On 15 April 2020 the ICO published a statement on its regulatory approach during the coronavirus pandemic. Recognising that operational and financial pressures caused by the coronavirus may impact organisations’ ability to fully comply with aspects of data protection laws, the ICO has stated it intends to apply an empathetic, “flexible and pragmatic” approach in its enforcement of data protection laws during the crisis, as well as any enforcement under the Freedom of Information Act…
The European Commission has published a Recommendation for use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile apps and use of anonymised mobility data. What does the Recommendation cover? The Recommendation establishes a process for developing a common approach (Toolbox) to use digital measures to address the COVID-19 crisis. The Toolbox will include practical measures for making effective use of technology and data, focusing on a: Pan-European…
With a changing digital landscape and emerging data driven technologies, the rules of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) are in need of updating. The proposed E-Privacy Regulation was intended to address new legal challenges and complement the General Data Protection Regulation (GDPR) in relation to privacy in electronic communications. The first draft of the E-Privacy Regulation was presented in January 2017, with the aim that it would be passed quickly and would apply from May…
On March 2, 2020, the Information Commissioner’s Office (ICO) issued a lead generator, CRDNN Limited (CRDNN), with a maximum £500,000 fine under the Privacy and Electronic Communications Regulations 2003 (PECR) for making more than 193 million automated nuisance calls. The full monetary penalty notice can be viewed here. What happened? CRDNN first came to the ICO’s attention due to a significant number of complaints from subscribers regarding large volumes of unsolicited marketing calls marketing a number of…
The European Data Protection Board (EDPB) has published its draft guidelines on processing personal data in the context of connected vehicles for public consultation. The Guidelines have a wide reach and will apply to more than just vehicle manufacturers. We have summarised the key points and recommendations from the EDPB in the Guidelines below. The public can provide comments to the EDPB until March 20th, 2020. Thereafter, the EDPB will finalize and adopt the Guidelines,…
On February 19, 2020 the ICO published its draft guidance on the AI auditing framework for public consultation, which is open until April 1, 2020. We have summarised the key themes below. What is the draft guidance? The draft guidance, which runs to over 100 pages, provides advice and recommendations on how to understand data protection law in relation to artificial intelligence. It clarifies how to assess the data protection risks posed by AI and…
Late last year the UK Information Commissioner’s Office issued its first formal monetary penalty notice under the GDPR. The ICO fined Doorstep Dispensaree £275,000 for, among other things, failing to keep sensitive data securely and providing an inadequate privacy notice to data subjects. This fine was based on a number of fundamental breaches by Doorstep Dispensaree: for example, most of its internal policies had not been updated since before the entry into force of the…
In this edition of the Data Protection Download, Benjamin Slinn and Zelander Gray cover the latest UK and Europe-wide updates in data protection. Topics covered in this month’s update include: Brexit ICO’s new age appropriate design code European Data Protection Board guidelines on connected vehiclesEDPB Guidance on processing personal data through video devices Met Police use of live facial recognition EUR 27.8 million fine imposed by Italian SAAviva v Oliver: Breach of confidence Click here…
The ICO has published its final Age Appropriate Design Code of Practice for Online Services, following a public consultation last year. The code sets out 15 standards applicable to certain online services aimed at or likely to be accessed by children, requiring the “best interests” of the child to be the primary driver of product and service design. Who should read this? Anyone that designs or develops online services will need to consider whether the…
In this episode, your host Brian Hengesbaugh is joined by Benjamin Slinn, a senior associate in our London office, to discuss how data protection may look in a post-Brexit Europe. In this episode, you will learn about: What to expect during the transition period, which lasts until December 31, 2020Potential changes in international data transfers after the transition period expiresPractical steps from a data protection perspective that companies should consider taking to prepare for the end…