Tag Archives: UK Information Commissioner’s Office (ICO)

ICO Updates Guidance on Cookies and Similar Technologies

Back in 2013, we published a blog post entitled, “European Regulators and the Eternal Cookie Debate” about what constitutes “consent” for purposes of complying with the EU’s cookie rules.  The debate continues…  Yesterday, the ICO published new guidance on the use of cookies and a related “myth-busting” blog post.  Some of the “new” guidance really … Continue Reading

ICO opens beta phase of privacy “regulatory sandbox”

On March 29, 2019, the ICO opened the beta phase of the “regulatory sandbox” scheme (the “Sandbox”), which is a new service designed to support organizations that are developing innovative and beneficial projects that use personal data.  The application process for participating in the Sandbox is now open, and applications must be submitted to the … Continue Reading

UK Issues Regulations on Post-Brexit Data Protection Law

Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks.  These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU.  Broadly speaking, these regulations are intended … Continue Reading

Information Commissioner’s Office Issues Guidance on UK Data Protection Law in the Event of a “No-Deal” Brexit

On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal.  Much of this latest guidance is consistent with the ICO’s earlier guidance on … Continue Reading

European Regulators Are Intensifying GDPR Enforcement

Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced.  Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging.  Enforcement appears to be ramping up significantly.  … Continue Reading

ICO consults on privacy “regulatory sandbox”

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies … Continue Reading

GDPR Applies From Today

The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018.  It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data. It is unclear how aggressively the … Continue Reading

GDPR Contracts and Liabilities Between Controllers and Processors

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.… Continue Reading

UK Government Proposes Cybersecurity Law with Serious Fines

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading

The Information Commissioner’s Office Publishes a Consultation Paper on Profiling and Automated Decision-Making under the GDPR

By Dan Cooper and Rosie Klement On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018. The public consultation on … Continue Reading

UK Information Commissioner’s Office Publishes Draft Guidance on Consent under the GDPR

By Dan Cooper and Rosie Klement On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018. The ICO is currently engaging in a public consultation on … Continue Reading

Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.”  The ICO highlighted several  technical and organizational deficiencies as justification for issuing its largest fine to-date.  Many … Continue Reading

UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation

By Phil Bradley-Schmieg and Gemma Nash On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint. Commission Regulation … Continue Reading

ICO Publishes New Guidance On Encryption

On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption.  The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption.  There is no legally-binding requirement under UK data protection law to encrypt data, either when static or … Continue Reading

Company Receives Record Fine from UK Regulator For Cold Calling

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.… Continue Reading

EU DPA Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an … Continue Reading

UK ICO Issues Largest Ever Fine In Connection With Automated Marketing Calls

The UK Information Commissioner’s Officer (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls.  The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly … Continue Reading

Regulators in the U.S. and U.K. Monitoring Mobile Apps and Websites Directed at Children

By Megan L. Rodgers What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues. The FTC recently released a follow-up report on privacy notices in mobile apps directed … Continue Reading

ICO Fines Insurance Company £175k for Data Security Breach, Criticising Lack of Policies

By Mark Young and Tom Jackson On February 20, 2015, the Information Commissioner’s Office (“ICO”) fined Staysure.co.uk Ltd (“Staysure”), an online travel insurer, £175,000 for failing to protect its customers’ personal data.  In addition to technical vulnerabilities, the ICO took into account Staysure’s lack of security policies and practices when levying the fine. In short, … Continue Reading

The UK’s Data Protection Regulator to Introduce “Privacy Seals” for Businesses

By Fredericka Argent The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK.  The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection … Continue Reading

UK Data Protection Regulator Surveys Use of Smart Medical Devices

By Phil Bradley-Schmieg The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps. The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance … Continue Reading

ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras.  Among other topics, the ICO uses the Code to begin to address privacy practices for drones.  Drones are not new, but two factors are now making questions about drones and privacy practices more pressing.  First, many … Continue Reading

Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period of … Continue Reading

The ICO Publishes New Guidance on Direct Marketing

By Helena Marttila-Bridge and Colin Warriner On 10 September 2013, the UK’s Information Commissioner (ICO) released new guidance on direct marketing.  The paper canvasses the marketing rules found in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, with the aim of helping companies to comply with the law … Continue Reading
LexBlog