Information Commissioner

The UK government has made the Privacy and Electronic Communications (Amendment) Regulations 2018 (ePrivacy Regs), which come into force on 17 December 2018.

The ePrivacy Regs amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010. The amendments are intended to ensure that the regime covering breaches is “effective, proportionate and dissuasive” in accordance with the criteria outlined in the PECR.

Background on PECR

The PECR covers several areas, including marketing by electronic means, the use of cookies and similar technologies, the security of public electronic communications services, and the privacy of customers using such communications networks and services. The GDPR does not replace the PECR but sits alongside it: any organisation within scope that sends electronic marketing or uses cookies (or similar technologies) must now comply with both the PECR and the GDPR.

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has dismissed an appeal by the Information Commissioner (IC) against a First-Tier Tribunal (FTT) decision that “small data” (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named the Department for Communities and Local Government (DCLG)). The request concerned data on homelessness held by local authorities for the period 2009 to 2012, which the MHCLG had not published. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute “personal data” as defined by section 1(1) of the DPA 1998, and so was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT’s decision on various grounds, including that the small data was personal data and therefore exempt from disclosure under section 40(2) of FOIA.

The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).

The Implementing Regulation sets out the further elements that digital service providers (“DSPs”) must take into account under the NIS Directive when managing the risks posed to the security of their network and information systems, and sets out further parameters for determining whether an incident has a ‘substantial impact’ on their service.

While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.

Background

The Information Commissioner published her comments on the basis that it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:

  • Cloud service providers
  • Online market places
  • Search engines

The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).

Under the NIS Directive, a DSP must notify its competent national authority if it suffers an incident that has a ‘substantial impact’ on the service it provides.

In her evidence to the Culture, Media and Sport Select Committee on 24 October, Secretary of State for the Department of Culture, Media and Sport (“DCMS”) Karen Bradley MP called out the EU General Data Protection Regulation (“GDPR”) as an example of EU law that the government would opt into. At the same time, the

Three months on from the landmark Brexit vote of 23 June, the Information Commissioner’s Office is setting out its position on data protection law in a post-Brexit UK. Elizabeth Denham, the new Information Commissioner, told the BBC that she believed the UK should adopt the General Data Protection Regulation (GDPR) regardless of Brexit.

Denham stressed that

With the Privacy Shield, the Umbrella Agreement and the GDPR capturing significant attention, it would be easy to overlook some of the other important developments that have taken place in the data protection sphere. We have rounded up some of the main stories.

Next UK Information Commissioner announced

Pending the formal approval process, Elizabeth Denham (Information and Privacy Commissioner, British Columbia, Canada) is scheduled to take over from Christopher Graham as the UK’s next Information Commissioner. Minister for Data Protection Baroness Neville-Rolfe has commended Ms. Denham on her proactive approach to enforcing data protection law, and acknowledged her “track record of working with business and other stakeholders”. Ms. Denham’s appointment should take place in June, as Mr. Graham’s term of office ends on 28 June.

At the end of March, the UK Information Commissioner’s Office (ICO) released its corporate plan for 2014-2017 titled “Looking ahead, staying ahead” (the Plan). Information Commissioner Graham stated that the changes proposed are “about getting better results, for both consumers and for data controllers.”

As the UK’s supervisory body for upholding information rights, the ICO

The UK’s data protection authority, Information Commissioner’s Office (ICO), commissioned an independent survey investigating the understanding of the proposed EU data protection reform and associated costs. The survey involved 506 organisations, and one of the key findings is that as a general rule, businesses do not understand the implications of the proposed General Data Protection

This post was written by Cynthia O’Donoghue.

The First-Tier Tribunal (General Regulatory Chamber, Information Rights) has dismissed the first appeal against a Monetary Penalty Notice issued by the UK Information Commissioner’s Office (ICO) for a serious violation of the Data Protection Act 1998 (DPA). The ICO had issued the Central London Community Healthcare