In preparation for European Data Protection Day on 28 January, the ICO commissioned a survey on attitudes towards data protection. The YouGov poll revealed growing public concern over data privacy and security.

Of more than 2000 respondents questioned:

  • 95% considered it “very or fairly important” that companies were clear from the outset about how their personal data would be used
  • 94% said it was “very or fairly important” for their personal data not to be shared with third parties
  • 20% would definitely stop using the services of a company that had incurred a data security breach, and 57% would consider ceasing to use the services of such a company

The survey results suggest that protection of personal data has become a far higher priority for individuals. With the new General Data Protection Regulation (GDPR) looming, companies that incur data breaches already face the prospect of increased enforcement action and higher regulatory fines (as the ICO’s maximum fining powers increase from £500,000 to 4% of worldwide turnover). Companies may also be faced with individuals “voting with their feet” and taking their business elsewhere, even if they are not personally affected by the data breach.

The ICO has already made headway in considering the GDPR and its implementation. On 26 January, it hosted a European Data Protection Reform workshop, in which stakeholders were invited to discuss what they considered to be the key issues and implications for data controllers of the data protection reforms. Key themes explored during the workshop included:

  • How to approach data subject access requests involving pseudonymised data
  • Whether trade organisations should issue their own guidance on compliance
  • Whether there are differences between ‘explicit’ consent (which will be required for profiling), and ‘ordinary’ consent
  • How the ‘Code of Conduct’ under Article 38 of the draft text would work in practice

The message from the ICO is that not much will change under the GDPR, and it may be possible to “tweak” much of its existing guidance. Nevertheless, the ICO has welcomed the feedback it has received as it considers what more needs to be done to prepare for the new rules.

In a separate development on Data Protection Day, the U.S. Senate Judiciary Committee approved a bill that would grant EU citizens a right of redress in U.S. courts, by way of a right to allege U.S. government misuse of the individual’s personal data. Such right of redress is, however, conditioned on the relevant EU member state permitting personal data transfers to the United States for commercial purposes. The bill is significant because one of the central criticisms of the Safe Harbor regime was the individual’s lack of redress where his or her personal data was transferred to the United States and misused by U.S. governmental authorities. This lack of legal redress has been widely seen as an obstacle to reaching any new agreement on a replacement for the invalidated Safe Harbor regime.