Back in 2013, we published a blog post entitled, “European Regulators and the Eternal Cookie Debate” about what constitutes “consent” for purposes of complying with the EU’s cookie rules. The debate continues… Yesterday, the ICO published new guidance on the use of cookies and a related “myth-busting” blog
Continue Reading ICO Updates Guidance on Cookies and Similar Technologies
United Kingdom
ICO issues draft code of practice on designing online services for children
Earlier this month, the UK’s Information Commissioner’s Office published a draft code of practice (“Code”) on designing online services for children. The Code is now open for public consultation until May 31, 2019. The Code sets out 16 standards of “age appropriate design” with which online service providers should comply when designing online services (such as apps, connected toys, social media platforms, online games, educational websites and streaming services) that children under the age of 18 are likely to access. The standards are based on data protection law principles, and are legally enforceable under the GDPR and UK Data Protection Act 2018. The Code also provides further guidance on collecting consent from children and the legal basis for processing children’s personal data (see Annex A and B of the Code). The Code should be read in conjunction with the ICO’s current guidance on children and the GDPR.
Continue Reading ICO issues draft code of practice on designing online services for children
ICO opens beta phase of privacy “regulatory sandbox”
On March 29, 2019, the ICO opened the beta phase of the “regulatory sandbox” scheme (the “Sandbox”), which is a new service designed to support organizations that are developing innovative and beneficial projects that use personal data. The application process for participating in the Sandbox is now open, and applications must be submitted to the ICO by noon on Friday May 24, 2019. The ICO has published on its website a Guide to the Sandbox, which explains the scheme in detail.
The purpose of the Sandbox is to support organizations that are developing innovative products and services using personal data and develop a shared understanding of what compliance looks like in particular innovative areas. Organizations participating in the Sandbox are likely to benefit from having the opportunity to liaise directly with the regulator on innovative projects with complex data protection issues. The Sandbox will also be an opportunity for market leaders in innovative technologies to influence the ICO’s approach to certain use cases with challenging aspects of data protection compliance or where there is uncertainty about what compliance looks like.
The beta phase of the Sandbox is planned to run from July 2019 to September 2020. Around 10 organizations from private, public and third sectors will be selected to participate. In the beta phase, the ICO is focusing on data processing that falls within the remit of UK data protection law.
Continue Reading ICO opens beta phase of privacy “regulatory sandbox”
European Regulators Are Intensifying GDPR Enforcement
Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced. Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging. Enforcement appears…
Continue Reading European Regulators Are Intensifying GDPR Enforcement
IoT Update: The UK publishes a final version of its Code of Practice for Consumer IoT Security
By Grace Kim and Siobhan Kahmann
Following an informal consultation earlier this year – as covered by our previous IoT Update here – the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) published the final version of its Code of Practice for Consumer IoT Security (“Code”) on October 14, 2018. This was developed by the DCMS in conjunction with the National Cyber Security Centre, and follows engagement with industry, consumer associations, and academia. The aim of the Code is to provide guidelines on how to achieve a “secure by design” approach, to all organizations involved in developing, manufacturing, and retailing consumer Internet of Things (“IoT”) products. Each of the thirteen guidelines are marked as primarily applying to one or more of device manufacturers, IoT service providers, mobile application developers and/or retailers categories.
The Code brings together what is widely considered good practice in IoT security. At the moment, participation in the Code is voluntary, but it has the aim of initiating and facilitating security change through the entire supply chain and compliance with applicable data protection laws. The Code is supported by a supplementary mapping document, and an open data JSON file which refers to the other main industry standards, recommendations and guidance. Ultimately, the Government’s ambition is for appropriate aspects of the Code to become legally enforceable and has commenced a mapping exercise to identify the impact of regulatory intervention and necessary changes.
Continue Reading IoT Update: The UK publishes a final version of its Code of Practice for Consumer IoT Security
UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows
On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”). The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.” One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.
Data privacy standards in the UK to remain the same
In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today. This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law. The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data).
Continue Reading UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows
The UK Adopts Data Protection Act 2018
Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament.
The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998.
Notable provisions that make use of the ability…
Continue Reading The UK Adopts Data Protection Act 2018
Covington Artificial Intelligence Update: House of Lords Select Committee publishes report on the future of AI in the UK
Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived opportunities to risks and challenges. In addition to scoping the legal and regulatory landscape, the Report considers the role of AI in a social and economic context, and proposes a set of ethical guidelines. This blog post sets out those ethical guidelines and summarises some of the key features of the Report.
Continue Reading Covington Artificial Intelligence Update: House of Lords Select Committee publishes report on the future of AI in the UK