In its recent paper, Update report into adtech and real time bidding (20 June 2019), the ICO has set out a biting criticism of how real time bidding (RTB) currently operates in the UK. The phrase disproportionate, intrusive and unfair occurs three times, and intrusive on its own is used an additional three times. The … Continued
Most data subject access requests (SARs) are routine, but every now and again one comes along which stretches the law beyond where it would normally go. Rudd v Bridle[1] was such a SAR. Dr Rudd was a medical doctor, and eminent in his field. He had more than a hundred scientific articles to his name, … Continued
This article appeared in the January 2019 edition of Privacy Laws & Business – www.privacylaws.com. Planning for data breach – the role of the DPO DPOs have a major role to play in relation to preventing and minimising the impact of data breaches in their organisations. This is true even if you don’t have … Continued
On 21st January, the CNIL (the French ICO) fined Google €50 million for breaches of the GDPR. The amount of the fine is unlikely to worry Google unduly (it was fined €4.3 billion by the EU Commission in July 2018 for abuse of its dominant position in relation to the Android system. Google is appealing.) … Continued
The UK data protection regulator, the Information Commissioner’s Office, has issued an enforcement notice against Father Christmas under the General Data Protection Regulation (679/2016/EU). The notice relates primarily to the Naughty Children List. The notice is particularly noteworthy because it has been issued against a business headquartered in the North Pole and which does not … Continued
CNIL, the French ICO, has ordered a marketing company to delete the 67 million records it holds. Vectaury, a Paris-based marketing company, operated by persuading mobile app producers to include a proprietary piece of code in their apps. Once loaded onto a user’s phone, the Vectaury code would send geolocation and other user data to … Continued
The ICO has issued its first enforcement notice against an organisation which seems to have no presence in the EU. The company, AggregateIQ Data Services Ltd, is based in Canada, and the enforcement notice seems to be a spin out of the Cambridge Analytica case. The extra-territorial reach of the GDPR is as yet untested, … Continued
The intention was that a new version of the E-Privacy Directive (replacing the UK’s Privacy and Electronic Communication Regulation, more commonly known as PECR) would come into force at the same time as the GDPR. That did not happen, and the draft E-Privacy Directive is still going through the rounds in the EU (an updated … Continued
The large fines available to the ICO under the GDPR grabbed the headlines, but the fines have always been the least of the bills payable by a breaching company. For example, Talk Talk was fined £400,000 for its data breach, but the actual costs of remedying the breach have been estimated as between £30 million … Continued
Warning! This article is a heavy read. Only proceed if you are interested in the detail of GDPR. One of the central pillars of the GDPR is the requirement for a number of organisations to have a DPO. There are three categories of organisation that are required to have a DPO. Two of the … Continued