Included in this issue of Data & Privacy News: FCA refers itself to the ICO over data breach, Google plans to move British user's data to the US and more...


FCA refers itself to the ICO over data breach

The FCA has admitted that it exposed confidential information such as names, addresses and telephone numbers of about 1,600 individuals in November 2019 when it mishandled a response to a Freedom of Information Act request on its website. 

The responses related to the number and nature of complaints that the regulator handled between 2 January 2018 and 17 July 2019. 

The FCA has referred itself to the Information Commissioner's Office (ICO). 

Google plans to move British user's data to the US

Prompted by Brexit, Google is planning to move data and user accounts of its British users from the EU to the US, leaving the sensitive personal data of millions of individuals uncovered by GDPR. 

As part of the move, it is being suggested that Google will require British users to accept new terms of service referencing the new jurisdiction.

A particular concern being raised by this is that under Irish jurisdiction (which governs where the majority of EEA personal data held by Google is currently located), it would be difficult for British authorities to recover personal data (e.g. in a criminal investigation). The move to the US, however, does at least in theory allow British authorities to more easily obtain data from US companies under the Cloud Act. 

EC plans new rules to protect individuals from misuse of AI

The European Commission is intending to draft new rules to protect individuals from misuse of artificial intelligence (AI) technology, but some experts are dissatisfied that the published white paper did not provide more details. Thierry Breton, the Industry Commissioner, has suggested that this new legislation should be similar to the GDPR, including large scale fines, but critics say further detail is required. 

Slimmed-down EU draft regulations could be on the way

Telecoms and internet platforms could face a revised, slimmed-down EU draft of the ePrivacy regulation in the next few weeks as the European Commission and Croatia try to salvage the Regulation. 

Croatia, which is currently chairing meetings between the bloc's national governments, is proposing stripping out some of the more contentious measures in the draft ePrivacy Regulations to move it forward. 

The ePrivacy Regulation has stalled recently due reasons such as how its fits with GDPR, how to handle cookie walls and whether EU telecoms companies should be given more freedom to use customer information without consent. 

EDPB confirms data protection authorities will discuss cookie-consent guidelines in March

Joëlle Jouret, a legal adviser at the European Data Protection Board (EDPB), has said that national data protection authorities will revise cookie consent guidelines at the EDPB meeting between 19-20 March after several authorities adopted conflicting approaches. 

Many website publishers have complained that the introduction of recent national guidelines has caused differing interpretations of the rules making it difficult to adopt a global compliance approach to cookies. 

New Ofcom powers to police social media blasted by business and tech groups

Business and tech groups have blasted Nicky Morgan's plans to give broadcaster regulator, Ofcom, an expanded role in policing the internet, calling the plans "unworkable", "unrealistic" and a threat to free speech. 

Ofcom's new role was first proposed in an online harms legislation white paper in July 2019, and will see it place a duty of care on companies to safeguard users from illegal content.

All registered companies who use direct marketing must sign up to the ICO

The ICO has published a draft code on direct marketing to help ensure that organisations meet their obligations. All registered companies who use direct marketing must ensure that their practices comply with the law. The ICO is currently consulting on the content of the draft code until 4 March 2020.

As part of an extensive programme to ensure payment of the data protection fee, the ICO is contacting all registered companies within the UK to remind them of their requirement to pay.

Data breach unveiled at Estée Lauder

Cybersecurity researcher, Jeremiah Fowler, has uncovered a data breach in a database owned by Estée Lauder. 

More than 440 million user records containing information such as email addresses were found in plaintext in an open cloud database.  

Estée Lauder has not commented on the incident. 

Key contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile
Beatrice Duke

Beatrice Duke

Managing Associate, Commercial
Leeds

View profile
Carolyn Krampitz

Carolyn Krampitz

Managing Associate, Commercial Services
Germany

View profile