The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health.

In particular, the new guidance aims to:

  • Address the changes in data protection law,
  • Reflect the changes in the way that employers use technology and interact with staff, and
  • Meet the needs of people using the ICO’s guidance products.

To this end, the ICO has launched a public consultation to gather views on these and related subject areas.

The consultation

The ICO has prepared a survey for completion by those wishing to take part in the consultation. Contributions may be submitted by responding to an online survey or by completing and returning a Word document by email or post.

The deadline for responding is midnight on Thursday 21 October 2021.

The English High Court delivered an important judgment earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). You can read the judgment here.

Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR), either because it sells goods or services to, or monitors the behaviour of, individuals, it is usually required to appoint a representative. Since Brexit, where such processing involves individuals in the UK, a UK-based representative is also required under the UK GDPR.

This case concerned the liability of the UK representatives of data controllers based outside the UK. The High Court struck out the claim and held that Article 27 GDPR does not create ‘representative liability’.

Background

The claimant Mr Sansó Rondón brought a claim against LexisNexis Risk Solutions, the designated ‘representative’ of U.S. company World Compliance Inc. (WorldCo). WorldCo is the controller of a database containing millions of profiles of individuals. The claimant argued WorldCo’s processing of his personal data in producing a profile of him breached the GDPR. The defendant applied for the claim to be struck out, or alternatively for summary judgment, arguing that a representative cannot be held liable for the actions of a controller and the remedies sought can only be obtained from a controller.

City A.M. has interviewed Howard Womersley Smith, an expert Fintech and Data lawyer and partner in Reed Smith’s Technology & Data London team, on London’s current startup FinTech scene.

Sitting down with Womersley Smith, City A.M. reflected on a range of London Fintechs urging the Financial Conduct Authority (FCA) to break banks’ dominance over the use of consumer data. Womersley Smith sided with Fintechs and has long been saying that the startup scene needs exactly that to properly thrive in 2021. Fintechs have argued that the end of banks’ dominance would increase competition in the savings, credit, mortgages and pensions markets. However, Womersley Smith believes that we are some way off true portable banking. He also noted that there is another factor in play, that of trust, where banking with a household name provides an element of comfort for consumers which is difficult for challengers to compete with.

Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.

On 4 June 2020, Singapore’s Personal Data Protection Regulations 2014 (Regulations) were amended to specify that recipients of personal data located outside Singapore which are certified under the Asia‑Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System, would satisfy the cross-border data transfer requirements under Singapore’s data protection law.

The same outcome would be achieved if the recipient is a data intermediary (i.e., processes personal data on behalf of another), and is certified under the Asia‑Pacific Economic Cooperation Privacy Recognition for Processors (APEC PRP) System.

A Dutch court has held that a grandmother was in breach of the General Data Protection Regulation (GDPR) for posting pictures of her grandchildren on social media platforms without their parents’ consent and refusing to delete them after multiple requests.

The GDPR does not apply to the processing of personal data by an individual “in the course of a purely personal or household activity”.

However, the court said that it was not sufficiently established what security settings the grandmother had on her social media accounts, and it was not clear whether the photos could have been found via search engines. As a result, the court was not convinced that posting the photos on social media sites constitutes a “purely personal or household activity”, as this places them in the public domain, and they could then be further distributed and used by third parties.

On 13th May, the European Commission’s eHealth Network published its interoperability guidelines for approved contact tracing mobile applications in the EU, guiding developers when designing and implementing applications and backend solutions to ensure efficient tracing of cross-border infection chains. These guidelines serve as a follow-up to the ‘Common EU Toolbox for Member States’ on mobile applications to support contact tracing in the EU’s fight against COVID-19, which it published on 15th April.

Why are interoperable apps considered important in the fight against COVID-19? It is almost inevitable that in today’s day and age we would look to technology to be part of the solution. The hope is that interoperable apps will facilitate the tracing of cross-border infection chains, which is particularly valuable for cross-border workers, tourism, business trips and neighbouring countries.

On 18 March, the Task Force for Relations with the United Kingdom (UKTF) of the European Commission published its Draft Text of the Agreement on the New Partnership with the United Kingdom (Draft Agreement). It translates the negotiating directives, approved by Member States, into a legal text, in line with the Political Declaration agreed between the EU and the UK. The Draft Agreement was sent to the UK following consultation with the European Parliament and the Council of the European Union, and aims to provide a tool to support the negotiations and enable progress with the UK’s relationship with the EU.

The Draft Agreement covers all areas of the negotiations. Most importantly for us, the Draft Agreement includes provisions around the digital economy and data protection. These draft provisions ensure that the parties commit to a high level of data protection and recognise the importance of promoting and protecting the fundamental rights of privacy and data protection. The parties also agree to cooperate (as much as national laws permit) at bilateral and multilateral levels, which may include dialogue, exchange of expertise, and cooperation on enforcement with respect to personal data protection.

The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.

The Personal Data Protection (Amendment) Bill 2020 (the Bill) was published today for public consultation.

Key amendments proposed in the Bill include:

  1. Increased financial penalties for breaches of the Personal Data Protection Act (the Act) of up to 10 per cent of annual gross turnover in Singapore or S$1 million, whichever is higher.
  2. Mandatory data breach notification to Singapore’s Personal Data Protection Commission (the Commission) and affected individuals.
       • The timeline for notifying the Commission has been tweaked to within three calendar days from the day an organisation assesses that a breach is notifiable (this was previously 72 hours).
       • There will be regulations to prescribe the categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the individuals affected.
       • The exceptions to notifying affected individuals are: (a) where remedial actions have been taken; or (b) where the personal data is subject to technological protection measures (e.g., encryption), such that the breach is unlikely to result in significant harm to the affected individuals.
       • Please also refer to our earlier client alert here.