All posts by Greg Whitaker

Impact of Brexit on data protection: EU Home Affairs Sub-Committee hears evidence The EU Home Affairs Sub-Committee continues to hear evidence from various experts on the implications of Brexit on the "EU data protection package". Particularly notable are the comments of Elizabeth Denham, the UK's Information Commissioner, regarding her hopes for the UK post-Brexit. Unsurprisingly for Denham and perhaps reassuringly for business, "the right way forward… is to fully adopt the general data protection regulation". However should the UK do so, questions persist as to the ICO's role, particularly in relation to its standing with the European Data Protection Board (EDPB). Denham was keen to emphasise that the Government should do anything it can to ensure the ICO has "some status" on the EDPB. Should it not, the UK will be at the mercy of the Board's decisions, but be without influence over its policy. Lord O'Neil of Clackmannan, a Labour peer, was … Continue Reading ››
This week, the ICO published the latest version of its paper on big data, AI and machine learning. Though not an official GDPR guidance document or code of practice, the paper sets out the ICO's views on the issues and has been updated to show how big data, AI, machine learning relate to the GDPR (however not the new draft PEC Regulation). Of note to Datonomy readers are the six key recommendations the Paper gives to help organisations achieve data protection compliance in a "big data world". The ICO states that organisations should…
  1. Carefully consider whether the big data analytics to be undertaken actually requires the processing of personal data. Often, this will not be the case; in such circumstances organisations should use appropriate techniques to anonymise the personal data in their dataset(s) before analysis.
  2. Be transparent about their processing of personal data by using a combination of innovative approaches in order … Continue Reading ››
Yesterday the ICO published its much anticipated guidance on consent under the GDPR for public consultation. This is a key practical area of compliance for all businesses. The new test for consent under the GDPR is higher than under the current rules and the penalties for failing to obtain valid consent potentially much harsher; organisations will need to review their data collection notices and opt ins and potentially make changes to websites and apps to ensure they are compliant by May 2018. The guidance sits alongside the ICO's Overview of the GDPR and explains its recommended approach to compliance and what counts as valid consent. On the tricky issue of verifiable parental consent to children's use of social media, the ICO has promised further guidance at a later date. The consultation will run from now until 31 March 2017, and any comments on the guidelines should be sent … Continue Reading ››
As Max Schrems continues to do battle over Model Clauses in the Irish High Court, the Article 29 Working Party (WP29) has this week issued guidance surrounding EU-US Privacy Shield (Privacy Shield) related complaints. The guidance will be of note to any EU citizen wishing to complain about the handling of their personal data that has been transferred from the EU to one of the, as of 24 February, 1724 Privacy Shield registered organisations. It encompasses a template complaint form and Rules of Procedure and should provide parties concerned with all the information necessary to notify a breach under the 6 month old framework. The Rules of Procedure provide guidance on how an "Informal Panel of EU DPAs" (Panel) will operate in advising US organisations following a complaint. The Panel will aim to provide guidance within 60 days after receiving a complaint form. The complaint … Continue Reading ››
Yesterday, 10 January, the European Commission (EC) presented its formal proposals for the new ePrivacy Regulation. On initial analysis, the first official draft of the Regulation appears broadly similar to last month's leaked version, explored by Datonomy here. Datonomy will be providing a fuller analysis, however in the meantime the EC's Fact Sheet provides a useful starting point. The Commission's aim is to have the new Regulation adopted by 25 May 2018 when the GDPR takes effect. Olswang's Head of Digital and Data, Elle Todd, and Alex Dixie, the firm's Head of Adtech, will be taking a first look at the practical impacts of the new proposals in a webinar at 15:00 UK time on Thursday 19 January. Follow this link to register. In particular the webinar will examine:
 ‘If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary. In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself'. James Madison, 1788 (highlighted in the AG's opinion) Enabling a government to control the governed, whilst obliging it to control itself, is the dilemma with which the European Court of Justice (ECJ) has been faced in its preliminary ruling on the appeal decisions of Tele2 and Watson. In today's ruling against the UK Government, the ECJ has clarified that national governments need to respect EU standards on data retention in their domestic legislation. The ruling is a potentially embarrassing setback for Theresa May, as … Continue Reading ››
Yesterday (13 December) in time-honoured tradition, a draft proposal of the European Commission's (EC) new ePrivacy Regulation was leaked. The official draft of the proposal is not expected to be published by the EC until January 2017, and it is possible some of the detail will change before then. Datonomy will be providing fuller analysis of the real thing in the near future, but an initial look at the leaked draft – which (typos aside) gives a good indication of what to expect - reveals the following:
  1. It's a Regulation rather than a Directive (as predicted by Datonomy here)
As with the GDPR, this is intended to provide additional harmonisation and simplification. However, there are a number of areas where Member States can nuance provisions.
  1. A fining regime similar to GDPR
Offenders can expect turnover based fines. For example, fines of up to 2% of turnover, or up to 10,000,000 … Continue Reading ››