Included in this issue: New Information Commissioner appointed; Nuisance call company fined £50,000 by the ICO; GDPR published in the Official Journal of the EU and more...
New Information Commissioner appointed
Elizabeth Denham has been appointed as the new UK Information Commissioner, following confirmation from the Culture, Media and Sport select committee. Subject to approval from the Queen, Ms Denham will take over from Christopher Graham on 28 June 2016, leaving her current role as the Privacy and Information Commissioner for British Columbia, Canada.
Ms Denham will face the challenge of preparing the UK for the incoming General Data Protection Regulation (GDPR), which comes into full force on 25 May 2018.
Nuisance call company fined £50,000 by the ICO
Nevis Home Improvements Ltd, a home improvements energy efficiency company, has been fined £50,000 by the ICO for making over 2.5 million recorded phone calls, causing 175 complaints to be made. The penalty was issued due to a serious contravention of Regulation 19 of the Privacy and Electronic Communication (EC Directive) Regulation 2003, which restricts the use of automated calls.
This is the 19th company to be fined by the ICO since changes to the law in April 2015 made it easier to punish nuisance callers. Over £2 million in fines has been issued since April 2015, compared to £360,000 during the previous 12 months. Companies should check their direct marketing strategies to ensure that they don't fall foul of the rules.
GDPR published in the Official Journal of the EU
Organisations have just over two years to prepare for the arrival of the GDPR, which will come into force on 25 May 2018, following its publication in the Official Journal of the EU on 4 May 2016.
Harmonising data protection rules across Europe, the GDPR grants new rights for data subjects, including the right of data portability, enhanced rights of erasure, and the right to object to profiling. Higher levels of consent will also apply, meaning that it is important for organisations to review their consent processes. Organisations processing large amounts of data will be required to appoint a data protection officer. Increased fines of up to 4% of worldwide turnover, or 20 million Euros (whichever is higher), should provide a clear incentive for organisations to make GDPR compliance a priority.
EU Commission proposes completion of new EU-US data protection "Umbrella Agreement"
The EU Commission has proposed that the EU should adopt an Umbrella Agreement with the US, which will regulate the transfer of personal data between EU and US law enforcement agencies. The Umbrella Agreement, which will serve as a means to cover all personal data exchanged between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism, will provide safeguards for data subjects and allow EU citizens to have access to the US courts in the event of privacy breaches. EU Parliamentary approval will be required before the EU Council can conclude the agreement.
Passenger name record (PNR) data directive published in Official Journal of the EU
EU member states have until 25 May 2018 to implement the PNR data directive into national law. The directive, aimed at detecting, preventing and enabling prosecution of terrorism offences and serious crime, requires airlines to provide PNR data for flights entering and leaving the EU. Member states will be required to establish a competent authority to receive the PNR data and to appoint a data protection officer to monitor the processing of such data. Some countries, including the UK, already have processes in place, so they can begin collecting data once the directive has been implemented into national law. The publication of the PNR data directive coincides with that of the GDPR, and the two will come into force on the same date.