This the first of our monthly Data Protection round ups covering topics for the start of 2016.
Data Protection Regulation Workshops
Following approval by the EU institutions in tripartite negotiations in December, we are awaiting agreement of the final text of the General Data Protection Regulation, expected in the coming months. We are planning to run a series of workshops on the Regulation in the course of 2016. If you would be interested in attending, please contact us.
Telegraph fined for Election Day email campaign
In the first action of its kind taken against a newspaper, the ICO has fined Telegraph Media Group GBP 30,000 for urging its online subscribers to vote Conservative in the 2015 General Election, in breach of direct marketing rules. It announced last month that the paper had fallen foul of regulations by including a letter from Editor Chris Evans within a daily news bulletin service on 7 May 2015.
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, a recipient of direct marketing emails or SMS messages is automatically deemed to have opted out of receiving such marketing messages. The Regulations, which sit alongside the Data Protection Act 1998, require direct marketers to obtain an individual's consent to being contacted for the purpose of marketing.
In the case of the Telegraph, the ICO decided that the editor's unsolicited e-mail campaign constituted direct marketing which subscribers had not consented to receive along with their usual service. While the editorial content of newspapers may often display political bias, the ICO said in its press release, the letter from Mr Evans had "crossed a line".
Privacy campaigner Tim Turner, writing on his 2040 Information Law blog, said the fine was evidence that the ICO was "losing its appetite for DP enforcement". He pointed to another recent case in which the ICO issued a fine of £250 to patient support group the Bloomsbury Patient Network after it disclosed the identities of HIV patients through an email error. It comes as the EU begins the process of finalising the new General Data Protection Regulation, which paves the way for maximum civil monetary penalties (CMPs) of up to £15 million or 4% of global turnover.
ICO's warning to EU Referendum campaign groups
As the UK gears up to hold a vote on its continued membership of the EU perhaps as early as June, would-be campaign groups have been warned they must comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 in any email or mobile communications with the public. The ICO said on its blog last week that groups must register as data processors and comply with certain basic principles, including requirements to clearly identify the organisation when sending marketing messages, and to contact only those individuals who have consented to receive marketing messages from that specific organisation.
Apple calls for rethink over UK Investigatory Powers bill
Apple has expressed concerns that draft legislation currently before the UK Parliament may leave its customers' personal data more vulnerable. The technology firm told a parliamentary committee last month that the so-called Snoopers' Charter, which places IT and communications companies under a duty to assist security agencies worldwide and requires them to hold onto communications records, could prevent it from using robust encryption on its messaging service.
Apple also highlighted the territorial scope of the draft bill, which it fears amounts to a legal requirement to help security agencies hack into its own devices regardless of which country the device is in. This could lead to situations where companies are caught between conflicting legal duties where a UK warrant overlaps with a regulatory regime in the host state.
Ireland: new advice on drones and body-worn cameras
Ireland's data protection office has issued separate guidance on unmanned aerial vehicles (drones) and body-worn cameras, in response to increasing use of both for private recreational, commercial and law-enforcement purposes. Users are reminded that any activity that results in personal data being collected potentially engages Ireland's Data Protection Act(s). For example, where drones are being used for specific purposes (such as aerial photography or journalism), the data controller must do as much as possible to notify the public of any risk that their data may be collected, and of their intention to share it with third parties. The guidance on drones can be accessed here. The requirement to notify the public is also one of the main considerations raised by the guidance on body-worn cameras, which can be accessed here. The latter should be read in conjunction with existing guidance on CCTV.
EDPS issues new guidance on eCommunications and mobile devices
The European Data Protection Supervisor (EDPS) has published two new pieces of guidance on the use of electronic communications (eCommunications) and mobile devices. Assistant EDPS Wojciech Wiewiorowski said in a press release earlier this month that the guidelines offered practical advice in applying data protection principles such as those enshrined in the Data Protection Act 1998 to digital communications. Both areas required specific advice due to the complex and fast-evolving nature of communications technology, he added.
The guidance, which supports EU Regulation 45/2001, may be of particular assistance to employers with regard to telephone, internet and mobile devices used by their employees. Areas covered by the eCommunications guidelines include:
- Billing and management of communications services;
- Monitoring of or access to emails in the employee's absence; and
- Disciplinary proceedings
The Mobile Devices guidelines deal with the processing of personal data created in relation to employees using mobile devices, as well as advice on acceptable-use policies.
Delaware: Companies selling on the internet must display privacy policies
The US state of Delaware, which is home to many globally-recognised businesses, now requires privacy policies to be prominently displayed on commercial websites that collect "personally identifiable information" (PII). The new rules are contained in the Delaware Online Privacy and Protection Act (DOPPA), which came into force on 1 January. Under DOPPA, issues that must be addressed by policies include: the categories of PII that will be collected from users; and third parties with whom this data may be shared. The term "PII" can refer to both personal data and sensitive personal data as defined by the Data Protection Act 1998.
China insists on right to set its own internet laws
China's President has used an address to a world internet conference, hosted in the city of Wuzhen, to defend the country's right to set its own limits on internet freedoms. In comments that were live-tweeted by the state news agency Xinhua, Xi Jingping said: "Freedom is what order is meant for, and order is the guarantee of freedom. We should respect internet users' rights to exchange ideas and express their minds and we should also build good order in cyberspace in accordance with law as it will help protect the legitimate rights and interests of all internet users."
Delegates at the conference centre had access to a host of sites from which China's 670m internet users are blocked, including Twitter, Facebook and Wikipedia.
The conference was being held as a prominent civil rights lawyer stood trial in Beijing in what is being described as a landmark freedom of speech case. Pu Zhiqiang faces eight years in prison for publishing posts that criticised the Communist Party on a social networking site.
To view the original article, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
