Data in the News
Updated: May 7
Welcome to our monthly round up of some of the biggest data related stories hitting the headlines ...
Brussels will allow data to continue to flow from the EU to the UK after deciding that Britain had an adequate level of protection for personal information. A draft decision by the European Commission is expected to be approved this week, the Financial Times reported on Monday.
The move will help with features of EU-UK law enforcement cooperation and will be welcomed by businesses that transfer personal customer information.
The UK’s data regulator is writing to WhatsApp to demand that the chat app does not hand user data to Facebook, as millions worldwide continue to sign up for alternatives such as Signal and Telegram to avoid forthcoming changes to its terms of service.
Elizabeth Denham, the information commissioner, told a parliamentary committee that in 2017, WhatsApp had committed not to hand any user information over to Facebook until it could prove that doing so respected GDPR.
But, she said, that agreement was enforced by the Irish data protection authority until the Brexit transition period ended on 1 January. Now that Britain is fully outside the EU, ensuring that those promises are being kept falls to the Information Commissioner’s Office.
The Information Commissioner’s Office (ICO) has issued fines totalling £480,000 to four separate companies for making unlawful calls to numbers registered with the Telephone Preference Service (TPS).
Chameleon Marketing (H.I) Ltd from Leeds; Rancom Security Limited based in Sutton Coldfield; Repair & Assure Limited from Redhill and Solar Style Solutions Limited in Stockton on Tees were found to have made 2.4million illegal calls between them, resulting in over 250 complaints to the ICO and the TPS.
It is against the law to make marketing calls to numbers that have been registered with the TPS for more than 28 days, unless people have provided consent.
Andy Curry, Head of Investigations at the ICO, said:
“Nuisance calls are an invasion of people’s privacy that can cause great distress and worry, particularly where people have taken steps to protect themselves by signing up to the TPS. We will always take robust action against companies who we find are ignoring the law in pursuit of their own gain.”
Data protection post-Brexit was not the most polarising subject facing EU and UK trade deal negotiators last year. It was, however, of fundamental importance for both sides to agree a framework.
Whether this was achieved in the resulting Trade and Cooperation Agreement is subjective – the data provisions in the Agreement provide some degree of short-term certainty for businesses and organisations, but the long-term arrangements are yet to be settled.
Under the Trade and Cooperation Agreement, data has continued to flow from the EU and EEA to the UK since 1 January 2021. This is because the Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo. Data is continuing to flow from the UK to the EU and EEA, but this was a UK decision and was not addressed in the Agreement.
The specified period will last for four months from 1 January 2021, but the EU and UK can agree to extend the period by a further two months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision reflects whether the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.
Laws surrounding the use of data between the UK and the EU have changed following the end of the Brexit transition period, meaning UK businesses must now comply with rules in both territories.
The EU General Data Protection Regulation (GDPR), which came into force in 2018, requires organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of individuals within the EU.
However, the UK’s GDPR regulations are now separate from the EU’s GDPR regulations, following the trade deal which came into effect on 1 January, meaning there are now two data protection legislations instead of just one: UK GDPR covering individuals in the UK and EU GDPR for individuals in the EU. Businesses holding both types of data, will now need to adhere to each of the two separate legislations.
The UK is now officially considered a ‘third country’ under the EU GDPR, meaning that UK businesses serving EU consumers will need to comply with both the UK and EU GDPR measures.
And finally …
Unfortunately, data breaches happen almost every day, and the NSC doesn't see this changing any time soon. While people may not be able to stop their personal data being lost in a breach, there is still plenty that individuals and families can do to protect themselves from the potential impact of data breaches. The NSC has chosen to explain it all in their new guidance.
This blog is aimed at security professionals and data/privacy experts, who may be interested in why the NSC recommends taking certain steps, but not others.