The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements.

The ICO compiled responses from over 2,300 participants in an online survey, and conducted fieldwork with more than a hundred stakeholders (publishers, advertisers, start-ups, adtech firms, lawyers and citizens). The ICO highlighted three key challenges of adtech: (i) transparency, (ii) lawful basis and (iii) security.

Continue Reading ICO investigates adtech awareness through fact finding forum

The Information Commissioner’s Office (ICO) is inviting organisations to help develop a framework for future auditing of artificial intelligence (AI).

A team from the ICO’s Technology Policy and Innovation Directorate will develop the framework. The framework is intended to help regulators ensure AI applications are transparent, fair and appropriately risk assessed.

As well as the invitation, the ICO has established a blog site where it will provide updates on its thinking about development of the framework.


Continue Reading Involved in AI? The ICO wants to hear from you.

On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing.

Cooperation and information sharing

The ICO and FCA have set out what matters they will communicate with each other and the exchange of information between them. Subject to legal restrictions on the disclosure of information, the ICO and FCA have agreed to:
Continue Reading FCA and ICO strengthen cooperation in renewed memorandum of understanding

On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices.

Why ad-tech?

‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses personal data to compile a personal profile, which is then used to decide whether or not to target an individual with a particular advert. Publishers sell advertising spaces by a process of real-time bidding. Ad-tech practices heavily rely on the use of personal data and artificial intelligence.

The ICO is interested in learning more about ad-tech practices for a number of reasons. Firstly, ad-tech falls within the ICO’s priority areas of ‘online tracking’ and ‘artificial intelligence’, identified in the ICO’s Tech Strategy. Secondly, the ICO recognises that while there are benefits arising from ad-tech, there is also a cause for concern, in particular in relation to real-time bidding. Thirdly, the ICO has received complaints about ad-tech firms’ non-compliance with the General Data Protection Regulation (GDPR).

The ICO acknowledges that there are many diverging views on the overlap between ad-tech practices and GDPR-compliant personal data processing.

Continue Reading UK regulator to focus on ad-tech

Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs.

The criminal prosecution may not sound surprising – after all, SCL had failed to comply with an enforcement notice. Clearly the ICO is taking a hard-line approach to enforcement. SCL, however, was in administration at the time of the enforcement notice and therefore a key point to note here is that a company is still required to ensure it complies with its data protection responsibilities, including any enforcement, even when it is in administration.

Background

In January 2017, U.S. citizen Professor David Carroll made a subject access request to SCL. SCL responded disclosing some personal data, but Professor Carroll suspected that SCL had not disclosed everything. The response from SCL also contained inadequate information about where the data had been obtained and how it would be used. He complained to the ICO, who shared his concerns.

The ICO contacted SCL in September 2017 to ask for further information. SCL was not cooperative, incorrectly claiming that Professor Carroll had no legal right to access the data because he was not a UK citizen or based in the United Kingdom. In rejecting SCL’s claim that a U.S. citizen has no legal right to access the data, the ICO confirmed that “anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law.”


Continue Reading ICO brings prosecution against SCL Elections

On November 28, 2018, the U.S. Securities and Exchange Commission’s (SEC) request for a preliminary injunction against Defendants Blockvest, LLC (Blockvest) and Blockvest’s founder and chairman Reginald Buddy Ringgold, III (Ringgold) was denied by United States District Court for the Southern District of California.

Blockvest and Ringgold were offering and selling unregistered securities in the

The U.S. Securities and Exchange Commission (SEC) recently settled two initial coin offering (ICO) enforcement actions grounded on the sale of unregistered securities. The two settlements, one with CarrierEQ Inc. (or AirFox) and the other with Paragon Coin Inc., are the first time the SEC has imposed civil penalties on companies solely for offering digital

The Information Commissioner’s Office (ICO) has prosecuted an individual under the Computer Misuse Act 1990 (CMA 1990), resulting in a six-month prison sentence. This prosecution is the first of its kind by the ICO.

The facts

The defendant was a man named Mustafa Kasim. Mr Kasim was employed in the motor repair industry and had used a colleague’s log-in details to access a software system. This allowed Mr Kasim to access the personal data of customers, such as their names, phone numbers, and vehicle and accident information, without permission. Mr Kasim continued to access the software after moving to a different organisation.
Continue Reading ICO brings criminal prosecution for data misuse

On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October 2018 to respond. Those who fail to pay could face a maximum fine of £4,350.

Data protection fees were introduced by the Data Protection (Charges and Information) Regulations 2018. The Regulations came into force at the same time as the General Data Protection Regulation (see our previous blog on this here). Proceeds from the data protection fee are used to fund the ICO. Fees are calculated by reference to three tiers. Micro organisations must pay £40; small and medium organisations pay £60; large organisations pay £2,900.

Continue Reading ICO takes action against organisations for failure to pay new data protection fee

The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them.

Technology goals

Broadly, these goals include increased technology training for the ICO’s staff and appointment of staff with technology expertise, greater public and industry engagement in terms of the data protection risks posed by technology, and engagement with other regulators internationally. It is apparent from the Strategy that the ICO is placing greater emphasis on adapting to the ever-changing technological environment, through increased engagement and enhancement of its technical expertise and technical solutions.

The ICO also commits to publishing further guidance and reports on the use of data protection design by default. This guidance will be “technically feasible and proportionate” and will likely include analysis of the data protection implications of emerging technologies, such as artificial intelligence (AI) and machine learning.

Continue Reading ICO publishes Technology Strategy for 2018–2021