Blog post from multiple authors at the ICO detailing some of the ICO’s recent international cooperation work: including a meeting between EU supervisory bodies for the eIDAS regulation, a visit from senior investigators from the Office of the Privacy Commissioner of Canada, and participation in the 28th European Case Handling Workshop.
Blog post from multiple authors at the ICO detailing some of the ICO’s recent international cooperation work: including attendance at and participation in the 38th International Privacy Conference in Marrakesh (including a GPEN session), and a visit by ICO staff to the Office of the Personal Data Protection Inspector in Georgia.
The UK’s new Information Commissioner, Elizabeth Denham, delivered her initial speech at Ctrl-Shift’s “Achieving Growth through Trust” conference in London. She used the speech to outline her priorities and focus for the coming years, including a focus on the combination of privacy and innovation and the opportunities that arise from it. Part of the speech addressed the implications of Brexit for UK data protection law and the extent to which the GDPR is likely to apply in the UK context.
ICO blog post on the impacts of the collapse of the Safe Harbor arrangement following the Court of Justice of the European Union’s decision in the Schrems case, which found that the Safe Harbor arrangement did not ensure adequate protection for personal data transferred from the EU to the US in line with the eighth data protection principle. The post includes some contextual background, the implications for organisations, the need to act, and potential future developments.
ICO blog post drawing attention to the continued relevance of the guidance it has produced on the implementation and impacts of the EU General Data Protection Regulation.
A short statement presented by the ICO in response to the result of the UK referendum on membership of the EU.
“Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
“A company which sent more than 500,000 texts urging people to support its campaign to leave the EU has been fined by the Information Commissioner’s Office.”
The enforcement action was taken under Section 55 of the Data Protection Act 1998 in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
“The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.
The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on.”
On March 14, 2016, the Information Commissioner’s Office (ICO) released its first guidance on the subject, titled “Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now”. The guide sets out a series of recommendations intended to inform organisations’ data privacy and governance programmes ahead of the anticipated mid-2018 entry into force of the GDPR.
The guide highlights a number of the new requirements for organisations and the importance of early planning, as the requirements will be more onerous for data controllers. Organisations need to assess which parts of the GDPR are likely to have the most impact on them, such as: the legal bases for data processing and the handling of data breaches; documenting and reviewing the personal data they hold; privacy notices; the methods through which consent is obtained; and other proactive measures such as privacy by design (PbD) or data protection impact assessments (DPIAs).
The ICO announced that further guidance can be expected, but that organisations should begin planning their compliance efforts now in light of the GDPR. To support this, the ICO will listen to stakeholders’ concerns in the areas where support and guidance are required.
“When David Smith wrote about Safe Harbor back in October, he spoke about a critical few months that he hoped would see the emergence of Safe Harbor 2.0.
That process has taken a little longer than hoped, but after much activity in Brussels and Washington last week the European Commission announced the EU-US Privacy Shield. The Shield is intended to replace the Safe Harbor framework, previously recognised as providing adequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA.
The Article 29 Working Party, which is the grouping of European data protection authorities including the ICO, has consistently called for the European Commission and USA authorities to conclude their discussions on a replacement for Safe Harbor by the end of January. That deadline was met (just). The group met in Brussels last week to assess the latest position, as we said we would do back in October. The statement released on the back of that meeting last week welcomed the fact that the negotiations had concluded and the process to analyse what is proposed can start soon.
It is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the USA. The Article 29 Working Party will provide an opinion to the European Commission about the Shield, as envisioned under Article 30(1)(b) of the Data Protection Directive. It will also continue its work in assessing whether other transfer tools, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs) can act as effective safeguards for personal data transferred to the USA.
We’re very much aware that organisations have been seeking clarity about how they can transfer data to the USA in compliance with the Data Protection Act. Until the Article 29 Working Party has produced its opinion on the Shield, there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.
We’re clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA. Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to. It may be useful to contact organisations in the USA to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future.
The Article 29 statement mentions that data protection authorities will consider complaints about transfers under Safe Harbor. Our position remains the same as in October – whilst complaints can be considered, the usual ICO regulatory policy will be applied. We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.”