The ICO released a statement outlining its approach to regulation during the coronavirus pandemic.
The ICO released a statement this week outlining its approach to regulation during the global coronavirus pandemic, almost one month after publishing its first guidance on data protection during COVID-19, which we covered in one of our previous blogs. As the pandemic continues to affect the ways in which people do business, the regulator has described the present as “exceptional times in the nation’s history” and acknowledges that the impact of the public health crisis on government, public bodies and businesses is significant enough to warrant a new, empathetic and pragmatic approach to how it carries out its functions. The ICO has expressed its intent to be flexible, taking into account the burdens its actions may place on businesses, many of which are already facing staff and operating capacity shortages as well as severe financial and other pressures.
In its newly released statement, the ICO outlines its approach to engagement with the public and organisations, to regulatory action, and to the Freedom of Information Act and the Environmental Information Regulations. The ICO has also reprioritised its services to give organisations additional guidance on how to comply with the law during this period. The regulator acknowledges that the effects of the public health crisis are likely to be felt for some time after it is over, so its flexibility will continue to be necessary in some areas for many months to come. It intends to keep this guidance under review as the situation progresses and to issue updates where necessary.
The ICO recognises its responsibility to take into account the special circumstances in which many organisations find themselves today as a result of the public health crisis. As Elizabeth Denham, the Information Commissioner, said in the statement released earlier this week: “It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation and supporting the UK as it steps forward in the global economy.”
The ICO has imposed the maximum fine of £500,000 on a Scottish company, CRDNN Ltd, for making nearly 200 million automated nuisance calls.
After receiving over 3,000 complaints about CRDNN Ltd, formerly known as Contact Reach Digital Ltd, the ICO launched an investigation that resulted in a £500,000 fine for unlawful direct marketing in the form of automated nuisance calls. Of the calls made, over 63.5 million connected. Some were even made to Network Rail’s Banavie Control Centre, clogging a line meant for drivers and pedestrians at unsupervised rail crossings and potentially putting lives at risk.
The investigation followed a raid by the ICO on the company’s premises in Clydebank, where computer equipment and documents were seized. It revealed that over 1.6 million calls per day were being made between June 1st and October 1st of 2018. The calls were for direct marketing purposes and were made from so-called ‘spoofed’ numbers, meaning that the people who received them could not identify who was calling. Concealing the caller’s identity in this way is contrary to regulation 24 of PECR, which requires automated marketing calls to identify the caller and provide contact details.
In a statement, the ICO’s head of investigations, Andy Curry, revealed that not only were these calls unsolicited, but consumers who attempted to opt out were simply bombarded with even more calls as a result. Mr Curry went on to explain that CRDNN incurred the maximum fine because the company’s directors “knowingly operated the business with complete disregard for the law” and did all in their power to avoid detection, even going as far as moving the operation abroad and attempting to liquidate the company.
The ICO has also issued an enforcement notice to CRDNN Ltd, ordering it to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) within 35 days of receipt. The notice, issued on February 26th 2020, states that CRDNN’s actions breached regulations 19 and 24 of PECR.
We recently reported on two fines issued by the Italian DPA (the Garante) on TIM SpA and Eni Gas e Luce, for EUR 27.8 million and EUR 11.5 million respectively. With this new fine, the ICO has taken its own stand against the unlawful use of personal data. As regulators crack down on companies that mishandle personal data, it is imperative that companies ensure they comply with the GDPR, PECR 2003 and the DPA 2018.
The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) have released a joint statement warning FCA-authorised companies and insolvency practitioners (IPs) to handle customers’ personal data responsibly.
On February 7th 2020, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) released a joint statement warning FCA-authorised firms and insolvency practitioners (IPs) against the unlawful sale of clients’ personal data to claims management companies (CMCs). The statement was prompted by the regulators becoming aware that some FCA-authorised firms and IPs had attempted to sell clients’ personal data to CMCs unlawfully. The CMCs concerned may not be acting in consumers’ best interests and may also be marketing their services unlawfully.
The FCA Handbook requires CMCs to act honestly, fairly and professionally in line with the best interests of their customers, but the regulators note that CMCs buying such data may not be doing so. CMCs that intend to buy and use personal data must be able to demonstrate their compliance with data protection law. Although contracts vary, a standard customer contract typically does not provide valid consent for personal data to be shared with CMCs so that they can market their services, and such sharing may therefore be unlawful.
Why selling customers’ data to CMCs may not be lawful
Apart from the fact that most standard contracts simply do not provide valid consent for customers’ personal data to be sold to CMCs, companies that pass on customers’ personal information may also fail to meet the requirements of the Data Protection Act 2018 and the GDPR. Further, any direct marketing calls, texts or emails carried out by CMCs using that data may breach the Privacy and Electronic Communications Regulations 2003 (PECR).
What are the implications of such breaches of data protection legislation?
Companies are expected by law to abide by the Data Protection Act 2018 and the GDPR, and FCA-regulated firms must also follow the FCA Handbook. For CMCs in particular, the Claims Management: Conduct of Business sourcebook (CMCOB) applies. Where the ICO or the FCA finds a company to be in breach of any of these requirements, it will take appropriate action, and there could be serious legal consequences.
Time and again, we see fines being imposed on companies for breaches of these data protection laws; just last week we reported on the Italian DPA fining TIM SpA in excess of EUR 27 million for unlawful data processing.
The ICO has released a statement on the implementation of Brexit and its implications for data protection.
On January 31st 2020, the UK officially left the European Union and entered a Brexit transition period, which runs until the end of December 2020. Shortly before that, on January 29th, the ICO released a statement on the implications of Brexit for data protection. The ICO reiterates that it will continue to act as the independent supervisory authority for businesses and organisations that operate within the UK.
During the transition period the GDPR continues to apply, and the ICO advises businesses that process personal data to keep following its existing guidance and the procedures already in place. The EU GDPR will cease to apply directly in the UK at the end of the transition period; however, the UK government intends to incorporate the provisions of the GDPR into UK data protection law so that they continue to apply beyond December 2020.
Businesses and organisations that offer goods or services to people in the EU will still be expected to follow the EU GDPR beyond the transition period. During the transition period, however, they do not need to appoint a European representative. From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK, so these companies may need help deciding how to transfer personal data to the UK in line with the GDPR.
The ICO has also updated its Brexit FAQs to reflect the recent changes, and will continue to update its external guidance as it monitors the situation.
Does this sound like too much to plan for? We have prepared a summary of the ICO guidance below:
| | During the transition period (until the end of 2020) | After the transition period |
|---|---|---|
| Will the GDPR continue to apply in the UK? | Yes. | It will depend on negotiations. The default position is the same as for a no-deal Brexit; however, the GDPR will be brought into UK law as the ‘UK GDPR’. |
| Is an EU representative necessary? | No. | Yes, if you are offering goods or services to, or monitoring the behaviour of, individuals in the EEA. |
| What will the UK data protection law be? | Data Protection Act 2018 (DPA 2018). | The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018. |
| What role will the ICO have? | The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. | The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. |
| Can we still transfer data to and from Europe? | Yes, under the rules that apply today. | From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK. |
Does your company process customers’ personal information in the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing services will assist you in ensuring compliance.