UK Report 103 out now



Lead story:

Using car journey data with consent and pseudonymisation

wejo, a software business that analyses data from car journeys, says that privacy is at the heart of its platform. Laura Linkomies reports.

Contents also include:

  • Comment: Privacy protection should be based on ethics and trust
  • ICO’s Denham: Organisations need to embrace the GDPR
  • Every company is a data company
  • Relaxed restrictions? The ICO view on international transfers
  • Useful court guidance on dealing with subject access requests
  • GDPR one year on
  • An AI Code of Conduct: Can the NHS set standards and limits?
  • The perils of third-party data and data subject access requests
  • Court rulings on vexatious and costly requests
  • UK secures data flow deals with several countries
  • ICO: Government needs to address political influencing with other online harms
  • Ticketmaster faces class action for data breach
  • Morrisons case can go to the Supreme Court
  • ICO publishes updated guidance on certification and codes of conduct

Publisher's Cover Note

Every company is a data company

UK-based software company, wejo (p.1), provides a fascinating narrative. A company established in 2014, it really swims along with both adding value to data and working within a privacy laws framework. Its website states:

“Since 2014, wejo has been innovating with connected vehicle and mobility data to create ground-breaking products and services that revolutionise the way we travel. wejo’s purpose is much more than data monetisation, we’re a mobility enabler. We enable smarter, safer and greener journeys for all.”

The interview by Laura Linkomies, Editor, with wejo’s Head of Security, Risk and Compliance (p.1) explains how this win-win approach works. He explains that wejo is in regular contact with the ICO and “it is advantageous to be in close contact with the regulators.”

Making privacy norms work alongside innovation is very much at the heart of the ICO’s drive to achieve fairness in the collection and use of personal data (p.8). But this message is not only for tech companies, such as those working on Artificial Intelligence in the health sector (p.14). Increasingly every company is a data company (p.16) to a greater or lesser extent. Companies’ attempts to balance on the one hand the principles of purpose limitation and fair use, and on the other monetisation of data assets will be a continuing theme in the future.

I expect that societal norms will shift over time as attitudes change. Device users increasingly recognise the phenomenon of the “privacy paradox” that most people say that they want to protect their privacy while at the same time willingly giving away vast amounts of personal data via their mobile devices.

There is also this tension in central and local government and the National Health Service. The public sector collects masses of data in compartments which could be brought together using appropriate anonymization or pseudonymisation techniques for advancing social policy goals of fighting crime and protecting vulnerable children and others. How should policy makers balance purpose limitation in collecting personal data and advancing a harmonious society?

Collective/class actions

We will watch with great interest the claim for damages issued at the High Court in Liverpool on 3rd April in which more than 650 individuals are taking on Ticketmaster in a collective action suit (p.12) enabled by the GDPR but little used in the UK. Other claims for compensation pursued by the same Widnes-based law firm, Hayes Connor, are ongoing against British Airways and Dixons Carphone Warehouse.

On 15 April, it was announced that the ongoing collective action against Morrisons (p.15) has been given permission to take the case to the Supreme Court.

These issues and many more will be addressed at GDPR’s influence ripples around the world, Privacy Laws & Business’s 32nd Annual International Conference 1-3 July at St. John’s College, Cambridge. You can attend for one, two or three days at this residential conference and can share a place with colleagues, for example, three people can attend one per day on a three day ticket. Residential places are going fast so take a look now for full registration details.

We look forward to meeting you there.

Regards,

Stewart Dresner, Publisher