Memorandum of understanding

A Memorandum of Understanding has been Signed Between the UK’s ICO and the Office of the Australian Information Commissioner

A Memorandum of Understanding has been signed between the UK’s ICO and the Office of the Australian Information Commissioner (OAIC), to facilitate cooperation and collaboration.

A memorandum of understanding has been signed between the UK’s ICO and the Australian Information Commissioner, due to the fact that the two share similar functions and duties in their respective countries. The two parties have realised the need for increased cross-border enforcement and cooperation, with the nature of this modern global economy, and the rate at which personal data crosses borders. With the signing of this memorandum of understanding the parties involved have set out the broad principles of their collaboration and a legal framework, which governs the exchange of irrelevant information and Intelligence between the two.

Overview of the Scope of the Memorandum of Understanding.

This memorandum of understanding that the parties signed last month should not be seen as a requirement on the part of any of these two parties to cooperate with each other. There is no legal requirement to cooperate in circumstances that would breach their individual responsibilities. This is simply a way for the two parties to deepen their existing relations and develop them further, in an effort to promote exchange and assistance with the enforcement of laws protecting personal information. The intent is to work together by sharing expertise, experiences and best practices, cooperating on specific projects and investigations and also, sharing information and Intelligence to support their individual and collective work. This collaboration is made without the intent of sharing any personal data. If the parties do wish to share personal data they will consider compliance with their own data protection laws which may require entering into a written agreement or arrangement regarding the sharing of that personal data. Based on section 132(1) of the DPA 2018, the UK commissioner can only share certain information if she has the lawful authority to do so.

Review of the Memorandum of Understanding.

The UK’s ICO and the OAIC will monitor the operation of their memorandum of understanding and biennially review it. Either of the parties do have the right to request a review sooner. There is a designated point of contact for each of the parties in the event that any issues arise in relation to this memorandum of understanding. In addition this agreement may only be amended by the parties in writing and signed by each of them.

As stated above, the memorandum of understanding between the ICO and the OAIC does not affect the transfer of personal data between both countries. Currently, there is no adequacy decision for data transfers to Australia, so one of the safeguards covered by the GDPR should apply, like Standard Contractual Clauses or Binding Corporate Rules. Furthermore, one should note that an anti-encryption law was approved two years ago in Australia, which obliges Australian companies to construct back access doors to information in such a way that it is available to the Government, while being required not to communicate the existence of such System to the users or customers, therefore directly colliding with GDPR.

Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Statement on Personal Data

The FCA, ICO and FSCS release a Joint Statement Warning FCA Authorised Firms and IPs to be Responsible with Personal Data

The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) release a joint statement warning FCA authorised companies and Insolvency Practitioners (IPs) to be responsible when dealing with customers’ personal data.

On February 7th 2020, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) released a joint statement warning FCA authorised firms and insolvency practitioners (IPs) against the unlawful sale of clients’ data to claims management companies (CMCs). This is because it has come to their attention that some FCA-authorised firms and IPs have attempted to sell clients’ personal data to these CMCs unlawfully. The CMCs may not be acting in consumers’ best interest and may also be unlawfully marketing their services.

While The FCA handbook states that CMCs are required to act honestly, fairly and professionally in line with the best interests of their customers, they may not be acting in the customer’s best interest. As a matter of fact, CMCs that intend to buy and use such personal data must demonstrate their compliance with privacy laws. Although contracts may vary, standard contracts typically do not provide sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful.

Why Selling Customers’ Data with CMCs may not be Lawful.

Apart from the fact that most standard contracts simply do not provide the legal consent for customers’ personal data to be sold to CMCs,companies who pass on customers’ personal information may also fail to meet the requirements of the the Data Protection Act 2018 and GDPR. Thereafter, any direct marketing calls, text or emails carried out by CMCs may breach the Privacy and Electronic Communications Regulations 2003 (PECR).

What are the implications of such breaches in data protection legislation?

Companies are expected by law to abide by the Data Protection Act 2018, the GDPRand the FCA Handbook. In the case of FCA authorised companies and IPs in particular, the CMCOB Claims Management: Conduct of Business sourcebook applies. In cases where the ICO or FCA finds these companies to be in breach of any of these data protection laws, they will take appropriate action,and there could be serious legal consequences.

Time and again,we see fines being imposed on companies for breaches in these data protection laws, and just last week,we reported on the Italian DPA Fining TIM SpA in excess of EUR 27 Million for unlawful data processing.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

ICO Brexit data protection

The UK’s ICO Releases Statement on Data Protection and Brexit Implementation.

The ICO has released a statement on the implementation of Brexit and the implications on data protection.

On January 31, 2020, the UK officially left the European Union and entered a Brexit Transition Period, which runs through December 2020. Prior to that, on January 29th, the UK’s ICO released a statement on the implications of this Brexit implementation on data protection. The ICO iterates that they will continue to act as the lead supervisory authority for businesses and organizations that operate within the UK.

During this transition, the GDPR will steadily apply, and the ICO suggests that businesses that process customers’ personal data continue to follow their guidelines, and the protocol already in place. The GDPR will cease to apply at the end of this transitional period. However, the UK government intends to incorporate the provisions of the GDPR into UK data protection law beyond December 2020.

That said, businesses and organisations that offer goods or services to people in the EU are still expected to follow the EU’s version of the GDPR beyond the transitional period. However, for now, these companies and organizations will not need to appoint a European representative. GDPR transfer rules will apply to any data coming from the EEA into the UK. As a result, these companies  may need help deciding how to transfer personal data to the UK in line with the GDPR.

The ICO has also updated their Brexit FAQs to reflect any recent changes. They will continue to update their external guidance as they regularly monitor the situation.

Does this sound like too much to plan? We have prepared a summary of the ICO guidance below:

During the transition period (until the end of 2020).

After the transition period.

Will the GDPR continue to apply in the UK? Yes It will depend on negotiations. The default position is the same as for a no-deal Brexit. However, the GDPR will be brought into UK law as the ‘UK GDPR’
Is a EU Representative necessary? No Yes, If you are offering goods or services to or monitoring the behavior of individuals in the EEA.
What will the UK data protection law be? Data Protection Act 2018 (DPA 2018). The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.
What role will the ICO have? The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
Can we still transfer data to and from Europe? Yes From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK.



Does your company process customers’ personal information in the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance.

ICT regulation 2020

ICT Regulation in 2020: What to expect? An Aphaia Perspective


Aphaias Managing Partner Bostjan Makarovic and Partner Cristina Contero Almagro weigh in on ICT regulation in 2019 and offer their predictions and hopes for 2020.


To say it has been an eventful 2019 for data protection, ICT Governance and ePrivacyspecifically within the EU and United Kingdomwould be an understatement. Indeed, with 2019 being the first full year with the GDPR, it proved to be a year of lessons, policy implementations, new developments, court rulings and fines all centred on honouring the privacy and rights of individuals in todays highly technical, online based era. In fact, Privacy Affairs reports a total of 150 fines totaling 103,852,871 for the year, with a 50 million sanction on Google being the largest fine of the year.


So, with 2019 winding down to give way to 2020, we sat down with Aphaias Managing Partner Bostjan Makarovic and Aphaia Partner Cristina Contero Almagro for their professional insights on the year passed and their expectations and projections for 2020.


From a data protection and AI ethics standpoint How would you describe 2019? What would you pinpoint as two of the most impactful occurrences in regards to ICT regulation in the year just past?


Bostjan: 2019 has been the year when the topic of AI seems to have found a special place in the EU’s regulatory landscape. In addition, important new practical questions on the intersection of privacy and AI regulation have emerged, say in relation to smart billboards.


Cristina: AI Ethics standpoint: I would say 2019 has been a turning year. On 8 April 2019, the High-Level Expert Group on AI presented their Ethics Guidelines for Trustworthy Artificial Intelligence, which was part of a series of four documents. In April we also became members of the European AI Alliance, a multi-stakeholder forum for engaging in a broad and open discussion of all aspects of AI development and its impact on the economy and society, which allows us to interact with the AI-HLEG. The first AI Assembly took place on 26th June in Brussels and we were invited to attend, so we did. The Policy and Investment Recommendations on AI and the piloting process of the AI Ethics Guidelines were launched at this event. This year has also been the year of our YouTube channel, and we hope to keep working on our vlogs during 2020.


Data protection standpoint: 2019 has been the first whole year with the GDPR, as it started to apply in May 2018. We have been able to learn from the fines and the guidelines launched both from Member States DPAs and EU bodies, as the EDPB. One of the most expected event of this year was the publication of the cookies guidance from DPAs (ICO in UK, AEPD in Spain, CNIL in France, etc.), although we will still have to wait for the new ePrivacy Regulation.



As we look ahead to 2020, from your analysis what are some expectations? Do you foresee any changes or implementations that would be have a big effect on the way businesses operate?


Cristina: I personally hope that EU Guidelines rise awareness of the importance of ethics, and that this addresses the approval of code of conducts for the industry. We also expect a revised ePrivacy Regulation proposal as part of the forthcoming EU Croatian Presidency. 


It would be also great to see how 2020 becomes the year of 5G, as it will definitely impact the way we do businesses, and our lives as such, plus it is closely linked to data protection and AI Ethics. There is a lot of work to do there. It is challenging and we are looking forward to this becoming a reality. Smart cities, self-driving cars, AR… there is a whole world outside waiting for 5G!


We cannot forget about Brexit, that may severely impact data protection and AI ethics across Europe.


Bostjan: In the second half of 2020, the new European Electronic Communications Code (EECC) will directly affect both communications services and telecoms infrastructure providers across the EU. I am also wondering whether in 2020 European Commission might seriously start looking into the possibility of a mandatory regulatory framework for AI, in addition to that of GDPR.



What advice would you give to online businesses and companies utilizing AI to ensure they get on top of the changes coming in 2020?


Cristina: With no doubtsThey should contact Aphaia! (just kidding). What I would advise that they look at the past and hear their customers. Look at the past because, with the example of GDPR for instance, it is easy to see how costly not doing the right thing from the beginning is, and hearing their customers, because the audience is demanding trustworthy AI, and they may not see a negative impact of not providing it for now, but it is just a matter of time, ‘adapt or die’.



Bostjan: As Cristina pointed out, getting timely compliance advice is crucial. GDPR requirement for ‘data protection by design and by default’ already requires businesses to look into privacy matters at the point of the development of the product, not once it has been finalised or even launched. In the second half of 2020, many online businesses providing voice, chat or messaging platforms will also need to ensure they comply with the EECC.



Do you need assistance in ICT policy or regulation? Aphaia provides  GDPR and UK Data Protection Act 2018 consultancy services, data protection impact assessments,  Data Protection Officer outsourcing , AI ethics assessments and telecoms policy and regulation consultancy services.