Included in this Data Issues Roundup: ICO led global operation finds inadequacies in website privacy notices; EU court adviser deals setback to Facebook in privacy dispute; and Government responds to Brexit report on EU data protection package.
ICO led global operation finds inadequacies in website privacy notices
An international study, led by the ICO, has found that online privacy notices are often too vague and inadequate. There is significant room for improvement by organisations; who need to be more open, honest and clear in how they handle an individual's data.
As part of the study, the ICO reviewed 30 UK websites in the retail, banking and lending, and travel and finance price comparison sectors, identifying problems in the following areas:
- Failure to specify how and where data would be stored;
- Failure to explain whether they would share personal information with third parties (with only six making reference to their retention policy);
- Failure to provide clear instructions to users on removal of their date from the website; and
- Lack of clear instructions to a user on how to access data held about them.
Overall, the study found that some organisations still consulted out of date legislation and frameworks, with many of those offering services at international level unsure as to which legislation or jurisdiction applied.
Members of the Global Privacy Enforcement Network are looking to provide some guidance to data controllers to alleviate this issue.
The upcoming General Data Protection Regulations (GDPR) are a great opportunity for organisations to review and update their current website privacy policies and fair processing notices. At the heart of the GDPR are obligations of transparency and awareness. Website policies and notices are a useful tool for organisations to meet the GDPR obligations around fair and lawful processing, privacy by design and transparency.
EU court adviser deals setback to Facebook in privacy dispute
Yves Bot, Advocate General at the Court of Justice of the European Union (EU), has dealt Facebook a setback by stating that any data protection authority in the EU can take action against it for breaching privacy laws, even if its main establishment is in another member state.
The case originated from a dispute about a German fan page on the social networking site which gathered personal data on visitors to that page through cookies. The German court referred the case to the ECJ to decide whether a German authority had jurisdiction over Facebook in view of Facebook's Irish subsidiary who is responsible for its European data processing activities.
Although Yves Bots opinion is non-binding, views from an Advocate General tend to be followed by the Court’s judges and a final ruling should follow in the next few months.
The GDPR, which will be implemented in May 2018, introduces a one stop shop principle which ought to help multinational businesses like Facebook in that they only need to liaise with one lead supervisory authority in the member state of their main establishment. This should reduce the burden, uncertainty and inconsistency that presently exists under the Directive for businesses with business operations across member states.
Government responds to Brexit report on EU data protection package
Looking at the four elements of the EU's data protection package, the Committee report examined the options available to the Government for obtaining uninterrupted data flows following Brexit.
The report found that the best way to achieve unhindered data flow is to secure 'adequacy decisions' from the EC under Article 45 of the GDPR and Article 36 of the Police and Criminal Justice Directive to highlight that the UK has an equivalent standard of data protection to the EU. Without this arrangement, concerns could be raised about data-sharing in both commercial arrangements and law enforcement between the EU and its Member States after Brexit.
The Government said that it "wishes to secure unhindered and uninterrupted flows of data between the UK and the EU post-Brexit, to facilitate both trade and law enforcement cooperation." The Data Protection Bill (at committee stage in the House of Lords) aims to address this and move the UK towards an adequacy status following Brexit.