The case of TalkTalk v ICO UK: Service Providers must comply with the 24 hour notification rule when a customer provides a detailed complaint of a personal data breach
On August 30, 2016, the Information Rights Tribunal (the "Tribunal") dismissed an appeal from TalkTalk Telecom Group Plc ("TalkTalk") challenging a £1,000 monetary penalty which had been imposed on the company by the ICO for a delay in issuing a personal data breach notification back in March 2016. Whilst a small amount of money, at stake was an important principle as to the point at which the time limits for notification of a security breach commence. The Tribunal held that the ICO did have a legal basis for imposing the monetary penalty notice. TalkTalk should have notified the data breach within 24 hours after the detection of the breach, and it was feasible for the company to have done so. Whilst this specific to the …
On 14 July 2016, the US Court of Appeals for the Second Circuit ruled that Microsoft cannot be forced by US law enforcement to hand over customer emails stored in its Ireland data centre. At stake were fundamental questions about privacy in the cloud. The decision has been hailed by the technology sector and privacy campaigners around the world as a global milestone for the advancement of laws balancing the legitimate interests of law enforcement and individuals' right to privacy. But what does a US Court decision about data on a server in Ireland mean for cloud in Asia? In this post, we look at the Court's decision and why it is good news for the whole cloud ecosystem in Asia. What was the case about? The case centred on a warrant issued by US law enforcement in a narcotics case. The warrant required Microsoft to hand over emails that were stored …
In the past year, we have seen Safe Harbor declared invalid and the EU-US Privacy Shield put in place, as well as the start of the countdown to GDPR compliance. Datonomy contributors Elle Todd and Rob Bratby join Jamie Davies from Telecom to discuss all things data and reflect on the changes to EU data protection regulation over the past twelve months. Find the article here.
Last week, Singapore's minister for Home Affairs and Law announced plans to strengthen cybersecurity legislation as part of his government's National Cybercrime Action Plan, strengthening Singapore's establishment as a technology hub for the region and signaling a significant advancement in its Smart Nation Programme. Acknowledging the worrying trends in cybercrime rates and the evolving creativity of attackers, Mr Shanmugam emphasised the need for legislation to keep pace with national cybersecurity initiatives. The new Cybersecurity Act, announced earlier this year, is expected to be tabled in 2017. The legislation will aim to enhance law enforcement investigative and enforcement powers and, significantly, advance the accountability of companies responsible for processing and/or collecting sensitive data. Previous commentary from the government on the new Cybersecurity Act focused more heavily on accountability for companies responsible for data collection and processing than last week's announcements, which considered cybersecurity more broadly. "A significant part of the legislation …
The Spanish data protection watchdog (AEPD) has launched a first call for companies to start adapting to the new General Data Protection Regulation (GDPR), which will take effect from 25 May 2018. GDPR represents a major change in the management and culture of personal data protection. The AEPD outlines the following key areas to prepare for implementation: 1. Consent. The GDPR sets out that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data. This excludes the so-called tacit consent, permitted by current Spanish data protection regulations. In the AEPD's view, consent obtained prior to the GDPR's entry into force will only be lawful provided that informed consent complies with the new GDPR rules when these take effect in 2018. Thus, the AEPD recommends that entities that until now have used …
The new Prime Minister won't have welcomed the publication yesterday of the European Court of Justice (ECJ) advocate general's legal opinion since it has potentially worrying implications for her Investigatory Powers Bill (dubbed by the media as the 'Snooper's Charter') and UK data transfers in a post-Brexit era. In a case initiated by a member of her own cabinet (David Davis, now minister for Brexit resulting in him dropping his name from the action at the beginning of this week), Labour MP Tom Watson and others, the matter concerned the data retention obligations placed on electronic communications services under the Data Retention and Investigatory Powers Act (DRIPA). The ECJ case linked these proceedings with a Swedish case on a similar point. First it is worth noting that the Advocate General's opinion is not legally binding and is only a recommendation. However it is often followed by the ECJ and his comments …
In what's turned out to be a great week for US privacy developments, hot on the heels of the Privacy Shield announcement, yesterday, 14 July, the 2nd US Circuit Court of Appeals gave its anxiously awaited judgment in the Microsoft search warrant saga. The case centred on a warrant in a US narcotics case requiring Microsoft to hand over emails that were stored on a Microsoft server in Dublin. After Microsoft refused, a District Court in Manhattan held in 2014 that Microsoft was compelled to hand the emails over. Microsoft appealed. At stake of course was not just some emails, but fundamental questions concerning the extent to which one country can extend its long arm of the law into another jurisdiction and the individual's rights to privacy and protection under their own domestic laws. No wonder then that this case quickly became a cause celebre not only for privacy …