Category Archives: ICO

The Information Commissioner's Office (ICO), the UK's data protection regulator, is cracking down on the online gambling sector's use of personal data to promote online gambling. It has contacted around 400 companies to threaten them with fines of up to £500,000 if they are found to be collecting and using personal data for marketing in a manner which does not comply with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). In its press release, the ICO said it is writing to over 400 companies, all believed to be egaming marketing affiliates, demanding they set out how they use people’s personal details and send marketing texts, including where they got people’s personal information from and how many texts they sent.
What is the ICO worried about?
The ICO has expressed concern that the prolific use of affiliate marketing is resulting in a lack of accountability, …
What is the new code and what does it recommend?
On 7 October 2016 the Information Commissioner's Office (ICO) published a new code of practice on privacy notices, following its consultation back in February of this year. It provides guidance to organisations on how to make privacy notices more engaging and effective for individuals while emphasising the importance of greater choice and control over what is done with their data. The ICO has also published a useful checklist of the information that needs to be included in the privacy policy. You can check the ICO's privacy notice checklist here. The code rightly states that current privacy notices tend to be "too long, overly legalistic, uninformative and unhelpful" and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed or a short video explaining how …
The case of TalkTalk v ICO
UK: Service Providers must comply with the 24 hour notification rule when a customer provides a detailed complaint of a personal data breach
On August 30, 2016, the Information Rights Tribunal (the "Tribunal") dismissed an appeal from TalkTalk Telecom Group Plc ("TalkTalk") challenging a £1,000 monetary penalty which had been imposed on the company by the ICO for a delay in issuing a personal breach notification back in March 2016. Whilst a small amount of money, at stake was an important principle as to the point at which the time limits for notification of a security breach commence. The Tribunal held that the ICO did have a legal basis for imposing the monetary penalty notice. TalkTalk should have notified the data breach within 24 hours after the detection of the breach, and it was feasible for the company to have done so. Whilst this specific to the …
On 2 February the ICO announced that it had published a new code of practice relating to privacy notices, transparency and control, which aims to keep pace with the increasingly complex digital landscape and also take into account the broader transparency rules under the GDPR. The ICO’s current guidance, from 2010, is here.
‘Transparency’ under the GDPR
Although organisations are already required to provide certain details in relation to the identity of the data controller and the purposes for which the data is being collected, the GDPR will increase the amount of information which must be provided to individuals, including the rights available to them, information on data transfers and the source of the data. All information must be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language and tailored to the specific audience (including children). Organisations which fail to meet these requirements …
It is just over four years since Datonomy reported on the leak of the Commission's original DP reform proposals and, as most readers will have heard by now, last night the EU institutions reached political agreement on the General Data Protection Regulation. Agreement was also reached on the other part of the reform package, the less-reported-on Data Protection Directive for the police and criminal justice sector. We do not have final texts, although key Council analysis documents of the compromise texts for both the GDPR and the Directive have been leaked on the Statewatch website, and this, combined with reports from sources in Brussels, gives us an indication of where the key aspects of the Regulation have ended up. Datonomy will of course be analysing the finalised texts once these become available.
What's next? When will the new rules be in force?
The compromise texts will now go back to the Council and the …
The likely demise of the US Safe Harbor is dominating the data news headlines - but what else is happening in the world of data and cyber regulation? Datonomy provides a round up of other recent developments in Europe and Asia. With contributions from Andreas Splittgerber and Christian Leuthner in Germany, Sofia Fontanals in Spain and Matthew Hunter, Daniel Jung and Aisling O’Dwyer in Asia, in this update we cover:
  • EU policy and regulation including latest news from Brussels on the GDPR and NISD
  • News from the UK
  • News from Germany
  • News from Spain
  • News from Asia
EU POLICY AND REGULATION
  • GDPR and NISD: Commission President Juncker has yet again affirmed the “swift adoption” of the GDPR and NISD as priorities in this open letter of 9 September to the European Parliament. Below we take a more detailed look at the recent procedural progress of these two (not-so-swift) proposals.
Before Datonomy readers head off for their well-earned summer holidays, here’s a quick round up of “end of term” UK and EU regulatory activity. The weekly cyber update will also be taking a break during the rest of August, but will return - with batteries re-charged - in the Autumn to continue monitoring regulatory developments in the fields of data and cyber security.
EU POLICY AND REGULATION
  • Network and Information Security Directive: Another glimmer of progress in the long-running saga of the NISD, and in particular the still unresolved question of the extent to which online platforms will be caught by the new breach reporting requirements. Following the recent sighting of a Council document on the scope of “essential services” (reported last week), on 31 July another potentially very significant new document was listed on the Consilium website. Entitled “Proposed approach to digital service platforms”, this promising-sounding document is, at the time …