At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.
On January 30, 2019, the UK Information Commissioner’s Office (“ICO”) released a discussion paper on the upcoming beta phase of its regulatory sandbox initiative (the “Discussion Paper”). The ICO had launched a call for views on creating a regulatory sandbox in September 2018, and the feedback received facilitated developing systems and processes necessary to launch the beta phase.
On December 29, 2018, the UK Information Commissioner’s Office announced that Elizabeth Denham, UK Information Commissioner, was awarded a CBE for her services to protecting information. Denham’s award was announced in the United Kingdom’s 2019 New Year’s Honours list. This honor reflects Denham’s achievements as the UK Information Commissioner and the enhanced leadership, visibility and impact that she has brought to the role and the Office.
On January 15, 2019, the UK House of Commons rejected the draft Brexit Withdrawal Agreement negotiated between the UK Prime Minister and the EU by a margin of 432-202. While the magnitude of the loss sets in motion a process which could potentially have resulted in an early general election being held, on January 16 a majority of British Members of Parliament rejected a vote of no confidence in Theresa May’s government.
On December 20, 2018, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to clarify the effect of the UK’s planned withdrawal from the EU on March 29, 2019. The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit.
EU data protection authorities (“DPAs”) are proving their willingness as enforcers with respect to the GDPR, not just with regard to the most serious acts of non-compliance but also for errors of a more administrative nature. Under the previous regime, DPAs typically required companies to register their processing activities with the regulator, but the GDPR now permits organizations to maintain data processing inventories internally, only showing them to DPAs when there is a particular need to do so. In the UK, the Information Commissioner’s Office (“ICO”) introduced a requirement for organizations to pay a “data protection fee,” which data controllers falling under the ICO’s scope must pay once a year. Those companies that fail to pay the fee risk incurring a fine of up to £4,350 each.
On November 19, 2018, The Register reported that the UK Information Commissioner’s Office (“ICO”) issued a warning to the U.S.-based The Washington Post over its approach to obtaining consent for cookies to access the service. Continue Reading UK ICO Issues Warning to Washington Post Over Cookie Consent Practices
On October 11, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (“ICO”) in response to its call for views on creating a regulatory sandbox. Continue Reading CIPL Responds to ICO Call for Views on Creating a Regulatory Sandbox
The Information Commissioner’s Office (“ICO”) in the UK has issued the first formal enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) on Canadian data analytics firm AggregateIQ Data Services Ltd. (“AIQ”). The enforcement action, in the form of an Enforcement Notice served under section 149 of the DPA, requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” Continue Reading ICO Issues First Enforcement Action Under the GDPR