Photo of Helena Marttila-Bridge

Helena Marttila-Bridge is an associate in the technology and media group in the London office who joined the firm as a trainee solicitor in 2009.  Her practice focuses on intellectual property, data protection, and information technology law, and encompasses regulatory compliance and advisory work.

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.
Continue Reading Company Receives Record Fine from UK Regulator For Cold Calling

On October 23, 2013, the European Parliament adopted a resolution calling for the suspension of an EU-US Agreement on the transfer of financial data for the purposes of the Terrorist Finance Tracking Program (the so-called “SWIFT Agreement”).  The resolution comes after allegations that the US National Security Agency (NSA) has had unauthorized access to EU citizens’ bank data held by the Belgian company SWIFT.

The SWIFT Agreement, which entered into force in 2010, permits the sharing of EU citizens’ bank data with US authorities for the purposes of preventing, investigating and prosecuting conduct pertaining to terrorism or terrorist financing subject to a number of data protection safeguards.

However, following the recent allegations that the NSA has had direct access to EU citizens’ financial payment messages and related data in breach of the SWIFT Agreement, the European Parliament adopted the resolution asking the European Commission to suspend the Agreement.  The resolution also calls for further investigations of the NSA spying allegations by requesting the Council and the EU Member States to authorize the Europol Cybercrime Centre to carry out a full on-site technical investigation and by inviting the Parliamentary Committee on Civil Liberties, Justice and Home Affairs to conduct a special inquiry into the mass surveillance of EU citizens.

Continue Reading European Parliament Calls for Suspension of the SWIFT Agreement following NSA Surveillance Claims

By Helena Marttila-Bridge and Colin Warriner

On 10 September 2013, the UK’s Information Commissioner (ICO) released new guidance on direct marketing.  The paper canvasses the marketing rules found in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, with the aim of helping companies to comply with the law when engaging in direct marketing activities.  Those activities remain broadly understood, and include the delivery of all promotional materials, including those with only a small marketing element, materials promoting not-for-profits like charities or political parties as well as market research activities if their real purpose is promotional.  Direct marketing also encompasses traditional forms of marketing (e.g., telesales, mailshots) as well as newer methods (e.g., online marketing and social networking).  However, the ICO suggests that advertising not targeted at particular recipients, such as website advertising that appears the same to all site visitors, is not covered by the direct marketing rules.

Continue Reading The ICO Publishes New Guidance on Direct Marketing

By Fredericka Argent and Helena Marttila-Bridge

On 21 February 2013, the ICO launched a consultation on its proposal for a new code of practice regulating the press in the UK.  The consultation is in response to the publication of the Leveson Report in November 2012, which recommended significant and wide-ranging changes to the structure and regulation of news reporting in the UK.  As we blogged here, the ICO responded to the Leveson Report with comments on the role of the Data Protection Act 1998 (the “DPA”) in regulating the press and promises to issue new press guidance.

The ICO has made clear that the code of practice is not intended to create any new legally binding obligations. Rather, the proposed code will lay down guidance on the application of section 32 of the DPA, which provides an exemption from compliance with certain data protection principles where personal data is processed, among other things, with a view to the publication of journalistic material in the public interest (the so-called “special purposes” exemption).  Although the precise content of the code of practice is a work-in-progress, the ICO has proposed to cover at least the following topics:

Continue Reading UK’s Information Commissioner’s Office Issues Consultation on Data Protection and the Press

On July 1st, 2012, the Article 29 Working Party (WP29), a group consisting of data protection authorities of all EU Member States, adopted a long-awaited opinion on cloud computing.  While acknowledging the advantages of cloud computing, the opinion sets out a number of data protection issues that may arise from the wide-scale deployment of cloud computing services by both businesses and administrations.  The opinion highlights that, in most scenarios, the cloud client is the controller of the personal data stored in the cloud and, therefore, it is the responsibility of the client to select a cloud service provider that can guarantee compliance with EU data protection legislation.   The opinion then sets out a number of recommendations that cloud clients should bear in mind when selecting a cloud service provider.  


Continue Reading Article 29 Working Party Publishes an Opinion on Cloud Computing

On 19 June 2012, the Article 29 Working Party (WP29), a group that gathers the data protection authorities of all twenty-seven EU Member States, published a working document that sets out a full checklist of the requirements that binding corporate rules (BCRs) for processors must meet.  BCRs are internal rules applying to entities of a multinational corporation that regulate the transfer of personal data originating in the European Economic Area (EEA).  BCRs are one of the ways to legitimately transfer personal data to countries outside the EEA which the European Commission has not deemed to provide an adequate level of data protection. 

BCRs have traditionally been adopted by companies acting as controllers over personal data but there has been discussion about expanding the application of the rules to service providers processing personal data on behalf of controllers, i.e., processors.  In fact, the current proposal for the EU data protection regulation would explicitly expand the use of BCRs to processors. The purpose behind  processor BCRs is to guarantee to the clients of processors that transfers of personal data made in relation with the performance of services by the processor are adequately protected under the EU data protection laws.

The WP29 working document sets out the elements that must be found in BCRs for processors and what needs to be presented to national data protection authorities in the BCR application.  The WP29 has provided similar guidance in the context of BCRs for controllers.  Key points from the working document include:

Continue Reading Article 29 Working Party Publishes Guidance on Binding Corporate Rules for Processors

On May 25, 2012, the UK’s data protection authority, the ICO, issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011).  As we have reported here and here, when the rules were first introduced in May 2011, the ICO granted UK website operators a “honeymoon” period of

In a judgment laid down on 16 February 2012 in the Case 360/10 Sabam v. Netlog, the Court of Justice of the European Union (CJEU) ruled that EU national courts cannot issue injunctions forcing social networks to monitor their sites for illegal file-sharing because such injunctions would not strike a fair balance between the rights of intellectual property holders, on the one hand, and the rights of social network users to privacy and freedom to receive or impart information, on the other.

The ruling was a response to a request for a preliminary ruling by a Belgian court in a case involving music royalties collecting society, SABAM, and a social networking platform, Netlog.  SABAM had claimed that Netlog’s platform was being used to make music and audiovisual copyright works available to the public without SABAM’s consent and without Netlog paying it any fees.  SABAM sought an injunction under European copyright laws that would have required Netlog to introduce a filtering system to monitor illegal file-sharing by its users. 

The Belgian court referred the case to the CJEU asking the Court to rule whether the fundamental right to privacy and freedom of expression, which are enriched in the EU Charter of Fundamental Rights, would prevent national courts from issuing such injunctions.

The CJEU held that a system, which would filter most of the information which is stored on a social network’s servers in order to identify and block on its servers electronic files containing copyright works, would not only result in a serious infringement of the freedom to conduct business, but would also infringe the social network users’ right to privacy because such system would involve the identification, systematic analysis and processing of personal data connected with the user profiles.  The injunction could also potentially undermine the freedom of information since the filtering system may not have adequately distinguished between unlawful content and lawful content — possibly resulting to the blocking of lawful communications.

Continue Reading EU Court Rules that Forcing Social Networks to Monitor the Internet Infringes Right to Privacy

On October 26, 2011, the French Data Protection Authority, the CNIL, published guidance on the implementation of the new cookie rules arising from the amendments to the EU e-Privacy Directive 2002/58/EC (the “Directive”).  The new cookie rules have been implemented into French national law via the ordinance of August 24, 2011, relating to electronic communications (the “Ordinance”).

Under the old rules, companies offering websites, mobile applications and other online offerings had to inform users that cookies were utilized and to supply them with information as to how to “opt-out” if the users objected to the cookie being created on their devices.  Companies would often incorporate this information into the website’s main privacy statement.

According to the new rules, it is not permitted to deploy cookies (i) without the user’s prior consent (“opt-in”), and (ii) without the user having been provided with clear and comprehensive information about the cookies.  Apart from suggesting in the interpretative language of the Directive that browser settings might be used to obtain a user’s consent, the Directive does not specify how these requirements should be met.  Instead, the interpretation of the rules is left for individual member states.

Continue Reading French Data Protection Authority Releases Guidance on the Use of Cookies