Category Archives: Consumer Protection

The ICO recently announced “subtle but significant” changes in its approach to data protection complaints about businesses made by the public. Consumer facing brands will want to stay on the right side of the law anyway – what will the changes mean in practice, and when does a business run the risk of enforcement action?  The ICO has launched a Consultation entitled ‘our new approach to data protection concerns’, running from 18 December 2013 to 31 January 2014, seeking to collect the views of ICO regulated organisations. The proposed changes are planned to take effect from 1 April 2014.  Why is the ICO’s approach changing? The ICO received 40,000 written enquiries or complaints, and 214,000 phone calls in 2012/13 from members of the public. In only 35% of these instances, had data protection legislation actually been breached. The ICO is therefore encouraging individuals to address their concerns to the organisation complained … Continue Reading ››
Datonomy considers the Germany authorities’ reaction to the PRISM affair, and the wider practical consequences this could have for international transfers being made under the auspices of U.S. Safe Harbor and model contracts. After the reports about extensive surveillance activities by foreign and European intelligence services, especially by the American National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) and possible transfers of personal data to them by American companies, European data protection authorities are raising their voices. In a letter dated 13 August 2013, the chairman of the Article 29 Working Party expressed his deep concern to the Vice-President of the European Commission, Viviane Reding, urging her to seek for more clarification from the U.S. as well as announcing the intention of the European data protection authorities to conduct own investigations regarding the compliance of foreign and European intelligence programs with EU data protection principles. Concrete actions have … Continue Reading ››
Draft rules coming into effect next month for communications service providers on when and how to notify data security breaches are the clearest indication yet of the obligations proposed for all data controllers under the draft General Data Protection Regulation. The new telco-specific regime includes some welcome concessions on when deadline for notifying regulators starts, and the circumstances when individuals need to be notified. Datonomy analyses the new rules. Who is the new regulation aimed at? Last week, the European Commission presented a new draft Commission Regulation on the measures applicable to the notification of personal data breaches under the E-Privacy Directive 2002/58/EC. This Regulation (like the notification requirements under the 2002 Directive) applies only to “providers of publicly available telecommunications services” and will come into force in August 2013. According to the E-Privacy Directive, telecom companies, internet service providers and other providers of publicly available electronic communications services (“CSPs”) are … Continue Reading ››

Earlier this week, a new set of online behavioural advertising (OBA) rules came into effect, aiming to secure transparency and control for web users. The new rules will be enforced by the ASA. As OBA is typically administered by the use of cookies, these rules supplement existing opt in and transparency rules for cookies under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations), which are enforced by the ICO.

As Datonomy readers are no doubt aware, OBA is a form of targeted advertising whereby third party advertising networks partner with websites from whom they collect data on users’ web viewing behaviour, in order to deliver them advertising that is more likely to be of interest. To illustrate by way of example, one of the Datonomy Home Team admits to being practically stalked by advertising for a particular brand of luxury handbag, as a result of … Continue Reading ››
Following wide range criticism from the opposition, the unions and various data protection officials, the German government coalition last week eventually withdrew its highly disputed bill for a new employee data protection regime in Germany. The bill, which the government had originally published in August 2010 and which had been substantially amended twice since then, was supposed to introduce new rules for the collection, processing and use of employee data prior to and during an employer-employee relationship. Amongst the most disputed regulations of the bill were various provisions which, subject to certain restrictions, allowed for
  • the use of tracking systems for the location of employees;
  • pre-recruitment medial examinations;
  • video surveillances of non-publicly accessible business premises;
  • the collection, processing and use of biometric data; and
  • the collection, processing and use of data generated through the use of telephone, internet or other telecommunication services.
According to senior government officials, additional discussions with the relevant stakeholders shall now take place before … Continue Reading ››
In a decision as of 6 March 2012 that covers aspects of consumer rights related to data protection, the Berlin regional court ruled that several clauses of Facebook Ireland Ltd.'s terms and conditions violate German consumer laws and are therefore void (LG Berlin, Judgement of 6 March 2012, 16 O 551/109). Facebook Ireland Ltd. is the contract partner of all Facebook users that are not residents of the USA or Canada. Firstly, the court said that the users' consent in Facebook's terms and conditions regarding the use of their personal data for advertising purposes is void. The reason for this assessment is not known yet - however, in a case against Google, the regional court of Hamburg had decided in 2009 that a consent provided in terms and conditions to a certain use of personal data unreasonably disadvantages a consumer if they are not specifically informed about the intended use of … Continue Reading ››
On 18 August the European Parliament published its 230-page legislative report: its full title is The Report on the proposal for a directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation. The Parliament has published a provisional text of the proposal as adopted at this first-reading stage.

The Datonomy blog hopes to bring further information on the progress of this set of proposals as it unfolds.