Data Protection

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.
Continue Reading EU Regulators Provide Guidance on Notice and Consent under GDPR

On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data.

The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate from basic rules in the new EU General Data Protection Regulation 2016/679 (the “GDPR”).  For instance, the GDPR allows countries in the EU to modify its rules or introduce additional sanctions where necessary to protect freedom of expression, research, or other public interest objectives.

The Bill would also apply “GDPR-like” rules to data that is not covered by the GDPR (such as data in unstructured paper-based files), implement of the new EU Police and Criminal Justice Data Protection Directive (the “PCJ DPD”), and set down privacy and data security rules for its intelligence agencies.

The Bill will now undergo further debate and amendment, and should hopefully clear both Houses of Parliament in advance of May 25, 2018, when the GDPR will become law in the UK subject to any modifications implemented by the Bill.

This post discusses some of the Bill’s salient points for commercial organizations.
Continue Reading UK Government Publishes New Data Protection Bill

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context.  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.
Continue Reading EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work

In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”
Continue Reading UK Starts 3-Week Consultation on GDPR Implementation

The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.
Continue Reading UK Company Fined For Buying And Selling Non-Compliant Marketing Databases

On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018.

The ICO is currently engaging in a public consultation on the draft guidance, which expires on