James Clark

Author's details

Name: James Clark
Date registered: June 15, 2015

Latest posts

  1. UK: House of Commons Committee responds to UK Government’s Strategy for Post-Brexit Data Transfers and Privacy Standards — April 13, 2017
  2. UK: The perils of indirect marketing consents — February 22, 2017
  3. UK: Government Outlines Strategy for Post-Brexit Data Transfers and Privacy Standards — February 2, 2017
  4. UK: Lessons to learn from a £40,000 fine for a mishandled subject access request. — August 12, 2016
  5. UK: New GDPR guidance and the Government’s view on the future of data protection — July 8, 2016

UK: House of Commons Committee responds to UK Government’s Strategy for Post-Brexit Data Transfers and Privacy Standards

In February this year, the UK Government published a white paper outlining its approach to the on-going negotiations on exiting the European Union (“EU”). In response, the House of Commons Exiting the European Union Committee (“the Committee”) has issued a report on the Government’s negotiation strategy which, inter alia, supports the Government’s intention to ensure the uninterrupted flow of personal data between the UK and the EU by retaining the same data protection standards as the EU.

The Committee’s report recognises that many parts of the UK economy are heavily reliant on the stability of cross-border data flows. During a roundtable held by the Committee, with representatives of the digital and tech sector in London in January 2017, the need to ensure uninterrupted data flows between the UK and the EU following Brexit was a common priority. The Committee emphasised the importance of the Government protecting uninterrupted data flows between the UK and the EU, by securing a data adequacy agreement with the EU before the aforementioned negotiations conclude.

EU rules support data sharing between Member States, setting out the rights of EU citizens and the obligations to which companies must adhere when processing and transferring their data. The Committee acknowledges that, while there is a ‘strong operational argument’ for the UK to retain unimpeded access to EU data, the extent to which this materialises will depend on the UK’s commitment to keeping its data protection provisions aligned with those of the EU, and on what arrangements can be agreed around access to the relevant EU databases. The report suggests that the level of access ultimately agreed may not equate to the level currently enjoyed within the EU.

According to techUK, the trade association for the digital sector, in its report on The UK Digital Sectors after Brexit:

‘Failure to secure adequacy may force the “localisation” or redirection of data flows on EU citizens (that requires storage and/or processing outside the UK), risking fragmented communications links and data flows between the UK and European partners. In addition, many UK businesses will need to implement costly alternative legal mechanisms, many of which are subject to ongoing legal challenge and uncertainty. Continued uncertainty over EU–UK data flows could also see companies restrict the amount and type of data processed in the UK. Such an outcome could impact data infrastructure and in particular data centres in the UK, which are among the region’s and the world’s most active.’

It will ultimately be for the European Commission to decide whether UK law and its enforcement are adequate once the UK leaves the EU. An adequacy decision allows personal data to flow from the EU to a third country without further safeguards, which is important for enabling the import and export of data. Currently, the Crown Dependencies of the Isle of Man, Jersey and Guernsey are among the jurisdictions which benefit from such a decision. Understandably, businesses want confirmation of the Government’s approach prior to the UK’s exit, in order to maintain business certainty. Should the UK fail to secure an adequacy decision, the Committee’s report suggests that its competitiveness and attractiveness as a destination for investment may diminish, as all sectors of the UK economy would be unable to rely upon free international data flows between the UK and the EU.

The UK will almost certainly still be a Member State in May 2018 when the General Data Protection Regulation (“GDPR”) becomes applicable. The Government’s white paper provides a strong indication that the UK will not deviate significantly from the GDPR standards following its exit from the EU, at least in the medium term. Adopting standards which mirror, or are closely aligned with, those of the EU could make an adequacy decision regarding UK law more likely following Brexit, but it does not make one certain.

James Clark, Associate and Elinor Cavil, Vacation Scheme Student, DLA Piper UK LLP

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-house-of-commons-committee-responds-to-uk-governments-strategy-for-post-brexit-data-transfers-and-privacy-standards/

UK: The perils of indirect marketing consents

A credit broker has been fined £120,000 by the Information Commissioner’s Office (“ICO”) under section 55A of the Data Protection Act 1998 for sending millions of marketing texts, none of which were sent with proper consent. The ICO announced the penalty on its website on 15 February 2017, following an investigation which revealed that Digitonomy Ltd had used affiliated marketing companies to send out over five million messages offering cash loans as part of a marketing campaign.

Digitonomy had contravened regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which generally prohibits the sending, or instigating the sending, of unsolicited electronic mail (including SMS) to an individual subscriber for the purpose of direct marketing, unless that person has given their prior consent.

The law is clear that individuals must give specific consent to the receipt of marketing text messages. Evidencing such consent is particularly difficult where, like Digitonomy, you are relying on consumer details which have been obtained by a third party on your behalf. By way of example, the consent wording used by Digitonomy’s affiliate companies was “you consent to us and our trusted partners contacting you by SMS, mail, email, telephone and automated message”. This wording was insufficient to protect Digitonomy as one of the unnamed “trusted partners”.

Consent must be freely given, specific and informed, and must involve a positive indication signifying the individual’s agreement. This enforcement action should serve as fair warning to businesses which buy marketing lists from third parties, contract with third parties to carry out marketing for them, or even share contact details within a corporate group for marketing purposes: they must make thorough checks and be satisfied that the personal data has been obtained fairly and lawfully, with the necessary consent.

The 2015 case of Optical Express (Westfield) Limited v Information Commissioner was a clear statement of the law in this area, in which the First-tier Tribunal found that consent has to be provided to the sender of the communications. Data subjects must understand that they are providing a marketing consent to a specific third party, or failing that, have some reasonable expectation as to the identity of the third party (for example, the industry it operates in and the type of goods and services it might attempt to sell). Further, consent must always be explicit and obtained on a clear opt-in basis.

This latest salvo in the ICO’s on-going war with the spammers is also a salutary lesson for companies operating across the full range of B2C sectors about the dangers of relying on woolly indirect marketing consents, and the care that must be taken when obtaining marketing lists from commercial partners or group companies.

James Clark and Katrina Hennessy

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-the-perils-of-indirect-marketing-consents/

UK: Government Outlines Strategy for Post-Brexit Data Transfers and Privacy Standards

The UK Government has today published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a ‘post-Brexit’ settlement. In a chapter entitled ‘Ensuring free trade with European markets’, the white paper outlines the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.

The free flow of data between the UK and continental Europe is an important foundation of cross-border trade, and a fact of life for many UK and EU businesses and consumers. EU law, both in its current form through Directive 95/46/EC, and in the General Data Protection Regulation (“GDPR”), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to ‘third countries’ which do not have a level of data protection recognised as adequate by the European Commission. This is expressly addressed in the white paper, which commits the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK officially becomes a third country:

8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.

8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.

Whilst an adequacy decision is not specifically referred to as the Government’s goal, this is a strong indication that the UK is not planning to deviate significantly from the GDPR standards which it will adopt in May 2018, whilst it is almost certainly still a member of the EU.

The statements contained in the white paper are the latest in a line of public pronouncements which have helped to give a degree of clarity and reassurance around the UK Government’s plans for data protection law in the UK in the wake of Brexit. In her first speech as the new Information Commissioner in September 2016, Elizabeth Denham talked about the ‘fundamental importance’ of data flows between the UK and the EU, and about the need for consistency of law and standards. More recently, the UK’s Data Protection Minister, Matt Hancock, confirmed in evidence given to the House of Lords EU Home Affairs Sub-Committee that (i) the UK will implement the GDPR in full in May 2018; and (ii) as and when the UK re-evaluates its legal framework post-Brexit, it needs to prioritise data sharing with international partners.

Given the potential for upheaval caused by Brexit across a whole range of areas which are based, directly or indirectly, on EU law, it is encouraging to be given an indication that the UK is leaning towards a strategy of stability and equivalence in the field of data protection. The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. The inference from these latest statements is that this preparation will not be in vain, and that the broad framework of the GDPR will be the basis for UK data protection law both in sixteen months’ time and in the eventual post-Brexit landscape.

DLA Piper’s GDPR microsite provides a user friendly overview of the key legislative changes and compliance requirements associated with the upcoming change in data protection law.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-outlines-strategy-for-post-brexit-data-transfers-and-privacy-standards/

UK: Lessons to learn from a £40,000 fine for a mishandled subject access request.

Background

The UK’s privacy regulator, the Information Commissioner’s Office (“ICO”), has issued a GP practice with a fine of £40,000 for unlawfully disclosing the personal data of two individuals in response to a data subject access request (“SAR”) from a third person. In its public statement on the enforcement action, the ICO criticised the practice for not having adequate systems or training in place to ensure that its staff were equipped to deal with SARs properly.

A SAR is a request under section 7 of the Data Protection Act 1998 for, amongst other things, the personal data of the requester which is held by the organisation to which the request is directed. In this case, the request came from a father, who submitted the request on behalf of his son, asking for details of his son’s medical records. However, in preparing what appears to have been a hasty response to the request, the surgery also disclosed personal details relating to the child’s mother, who was estranged from the father, as well as those of the mother’s parents and an older child the man was not related to. This was in spite of explicit instructions to the surgery from the mother to protect her details from the father.

Although the person at the surgery dealing with the request made some effort to consult with the child’s GP, the decision was made to disclose the child’s entire medical records without any redaction.

The ICO indicated that it had taken into account the individual liability of the surgery’s partners when setting the level of the fine, and that most organisations would expect to receive a much larger fine for a similar breach.

Lessons

This case illustrates a number of common failings with the way in which organisations deal with SARs. In particular, the following shortcomings were apparent:

  1. Preparing a “blanket” response to a SAR – a SAR is a request for an individual’s personal data only. It does not authorise an individual to receive full copies of any records relating to them, and an organisation should not simply disclose an individual’s file in its entirety.
  2. Not taking into account third party personal data – section 7(4) of the Data Protection Act 1998, and the ICO’s guidance on it, are very clear that an organisation does not have to comply with a SAR where doing so would necessitate the disclosure of a third party’s personal data, where that third party: (i) has not consented to the disclosure of their personal data; and (ii) it is not otherwise reasonable to disclose their personal data without their consent. In this case, the mother had explicitly told the surgery to protect her personal details, so it was clear that the surgery should have redacted her details from the records disclosed, or withheld any records that could not be disclosed without revealing her details. In other cases, organisations will need either to actively seek consent from third parties, or to make judgments about whether it is reasonable in all the circumstances to disclose third party personal data without consent.
  3. Not having a system in place to deal with SARs – when the SAR was received, there was a clear breakdown in communication between the staff member nominally responsible for the response, and those within the surgery who knew the child and were aware of the mother’s warnings. In addition, the staff member responsible does not appear to have followed a set process for considering and responding to the request, but simply sent out the child’s file in its entirety. A good SAR system, underpinned by an appropriate policy, will follow a series of steps, from validating the identity of the requester and the scope of the request, to conducting a full and proper search, pulling in all relevant parts of the organisation, to then considering the relevant records and applying any exemptions to the records to redact information which should not be disclosed.
  4. Not providing staff with training on data protection – the ICO made it clear that it did not blame the individual staff member, but rather the surgery as a whole for not providing its staff with appropriate training regarding their obligations under data protection law, and the particular issues to consider when dealing with SARs.

SARs are sometimes seen by organisations as an inconvenient administrative burden. However, the General Data Protection Regulation, which will apply from May 2018, will enhance the rights of data subjects even further and reduce the response period for organisations from 40 days to one month. There has therefore never been a more important time to get to grips with handling information rights requests and, as this case demonstrates, there are potentially severe consequences for not doing so.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-lessons-to-learn-from-a-40000-fine-for-a-mishandled-subject-access-request/

UK: New GDPR guidance and the Government’s view on the future of data protection

It has been a hectic fortnight for UK politics, and in the past few days there has also been a flurry of activity on the data protection front. The Information Commissioner’s Office (“ICO”), the UK’s data protection and information rights regulator, has published its promised overview of the General Data Protection Regulation (“GDPR”), whilst the UK’s data protection minister, Baroness Neville-Rolfe, has given a speech outlining the Government’s views on the future of data protection post-Brexit, and of data transfers in the light of the proposed EU-US Privacy Shield.

As we explained in a previous post, the ICO has promised a phased approach to publishing guidance relating to the GDPR, the pan-EU data protection law, in the run-up to its application from May 2018. The first fruit of this labour was the ‘12 steps to take now’ document. The second, the significantly more detailed ‘Overview of the General Data Protection Regulation’, was published yesterday.

In the introduction to its new guidance, the ICO tackles the issue of Brexit, and the UK’s future departure from the EU, head on. In essence, it considers that it is still important to provide GDPR related guidance to UK based organisations for a number of reasons:

  • many UK businesses operate internationally, and will have overseas operations which will still be in the EU post-Brexit;
  • the GDPR contains several new features (e.g. breach notification and data portability) which all information rights professionals need to be familiar with;
  • international consistency around data protection laws is crucial, and the UK will need to adopt similar (or possibly the same) standards as the rest of the EU to be deemed capable of offering an adequate level of protection and to free up cross-border data flows (see today’s detailed post from my colleagues Andrew and JP in which this issue is considered in detail).

The guidance itself, written in the ICO’s familiarly pragmatic and clear style, is a good high level introduction to the key themes of the GDPR, and in particular the new data subject rights.

Meanwhile, speaking at a Privacy Laws & Business conference, Baroness Neville-Rolfe, Minister for Data Protection, echoed some of the comments made in the ICO’s introduction to its new guidance. She emphasised that one of the few certainties of these uncertain times is that, if UK organisations wish to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection against the standard of the GDPR. Baroness Neville-Rolfe also touched on the issue of timing, and the likelihood (although not certainty) that the UK’s departure from the EU will come at a point in time after the entry into force of the GDPR.

The Minister also covered the issue of EU-US data transfers, and the negotiations to agree a renewed ‘Safe Harbor’ style arrangement by means of the proposed EU-US Privacy Shield. The Minister confirmed reports that the Article 31 Committee (comprised of representatives of the Member States who cooperate in taking decisions on matters of data protection law) is currently meeting to iron out concerns expressed by the European Parliament, the European Data Protection Supervisor and the Article 29 Working Party about the draft of Privacy Shield which was published in February. Early indications are that agreement may very recently have been reached on a revised text – please watch this space for further details.

Finally, Baroness Neville-Rolfe also made a number of comments on another issue which is high up many corporate agendas – cyber security and data breaches. She discussed the Government’s investment in a National Cyber Security Centre, which will be a single point of contact for industry to get advice and support on cyber security. The Minister also gave a strong and clear message that businesses must do more to ensure their staff have an understanding of cyber threats, and that they have procedures and systems in place to detect and respond to threats which are becoming more prevalent with every passing day.

James Clark, Associate, DLA Piper UK LLP

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-new-gdpr-guidance-and-the-governments-view-on-the-future-of-data-protection/

Turkey: New Data Protection Law

On April 7, 2016 the long awaited Law on Protection of Personal Data (“New Law”) was published in the Official Gazette. With this event, a new era started for all entities and individuals in Turkey which deal with personal data on a daily basis.

The New Law is mainly based on the principles of Directive 95/46/EC; however, the higher standards of the General Data Protection Regulation (“GDPR”), which will apply in the EU from May 2018, are not reflected in the New Law. In that sense, although the New Law will lag behind the European rules on data protection, it is a very important step as it is Turkey’s first specific data protection law.

One of the first questions that comes to mind when a change such as the enactment of the New Law occurs is whether one will be affected by it. If you are a data subject, or if you or your company collects, stores or processes personal data, the answer is yes, you will be directly affected. Further, since Turkey is a country with ever-increasing technology penetration and a large population of more than 75 million people, the effects of the New Law will be significant for all those 75 million data subjects and, more importantly, for the companies which collect, process and transfer their personal data.

With the New Law, a Data Protection Board (an independent decision making body) and Data Protection Authority (a body operating under the Prime Ministry) will be established to watch over data processing and transfer activities. Further, entities which control the ways and purposes for which personal data is processed will be deemed data controllers and shall have specific obligations such as the obligation to register with the data protection registry, obligation to inform the public and other security obligations.

Under the New Law, the main rule for collecting and processing personal data is to obtain the explicit consent of the person whose data will be collected or processed (the “data subject”). However, personal data can also be collected and processed without the data subject’s consent if any of the conditions below applies:

  • If collection and processing is permitted by any specific law provision,
  • If data subject is under a circumstance that prevents him/her from providing consent (due to an actual impossibility or lack of legal capacity) and processing is necessary for protection of data subjects’ or third parties’ life or physical integrity,
  • If processing is necessary for forming or performance of a contract to which the data subject will be/is party,
  • If processing is mandatory for data controller to perform his/her legal duties,
  • If personal data has been made available to public by data subject himself/herself,
  • If processing is necessary for the establishment, exercise or protection of a right.

Further, the conditions above are also applicable for the transfer of personal data to third parties within Turkey.

On the other hand, for the transfer of personal data out of Turkey, in addition to the conditions above, either a) the country to which the personal data will be sent must offer sufficient protection, or b) the data controllers in Turkey and in the third country must guarantee the protection of the personal data in writing, in which case the Data Protection Board will allow the transfer.

As the changes are drastic and will have a wide range of effects, the New Law provides for certain adjustment periods. In light of that, certain articles which stipulate the rules for the transfer of personal data, the obligation to register with the data protection registry and the security obligations will enter into force on October 7, 2016. In addition, the New Law stipulates that consents which were lawfully obtained before the enactment of the New Law shall be deemed valid unless data subjects revoke their consent. The New Law also provides a 2 year period for all personal data processed or collected before the enactment of the New Law to be brought into conformity with it.

These adjustment periods should be used as efficiently as possible by companies, as non-conformance with the rules in the New Law will have serious consequences such as possible imprisonment for terms of up to 4 years and administrative fines of up to TRY 1,000,000 (approx. USD 345,000 as of 29 June 2016).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/turkey-new-data-protection-law/

UK – GOVERNMENT REPORT RECOMMENDS STRONGER POWERS FOR THE ICO

Background

On 17 June 2016 the House of Commons Select Committee for Culture, Media and Sport (“the Committee”) published its report on its inquiry into the current state of cyber security and the protection of personal data. The inquiry was triggered by the cyber attack on 21 October 2015 which compromised the data of customers of TalkTalk, a UK based telecommunications provider.

The Committee considered the problem of the increasing size and frequency of cyber-attacks upon personal data. The report recognised the limits of the current powers of the Information Commissioner’s Office (“ICO”), the UK’s personal data regulator, and made a number of recommendations concerning how the ICO could become more proactive in both preventing and dealing with attacks.

ICO’s Current Powers

Under UK law, the ICO helps companies comply with UK data protection law in a number of ways, including:

  • ensuring the proper collection, use and storage of personal information;
  • enforcing the Privacy and Electronic Communications Regulations in respect of electronic marketing;
  • maintaining a register of companies processing personal data as “data controllers”; and
  • helping public bodies to correctly apply the various Freedom of Information and Environmental Information laws, regulations and codes.

In order to achieve these aims there are a range of powers available to the ICO including the ability to bring criminal proceedings, non-criminal enforcement, consensual audits, impose fines (up to a maximum of £500,000), and make assessments of good practice. Despite the powers available to the ICO, the current volume of attacks suggests that the body needs reforming to better address cyber security concerns.

Report Recommendations

The Committee recognised the limits to the powers of the ICO and made a number of recommendations for improvement. These are focused around early prevention, increasing consumer awareness of privacy protection and increased capabilities to provide deterrence through more serious repercussions where a breach occurs.

In order to facilitate prevention of attacks the Committee recommended that the ICO be enabled to undertake non-consensual audits of companies, particularly in the health and local government sectors. It also recommended annual reports on the preventative measures that a company is taking. The combination of these should help to keep the ICO informed as to whether or not there are issues of compliance with data protection regulation and enable a more proactive approach to data protection.

The Committee also proposed that the ICO needs more powers to increase customer awareness of their data protection rights. The report recommended imposing fines where a company does not offer adequate guidance to customers on how to verify the authenticity of communications. Under the Committee’s plans, this would be complemented by the proposed ‘privacy seal’ which would work on a traffic light system, demonstrating to consumers that a company follows high compliance standards, is making progress towards this, or is “yet to have taken the issue seriously.” These recommendations should help the ICO to ensure that consumers are able to make informed decisions on whether or not a company demonstrates “good privacy practice” in handling their personal data.

Finally, where an attack has already taken place it was recommended that the ICO needs to be able to access a broader range of remedies, such as custodial sentences by bringing into force sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would discourage individuals from disregarding the proper handling of data by treating it as “merely” a corporate compliance obligation. The committee also recommended introducing fines for failure to report breaches which would increase dependant upon the time taken to report an incident, therefore incentivising early reporting.

Implications of the GDPR

The Committee made a number of recommendations which overlap with the changes that will come into force in 2018 through the EU wide General Data Protection Regulation (“GDPR”).

The GDPR will increase the powers of the ICO in a number of ways. Companies that commit serious infringements will be liable to fines of up to 4% of global annual turnover or €20 million, whichever is the greater amount. The Regulation will also introduce mandatory notification of personal data breaches to the regulator within 72 hours of the organisation becoming aware of the breach. Finally, the GDPR will empower the ICO to place greater emphasis on ensuring the transparent handling of personal data by companies, and on the importance of having clear, easily digestible but also comprehensive privacy notices, which tell individuals how their personal data is used and the rights that they have under the GDPR.

The Committee report acknowledged that the GDPR will “help focus attention on data protection” but sought to make its own recommendations to complement these and increase the ICO’s powers further.

Conclusion

The direction of travel indicated by both the Committee’s report and the changes in EU legislation are clear. We are moving towards a world where personal data handling is treated with the utmost seriousness by regulators. Those regulators will have a mandate to ensure that individuals are provided with clear, upfront information about how their data is looked after, and that strong redress is taken when things go wrong. It is the companies who take a pro-active approach – who engage with their customers, their suppliers and their regulators to ensure that they are providing accurate information about data processing, and that they have the right information security systems in place – that will be best placed to survive in this new landscape.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-report-recommends-stronger-powers-for-the-ico/

EUROPE: Does the use of ad-blocker detectors breach the e-Privacy Directive?

Online advertising has become increasingly sophisticated in recent years, progressing from text, to flash animations, to auto-playing videos. In response, increasing numbers of web users have turned to ad-blocking software to de-clutter and speed up their browsing experience.

However, the use of such software is obviously bad news for advertisers and for site owners, who rely on page impressions and click-throughs to generate a return on investment or revenue respectively. Consequently, some sites have implemented their own “ad-blocker detection software”. This detects whether users have ad blockers installed on their devices, and then denies access to the site or to specific content unless the ad-blocker is disabled or the site is added to the user’s ‘white list’ of permitted sites.

In the past week, correspondence has emerged which indicates that the European Commission believes such detectors should be regulated by the EU’s e-Privacy Directive, Directive 2002/58/EC (“Directive“). Following an enquiry from a European privacy advocate, a letter from the Commission was disclosed which expressed the opinion that ad-blocker detectors would fall within the scope of Article 5.3 of the Directive.

Article 5.3 of the Directive permits the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user only where that user has given his or her consent and has been supplied with clear and comprehensive information. This is sometimes known as the “cookie law”, as it is the same provision which gave rise to the requirement in the EU to provide information about, and obtain at least click-through consent to, the installation of cookies on a user’s device. As ad-blocker detectors work by storing a script on the user’s device, the Commission clearly believes they fall into the same category.

This interpretation is broadly in line with previous guidance from the EU’s Article 29 Working Party, which has indicated that Article 5.3 should be read as covering tracking technologies more broadly, and not just cookies. Parts of another EU Directive[1] give examples of technologies caught by Article 5.3, including spyware, web bugs and hidden identifiers.

If ad-blocker detectors are treated as equivalent to cookies, it may negate their usefulness. If site owners were required to ask for consent to use such detectors, the majority of users with ad-blockers (who are typically amongst the more savvy web users) are likely to refuse to give that consent. This will leave site owners and advertisers needing to find more creative solutions, or to re-assess why the use of ad-blockers is on the rise and address the underlying causes.

In the meantime, companies who make use of online advertising would be advised to ensure their privacy policies and notices cover comprehensively the use of any tracking technologies (including detectors), and to review their contracts with either advertisers or site owners, as appropriate, to ascertain what they say about obligations to obtain consents from site users to data processing activities.

The publication of this letter may well give rise to a legal challenge to test the point, and establish categorically whether detectors are caught by Article 5.3. If they are, we might expect some guidance from national Data Protection Authorities.

[1] Recitals 24 and 65 of Directive 2009/136/EC

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/does-the-use-of-ad-blocker-detectors-breach-the-e-privacy-directive/

Extent of mobile location tracking in the UK laid bare by new report

An e-privacy organisation has today released the findings of an investigation which reveals the extent of mobile location tracking in the UK.

The report, published by Krowdthink Limited, examines the contracts, policies and practices of mobile Wi-Fi service providers in relation to location tracking.

According to the report, mobile and Wi-Fi service providers know – ‘without you knowing – where you are, how you got there and can figure out where you are going.’ Many people are location-tracked by their mobile phone each day, unaware of the highly sensitive data that this generates, which can be, and is, then sold on for profit. The report reveals that many mobile phone and Wi-Fi service providers, including wireless hotspots, are not telling customers upfront, at the point of contract signature or online via their websites, that the customer’s movements will be tracked and that location data (which can be saved for up to 12 months) can then be used for marketing purposes or sold on to third parties. The details of this are often concealed in contracts, and the fact that customers can opt out of location tracking is often unclear.

The level of detail extracted by service providers can reveal a customer’s gender, sexual orientation, religion and many other personal details, which could present a serious risk of blackmail. Mobile phone service providers often anonymise data, which means that they are not legally obliged to ask for consent; however, customers need to be aware of the weakness of relying on anonymisation alone to secure personal information, as low-dimension data can be de-anonymised.
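To make the last point concrete, the following is an added illustration written for this post; it is not taken from the Krowdthink report and every record in it is constructed. It builds a small pseudonymised location log of the kind the report describes (subscriber identity replaced by a random token, but cell and hour kept at full resolution), then shows that a handful of (cell, hour) observations made from outside the dataset single out one pseudonym, and that coarsening the data into areas and six-hour buckets (one of the controls a provider could apply before treating the data as anonymous) enlarges the anonymity set. The pseudonyms, cell identifiers and the `coarse()` folding rule are all assumptions of the example.

```python
"""Constructed demonstration: pseudonymised, fine-grained location data is
re-identifiable from a few outside observations; coarsening the data widens
the anonymity set.  All records and identifiers below are made up."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Point = Tuple[str, int]            # (cell_id, hour_of_day)
Record = Tuple[str, str, int]      # (pseudonym, cell_id, hour_of_day)
Coarsener = Callable[[Point], Point]

# Constructed pseudonymised log.  Identity is replaced by a random token, as
# providers commonly do before calling data "anonymised", but cell and hour
# are kept exactly as collected.
RECORDS: List[Record] = [
    ("p7f3", "C17", 8), ("p7f3", "C42", 18), ("p7f3", "C17", 22),
    ("a91c", "C17", 8), ("a91c", "C42", 18), ("a91c", "C17", 23),
    ("e240", "C17", 8), ("e240", "C43", 18), ("e240", "C17", 22),
    ("5bd8", "C18", 8), ("5bd8", "C42", 18), ("5bd8", "C17", 22),
    ("9c1a", "C50", 12), ("9c1a", "C51", 13), ("9c1a", "C50", 20),
    ("f03e", "C50", 12), ("f03e", "C51", 13), ("f03e", "C50", 21),
]


def coarse(point: Point) -> Point:
    """Assumed de-identification control: fold a cell id into an 'area' (its
    first two characters in this constructed scheme) and an hour into one of
    four six-hour buckets."""
    cell, hour = point
    return (cell[:2], hour // 6)


def traces(records: Iterable[Record],
           coarsen: Optional[Coarsener] = None) -> Dict[str, FrozenSet[Point]]:
    """Group records into one set of distinct (cell, hour) points per pseudonym,
    optionally coarsening each point first."""
    by_pseud: Dict[str, Set[Point]] = {}
    for pseud, cell, hour in records:
        point = (cell, hour)
        by_pseud.setdefault(pseud, set()).add(coarsen(point) if coarsen else point)
    return {p: frozenset(pts) for p, pts in by_pseud.items()}


def anonymity_set(records: Iterable[Record], observed: Iterable[Point],
                  coarsen: Optional[Coarsener] = None) -> Set[str]:
    """Pseudonyms whose trace contains every point an outside observer knows
    (e.g. 'seen at cell C17 around 08:00').  A result of size 1 means the
    observer has re-identified the pseudonym despite the anonymisation."""
    wanted = {coarsen(p) if coarsen else p for p in observed}
    return {pseud for pseud, pts in traces(records, coarsen).items() if wanted <= pts}


def uniqueness(records: Iterable[Record], n: int,
               coarsen: Optional[Coarsener] = None) -> float:
    """Share of (pseudonym, n-point subset of its trace) pairs where those n
    points match no other pseudonym, i.e. the probability that n randomly
    chosen observations of a person pin them down.  Low-dimension data gives
    high values; coarsening drives them towards zero."""
    tr = traces(records, coarsen)
    total = unique = 0
    for pseud, pts in tr.items():
        for subset in combinations(sorted(pts), n):
            total += 1
            chosen = set(subset)
            if all(not chosen <= other for o, other in tr.items() if o != pseud):
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # An observer knows three things about one person's day (constructed).
    seen = [("C17", 8), ("C42", 18), ("C17", 22)]
    print("fine-grained match:", anonymity_set(RECORDS, seen))          # one pseudonym
    print("coarsened match:  ", anonymity_set(RECORDS, seen, coarse))  # four pseudonyms
    for n in (1, 2, 3):
        print(f"{n} point(s): fine={uniqueness(RECORDS, n):.2f} "
              f"coarse={uniqueness(RECORDS, n, coarse):.2f}")
```

With the constructed log, three fine-grained observations identify exactly one pseudonym, and any three points from a person's own trace identify them with certainty; after coarsening, the same observations match four of the six pseudonyms and no subset of one, two or three points is unique to anyone. The metric is the one a provider would want to compute on real data before relying on pseudonymisation as its only safeguard.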

93% of UK citizens opt in to location tracking by default, meaning that nearly every one of us with a mobile phone, even a simple one, is being location tracked all the time. Under the Data Protection Act (DPA), consumers can opt out of this by contacting their service provider and following the introduction of the General Data Protection Regulation (GDPR) we will, in certain circumstances, have the right to have all of our data erased (the so-called “right to be forgotten”).

The GDPR will require mobile phone service providers and providers of Wi-Fi networks to provide more transparent and consumer-friendly privacy contracts. At the moment, the report has found that many of these contracts separate the clauses that discuss what data is collected from consumers from the clauses that discuss how location data is used. Service providers try to legitimise their obtaining of location data as something that is needed for routing phone calls or meeting the requirements of government security; however, this is not always true.

Mobile phone companies and providers of Wi-Fi networks should consider doing the following:

  • communicate privacy notices, including information about location tracking, at the point that data is first collected from users;
  • ensure consent is obtained to the use of location tracking data, in accordance with the Privacy and Electronic Communications Regulations;
  • make privacy policies as clear, transparent and consumer friendly as possible;
  • ensure privacy policies communicate to data subjects what their rights are;
  • consider providing users with easy to follow instructions about how to switch off GPS or Wi-Fi location tracking features;
  • ensure users understand who location data will be shared with and for what purposes; and
  • only retain location data for as long as is necessary to fulfil the purposes for which it was collected.

You can find Krowdthink’s report here – http://www.krowdthink.com/report.pdf

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/extent-of-mobile-location-tracking-in-the-uk-laid-bare-by-new-report/

UK – Freedom of Information – Independent Commission report

The Independent Commission on Freedom of Information, tasked with the job of examining the Freedom of Information Act over the last ten years, published its report earlier last week. The resounding opinion was that overall the Act is “working well” and there will be no wholesale changes.

In our previous blog post we had hoped that we would see even more transparency in Government contracting, purchasing, invoicing and service performance, and to this extent the Commission appears to agree. It intends to spread transparency throughout public services, making sure all public bodies routinely publish details of senior pay and perks. However, the Commission could only express an opinion (not make any recommendations) that the Act should be extended to those who are providing public services under contract.

Those public bodies inundated with FOI requests may be disappointed with the Commission’s recommendation that monetary charges should not be introduced.

Overall it appears that the Commission has drawn a careful balance between being more sympathetic to greater openness, while also backing some changes that would help public authorities to keep some material secret. It will be interesting to see where the balance is struck when Government begins to implement the Commission’s recommendations.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-freedom-of-information-independent-commission-report/