UK Data Protection E-news - May 2011

  1. UK companies given one year to find solutions to cookie-consent
  2. Information Commissioner’s term of office proposed to be seven years
  3. Former ACS Law owner fined just £1,000
  4. ICO publishes data sharing code
  5. ICO issues cookie advice

1. UK companies given one year to find solutions to cookie-consent

Organisations have been given one year to find a way to obtain consent from visitors to their websites to use cookies. Consent is required for complying with the Privacy and Electronic Communications Regulations, which entered into force today, 26 May.

The Information Commissioner Christopher Graham said: “…the necessary changes to the technology aren’t there yet. In the meantime, although there isn’t a formal transitional period in the Regulations, the government has said they don’t expect the ICO to enforce this new rule straight away. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

The Department for Culture, Media and Sport, on its behalf, issued an open letter on 26 May in response to criticism over the transposition of the amendments to the European Union e-Privacy Directive. While default browser settings cannot be considered to meet the requirements of the Directive, the department says that there is no rationale for the government to specify the technical measures needed to obtain consent. It continues to work with browser manufacturers to see if browsers can be enhanced to meet the requirements.

The letter says: “UK drafting at regulation 6 (3A) is enabling on three different counts as it:

i. Makes clear that amendment of browser settings or controls can constitute consent, providing legal certainty on this issue.

ii. Makes clear that browser settings are not the only means of obtaining consent;

iii. Allows for the subscriber not to amend settings and still signify consent.”

As to other means of obtaining consent, the ICO has made some suggestions, namely using pop-ups to ask for consent, or asking for consent when individuals first register or sign up to use the service, or choose to use a particular feature of the site.

There has also been some confusion over consent, as it has been understood to mean “prior consent”. The government clarifies that the word “prior” does not occur in Article 5(3). Thus consent may be given during or after processing.

See the open letter by Department of Culture, Media and Sport.

The next issue of PL&B’s UK Report will include an analysis of the ICO’s enforcement powers provided by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. See the ICO’s guidance.

2. Information Commissioner’s term of office proposed to be seven years

The Protection of Freedoms Bill had the Commissioner’s term shortened into a one 5-year period. However, the Committee Stage debate on 13 May passed amendments that will increase the term to seven years. Both the Information Commissioner and the Campaign for Freedom of Information had welcomed, in principle, the move to a single term of office, but in oral evidence to the Committee, the Campaign for Freedom of Information suggested that a five-year term might be too short to allow the Commissioner to be fully effective.

The Information Commissioner and the government are in discussion about a framework document that includes more detail on the Commissioner’s independence and the day-to-day relationship between the Commissioner and the government. It is expected that the document will be published soon.

It has been proposed that the Commissioner will be able to charge, without consent from the Secretary of State, to recover the costs of, for example, hosting conferences and the provision of training, as long as it is not done for profit.

3. Former ACS Law owner fined just £1,000

The ICO has imposed a token fine on Andrew Jonathan Crossley, former owner of ACS Law, for exposing personal and sensitive personal details of 6,000 people online. Had the company still been trading, the fine would have been £200,000. The ICO said that the fines are meant to achieve compliance, and people’s circumstances are taken into account. However, Mr Crossley should have been aware of the DP Act being a lawyer himself. He said he had spent £20,000 as a result of the data breach incident, and ceased business activity.

ACS law specialised in pursuing alleged copyright infringement cases. Following an attack on ACS Law’s website, details of individuals, some of whom were linked to illegal file sharing, were available online for anyone to download. The details included names, addresses, medical conditions and details of sexual life. ACS law had failed to take appropriate security measures for personal data held on their web servers. According to the Information Commissioner, Christopher Graham, “the security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”

4. ICO publishes data sharing code

The ICO launched its statutory Data Sharing Code on 11 May. The code of practice explains how the DP Act applies to the sharing of personal data and provides advice on good practice. In addition to the code, the ICO has published checklists that are intended to be used alongside the full code to ensure compliance. The checklists apply both to systematic data sharing and one off requests, which require different approaches.

The code is not legally enforceable itself, but it can be used in evidence in any legal proceedings, not just proceedings under the DPA.

As the code has been written in general terms, the ICO says that specialist areas may need to produce their own detailed, bespoke data sharing guidance.

5. ICO issues cookie advice

Unexpectedly, the UK’s Information Commissioner has today announced that UK businesses cannot yet rely on consent via browser settings when they prepare to comply with new regulations that implement amendments to the EU e-Privacy Directive. The regulations that enter into force on 26 May require that website owners seek consent for using cookies. The only exemption is for cases where the use of cookies is ‘strictly necessary’ for a service requested by the user.

The ICO’s advice is at 

Read more about this topic in the current PL&B UK Report.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2011