DATA PROTECTION BULLETIN – APRIL 27 2023
Welcome to the latest edition of our bi-weekly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
In this issue, we will be diving into the latest developments and trends in data privacy, discussing how businesses and organisations can stay compliant with data protection laws, and exploring the consequences of non-compliance. Whether you’re a data privacy professional or simply interested in staying informed, this bulletin is your go-to source for all things data protection.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
DPAS Analysis of Incoming EU Legislation that Might Impact UK Organisations
The European Union is proposing legislation to curb the growth of big tech and promote data protection and other digital rights. The proposed EU digital rights reforms to existing legislation represent a significant move by the EU to regulate the digital sector and ensure a level playing field for all companies.
The developments in EU regulations will have significant implications not only for EU member states and the organisations that operate there but also for the UK. As a major trading partner with the EU, organisations in the UK will need to consider how these new regulations could impact their operations too. Read our article – 4 Key EU Digital Rights Reforms That May Impact UK Organisations – to understand the proposed EU digital rights reforms and their potential impact on big tech companies and digital rights, as well as how the UK might be affected by these developments.
GOVERNMENT AND REGULATORY ACTIVITY
UK Data Protection and Digital Information Bill Proceeds to Committee Stage
Following debate in Parliament on its second reading on the 17th of April, the Data Protection and Digital Information Bill, the UK’s post-Brexit replacement for the EU’s General Data Protection Regulation (GDPR) data regime, has now been sent to the Public Bill Committee for consideration. The committee, in turn, has called for written evidence from people with relevant expertise and experience or a special interest in the bill.
During the second reading, MPs flagged concerns around the free flow of data for global companies, geopolitical issues such as data adequacy with the EU, rising legal costs for businesses and human interventions for automated decision-making. It is expected that these points will form the focus of the committee’s assessments and its recommendations to the full House of Commons, following which the bill may proceed to the third reading.
You can access the bill draft, explanatory notes and call for written evidence here.
UK applies to become an Associate Member of Global Cross Border Privacy Rules Forum
The UK applied, on 17 April, to join the Global Cross Border Privacy Rules (CBPR) Forum as an Associate Member, as announced by the US Commerce Department. The UK will be the first new jurisdiction to participate in the Global CBPR Forum since it was established last year. The group, which released the Global CBPR Framework and the Forum’s Terms of Reference on 13 April, is aiming to widen participation from APEC countries to allow participation by economies anywhere in the world.
The current members include the United States, Australia, Canada, Japan, Republic of Korea, Mexico, the Philippines, Singapore, and Chinese Taipei.
ICO reprimands Surrey Police and Sussex Police for recording more than 200,000 phone calls without people’s knowledge
The Information Commissioner’s Office (ICO) has issued a reprimand to both Surrey Police and Sussex Police, following the rollout of an app that recorded phone conversations and unlawfully captured personal data. The app was first made available in 2016 and was originally intended to be used as recording software by a small number of specific officers, but Surrey Police and Sussex Police chose to make the app available for all staff to download.
According to the ICO, ‘Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge. People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes. This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.’
Online recruitment firm fined £130,000 for sending 107 million spam emails targeting jobseekers
The Information Commissioner’s Office (ICO) has fined Join the Triboo Limited £130,000 for bombarding people with spam emails.
Between 1 August 2019 and 19 August 2020, a confirmed total of 107 million direct marketing messages were sent by Join the Triboo Limited, and those messages were received by 437,324 distinct individuals. This means that each individual received on average 244 emails during the relevant period and that those messages contained direct marketing material for which subscribers had not provided valid consent.
The ICO issued over £2 million in penalties against companies responsible for nuisance calls, texts and emails in 2022. According to the ICO, some of those investigations began with a single complaint from a member of the public, and it will be working closely with other regulators and industry partners to share intelligence and take targeted action against companies and directors responsible for initiating nuisance calls.