What else is going on in Data Protection?
Other than the changes to the law on ‘cookies’, here’s a round-up of the other latest news in the data protection headlines.
Draft DP Regulation
The biggest change to data protection in the last 10 years has finally arrived with the publication of the draft Data Protection Regulation.
Member States now have the unenviable task of trying to agree the form of the regulations between them. The UK Information Commissioner has already expressed concerns with a number of the draft provisions (see detailed response).
The key changes that are proposed by the draft Regulation are:
- Regulation by one Member State – where an organisation processes personal data across a number of EU jurisdictions, instead of complying with the laws of each jurisdiction, the processing will be regulated by the laws of the Member State where that organisation’s ‘main establishment’ is located (or where the bulk of the processing takes place if there is none).
- Additional enforcement powers and sanctions – Data Protection Authorities will have an increased set of duties as well as enhanced enforcement powers. Penalties for intentional or negligent breaches of data protection law will reach a maximum of 2% of annual global turnover for "enterprises" or fines of up to 1 million Euros in other cases. The definition of what constitutes an "enterprise" is likely to be looked at closely prior to enactment.
- Mandatory security breach notification – data protection authorities must be informed of a data security breach by the data controller “without undue delay and, where feasible, not later than 24 hours of becoming aware of it”. Data subjects must then be informed “without undue delay” of the breach unless the relevant data protection authority is satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption.
- Consent – consent is given a new definition (which will be directly enforceable in the UK) – as “any freely given, specific, informed and explicit indication” of the data subject’s wishes. It cannot be relied upon without explicit prior authority from the individual where there is a significant imbalance of power between the data subject and the data controller (e.g. in employment scenarios). This new definition is likely to require most service providers to rewrite their terms and conditions and obtain ‘fresh’ consents from their customers to use their data, unless they have followed best practice and relied on ticked boxes (an opt-in).
- Data transfers outside the EU – there is considerably more detail on how to effect compliant data transfers outside the EU but a greater need for prior authorisation of transfers than is currently the case in the UK.
- New requirement to have a Data Protection Officer – organisations with over 250 employees will be required to have a designated ‘Data Protection Officer’ to help ensure the organisation’s compliance with data protection law (subject to limited exceptions).
- Data controllers and data processors – for the first time, data processors which process data on behalf of their client organisations are liable for complying with data protection rules.
- Right to be forgotten – individuals will now have the right to have their personal data removed from online records under certain circumstances. There are exceptions to this right, including where the personal data is necessary for exercising freedom of expression or is held for historical, statistical and scientific research purposes.
- Right to data portability – in order to make it easier to move from one online service to another, individuals will now have the right to obtain a copy of their data in a particular format where that data is processed electronically and in a commonly used, structured format.
- Right not to be profiled – individuals have an enhanced right not to be subject to any measures based on automated ‘profiling’ processes.
- Additional administrative requirements – the general obligation to notify has gone but has been replaced with a more onerous obligation to maintain a form of compliance register and to conduct prior privacy impact assessments where processing operations present specific risks to individuals’ rights.
Protection of Freedoms Bill
The UK’s new Protection of Freedoms Bill, covering issues such as fingerprinting, use of CCTV and the extension of the organisations covered by the UK Freedom of Information Act 2000 (“FOIA”), is undergoing its final reading in the House of Lords before receiving royal assent. It also makes changes to criminal records checks.
Freedom of Information Act 2000
The FOIA has also recently completed a review in the UK by the Parliamentary committee. The aim of the review is to identify whether the FOIA’s stated objectives (transparency about decisions made affecting public spending) have been met in a cost efficient and proportionate manner. The outcome of this review will be published in Download once available.
The UK Information Commissioner has also recently released guidance on the disclosure of emails in private email accounts such as Yahoo or Hotmail where the emails are used in the course of public authority business.
ICO publishes revised DPA monetary penalties guidance
The UK Information Commissioner has issued new guidance on the exercise of its power to impose monetary penalties for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003. The guidance provides examples of circumstances which may warrant a penalty, including making a large number of automated marketing calls based on recorded messages, or sending large numbers of marketing text messages to individuals who have not consented to receive them, particularly if distress and anxiety is caused to the recipients.
Other examples are systematic failings in the processes to record and respect marketing objections, which lead to an organisation persistently sending marketing faxes to recipients who have clearly objected. A person covertly tracking someone’s mobile location data will also be covered.
"There is a lot of compliance work to be getting on with in preparation for all the forthcoming changes to data protection rules in the UK."