UK Data Protection E-news - October 2010
- EU Commission takes UK to court
- Government proposes lenient cookie regime but a data breach notification duty on providers of electronic communications services to include fines and criminal penalties
- Consultation on Bribery Act 2010
- ICO responds to Ministry of Justice consultation on revision of the EU DP Directive
- Data sharing consultation launched by ICO
- Trial starts of consumer personal data store and management scheme
1. EU Commission takes UK to court
The European Commission decided on 30 September to refer the United Kingdom to the EU's Court of Justice for not fully implementing EU rules on the confidentiality of electronic communications. The case concerns the UK's implementation of both the EU e-Privacy Directive and the Data Protection Directive. The Commission says that:
- there is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the e-Privacy and Data Protection Directives, in particular to hear complaints regarding interception of communications
- current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as "freely given, specific and informed indication of a person’s wishes"
- the current UK provisions prohibiting and sanctioning unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit, and to ensure sanctions against, any unlawful interception regardless of whether it is committed intentionally or not.
2. Government proposes lenient cookie regime but a data breach notification duty on providers of electronic communications services to include fines and criminal penalties
The government's consultation on implementing the amendments to the e-Privacy Directive notes that, under the amended Directive, consent is not required where a cookie is strictly necessary to deliver a service explicitly requested by the user.
While ‘strictly necessary’ is difficult to define, leaving it undefined gives the ICO ‘the flexibility to adjust to changes in usage and technology’, the government says.
The amendments introduced a data breach notification duty on providers of electronic communications services. The government proposes that the ICO issue guidance in relation to the notification mechanism.
Fines may be introduced for certain breaches, and criminal penalties may apply for the most serious breaches. The government wants to ensure that ICO has sufficient audit powers in this sector.
Responses are sought by 3 December.
3. Consultation on Bribery Act 2010
The government opened a consultation on the Bribery Act on 14 September. This transparency initiative is part of the government’s work “balancing a range of practical advice and promotion of corporate good practice with proactive civil and criminal law enforcement.” The UK government has contributed to negotiations on the 2009 OECD Anti-Bribery Recommendation and a review of the UN Convention Against Corruption. The consultation, which is open to all interested parties, closes on 8 November. Implementation of the Act is required by April 2011.
Read about these issues in the next issue of PL&B UK Newsletter (November).
4. ICO responds to Ministry of Justice consultation on revision of the EU DP Directive
The Information Commissioner’s response of 6 October stresses that a new DP framework must clearly define personal data and make the definition more relevant to modern technologies. The data protection principles themselves are sound and should not be changed. However, the definitions of processor and controller should be looked at, and a more collective form of responsibility could be established by introducing an explicit accountability principle. The ICO notes that in today’s business world, organisations that at first sight appear to be data processors may in fact exercise much control over processing, and thus act as data controllers. With regard to international transfers, the ICO says that the ‘future framework should focus much more on risk assessment by the exporting data controller and should be clearer about data controllers’ responsibility’. The ICO promotes accountability, but recognises that it needs to be scalable to the size of the organisation concerned.
The Ministry of Justice was seeking stakeholders’ views to inform its input into the revision of the EU Data Protection Directive. More about this topic in the next PL&B UK newsletter. See the ICO response.
5. Data sharing consultation launched by ICO
The ICO is currently consulting on a statutory code for sharing personal data (PL&B UK Newsletter July 2010 p.10 and September 2010 p.18). The consultation, which runs until 5 January 2011, seeks views on whether the code strikes the right balance between recognising the benefits of sharing personal data and the need to protect it. The ICO wants to know, for example, whether the code is relevant to the types of data sharing your organisation is involved in, and whether it deals adequately with situations where data is shared as a result of a merger or acquisition.
See the consultation.
6. Trial starts of consumer personal data store and management scheme
According to the DMA (Direct Marketing Association), the trial of the first personal data store for consumers will have ‘significant and wide-ranging’ implications for direct marketers, brands and their customers. The trial, to which the ICO contributes, is run by the Mydex Community Interest Company, which has recently commenced trials of its personal data store (PDS). The PDS provides individuals with the tools they need to store and manage their personal details, to have them externally verified, and, at their discretion, to share them with organisations.
Read more about this topic in the next issue of PL&B UK Newsletter.
Copyright Privacy Laws & Business 2010