The UK data protection regulator, the Information Commissioner’s office, has issued three significant monetary penalties over recent months focusing on cyber security issues. The most recent enforcement was a monetary penalty of £1.25 million on Ticketmaster in connection with an incident which occurred during February 2018 and June 2018 (although the enforcement only relates to the period after 25 May 2018 when the GDPR came into force). In the ICO’s view there was a failure…
The UK data protection regulator, the Information Commissioner’s Office, has issued a monetary penalty to £20m on British Airways in connection with a cyber-attack which took place in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and Articles 32 of the GDPR. The incident commenced with a “supply chain attack” where BA’s network was accessed by an attacker…
Questions continue to arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Both PSD2 and the GDPR are complex legislation and the relationship between distinct provisions of each law and how they work together is not altogether clear, which has led to uncertainty for payment service providers, including banks. For example, when is “consent” required to access payment data and what does consent mean? To this…
The ICO, together with The Alan Turing Institute, recently published its finalised guidance on explaining decisions made with AI, following a public consultation which closed in January this year. Who should read this? The guidance is relevant for any organisation using, or thinking of using, AI to support or make decisions about individuals (including if you are procuring an AI system from a third party).It will be of particular use for DPOs, and legal…
On 8 June 2020 the UK Government published its response to the Department for Digital, Culture, Media and Sport (“DCMS”) Select Committee’s report on Immersive and Addictive Technologies (“Report”). The response sets out the Government’s next steps regarding issues identified in the Report, which will be relevant for companies in the video games sector as well as those involved with immersive technologies. This could result in increased regulation in certain areas. For example, the outcome…
Brian Hengesbaugh is joined by Ben Slinn (Associate, London) and Brandon Moseberry (Partner, Chicago) to discuss developments around Children’s data in the United Kingdom and United States. Tune in to hear: Overview of the final version of the UK ICO’s Age-Appropriate Design Code of Practice for Online ServicesThings companies should do now to address the new codeGeneral guidelines to follow in the US in regards to children’s data https://open.spotify.com/episode/2qsEEttIZxAZmcsXWg7Ka6 Related Resources UK ICO Age Appropriate…
It has been two years since the GDPR came into force on 25 May 2018 and during that time, we have seen more guidance published at an EU level as well as from data protection authorities in Member States which has impacted how organisations approach areas of GDPR compliance. We have also seen enforcement action from data protection authorities across the EU and UK. There have also been other significant developments, over the past two…
The final version of the ICO’s Age Appropriate Design Code was published earlier this year. It needs to be approved by Parliament, and there will then be a 12 month period before it comes into force. The ICO expects the Code to be in force by autumn 2021. Although this may sound like a long time away, to comply with the Code existing services will need to be reviewed and where necessary updated, and changes to design…
On 4 May 2020 the European Data Protection Board (“EDPB”) adopted updated guidelines on consent under the GDPR (the “New Guidelines”). The New Guidelines supersede the guidelines on consent originally adopted by the EDPB’s predecessor, the Article 29 Working Party, on 10 April 2018 (the “2018 Guidelines”), and subsequently endorsed by the EDPB. The New Guidelines clarify the EDPB’s position on two specific issues: Cookie Walls – consent is not valid if access to a…
In the weeks and months ahead, contact tracing technologies will play a critical role in the societal fight against COVID-19, and the quest to restore order. A number of recent developments both in the European Union and the United Kingdom offer insight on the regulatory expectations in the widespread use of location data for this new health policy purpose. In this post, we summarise key points from the following UK and EU regulatory guidance, which…