UK data protection bulletin Jan/Feb 2015

18 February 2015

Highlights to note in the Jan/Feb bulletin are:

  • the cookie sweep undertaken by the ICO and a selection of other data protection authorities. Almost 500 websites targeting European consumers were reviewed and compliance with the ePrivacy Directive's notice/consent requirements was assessed. The sweep revealed that the provision of cookie information has improved, but the majority of websites are still not requesting consent where necessary.

  • changes to the rules on monetary penalties for breach of the E-privacy Regulations in the UK. Previously, the ICO could only take action against illegal tele and email marketing if it could show that the marketing would be likely to cause substantial damage or substantial distress. This threshold has now been removed.

  • Google's undertaking to the ICO to change its privacy policy. Organisations should note the comments by the ICO head of enforcement, that the ICO considers that the measures Google is putting in place (in particular, a clearer, more accessible and more precise policy) are requirements for all data controllers, especially when they seek to combine data from different sources.

  • the first-ever Investigatory Powers Tribunal decision to hold actions by UK intelligence agencies unlawful, for failing to be sufficiently transparent about their regime for the use of private communications of individuals located in the UK obtained by the US through PRISM; and

  • the response of the A29 Working Party on questions relating to health data processed in connection with apps and mobile devices. The response notes that health data does not just cover obvious medical data (e.g. blood pressure readings), but also data such as mood indicators where these are processed to draw an inference about a person's well-being.
