Author

Joanna De Fonseka

Browsing

It has been two years since the GDPR came into force on 25 May 2018 and during that time, we have seen more guidance published at an EU level as well as from data protection authorities in Member States which has impacted how organisations approach areas of GDPR compliance. We have also seen enforcement action from data protection authorities across the EU and UK. There have also been other significant developments, over the past two…

On 4 May 2020 the European Data Protection Board (“EDPB”) adopted updated guidelines on consent under the GDPR (the “New Guidelines”). The New Guidelines supersede the guidelines on consent originally adopted by the EDPB’s predecessor, the Article 29 Working Party, on 10 April 2018 (the “2018 Guidelines”), and subsequently endorsed by the EDPB. The New Guidelines clarify the EDPB’s position on two specific issues: Cookie Walls – consent is not valid if access to a…

Joanna de Fonseka, a senior associate in Baker McKenzie’s London office, joins host Brian Hengesbaugh to discuss the use of contact tracing apps in the United Kingdom. Download and listen to learn: Takeaways from the recent guidance from the ICO on contact tracing appsKey privacy considerations as the use of contact tracing apps becomes a reality in the midst of the COVID-19 pandemicDevelopments at the EU level regarding contact tracing apps and mobility data https://open.spotify.com/episode/0jtEkAQeYjZKdZkKp0ewGX…

In the weeks and months ahead, contact tracing technologies will play a critical role in the societal fight against COVID-19, and the quest to restore order. A number of recent developments both in the European Union and the United Kingdom offer insight on the regulatory expectations in the widespread use of location data for this new health policy purpose. In this post, we summarise key points from the following UK and EU regulatory guidance, which…

On 15 April 2020 the ICO published a statement on its regulatory approach during the coronavirus pandemic. Recognising that operational and financial pressures caused by the coronavirus may impact organisations’ ability to fully comply with aspects of data protection laws, the ICO has stated it intends to apply an empathetic, “flexible and pragmatic” approach in its enforcement of data protection laws during the crisis, as well as any enforcement under the Freedom of Information Act…

With a changing digital landscape and emerging data driven technologies, the rules of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) are in need of updating. The proposed E-Privacy Regulation was intended to address new legal challenges and complement the General Data Protection Regulation (GDPR) in relation to privacy in electronic communications. The first draft of the E-Privacy Regulation was presented in January 2017, with the aim that it would be passed quickly and would apply from May…

On March 2, 2020, the Information Commissioner’s Office (ICO) issued a lead generator, CRDNN Limited (CRDNN), with a maximum £500,000 fine under the Privacy and Electronic Communications Regulations 2003 (PECR) for making more than 193 million automated nuisance calls.  The full monetary penalty notice can be viewed here. What happened? CRDNN first came to the ICO’s attention due to a significant number of complaints from subscribers regarding large volumes of unsolicited marketing calls marketing a number of…

The European Data Protection Board (EDPB) has published its draft guidelines on processing personal data in the context of connected vehicles for public consultation. The Guidelines have a wide reach and will apply to more than just vehicle manufacturers. We have summarised the key points and recommendations from the EDPB in the Guidelines below. The public can provide comments to the EDPB until March 20th, 2020. Thereafter, the EDPB will finalize and adopt the Guidelines,…

On February 19, 2020 the ICO published its draft guidance on the AI auditing framework for public consultation, which is open until April 1, 2020. We have summarised the key themes below. What is the draft guidance? The draft guidance, which runs to over 100 pages, provides advice and recommendations on how to understand data protection law in relation to artificial intelligence. It clarifies how to assess the data protection risks posed by AI and…

After January 31, 2020 the UK ceases to be a Member State of the European Union and, under the terms of the Withdrawal Agreement agreed between the UK and the EU-27, a transition period applies until December 31, 2020. From a data protection perspective, this has a number of implications. We have summarised the key points below, including what happens after the UK leaves the EU on January 31, the implications for international data transfers,…