The UK Government has laid adequacy regulations before Parliament that, once in force from 12 October 2023, will permit use of the UK – US “Data Bridge” as a safeguard for personal data transfers from the UK to the US under Article 44 UK GDPR.Read More
Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.
Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).
The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.
An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.
PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).
Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here). In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out.
Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”
The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.
The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.
For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.
The more eye-catching proposed changes in the Bill include:
- The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
- Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
- More exemptions from the requirement to obtain consent to cookies.
- Much higher fees for breach of PECR.
The Bill will now progress through various Parliamentary stages over the coming months in order to become law.
In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).
The government claims that the new Bill would:
- Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
- Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
- Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.
The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.
Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.
On 9 July 2020, the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO) announced they have opened a joint investigation into the personal information handling practices of Clearview AI Inc.
The OAIC has stated the investigation will focus on ClearView AI’s use of “scraped” data and biometrics of individuals.Read More
Russian hackers are accused of penetrating up to 400 Australian businesses in 2017 as part of an alleged state-sponsored cyber-espionage campaign, targeting millions of computers across the world.
The Australian government made the announcement in light of an extraordinary joint statement from the US and UK governments pointing a stern finger at Russia for sponsoring cyber-attacks on government, private organisations, critical infrastructure providers and internet services providers.
According to recent research conducted on behalf of cybersecurity firm Clearswift, finance and HR departments represent the biggest cybersecurity threat to organisations. The study polled more than 4500 information technology decision makers, security professionals and employees in the US, UK, Germany and Australia and found that 46% of respondents believed that finance departments posed a security threat to their organisation. In addition, 42% of respondents believed the same of an organisation’s HR departments.