Do we need to regulate generally accepted, low risk forms of data processing that individuals are now comfortable with as part of daily life (e.g. on-line orders, payroll processing and employment contract administration) to the same standard as types of processing that intrude more clearly on an individual’s privacy (e.g. tracking user preferences, monitoring communications etc.)? Should the draft European Data Protection Regulation impose differing standards depending on the risk to the individual from the processing in question, rather than

With data breaches and the new cookies rules never far from the press or industry agendas, and with a new European framework on the horizon, the past year has been a busy one for the Information Commissioner’s Office (ICO). Its Annual Report for 2011/12, along with a companion webcast, reflects this changing privacy landscape. Both offer useful insights into the ICO’s priorities for the coming year.

In terms of enforcement action (perhaps one of the most

Our 27 June post on the new Indian data privacy regime discussed the key provision of the Information Technology (Amendment) Act 2008 and its implementing regulations, the new Rules.  It also considered some of the questions left unanswered by the Rules.  What categories of personal data do the Rules apply to?  How is the required consent to be obtained?  To what extent do the Rules apply to organizations not based in India but with outsourced operations there, or

Our May 26, 2011 blog post on the new European cookies rules introduced by the revised E-Privacy Directive marked the deadline for EEA Member States to implement the Directive into national law.  As of late August, only the UK, Denmark, Estonia, Finland, Ireland, Malta and Sweden have introduced laws fully implementing the amendments contained in the revised Directive.

The delay on the part of the remaining Member States comes as no surprise, given the significant confusion and controversy surrounding the

A series of recent rulings by the Swiss Courts have raised the bar for data processing justification under Swiss law.  Whilst Switzerland is not part of the European Economic Area, and is therefore not subject to the European Data Protection Directive, its data privacy rules contain a number of similar, or at least recognisable, principles.  The broad data processing principles are set forth in Article 4 of the Swiss Federal Data Protection Act (the DPA) which states that personal

The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has recently issued further statutory guidance on its powers to impose monetary penalties.  This guidance builds on an earlier statutory guidance note issued by the ICO back in January 2010, by providing greater clarification on the key factors in the ICO decision process when imposing monetary penalties.  Broadly, the guidance emphasises that monetary penalty notices are intended for the most serious breaches only, with the objective of encouraging

The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has recently issued its largest fine to date against a single data controller, for breaches of the Data Protection Act 1998 (the DPA).

This latest fine, of £120,000 imposed on Surrey County Council, continues a string of increasing financial penalties imposed by the ICO following the bolstering of its enforcement powers by the Criminal Justice and Immigration Act 2008 in April 2010.  Since then, the ICO

On 16 May 2011, the European Commission’s Article 29 Working Party released their latest Opinion on the status of geolocation data for the purposes of European privacy rules. Though not strictly binding on EEA Member States or businesses operating within Europe, the Working Party’s Opinions are highly influential and certainly set the scene for changes to come. This latest Opinion confirms the position taken by the European Data Protection Supervisor, that geolocation data should be considered ‘personal data’, and

In the run up to today’s deadline for EEA Member States to implement the EU’s revised Privacy and Electronic Communications Directive, including its new rules requiring consent to the use of cookies, the UK Department of Culture, Media and Sport (the DCMS) and the UK’s privacy regulator, the ICO, have released further guidance for businesses, both on the requirements of the new rules and how they are expected to be enforced.

In terms of the UK’s revised Privacy

When the revised Privacy and Electronic Communications Directive was approved in November 2009, with its updated wording requiring prior consent to the use of cookies, European Union Member States were given until the end of May 2011 to implement the changes into their respective national laws.  That deadline is fast approaching, and the lack of action from governments and regulators is telling.  Controversy and confusion surrounding the new cookies rules have been widespread, not only for European based businesses, but