Featured Article: New ICO Head and Data Protection Law Reforms

Highlighting cookie pop-ups as an early target, the UK government is to appoint John Edwards as the new ‘light touch’ Information Commissioner, who will be expected to reform the UK’s post-Brexit data protection rules.

Data Protection Reforms

Since Brexit, the UK government has been seeking to reform data protection regulation in a way that it says will cut down on what Digital Secretary Oliver Dowden has described as the “needless bureaucracy” of the current rules on data protection and on data transfers between countries. The government’s message is that appointing a new Information Commissioner who could “go beyond the regulator’s traditional role” would be a way to reform the rules and to strike new data adequacy agreements with other countries, reducing barriers to data transfer, letting data (and with it more trade) flow more freely, and improving innovation and economic growth. The government has been keen to stress that, despite these planned changes (and perhaps to make them easier to accept), the new regulator will have a “light touch” but data will still be protected.

Cookie Pop-Ups

The UK government appears to have used cookie pop-ups as an example of, and part of the justification for, the changes it wants to make to data protection law. Digital Secretary Oliver Dowden has argued in recent media reports that the requirement for the kind of cookie pop-up present on most large sites, asking for permission to store a user’s personal information, is a visible example of the needless bureaucracy that could be avoided by changing data regulations.

What Is Data Adequacy?

Data adequacy partnerships are agreements between two countries that each has comparable protections in place, allowing people’s personal data to be sent safely between them. Securing a data adequacy agreement with the EU was part of the Brexit negotiations.

In post-Brexit UK, with the appointment of John Edwards as the new Information Commissioner imminent, the government is now keen to make new, more frictionless data adequacy agreements with the EU and with the many other countries it wants to trade with.

Criticism

Critics of the UK government’s post-Brexit push to reform data protection regulations with new data adequacy partnerships are worried that this could weaken the UK GDPR and lead to the personal and private data of UK citizens being put at risk of being taken and shared.

Privacy advocates have also been sceptical as to whether it is realistic and possible for the UK government to give UK citizens and consumers more control over how their data is used on the one hand, while also giving businesses (and the government) greater freedoms to use that data through new agreements.

EU and GDPR

It was only in June this year that the UK government managed to achieve a data adequacy agreement with the EU, and any more proposed changes to that agreement now by the UK may be difficult to negotiate.

Who Is John Edwards?

John Edwards, the person named to succeed the current Information Commissioner (data protection regulator) Elizabeth Denham, is currently New Zealand’s Privacy Commissioner and head of its Office of the Privacy Commissioner (OPC), where he has been in the job for more than 7 years. Prior to his work with the OPC, he was a self-employed barrister and solicitor focusing on information and privacy law, and Chair of the Global Privacy Assembly from 2014-17.

In addition to his obvious legal background and experience, he is also known for overseeing New Zealand’s adequacy status with the EU, which is one of the reasons why he is favoured for the UK job.

Hates Facebook?

Mr Edwards is also known for his apparent dislike of Facebook. In April 2019, for example, after Facebook appeared not to accept any responsibility for the Christchurch mosque shootings, in which the shooter described YouTube as “a significant source of information and inspiration”, Mr Edwards was quoted in the Guardian, from his Twitter account, as saying “Facebook cannot be trusted” and that the company were “morally bankrupt pathological liars”. He was also quoted as saying that Facebook “allow the live streaming of suicides, rapes, and murders, continue to host and publish the mosque attack video, allow advertisers to target ‘Jew haters’ and other hateful market segments, and refuse to accept any responsibility for any content or harm”.

Recently, Mr Edwards has indicated on his Twitter account that he doesn’t hate Facebook.

Why Is This Relevant?

The relevance of a possible Facebook critic becoming Information Commissioner is that he would be responsible for imposing fines for breaches of the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), and would have influence over the UK government’s Online Safety Bill. The Bill is designed to establish a new regulatory framework for tackling harmful content online and would therefore potentially affect Facebook as a major content-hosting platform.

Is An Overseas Regulator A Problem?

Some critics have pointed out that the current Information Commissioner, Elizabeth Denham, who has been criticised for not enforcing data protection law firmly enough, has worked from home in Canada for most of the pandemic, and that the UK now looks set to appoint another Commissioner from overseas, from a country with a different data protection regime.

What Does This Mean For Your Business?

If the government’s argument is accepted, changing data protection law to ease data transfers between the UK and other countries could unlock more trade and benefits for British businesses. If the argument of some data privacy and security advocates is accepted, new data laws could put our personal data at greater risk, and the government is proposing a balancing act that may not be realistically achievable. For Facebook and other social media companies, the appointment of John Edwards as the new Information Commissioner may be cause for concern, given his previous comments about Facebook, his soon-to-be power to impose penalties, and his possible influence on the development of the UK’s Online Safety Bill.

Tech News: Conservative Party Gets £10,000 Data Protection Fine

The ICO has fined the Conservative Party £10,000 for sending unlawful marketing emails to people who did not want to receive them.

Breach

Following an investigation into emails sent by the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister, the ICO has decided that the Party breached the Privacy and Electronic Communications Regulations (PECR) 2003.

Unsolicited Emails

The breach of PECR occurred because, as the ICO concluded, the Conservative Party did not hold valid consent for the marketing emails received by the complainants. Although only 51 emails were conclusively found to be in breach of the regulations, the Conservative Party sent 1,190,280 marketing emails between 24 and 31 July 2019; the ICO accepts that some of those emails are likely to have been validly sent, but that it is not possible to identify what proportion. This is because, in the ICO’s words, “the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law.”

More Marketing Emails Sent During The Investigation

The ICO expressed concern that while the investigation into the initial breach was underway before the Conservative Party had addressed the original compliance issues, it “engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails” which “generated a further 95 complaints”.

Stephen Eckersley, ICO Director of Investigations, said “It’s really concerning that such large-scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations”.

The Fine

There has been criticism from some online commentators that the £10,000 fine may not be enough, when considering that according to newspaper reports, one luxury hamper of organic food delivered to 10 Downing Street recently cost £27,000.

What Does This Mean For Your Business?

It is disappointing and concerning that such a large political party (the party now in government) either did not check, was unaware of, or failed to comply with well-publicised data protection law. For those at the heart of UK law-making, this does not reflect well.

For businesses, this story is a reminder that there are clear laws governing direct marketing (i.e. any communication of advertising or marketing material directed at particular individuals). Consent is vital, and it is equally important to keep clear records of the basis on which people gave it. Ignoring the regulations can result in a hefty fine and could prove very damaging to a business’s reputation.