Tag: UK

On 3 July 2019 the ICO published its new Guidance on the use of cookies and similar technologies (Guidance) which replaces the previous guidance on cookies (last updated in May 2012) and complements the ICO’s guidance on cookies in its Guide to PECR. Why has the ICO published new guidance now? Currently, the use of cookies is subject to two overlapping regimes: the Privacy and Electronic Communications Regulations (PECR), which implement the e-Privacy Directive in the…

On 20th June 2019 the Information Commissioner’s Office (ICO) published its “Update report into adtech and real time bidding” setting out the ICO’s findings and views on data protection practices in the adtech industry. This follows a review by the ICO of the adtech industry including engagement with industry stakeholders. The review focused specifically on real time bidding (RTB) as, according to the ICO, this type of online behavioural advertising appears particularly challenging from a…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case. Review intra-group data processing arrangements: The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that: At the relevant time, Equifax did not have an adequate data…

In the first of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings. Background Facts: On 19 September the UK DPA, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest issued to date, for failing to protect the personal information of up to 15…

The UK has seen a successful collective action brought by data subjects against Morrisons, a large supermarket chain, relating to a data security incident. The claim itself relates to the actions of a rogue Morrisons employee who developed a grievance against the organisation and resolved to damage it. He was on the internal audit team and was the conduit for passing to the external auditor various information, including payroll information which was normally located on the…

2016 saw further seismic changes to the data protection framework globally and, in particular, the EU. The year heralded the long-negotiated GDPR, the NIS Directive, the Privacy Shield and ended with a flurry of further developments at EU and UK level. We have pulled together a summary of key developments as well as things to watch out for in 2017. Article 29 Working Party (“WP29”) Guidelines on GDPR: The WP29 adopted guidelines on three major GDPR requirements, namely: DPO; Lead…

Part of the b:INFORM 2015/2016 Cloud Survey Trend Series. Many banking regulators consider cloud computing to be a form of outsourcing. For supervised financial institutions, use of external cloud computing for material business functions is a regulated activity. Previously issued guidance by financial regulators on outsourcing and offshoring is likely to apply to cloud services, in addition to specific cloud related statements. Board Level Attention Required: The FFIEC in the US, the FCA in the UK, and APRA…

On 9 December 2015 the European Commission announced the first set of legislative proposals as part of its Digital Single Market (DSM) Strategy. The proposals include: Portability: The Commission has released its proposals for portability of content in the Community. The draft Regulation on ensuring the cross-border portability of online content services (‘the draft Regulation’) sets out that providers of AV content services must enable cross-border portability for their users. This will be important for content services and rights…

On 1 October 2015, the UK’s new Consumer Rights Act 2015 came into force. The Act is noteworthy because it establishes a new category of product called digital content and certain rights that consumers have when they buy such content. Any business with an e-commerce element aimed at UK customers will want to pay attention to these new developments. 1. What Is The UK Consumer Rights Act About? The Act provides certain rights and remedies for consumers…

Letting employees use their personal devices for work purposes can make good business sense for a company. Apart from potentially saving on overhead, many employees are happier and will work longer and more effectively if they can use their own devices for both professional and personal activities. Companies should nevertheless make sure they’ve covered off their data security and privacy risks before launching a bring your own device (BYOD) program. Security and privacy sometimes seem to…