Directors of companies responsible for nuisance calls and other direct marketing privacy breaches may now be subject to monetary penalties, and several have already been banned from acting as directors.
Coming soon: A new ICO direct marketing Code of Practice with up to date practical guidance on applying the data protection and privacy rules.
On 9 July 2019, the UK Information Commissioner’s Office (ICO) published its annual report, containing details of its activities and financial statements between April 2018 and March 2019.
Activities include using its new powers of inspection, imposing 'record-breaking' monetary penalties, receiving concerns from 'record numbers' of people, and launching a formal investigation into the use of data analytics for political purposes. So it seems a lot of records have been broken in the year, though I suspect with the recent notices of intention to fine British Airways and Marriott, the current year may be pretty record-breaking too.
The progression of the EU Copyright Directive was a hot topic whilst I was on maternity leave, and it was finally adopted in April 2019. Meanwhile, UK trade secrets legislation snuck through under the radar, as the deadline for implementation of EU Trade Secrets Directive (9 June 2018) came and went.
The EU Copyright Directive was part of the EU Digital Single Market (DSM) strategy, and several other pieces of DSM legislation have also recently been adopted.
The second thing which didn’t happen whilst I was on maternity leave: The new EU ePrivacy Regulation wasn’t finalised. The new Regulation is due to replace the EU ePrivacy Directive and the UK’s current ePrivacy Regulations (commonly referred to as ‘PECR’).
Since my previous update from 2018: The GDPR is here! What now?, the UK Information Commissioner’s Office (ICO) and the EU European Data Protection Board (EDPB) have continued to publish new and updated guidance on the GDPR and UK Data Protection Act 2018. The EDPB has also provided its first Opinions. This article provides an overview on some key topics.
When I started my "10 things that happened…" series I decided that an update on social media legal issues would be interesting. Since then, I keep on discovering more and more publications and cases which I want to read and discuss. So there is a bit of a mixture in this article – a few top choices from my research.
The first of my two things that didn’t happen: Brexit. At least not yet. As with many other aspects of Brexit, it is difficult to plan ahead properly on legal issues without certainty on what is going to happen and when. Deal or no deal? Customs Union? Single Market? Or maybe we won’t leave at all… Legal concerns may be hugely different depending on the type of Brexit and when (or if) it happens.
Recent court judgments have some important conclusions relating to subject access requests (SARs) and, in particular, personal data relating to third party individuals. The relevant law for these cases is the Data Protection Act 1998. Similar principles will apply to equivalent rules under the GDPR and Data Protection Act 2018, though I have also raised some important differences in my article.
On 23 January 2019, Japan was recognised by the EU Commission as having sufficient data protection laws for the purposes of data transfers. This means that personal data can be transferred from the EU to Japan without the need for additional measures under Chapter V of the GDPR (though note that all the other requirements of the GDPR still need to be met in relation to such transfers).
There has been a lot of ICO enforcement action to catch up on. Most of this action has been under the previous Data Protection Act 1998 (as it relates to data processing activities prior to the application of the GDPR).
What happened in the legal world whilst I was on maternity leave? That’s what I’ve been catching up on. Whilst I was cuddling and playing over the past 10 months, some exciting legal stuff went on. In a series of 12 articles, I will discuss my top 10 things that happened, and my top two things that didn’t happen.
Up first: The GDPR had its first birthday.