Fox Rothschild LLP (LexBlog United Kingdom)

The United Kingdom’s Information Commissioner’s Office recently issued guidance on how to keep employment records. This is good advise for employers beyond Europe (and particularly in California). The data retention requirements of the California Privacy Rights Act are the same as GDPR. Here are some key takeaways: Accuracy Retention limitation Transparency Right of erasure Accountability

The UK’s Information Commissioner’s Office has issued guidance on the scope of age appropriate design code, and they want public comment. This is very important for companies subject to the already passed California Age Appropriate Design Code, and those who could be covered in the future by copy-cat state bills. Key points: Likely to access: Significant Number...

The old saying went that “if you don’t want it on the front page of the newspaper, don’t put it in an email.” Well, if you don’t want to produce it as part of an employee’s Data Subject Access Request (DSAR), it shouldn’t be part of your employee files. Employee DSARs are coming soon to...

The United Kingdom’s Information Commissioner’s Office has issued draft guidance regarding governance and anonymization. What does it mean for GDPR and for the host of new US Privacy laws, including CPRA, CDPA and CPA? And why is it so important? Though intended to help with GDPR compliance, this guide also helps with how to implement...

The UK’s Information Commissioner’s Office (ICO) has issued guidance on pseudonymisation. Here are some key points: What is it? At a basic level, pseudonymisation starts with a single input (the original data) and ends with two outputs (the pseudonymised dataset and the additional information). Together, these can reconstruct the original data. However, in relation to...

The UK’s Information Commissioner’s Office (ICO) has issued guidance on pseudonymisation. Here are some key points: What is it? At a basic level, pseudonymisation starts with a single input (the original data) and ends with two outputs (the pseudonymised dataset and the additional information). Together, these can reconstruct the original data. However, in relation to...

What does the U.K. Information Commissioner’s Office have to say about what it takes for adtech initiatives to be compliant with data protection? “There is an opportunity for market participants to move towards developing solutions that incorporate key considerations of data protection compliance. They should also place the interests, rights and freedoms of individuals at...

The United Kingdom’s Information Commissioner’s Office has released the second chapter in its anonymization guide for public comment. Here are some key points: An effective anonymization process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context....

The United Kingdom has issued an ambitious report on its 10 year plan to become an AI super power. The document lays out a detailed business plan with 3 month, 6 month and longer objectives. Notably: The document states that the government is also exploring how privacy enhancing technologies (PET) can remove barriers to data...

The UK’s Information Commissioner’s Office (ICO) is taking on cookie banners. The office will call on fellow G7 data protection and privacy authorities to work together to overhaul cookie consent pop-ups in favor of software and device privacy settings. “Joined by the Organisation for Economic Co-operation and Development (OECD) and the World Economic Forum (WEF), each G7...

Here is one more note on the UK Department for Digital, Culture, Media and Sport’s (DCMS) new international transfers initiative: The documents contain a template and a detailed questionnaire for assessing the adequacy of the destination third country in connection with data protection. These are organized, thorough and very user-friendly documents that should even prove...

The Information Commissioner’s Office (‘ICO’) has issued new guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses (‘SCCs’) which are currently in use for such transfers. The guidance has three documents: Guidance on conducting Schrems transfer impact assessment...

The United Kingdom’s Information Commissioner’s Office has issued guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses (SCCs) which are currently in use for such transfers. According to the ICO press release, “the new guidance has been designed...

The UK Information Commissioner’s Office is calling for collaboration with UX and design firms for the implementation of the Age-Appropriate Design Code. Per the ICO: “We know that the aims of the design community align with this vision set out in the Children’s Code and can see design practices evolving. Designers are more conscious of...

The United Kingdom’s Information Commissioner’s Office published its action plan for 2021. Areas of focus include: the Age Appropriate Design Code data sharing. data broking, the use of sexual crime victims’ personal information, adtech, including audits focused on digital marketing platforms. Additional guidance is forthcoming on: political campaigning facial recognition, codes of conduct and...

In atypical 2020 fashion, Santa actually gave UK the #1 present on its Christmas list: adequacy for cross-border data transfers from the EU as part of an overall trade deal. Bloomberg reports the deal will include an interim solution for a maximum of 6 months while the European Commission considers a full adequacy decision for...

Do any of these things pertain to your business? Are you outsourcing your HR, IT or payroll function to a UK-based organization? Are you using a UK-based marketing company to send marketing communications to your customer database? Is your occupational health provider based in the UK? Is your pension scheme based in the UK? Are...

Blockchain and data protection: A report issued by the Law Society and Tech London Advocates & Global Tech Advocates highlights the extent of unknowns in a series of questions posed for the UK Information Commissioner’s Office. What does “all means reasonably likely to be used” mean under Recital 26 of the General Data Protection Regulation...

A group of UK MPs wrote a letter to the UK Information Commissioner’s Office demanding stronger data protection enforcement. “It is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health. The ICO has powers to compel documents to understand data processing, contractual relations and the...

In the wake of the UK A-Level algorithm fallout, the U.S. National Institute of Standards and Technology (NIST) has published a report, for public comment, on the Four Principles of Explainable Artificial Intelligence. “AI is becoming involved in high-stakes decisions, and no one wants machines to make them without an understanding of why,” said NIST...

The UK’s Information Commissioner Office’s has issued a revised statement on the Schrems II. “Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance...

As lockdown restrictions  ease and businesses begin to reopen, the UK Information Commissioner’s Office (ICO) has set out the key steps organizations need to consider around the use of personal information. The guidance focuses on six principles: Only collect and use what is necessary Keep it to a minimum Be clear, open and honest with...

A comment requested that the California Attorney General clarify the specific requirements for making privacy notices “easy to read and understandable to the average consumer” under the California Consumer Privacy Act regulations. The Attorney General responded: The provisions of Section 999.305(a)(2) are sufficient to make this clear. Also, notices cannot be misleading. Contrast:  European Union:

Coronavirus and Data Protection: The UK Information Commissioner’s Office has issued an opinion on the Google-Apple joint initiative for contact tracing apps. Key Takeaways The Google and Apple framework appears to be aligned with data protection principles. The app developers have primary responsibility to ensure data protection principles are met. There must be transparency as...

The UK Information Commissioners’ Office says government can use personal data from mobile phones to track/fight COVID-19. “The UK’s privacy watchdog has said the government can legally use personal data from people’s mobile phones to track and monitor behavior if it helps fight the spread of coronavirus.” “It emerged that the government was in talks...

The United Kingdom’s Information Commissioner’s Office has provided it’s guidance on COVID-19 and data privacy. Public health messages are not direct marketing. It’s about being proportionate – if some data processing feels excessive, then it probably is. The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account...

“In an age where children learn how to use an iPad before they ride a bike, it is right that organizations designing and developing online services do so with the best interests of children in mind,” said UK Information Commissioner, Elizabeth Denham. “Children’s privacy must not be traded in the chase for profit.” The UK...

A new study has found only 11.8% of the most popular Consent Management Platforms (CMPs) used on UK websites meet the minimal requirements under GDPR and Europe’s eDirective regulations regarding cookies and consent. The researchers’ scraper was used to determine whether a consent form met GDPR and eDirective requirements. The rules say consent must be...

“Adequacy” seems to be the hardest word. On the brink of Brexit and the UK becoming a “third country” without a so called “adequacy” status for the cross border transfer of personal data from the European Union — Could California have its own Privacy Shield arrangement separate from the rest of the U.S.? This question emerged...

The United Kingdom’s Information Commissioner’s Office has issued for public consultation a  draft guidance on the Right of Access under the General Data Protection Regulation (GDPR). Read my detailed analysis for key takeaways on how to handle the access request, and how to structure your systems to ensure that one does not fall between the...