Matthew Arnold & Baldwin LLP | Giving you a lot more than just law... » privacy and electronic communications regulations

ICO gives verdict on implementation of new cookies rules: websites must do better

Paul Gershlick — Fri, 23 Dec 2011 16:16:49 +0000

The Information Commissioner’s Office – the UK’s data protection regulator – has given a damming report on websites’ implementation of new cookies laws, under which website users must receive clear information of the cookies that are used on a site and their consent must be obtained for the use. The law changed in May this year, but the ICO gave websites a further year to make the changes. However, it said at the time that businesses must make the changes. The purpose of the year’s grace was to allow steps to be taken to be ready. The ICO is disappointed, though, that many businesses are doing nothing to address the new law and this is not acceptable. In the report, it has provided updated guidance on how to comply, including suggested wording for the information and how links should be used to the relevant wording. The guidance says that providing the information through a privacy policy is not normally enough.

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here: http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

ICO advises communications providers to inform of data protection breaches every month

Simon Weinberg — Thu, 22 Dec 2011 11:08:56 +0000

The Information Commissioner’s Office (ICO) has released updated guidance in which it advises electronic communication providers to inform the ICO of breaches to users’ personal data each month. The guidance also recommends that, if a breach is particularly serious, the ICO should be informed immediately by using a new standard notification form.

The changes to the guidance largely reflect the revisions made to the Privacy and Electronic Communications Regulations in May 2011, under which electronic communications providers must inform the ICO about all data protection breaches. The main difference is the recommendation to provide a monthly report rather than simply to maintain a record of breaches which can be audited by the ICO for compliance.

ICO warns of £500,000 fine for single incident of spam or automated calls

Mark Weston — Fri, 29 Jul 2011 04:10:24 +0000

The Information Commissioner’s Office – the regulator in charge of enforcing UK data protection laws. – has warned businesses that they could face fines of up to £500,000 for a single incident of breaking the recently revised e-privacy laws. Under recent amendments to the Privacy and Electronic Communications Regulations, the ICO now has the power to fine an organisation for a serious breach of up to £500,000. The ICO has warned that sending spam emails, secretly gathering information about people’s locations through their mobile phones and sending automated marketing calls could trigger the new fines. Under the law, the fines can be issued without any prior warning to correct if someone has seriously contravened the Regulations and it was likely to cause substantial damage or substantial distress in circumstances where the contravention was either deliberate or the offender must have known that there was a risk and failed to take reasonable steps to prevent it.

European Justice Commissioner say users should be notified of privacy breaches

Mark Weston — Thu, 02 Jun 2011 08:51:31 +0000

The European Justice Commissioner has stated that the Electronic Communications Framework Directive (Framework) – the European law requiring telecoms companies to immediately notify users of breaches of their privacy – should be extended to social media, online banking, online shopping and video games. The Framework is being implemented in the UK as an amendment to the Privacy and Electronic Communications Regulations.

Viviane Reding was speaking in response to several recent high profile data breaches, such as that by Sony in relation to its PlayStation Network, which affected 100 millions users. She criticised the delay of seven days before users were told of the Sony breach and she said notification of data loss should be immediate.

She added that all companies, even those outside the European Union, should comply with EU data protection laws if they target users based in the EU.

UK tops the table for spam

Simon Weinberg — Tue, 30 Nov 2010 17:06:51 +0000

The UK ranks above other Western European countries for the circulation of spam (junk email), according to a survey produced by Trend Micro, an Internet security business. Nearly 10% of spam emails from Western Europe were sent from the UK. The most popular contents of the emails were commercial spam offering incentives such as ‘quick and easy weight loss’, emails offering business opportunities such as ‘work from home’ schemes, and job-related spam.

Government recommends change to interception law following EU threat

Paul Gershlick — Wed, 17 Nov 2010 10:56:47 +0000

The Home Office has recommended a change in the laws relating to interception of communications. A complaint had been made to the European Commission following BT’s controversial trial of the Phorm targeted ads. The Commission said that English law did not fully comply with EU requirements and was preparing to take the UK to the European Court of Justice over the this. In the wake of this, the Government has now proposed that the Regulation of Investigatory Powers Act is amended so that it deals with unintentional (as well as intentional) unlawful interception, and it requires explicit opt-in for information to be intercepted. Currently under English law, communications can be intercepted not just where there is explicit consent but where the interceptor has reasonable grounds to believe that consent has been given.

ISPs seek judicial ruling over legality of Digital Economy Act

Mark Weston — Wed, 21 Jul 2010 16:43:32 +0000

BT and Talk Talk – the Internet service providers – have asked the High Court to provide a ruling as to whether the Digital Economy Act is unlawful. They complain that the Act was scrambled through in a rush to pass legislation just before the General Election and that it conflicts with European Union laws protecting privacy and electronic communications. The ISPs say that implementing systems and processes that would enable them identify, communicate with and cut off users who share copyright material without authorisation would cost tens of millions of pounds. They say it would be better to get a court ruling now as to whether the new laws will be lawful rather than waste money on implementing something where the law turns out to be unenforceable.

It’s a case of ‘Do As We Tell You’ not ‘Do As We Do’ as Labour is the latest political party caught out for flouting privacy laws when canvassing

Paul Gershlick — Wed, 10 Feb 2010 21:46:22 +0000

The Labour Party has embarrassingly been told off for breaching the privacy rights of 500,000 people in a canvassing campaign, when it sent the recipients a recorded message of actress Liz Dawn telling them to vote labour. Unsolicited automated telephone calls without consent breach the Privacy and Electronic Communications (EC Regulations) 2003. A member of the public complained in July 2007 that they were receiving those calls, but the Information Commissioner’s Office – the UK data protection regulator – received further complains in 2009. The ICO has served an enforcement notice on Labour requiring the Party to ensure no further automated direct marketing calls are made without consent. If Labour breaches the enforcement notice, they could be fined. Labour is not the only Party at it – the Conservatives, Liberal Democrats and Scottish National Party have all received enforcement notices in the past for employing the same tactics. It seems to be a case of the politicians making the law for everyone else to comply with, but thinking they are above the law – sound familiar?