Included in this issue of Data & Privacy News: ePrivacy regulation unlikely to apply before 2021; New UK standards to help protect self-driving cars from hacking; Mobile networks leave millions of customers open to text scams that take payment through phone bills and more...


Legislation update

Draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 laid before Parliament

The draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 have been laid before Parliament in preparation for the UK's withdrawal from the European Union. 

The draft Regulations merge the General Data Protection Regulation (GDPR) and applied GDPR into the "UK GDPR". They also amend other primary and subordinate legislation to ensure that the UK legal framework for data protection continues to function correctly after exit day.

The Regulations will fully come into force on exit day.

ePrivacy Regulation unlikely to apply before 2021

Issues such as processing of electronic communications data, protection of terminal equipment, privacy settings and supervisory authorities remain unresolved in the ePrivacy Regulation, so it is unlikely that the Regulation will apply before 2021.

The Council of the EU still has to finalise its approach before the trialogue on the final version of the draft Regulation for adoption can commence between the Council of the EU, the European Commission and the European Parliament. It is predicted that this trialogue will not start until after the European elections in May 2019.

The latest draft of the Regulation also includes a provision that it will apply 24 months from its adoption date.

US Privacy Shield progress slow

Progress with the US Privacy Shield agreement is slow, with many of the recommendations made in the 2017 review requiring further evaluation due to late implementation by the US.

The main issue identified in the 2018 review was the same as that mentioned in the 2017 review: the lack of a permanent ombudsperson. The European Commission has set a deadline of 28 February 2019 for an appointee to be identified, failing which the Commission will "consider taking appropriate measures" against the US.

ICO takes action against care homes over failure to pay data protection fee

The Information Commissioner's Office (ICO) has initiated formal enforcement action against care homes for failure to pay the new data protection fee, warning that they could face a maximum fine of £600.

Care homes do not fall within the exemptions for the data protection fee as they process particularly sensitive personal information for health and patient care.

Organisations have 21 days to respond to the ICO's notice. Payment of the fee will prevent action being taken.

New UK standards to help protect self-driving cars from hacking

The British Standards Institute has published cyber security standards aimed at protecting self-driving cars from cyber-attacks. 

The guidance, funded by the Department for Transport, has been developed with the help of academics and experts from Jaguar Land Rover, Ford, Bentley and the National Cyber Security Centre.

The standards should act as a marker for those developing self-driving car technology.

Mobile networks leave millions of customers open to text scams that take payment through phone bills

Mobile networks are exposing millions of customers to text scams that allow money to be taken directly through their phone bills, often for services that they do not require or have never consciously signed up for.

Despite many customers complaining about the unexpected charges on their phone bills, regulators have allowed some of the third-party companies to continue operating with impunity.

The text scams work through direct carrier billing, a system run by O2, Vodafone, EE and Three, which allows customers to buy goods or services on their mobiles at the click of a button rather than using card details.

Key Contacts

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK
