Join Hunton & Williams at the 2012 Europe Data Protection Intensive, now hosted by the International Association of Privacy Professionals (“IAPP”) in London, April 25-26, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:
Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:
- Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.
On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.
Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.
On February 7, 2012, the UK Ministry of Justice launched its Call for Evidence on the European Commission’s proposed general data protection regulation and criminal justice data protection directive (the “Proposals”). The Ministry is looking to gain perspective and solicit feedback on how the Proposals likely would impact organizations and individuals in the UK.
In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.
In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.
Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.
On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.
On January 12, 2012, Hunton & Williams hosted an hour-long webinar on the current enforcement environment in the U.S. and EU. The webinar, Current Trends in Global Privacy Enforcement, covered issues ranging from the Federal Trade Commission’s tougher approach to investigations to increased monitoring of corporate privacy practices by European data protection authorities. Hunton & Williams speakers included Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, London partner Bridget Treacy, London senior attorney Rosemary Jay and Brussels ...
On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.
On December 13, 2011, the Information Commissioner issued updated guidance on compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”)). Organizations were given a twelve-month grace period to comply with the new law. Initial guidance on the Regulations was released on May 9, 2011, but the Information Commissioner characterized that guidance as merely a “starting point for getting compliant rather than a definitive guide,” signaling that further advice would follow if appropriate.
Members of Parliament on the House of Commons Justice Select Committee have called for courts in the United Kingdom to be given greater powers to imprison and fine individuals who breach the Data Protection Act (“DPA”). The Committee stated in its October 18, 2011 report that the current penalties for unlawfully obtaining personal data (under Section 55 of the DPA) are an inadequate deterrent, and urged the government to exercise its power to introduce prison sentences without delay. Although currently a magistrates’ court can issue fines of up to £5,000 for breaches of Section 55 (and the Crown Court can impose unlimited fines), in practice, penalties often are limited to only a few hundred pounds.
On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.
Hunton & Williams announces that Rosemary Jay, formerly head of the privacy practice at Pinsent Masons and the former head of the legal team at the UK Information Commissioner’s Office, will join the firm’s Privacy and Data Security practice in October. Ms. Jay will be based in the firm’s London office. As a senior lawyer, Ms. Jay will bring more than 20 years of data protection experience to Hunton & Williams, enhancing both the firm’s renowned privacy practice and its Centre for Information Policy Leadership.
On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector. While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.
Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998. Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”
On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11. Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.
Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses. In return, Reding expects businesses to ensure “safe and transparent digital products and services.”
Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data. The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.
On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law. The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal. The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams.
On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium. His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States. Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK. Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:
- Greater independence for the Information Commissioner
- Safeguards against misuse of counter-terrorism stop and search powers
- Further regulation of the use of closed-circuit television monitoring
- Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults
On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands. EU law on the use of cookies is changing. Opt-in consent will be required, but specific requirements may differ across the EU. What are organizations doing to ensure compliance with the new cookie law? Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take. Learn about cookie compliance in France, Germany and the ...
On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins. Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent. This change poses significant practical challenges for website operators. In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.
On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data. As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing. By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.
On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe. As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.
On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”
On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.
On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.” In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.
On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).
Currently, there is wide debate throughout the EU regarding data breach notification requirements. The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011. The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.
The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards. The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts. The basis for the binding international agreement would be the Madrid ...
In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.
- Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
- A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.
On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices. The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK. Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.
The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK. The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”
While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.
On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK. The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly. Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.
On October 8, 2010, the UK Information Commissioner’s Office launched a consultation on a new statutory code of practice on the sharing of personal data.
As stated in the ICO’s press release, the draft code sets out a model of good practice, covering routine and one-off arrangements for sharing data with third parties. The code offers guidance on issues such as:
- The factors that an organization must take into account when deciding whether or not to share personal data
- The point at which individuals should be told that their data will be shared
- The security and staff training measures that must be implemented
- The rights of individuals to access their personal data
- Circumstances in which it is not acceptable to share personal data
The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.
Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website. The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.
On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise. The case has now been referred back to the New Zealand Privacy Commissioner. A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.
In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person." This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.
The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK. Responses must be submitted by October 6, 2010. “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties. I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.
On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online. Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience. But there are risks too. A record of our online activity can reveal our most personal interests. Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”
On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007. There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher. The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.
According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding. In addition, DPAs impose few sanctions for violations of data protection laws. DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.” In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.” ...
On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt. The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”
On April 8, 2010, the Digital Economy Act (the “Act”), containing provisions relating to online copyright infringement, network infrastructure and digital safety, became law in the UK. The Act’s main provisions include:
- new duties for the Office of Communications (the UK’s communications regulator), to report every three years on issues such as the UK’s communications infrastructure and Internet domain name registration;
- additional obligations on Internet Service Providers (“ISPs”) that seek to reduce online copyright infringement;
- increased penalties for online copyright infringement; and
- intervention powers with respect to Internet domain registries.
Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors. Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice. The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.
On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection. The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.
On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights. This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports. The move has raised concerns about the excessive collection of personal data.
On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches. These penalties are likely to take effect starting April 6, 2010. Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998. Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.
On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws. EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent. The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:
- The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;
Background
On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA"). This Consultation follows the Information Commissioners' publication of draft guidance this week, explaining the circumstances in which a fine will be imposed. The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.
The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.
Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser. Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009. He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws. He also served as a member of the European Union’s Article ...
The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday. As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.
On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.
Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.
The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.
The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”). The Regulations are expected to come into force as of October 1, 2009.
The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:
- Operating a privacy-friendly website
- Rights and protections for individuals
- Privacy choices and default settings
- Cyberspace and territoriality
The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.
The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.
Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.
The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code