On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill.

Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.

Continue Reading UK Government Publishes Its Response on the Reform of the UK Data Protection Regime

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.

Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long school trip.  And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.

As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers.  As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead.  Or maybe it’s exactly like that.

Continue Reading The IDTAs of March

There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.

In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes

Cyber SecurityThe recent High Court case of London Borough of Lambeth v A.M. offers a salutary lesson in the importance of properly redacting documents. This issue comes up more than you’d think – and certainly more than it should.

You’ll recall that, in the spirit of transparency, the European Commission recently publicized a heavily redacted version of its AstraZeneca COVID-19 vaccine contract. The problem was that the Commission had been too transparent – literally. All of the redacted content in the contract could be viewed by simply using the bookmark tool in Adobe Acrobat’s Reader. Redactio ad absurdum.
Continue Reading When [Blank] Goes Wrong

GDPROn 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount.  Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach