Photo of Clare Sellars

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.Continue Reading UK Group-Style Data Breach Actions Continue

Article29On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).

The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice

Despite concerns expressed by regulators and privacy activists, the use of facial recognition technology appears to be on the rise and is becoming increasingly common in everyday life as a result of various different issues.

One recent example of the use of such technology involves the Southern Cooperative, which has reportedly trialed certain facial recognition technology in a number of Co-op stores over the last few months.  The technology, developed by Facewatch, notifies staff of the presence in stores of individuals with past records of “theft or anti-social behaviour” and apparently has been implemented to try to combat a recent significant increase in attacks on employees by shoplifters.
Continue Reading Use of Facial Recognition Technology Increasing

GDPROn 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount.  Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach

FAQOn 5 May 2020, the Information Commissioner’s Office (ICO) published a blog setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak, prioritizing areas likely to cause the greatest public harm and directing its services towards providing guidance for organizations about how to comply with the law during the crisis.
Continue Reading The UK Information Commissioner’s Regulatory Approach and Priorities During COVID-19

Digital LockIn news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack.  In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have apparently been impacted and the UK Information Commissioner’s Office (ICO) has been informed.
Continue Reading easyJet Suffers Data Breach Involving Nine Million Customers

Article 29Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus.

The guidance notes that, although data protection law does not stop employers taking measures that are required to protect their staff and the public during the coronavirus pandemic, personal data must be handled carefully.
Continue Reading UK Information Commissioner Issues New Guidance for Employers on Workplace Testing for Coronavirus

lockThe European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.

Updated Guidelines

“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
Continue Reading European Data Protection Board Updates Guidelines on GDPR Consent

The use of artificial intelligence and surveillance technology of various kinds is increasingly being used as a weapon in the fight against coronavirus around the world.  Recent examples include the use of facial recognition software in Russia to enforce lockdown restrictions, while in France monitoring software has apparently been trialed with a view to using video surveillance cameras once lockdown has been moderated to determine whether citizens are adhering to social distancing rules and wearing masks.

In recent days it has been reported that various companies are in discussions with the UK Government regarding the use of facial recognition technology in connection with the much discussed concept of so-called “immunity passports”.
Continue Reading The Use of Facial Recognition Technology to Combat COVID-19

In an interesting data protection case, Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men.  The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.
Continue Reading UK Held to Have Breached Data Protection Laws Over Alleged Islamic State Members