On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime. A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s
Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.
Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 involve security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover; however, the offence is often coupled with other transgressions, which has led to fines over €20 million.…
On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and which are likely to appear in an upcoming Data Reform Bill.
Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.…
The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).
The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach
On 5 May 2020, the Information Commissioner’s Office (ICO) published a blog setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak, prioritizing areas likely to cause the greatest public harm and directing its services towards providing guidance for organizations about how to comply with the law during the crisis.
Continue Reading The UK Information Commissioner’s Regulatory Approach and Priorities During COVID-19
In an interesting data protection case, Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) UKSC 10, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men. The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.
Continue Reading UK Held to Have Breached Data Protection Laws Over Alleged Islamic State Members
A landmark group claim for compensation under data protection laws in the UK between employees and employer has failed. The UK’s Supreme Court has held that a rogue employee’s activities were not sufficiently connected with his employment to make Morrison, his employer, vicariously liable for the data protection breach. If it had been held liable Morrison would have been in line to make compensation payments to nearly 10,000 employees.
The case relates to an incident in 2014 and was brought under the Data Protection Act 1998 (DPA), but it is likely that findings would be the same under the GDPR and the UK Data Protection Act 2018.
Continue Reading UK’s Landmark Group Claim for Compensation Under Data Protection Laws – Morrison’s Found Not Vicariously Liable for Actions of Rogue Employee
Uncertainty is the new normal. UK criminal and regulatory enforcement authorities, like the rest of us, are adjusting to unprecedented levels of business disruption.
The UK Information Commissioner (ICO) has issued some advice for data controllers in recognition of the significant challenges being presented by the Coronavirus (COVID-19) pandemic.
Among other things, in a move that will no doubt come as a relief to many data controllers, the ICO has confirmed that, during the pandemic, it will refrain from…