Category: UK
28. November 2018
The business and employment-oriented service LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission.
A non-LinkedIn user issued a complaint to the Data Protection Commission that their email address had been obtained and used by the organisation for the purposes of targeted advertising on Facebook. Within Ireland’s Data Protection Commission the concerns grew regarding LinkedIn’s processing of personal data of non-users. Therefore, the office conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, and stated that it used million of e-mail addresses of non-users.
Also involved is LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland. They targeted – by means of 18 million addresses – the individuals in Facebook. According to the commissioner’s annual report LinkedIn in the US carried out the processing in the absence of instructions from LinkedIn in Ireland (the controller). Said annual report covers the period from January 1st to May 24th 2018. Then the old office of the Data Protection Commissioner ceased to exist due to the General Data Protection Regulation. The new Data Protection Commission came into existence on May 25th 2018.
23. November 2018
Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union as of 30th March 2019. The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.
After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.
With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU. In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.
In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.
13. November 2018
On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.
Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.
According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.
Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.
“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.
With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).
29. January 2018
Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.
The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.
That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.
Safeguards may be provided by:
- Sandarad data protection clauses (SCC)
- the Commission has adopted three sets of model clauses which are available on the Commission’s website
- Binding corporate rules (BCR)
- legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
- Condes of Conduct
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
- Certification mechanisms
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country
Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.
These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.
The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.
Stakeholders should prepare for the requirements associated with recognition as a third country.
13. October 2017
The Information Commissioner’s Office (ICO) has fined Vanquis Bank and advertising firm Xerpla £125,000 in total.
Vanquis Bank had sent over a million spam text messages and spam emails promoting its credit card. As the recipients had not given consent for such messages, Vanquis Bank’s marketing campaign was deemed illegal and a fine of £75,000 was imposed on the Bradford based bank.
Ad firm Xerpla had sent over a million spam emails promoting various products. The ad firm was fined £50,000 for not having the right consent of the recipients as it was not clear and specific enough.
“People need to be properly informed about what they are consenting to. Telling them their details could be passed to ‘similar organisations’ or ‘selected third parties’ cannot be relied upon as specific consent,” ICO Head of Enforcement Steve Eckersley said, adding, “these firms should have taken responsibility for ensuring they had obtained clear and specific consent for the sending of the messages. They didn’t and that is unacceptable.”
The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).
The GDPR enters into force on 25th May 2018 in the European Union. After the brexit, until now it was unclear if the UK would implement the GDPR into UK domestic law. The Data Protection Bill implements not only the legal requirements of the GDPR. The Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services will also be adopted in the new Data Protection Law of the UK.
The new Law will replace the existing UK Data Protection Act 1998.
Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consist of seven parts and 18 Schedules.
The data flow between European countries and the UK will not cause those problems that caused concerns after the Brexit, because the data protection level in Europe and the UK will be equal.
24. August 2017
According to BBC.com, the fraud prevention group Cifas warns that cases of identity theft increase year by year in the UK. In the first six months of the year Cifas already recorded 89,000 cases, which is a 5% increase in relation to the same period of the last year and a new record.
BBC.com further reports that Simon Dukes, chief executive of Cifas, said: “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day.” It is further explained that “these frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”
Fraudsters are targeting data such as the name, address, date of birth or bank account details. They gather these data by hacking computers, stealing mails or buying data through the “dark web”. Also, victims are tricked into giving away their personal data. However, most of the thefts, about 80%, are committed online and mostly without notice of the victims. The crimes often come to light, when for example the first random bill arrives.
The victims of impersonation were breaked down into categories of ages, showing that it is most likely that people in their 30s and 40s are victims of identity thefts, since about this group of people often a high amount of information was gathered online. It is further reported that according to Cifas, the amount of cases fell for the group of over-60s, while the group of 21 to 30 years old showed the biggest increase of cases.
11. August 2017
According to a Press Release from the Information Commissioner’s Office (“ICO”), the TalkTalk Telecom Group (“TalkTalk”) was fined for violating the UK Data Protection Act. More than 21.000 customers could be the victims of scams and frauds.
As a result of an investigation in 2014, the ICO fined TalkTalk 100.000 GPB by failing to protect customer data. The breach was possible because of a lack of security of a portal holding a huge amount of customer data. One company with access to the portal was Wipro, an IT services company in India. 40 employees of Wipro had access to personal data of between 25.000 to 50.000 customers. During the investigation, three accounts were found that had unauthorized access to this portal. The ICO determined that TalkTalk did not ensure the security of the customer data held in this portal. There were different reasons:
- The portal was accessible via any device. There was no restriction on which devices the portal can be accessed.
- The search engine of the portal allowed wildcards searches (with * as a placeholder to get many results).
- The search engine allowed up to 500 results per search.
The access rights were too wide-ranging regarding the high amount of customer data held by the portal. The ICO fined TalkTalk because it breached one of the principles of the UK Data Protection Act by not implementing enough technical and organizational measures.
4. April 2017
After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.
Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.
British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.
In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.
British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.
Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.
Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.
28. March 2017
In consequence of the Westminster Bridge attack in London, Home Secretary Amber Rudd announced that she wants to meet several tech giants in order to make sure law enforcement is able to access encrypted data for terrorism investigation.
The topic came up as the attacker reportedly used the messaging application WhatsApp shortly before his attack began. As WhatsApp uses end-to-end encryption, neither law enforcement nor WhatsApp itself can read messages. The same applies to Apple’s iMessage. While Rudd did not want to make public which tech companies she will meet in detail, Google confirmed that it will be meeting the UK government.
“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,“ Rudd said. Labour leader Jeremy Corbin, however, stated that law enforcement already had enough powers and that there needed to be a balance between the right to know and the right to privacy.
In the meantime, Microsoft confirmed that it had provided email information relating to the Westminster Bridge attack to the British authorities after it had received lawful orders.
Pages: Prev 1 2 3 4 5 6 7 8 Next 
