What is the new code and what does it recommend? On 7 October 2016 the Information Commissioner's Office (ICO) published a new code of practice on privacy notices, following its consultation back in February of this year. It provides guidance to organisations on how to make privacy notices more engaging and effective for individuals, while emphasising the importance of giving people greater choice and control over what is done with their data. The ICO has also published a useful checklist of the information that needs to be included in a privacy policy. You can check the ICO's privacy notice checklist here. The code rightly states that current privacy notices tend to be "too long, overly legalistic, uninformative and unhelpful" and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed, or a short video explaining how …
As part of our GDPR readiness webinar series, in this session we will look at the jurisdictional changes and challenges that the new Regulation (set to apply from 25 May 2018) presents. In particular, we will look at the following:
  • Does the Regulation provide for a uniform law across the EU or will different Member States have different provisions?
  • If not, which Member State’s law will apply in different circumstances?
  • What will be the extra-territorial application of GDPR to non-European entities – who is caught?
  • Which will be the lead regulatory authority and what will be its powers of enforcement?
  • What will the co-operation procedures be and what will be the role of the new European Data Protection Board?
  • What will be the effect of Brexit?
  • Q&A Session
Speakers: Dan Tench (Partner, Litigation), Anya Proops QC (11KBW) and Elle Todd (Partner and Head of Digital and Data), Olswang.
Date: Thursday 20 October 2016
Time: 3pm – 4pm GMT
To register for this webinar …
Security breaches always get a lot of press attention, but to date there haven't been many large fines imposed by the Information Commissioner's Office (the "ICO") in the UK. However, last week saw a big one (although some have questioned whether it is big enough), with TalkTalk being given a record GBP400,000 penalty for a violation of the DPA's seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk's failure to give notice to the regulator in due time, which we reported on: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/ This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015, exploiting vulnerabilities in certain webpages. Personal data of 156,959 customers, including financial information, was impacted, with the attacker accessing the personal data of all of those customers along with the bank account numbers and sort codes of 15,656 of them. When imposing …
The case of TalkTalk v ICO UK: Service Providers must comply with the 24 hour notification rule when a customer provides a detailed complaint of a personal data breach
On August 30, 2016, the Information Rights Tribunal (the "Tribunal") dismissed an appeal from TalkTalk Telecom Group Plc ("TalkTalk") challenging a £1,000 monetary penalty which had been imposed on the company by the ICO for a delay in issuing a personal data breach notification back in March 2016. Whilst a small amount of money, at stake was an important principle as to the point at which the time limits for notification of a security breach commence. The Tribunal held that the ICO did have a legal basis for imposing the monetary penalty notice. TalkTalk should have notified the data breach within 24 hours after the detection of the breach, and it was feasible for the company to have done so. Whilst this is specific to the …
On 14 July 2016, the US Court of Appeals for the Second Circuit ruled that Microsoft cannot be forced by US law enforcement to hand over customer emails stored in its Ireland data centre. At stake were fundamental questions about privacy in the cloud. The decision has been hailed by the technology sector and privacy campaigners around the world as a global milestone for the advancement of laws balancing the legitimate interests of law enforcement and individuals' right to privacy. But what does a US Court decision about data on a server in Ireland mean for cloud in Asia? In this post, we look at the Court's decision and why it is good news for the whole cloud ecosystem in Asia.
What was the case about? The case centred on a warrant issued by US law enforcement in a narcotics case. The warrant required Microsoft to hand over emails that were stored …
In the past year, we have seen Safe Harbor declared invalid and the EU-US Privacy Shield put in place, as well as the start of the countdown to GDPR compliance. Datonomy contributors Elle Todd and Rob Bratby join Jamie Davies from Telecom to discuss all things data and reflect on the changes to EU data protection regulation over the past twelve months. Find the article here.
Last week, Singapore's Minister for Home Affairs and Law announced plans to strengthen cybersecurity legislation as part of his government's National Cybercrime Action Plan, strengthening Singapore's position as a technology hub for the region and signalling a significant advancement in its Smart Nation Programme. Acknowledging the worrying trends in cybercrime rates and the evolving creativity of attackers, Mr Shanmugam emphasised the need for legislation to keep pace with national cybersecurity initiatives. The new Cybersecurity Act, announced earlier this year, is expected to be tabled in 2017. The legislation will aim to enhance law enforcement's investigative and enforcement powers and, significantly, advance the accountability of companies responsible for processing and/or collecting sensitive data. Previous commentary from the government on the new Cybersecurity Act focused more heavily on accountability for companies responsible for data collection and processing than last week's announcements, which considered cybersecurity more broadly. "A significant part of the legislation …

This blog discusses data protection law, practice and problems.