Global Privacy & Security Compliance Law Blog

UK’s ICO Publishes New Guidance on Cookies

Posted in GDPR, Security

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.

By Fiona M. Maclean, Laura Holden, and Grace E. Erskine

The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.

The European law on cookies can be found in the European Directive 2002/58/EC (ePrivacy Directive) (as amended by Directive 2009/136/EC), as implemented into UK law by the Privacy and Electronic Communications Regulation 2003 (as amended) (PECR). Regulation 6 PECR constitutes the foundation of the UK rules requiring organisations setting non-essential cookies on websites to provide “clear and comprehensive information” to users and to obtain their consent to the use of cookies.

UK Regulator Imposes Two Substantial Fines for GDPR Data Breaches

Posted in GDPR

The ICO issued notices of intent to fine British Airways and Marriott. What happened?

By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty

On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation (GDPR). The proposed fine is the largest to date under the GDPR, and equals 1.5% of British Airways’ 2017 global turnover, according to the Financial Times. It follows months of investigation after British Airways notified the ICO of a security incident that led to the theft of customer data in September 2018.

Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million (about US$124 million) for infringements of the GDPR stemming from a data breach at Starwood, which it acquired in 2016. According to the Wall Street Journal, this fine represents 2.5% of Marriott’s global revenue. Marriott initially announced the data breach in November 2018, which led to an ICO probe.

New UAE Health Law Enters Into Effect

Posted in Legislative & Regulatory Developments, Security

Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices.

By Brian A. Meenagh

On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications technology (ICT) in health fields in the UAE. Federal Law No. 2 of 2019 (the Law) entered into effect in May 2019 and will likely affect the activities of a number of entities operating in the healthcare sector in the UAE, including healthcare service providers, life sciences companies, cloud service providers, healthcare IT systems suppliers, and medical insurance providers.

RuNet Law: New Russian Law Could Significantly Impact Telecom and Internet Providers and Social Media Platforms

Posted in Legislative & Regulatory Developments, Privacy, Security

Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information.

By Fiona M. Maclean and Ksenia Koroleva

On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. 90-FZ “On Amending Federal Law ‘On Communications’ and Federal Law ‘On Information, Information Technology and Information Protection’”). The majority of RuNet Law amendments will come into effect on November 1, 2019.

The RuNet Law’s principal provisions include:

  • Introducing rules for the centralization and control of data traffic (e.g., the RuNet Law establishes a centralised Russian Internet data traffic routing system)
  • Requiring entities involved in the transfer of data to install additional equipment and comply with new obligations that aim to ensure such centralization


ICO Launches Consultation on Age-Appropriate Design: A Code of Practice for ISS

Posted in GDPR, Legislative & Regulatory Developments, Privacy

Online services have until 31 May to respond to 16 draft standards of age-appropriate design.

By Fiona Maclean and Olga M. Phillips

The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to be accessed by children. On 15 April, the ICO published a draft code of practice on age-appropriate design for online services (the Code). A copy of the Code can be found here.

Who does the Code apply to?

The Code is aimed at Information Society Services (ISS), which is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. In practice, this definition extends to almost all online services including apps, websites, social media platforms, online messaging services, online marketplaces, content streaming services, and even news and educational websites.

The reference to “remuneration” is often seen as confusing. However, the ICO clarified that remuneration covers not only services funded by advertising but also those provided to end users free of charge.

ISS should also note that the Code applies if children (i.e. persons under 18) are likely to use the service. This definition includes services that are designed specifically for children, as well as those that may appeal to children or those that were designed for adults but have, in fact, attracted children.

UK’s Proposed “Online Harms” Compliance and Enforcement Regime Will Target Platforms

Posted in Privacy, Security

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.

By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford

On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.

What Companies Can Learn From CNIL’s Privacy Consent Cases on Targeted Marketing … in 60 Seconds

Posted in GDPR, Privacy

The closure of four cases involving targeted advertising provides lessons for navigating compliance standards under the GDPR.

By Myria Saarinen and Elise Auvray

Four French advertising technology companies that received a warning in 2018 from the French Data Protection Authority (CNIL) have all implemented the regulator’s required changes. The recent closure of the cases highlights opportunities for businesses at all layers of the adtech value chain to address emerging compliance challenges.

The companies — Fidzup, Teemo, Singlespot, and Vectaury — collect geolocation data for targeted advertising purposes via third-party apps. Initially, the French regulator found that they had failed to obtain an informed, freely given, and specific consent from app users, since:

  • The information provided was insufficient, as it was unclear, used complex terms, and was difficult to access.
  • The consent was not based on an affirmative declaration, as the options were pre-ticked.
  • Users were not asked to consent to the processing of their geolocation data specifically.


EDPB Clarifies Use of Consent and Other Legal Grounds for Clinical Trials, but Challenges Remain

Posted in GDPR, Legislative & Regulatory Developments

European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data.

By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev

In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR), which: (1) confirms that consent under the GDPR and CTR are different concepts; and (2) sets out the EDPB’s recommendations on the appropriate legal basis required for processing personal data in connection with clinical trials conducted in the EEA (which is unlikely to be consent).

Practical Takeaways

While the Opinion brings some much-needed certainty to the area of consent and other legal grounds for clinical trials, challenges remain. Outlined below are the key challenges and the steps that sponsors of clinical trials in the EEA (Sponsors) should take when designing their research activities:

No Deal Brexit and Data Transfers: Companies Must Prepare Now

Posted in GDPR, Legislative & Regulatory Developments, Privacy

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.

By Fiona M. Maclean and Jane Bentham

Since our blog on “What a ‘No Deal’ Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:

  • A general note on the various data transfer mechanisms (and exceptions) under the GDPR
  • A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules

The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.

4 Questions to Consider When Dealing With Children’s Data in the US

Posted in GDPR, Legislative & Regulatory Developments, Privacy, Security

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance.

By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout

In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. Under the Children’s Online Privacy Protection Act (COPPA), even seemingly straightforward online data collection and storage practices such as logging an IP address or storing an email address are subject to strict requirements, such as providing notice and obtaining advance parental consent prior to collection or storage.

Under COPPA, obtaining proper consent can be technically or administratively burdensome, expectations shift with technological advancement, regulatory exceptions are vague, and penalties are calculated on a per-violation basis. COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, both of which are very active in this area. Although the FTC maintains a website with answers to frequently asked questions, the law is complicated, and companies should consult with an attorney.
