Photo of Eleanor Brooks

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.

Initiatives to build strong EU-wide cybersecurity

The EU Cybersecurity Act was proposed in 2017 to:

i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);

ii) Allocate more resources to ENISA to enable it to fulfil its goals; and

iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.

The European Parliament, Council and Commission reached an informal trialogue agreement on the proposed EU Cybersecurity Act in December last year. Now that the European Parliament has adopted its first-reading position, the Council is expected to adopt the proposed Regulation without further amendments. The Regulation will then be published in the Official Journal of the European Union and will enter into force 20 days after publication.

Continue Reading The European Parliament adopts first stance on proposed EU Cybersecurity Act

In April 2018 the European Commission (Commission) published its Communication on the digital transformation of health and care in the Digital Single Market (Communication). The Commission outlined the need for reforms to health care systems and the development of innovative digital solutions. On 6 December 2018, the European Economic and Social Committee (EESC) published its opinion on the Communication (Opinion) in which it expressed its agreement with the vision set out by the Commission.

Opinion of the European Economic and Social Committee

The EESC noted its support of the Commission’s proposed action in relation to three main areas: (i) secure access of the public to, and sharing of, health data across borders; (ii) disease prevention and personalised health and care; and (iii) digital tools for citizen empowerment and person-centred care.

The Opinion focuses on the impact of digital transformation on five main areas:


Continue Reading Digital transformation of health and care

The Joint Committee on Human Rights has launched an inquiry into the right to privacy under Article 8 of the European Convention on Human Rights (ECHR) and the “Digital Revolution”. The inquiry will examine whether further safeguards to regulate the collection, use, tracking, retention and disclosure of personal data by private companies are required to protect human rights in the new digital age.

The key human right considered to be at risk is the right to private and family life under Article 8.

The Committee has also stated that freedom of expression (Article 10), freedom of assembly and association (Article 11) and prohibition of discrimination (Article 14) are also deemed to be at risk.

The Committee are now in the process of collecting written evidence of the threats posed to human rights by the processing of personal data by companies, and instances where those rights have been breached. The Committee have raised the following five questions and requested responses to be submitted online by 31 January 2019:


Continue Reading Joint Committee on Human Rights launches inquiry into Article 8 and the digital revolution

“2018 was the year that people have woken up to the importance of privacy and have begun to bite back at big tech”.

This was the view expressed by James Dipple-Johnstone, Deputy Commissioner (Operations) at the UK Information Commissioner’s Office (ICO), during his recent speech at the Institute of Directors in London.

The speech focused on the ICO’s regulation of tech giants in the digital age. It highlighted the many benefits of big tech and big data, indicating that their influence and importance are only likely to grow. However, the speech also stressed that there are deep public concerns about the business models of some tech giants and their increasingly opaque uses of personal data.

Continue Reading Regulating the tech giants

Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).

The guidance focuses specifically on encryption and passwords. It suggests points to be considered during implementation and offers some helpful “dos and don’ts”.

Encryption

Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:

  1. The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
  2. The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
  3. The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
  4. The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.

The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where data is lost or destroyed and it was not encrypted.

Continue Reading ICO publishes security guidance on encryption and passwords

The UK government launched its Smart Data Review on 28 September 2018 (Review). The Review will look at how technology, such as online comparison tools and open banking, can be used to make it easier for consumers to get good deals on essential services and put an end to consumers paying unjustifiable ‘loyalty penalties’ for staying with their service providers rather than switching.

Background to the Review

The government’s Modernising Consumer Markets green paper highlighted the challenges that consumers face in regulated markets, such as financial services, energy and telecoms. It recognised that consumers often struggle to stay on top of their contracts for essential services, find it difficult to identify the best deal and end up paying considerably more by not switching.

These challenges have been further highlighted by a ‘super-complaint’ submitted to the Competition and Markets Authority (CMA) by Citizens Advice, the UK consumer watchdog, on the same day that the Review was launched. This complaint estimates a cost of £4.1 billion per year to consumers who remain loyal to their service providers in these markets. This penalty is disproportionately paid by vulnerable, lower income and less educated consumers who do not realise they are being penalised for their loyalty and face obstacles when trying to shop around. The CMA will now investigate the complaint and engage with relevant regulators, such as the FCA and Ofcom, before publishing its response.

In relation to the Review, the government recognises that new technologies, such as automatic switching services and utility management services, have the potential to address many of the problems faced by consumers in regulated markets. However, these innovative intermediary services require access to customer data, which is often locked away in a way that works against consumers and innovators. For example, development of these services can be constrained by difficulties in accessing data on consumers’ current tariffs, their usage and the other available deals in standard formats.

Continue Reading UK government launches Smart Data Review

The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them.

Technology goals

Broadly, these goals include increased technology training for the ICO’s staff and the appointment of staff with technology expertise, greater public and industry engagement on the data protection risks posed by technology, and engagement with other regulators internationally. It is apparent from the Strategy that the ICO is placing greater emphasis on adapting to the ever-changing technological environment, through increased engagement and enhancement of its technical expertise and technical solutions.

The ICO also commits to publishing further guidance and reports on the use of data protection design by default. This guidance will be “technically feasible and proportionate” and will likely include analysis of the data protection implications of emerging technologies, such as artificial intelligence (AI) and machine learning.

Continue Reading ICO publishes Technology Strategy for 2018–2021

The European Union Agency for Network and Information Security (ENISA) has published a paper on the security challenges that arise from the convergence of Internet of Things (IoT) and Cloud computing. The paper is directed at IoT developers, IoT integrators and Cloud service providers, and concludes with a number of suggested steps to achieve secure solutions.

ENISA defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”. This would include, for example, smart homes, Fitbits and Apple Watches. ENISA divides the IoT ecosystem into three components: (i) devices, (ii) communications and (iii) Cloud platform, backend and services.

The growth of IoT in recent years has put pressure on Cloud computing to evolve in order to accommodate IoT’s needs, including aggregating, storing and processing the data that IoT devices generate. This has resulted in a new model, the “IoT Cloud”.

The emergence of the IoT Cloud poses potential security risks, and ENISA is primarily concerned about the fact that IoT devices provide access to Cloud systems, and therefore any attack on an IoT device can potentially lead to a more widespread attack.

Continue Reading Security challenges arising out of the convergence of Internet of Things and Cloud computing

In the joined cases of Banco Santander SA v. Demba and another (Case C-96/16) and Cortes v. Banco de Sabadell SA (Case C-94/17), referred by the Spanish courts, the European Court of Justice (ECJ) considered the application of the Unfair Contract Terms Directive (Directive) to the rate of default interest in consumer loan agreements.

The Unfair Contract Terms Directive

The Directive protects consumers from unfair terms included in contracts. In Spain, the Directive is implemented into national law via the LGDCU (Ley General para la Defensa de los Consumidores y Usuarios y otras leyes complementarias (Royal Legislative Decree 1/2007)). The LGDCU provides that the test of fairness can be applied to all terms not individually negotiated and all practices not expressly agreed. A term may be deemed unfair if it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.

Facts of the cases

The ECJ was asked to provide a preliminary ruling on certain questions referred by the Spanish courts in two joined cases:

(i) In the first case, the default interest rates on unsecured loan agreements (concluded between individual borrowers and Banco Santander) were 18.50 per cent and 23.70 per cent, compared to ordinary interest rates of 8.50 per cent and 11.20 per cent, respectively. After the borrowers defaulted, the bank sought enforcement of its claim by assigning its debt to a third party in accordance with Spanish law.

(ii) In the second case, an individual’s mortgage loan agreement with a bank provided an ordinary interest rate of 5.5 per cent per annum, which was subject to change after the first year, and which was 4.75 per cent at the time of the main proceedings. The default interest rate was 25 per cent per annum. The consumer argued that this was unfair.

Continue Reading ECJ ruling on fairness of disproportionately high default interest rate in consumer loan agreements

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number of self-reported personal data breaches and a summary of fines issued by the ICO.

Upward trends

The ICO received a huge increase in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017, it received 30,000 more such calls than in the previous three months. The report states that 235,672 calls were received by the ICO’s helpline, an increase of 24.1 per cent year-on-year, while 30,469 live chats were requested, up 31.5 per cent. Of the queries received, the majority of concerns related to data subject access (39 per cent), the disclosure of data (16 per cent), the inaccuracy of data (11 per cent) and securing the right to prevent processing (9 per cent).

With regard to personal data breaches, the number of self-reported cases increased significantly: 3,172 incidents were reported to the ICO over the course of 2017/2018, a 29.6 per cent increase. The number of self-reported data breaches is expected to increase further during the 2018/2019 reporting period, reflecting the new mandatory data breach notification requirements under the GDPR. This was confirmed during an ICO webinar, where it was revealed that 1,792 personal data breaches were notified to the ICO in June, a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when just 367 notifications were received.

Continue Reading ICO publishes its 2017/2018 Annual Report