UK & Europe
Insurance & Reinsurance
Welcome to the February Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.Written by Mark Williamson, Isabel Ost and Charlotte Gatland
To celebrate Data Protection Day 2019, the European Commission has released an infographic that contains some interesting statistics about the GDPR since it came into force last year. These include:
Click here to see the infographic from the European Commission.
The UK Government has released guidance on its proposed amendments to the GDPR and UK Data Protection Act 2018 in the case of a no-deal Brexit. The guidance states that the fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same, but the changes proposed are necessary in order to ensure, among other things:
However, the guidance notes that UK companies will still need to consider appropriate safeguards for transfers of personal data from the EEA to the UK on the basis that the EU will not have granted the UK an adequacy decision prior to the date of a no-deal Brexit.
Click here to read the Government's guidance.
The European Data Protection Board (EDPB) has released a plan of work for the next two years. This work program includes:
Click here to read the EDPB's full work program for 2019 to 2020.
The ICO and FCA have signed a memorandum of understanding (MoU) setting out how they intend to co-operate going forward. The MoU builds on the last document, signed in 2014, to set out more ways in which both will work together pursuant to each regulator's legislative remit, including the recently enforced data protection legislation.
The MoU goes further than the last signed memorandum by suggesting ways both the ICO and FCA might, in their discretion, decide to work together, for example, notifying the other of potential infringements of legislation within its enforcement power and discussing matters of interest. It is essentially a statement that both regulators will have due regard to the other's regulatory ambit and be helpful to the other's aims.
Click here to read the Memorandum of Understanding.
The Committee for Convention 108 (the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) published guidelines on the use of artificial intelligence (AI) and data protection. The guidelines contain measures for law makers, AI developers, manufacturers and service providers.
The measures aim to prioritise the protection of human rights, particularly individuals’ rights with respect to their personal data, when AI is being used. The report behind these guidelines recognises that personal data is often an intrinsic part of AI, being both an input and output. The guidance notes the importance of applying the updated Convention 108 principles (which share significant similarities with the GDPR principles), when AI is using personal data. The guidelines also recommend that a human rights by design approach (analogous to the GDPR privacy by design concept) is applied when using and creating AI to ensure that individuals' human rights are not compromised through the use of AI.
Click here to read Convention 108’s Guidelines on AI and Data Protection.
The ICO has fined both Leave EU Group Limited (Leave EU), an EU referendum campaign group, and Eldon Insurance Services Limited (Eldon) for the unlawful sending of marketing emails.Background
Leave EU sent emails to its subscribers for the primary purpose of political campaigning and included in some of those emails an advertising banner for Eldon's services. The Commissioner stated that an email such as these ones is still classed as being sent for direct marketing purposes even where that it is not the primary purpose of the email; the marketing banner included in Leave EU's emails was created by Eldon; there was no contractual agreement between the two relating to the emails; and the arrangements surrounding the inclusion of the banner are unclear.Invalid Consent under PECR
The Commissioner noted some of the measures that Eldon should have taken to satisfy itself that the marketing of its services via Leave EU was lawful. These measures included performing adequate due diligence to confirm that Leave EU's privacy notice adequately informed individuals about the potential marketing activities and putting in place a contractual agreement with Eldon that provided assurances to Eldon of the lawful marketing of its products by Leave EU.