Expect to see a *lot* of press releases from people trying to hawk their wares under the banner of the #GDPR, shouting about the €1.2bn fine which the Irish DPC has said it intends to impose on Facebook.
Yes, you should focus on doing things correctly.
No, your risk has not increased massively overnight.
More #UKGDPR / #DataProtection news: the High Court of England and Wales has decided that the group claim for data protection breaches against Google / DeepMind, resulting in a loss of control of NHS patient data, cannot continue, because there is a lack of commonality among the claimants.
Each might have a good case individually but, collectively, there's just not enough common ground to make this a group claim.
ICO fines TikTok £12.7m. Looks like the contraventions were around allowing access to under 13s and failing to provide adequate transparency information
With one eye to the mastodon.social personal data breach, if you are a fedi (not necessarily Mastodon) admin in the UK / subject to the UK GDPR, would some kind of summary of your obligations under the UK GDPR - I am thinking either blogpost or free jitsi training session or both - be of interest?
Replies / comments welcome, to help me gauge interest!
The decision about Experian's appeal against the ICO's decision is out:
Neither side comes out looking great here, and Experian got off *very* lightly: no fine, no finding that its use of credit reference data for direct marketing was unfair.
Basically, told to provide transparency information.
A *very* quick blogpost about today's announcement from the ICO that it has "decided to stop enforcing personal data breach reports made under Regulation 5A [PECR]".
Very muddy waters.
"The ICO has decided to stop enforcing personal data breach reports made under Regulation 5A."
???
December has flown by with lots of fun festive extra activities on the mind, presents to buy and events to go to. 🎄
This means it's been easy to lose track of important developments in data protection - an area of law which continues to be busy all year round! 🧐
So whilst lots of us are winding down for a nice long holiday weekend, here are five significant events in December from a GDPR and UK GDPR perspective in case you missed them:
1️⃣ The EU Commission has proposed a draft EU - US Data Privacy Framework (the new 'privacy shield'). However, whilst the draft is significant, the decision has not been finalized. The process is expected to take another 6 months.
2️⃣ The UK Information Commissioner published various important pieces including its Direct Marketing Guidance which has long been anticipated by the industry. The ICO also released a forward thinking piece called 'Tech Horizons' which examines the implications of some of the most significant technological developments for privacy in the next two to five years.
3️⃣ The EU has signed a declaration on EU digital rights and principles that highlights "the EU's commitment to a secure, safe and sustainable digital transformation." The declaration is wider than just protecting personal data including #ESG themes around sustainability and digital inclusion.
4️⃣ Microsoft plans to roll out a 'data boundary' for its EU customers from 1 January to help their customers comply with their commitments under the GDPR.
5️⃣ New draft texts have been released for significant EU legislation in the data space, including the upcoming #AI Act, and the EU Data Act.
And of course, there were many more developments. Would anything else make your top 5?
#dataprotectionlaw #dataprivacylaw #dataprotection #GDPR #UKGDPR #data #Privacyshield #internationalbusiness
"The data bridge regulation (previously referred to as data adequacy) made by the UK government of the Republic of Korea came into effect on 19 December 2022."
As a data protection lawyer, I often see companies push data retention or data deletion policies to the bottom of the list.
It's sometimes seen as less important, because customers don't typically see this.
However, a recent fine by the CNIL shows there are real risks in delaying and never quite getting round to it. 😬
In this instance, Discord (a popular chat platform for gamers 🎮) received a fine of over 800,000 euros for:
❌ Not having a written data retention policy
❌ Not having specific retention periods or criteria for determining retention periods
❌ Failing to ensure data protection by default in the way the application sat in the background on Windows platforms
❌ Failure to ensure security by not setting strong enough password criteria
❌ Failure to carry out data protection impact assessments.
If you are a company dealing with customers in the EU or UK, there is no better time than now to be elevating data retention/deletion on your 'to do' list. ✔️
#dataprotection #dataprivacy #dataretention #datadeletion #dataprocessing #gaming #gamingnews #GDPR #UKGDPR
Obviously, a privacy notice means nothing if you don't trust me - and I am a random bloke on the Internet, so why *would* you trust me?! - but if you care, our privacy notice for the Christmas card jape is here:
UK finalises landmark data decision with South Korea to help unlock millions in economic growth:
#UKGDPR #dataprotection #datatransfer
For those who follow #dataprotectionlaw in the UK. The UK Information Commissioner released an update to the guidance on this yesterday.
The update includes:
- new section on transfer risk assessments (TRAs) and;
- a Transfer Risk Assessment tool.
This week I spoke about international data transfers with a couple of colleagues on a webinar. 🎙️
The challenges around this are ongoing, despite the possible new EU-US privacy shield and adequacy discussions in the UK under way.
Want to listen to the webinar? Link: https://www.osborneclarke.com/events/dipping-data-transferring-personal-data-out-uk (you will need to sign up with some org details to access).
In the first half, my colleague provides an overview of using the UK International Data Transfer Agreement and Addendum. In the second half I talk about updates with regards to transferring personal data to the US. Enjoy! 🙂
#dataprivacy #dataprotection #gdpr #UKGDPR
And we have ICO guidance on international data transfers - in particular, transfer risk assessments.
But *not* guidance on the #IDTA (yet).
#IDTA #UKGDPR #gdpr #dataprotection
Less than a week to go! Last chance for tickets for our in-person conference. Tickets free for members, £50 for non-members. A great line-up of speakers, lunch provided. Can't wait to see everyone #DataProtection #GDPR #UKGDPR #FOI #FreedomOfInformation https://nadpo.co.uk/event/nadpo-conference-2022/
📆 We’re looking forward to speaking about pressing Freedom of Information issues at the NADPO Annual Conference on Tuesday (22 Nov).
Confirmed speakers include:
👉 John Edwards, Information Commissioner
👉 Maurice Frankel @CampaignFoI
👉 Prof Victoria Nash @oiioxford
👉 Prof Lilian Edwards @lilianedwards
Non-members can get tickets here: https://nadpo.co.uk/event/nadpo-conference-2022-tickets-nonmember/…
#FOI #FreedomOfInformation #FOIA #DataProtection #GDPR #UKGDPR
Most alarms raised start as carefully worded and civil enquiries. In reply to this a prior thread that worked through a scenario, where poorly controlled surveillance via #OnlineSafetyBill and excessive ministerial power in linked secondary legislation is likely to have some unintended consequences
Ones that will lean on FOI, judicial review, #UKGDPR and #HumanRightsAct, plus investigative journalism and maybe protest to counter. All being undermined right now
@Janet_LegReg I would need to give it a lot more thought. In particular, identifying what the relevant transfers are, and who does them.
For example, I suspect that there's a world of difference between an English admin who backs up their instance to a server in the USA, and a user of an instance in the UK @-mentioning someone in the USA.
#UKGDPR #InternationalTransfers
RT @boell_eu
@OpenRightsGroup @jimkillock @EUdelegationUK @TerryReintke @GDelbosCorfield @CarolineLucas @natalieben @UKandEU @juliahimmrich @JeanLambertLDN @ZackPolanski @DigitalEU @ellajakubowska1 @accessnow @DIGITALEUROPE @cdteu @mikarv @DCMS @Jiri_Mnuk @CMAgovUK @1Br0wn @EU_Competition @Iptegrity @sebabecks @ellenejudson 🟢 What would it take for the #UK to "operate as the world's data hub"? @jimkillock, A. Stepanova, H-W Low & @ds_m4riano consider areas of divergence with #EU law in the UK's #DataProtection & #DPDIBill: https://eu.boell.org/en/uk-data-protection-reform @OpenRightsGroup @PrivacyMatters @edri #GDPR #UKGDPR