On 5 March 2024, the UK data protection regulator (ICO) published guidance on biometric recognition (the Guidance), following a consultation with stakeholders in October 2023. The Guidance clarifies the concept and properties of biometric data and provides practical considerations for organisations contemplating or using biometric recognition systems.Continue Reading ICO Publishes Biometric Data Guidance
The UK Information Commissioner (ICO) was reportedly set to sound a note of caution recently, at Politico’s Global Tech Day, regarding the potential privacy risks that can arise in the context of generative artificial intelligence (AI).
Privacy risks of generative AI
While acknowledging the potentially significant advantages and benefits that generative AI can bring, both to organisations and society more generally, the ICO’s Exec Director of Regulatory Risk, Stephen Almond, was expected to reiterate to businesses the need to consider the potential data protection issues around generative AI, noting that ensuring the compliance of such technologies with applicable data protection laws needs to be robustly scrutinised.Continue Reading UK Information Commissioner Warns of Privacy Risks Around Generative AI
Introduction
Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance).Continue Reading UK Data Protection Regulator Updates its Guidance on Data Transfers
The UK Government’s vision for a post-Brexit data protection regime includes controversial changes to the remit and workings of the Information Commissioner’s Office. In a Privacy Laws & Business article on possible ICO reform, Edward Machin considers what its proposed structure, duties and powers means for the independence of the regulator and its standing on
On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime. A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s
On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill.
Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.Continue Reading UK Government Publishes Its Response on the Reform of the UK Data Protection Regime
A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use
The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).
The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit
On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).
The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach