Included in this issue: ICO publishes Brexit statement; EU-US Privacy Shield agreed; Pokémon Go personal data scare and more...
ICO publishes Brexit statement
The Information Commissioner's Office (ICO) has published a short statement following the UK referendum result. It confirms that the ICO shall be discussing the implications of the result and its impact on data protection in the coming weeks.
At this stage, it is not clear how the UK will renegotiate its relationship with the EU. Once the UK formally leaves the EU, the General Data Protection Regulation (GDPR) will not apply in the UK. However, since the GDPR comes directly into force across the EU from 25 May 2018, it will apply in the UK in the interim period until the UK exits the EU. In any event, the territorial scope of the GDPR means that organisations collecting and using personal information from citizens in the EU will need to comply with it regardless of where they are located. UK businesses handling personal data should continue preparations for the GDPR.
Following Brexit negotiations, it is highly likely that the UK would be required to prove that it has "adequate" data protection standards in place in order to be classified as a "safe" destination for EU personal data. It seems highly likely that the UK will enact provisions identical or very similar to the GDPR in order to achieve an adequacy ruling. It is unknown at this stage whether the UK would also be required to implement additional measures.
A copy of AG's Q&A on the Impact of Brexit on Data Protection is available here.
ICO publishes annual report for 2015/2016
The ICO has published its 2015/2016 annual report, highlighting key data protection issues from the last year. A particularly notable point was the large increase in fines levied by the ICO, which rose to almost £2m following changes to the law in April 2015. Key fines have been issued in relation to nuisance marketing and companies engaging in cold calling practices.
The report also highlights the ICO's achievements in 2015/2016, including its role in the right to be forgotten case involving Google, its role in the parliamentary cyber security inquiry, and its subsequent cyber security work and guidance highlighting technology risks. The report flags political uncertainty in relation to the Brexit result; however, it states that no major changes are expected to the UK data protection regime, or to the role of the ICO, for at least the next financial year.
UK government publishes Digital Economy Bill
The UK government has published the Digital Economy Bill (the Bill), which intends to improve internet connectivity across the UK and protect internet users. It aims to empower consumers and includes provisions designed to make it easier for them to make informed choices between communications providers. It also contains provisions to protect children from online pornography, by requiring age verification to access sites.
The Bill aims to strengthen the enforcement capabilities of the ICO, particularly in relation to direct marketing. It would give the ICO's Direct Marketing Guide statutory footing, making it mandatory for marketers to comply with the rules and easier for the ICO to pursue non-compliance.
ICO issues stop order to "sugging" firm
The ICO has issued a stop order against the nuisance call company Change and Save Ltd, which had falsely claimed it was phoning people as part of a lifestyle survey when it was actually trying to sell services, a practice known as "sugging". The direct marketing rules and related guidance issued by the ICO do not apply if an organisation contacts customers to conduct genuine market research. In this case, however, the calls went on to advertise will writing, funeral and legal services. Change and Save Ltd tried to argue that it was not subject to the direct marketing rules, but this argument failed.
The ICO's head of enforcement, Steve Eckersley, issued the following statement: "Firms trying to avoid direct marketing rules will be quickly found out… Trying to disguise a nuisance call as a survey or market research simply will not wash".
EU-US Privacy Shield agreed
On 12 July 2016, the EU Commission adopted the EU-US Privacy Shield, the framework agreement which will cover personal data transfers between the EU and the US.
The EU-US Privacy Shield intends to facilitate controlled and transparent personal data transfers between the EU and the US. It contains stronger obligations on companies handling personal data and provides a redress system for EU citizens who feel that their personal data has been mishandled. US companies will need to self-certify that they meet the requirements of the agreement. It also contains transparency obligations on the US government and the US has ruled out indiscriminate mass surveillance of personal data sent to the US under the EU-US Privacy Shield.
Pokémon Go personal data scare
Users of new gaming app Pokémon Go were alarmed to read that the app had ostensibly been given "full access" to their Google accounts after signing in using Google's shared sign-in service. If users had inadvertently granted full access to their Google accounts (which could include photographs, documents and emails), this would have constituted a major security vulnerability.
It seems, however, that this was a case of misinformation rather than a security vulnerability. Both Google and Niantic Labs, the Pokémon Go developers, have confirmed that they do not have full access to users' Google accounts. Reportedly, the issue occurred because Niantic Labs used an outdated version of Google's shared sign-in service, and a spokesperson for Niantic Labs said, "Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address)". It is likely that questions will be asked as to why Google misrepresented that higher levels of permission had been granted by users.