EUR 20,000,000 or 4% of annual turnover for data breaches.

The full document can be found here

Record fine issued from the ICO for company behind 46m nuisance calls

The Information Commissioner’s Office (ICO) has fined Prodial Ltd £350,000. The ICO received over 1,000 complaints about the company, which played recorded messages in regard to PPI claims, with opt out options often not available.

Christopher Graham, Information Commissioner said:

“This is one of the worst cases of cold calling we have ever come across. The volume of calls made in just a few months was staggering.  

 This was a company that knew it was breaking the law. A company director admitted that once the ICO became involved, the company shut down. That stopped the calls, but we want to send a clear message to other firms that this type of law-breaking will not pay.  

 That is why we have handed out our highest ever fine. No matter what companies do to try to avoid the law, we will find a way to act.”

The company has been placed into voluntary liquidation, but the ICO are working with the liquidators to recover the fine.   

The full article can be found here

Investigatory Powers Bill published

The Investigatory Powers Bill was introduced to Parliament on 1 March with tighter privacy safeguards. It is scheduled to become law before the end of 2016. According to the Home Office, the Bill now:

  • is clearer, with tighter technical definitions and stricter codes of practice setting out exactly how the powers in the Bill will be used
  • includes stronger privacy safeguards, strengthening protection for lawyers and journalists’ sources
  • bans UK agencies from asking foreign intelligence agencies to undertake activity on their behalf unless they have a warrant approved by a Secretary of State and Judicial Commissioner

Analysis by BBC Home Affairs Correspondent Danny Shaw

"When the draft legislation was published last November, police were concerned about a rather large gap.

Although they would have had powers to find out if a suspect was visiting illegal websites, downloading abuse images or accessing terrorist material, they wouldn't get details of other online activity which might be relevant to their investigation.

So, a travel website a drug trafficker books tickets on would have been out of bounds, as would a banking website used by a fraudster to transfer money. The new Bill attempts to plug those gaps. But in doing so it's left a far broader range of internet services which the law enforcement and intelligence world will be able to see than was the case before."

The creation of the Investigatory Powers Bill came as a result of various recommendations and comprehensive reviews of the Regulation of Investigatory Powers Act 2000 (RIPA), which were carried out by David Anderson QC, the Independent Reviewer of Terrorism Legislation; the Intelligence and Security Committee of Parliament (ISC); and a panel convened by the Royal United Services Institute (RUSI).

The Bill has been met with sharp criticism and has been dubbed by some the "snoopers' charter", as it allows law enforcement to freely hack phones, personal computers and tablets. The National Crime Agency (NCA) has stated that this type of surveillance will only occur if there is a "threat to life". What this means is uncertain and it can be interpreted in a number of ways.

Further to this, the Investigatory Powers Bill allows decryption of end-to-end encrypted platforms such as those used on certain mobile phones. This has come as a shock for many technology companies in the UK in light of the fierce arguments and legal battles being raised in the US with regard to encryption and 'back-dooring'. The Home Office has stated that, like the hacking of personal tech, decryption will only occur if it is feasible. Again, what "feasible" means remains to be seen.

Link to Investigatory Powers Bill 2015-16 can be found here


Facebook investigated by German Bundeskartellamt

Facebook is facing a number of fresh allegations, this time in Germany, for abuse of German data protection and competition laws. The Bundeskartellamt, the German federal cartel office, is bringing the case on the grounds that Facebook's terms of service break data protection laws by forcing users to sign up to ad tracking, which in turn provides Facebook with a vast amount of data. This data provides an enormous revenue stream for Facebook. The Bundeskartellamt argues that this constant data stream strengthens Facebook's position within the social media marketplace, which is an abuse of a dominant position and anti-competitive.

The Bundeskartellamt has said that "in order to access the social network, users must first agree to Facebook’s collection and use of their data by accepting the terms of service but that it was difficult for users to understand and assess the scope of the agreement."

Facebook have issued the following statement:

“We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.”

This is an unusual case and perhaps the first of its kind wherein we are seeing competition law combine with data protection issues and social media becoming its own marketplace.

The link to the Guardian article can be found here


President Obama signs Judicial Redress Act

The US President has signed the Judicial Redress Act into law. It grants non-US citizens a private right of action for alleged privacy violations for the first time. 

It was signed after Congress approved an amendment that limits the right to sue to citizens of countries which:

  • permit the 'transfer of personal data for commercial purposes' to the US
  • do not impose personal data transfer policies which 'materially impede'

In an Oval Office release the president said:

"We take our privacy seriously.  And along with our commitment to innovation, that’s one of the reasons that global companies and entrepreneurs want to do business here.  We enforce our privacy laws, unlike a number of other countries.  And in fact, just this month, we finished a landmark new agreement called the Privacy Shield, which provides tough new protections to safeguard consumer data, and it gives certainty to thousands of businesses representing hundreds of billions of dollars in trade."