UK Data Protection Newsletter June 2015






Full text


UK Data Protection




Headlines this month:


Data Protection reform update


New regulation must not lower data protection standards


Raid on Manchester Call Centre


Recent data breaches


EU update



EData Protection reform update

The EU Council agreed on many aspects of the Commission’s initial proposal including that the legislation will be a Regulation and not a Directive and it will also be applicable to non-EU companies if they are offering services to EU consumers. It also agreed the one-stop-shop approach where companies will have to deal with a single national Data Protection Authority, the ‘right to be forgotten’ (although not as an absolute right), data portability and fines should be a maximum of 2% of a

company’s annual global turnover.

The first Trilogue meeting took place on the 24th June. Jan Philipp Abrecht, Rapporteur for the European Parliament, said that agreement should be reached by the end of the year. He said:

“The Trilogue today showed very clearly that this is feasible if all parties are open to compromise. All parties are committed to the timetable. The texts are actually a lot closer to each other now than we thought a few months ago”.

Now all three drafts have been agreed there are some aspects that we know will be included in the final version of the Regulation:

• Fines will be significant and likely to be at least

2% of global turnover or €1,000,000. Fines are likely to be focussed on data security breaches and unauthorised monitoring

• The regulation will be applicable to companies

outside the EU where they offer services to EU


The EU council reached agreement on its recommendations concerning the data

protection reform on 15th June. This means that all three versions of the text are now on

the table from the Commission, Parliament and the Council and now Trilogue discussions

have commenced to agree the final regulation. The timetable to complete is by the end

of this year and there will then be two years before the final Act comes into force.







New regulation must not lower data protection standards

It is agreed that it should be possible to process data for purposes that not incompatible with the original purpose provided there is a legal basis.

The Article 29 Working Party has sent a letter outlining its view on the progress in modernising data protection stating that they feel the European Union is making real progress and outlining its views on the three texts currently under discussion.

Points made in the letter include:

• The text of the regulation should be clear and

comprehensible leaving no doubt about the

rights and protections for individuals

• Innovation should not be compromised – the

Working Group believes that data protection should build trust and provide a competitive advantage. The regulation should apply to any controller whatever the risk of privacy but there should be scalability and flexibility

The Working Party has cited areas that it believes require further consideration including:

• Ensuring that personal data is defined in

a broad manner in line with ‘technological

evolution’. It should take into consideration situations where people can be “singled out” by identifiers or other information. It should take IP addresses and other identifiers into consideration

• Pseudonymisation should be considered as a

privacy enhancing tool but this data should not be defined as a new category of data making it at all exempt from Regulation

• Processing data for archiving, scientific, statistical and historical research purposes should remain possible and not be considered an incompatible purpose

• Data subjects’ rights should be reinforced and

improved. All surveys confirm expectations for personal empowerment and control over privacy. Existing rights must not be reduced. Portability should be encouraged

• Data Protection Authorities should be equipped with appropriate powers of enforcement and

sufficient resources. Sanctions should be

strongly reinforced whether the controller is a private or public entity. The DPA should be able to assist the controller with guidelines and tools

• Mandatory data breach reporting at least for

‘significant’ incidents

• Data Processors will have obligations as well as

data controllers

The Council draft leaves it open to member states to determine whether data controllers must appoint

Data Protection Officers while the other two drafts

require them for all organisations other than SMEs which do not process large amounts of data.

The Council also wish “explicit consent” to only be necessary where sensitive data is involved, as with the current directive, but the other two drafts wish to tighten the rules.

The EU Article 29 Working Party (representing EU Data Protection Authorities) has stated

that new data protection regulation must not dilute existing data protection standards.

The Data Protection Authorities (DPAs) believe that the proposal to allow data controllers

to process data for purpose that is incompatible with its original purpose violates the

purpose limitation principle.



Raid on Manchester Call Centre


Recent data protection breaches

Automatic calls played a recorded message and if people responded to the call by pressing a number on their phone they were put through to call centre staff. 7,000 complaints were received by the ICO which are believed to relate to calls made by the business. The calls related to PPI, debt management, delayed flight compensation and miss-sold pensions or pension reviews.

The law on making automated calls requires the caller to have received specific consent to receiving automated calls from the organisation.

The ICO’s Enforcement Group Manager said:

“Companies know what the rules are on these types of calls. They need to know too that people are sick of them, and when people complain to us, we will act. “Today’s searches are no one-off. We’ve got around 60 active investigations into organisations we believe are breaking the rules around nuisance calls and texts. Those investigations will result in fines and other enforcement action, and will cause some disruption to the companies who appear intent on causing it themselves.”

London Borough of Hammersmith and


The London Borough of Hammersmith and Fulham signed an Undertaking to comply with the Seventh Data Protection Principle further to a number of incidents where individuals sent a number of emails to the wrong people. The ICO deemed the amount of data protection training and awareness amongst its staff to be insufficient.

Pembrokeshire County Council

Pembrokeshire County Council signed an Undertaking to comply with the Seventh Data Protection Principle after failing to fully redact a number of individuals from a subject access request. Although appropriate procedures were in place the ICO found that there was insufficient oversight in responding to the request.

The Information Commissioner’s Office has raided a Manchester call centre believing it is

responsible for millions of nuisance calls. It believed that it contained an automatic dialler

that was capable of making 100,000 calls each day.







EU update

The below provides an EU update from a Regulatory

Strategies’ partner, Newgate Public Relations, in

Brussels, and provides an insight into the progress of

the EU’s draft data protection regulation: After being at a standstill for over a year out of

more than 3,5 years of negotiations, the Council has finally come to a conclusion on the Data Protection Regulation. The Latvian Justice Minister Rasnacs, whose country has held the Council Presidency since January was “glad that we have managed to achieve a general agreement on the regulation during our presidency. It is a big step forward.” Despite the Council’s green light on the regulation as a whole, a number of officials voiced concerns with the draft legislation, especially with regards to data processing, data transfers outside the EU, and the one-stop-shop measure. The Ministers were also worried about the text’s language on liability for companies, arguing it would put a financial burden on technology businesses.

 Slovenia and Austria voted against the draft law. The Austrian Minister of Justice Brandstetter said he was not supportive of the legislation just yet, but hoped that trialogue talks would bring the regulation closer to Austria’s strict data protection standards. The German Minister of Interior de Maizière cheered on the Council approach and called for Ministers to move forward despite his unease over some parts of the law.

The first meeting of trilogue negotiations between the Commission, Parliament and Council took place on 24 June only 10 days after the Council agreement. The parties at the table decided on a roadmap and sought a common position as to the general direction the negotiations had to go.

After the meeting, the Parliament’s Rapporteur Jan Albrecht commented that the aim is to achieve a legally certain and unified data protection

standard, starting from the level of protection that is enshrined in the current 1995 Directive. “The three texts which are now on the table are far more similar to each other than any of us thought would be the case – there has been quite a lot of agreement already,” he said.

The Council’s Presidency will be in the hands of Luxembourg as from 1 July and the Minister of Justice Felix Braz is confident that the package will receive final approval by the end of the year. He said: “We share the goals of the reform. We want to give people more control over their personal data and ensure the same high level of protection in the 28 Member States, and also enable business to act effectively in the digital single market.”

The industry remains eagle-eyed and is watching keenly for any further negative developments for (technology) businesses. Some specific points of the current text cause concern, according to the digital industry association IAB Europe.

For instance, several provisions of the text may outlaw the processing of aggregated customer data that provides advertisers with crucial information about the effectiveness of their ads. Additionally, businesses are concerned about the Council of Ministers having undermined the one-stop shop principle, which was the centre-piece of the original proposal.


“The current approach is blunt and indiscriminate – a far cry from the supposed objective of making EU rules fit for purpose in the Internet age”, said Townsend Feehan, chief executive of IAB Europe. He added that future regulation needs to enable digital advertising to fund the informational, educational, entertainment and e-commerce services that European users enjoy online at little or no cost. In terms of next steps, the chair of the Parliament’s Civil Liberties Committee, Claude Moraes MEP, is very much willing to push the file forward in the trilogue negotiations, since it has been dragging on for such a long time: “Reforming it has become an urgent priority”.

The incoming Luxembourg Presidency indicated that an agreement on the general approach is to be expected at the EU Justice Ministers’ meeting

in October 2015. Before then, 8 more trilogue meetings have been scheduled. The trialogues as a whole should then be closed by December 2015, which gives businesses another 6 months to approach policymakers and make their voices heard.





Related subjects :