
The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK. Post-Brexit privacy and data protection issues that you need to consider include:

  • how to maintain uninterrupted

25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we

The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.

Four categories of fines plus an aggravating category

The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. In view of this broad (and very high) ceiling, the Dutch DPA has taken a step forward to categorise violations of the GDPR into four tiers of fines. According to its fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.

Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:

  • Category I: between €0 and €200,000
  • Category II: between €120,000 and €500,000
  • Category III: between €300,000 and €725,000
  • Category IV: between €450,000 and €1 million.


In a recent request for a preliminary ruling in a case concerning Amazon, the Advocate General Pitruzzella (AG) has given his opinion that the Consumer Rights Directive (2011/83/EU) (CRD) requires traders to offer their consumers a choice of means of communication, but this is not confined to the trader’s telephone number. The CRD includes the trader’s telephone number, fax number and e-mail address, “where available, to enable the consumer to contact the trader quickly and communicate with him efficiently”. The AG clarified that this is therefore not limited to a telephone number, and accordingly traders may use other means of communication with consumers as long as they are consistent with the technical means of the transaction being made.

Online trades imply sufficient knowledge of interacting over the internet

The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband) brought a claim asserting that Amazon did not offer sufficient contact channels to its consumers before the conclusion of an online sale – in spite of the online sales platform’s automated call-back facility and online chat service. There was a particular concern that consumers were not provided with the company’s fax number and were also prompted to follow an identity-verification process before they could have access to Amazon’s general helpline telephone number.

The Data Retention and Acquisition Regulations 2018 (the regulations) entered into force on 31 October 2018. The regulations concern the retention of communications data by telecommunications and postal operators and the acquisition of communications data by public authorities.

“Communications data” means data concerning a communication transmission, but not the content of the communication. For example, it includes the method of communication, and the sender and receiver of the communication, but excludes what was said or written.

Tele2 and Watson

The regulations were introduced following the Court of Justice of the European Union’s (CJEU) ruling on the Tele2 and Watson case in 2016, which found that the scope of the UK’s data retention regime was too wide to be compatible with European Union (EU) law.

The CJEU found that the retention and acquisition of communications data can only be justified where: (1) the objective is fighting serious crime, (2) only data that is “strictly necessary” is retained, and (3) the retained data is kept within the EU. There should also be independent administrative or judicial authorisation for the retention and acquisition of communications data. The CJEU therefore required the UK to limit the scope of its data retention regime.

In Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an English General Regulatory Tribunal has overturned a fine, issued by the Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla Ltd, after the ICO determined that Xerpla had failed to obtain the necessary consents for electronic communications to its subscribers.

The ICO fined Xerpla £50,000 in October 2017 for sending 1.26 million marketing emails to its subscribers, which, according to the ICO, breached the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Central to PECR is that any direct marketing emails to subscribers must only be sent with the prior consent of the email recipient.

The tribunal found that Xerpla’s subscribers had “consented to, and knew they were consenting to, the direct marketing of third party offers for all kind of products and services… That is why they subscribed…” It was therefore considered obvious what was being consented to, given the services offered by Xerpla.

The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”).

The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data Protection Directive (95/45/EC) across EU Member States led to the European Commission proposing a new legislative framework for data protection. In its now finalised form, this has two elements:

  • The General Data Protection Regulation (Reg 2016/679), which came into force 24 May 2016, with a two-year implementation period (“GDPR”); and
  • The Directive on data transfers for policing and judicial purposes (2016/680/EU), which came into force 5 May 2016, and must be transposed into national law by Member States by 6 May 2018

The GDPR will apply in the UK from 25 May 2018, although part of the Data Protection Act 1998 will need to be repealed to avoid any duplications or inconsistencies with the GDPR. Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union earlier this year that the Government “will bring forward legislation in the next session in order to put that into practice”. The Queen’s Speech of 21 June 2017 also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”. (See our recent blog on this for further details.)

The Information Commissioner’s Office (ICO) has published an updated data subject access code of practice (the Code) to reflect developments following two major Court of Appeal judgments published in early 2017: Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017]

On 23 May 2017, our European IT, Privacy and Data Security team hosted a breakfast roundtable to discuss the most pertinent GDPR questions that our clients are facing, with only 12 months to go until the GDPR comes fully into effect. With the many new and enhanced obligations that the GDPR is introducing for businesses,

“A year from now, the European Union will start benefiting from the new data protection standards.”

This week, the European Commission’s most senior voices gave an official statement promoting the benefits of the new General Data Protection Regulation (GDPR). Andrus Ansip (Vice-President) and Věra Jourová (Commissioner) of the European Commission aimed their statement at all