We are delighted to welcome you to the August edition of our Data, Privacy & Cyber Bulletin.
Once upon a time, the summer may have provided some respite from significant data protection developments. We certainly haven't seen that trend this year, either here in the UK or overseas. This edition takes in a wide selection of commentary on various issues including:
- An active month for the ICO, including the publication of draft guidance relating to biometric data and technologies and a joint release with the Competition and Markets Authority regarding harmful online design and practices that prompt users to provide more personal data than necessary.
Also, hot off the press is a joint statement from the ICO and eleven other data protection authorities from around the world, calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites. Social media companies have been invited to reply to the statement in the next month, and we will comment on any developments in response to the statement.
- Analysis of concerns around the exclusion of war risks from stand-alone commercial cyber policies, and its relevance to professional services firms.
- Ongoing regulatory issues faced by Meta including our review of the challenge to the dispute resolution process under the GDPR in the European courts, and recent action taken by the Norwegian data protection authority in the face of what it calls 'persistent non-compliance' by Meta.
- The National Cyber Security Centre's Sixth Annual Report on Active Cyber Defence.
- HM Treasury's consultation on proposals to ban "cold calls" for consumer financial services and products.
This month, we are delighted to include guest content from Kochhar & Co, who provide an overview of the new data privacy law recently enacted in India, with special thanks to Stephen Mathias.
For those interested in the topics of data, intellectual property, cryptocurrencies, and Web3 more generally, please register here for our upcoming You, Me, and Web3 event, which will be held at our London Walbrook office on 2 October 2023.
Website design: ICO and CMA call for an end to harmful architecture
We consider the ICO and CMA joint position paper, 'Harmful Design in Digital Markets', which issues a warning to companies to ensure that their website design is in compliance with data protection, consumer and competition law and guidance.
ICO consults on draft biometric data guidance
We review draft guidance relating to biometric data and biometric technologies by the ICO, and provide our view on the benefits of and defects within the guidance. This guidance is the first of two phases; the latter will focus on biometric classification and data protection and will be the subject of a call for evidence early next year.
Cyber cover for professional advisers and the collateral damage writeback
We analyse recent concerns around war risks and their exclusion from stand-alone commercial cyber policies, and how this may be relevant to professional services firms particularly exposed to cyber risk.
Appeal against first-ever UK GDPR fine dismissed: Civil standard of proof applies to ICO monetary penalty notices
We consider the appeal against the first ever UK GDPR fine issued, as heard by the Upper Tribunal. The decision affirms the burden and standard of proof in the First Tier Tribunal. The Upper Tribunal rejected arguments advanced by Doorstop Dispensaree that the criminal standard of proof should have been used, and affirmed that the civil standard of proof applies.
Data transfers: Meta challenges EDPB's binding decision which resulted in €1.2 billion fine
We review the arguments advanced by Meta as part of an appeal seeking to annul the European Data Protection Board's binding decision in the recent data transfer decision which resulted in the imposition of the largest ever GDPR fine in the amount of €1.2 billion. The appeal is wide-ranging and calls into question the entire system of dispute resolution under the GDPR, including the role of the EDPB.
Meta move to consent not fast enough for Norwegian data protection authority
We discuss the recent decision of the Norwegian data protection authority, Datatilsynet, to temporarily ban Meta from processing personal data for behavioural advertising in Norway, and how this verdict was reached.
Cyber Criminals Continue Phishing for Trouble
The National Cyber Security Centre published its sixth annual report on the Active Cyber Defence program, which found that phishing remains the most common type of cyberattack in the UK with over 77,000 incidents. We consider the report's key findings and the ongoing challenges to the UK business community.
The proposed ban on cold calling: what will it mean for the financial services sector?
We examine the recent consultation issued by HM Treasury regarding proposals to ban "cold calls" for consumer financial services and products, as well as the potential unintended consequences such a ban might cause.
India’s new Data Privacy Law: an overview
Colleagues at Kochhar & Co have provided an overview of the new Digital Personal Data Protection Act which will act as the primary piece of data protection legislation in India. The article discusses how India has chosen a somewhat different path from other countries by enacting a simpler and less prescriptive law than the typical GDPR-type legislation.