On 7 August, the UK government released its statement of intent, which set out its proposals for a Data Protection Bill (the “Bill”) to replace the Data Protection Act 1998 (“DPA”) and “bring data protection laws in the UK up to date”.

In the foreword to the statement of intent, Matt Hancock, Minister of State for Digital, outlines that the Bill, due to be published in September, will “allow the UK to continue to set the gold standard on data protection”.

The Bill’s primary function will be to bring the EU General Data Protection Regulation (“GDPR”) into domestic law (although technically the GDPR will have direct effect in the UK from 25 May 2018, the government appears to be taking this approach to ensure these new data protection laws will continue to apply following Brexit). A summary of the primary changes that the GDPR will …

It is estimated that 70% of employers now screen the social media profiles of job candidates as part of their recruitment process. In light of these practices, last month the Article 29 Working Party issued a series of guidelines in an attempt to safeguard the privacy of job applicants. The Working Party has warned employers that they should not assume they can process data gathered from an individual’s social media profile just because it is publicly available. The guidelines recommend that there should be legal grounds to justify this type of processing, such as legitimate interests. Employers are also advised to consider whether the social media profiles of job applicants are ‘related to business or private purposes’ as this can be an important indication of the legal admissibility of the data inspection. In addition, the Working Party has indicated that applicants should be informed if social media screening will take place, …

On 4 July 2017, the ICO took a step forward in protecting the privacy of the UK public from overseas data protection threats and risks by publishing its first ever International Strategy document. This document supports the earlier ICO 'Information Rights Strategic Plan 2017 - 2021' document and is set to help the ICO meet overseas data protection challenges in a globalised world, including those in relation to key areas such as the GDPR and Brexit. The document sets out what the ICO sees as its main international concerns over the next four years, which are:
  • Operating as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
  • Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies.
  • Ensuring that UK …

In order to support the application of the General Data Protection Regulation (GDPR), the European Commission’s Directorate-General for Justice and Consumers is establishing a new expert group comprising various stakeholders, including academics, legal practitioners and organisations. The 27-member group will support the early preparation of possible implementing and/or delegated acts, and provide stakeholders with an opportunity to share their experiences in applying the GDPR. As Datonomy readers will already be aware, there are a number of issues in the GDPR where there is scope for the detailed application to be fleshed out by means of these Commission-made measures. Organisations may well want to take the opportunity to influence this detail. Specifically, this year the Commission intends to launch studies on certification mechanisms and standardised icons in order to assess whether there would be added value in adopting delegated and/or implementing acts in these areas. The Commission would therefore …

Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation ("Proposal") has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party ("WP29") and the European Data Protection Supervisor ("EDPS") have joined the chorus. Though both independent bodies are pleased with the concepts in the legislation, both express various concerns, with WP29 describing theirs as particularly 'grave'. Those (grave) concerns, alongside some recommendations, are explored in detail below.

EDPS: concerns over consent, tracking and cookies

As expected, in his Opinion the EDPS welcomes various parts of the Proposal, including the legislators' choice for a regulation rather than a directive, and the extension of scope to over-the-top (“OTT”) communications services such as Skype and WhatsApp. The Commission's ambition to bring all publicly accessible networks and services within the scope of the confidentiality requirements is also praised. However, though the EDPS …

The Article 29 Working Party ("WP29") has recently adopted new General Data Protection Regulation ("GDPR") Guidance, this time focusing on Data Protection Impact Assessments ("DPIAs"). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR. Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement. Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr by 23 May 2017.

What is a Data Protection Impact Assessment?

DPIAs are not a formal requirement …

The current data protection landscape in Indonesia

Until recently, Indonesia has had a largely patchwork approach to personal data protection. There is not currently a single comprehensive data protection law or regulation; nor, for example, are there any regulations specifically addressing cookies and location data. Overall, the scattered guidance is found in regulations relating to employees; banks; criminal procedures; human rights; health; financial services; and the more detailed Electronic Information and Transactions Law (Law No. 11 of 2008) ("EIT Law") and its implementing regulations, among others. In 2012, Indonesia passed Government Regulation 82 ("GR82"), implementing various aspects of the EIT Law but with a key focus on ensuring that electronic system operators for "public services" use Indonesia-based data-centres. The scope of "public services" is still somewhat unclear but it has the potential to cover both government organisations and certain public-facing private sector businesses (which may include certain organisations in banking, insurance, health, …

this blog discusses data protection law, practice and problems