Included in this edition of data & privacy news: Join our Data Disputes Webinar on Tuesday 3 November; ICO issues final penalty of £20m to British Airways for data breach and more...


Data Download webinar: lessons learnt from the BA fine on Tuesday 3 November

Join our Data Management Team on Tuesday 3 November at Midday as they discuss the lessons learnt from the recent BA fine.

ICO issues final penalty of £20m to British Airways for data breach

The ICO has fined British Airways £20m for a data breach affecting more than 400,000 of its customers. 

During the investigation, the ICO found that the airline was breaching data protection law by processing large amounts of personal data without adequate security measures in place. Consequently, BA was the subject of a cyber-attack during 2018, which went undetected for more than two months.

The ICO issued BA with a notice of intent to fine in June 2019. This was finalised by the ICO after it received representations from the airline and considered the impact of the coronavirus pandemic on the business. 

Irish Data Protection Commissioner investigating Instagram over handling of children's personal data

Instagram, a social media app owned by Facebook, is being investigated by Ireland's Data Protection Commissioner (DPC) over its handling of children's data on the app.

Facebook could face a huge fine if it is found to have breached privacy laws by allowing email addresses and phone numbers of those under 18 to be made public.

Facebook is disputing the claims but assisting the DPC with its investigations.

House of Lords highlights concerns around granting of UK adequacy decision

The House of Lords has published a report on the future relationship between the UK and the EU in the business world, highlighting concerns that the UK will not be granted an adequacy decision for data transfers. 

The House of Lords is calling on the Government to push for an "assessment to be concluded as soon as possible, to give businesses in the UK and EU legal certainty and time to prepare".

ICO investigating 15 contact tracing companies for their data protection approach

The ICO is investigating 15 companies that provide contact-tracing services to pubs and restaurants for their data protection practices, including "direct marketing".

Reports suggest that some companies are exploiting QR barcodes to gather confidential information such as names and addresses and pass them on to marketers, credit companies and insurance brokers. Government guidelines clearly state that personal data collected should be kept for 21 days but should only be used for the NHS Test and Trace.

Governments sign statement pushing for backdoor into encrypted services

The UK, USA, Australia, Canada, New Zealand, India and Japan have all signed a statement asking technology companies to offer a backdoor into encrypted services. The statement asks for the safety of the public to be embedded in system designs and for law enforcement agencies to be able to access content in a readable and usable format when authorisation is lawfully issued.

End-to-end encryption gives users access to messaging services without owners being able to see the conversations. If this is stopped, then it could allow for malicious individuals to access private conversations. This has been criticised by many large technology companies, advocacy groups, as well as the general public.

Given recent findings by the CJEU in relation to the UK's surveillance legislation and the need for the UK to obtain an adequacy decision post-Brexit, this move may be seen by some as a signal of the UK's intentions for international co-operation in the future.

ICO publishes outcome of compulsory audit of Department for Education 

The ICO has published its summary of the audit it carried out on the Department for Education (DfE) in February 2020, implying that data protection was not being prioritised and this impacted the DfE's ability to comply with the UK's data protection laws.  

During the audit, 139 recommendations for improvement were made, with more than half being classified as urgent or high priority.

The DfE has been given pre-agreed timescales to make improvements and will be continually monitored by the ICO. If progress falls behind the schedule set, then enforcement action will follow. 

Key Contacts

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial and Data Protection
London