HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: UK

Posted in International/EU Privacy

State of the Cyber Nation: UK Government Report on Cybersecurity Breaches

On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cyber security breaches and how they affected UK companies in the last year. The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cyber security strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.

Posted in International/EU Privacy

UK ICO Publishes Guidance on Consent Under GDPR

The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.

Posted in International/EU Privacy

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.

Posted in International/EU Privacy

Privacy in 2017 – From Challenges to Opportunities

After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.

Posted in International/EU Privacy

UK Department for Transport Launches Consultation on Regulations for Civil Drone Usage

The 2016 holiday gift guides have heavily featured consumer drones; as such, it is not unfeasible that you or someone you know will receive a drone in the coming weeks. In anticipation of that happy event, on 21 December the UK Department for Transport gave its own gift: a consultation paper on ensuring the safe use of drones, to help the UK to tap into this growing market.

Posted in International/EU Privacy

The CJEU Gives the UK Government Another Brexit Dilemma

In yet another key case dealing with the balance between citizens’ privacy and the ability of the state to intrude into it, the Court of Justice of the European Union has ruled on the compatibility with European Union law of legislation that authorises the retention of communications data, which includes personal data. The reference from the UK Court of Appeal resulted from a challenge to the Data Retention and Investigatory Powers Act 2014 brought by individuals that include Tom Watson, deputy leader of the Labour Party and represented by Liberty. Interveners include the Law Society of England and Wales, the Open Rights Group, and Privacy International. The CJEU considered the compatibility of such legislation with the e-Privacy Directive, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union—which protect private and family life and personal data respectively—and its previous decision in C-293/12 Digital Rights Ireland—which invalidated the Data Retention Directive.

Posted in International/EU Privacy

A Way Forward for UK Data Protection

The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.

Posted in International/EU Privacy

Why Brexit Will Not Happen (In Data Protection)

The thing about referendums is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal – quietly enjoying the benefits of the European Union whilst moaning about the threat that […]

Posted in Consumer Privacy

Three Signs Your Native Ad Needs a Disclosure: The FTC Issues Native Advertising Guidelines

If you’ve ever opened your washing machine to find white socks turned a pale shade of pink, you can relate to the sentiment of Buzzfeed UK’s piece “14 Laundry Fails We’ve All Experienced.” Humorous and empathetic, the piece mimicked Buzzfeed’s editorial tone and style, but also subtly promoted the message of a commercial advertiser—in this case, Dylon, a color dye manufacturer. And in what may be a sign of things to come in the US, the piece drew the attention of the U.K.’s advertising regulator, the Advertising Standards Authority, which cited Buzzfeed for failing to make the piece “obviously identifiable” as commercial content, a violation of the U.K.’s Committee on Advertising Practices Code.

Posted in International/EU Privacy

Why Silicon Valley Should Care About the UK Investigatory Powers Bill

The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs and the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.

Posted in International/EU Privacy

Recap on the ICO Stance on Data Security

The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website, the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.

Posted in International/EU Privacy

UK Government Seeks to Preserve Data Retention Powers

On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Survey Exposes Gaps in UK Companies’ Readiness for Cyber Threats

A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.

Posted in International/EU Privacy

UK ICO Suggests Preparations for Draft EU Data Protection Regulation

The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.

Posted in Consumer Privacy, International/EU Privacy

UK ICO Publishes Guidance on Social Networking and Online Forums

The UK Information Commissioner’s Office recently published new guidance on the application of data protection laws to social networking and online forums that clarifies that organizations operating social networking sites or online forums may have responsibilities as data controllers under the UK Data Protection Act, including the responsibility to take reasonable steps to check the accuracy of any personal data posted on its site by third parties.

Posted in International/EU Privacy

UK ICO Publicizes Concerns on Draft Data Protection Regulation

Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK Information Commissioner’s Office has published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

UK Publishes Call for Evidence on Proposed EU Cybersecurity Directive

In February 2013 the European Union published the EU Cyber Security Strategy and accompanying proposed Directive. Now, in anticipation of the implementation of the Directive, the UK’s Department for Business, Innovation and Skills (BIS) has published a call for evidence to look at the impact of the Directive upon businesses in the UK.

Posted in International/EU Privacy

UK Parliament Committee Requests Written Evidence on Proposed EU Data Protection Framework

On June 28, the UK Parliament Justice Select Committee, chaired by Sir Alan Beith MP, issued a request for written evidence for its new inquiry into the European Union Data Protection framework proposals, including the much-debated proposal for a new EU Data Protection Regulation. This post discusses the questions posed by the request.

Posted in News & Events

Blogging from the IAPP London Data Protection Intensive

IAPP Europe is currently holding its Data Protection Intensive 2012 in London. This entry from London partner Quentin Archer contains an instant report from today’s opening session, and summarizes the comments of UK’s Information Commissioner and Yahoo’s Vice-President for EMEA Advertising Marketplaces. The comments of the Information Commissioner are especially insightful regarding enforcement, cookies, and the pending European Regulation.

Posted in International/EU Privacy

Hogan Lovells Submits Comments on Proposed EU Regulation to UK Ministry of Justice

The United Kingdom Ministry of Justice is engaged in a consultation on the impact of the proposal of the European Commission for a Data Protection Regulation to replace the EU Directive and implementing legislation, and solicited submissions by 6 March. On 29 February 2012, Hogan Lovells held a session in London for clients where we sought and obtained views on the impact of the proposals made by the European Commission for a new Data Protection Regulation. Yesterday, the firm made a submission to the Ministry of Justice on the proposed Regulation. This document contains a distillation of our own observations and comments made to us by clients.

Posted in International/EU Privacy

London Privacy Workshop Seeks Input for UK Consultation

Hogan Lovells partners Quentin Archer, Roger Tym and Winston Maxwell hosted a London workshop on February 29, 2012 aimed at collecting comments for the UK Ministry of Justice’s public consultation on the proposed EU privacy Regulation. Workshop participants commented on the right to be forgotten, data portability, the accountability principle, data breach notifications, proposed requirements for consent, fining powers, and the “one-stop-shop” principle.