Mac Macmillan

When Did You Last See Your Filing Cabinets? UK ICO Fine for Discarded Data Shows Accountability in Action

If you care enough about privacy issues to be a regular reader of this blog, you probably know that one of the Big Changes under GDPR will be the introduction of “accountability” as a legal obligation, i.e. it will now be a requirement that a data controller is able to demonstrate its compliance with the principles relating to processing of personal data set out in Article 5 of the GDPR. You may even have started thinking about what this means for your organisation: how are you going to get your development teams to adopt privacy by design and default? What are you doing about data minimisation? Do you apply appropriate levels of encryption to your personal data? In our ever-more digitally driven world, it’s easy to get caught up in the sophisticated stuff, but a recent UK ICO decision reminds us that accountability is about the simple stuff as well. Which brings us to filing cabinets.

Posted on March 28th, 2017 By Mac Macmillan and Sam Choi Posted in International/EU Privacy

ICO Issues Fine for Marketing Emails Disguised as Service Messages

The Information Commissioner’s Office has issued a £70,000 fine against Flybe and a £13,000 fine against Honda Motor Europe Ltd for breaching Regulation 22 of the Privacy and Electronic Communications Regulations by sending emails requesting individuals to update their marketing preferences.

Posted on March 8th, 2017 By Mac Macmillan Posted in International/EU Privacy

UK ICO Publishes Guidance on Consent Under GDPR

The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.

Posted on July 30th, 2015 By Mac Macmillan Posted in International/EU Privacy

“Europe’s Big Opportunity” – The European Data Protection Supervisor on the General Data Protection Regulation

Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor has now published his own recommendations for the proposed General Data Protection Regulation. Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR (more on which below) and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.

Posted on June 24th, 2015 By Mac Macmillan and Sarah Taieb Posted in International/EU Privacy

Part 7: The New Accountability Regime

Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”. Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”

Posted on December 9th, 2013 By Mac Macmillan Posted in Consumer Privacy

Progress Falters on EU Data Protection Regulation at Council Meeting

The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.

Posted on November 20th, 2013 By Mac Macmillan Posted in International/EU Privacy

Where Next for the Draft Data Protection Regulation?

The EU’s Work on Data Protection Reform continues following the vote of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 21 October 2013 to adopt compromise amendments. The 104 compromise amendments represent a consolidation of proposals submitted by various European Parliament committees. Hogan Lovells has prepared a detailed analysis of the compromise amendments approved by the LIBE committee, which is attached to this post.

Posted on September 17th, 2013 By Mac Macmillan Posted in Consumer Privacy, International/EU Privacy

ICO Provides Further Guidance on Encryption

The UK Information Commissioner’s Office (the “ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.

Posted on September 13th, 2013 By Mac Macmillan Posted in Consumer Privacy, International/EU Privacy

European MEP Calls for Investigation of Online Price Discrimination

Price discrimination based on tracking of Internet Protocol addresses – numerical identifiers assigned to devices that are connected to the Internet – was in the news again this week after a Belgian Member of the European Parliament, Marc Tarabella, called for action from the European Commission to investigate the practice.

Posted on September 4th, 2013 By Mac Macmillan Posted in Cybersecurity & Data Breaches, Employment Privacy, International/EU Privacy

UK Council Successfully Appeals ICO Fine Arising from Processor Breach

The UK First Tier Tribunal issued a decision on August 21 finding that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.

Posted on June 7th, 2013 By Mac Macmillan Posted in International/EU Privacy

UK ICO Publicizes Concerns on Draft Data Protection Regulation

Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK Information Commissioner’s Office as published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation.